feat(adk/backend): implement both Ark Sandbox and Local filesystem backends

This commit introduces two new backend implementations for `adk/backend` to support flexible filesystem operations: `arksandbox` for secure remote execution and `local` for direct local filesystem access.

Key changes include:
- **Ark Sandbox Backend (`arksandbox`)**:
  - Implements `filesystem.Backend` to integrate with Volcengine's Ark Sandbox.
  - Features include request signing, session management, and remote execution of filesystem commands (LsInfo, Read, Write, Edit, GrepRaw, GlobInfo).
  - Adds `code_template.go` for Python-based sandbox operations and `types.go` for API definitions.

- **Local Backend (`local`)**:
  - Implements `filesystem.Backend` for operating directly on the local machine's filesystem.
  - Supports standard operations: `LsInfo` (directory listing), `Read` (with line limits/offsets), `Write` (file creation), `GrepRaw` (content search), and `GlobInfo` (pattern matching).
  - Includes input validation to ensure paths are absolute and handles permission errors gracefully.

- **General**:
  - Adds unit tests for both backends (`arksandbox_test.go`, `local_sandbox_test.go`) to verify functionality.
  - Updates `go.mod` and `go.sum` with necessary dependencies.
  - Provides comprehensive `README.md` documentation for both implementations.

Author: zhuangjie1125

adk/backend/arksandbox/README.md

@@ -0,0 +1,166 @@
+# EINO ADK - Ark Sandbox Backend
+
+`arksandbox` is an ADK (Agent Development Kit) backend that integrates with Volcengine's Ark Sandbox service. This backend provides a secure, sandboxed environment for executing code and performing filesystem operations, leveraging Volcengine's infrastructure to ensure isolation and security.
+
+It implements the `filesystem.Backend` interface, allowing you to interact with the sandbox's filesystem through a standardized set of methods.
+
+## Features
+
+- **Secure Execution**: All operations are performed within a secure, isolated sandbox environment.
+- **Full `filesystem.Backend` Implementation**: Supports all standard filesystem operations:
+  - `LsInfo`: Lists files and directories.
+  - `Read`: Reads file content.
+  - `Write`: Creates and writes to files.
+  - `Edit`: Searches and replaces content within files.
+  - `GrepRaw`: Searches for patterns in files.
+  - `GlobInfo`: Finds files matching a glob pattern.
+- **Session Management**: Supports session isolation via `UserSessionID` and configurable session TTL.
+
+## Configuration
+
+To initialize the backend, you need to provide a `Config` struct with your Volcengine credentials and tool details.
+
+```go
+// Config holds the configuration for the Ark Sandbox.
+type Config struct {
+	// AccessKeyID for Volcengine. Required.
+	AccessKeyID string
+
+	// SecretAccessKey for Volcengine. Required.
+	SecretAccessKey string
+
+	// ToolID is the ID of the sandbox tool created in the Volcengine console. Required.
+	ToolID string
+
+	// UserSessionID specifies the user session to achieve context isolation. Required.
+	UserSessionID string
+
+	// Region is the request's region (e.g., "cn-beijing").
+	// Optional. Defaults to "cn-beijing".
+	Region Region
+
+	// SessionTTL is the session expiration time in seconds (range: 60-86400).
+	// Optional. Defaults to 1800.
+	SessionTTL int
+
+	// InvokeTimeout is the timeout for executing a single command in the sandbox, in seconds.
+	// Optional. Defaults to 30.
+	InvokeTimeout int
+	
+	// HTTPClient specifies the client to send HTTP requests.
+	// Optional. If not set, a default client with a timeout is used.
+	HTTPClient *http.Client
+
+	// Timeout specifies the maximum duration for the HTTP client.
+	// This is ignored if HTTPClient is set.
+	// Optional.
+	Timeout time.Duration
+}
+```
+
+## Usage
+
+Here is a complete example of how to initialize and use the `arksandbox` backend.
+
+### Prerequisites
+
+Set the following environment variables with your Volcengine credentials:
+
+- `VOLC_ACCESS_KEY_ID`: Your Access Key ID.
+- `VOLC_SECRET_ACCESS_KEY`: Your Secret Access Key.
+- `VOLC_TOOL_ID`: The ID of your Ark Sandbox tool.
+
+### Example Code
+
+```go
+package main
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"os"
+	"time"
+
+	"github.com/cloudwego/eino-ext/adk/backend/arksandbox"
+	"github.com/cloudwego/eino/adk/middlewares/filesystem"
+)
+
+func main() {
+	// 1. Configure the backend
+	accessKeyID := os.Getenv("VOLC_ACCESS_KEY_ID")
+	secretAccessKey := os.Getenv("VOLC_SECRET_ACCESS_KEY")
+	toolID := os.Getenv("VOLC_TOOL_ID")
+
+	if accessKeyID == "" || secretAccessKey == "" || toolID == "" {
+		log.Fatal("Environment variables VOLC_ACCESS_KEY_ID, VOLC_SECRET_ACCESS_KEY, and VOLC_TOOL_ID must be set.")
+	}
+
+	config := &arksandbox.Config{
+		AccessKeyID:     accessKeyID,
+		SecretAccessKey: secretAccessKey,
+		ToolID:          toolID,
+		UserSessionID:   "example-session-" + time.Now().Format("20060102-150405"),
+		Region:          arksandbox.RegionOfBeijing,
+		Timeout:         60 * time.Second,
+	}
+
+	// 2. Create a new backend instance
+	client, err := arksandbox.NewArkSandboxBackend(config)
+	if err != nil {
+		log.Fatalf("Failed to create backend: %v", err)
+	}
+
+	// 3. Use the client for filesystem operations
+	ctx := context.Background()
+
+	// Example: List files in the root directory
+	// Note: The default user 'gem' may not have permission. Use a writable directory like '/home/gem'.
+	files, err := client.LsInfo(ctx, &filesystem.LsInfoRequest{Path: "/home/gem"})
+	if err != nil {
+		log.Fatalf("Failed to list files: %v", err)
+	}
+	fmt.Println("Files in /home/gem:")
+	for _, f := range files {
+		fmt.Printf("- %s\n", f.Path)
+	}
+
+	// Example: Write a new file
+	filePath := "/home/gem/example.txt"
+	err = client.Write(ctx, &filesystem.WriteRequest{
+		FilePath: filePath,
+		Content:  "Hello, Ark Sandbox!",
+	})
+	if err != nil {
+		log.Fatalf("Failed to write file: %v", err)
+	}
+	fmt.Printf("Successfully wrote to %s\n", filePath)
+
+	// Example: Read the file content
+	content, err := client.Read(ctx, &filesystem.ReadRequest{
+		FilePath: filePath,
+	})
+	if err != nil {
+		log.Fatalf("Failed to read file: %v", err)
+	}
+	fmt.Printf("Content of %s: %s\n", filePath, content)
+}
+```
+
+## API Reference
+
+The `arksandbox` backend implements the `filesystem.Backend` interface.
+
+### `NewArkSandboxBackend(config *Config) (filesystem.Backend, error)`
+
+Initializes a new backend instance with the given configuration. It returns a `filesystem.Backend` interface, hiding the specific implementation.
+
+## FAQ
+
+**Q: Why am I getting "permission denied" errors?**
+
+A: Instances created by the default AIO Sandbox and Skills Sandbox tools in Volcengine have a default execution user named `gem`. This user may not have permissions to operate on system paths like `/` or `/tmp`. Always perform file operations in a designated user-writable directory, such as `/home/gem`, to avoid permission issues.
+
+**Q: How should I manage API credentials?**
+
+A: Never hardcode your `AccessKeyID` and `SecretAccessKey` in your source code. Use environment variables (as shown in the example) or a secure secret management service to handle your credentials.