Deny transport for local-only Git operations

[bookholt-oai]

Why

Some internal Git commands are intended to inspect only local repository state, but Git can implicitly fetch a missing object from a partial clone's promisor remote. A repository can select that remote and its transport helpers, so a passive diff or branch-summary lookup could cross a network/process boundary even though Codex did not issue an explicit fetch command.

What

• Add a shared local-only Git environment policy that denies every Git transport.
• Apply it to Git metadata, operation, patch-apply, branch-summary, and /diff command wrappers.
• Add real blobless-clone regressions proving missing promisor blobs fail closed without executing a repository-selected transport helper.
• Preserve ordinary complete-repository diff behavior and leave intentional clone/fetch paths unchanged.

How

Local-only commands set GIT_ALLOW_PROTOCOL to an empty allowlist, which prevents all Git protocols even when repository config allows a helper explicitly. They also set GIT_NO_LAZY_FETCH=1 as defense in depth on newer Git versions. The TUI uses the same policy for workspace commands executed through either embedded or remote app-server sessions.

Testing

• just test -p codex-git-utils — 27 passed.
• just test -p codex-tui branch_summary::tests — 6 passed.
• just test -p codex-tui get_git_diff::tests — 7 passed.
• Full TUI suite on the prior base: 2,924 passed; two unrelated Guardian tests reproduced on main and were subsequently changed upstream; 4 skipped.
• just fix -p codex-git-utils
• just fix -p codex-tui
• just fmt