feat: deny-by-default filesystem isolation

Flip the sandbox from allow-by-default reads (--ro-bind / /) to
deny-by-default (--tmpfs / with selective mounts). This makes the
sandbox safer by default — only system paths, CWD, and explicitly
allowed paths are accessible.

- Config: DefaultDenyRead is now *bool (nil = true, deny-by-default)
  with IsDefaultDenyRead() helper; opt out via "defaultDenyRead": false
- Linux: new buildDenyByDefaultMounts() using --tmpfs / + selective
  --ro-bind for system paths, --symlink for merged-usr distros (Arch),
  --bind for CWD, and --ro-bind for user tooling/shell configs/caches
- macOS: generateReadRules() adds CWD subpath, ancestor traversal,
  home shell configs/caches; generateWriteRules() auto-allows CWD
- Landlock: deny-by-default mode allows only specific user tooling
  paths instead of blanket home directory read access
- Sensitive .env files masked within CWD via empty-file overlay on
  Linux and deny rules on macOS
- Learning templates now include allowRead and .env deny patterns

internal/sandbox/integration_test.go

@@ -123,13 +123,17 @@ func assertContains(t *testing.T, haystack, needle string) {
 // ============================================================================
 
 // testConfig creates a test configuration with sensible defaults.
+// Uses legacy mode (defaultDenyRead=false) for predictable testing of
+// existing integration tests. Use testConfigDenyByDefault() for tests
+// that specifically test deny-by-default behavior.
 func testConfig() *config.Config {
 	return &config.Config{
 		Network: config.NetworkConfig{},
 		Filesystem: config.FilesystemConfig{
-			DenyRead:   []string{},
-			AllowWrite: []string{},
-			DenyWrite:  []string{},
+			DefaultDenyRead: boolPtr(false), // Legacy mode for existing tests
+			DenyRead:        []string{},
+			AllowWrite:      []string{},
+			DenyWrite:       []string{},
 		},
 		Command: config.CommandConfig{
 			Deny:        []string{},