
fix(selfhost): isolate subscription cli environments#1392

Open. JSONbored wants to merge 1 commit into main from codex/fix-vulnerability-in-codex-self-host-ai

Conversation

@JSONbored (Owner)

Motivation

  • Close a self-host security regression where subscription CLI subprocesses could inherit the full worker process.env, exposing runtime secrets to prompt-injectable reviewer subprocesses.
  • Ensure locally-authenticated CLIs (Claude Code / Codex) run with only the minimal environment and an isolated working directory so attacker-controlled PR text cannot induce secret exfiltration.

Description

  • Add a strict allowlist SUBSCRIPTION_CLI_ENV_ALLOWLIST and subscriptionCliEnv() to build a minimal env for subscription CLIs instead of spreading process.env into subprocesses.
  • Introduce isolatedCliCwd() and thread cwd through the shared SpawnFn/defaultSpawn() so each CLI runs from an isolated temporary directory.
  • Update createClaudeCodeAi() and createCodexAi() to use subscriptionCliEnv() and launch subprocesses with the isolated cwd and the allowlisted env only.
  • Update unit tests in test/unit/selfhost-ai.test.ts to assert the subprocess env is allowlisted, that Codex flags/args remain correct, and that the subprocess cwd is isolated.

Testing

  • Ran the targeted unit file npx vitest run test/unit/selfhost-ai.test.ts --reporter=dot, which passed (45 tests passed).
  • Ran type checking with npm run typecheck, which completed successfully.
  • Attempted full coverage with npm run test:coverage, but coverage remapping failed due to a toolchain error (ast-v8-to-istanbul TypeError: jsTokens is not a function), so coverage reporting could not be produced in this environment.
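The pattern the description outlines, as an added illustration that is not the PR's own code: an allowlist-driven subscriptionCliEnv() that copies only named keys out of the parent environment, an isolatedCliCwd() built on a fresh temporary directory, and a launcher that threads both through a SpawnFn so no individual CLI can bypass them. The allowlist contents, the type names and the launcher signature are assumptions.

```typescript
import { mkdtempSync } from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";

// Hypothetical allowlist (not the project's real list): only what a locally
// authenticated CLI needs to find its binary, its own auth state and a
// writable temp dir. Anything not listed, such as API keys or database URLs,
// never reaches the subprocess.
const SUBSCRIPTION_CLI_ENV_ALLOWLIST: ReadonlySet<string> = new Set([
  "PATH", "HOME", "USER", "LANG", "LC_ALL", "TERM", "TMPDIR",
  "XDG_CONFIG_HOME", "XDG_CACHE_HOME",
]);

type ParentEnv = Record<string, string | undefined>;
type CliEnv = Record<string, string>;

// Build the minimal env by copying allowlisted keys from the parent.
// This replaces `{ ...process.env }`, which is the regression the PR closes.
function subscriptionCliEnv(parentEnv: ParentEnv = process.env): CliEnv {
  const env: CliEnv = {};
  for (const key of SUBSCRIPTION_CLI_ENV_ALLOWLIST) {
    const value = parentEnv[key];
    if (value !== undefined) env[key] = value;
  }
  return env;
}

// A fresh, empty directory per launch: the subprocess cannot read the
// worker's checkout, .env files or another CLI's scratch space.
function isolatedCliCwd(): string {
  return mkdtempSync(join(tmpdir(), "subscription-cli-"));
}

interface SpawnOptions { cwd: string; env: CliEnv }
type SpawnFn = (cmd: string, args: string[], opts: SpawnOptions) => unknown;

// Single choke point that every subscription CLI launch goes through, so the
// isolated cwd and allowlisted env are applied uniformly (spawn is injected,
// which is also what makes the behaviour unit-testable).
function launchSubscriptionCli(
  spawn: SpawnFn, cmd: string, args: string[], parentEnv: ParentEnv = process.env,
): unknown {
  return spawn(cmd, args, { cwd: isolatedCliCwd(), env: subscriptionCliEnv(parentEnv) });
}
```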


@dosubot (bot) added the label size:M (This PR changes 30-99 lines, ignoring generated files.) on Jun 25, 2026
@superagent-security (bot)

Superagent didn't find any vulnerabilities or security issues in this PR.

Labels: aardvark, codex, size:M (This PR changes 30-99 lines, ignoring generated files.)