Twig Sandbox Bypass via __toString() Calls
The sandbox security mechanism was bypassed because SandboxNodeVisitor only wrapped a hardcoded list of AST nodes in CheckToStringNode, missing many constructs that trigger __toString() calls.
What changed
Before the fix, SandboxNodeVisitor wrapped only a hardcoded list of AST node types in CheckToStringNode, so other template constructs that coerce a value to a string, and therefore call __toString(), were never checked against the sandbox policy. The fix introduces CoercesChildrenToStringInterface, which lets each node declare which of its children must be guarded, and adds runtime checks for spread arguments and dynamic attribute names, which cannot be guarded at compile time.
Who it affects
All Twig users relying on the sandbox to restrict __toString() calls on Stringable objects. Any template author in a sandboxed environment could trigger __toString() on objects whose __toString() method the sandbox policy did not allowlist.
What to do today
Update to the latest Twig version that includes the security fix. Review and adjust any custom sandbox policies if needed.
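After upgrading, it is worth confirming that the sandbox refuses string coercion of a non-allowlisted Stringable object across several template constructs, and that the policy's method allowlist still opens it up deliberately. The following PHP script is an added regression check written for this advisory; it is not code from the advisory or from the Twig project. It uses Twig's public sandbox API (Environment, SandboxExtension, SecurityPolicy, SecurityError); the Invoice class, the template snippets and the expected counts are constructed for the example and assume a Twig 3.x installation via Composer.

```php
<?php
// Added regression check for the sandbox's __toString() guard.
// Not part of the advisory or of Twig itself. Assumes Twig 3.x installed
// via Composer; Invoice and the template snippets are constructed here.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// A Stringable object that records whether __toString() ran. In a real
// application this could be any object whose string form exposes data
// or has side effects.
final class Invoice implements \Stringable
{
    public static int $toStringCalls = 0;

    public function __toString(): string
    {
        self::$toStringCalls++;
        return 'INVOICE-0001 total=9999';
    }
}

// Constructed template snippets. Each one coerces `obj` to a string, so
// each must be refused when __toString is not allowlisted for Invoice.
$templates = [
    'print'        => '{{ obj }}',
    'concat'       => "{{ 'ref: ' ~ obj }}",
    'filter'       => '{{ obj|upper }}',
    'interpolate'  => '{{ "ref: #{obj}" }}',
    'set-then-use' => '{% set s = obj %}{{ s }}',
];

// Render every snippet under the given policy and report the outcome.
// Autoescaping is disabled so the only thing under test is the policy.
function renderAll(SecurityPolicy $policy, array $templates): array
{
    $twig = new Environment(new ArrayLoader(), ['autoescape' => false]);
    // sandboxed=true places every template under the policy.
    $twig->addExtension(new SandboxExtension($policy, true));

    $results = [];
    foreach ($templates as $name => $src) {
        try {
            $out = $twig->createTemplate($src)->render(['obj' => new Invoice()]);
            $results[$name] = 'RENDERED: ' . $out;
        } catch (SecurityError $e) {
            $results[$name] = 'BLOCKED: ' . get_class($e);
        }
    }
    return $results;
}

// Policy 1: the tag and filter the snippets use are allowed, but no
// methods are. Expected: every construct is BLOCKED and __toString()
// never runs, because the guard fires before the coercion happens.
$strict = new SecurityPolicy(['set'], ['upper'], []);
Invoice::$toStringCalls = 0;
foreach (renderAll($strict, $templates) as $name => $r) {
    printf("[strict] %-13s %s\n", $name, $r);
}
printf("[strict] __toString() calls: %d (expected 0)\n\n", Invoice::$toStringCalls);

// Policy 2: __toString explicitly allowlisted on Invoice only.
// Expected: every construct RENDERS and __toString() runs once per snippet.
$allowInvoice = new SecurityPolicy(['set'], ['upper'], [Invoice::class => ['__toString']]);
Invoice::$toStringCalls = 0;
foreach (renderAll($allowInvoice, $templates) as $name => $r) {
    printf("[allow]  %-13s %s\n", $name, $r);
}
printf("[allow]  __toString() calls: %d (one per construct)\n", Invoice::$toStringCalls);
```

Run it once against the upgraded Twig version and keep it in the test suite: a construct that reports RENDERED under the strict policy, or a non-zero call count there, means string coercion is reaching __toString() without passing through the sandbox policy. The second policy doubles as documentation of which classes your templates are deliberately allowed to stringify.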