Feature: sandbox and approval profile controls #87

@slashdevcorpse

Description

Research-backed TODO

CodexClaw defaults to read-only, but users need clear per-run control over sandbox and approval behavior so capability changes are visible and auditable.

Acceptance criteria

  • Expose named run profiles such as read-only inspect, workspace write, and elevated manual review.
  • Show the effective Codex CLI sandbox/approval flags before send.
  • Require explicit confirmation when a run profile allows writes or elevated actions.
  • Persist the selected default per workspace and record the profile in session history.

Public research basis

  • OpenCode separates plan/read-only and build/full-access agent modes.
  • Open SWE emphasizes isolated execution boundaries for higher-permission tasks.
  • MCP server docs warn that tool access requires evaluating security requirements.

Non-goals

  • No hosted cloud sandbox in this issue.
  • No bypass around Codex CLI’s own safety controls.

Source set

  • OpenAI Codex CLI - local terminal coding agent, installer paths, IDE/desktop context.
  • OpenHands - local GUI with REST API + SPA, CLI, cloud collaboration/integrations.
  • Aider - repo maps, git integration, image/web context, lint/test loops.
  • Continue - source-controlled AI checks as markdown agents in CI.
  • Open SWE - isolated sandboxes, AGENTS.md context, curated tools, subagents, Slack/Linear handoff.
  • Model Context Protocol servers - tool/server registry pattern, filesystem/git/memory/fetch examples, security warnings.
  • Open WebUI - responsive/PWA UI, RAG/web browsing, artifact storage, permissions.
  • OpenCode - coding-agent modes, plan/build separation, subagent pattern.
  • Cline - autonomous coding agent as SDK, IDE extension, and CLI assistant.
  • Roo Code - agent-oriented coding workflow inside the editor.
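A sketch of the profile-to-flag mapping, pre-send preview, confirmation gate and session-history record that the acceptance criteria describe, added here as an illustration and not code from CodexClaw. The three profile names come from the issue; the Codex CLI `--sandbox` / `--ask-for-approval` values, the workspace path and the history entry format are assumptions.

```python
from datetime import datetime, timezone

# Constructed profile table for the three profiles named in the issue.
# The Codex CLI flag values are assumed (read-only | workspace-write |
# danger-full-access, untrusted | on-request), not taken from the issue.
PROFILES = {
    "read-only inspect":      ("read-only",          "untrusted"),
    "workspace write":        ("workspace-write",    "on-request"),
    "elevated manual review": ("danger-full-access", "untrusted"),
}


def effective_flags(profile: str) -> list[str]:
    """Resolve a profile to the flags the UI shows before send."""
    if profile not in PROFILES:
        raise ValueError(f"unknown run profile: {profile!r}")
    sandbox, approval = PROFILES[profile]
    return ["--sandbox", sandbox, "--ask-for-approval", approval]


def requires_confirmation(profile: str) -> bool:
    """Anything beyond read-only (writes or elevated access) must be confirmed."""
    sandbox, _ = PROFILES[profile]
    return sandbox != "read-only"


def plan_run(profile: str, workspace: str, confirmed: bool = False) -> dict:
    """Build the pre-send view; a gated profile is blocked until confirmed."""
    flags = effective_flags(profile)
    gated = requires_confirmation(profile)
    allowed = confirmed or not gated
    return {
        "profile": profile,
        "workspace": workspace,
        "preview": "codex " + " ".join(flags),   # what the user sees before send
        "requires_confirmation": gated,
        "allowed": allowed,
        "reason": None if allowed else "profile permits writes or elevated actions",
    }


def set_workspace_default(defaults: dict, workspace: str, profile: str) -> dict:
    """Persist the chosen default per workspace, rejecting unknown profiles."""
    effective_flags(profile)  # validates the name
    defaults[workspace] = profile
    return defaults


def record_session(history: list, plan: dict) -> list:
    """Append an auditable entry only for runs that actually went ahead."""
    if plan["allowed"]:
        history.append({"ts": datetime.now(timezone.utc).isoformat(),
                        "workspace": plan["workspace"],
                        "profile": plan["profile"], "flags": plan["preview"]})
    return history
```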

Metadata

Assignees

No one assigned

    Labels

      • app: Web app UI and server behavior
      • beta: Candidate work for beta readiness
      • enhancement: New feature or request
      • research-backed: Feature request grounded in public project research
      • security: Security advisories and vulnerability remediation
      • todo: Tracked TODO backlog item
