refactor: Use chroot instead of systemd-nspawn for workspace entry

- Replace systemd-nspawn with chroot to avoid nested container audit errors
- Add manual bind mount setup for /home/ai:/root sharing
- Add mount and chroot to sudoers permissions
- chroot avoids kernel audit subsystem conflicts in nested containers

build.zsh

@@ -65,7 +65,7 @@ cp -rf ./cfg/os-release root.x86_64/etc/os-release
 
 # Configure sudoers for wheel group
 echo "Configuring sudoers..."
-arch-chroot root.x86_64 /bin/sh -c 'echo "%wheel ALL=(ALL:ALL) NOPASSWD: /usr/bin/pacman, /usr/bin/pacstrap, /usr/bin/arch-chroot, /usr/bin/rm, /usr/bin/mkdir, /usr/bin/mv, /usr/bin/cp, /usr/bin/poweroff, /usr/bin/reboot, /usr/bin/machinectl, /usr/bin/systemd-nspawn, /bin/bash" >> /etc/sudoers'
+arch-chroot root.x86_64 /bin/sh -c 'echo "%wheel ALL=(ALL:ALL) NOPASSWD: /usr/bin/pacman, /usr/bin/pacstrap, /usr/bin/arch-chroot, /usr/bin/rm, /usr/bin/mkdir, /usr/bin/mv, /usr/bin/cp, /usr/bin/poweroff, /usr/bin/reboot, /usr/bin/machinectl, /usr/bin/systemd-nspawn, /usr/bin/mount, /usr/bin/chroot, /bin/bash" >> /etc/sudoers'
 
 # Install aigpt (aios core package)
 echo "Installing aigpt..."

cfg/setup-user.sh

@@ -75,7 +75,11 @@ if [[ -o login ]] && [[ -o interactive ]]; then
     if [[ -z "$INSIDE_WORKSPACE" ]]; then
         # Running as ai user on aios OS - enter workspace container
         export INSIDE_WORKSPACE=1
-        exec sudo systemd-nspawn -q -D /var/lib/machines/workspace /bin/zsh
+        # Setup bind mount for shared user directory
+        sudo mkdir -p /var/lib/machines/workspace/root 2>/dev/null || true
+        sudo mount --bind /home/ai /var/lib/machines/workspace/root 2>/dev/null || true
+        # Enter workspace via chroot (avoiding nested systemd-nspawn audit issues)
+        exec sudo chroot /var/lib/machines/workspace /bin/zsh
     else
         # Running as root inside workspace container - start claude
         if command -v claude &>/dev/null; then