
fix: fence sandbox creates after api key deletion#574

Open
Jayant-kernel wants to merge 2 commits into
openkruise:masterfrom
Jayant-kernel:fix/api-key-delete-create-race

Conversation

@Jayant-kernel

Contributor

Ⅰ. Describe what this PR does

This PR prevents sandbox create requests from leaving resources owned by an API key that has just been deleted.

The change adds a short-lived deleted API-key fence in the E2B controller. When an API key is deleted, its ID is recorded in the fence. CreateSandbox checks that fence before creating a sandbox and checks it again after claim/clone returns. If the key is deleted while creation is in flight, the newly created sandbox is cleaned up and the request returns unauthorized instead of leaving an inaccessible sandbox behind.

The tests cover:

  • recording the deleted API-key ID after a successful delete;
  • rejecting create requests for a tombstoned API key before any sandbox is created; and
  • cleaning up a sandbox when the API key is deleted while create is in progress.

Ⅱ. Does this pull request fix one issue?

Fixes #570

Ⅲ. Describe how to verify it

  • gofmt on the changed Go files
  • git diff --check

The focused Go test command could not be run locally because the local Go executable is blocked by the machine's application-control policy. The added tests are intended to run in repository CI:

go test ./pkg/servers/e2b -run 'Test(DeleteAPIKeyPermissionMiddleware|CreateSandboxRejectsDeletedAPIKeyTombstone|CreateSandboxCleansUpWhenAPIKeyDeletedDuringCreate)$'

Ⅳ. Special notes for reviews

The fence is intentionally bounded in memory. It closes the local race window around deletion and late create completion without changing persistent API-key storage semantics.

Signed-off-by: Jayant <212013719+Jayant-kernel@users.noreply.github.com>
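An added example, not code from this PR or from the openkruise project, sketching the mechanism the description above outlines: a bounded tombstone fence for deleted API-key IDs, a create path that checks it before and after the claim, and cleanup when the key is deleted mid-create. The names DeletedKeyFence, CreateSandbox, the `live` map standing in for the sandbox store, and the `midClaim` hook (must be non-nil; pass `func() {}` for the normal path) are assumptions for illustration.

```go
package main
import (
	"errors"
	"fmt"
	"sync"
)
var ErrUnauthorized = errors.New("unauthorized: api key deleted")
// DeletedKeyFence remembers recently deleted API-key IDs. It is bounded to
// limit entries; once full, the oldest ID is evicted so memory stays flat.
type DeletedKeyFence struct {
	mu    sync.Mutex
	limit int
	order []string
	set   map[string]bool
}
func NewDeletedKeyFence(limit int) *DeletedKeyFence {
	return &DeletedKeyFence{limit: limit, set: map[string]bool{}}
}
// Record is called once the API-key delete has succeeded.
func (f *DeletedKeyFence) Record(keyID string) {
	f.mu.Lock()
	defer f.mu.Unlock()
	if len(f.order) == f.limit { // evict the oldest tombstone
		delete(f.set, f.order[0])
		f.order = f.order[1:]
	}
	f.order = append(f.order, keyID)
	f.set[keyID] = true
}
func (f *DeletedKeyFence) IsDeleted(keyID string) bool {
	f.mu.Lock()
	defer f.mu.Unlock()
	return f.set[keyID]
}
// CreateSandbox checks the fence before the claim and again after it returns.
// live is a stand-in store (sandbox ID -> owning key ID); midClaim runs while
// the claim is in flight so a test can delete the key mid-create (assumed hook).
func CreateSandbox(f *DeletedKeyFence, live map[string]string, keyID string, midClaim func()) (string, error) {
	if f.IsDeleted(keyID) {
		return "", ErrUnauthorized // already tombstoned: create nothing
	}
	id := fmt.Sprintf("sbx-%d", len(live)+1)
	live[id] = keyID // the claim/clone step
	midClaim()
	if f.IsDeleted(keyID) { // deleted while in flight: clean up and reject
		delete(live, id)
		return "", ErrUnauthorized
	}
	return id, nil
}
```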
@kruise-bot


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign furykerry for approval by writing /assign @furykerry in a comment. For more information see: The Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@codecov

codecov Bot commented Jun 24, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.84%. Comparing base (901921b) to head (02596d9).

Additional details and impacted files
@@            Coverage Diff             @@
##           master     #574      +/-   ##
==========================================
+ Coverage   79.78%   79.84%   +0.06%     
==========================================
  Files         202      203       +1     
  Lines       14688    14734      +46     
==========================================
+ Hits        11719    11765      +46     
  Misses       2544     2544              
  Partials      425      425              
Flag Coverage Δ
unittests 79.84% <100.00%> (+0.06%) ⬆️

@Jayant-kernel

Contributor Author

@AiRanthem
review my pr


Development

Successfully merging this pull request may close these issues.

[BUG] Delete API-key can leave inaccessible sandboxes from in-flight creates
