[Feature]: Add `openshell policy merge` for incremental policy updates

[nv-ddave]

Description

openshell policy set replaces the entire sandbox policy. Adding a single new endpoint requires manually merging 200+ lines of existing policy YAML.

Steps to Reproduce

1. Sandbox has multiple network policy groups configured for various services
2. Need to add a new endpoint (e.g., Slack)
3. Must create a complete YAML with ALL existing + new policies and apply it
4. Accidentally omitting any existing policy silently blocks that network access

Proposal

# Add a network policy group incrementally
openshell policy add my-assistant --group slack --endpoints slack.com,api.slack.com --binaries /usr/local/bin/node

# Or from a preset file
openshell policy add my-assistant --from-file presets/slack.yaml

# Remove a policy group
openshell policy remove my-assistant --group telegram

# List active policy groups
openshell policy list my-assistant --groups

Workaround

Manually merge YAML files. This is error-prone — it's easy to accidentally omit an existing policy group and silently lose network access for that service.

[johntmyers]

We are going to take a fresh look at providers which I think would give us a better entry point to do policy chunk modifications. We also support automatic chunk approvals when connections are denied and which automatically handles merging policy chunks back into the running config. So if you run the TUI for example, and your workload tries and connect to an endpoint that is blocked, you should see a policy rule ready for approval.

I'll move this to our internal tracker for inclusion in our provider RFC that we are working on.

In the interim, agents have shown to be really good at modifying policies and handling the merge stuff for you. We have a skill for it in the repo as well.