build: ensure stable container CWD to PROJECT_ROOT before stages

• Normalize CWD inside container to PROJECT_ROOT to prevent relative path issues in validation and downstream stages via [bash.setup_build_environment()](scripts/build.sh:133)

• Complements earlier hardening in [bash.initramfs_validate()](scripts/lib/initramfs.sh:774) that resolves absolute paths and checks existence

scripts/build.sh

@@ -139,6 +139,14 @@ function setup_build_environment() {
     log_info "Rust target: ${RUST_TARGET}"
     log_info "Optimization level: ${OPTIMIZATION_LEVEL}"
 
+    # Ensure a stable CWD inside the container (prefer /workspace)
+    if in_container; then
+        if [[ "$(pwd)" != "${PROJECT_ROOT}" ]]; then
+            log_info "Ensuring container CWD=${PROJECT_ROOT}"
+            safe_execute cd "${PROJECT_ROOT}"
+        fi
+    fi
+    
     # Create build directories only if we're in container
     # Host will let container create them to avoid permission issues
     if in_container; then