feat: reachability and consumer profiles (SAND-WP-0011)

Add reachability enrichment (tunnel metadata, ops-bridge pointer),
secret_refs boundary resolution, profile.agent-dev and profile.build,
CLI reachability show, API endpoint, consumer smoke scripts, and tests.

docs/integrations/glas-harness.md

@@ -31,6 +31,16 @@ sandboxer create \
 | SSH / tunnel reachability setup | glas-harness + ops-bridge |
 | Agent memory and session state | glas-harness |
 
+## Smoke test
+
+```bash
+# Requires sandboxer CLI and SANDBOXER_HOST (or profile placement fallback)
+SANDBOXER_HOST=coulombcore ./scripts/smoke-agent-dev.sh
+```
+
+Creates `profile.agent-dev`, prints reachability (tunnel metadata + SSH
+one-liner), then destroys.
+
 ## Out of scope for sand-boxer
 
 - Tool schemas and approval flows

docs/integrations/snuggle-inventor.md

@@ -30,6 +30,16 @@ sandboxer create \
 | Generated code and PR output | snuggle-inventor |
 | Secret resolution at boundary | sand-boxer (via ops-warden / OpenBao) |
 
+## Smoke test
+
+```bash
+# Skips live create when SANDBOXER_SECRET_BUILD_REGISTRY_TOKEN is unset
+export SANDBOXER_SECRET_BUILD_REGISTRY_TOKEN=<token>
+SANDBOXER_VM_TUNNEL_PORT=12222 ./scripts/smoke-build-profile.sh
+```
+
+Optional env: `SMOKE_VM` (default `haskell-build`).
+
 ## Out of scope for sand-boxer
 
 - Code generation prompts and tech specs