feat(agents): add manifest-driven gator agent

[johntmyers]

Summary

Add a manifest-driven sandbox agent launcher and the first concrete agent, Gator, for validating and monitoring OpenShell issues and PRs. The launcher packages shared runtime adapters, provider profiles, skills, subagents, and prompts into supervised OpenShell sandboxes so gator can run bounded Codex cycles in watch mode.

Related Issue

None.

Changes

• Add openshell-agents/run.sh, shared runtime entrypoint, supervisor, Codex harness adapter, and subagent dispatch support.
• Add the openshell-agents/gator/ manifest, prompt, README, Dockerfile, scoped GitHub/Codex provider profiles, and sandbox policy.
• Add the gator-gate skill for the gator state machine, validation rules, human-response disposition, reviewer invocation, CI/test gating, and scoped GitHub auth guidance.
• Add gateway-managed Codex access-token refresh handling and preserve/repair behavior for long-running watch sandboxes.
• Harden watch mode so transient transport failures, malformed cycle results, and legacy failure statuses retry without exiting the sandbox.
• Document the agent runtime and provider placeholder behavior in openshell-agents/README.md.

Testing

• mise run pre-commit passes
• Unit tests added/updated
• E2E tests added/updated (if applicable)

Additional checks:

• bash openshell-agents/runtime/supervisor_test.sh
• Live gator sandboxes relaunched and observed Ready on docker-dev
• Verified provider-backed Codex and GitHub placeholder resolution inside gator sandboxes

Checklist

• Follows Conventional Commits
• Commits are signed off (DCO)
• Architecture docs updated (not applicable; agent docs live under openshell-agents/)