Allow disabling boolean flags from the CLI

Pair --hardened, --dry-run, and --unshare-net (renamed from --no-net)
with negation counterparts so a CLI invocation can override a truthy
config-file or profile value.

src/cli.rs

@@ -19,12 +19,20 @@ pub struct Args {
     pub whitelist: bool,
 
     /// Harden: unshare IPC, PID, UTS; private /tmp, /dev, /run
-    #[arg(long)]
+    #[arg(long, overrides_with = "no_hardened")]
     pub hardened: bool,
 
+    /// Disable hardening (overrides config-file `hardened = true`)
+    #[arg(long, overrides_with = "hardened")]
+    pub no_hardened: bool,
+
     /// Unshare the network namespace
-    #[arg(long)]
-    pub no_net: bool,
+    #[arg(long, overrides_with = "share_net")]
+    pub unshare_net: bool,
+
+    /// Share the host network namespace (overrides config-file `unshare-net = true`)
+    #[arg(long, overrides_with = "unshare_net")]
+    pub share_net: bool,
 
     /// Bind an extra path read-write (repeatable)
     #[arg(long = "rw", value_name = "PATH", action = clap::ArgAction::Append)]
@@ -35,9 +43,13 @@ pub struct Args {
     pub extra_ro: Vec<PathBuf>,
 
     /// Print the bwrap command without executing
-    #[arg(long)]
+    #[arg(long, overrides_with = "no_dry_run")]
     pub dry_run: bool,
 
+    /// Disable dry-run (overrides config-file `dry-run = true`)
+    #[arg(long, overrides_with = "dry_run")]
+    pub no_dry_run: bool,
+
     /// Working directory inside the sandbox (default: current directory)
     #[arg(long, value_name = "PATH")]
     pub chdir: Option<PathBuf>,