Samuel Aubertin
e7112db3d7
Harden launcher overrides and fix opencode backend regressions
- remove codex auth mounts from opencode run/shell paths
- reject opencode login and invalid backend values
- harden opencode config writes against symlink clobbering
- fix opencode build args and packages_extra handling
- enforce cap-drop and read-only rootfs in runtime commands
- reject dangerous runtime/build env overrides
- update README and test docs to match actual behavior
- extend regression coverage for backend safety and hardening