Commit d0162d6

Harden agent: sandbox to workspace-write, ban shortcut patterns, add concrete examples
- Switch sandbox from danger-full-access to workspace-write with approvalPolicy: never — agent can only access its workspace and the explicitly listed additionalDirectories (TS source, existing client). It can no longer browse river-python or other repos.
- Prompt overhaul:
  - Quality bar framing: output will be discarded if not clean/readable
  - BANNED patterns section: RootModel, make_schema_model, __get_pydantic_json_schema__, SchemaAdapter, create_model, raw JSON Schema dicts — all explicitly rejected
  - 6 concrete TypeBox-to-Pydantic translation examples covering Type.Object, $kind unions, error unions, Optional/Record/Array, recursive types, and Type.Intersect flattening
  - Directory scope section: only access workspace + TS source
  - Stronger anti-shortcut language throughout
- Verification script improvements:
  - Code quality pre-check: scans all .py files for banned patterns before comparing schemas, fails with exit code 2 if found
  - New normalizations: Uint8Array->string, strip type alongside const, enum->anyOf+const, strip null variant from 2-element anyOf (handles TypeBox Optional vs Pydantic Optional mismatch), strip discriminator and additionalProperties metadata
1 parent b76e151 commit d0162d6

3 files changed

+657
-182
lines changed

codegen-llm/src/codegen.ts

Lines changed: 2 additions & 1 deletion
@@ -53,7 +53,8 @@ export async function runCodegen(opts: CodegenOptions): Promise<void> {
5353

5454
const thread = codex.startThread({
5555
model: opts.model,
56-
sandboxMode: "danger-full-access",
56+
sandboxMode: "workspace-write",
57+
approvalPolicy: "never",
5758
modelReasoningEffort: opts.effort,
5859
workingDirectory: workDir,
5960
skipGitRepoCheck: true,
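Review bot: the two added options, sandboxMode: "workspace-write" and approvalPolicy: "never", are the whole of the hardening visible in this hunk, but the additionalDirectories list that the commit message relies on to scope the agent to the TS source and the existing client does not appear in these lines; confirm it is passed in the same startThread options and that every directory in it genuinely needs write access, because workspace-write is a write grant on each listed root, not a read-only one. A one-line comment above these options stating the intent (deny by default, no interactive escalation) would also help: with approvalPolicy: "never", any operation outside the sandbox is refused rather than prompted, so widening that directory list becomes the only way the agent's reach can grow, and reviewers of later changes should know to look there.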
