feat(core): implement SandboxManager interface and config schema

- Add `sandbox` block to `ConfigSchema` with `enabled`, `allowedPaths`,
  and `networkAccess` properties.
- Define the `SandboxManager` interface and request/response types.
- Implement `NoopSandboxManager` fallback that silently passes commands
  through but rigorously enforces environment variable sanitization via
  `sanitizeEnvironment`.
- Update config and sandbox tests to use the new `SandboxConfig` schema.
- Add `createMockSandboxConfig` utility to `test-utils` for cleaner test
  mocking across the monorepo.

packages/test-utils/src/index.ts

@@ -6,3 +6,4 @@
 
 export * from './file-system-test-helpers.js';
 export * from './test-rig.js';
+export * from './mock-utils.js';

packages/test-utils/src/mock-utils.ts

@@ -0,0 +1,18 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import type { SandboxConfig } from '@google/gemini-cli-core';
+
+export function createMockSandboxConfig(
+  overrides?: Partial<SandboxConfig>,
+): SandboxConfig {
+  return {
+    enabled: true,
+    allowedPaths: [],
+    networkAccess: false,
+    ...overrides,
+  };
+}