fix: preserve denyRead precedence in linux mount planner #100

Merged
jy-tan merged 1 commit into main from mount-planner
Apr 3, 2026
@jy-tan jy-tan commented Apr 2, 2026

Summary

Prevent overlapping Linux filesystem deny rules from re-exposing masked paths by replacing the late exact-path dedupe with subtree-aware mount planning.

The new planner makes denyRead masks take precedence over later read-only self-binds from denyWrite, mandatory dangerous-path protection, and runtime exec deny, including descendant paths under a masked directory.

Resolves #87.

Changes

  • Add internal/sandbox/linux_mount_planner.go to plan the late policy overlays for denyRead, mandatory dangerous-path protection, denyWrite, and runtime exec deny
  • Encode explicit precedence rules for overlapping mounts:
    • a masked ancestor beats any later same-path or descendant self-bind
    • same-path denyRead + denyWrite stays masked instead of becoming visible read-only
    • child denyWrite entries under a masked directory are ignored
    • redundant read-only descendant mounts are pruned
  • Simplify internal/sandbox/linux.go by delegating only the overlay/security phases to the planner and leaving the base, special mounts, and cross-mount repairs imperative
  • Add unit tests for planner conflict resolution and command generation for same-path and child-path overlap cases
  • Add Linux integration regressions covering the original ~/.ssh overlap and the stronger child-under-masked-parent case
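
The precedence rules listed in this description, sketched as a small subtree-aware planner. This is an added example, not code from this pull request or from internal/sandbox/linux_mount_planner.go; the names `Overlay`, `PlanOverlays` and `within` and the sample paths are assumptions, and every read-only source (denyWrite, mandatory dangerous-path protection, runtime exec deny) is modeled as one list.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Overlay is one planned late mount: Mask hides the path, otherwise it is a read-only self-bind.
type Overlay struct {
	Path string
	Mask bool
}

// within reports whether p is root or a descendant of it, by path component.
func within(p, root string) bool {
	return p == root || root == "/" || strings.HasPrefix(p, root+"/")
}

// PlanOverlays (hypothetical name) resolves overlaps by subtree; inputs are assumed to be cleaned absolute paths.
func PlanOverlays(denyRead, readOnly []string) []Overlay {
	var plan []Overlay
	add := func(paths []string, mask bool) {
		sorted := append([]string(nil), paths...)
		sort.Strings(sorted) // an ancestor sorts before its descendants
	next:
		for _, p := range sorted {
			for _, o := range plan {
				// A mask covers its whole subtree; a read-only bind only makes other read-only binds redundant.
				if within(p, o.Path) && (o.Mask || !mask) {
					continue next
				}
			}
			plan = append(plan, Overlay{p, mask})
		}
	}
	add(denyRead, true)  // masks are planned first so they always win
	add(readOnly, false) // self-binds survive only outside masked subtrees
	sort.Slice(plan, func(i, j int) bool { return plan[i].Path < plan[j].Path })
	return plan
}

func main() {
	// Constructed sample policy, not taken from the project.
	ro := []string{"/home/u/.ssh", "/home/u/.ssh/config", "/etc", "/etc/ssh"}
	for _, o := range PlanOverlays([]string{"/home/u/.ssh"}, ro) {
		fmt.Printf("%-14s mask=%v\n", o.Path, o.Mask)
	}
}
```

An exact-path dedupe would drop only the duplicate `/home/u/.ssh` entry and still emit the `/home/u/.ssh/config` self-bind; the component-wise prefix check is what removes it, while a sibling such as `/home/u/.sshx` is left alone.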

@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 4 files

@jy-tan jy-tan requested a review from dwt April 2, 2026 02:50
@jy-tan jy-tan merged commit 90707e3 into main Apr 3, 2026
6 checks passed
@jy-tan jy-tan deleted the mount-planner branch April 3, 2026 06:44
Development

Successfully merging this pull request may close these issues.

denyRead directories remain readable when also in denyWrite
