sandbox: macOS backend via sandbox_init / SBPL

## Context

v0.1 stubs macOS: users get \`--allow-unsandboxed\` mode (Cedar + receipts only,
no OS isolation). This is fine for development but means macOS has no parity
with Linux for the sandbox layer.

## What's needed

Translate \`Profile\` into an SBPL (Sandbox Profile Language) string and invoke
\`sandbox_init(3)\` from Rust via a small FFI shim.

SBPL is Apple-private and undocumented; workable references:
- https://boredzo.org/sandbox/sbpl.html (Peter Hosey's writeup)
- \`/System/Library/Sandbox/Profiles/\` on any macOS install
- \`sandbox-exec\`(1) tests empirically for rule-match behaviour

## Acceptance criteria

- [ ] \`crates/sb-sandbox/src/macos.rs\` implemented
- [ ] \`apply()\` on macOS calls the new backend
- [ ] Integration test on a macOS CI runner: read-only + write-to-tmp + no-network
- [ ] DESIGN.md "Platform support" updated

## Release target

v0.2.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

sandbox: macOS backend via sandbox_init / SBPL #3

Context

What's needed

Acceptance criteria

Release target

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

sandbox: macOS backend via sandbox_init / SBPL #3

Description

Context

What's needed

Acceptance criteria

Release target

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions