feat(core): integrate SandboxManager to sandbox all process-spawning tools (#22231)

packages/cli/src/config/settingsSchema.ts

@@ -1300,7 +1300,7 @@ const SETTINGS_SCHEMA = {
         default: undefined as boolean | string | SandboxConfig | undefined,
         ref: 'BooleanOrStringOrObject',
         description: oneLine`
-          Sandbox execution environment.
+          Legacy full-process sandbox execution environment.
           Set to a boolean to enable or disable the sandbox, provide a string path to a sandbox profile,
           or specify an explicit sandbox command (e.g., "docker", "podman", "lxc").
         `,
@@ -1522,6 +1522,16 @@ const SETTINGS_SCHEMA = {
     description: 'Security-related settings.',
     showInDialog: false,
     properties: {
+      toolSandboxing: {
+        type: 'boolean',
+        label: 'Tool Sandboxing',
+        category: 'Security',
+        requiresRestart: false,
+        default: false,
+        description:
+          'Experimental tool-level sandboxing (implementation in progress).',
+        showInDialog: true,
+      },
       disableYoloMode: {
         type: 'boolean',
         label: 'Disable YOLO Mode',