Sandbox enforcement has two cooperative jobs - translation and
confinement - and until now the translation half lived only inside
SwiftBash's MountedFileSystem. Every cooperative caller that isn't a
bash builtin (SwiftPorts CLIs, the JS runtime, SwiftScript) resolved
paths in the wrong space: Shell.resolve returned virtual spellings it
then fed to FileManager/C APIs, and the URL gate checked those virtual
spellings against host roots. Cocoanetics/SwiftBash#83 moves the core
down here so both facades share one authority:

- PathMapping: the mount table (longest-virtual-prefix routing,
  lexical `..` collapse via the new Shell.normalizePath) translating
  virtual -> host, plus virtualPath(forHost:) folding host paths back
  to virtual for display so realpath-style output never leaks the
  embedder's host layout.
- Sandbox.confined(to:home:temporaryDirectory:...): the Facade-B gate.
  Authorizes a file URL iff its canonical (symlink-resolved) path
  lands inside one of the mapping's host roots; carries the mapping as
  Sandbox.pathMapping. Region directories anchor at the `home` mount's
  host root; temporaryDirectory defaults to the `/tmp` mount's host.
- Shell.resolve now translates through sandbox?.pathMapping after the
  cwd join, so SwiftPorts CLIs / JS / SwiftScript get host paths that
  do real I/O on the right files with no per-tool rewrite; the same
  table gates them, so resolution and confinement cannot disagree.
  Shell.currentDirectory translates identically. Without a mapping
  (standalone CLIs, rooted/appContainer sandboxes) nothing changes.
- Shell.displayPath(for:): the outbound door for anything a script
  gets to see.

Shell.normalizePath is the lexical normaliser SwiftBash carried; it
moves down so the mapping (and the subclass) share one implementation.

SwiftLint CI: file_length on Sandbox+Factories (confined(to:) moves to
its own file, sharing the now-internal authorizeUnderRoots),
type_body_length on PathMappingTests (the confined-gate suite moves to
SandboxConfinedTests), and large_tuple in virtualPath(forHost:) (the
best-match accumulator becomes a small local struct).

Codex P1 on #17: under a mapping, resolve returned paths that matched
no mount unchanged - so a script holding (or guessing) the HOST
spelling of a mounted directory could address files through it, and
the gate authorized it since the location genuinely lies inside a
canonical host root. The containment boundary held; the namespace
boundary (scripts speak virtual only) didn't - and Facade B
disagreed with the bash-side mounted filesystem, which ENOENTs host
spellings.

resolve now never hands back un-translated text under a mapping:
paths outside every mount (including the Windows drive-letter and
empty-cwd fallbacks) resolve to a voided location under
Shell.unmappedPathSentinel ("/dev/null/unmapped" + the normalised
virtual spelling). /dev/null is a file on every POSIX host, so
nothing below it can exist or be created, and the gate's containment
check rejects it like any other out-of-roots path. displayPath folds
the sentinel back to the original spelling so diagnostics stay
readable. Tests cover the host-spelling probe (verbatim and
symlink-resolved), gate denial, and ..-escape of the sentinel.