feat(core): add tool sandboxing setting and initialization

- Add `tools.sandboxing` boolean flag to `settingsSchema.ts` to control whether tools are executed within a sandbox.
- Introduce `createSandboxManager` factory function that returns either `LocalSandboxManager` or `NoopSandboxManager` based on the new setting.
- Update `Config` initialization to read the setting and construct the appropriate sandbox manager.
- Update unit tests to reflect the new initialization and instantiation behavior.

packages/cli/src/config/config.ts

@@ -699,6 +699,7 @@ export async function loadCliConfig(
     clientVersion: await getVersion(),
     embeddingModel: DEFAULT_GEMINI_EMBEDDING_MODEL,
     sandbox: sandboxConfig,
+    toolSandboxing: settings.tools?.sandboxing ?? false,
     targetDir: cwd,
     includeDirectoryTree,
     includeDirectories,

packages/cli/src/config/settingsSchema.ts

@@ -1247,6 +1247,15 @@ const SETTINGS_SCHEMA = {
     description: 'Settings for built-in and custom tools.',
     showInDialog: false,
     properties: {
+      sandboxing: {
+        type: 'boolean',
+        label: 'Tool Sandboxing',
+        category: 'Tools',
+        requiresRestart: false,
+        default: false,
+        description: 'Enable sandboxing for tool execution.',
+        showInDialog: true,
+      },
       sandbox: {
         type: 'string',
         label: 'Sandbox',