fix(sandbox): add missing writable paths for tool state directories

[RyderFreeman4Logos]

Summary

• Add ~/.gemini to with_tool_defaults() for gemini-cli (OAuth tokens, session history, project settings)
• Add CSA project-level state root and global slots directory for all tools (fork-call session creation, lock files)
• Add 6 new tests covering gemini-cli/opencode defaults and CSA state path injection

Not added (by design):

• ~/.claude-mem: MCP servers run outside bwrap, no filesystem sandbox needed
• Entire CSA state root: too broad scope, only project-specific dir + slots

Test plan

• cargo test -p csa-resource -- test_tool_defaults (4 tests pass)
• cargo test -p cli-sub-agent -- csa_state_paths (2 tests pass)
• just pre-commit passes (fmt, clippy, 2766 tests, e2e)
• CSA review (tier-4-critical) clean

🤖 Generated with Claude Code

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 25b52df8a5

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Avoid binding ~/.gemini before the directory exists

On Linux hosts that use bubblewrap, this new writable path will break sandboxed gemini-cli launches whenever ~/.gemini has not been created yet (for example, first-time users or setups that only have the XDG config dir). with_tool_defaults() now always appends ~/.gemini, and csa-resource/src/bwrap.rs turns every writable path into --bind src src without checking that src exists, so the child fails before Gemini can create the directory itself. Binding an existing parent or creating the directory up front avoids that regression.

Useful? React with 👍 / 👎.