Config surface

New config key: [network_proxy.policy].allow_unix_sockets (string array), stored/edited via network_proxy.rs.
Entries support:
SSH_AUTH_SOCK / ${SSH_AUTH_SOCK}
preset aliases: ssh-agent, ssh_auth_sock, ssh_auth_socket
Entries are resolved at runtime to canonical absolute socket paths before generating Seatbelt rules.
macOS Seatbelt integration

seatbelt.rs now:
allows only loopback proxy ports (localhost:<port>) + explicitly allowed unix socket paths
does not emit per-domain (remote tcp ...) rules (those break under sandbox-exec)
Unix socket allowlist resolution is done via network_proxy::resolve_unix_socket_allowlist(...).
Prompt-on-deny UX (TUI)

When an exec approval happens and the command appears to need the SSH agent socket (ssh/scp/sftp/ssh-add, or git with ssh-style remotes), and the socket isn’t already allowed:
TUI shows an approval modal for the unix socket.
Allow for session: writes the resolved socket path to config (and removes it on exit, like session domain approvals).
Allow always: writes SSH_AUTH_SOCK to allow_unix_sockets for portability across restarts.

docs/example-config.md

@@ -133,6 +133,10 @@ poll_interval_ms = 1000
 # Allow localhost binds inside the sandbox (macOS only). Default: false
 allow_local_binding = false
 # Allow Unix socket paths inside the sandbox (macOS only). Default: []
+# Common values:
+# - "$SSH_AUTH_SOCK" (recommended) or "${SSH_AUTH_SOCK}"
+# - "ssh-agent" (alias: "ssh_auth_sock", "ssh_auth_socket")
+# - an absolute socket path like "/private/tmp/..." (or a directory containing sockets)
 allow_unix_sockets = []
 # Optional domain allow/deny lists (denylist wins)
 allowed_domains = []