[Feature]: Add openshell policy merge for incremental policy updates #763

@nv-ddave

Description

openshell policy set replaces the entire sandbox policy. Adding a single new endpoint requires manually merging 200+ lines of existing policy YAML.

Steps to Reproduce

  1. Sandbox has 9 network policies (claude, nvidia, github, clawhub, openclaw, npm, telegram, discord, etc.)
  2. Need to add Slack endpoints
  3. Must create a complete YAML with all 10 policies and apply it
  4. Accidentally omitting any existing policy silently blocks that network access

Proposal

# Add a network policy group incrementally
openshell policy add my-assistant --group slack --endpoints slack.com,api.slack.com --binaries /usr/local/bin/node

# Or from a preset file
openshell policy add my-assistant --from-file presets/slack.yaml

# Remove a policy group
openshell policy remove my-assistant --group telegram

# List active policy groups
openshell policy list my-assistant --groups

Workaround

Manually merge YAML files. This is error-prone — we accidentally lost Discord access once by forgetting to include it in the merged file.
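
The omission failure described in the steps and workaround above can be caught before a full replace is applied. The following is an added example, not part of the original issue and not openshell code. It assumes the policy is already parsed into a mapping with a hypothetical top-level `network_policies` key (group name to `endpoints` and `binaries` lists); the helper names and sample data are constructed.

```python
# Added example: the schema below is an assumption, not openshell's documented format.
from copy import deepcopy

GROUPS_KEY = "network_policies"  # assumed top-level key holding the policy groups


def merge_group(current, name, group):
    """Return a new policy with `group` added under `name`.

    Refuses to overwrite an existing group that has different contents, so a
    merge never silently widens or narrows access that is already granted.
    """
    merged = deepcopy(current)
    groups = merged.setdefault(GROUPS_KEY, {})
    if name in groups and groups[name] != group:
        raise ValueError(f"group {name!r} already exists with different contents")
    groups[name] = deepcopy(group)
    return merged


def diff_groups(current, proposed):
    """Summarise what replacing `current` with `proposed` would change."""
    old = current.get(GROUPS_KEY, {})
    new = proposed.get(GROUPS_KEY, {})
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def check_before_set(current, proposed, allow_remove=()):
    """Raise if a full replace would drop a group not listed in `allow_remove`."""
    diff = diff_groups(current, proposed)
    unexpected = [g for g in diff["removed"] if g not in allow_remove]
    if unexpected:
        raise ValueError(f"proposed policy drops groups: {unexpected}")
    return diff


# Constructed sample data (not taken from a real sandbox).
CURRENT = {GROUPS_KEY: {
    "github": {"endpoints": ["github.com"], "binaries": ["/usr/bin/git"]},
    "discord": {"endpoints": ["discord.com"], "binaries": ["/usr/local/bin/node"]},
}}
SLACK = {"endpoints": ["slack.com", "api.slack.com"],
         "binaries": ["/usr/local/bin/node"]}
```

Running `check_before_set` on the currently applied policy and the hand-merged file before a full replace turns a silently dropped group into an explicit error.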
