Vouch request: tatsuya-ogawa

[tatsuya-ogawa]

What do you want to work on?

This PR introduces the External Resolver, allowing the sandbox to fetch credentials on-demand from an HTTP endpoint right before relaying a request to an upstream provider. This enhances security by moving secret management out of the sandbox configuration and into dedicated infrastructure.

similar issue:
#538

Why this change?

Currently, the OpenShell sandbox's L7 relay only supports static secrets or environment variable placeholders resolved at startup. To support environments where secrets are dynamic or managed by external systems (e.g., rotating tokens, vault services, or identity-based access), a more flexible resolution mechanism is required.

Checklist

• I wrote this request myself (not AI-generated)
• I have read CONTRIBUTING.md