Tags: hollis-labs/go-sandbox

Tags

v0.2.1

v0.2.1 — public-release docs polish (Status section, audit-trace/lineage rewording, doc.go sync); no functional or API changes

v0.1.0

v0.1.0 — initial hybrid extraction (Mux Profile API + Nanite SBPL/bwrap impls)

Standalone Go module github.com/hollis-labs/go-sandbox.

Public surface:
- sandbox.Profile / FSSpec / LoadProfile / LoadProfiles
- Apply(cmd, profile, workspace) (cleanup func(), error)
- darwin: BuildSBPL + non-optional validateSeatbeltLiteral
- linux:  BuildBwrapArgs (narrowed --ro-bind, namespace unsharing, --tmpfs /tmp,
  --die-with-parent, --new-session, conditional --unshare-net)
- unsupported: hard-error stub (no silent downgrade)

Hardening posture (verbatim from nanite's 2026-04-10 audit, gaps #1–#5)
plus SBPL profile-string injection guard on darwin.

Origin: CW-20260427-0022 (hollis-labs Clockwork). Sibling decisions in
Vanta: decisions.portfolio.cli_substrate_layering_go_providers_go_sandbox
and decisions.portfolio.cli_substrate.go_sandbox_runner_contract.