Add sandbox exclusion list for system services

Implement exclusion list for services that don't require sandboxing due
to their nature (SSH, Docker, system services). These services now show
"no(ok)" in SB column and maintain green status instead of warning.

Changes:
- Add is_sandbox_excluded field to ServiceData and ServiceInfo structs
- Add is_sandbox_excluded() method with system service exclusions:
  - sshd/ssh (needs system access for auth/shell)
  - docker (needs broad system access)
  - systemd services, dbus, NetworkManager, etc.
- Update status determination to accept excluded services as ok
- Update format_sandbox_value to show "no(ok)" for excluded services
- Update all ServiceData constructors with exclusion field

Service status logic:
- Sandboxed: Status=Running, SB="yes"
- Excluded: Status=Running, SB="no(ok)"
- Should be sandboxed but isn't: Status=Degraded, SB="no"

This provides clear distinction between services that legitimately don't
need sandboxing vs. those requiring security attention.
2025-10-14 11:35:42 +02:00
parent 4fa2b079f1
commit c6d5a3f2a5
3 changed files with 31 additions and 7 deletions

@@ -121,6 +121,8 @@ pub struct ServiceInfo {
#[serde(default)]
pub is_sandboxed: bool,
#[serde(default)]
pub is_sandbox_excluded: bool,
#[serde(default)]
pub description: Option<Vec<String>>,
#[serde(default)]
pub sub_service: Option<String>,
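
Review bot: the new `is_sandbox_excluded` field in `ServiceInfo` is a second independent bool next to `is_sandboxed`, so the struct can carry both set to `true`, a combination the three-state status logic in the commit message (sandboxed / excluded / should be sandboxed) has no row for. Consider collapsing the two flags into one enum with those three variants, or add a doc comment on the field stating which flag takes precedence. Separately, `#[serde(default)]` means a payload that omits the field deserializes to `false`, so data from a producer that predates this change will show excluded services as plain "no" until both sides are updated; that fallback is worth noting in the field's doc comment as well.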