56d3373e69
gVisor is incompatible with OrbStack bind mounts on macOS — writes to /mnt/mac are blocked by the gVisor filesystem sandbox. Removing runtime: runsc from docker-compose.yml, the gVisor setup docs from README.md, and the runsc assertion test from rebuild.rs. The existing Docker hardening (read-only root, cap_drop ALL, no-new-privileges, resource limits) remains in place. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>