Enable always-on snapshot isolation

[JAORMX]

Summary

• COW snapshot isolation is now active on every run, not just when --review is passed
• Git credential sanitization and security-pattern exclusion (.env*, *.pem, .ssh/, .git/config) run unconditionally — closes credential leak vector when --review was forgotten
• --review now only controls interactive per-file approval; without it, a new AutoAcceptReviewer auto-accepts all changes (same end result as the old direct mount, but with snapshot safety)
• Fixes snapshot directory leak on non-zero agent exit by explicitly cleaning up before os.Exit

Changes

File	Change
internal/infra/review/auto.go	New AutoAcceptReviewer implementing snapshot.Reviewer
internal/infra/review/auto_test.go	Table-driven tests
cmd/bbox/main.go	Always wire snapshot deps, switch reviewer based on --review, remove credential warning, fix os.Exit leak
cmd/bbox/main_test.go	Update warning expectation
CLAUDE.md	Update snapshot isolation docs

Test plan

• task verify passes (fmt + lint + test with race detector)
• Reviewed by Linux systems expert agent — no race conditions, lifecycle sound
• Reviewed by security expert agent — no regressions, net security improvement
• Manual: bbox claude-code — creates snapshot, auto-accepts all changes
• Manual: bbox claude-code --review — creates snapshot, interactive per-file review
• Manual: bbox claude-code --exclude "*.log" — exclude patterns work without --review

🤖 Generated with Claude Code