feat: reachability and consumer profiles (SAND-WP-0011)

Add reachability enrichment (tunnel metadata, ops-bridge pointer),
secret_refs boundary resolution, profile.agent-dev and profile.build,
CLI reachability show, API endpoint, consumer smoke scripts, and tests.

docs/integrations/snuggle-inventor.md

@@ -30,6 +30,16 @@ sandboxer create \
 | Generated code and PR output | snuggle-inventor |
 | Secret resolution at boundary | sand-boxer (via ops-warden / OpenBao) |
 
+## Smoke test
+
+```bash
+# Skips live create when SANDBOXER_SECRET_BUILD_REGISTRY_TOKEN is unset
+export SANDBOXER_SECRET_BUILD_REGISTRY_TOKEN=<token>
+SANDBOXER_VM_TUNNEL_PORT=12222 ./scripts/smoke-build-profile.sh
+```
+
+Optional env: `SMOKE_VM` (default `haskell-build`).
+
 ## Out of scope for sand-boxer
 
 - Code generation prompts and tech specs