feat: MCP server container isolation mode — policy-driven sandboxing #886

@msaad00

Description

Goal

When a policy rule requires it, automatically wrap an MCP server in an OCI container for network and filesystem isolation — triggered by `agent-bom run` or as a standalone enforcement mode.

User story

```bash
# policy.json
{ "rules": [{ "condition": "untrusted_source", "action": "isolate" }] }

agent-bom run npx/@modelcontextprotocol/server-filesystem --policy ./policy.json
# → policy detects untrusted source → launches in container automatically
```

Or explicit:
```bash
agent-bom run --isolate
```

Why

ToolHive's differentiator is container isolation for MCP servers. We already build OCI images for our own server. This extends that to arbitrary servers — using Docker/Podman as a runtime, controlled by our policy engine.

Combined with #885 (`agent-bom run`), this makes ToolHive's entire feature set a subset of agent-bom.

Implementation notes

  • Add `isolate` action to policy engine (`policy.py`)
  • `--isolate` flag on `agent-bom run`
  • Use Docker SDK or subprocess to run server in container
  • Mount only explicitly allowed paths (least privilege)
  • Network policy: default deny outbound unless `--allow-network`
  • Proxy wraps the containerized server's stdio
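As an added sketch of how the notes above could fit together (this is not agent-bom's code; `ServerSpec`, `IsolationOptions`, the `TRUSTED_PREFIXES` allow-list and the OCI image names are assumptions), the following evaluates a policy rule such as `{"condition": "untrusted_source", "action": "isolate"}`, honours an explicit `--isolate`, and builds a `docker run` / `podman run` command line with no network, a read-only rootfs, all capabilities dropped, and only the explicitly listed host paths mounted:

```python
"""Hypothetical policy-driven isolation sketch; not the project's own code."""
from __future__ import annotations

import shutil
import subprocess
from dataclasses import dataclass, field
from pathlib import Path

# Constructed allow-list of source prefixes treated as trusted; a real
# implementation would derive this from its trust data, not a constant.
TRUSTED_PREFIXES: tuple[str, ...] = ("npx/@modelcontextprotocol/",)


@dataclass
class ServerSpec:
    """An MCP server to launch (field names are assumptions)."""
    source: str                    # e.g. "npx/@modelcontextprotocol/server-filesystem"
    image: str                     # OCI image that runs the server inside the container
    args: list[str] = field(default_factory=list)


@dataclass
class IsolationOptions:
    """Explicit mounts only; outbound network is denied unless allow_network is set."""
    allowed_paths: list[tuple[str, str, bool]] = field(default_factory=list)  # (host, container, read_only)
    allow_network: bool = False


def evaluate_policy(policy: dict, server: ServerSpec,
                    trusted: tuple[str, ...] = TRUSTED_PREFIXES) -> set[str]:
    """Return the actions of every rule whose condition holds for this server.

    An unknown condition raises instead of being skipped, so a typo in
    policy.json cannot silently disable isolation (fail closed).
    """
    facts = {"untrusted_source": not server.source.startswith(trusted)}
    actions: set[str] = set()
    for rule in policy.get("rules", []):
        cond = rule["condition"]
        if cond not in facts:
            raise ValueError(f"unknown policy condition: {cond!r}")
        if facts[cond]:
            actions.add(rule["action"])
    return actions


def should_isolate(policy: dict, server: ServerSpec, explicit: bool = False) -> bool:
    """True when --isolate was given or a matching rule carries action 'isolate'."""
    return explicit or "isolate" in evaluate_policy(policy, server)


def find_runtime() -> str:
    """Prefer docker, fall back to podman; both accept the flags used below."""
    for name in ("docker", "podman"):
        if shutil.which(name):
            return name
    raise RuntimeError("no OCI runtime (docker/podman) found on PATH")


def build_run_argv(runtime: str, server: ServerSpec, opts: IsolationOptions) -> list[str]:
    """Build the `<runtime> run ...` argv for an isolated server; nothing is executed here."""
    argv = [
        runtime, "run", "--rm",
        "-i",                                   # keep stdin open: the proxy speaks MCP over stdio
        "--read-only",                          # container rootfs is immutable
        "--cap-drop", "ALL",                    # no Linux capabilities
        "--security-opt", "no-new-privileges",  # block setuid-style escalation
    ]
    if not opts.allow_network:
        argv += ["--network", "none"]           # default deny: no outbound at all
    for host, container, read_only in opts.allowed_paths:
        host_abs = str(Path(host).resolve())    # absolute host path, so mounts are unambiguous
        argv += ["-v", f"{host_abs}:{container}:{'ro' if read_only else 'rw'}"]
    argv += [server.image, *server.args]        # no implicit host access beyond the mounts above
    return argv


def launch_isolated(server: ServerSpec, opts: IsolationOptions) -> subprocess.Popen:
    """Start the container with piped stdio so a proxy can wrap the MCP transport."""
    argv = build_run_argv(find_runtime(), server, opts)
    return subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
```

`build_run_argv` is kept free of side effects so the exact command line can be unit-tested and logged before anything runs; `launch_isolated` is the only function that touches the runtime, and it returns the `Popen` with both pipes so the stdio proxy from the last implementation note can sit in front of it.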

Acceptance criteria

  • `agent-bom run --isolate` runs server in container
  • Policy `"action": "isolate"` triggers auto-containerization
  • Filesystem mounts are explicit (no implicit host access)
  • Network isolated by default
  • Works with Docker and Podman runtimes

Metadata

Labels: enhancement (New feature or request)
Assignees: none
Milestone: none