feat(dx): develop openshell in openshell#1588

Draft
drew wants to merge 1 commit into main from openshell-in-openshell

Conversation

@drew
Collaborator

@drew drew commented May 27, 2026

Summary

Add a scripts/devshell workflow for creating or reconnecting to a VM-backed OpenShell development sandbox. The devshell now uses Providers v2 profiles for GitHub, Codex, Claude, and development toolchain egress instead of a default policy YAML.

Related Issue

N/A

Changes

  • Add scripts/devshell to import Providers v2 profiles, ensure provider records, attach the toolchain provider, and bootstrap a GitHub checkout inside the sandbox.
  • Add devshell provider profiles for Codex and OpenShell development toolchains.
  • Add an in-image/injected devshell bootstrap script for mise, native deps, repo clone, and Python environment setup.
  • Update the CI image so mise tooling lives under /usr/local/share/openshell/mise, which works with the default sandbox filesystem policy.
  • Improve VM rootfs/cache handling so guest init changes affect cache identity and overlay images are repaired after image-prep mutation.
  • Skip missing proxy TOFU ancestor paths on Linux so sandbox filesystem probing tolerates paths that do not exist in the guest image.

Testing

  • bash -n scripts/devshell
  • bash -n deploy/docker/devshell-bootstrap.sh
  • shellcheck scripts/devshell deploy/docker/devshell-bootstrap.sh tasks/scripts/docker-build-ci.sh
  • git diff --check
  • ./scripts/bin/openshell provider profile lint --from scripts/devshell.profiles
  • Fresh no-policy devshell smoke sandbox with Providers v2 profiles using ghcr.io/nvidia/openshell-community/sandboxes/base:latest
  • mise run python:proto
  • mise run pre-commit

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)

Notes

mise run test inside the nested OpenShell sandbox still needs a core decision for the nested seccomp test behavior. This PR wires up the devshell path and removes the default custom policy YAML from that workflow.

@copy-pr-bot

copy-pr-bot Bot commented May 27, 2026

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

@drew drew changed the title feat(devshell): add provider-backed VM dev sandbox feat(dx): develop openshell in openshell May 27, 2026