[docker/cli] Feature request: Port exposure/forwarding for docker sandbox

### ROOT CAUSE The current Docker sandbox feature lacks support for port forwarding, preventing users from accessing services running inside the sandbox container from the host. This is critical for use cases like SafeClaw, which relies on exposing specific ports to host browsers for web terminal access. The absence of this feature hinders the migration to Docker Sandboxes due to the inability to map ports. ### CODE FIX 1. **Add `--publish` flag to `docker sandbox run`:** Extend the `sandbox run` command to accept a `--publish` flag (similar to `docker run -p`), allowing users to map container ports to the host. Example: `docker sandbox run --publish 127.0.0.1:8080:8080 my-sandbox`. 2. **Modify `sandbox create` to support port mappings:** Update the `sandbox create` command to accept port mappings in the configuration file or via a `--publish` flag. Ensure these mappings are applied during container creation. 3. **Integrate port mapping into container runtime:** In the `docker sandbox` implementation, parse the `--publish` flag and pass the mappings to the container runtime (e.g., `docker run -p`). This requires modifying the sandbox’s entrypoint script to include port mappings in the `docker run` command. 4. **Handle host networking constraints:** Ensure port mappings use `host` or `ip:hostPort:containerPort` syntax to align with Docker’s publish rules. For example, `--publish 0.0.0.0:8080:8080` exposes the port to all interfaces. 5. **Update documentation:** Document the new flags in the Docker CLI help and sandbox-specific guides. This fix ensures sandbox containers can expose ports, enabling secure and flexible access to internal services while maintaining Docker’s isolation guarantees.