Virtualization/Sandbox Evasion

Wave 2 adds a functional T_IN_ONE_NO_TELEMETRY kill switch honored in code and a run-once de-duplication guard (~/.cache/._t-in-one_init/), reducing repeat beacons and analysis surface. Wave 1's telemetry opt-out env vars were README-only social engineering.