Summary

Fixes the root cause described in #837: openshell sandbox get now fetches the effective runtime policy via GetSandboxConfig for all output modes — including hot-reloaded updates and gateway-global overrides. The base output also surfaces the policy source (sandbox or global) and revision number, so callers no longer need to stitch together sandbox get and policy get --full output.

A --policy-only flag is also added for scripting workflows:

openshell sandbox get my-sandbox --policy-only > current.yaml
# edit current.yaml, then:
openshell policy set my-sandbox --policy current.yaml --wait

Related Issue

Fixes #837

Changes

• sandbox get now always calls GetSandboxConfig to retrieve the active runtime policy (replaces creation-time spec lookup)
• Base output now includes Policy source (sandbox/global) and Revision fields
• Added --policy-only flag to openshell sandbox get; when set, prints only the active policy YAML to stdout
• Added sandbox_get_policy_only_round_trip integration test; updated get_sandbox_config mock to return a real SandboxPolicy
• Updated CLI reference docs and docs/sandboxes/manage-sandboxes.mdx with the new flag and updated output

Testing

• mise run pre-commit passes
• Unit tests added/updated (sandbox_get_policy_only_round_trip)
• E2E tests added/updated (if applicable)

Checklist

• Follows Conventional Commits
• Commits are signed off (DCO)
• Architecture docs updated (if applicable)