Add require_sandbox validation with settings.json check

[geoffjay]

Context

Child of #78. Depends on #116.

Changes

Add sandbox configuration validation during agent launch in spawn_agent():

When require_sandbox: true

Check for Claude Code's settings.json sandbox configuration at:

• ~/.claude/settings.json
• ~/.claude/settings.local.json

Parse just enough to look for {"sandbox": {"enabled": true}}. If not found, fail agent creation with a descriptive error explaining that sandbox must be configured in Claude Code settings.

When require_sandbox: false (default)

• If skip_permissions is true and no sandbox config detected: log tracing::warn!
• If agent has no permission restrictions at all (no permission_mode, no tools, no allowed_tools, no disallowed_tools, and tool_policy is AllowAll): log tracing::warn!

Implementation Notes

• Keep the settings.json check lightweight — no full Claude settings schema, just serde_json::Value navigation
• The check should be a helper function for testability

Files

• crates/orchestrator/src/manager.rs — validation in spawn_agent(), helper function
• crates/orchestrator/src/types.rs — require_sandbox field (may already exist from Add permission mode and tool restriction fields to AgentConfig #116)

Acceptance Criteria

• require_sandbox: true blocks launch when settings.json has no sandbox config
• require_sandbox: false logs warnings but proceeds
• Warning logged when skip_permissions: true without sandbox
• Warning logged when agent has zero permission restrictions
• Unit tests for the validation helper
• cargo build --workspace and cargo test pass