[Epic] Dynamic Policy Update

[muscariello]

Let operators add or revoke sandbox capabilities at runtime without restarting the agent process.

Summary

Allow users to dynamically update and extend sandbox policies at runtime so that
a running SHADI-sandboxed agent can be granted (or revoked) additional
capabilities without restarting the process.

Motivation

Today, sandbox policy is resolved once at launch (profile → policy file →
CLI flags) and baked into the OS enforcement boundary before exec. If an agent
needs a new filesystem path, a network destination, or an additional allowed
command during its lifecycle, the operator must kill and relaunch with an updated
policy.

This is safe but inflexible:

• Long-running agents may discover they need access to a new tool or path during
  a session (e.g., a SecOps agent that needs to fetch from a newly discovered
  registry endpoint).
• Human-in-the-loop workflows benefit from incremental capability grants: start
  strict, widen only on explicit operator approval.
• Composable agent systems (ADK, A2A) may negotiate capabilities dynamically;
  policy should be able to follow.

Scope

In scope

1. Policy reload signal — shadictl watches for a reload trigger (file
   change on the policy JSON, Unix signal, or a local control socket) and
   re-resolves the effective ResolvedPolicy.
2. Incremental policy patches — define a lightweight JSON-patch or overlay
   format so operators can add paths, network destinations, or commands without
   rewriting the full policy file.
3. Platform re-application — investigate whether macOS Seatbelt and Windows
   AppContainer allow tightening or widening at runtime; where they don't,
   document the ceiling and implement the subset that is possible (e.g., network
   rules via firewall APIs).
4. Audit trail — every policy mutation is logged with a timestamp, the
   requesting identity, and the delta applied, feeding into the existing
   telemetry pipeline.
5. CLI surface — shadictl policy patch --add-read /new/path and similar
   commands that apply to a running sandbox session.
6. Python binding — expose the reload/patch surface through shadi_py so
   ADK-based agents can request capability changes programmatically (subject to
   operator approval policy).

Out of scope (for now)

• Fully replacing the policy at runtime (only incremental patches).
• Automatic capability expansion without an explicit operator trigger.
• Cross-host policy synchronization.

Design Considerations

• Principle of least privilege — dynamic widening must never happen silently.
  A default-deny approval gate (interactive prompt, webhook, or pre-approved
  rule set) must exist between a request and enforcement.
• Monotonic tightening — revoking a capability at runtime is always safe and
  should be immediate. Widening requires the approval gate.
• Platform limits — macOS Seatbelt profiles are compiled once; runtime
  changes may require a secondary enforcement layer (e.g., a FUSE overlay or
  ptrace-based interposition for filesystem, pf rules for network). Document
  these limits clearly.
• Backward compatibility — existing one-shot policy resolution must remain
  the default; dynamic updates are strictly opt-in via --watch-policy or
  equivalent.

Tasks

• Design the policy-patch JSON schema and overlay semantics.
• Add a file-watch or control-socket listener to shadictl for reload
  triggers.
• Implement platform re-application for the subset of policy axes that
  support runtime changes (network rules on both platforms, command
  allow/block lists).
• Add shadictl policy patch CLI subcommands.
• Extend shadi_py with shadi.policy.request_patch(...).
• Add audit-trail logging for every policy mutation.
• Write integration tests covering reload, patch, revoke, and
  platform-ceiling fallback.
• Update docs/sandbox.md with the dynamic-update workflow.

References

• Current policy resolution: crates/shadictl/src/policy_helpers.rs
• Sandbox policy struct: crates/shadi_sandbox/src/policy.rs
• Platform enforcement: crates/shadi_sandbox/src/platform/
• Existing docs: docs/sandbox.md