docs(rfc): dpu vm driver extension

[cheese-head]

Summary

Adds RFC 0005, which proposes an in-tree DPU extension for openshell-driver-vm. The design lets the VM driver attach DPU-backed VF/SF devices to sandbox VMs while delegating L2/L3/L4 policy enforcement to a DPU-side coordinator.

Related Issue

N/A

Changes

• Defines the openshell-dpu-extension host extension as a consumer of the VM-driver lifecycle extension API.
• Introduces a vendor-neutral DpuCoordinator trait with fake and bluefield-grpc coordinator backends.
• Specifies the BlueField coordinator daemon responsibilities for VF/SF allocation, OVS programming, policy application, and attachment tracking.
• Adds the proposed WatchSandboxPolicies gateway stream and projection-based NetworkScope policy delivery model.
• Documents operator configuration, attachment lifecycle, initial policy bootstrap, reconcile behavior, lease fencing, failure behavior, security model, mTLS identity, and observability expectations.

Testing

Documentation-only RFC change.

• mise run pre-commit passes
• Unit tests added/updated
• E2E tests added/updated (if applicable)

Checklist

• Follows Conventional Commits
• Commits are signed off (DCO)
• Architecture docs updated (if applicable)

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.