feat: reachability and consumer profiles (SAND-WP-0011)

Add reachability enrichment (tunnel metadata, ops-bridge pointer),
secret_refs boundary resolution, profile.agent-dev and profile.build,
CLI reachability show, API endpoint, consumer smoke scripts, and tests.

tests/test_secrets.py

@@ -0,0 +1,51 @@
+"""Setup secret resolution tests."""
+
+from __future__ import annotations
+
+import pytest
+
+from sandboxer.models import Profile, SetupSpec
+from sandboxer.secrets.resolver import resolve_secret_ref, resolve_setup_secrets
+
+
+def test_resolve_secret_ref_from_env(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setenv("SANDBOXER_SECRET_BUILD_REGISTRY_TOKEN", "tok123")
+    assert resolve_secret_ref("build-registry-token") == "tok123"
+
+
+def test_resolve_setup_secrets_success(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setenv("SANDBOXER_SECRET_BUILD_REGISTRY_TOKEN", "tok123")
+    profile = Profile.model_validate(
+        {
+            "id": "profile.build",
+            "version": "1.0.0",
+            "extension": "ext.vm-packer",
+            "setup": SetupSpec(secret_refs=["build-registry-token"]).model_dump(),
+        }
+    )
+    secrets = resolve_setup_secrets(profile)
+    assert secrets["build-registry-token"] == "tok123"
+
+
+def test_resolve_setup_secrets_missing_raises() -> None:
+    profile = Profile.model_validate(
+        {
+            "id": "profile.build",
+            "version": "1.0.0",
+            "extension": "ext.vm-packer",
+            "setup": SetupSpec(secret_refs=["missing-ref"]).model_dump(),
+        }
+    )
+    with pytest.raises(ValueError, match="Unresolved secret_refs"):
+        resolve_setup_secrets(profile)
+
+
+def test_empty_secret_refs() -> None:
+    profile = Profile.model_validate(
+        {
+            "id": "profile.compose-e2e",
+            "version": "1.0.0",
+            "extension": "ext.compose-ssh",
+        }
+    )
+    assert resolve_setup_secrets(profile) == {}