[Podman] bind-mount provider with SELinux + mounts + network #19

@pyadav

Parent

#1

What to build

Add the Podman bind-mount sandbox provider. Imported from @missingstudio/sanddune/sandboxes/podman. Validates that the bind-mount factory abstraction (#4 — Tracer bullet) supports a second runtime, with SELinux label support for Fedora/RHEL hosts.

Also adds mounts and network options shared with Docker (slice #4 only used the defaults). mounts accepts absolute paths, ~, and cwd-relative paths. network accepts string | string[].

Acceptance criteria

  • podman() factory exported from @missingstudio/sanddune/sandboxes/podman
  • Built via createBindMountSandboxProvider (same factory as Docker — slice #4, "[Tracer bullet] run() with Docker + Claude Code + head + inline prompt")
  • SELinux labels handled correctly: bind mounts on Fedora/RHEL work without manual chcon (typically :Z suffix)
  • mounts option accepts Mount[] with hostPath, sandboxPath, optional readonly; hostPath supports absolute, ~, and cwd-relative paths
  • network option accepts string | string[] and attaches the container to the named Podman network(s)
  • Same mounts + network options also added to docker() (parity)
  • imageName defaults to sanddune:<repo-dir-name>
  • env provider option supported
  • Unit tests: provider construction, mounts path resolution (absolute, ~, relative), network args, SELinux label flag added to bind args on Linux
  • Smoke test against real Podman (CI-flag-gated) confirms a commit lands in a fixture repo
  • bun test and bun run typecheck pass

Blocked by
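
The mounts, network and SELinux criteria above, sketched as an added example that is not part of the issue or the project's code: it resolves absolute, ~ and cwd-relative host paths, appends the :Z label on Linux, and emits one --network flag per name. The function names, the injectable env parameter, the emission of one --network flag per network, and the refusal to relabel "/" or the home directory are assumptions made here.

```typescript
import * as os from "node:os";
import * as path from "node:path";

// Mount shape as listed in the issue; all function names below are hypothetical.
interface Mount { hostPath: string; sandboxPath: string; readonly?: boolean }

// Expand "~" and cwd-relative host paths into a normalized absolute path.
function resolveHostPath(hostPath: string, cwd: string, home: string): string {
  if (hostPath === "~") return home;
  if (hostPath.startsWith("~/")) return path.join(home, hostPath.slice(2));
  return path.resolve(cwd, hostPath); // absolute input comes back normalized
}

// Build the `-v` and `--network` arguments for `podman run`.
function buildPodmanArgs(
  mounts: Mount[],
  network?: string | string[],
  env = { cwd: process.cwd(), home: os.homedir(), platform: process.platform as string },
): string[] {
  const args: string[] = [];
  for (const m of mounts) {
    const host = resolveHostPath(m.hostPath, env.cwd, env.home);
    // ":" separates the fields of a -v spec, so a path containing it is ambiguous.
    if (host.includes(":") || m.sandboxPath.includes(":")) {
      throw new Error(`mount path contains ':': ${m.hostPath}`);
    }
    if (!path.posix.isAbsolute(m.sandboxPath)) {
      throw new Error(`sandboxPath must be absolute: ${m.sandboxPath}`);
    }
    const opts: string[] = m.readonly ? ["ro"] : [];
    if (env.platform === "linux") {
      // :Z rewrites the SELinux label of the host directory itself, so this
      // sketch refuses to relabel "/" or the whole home directory.
      if (host === "/" || host === env.home) {
        throw new Error(`refusing to relabel ${host} with :Z`);
      }
      opts.push("Z");
    }
    const suffix = opts.length > 0 ? ":" + opts.join(",") : "";
    args.push("-v", `${host}:${m.sandboxPath}${suffix}`);
  }
  const networks = typeof network === "string" ? [network] : network ?? [];
  for (const n of networks) args.push("--network", n);
  return args;
}
```

Passing env explicitly lets the unit tests named in the acceptance criteria cover the Linux and non-Linux branches on any host.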
