[codex] Improve bootstrap setup and terminal policy blocks

[Anmolnoor]

Summary

• resolve and validate Python 3.12 before creating the virtualenv
• discover common Homebrew Python 3.12 paths on macOS
• print OS/package-manager-specific install hints instead of raw command not found
• add setup docs for Ollama Cloud, local Ollama, and OpenAI provider configuration
• add terminal_policy_block so outside-workspace writes stop immediately instead of entering the replan loop
• keep outside-workspace reads on the existing approval path, while outside-workspace writes remain a hard block
• prevent zero-action final answers from claiming file creation/modification without a successful write/edit result
• document the AnmolNoor exception to the repo's autonomous PR rule

Root Cause

Out-of-scope writes were already blocked by policy, but the orchestrator treated them like ordinary blocked actions. That allowed replanning to continue or final answers to repeat unsupported model claims. The planner prompt also only described out-of-scope read approval, so the model did not get a clear instruction that out-of-scope writes cannot be approved from the current workspace.

Validation

• bash -n scripts/bootstrap.sh
• ./scripts/uv run pytest tests/test_orchestrator.py
• ./scripts/uv run pytest
• ./scripts/uv run ruff check src tests
• ./scripts/uv run ruff format --check src tests
• git diff --check