feat: deny-by-default filesystem isolation

Flip the sandbox from allow-by-default reads (--ro-bind / /) to
deny-by-default (--tmpfs / with selective mounts). This makes the
sandbox safer by default — only system paths, CWD, and explicitly
allowed paths are accessible.

- Config: DefaultDenyRead is now *bool (nil = true, deny-by-default)
  with IsDefaultDenyRead() helper; opt out via "defaultDenyRead": false
- Linux: new buildDenyByDefaultMounts() using --tmpfs / + selective
  --ro-bind for system paths, --symlink for merged-usr distros (Arch),
  --bind for CWD, and --ro-bind for user tooling/shell configs/caches
- macOS: generateReadRules() adds CWD subpath, ancestor traversal,
  home shell configs/caches; generateWriteRules() auto-allows CWD
- Landlock: deny-by-default mode allows only specific user tooling
  paths instead of blanket home directory read access
- Sensitive .env files masked within CWD via empty-file overlay on
  Linux and deny rules on macOS
- Learning templates now include allowRead and .env deny patterns

internal/sandbox/dangerous.go

@@ -28,6 +28,30 @@ var DangerousDirectories = []string{
 	".claude/agents",
 }
 
+// SensitiveProjectFiles lists files within the project directory that should be
+// denied for both read and write access. These commonly contain secrets.
+var SensitiveProjectFiles = []string{
+	".env",
+	".env.local",
+	".env.development",
+	".env.production",
+	".env.staging",
+	".env.test",
+}
+
+// GetSensitiveProjectPaths returns concrete paths for sensitive files within the
+// given directory. Only returns paths for files that actually exist.
+func GetSensitiveProjectPaths(cwd string) []string {
+	var paths []string
+	for _, f := range SensitiveProjectFiles {
+		p := filepath.Join(cwd, f)
+		if _, err := os.Stat(p); err == nil {
+			paths = append(paths, p)
+		}
+	}
+	return paths
+}
+
 // GetDefaultWritePaths returns system paths that should be writable for commands to work.
 func GetDefaultWritePaths() []string {
 	home, _ := os.UserHomeDir()