feat: reachability and consumer profiles (SAND-WP-0011)

Add reachability enrichment (tunnel metadata, ops-bridge pointer),
secret_refs boundary resolution, profile.agent-dev and profile.build,
CLI reachability show, API endpoint, consumer smoke scripts, and tests.

scripts/smoke-agent-dev.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+# Smoke profile.agent-dev — requires SANDBOXER_HOST or defaults via placement.
+set -euo pipefail
+
+if [[ -z "${SANDBOXER_HOST:-}" ]]; then
+  echo "SANDBOXER_HOST not set — using profile placement fallback" >&2
+fi
+
+REPO="${SMOKE_REPO:-$(pwd)}"
+echo "Smoke: profile.agent-dev repo=$REPO"
+STATUS=$(sandboxer create \
+  --profile profile.agent-dev \
+  --input "repo=$REPO" \
+  --actor agt \
+  --project glas-harness)
+ID=$(echo "$STATUS" | python3 -c "import sys,json; print(json.load(sys.stdin)['sandbox_id'])")
+echo "Created: $ID"
+sandboxer reachability show "$ID"
+sandboxer destroy "$ID"
+echo "OK: agent-dev smoke"