Changed sandbox_exec_cmd to return a context manager that automatically
handles profile file cleanup. This ensures the temporary profile is
always removed, even if exceptions occur.
Adds macOS sandboxing support similar to Linux bubblewrap implementation:
- Created clan_lib/sandbox_exec module with sandbox profile creation
- Implemented file system isolation allowing only tmpdir and nix store access
- Added network restrictions (deny outbound except localhost)
- Integrated sandbox-exec command into vars generation on macOS
- Added comprehensive test suite for macOS sandbox functionality
- Fixed working directory handling for generators writing to CWD
