fix(codex): restore filesystem boundary on /codex review bare path

[genisis0x]

Summary

Closes #1503.

v1.34.2.0 (#1478, fixing #1428) shipped a dual-path approach for /codex review on Codex CLI ≥0.130.0 because --base <branch> and a custom prompt are now mutually exclusive at argv level. The default (bare) path calls codex review --base directly with no custom prompt, which means the previously-prefixed filesystem-boundary instruction ("do not read files under ~/.claude/, .claude/skills/, agents/, ~/.agents/") is no longer in front of the model when the diff touches those paths. On large diffs that include skill templates (which gstack itself does regularly) codex can spend a meaningful fraction of its token budget reading skill definitions meant for a different AI system.

This PR applies the issue's option C: detect skill-file paths in the diff and bail out of the bare path into the existing exec path, which already carries the boundary.

Implementation

codex/SKILL.md.tmpl Step 2A picks up a single new precondition before path selection:

_DIFF_TOUCHES_SKILLS=0
if git diff --name-only "<base>...HEAD" 2>/dev/null \
  | grep -Eq '^(\.claude/|\.claude/skills/|agents/|\.agents/)'; then
  _DIFF_TOUCHES_SKILLS=1
fi

Path selection becomes:

User instructions	_DIFF_TOUCHES_SKILLS	Route	Boundary carried
empty	0	codex review --base bare	n/a (no skill paths touched, nothing to wander into)
empty	1	codex exec with boundary	yes
present	0 or 1	codex exec with boundary + custom focus	yes

The exec branch's prompt build now makes the Custom focus: line conditional on $_USER_INSTRUCTIONS so the synthetic boundary-only fallthrough doesn't render an empty focus line.

Why not the other two options from the issue

• Option A: push the boundary into Codex CLI as a system-prompt arg if/when 0.130.0+ exposes one. Not exposed yet; this PR works against the CLI shape that's actually shipped.
• Option B: ~/.codex/AGENTS.md opt-in. Cross-machine config that lives outside the gstack tree, so users on fresh installs would still see the leak. The in-skill detection covers everyone running gstack regardless of their codex config.

Option C reuses every boundary-related construct already in the exec route (DIFF_START/DIFF_END delimiters, exec read-only sandbox, [P1]/[P2] gate marker contract), so the gate verdict in step 4 still works without any change.

Verification

$ bun run gen:skill-docs
[gen-llms-txt] gstack/llms.txt: 48 skills, 75 browse commands
(no warnings on codex skill)

$ bun test test/gen-skill-docs.test.ts test/skill-validation.test.ts
712 pass, 0 fail

Behavior on diffs that don't touch .claude/, .claude/skills/, agents/, or .agents/ is unchanged — the bare review path keeps Codex's internal review-prompt tuning, which is exactly what v1.34.2.0 went after.

Both codex/SKILL.md.tmpl (source of truth) and the regenerated codex/SKILL.md are in the diff per the SKILL.md workflow rule in CLAUDE.md.

No newsfragment

Per CLAUDE.md ("Contributor PR authors should not edit CHANGELOG.md; maintainer/AI adds entries during landing/merge").