fix: squid, OAuth, skills, MCP, tmux improvements

[thecodeassassin]

Summary

• Squid proxy reliability: subdomain dedup prevents FATAL config errors, skip reconfigure when unchanged, auto-restart on stale PID, DNS caching
• OAuth authentication: publish callback ports for OpenCode/Codex with socat relay, port availability check, xdg-open stub for URL display
• Skill management: GitHub blob URL support (converts to raw), recursive tree fetch for nested dirs, per-skill symlinks into agent config dirs
• MCP server support: persist ~/.cache for Claude so OAuth tokens survive sessions, sandbox instructions confirm MCP works in sandbox
• tmux UX: OSC 52 clipboard, URL-friendly word separators, disable right-click menu passthrough
• Sandbox instructions: root-domain-only for exitbox-allow, share gh auth across agents, MCP guidance

Test plan

• go build ./... passes
• go test ./... passes
• exitbox run opencode -- auth login completes OAuth flow with firewall active
• exitbox skills install https://github.com/anthropics/skills/tree/main/skills/frontend-design fetches all files including nested dirs
• exitbox skills install https://github.com/user/repo/blob/main/SKILL.md fetches markdown, not HTML
• Squid reconfigure warning no longer appears on repeated runs with unchanged config
• Allowlist with subdomain+parent domain (e.g. icy-veins.com + www.icy-veins.com) does not crash squid
• MCP server auth persists across container restarts (Claude)
• Right-click in tmux passes through to terminal native menu

[github-actions]

Merging this branch will not change overall coverage

Impacted Packages	Coverage Δ	🤖
github.com/Cloud-Exit/ExitBox/cmd	0.00% (ø)
github.com/Cloud-Exit/ExitBox/internal/agents/claude	0.00% (ø)
github.com/Cloud-Exit/ExitBox/internal/agents/codex	0.00% (ø)
github.com/Cloud-Exit/ExitBox/internal/image	0.00% (ø)
github.com/Cloud-Exit/ExitBox/internal/plugins	0.00% (ø)
github.com/Cloud-Exit/ExitBox/internal/profile	0.00% (ø)
github.com/Cloud-Exit/ExitBox/internal/skills	0.00% (ø)
github.com/Cloud-Exit/ExitBox/internal/wizard	0.00% (ø)

---

Coverage by file

Changed files (no unit tests)

Changed File	Coverage Δ	Total	Covered	Missed	🤖
github.com/Cloud-Exit/ExitBox/cmd/codex.go	0.00% (ø)	0	0	0
github.com/Cloud-Exit/ExitBox/cmd/plugin.go	0.00% (ø)	0	0	0
github.com/Cloud-Exit/ExitBox/internal/agents/claude/claude.go	0.00% (ø)	0	0	0
github.com/Cloud-Exit/ExitBox/internal/agents/codex/accounts.go	0.00% (ø)	0	0	0
github.com/Cloud-Exit/ExitBox/internal/agents/codex/docker.go	0.00% (ø)	0	0	0
github.com/Cloud-Exit/ExitBox/internal/image/tools.go	0.00% (ø)	0	0	0
github.com/Cloud-Exit/ExitBox/internal/plugins/plugins.go	0.00% (ø)	0	0	0
github.com/Cloud-Exit/ExitBox/internal/profile/dockerfile.go	0.00% (ø)	0	0	0
github.com/Cloud-Exit/ExitBox/internal/skills/fetch.go	0.00% (ø)	0	0	0
github.com/Cloud-Exit/ExitBox/internal/wizard/roles.go	0.00% (ø)	0	0	0

Please note that the "Total", "Covered", and "Missed" counts above refer to code statements instead of lines of code. The value in brackets refers to the test coverage of that file in the old version of the code.

Changed unit test files

• github.com/Cloud-Exit/ExitBox/internal/agents/codex/accounts_test.go
• github.com/Cloud-Exit/ExitBox/internal/agents/codex/codex_test.go
• github.com/Cloud-Exit/ExitBox/internal/image/image_test.go
• github.com/Cloud-Exit/ExitBox/internal/plugins/plugins_test.go
• github.com/Cloud-Exit/ExitBox/internal/skills/skills_test.go
• github.com/Cloud-Exit/ExitBox/internal/wizard/roles_test.go