
git remotes: reduce authority granted #82

@banksean

Description


We should tighten up a few things around "pull-only" commit flow, so we don't grant more privileges than necessary:

Problems:

  • The sandbox is given read access to the original host worktree through the /run/git-origin-ro mount. For fetching committed host changes, it does not need read access to untracked files, ignored files, editor state, local secrets, or other non-Git worktree contents.
  • Several host-side commands run Git in sandbox-controlled repositories. sand git status, sand git log, and sand git diff --include-uncommitted execute host Git against the sandbox worktree, which means sandbox-controlled Git config, attributes, filters, pagers, fsmonitor settings, and related Git behavior may be evaluated by a trusted host process.
  • Sand fetches sandbox objects into the original host repository before the user explicitly adopts sandbox work. This does not update the host worktree, but it does import sandbox-controlled objects and refs into the user's trusted original .git directory.

TODOs:

  • Stop mounting the live original worktree into containers.
  • Expose committed host changes through a Sand-owned, read-only bare mirror or .git-only snapshot under Sand's app data directory.
  • Keep sandbox inspection state in a Sand-owned bare/cache repository instead of fetching sandbox refs into the original host repo automatically.
  • Make importing sandbox work into the original checkout an explicit user operation.
  • Run sandbox inspection either inside the container or through a hardened host Git wrapper that disables user/repo config, pagers, filters, fsmonitor, external diff, etc.
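One shape the hardened host Git wrapper from the last TODO could take, as an added example that is not Sand's own code (the function names hardened_git, hardening_config and demo_hardened_inspection, the trap script and the throwaway repository are all constructed for the illustration). It assumes POSIX sh and Git 2.36 or newer; the demo builds a repository whose .git/config, hooks and .gitattributes all try to make the inspecting host run a program, then checks that none of them fire under the wrapper.

```shell
#!/bin/sh
# Added example, not Sand's own code: run host Git against a sandbox-controlled
# worktree while refusing the sandbox's Git configuration. Assumes POSIX sh and
# git 2.36+ (boolean core.fsmonitor). GIT_CONFIG_GLOBAL/GIT_CONFIG_SYSTEM need
# git 2.32+; older versions ignore them and fall back to HOME, which points nowhere.

# Config keys forced regardless of what the sandbox wrote into its .git/config.
# Command-line config (-c) outranks repository config, and git forwards it to
# its own child git processes through GIT_CONFIG_PARAMETERS.
hardening_config() {
  # core.fsmonitor      a string value names a hook that `git status` executes
  # core.hooksPath      /dev/null is not a directory, so no hook can be found
  #                     (e.g. post-index-change, which status triggers)
  # core.pager          repo config may name any program; --no-pager is set too
  # diff.external       run for every file by diff, log -p and show
  # log.showSignature   would invoke gpg.program, itself repo-settable
  # core.attributesFile / core.excludesFile  per-user files the repo may redirect
  printf '%s\n' \
    core.fsmonitor=false \
    core.hooksPath=/dev/null \
    core.pager=cat \
    diff.external= \
    log.showSignature=false \
    core.attributesFile=/dev/null \
    core.excludesFile=/dev/null
}

# hardened_git <sandbox-worktree> <subcommand> [args...]
hardened_git() {
  worktree=$1; shift
  subcmd=$1; shift
  # Drivers selected by .gitattributes live under arbitrary names such as
  # diff.<name>.command or diff.<name>.textconv, which -c cannot enumerate;
  # the per-command switches turn the whole mechanism off instead.
  case $subcmd in
    diff|log|show) set -- --no-ext-diff --no-textconv "$@" ;;
  esac
  # Keys and values above contain no whitespace, so unquoted $opts is safe.
  opts=$(hardening_config | sed 's/^/-c /' | tr '\n' ' ')
  # env -i drops every inherited variable (GIT_*, editors, SSH agent ...) and
  # sets only what inspection needs. GIT_OPTIONAL_LOCKS=0 keeps status/diff from
  # rewriting the sandbox's index; --no-replace-objects ignores refs/replace the
  # sandbox may have planted to make history read differently than it is.
  env -i PATH="$PATH" HOME=/nonexistent \
    GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_SYSTEM=/dev/null GIT_CONFIG_NOSYSTEM=1 \
    GIT_TERMINAL_PROMPT=0 GIT_PAGER=cat GIT_OPTIONAL_LOCKS=0 \
    git --no-pager --no-replace-objects -C "$worktree" $opts "$subcmd" "$@"
}

# Constructed demo data, not a real sandbox: a throwaway repository whose
# .git/config, hooks and .gitattributes all try to make the inspecting host run
# $trapcmd, which records that it fired. Prints "clean" if nothing fired during
# hardened status/diff/log, "TRAPPED" if something did, "skipped" without git.
demo_hardened_inspection() {
  command -v git >/dev/null 2>&1 || { echo skipped; return 0; }
  tmp=$(mktemp -d)
  repo=$tmp/sandbox-worktree
  marker=$tmp/trap-fired
  trapcmd=$tmp/trap.sh
  printf '#!/bin/sh\ntouch "%s"\n' "$marker" >"$trapcmd"
  chmod +x "$trapcmd"
  mkdir "$tmp/hooks" && cp "$trapcmd" "$tmp/hooks/post-index-change"

  export GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_NOSYSTEM=1
  git init -q "$repo"
  echo hello >"$repo/file.txt"
  echo '*.txt diff=evil' >"$repo/.gitattributes"
  git -C "$repo" add .
  git -C "$repo" -c user.name=sandbox -c user.email=sandbox@example.invalid \
    commit -q -m "sandbox commit"
  echo more >>"$repo/file.txt"                        # uncommitted, so diff has work
  # Everything below is what an untrusted worktree can plant in its own .git/config:
  git -C "$repo" config core.fsmonitor "$trapcmd"     # fired by status
  git -C "$repo" config core.hooksPath "$tmp/hooks"   # post-index-change after status
  git -C "$repo" config diff.external "$trapcmd"      # fired by diff / log -p
  git -C "$repo" config diff.evil.command "$trapcmd"  # fired via .gitattributes
  unset GIT_CONFIG_GLOBAL GIT_CONFIG_NOSYSTEM

  hardened_git "$repo" status --porcelain >/dev/null
  hardened_git "$repo" diff HEAD >/dev/null
  hardened_git "$repo" log -1 -p --oneline >/dev/null

  if [ -e "$marker" ]; then echo TRAPPED; else echo clean; fi
  rm -rf "$tmp"
}
```

The wrapper covers the knobs named in the TODO, but it has a known gap: clean filters (filter.<name>.clean) selected by the worktree's .gitattributes are still run by status and diff on modified worktree files, and no command-line switch turns them off (Git 2.40+ can redirect attribute lookup to a tree-ish with --attr-source, which helps only when the caller knows a trusted tree to point at). That gap is why the stronger options in this issue are running inspection inside the container, or fetching sandbox refs into a Sand-owned bare repository and inspecting committed objects there with Sand's own configuration.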

Metadata

Assignees: No one assigned
Labels: enhancement (New feature or request)
Projects: No projects
Relationships: None yet
Development: No branches or pull requests