
fix: harden execute_code env and approvals#27304

Closed
YLChen-007 wants to merge 1 commit into NousResearch:main from YLChen-007:fix-execute-code-approval-env


Conversation

@YLChen-007


Fixes #27303

Summary

  • harden execute_code child environment scrubbing with an explicit safe allowlist
  • stop passing broad HERMES_* variables into sandboxed child processes by default
  • block common secret env names such as DATABASE_URL, SLACK_WEBHOOK, AWS_ACCESS_ID, and SENTRY_DSN
  • run the approval guard before dispatching terminal() calls requested from inside the execute-code sandbox
  • add regression coverage for env scrubbing and terminal approval enforcement

Tests

  • /root/project/xclaw-project/hermes-agent/.venv/bin/python -m pytest -o addopts= --ignore=tests/integration --ignore=tests/e2e -m 'not integration' tests/tools/test_env_passthrough.py tests/tools/test_code_execution.py::TestExecuteCode::test_terminal_tool_call_runs_approval_guard -q (20 passed)

Note: the broader tests/tools/test_code_execution.py file currently has two unrelated failures in this environment because psutil is not importable from the shared venv when timeout/interrupt tests call _kill_process_group.
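The two env-scrubbing approaches contrasted in this PR, written up as an added example (not the hermes-agent code): a prefix-based blocklist lets names like DATABASE_URL, SLACK_WEBHOOK, AWS_ACCESS_ID and SENTRY_DSN through, while an explicit safe allowlist plus a secret-name check does not. The sample environment, the prefix list, the allowlist contents and the `dispatch_sandbox_tool_call` gate are constructed assumptions for the demonstration.

```python
import re

# Constructed sample child environment; none of these values are real secrets.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/agent",
    "LANG": "C.UTF-8",
    "HERMES_API_KEY": "hermes-constructed",    # broad HERMES_* variable
    "HERMES_LOG_LEVEL": "debug",
    "OPENAI_API_KEY": "sk-constructed",
    "DATABASE_URL": "postgres://user:pw@db/app",
    "SLACK_WEBHOOK": "https://hooks.example/constructed",
    "AWS_ACCESS_ID": "AKIACONSTRUCTED",
    "SENTRY_DSN": "https://key@sentry.example/1",
}

# Prefix-based blocklist: only names starting with a known prefix are dropped (assumed list).
BLOCKED_PREFIXES = ("OPENAI_", "ANTHROPIC_", "AWS_SECRET", "GITHUB_TOKEN")

def scrub_env_prefix_blocklist(env):
    """Drop keys with a blocked prefix; every other key reaches the child process."""
    return {k: v for k, v in env.items() if not k.startswith(BLOCKED_PREFIXES)}

# Explicit safe allowlist (assumed contents) plus a secret-name pattern as a second gate.
SAFE_ALLOWLIST = frozenset({"PATH", "HOME", "LANG", "LC_ALL", "TERM", "TZ"})
SECRET_NAME_RE = re.compile(
    r"(KEY|SECRET|TOKEN|PASSWORD|WEBHOOK|DSN|DATABASE_URL|ACCESS_ID)", re.I)

def scrub_env_allowlist(env, extra_allow=()):
    """Keep only allowlisted keys; a secret-looking name is dropped even if allowlisted."""
    allowed = SAFE_ALLOWLIST | frozenset(extra_allow)
    return {k: v for k, v in env.items()
            if k in allowed and not SECRET_NAME_RE.search(k)}

def leaked_secrets(scrubbed_env):
    """Secret-looking names that survived scrubbing; a regression test asserts this is empty."""
    return sorted(k for k in scrubbed_env if SECRET_NAME_RE.search(k))

def dispatch_sandbox_tool_call(name, args, approval_guard, handlers):
    """Run the approval guard before a terminal() call from inside the sandbox is dispatched."""
    if name == "terminal" and not approval_guard(args.get("command", "")):
        return {"error": "terminal call denied by approval guard"}
    return handlers[name](args)
```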


@alt-glitch alt-glitch added labels May 17, 2026: type/security (Security vulnerability or hardening), comp/agent (Core agent loop, run_agent.py, prompt builder), tool/code-exec (execute_code sandbox), P1 (High — major feature broken, no workaround)
@Bartok9

Bartok9 commented May 17, 2026


I rechecked this against current origin/main (519657aa9). The _scrub_child_env / _sanitize_subprocess_env path in tools/environments/local.py still uses the prefix-based blocklist approach, so patterns like DATABASE_URL, SLACK_WEBHOOK, and SENTRY_DSN are not blocked in the current tree. The terminal-approval guard at the execute-code RPC boundary is also absent on main. Both gaps remain open. This PR correctly addresses them.

@teknium1


Superseded by #34497 (merged). The consolidated fix took the env-scrub direction from your PR — explicit safe allowlist, dropped broad HERMES_* passthrough, and DSN/WEBHOOK secret-name coverage — alongside the approval-context restoration. Thanks for the work here; credited in the salvage.


@teknium1 teknium1 closed this May 29, 2026
Linked issue this pull request would close:

execute_code can leak common secret env vars and bypass terminal approval guard
