cli: --dry-run flag for sb exec (evaluate policy, emit receipt, skip execve)

## Context

AGT's `GovernanceSkill.check_policy(action, context)` is *pure evaluation* —
it returns a `PolicyDecision` without actually running the action. `sb exec`
today evaluates *and* runs. The [SbRuntimeSkill shim](../blob/main/examples/agt-integration/sb_runtime_skill.py)
currently works around this by reading the receipt the `sb` binary emits
before it calls `execve`, which is brittle.

A first-class `--dry-run` flag would:
- Evaluate Cedar
- Emit a signed receipt (marked \`dry_run: true\` in its context)
- Exit 0 for allow, 2 for deny
- Not apply sandbox
- Not call execve

## Acceptance criteria

- [ ] \`sb exec --dry-run --policy P -- CMD ARGS...\` exits 0/2 based on policy
- [ ] Emitted receipt has \`context.dry_run: true\`
- [ ] \`SbRuntimeSkill\` updated to pass \`--dry-run\` and \`SB_DRY_RUN\` env
      handling removed
- [ ] Unit test + CI smoke for both allow + deny paths

## Release target

v0.1.1.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

cli: --dry-run flag for sb exec (evaluate policy, emit receipt, skip execve) #2

Context

Acceptance criteria

Release target

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

cli: --dry-run flag for sb exec (evaluate policy, emit receipt, skip execve) #2

Description

Context

Acceptance criteria

Release target

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions