v0.3.2: shell safety, :system :eval approval, skill sandbox

1. Shell actuator: remove double bash -c wrapping (format ~s produces
   S-expression-safe strings, not shell-safe). Now passes cmd directly
   to (timeout N bash -c cmd) via run-program arg list.

2. Dispatcher: extend high-impact approval gate to :system :eval.
   Previously only :shell, :tool "shell", and :emacs :eval triggered
   HITL. Now :system :eval also requires Flight Plan approval.

3. Skill sandbox: before promoting a skill from its jailed package to
   :passepartout, scan for restricted symbol references (uiop:run-program,
   uiop:shell, uiop:run-shell-command). Block promotion on violation.
   New skill-entry status :sandbox-blocked for blocked skills.

Test: 91 pass, 0 fail across 13 suites.

lisp/system-actuator-shell.lisp

@@ -1,16 +1,15 @@
 (defun actuator-shell-execute (action context)
-  "Executes a bash command with timeout (via timeout(1)) and output limit."
+  "Executes a shell command via the OS timeout binary with output limit."
   (declare (ignore context))
   (let* ((payload (getf action :payload))
          (cmd (getf payload :cmd))
          (timeout-sym (find-symbol "*BOUNCER-SHELL-TIMEOUT*" :passepartout))
          (timeout (or (getf payload :timeout) (if timeout-sym (symbol-value timeout-sym) 30)))
          (max-sym (find-symbol "*BOUNCER-SHELL-MAX-OUTPUT*" :passepartout))
-         (max-output (or (getf payload :max-output) (if max-sym (symbol-value max-sym) 100000)))
-         (wrapped-cmd (format nil "timeout ~a bash -c ~s" timeout cmd)))
+         (max-output (or (getf payload :max-output) (if max-sym (symbol-value max-sym) 100000))))
     (log-message "ACT [Shell]: ~a (timeout: ~as)" cmd timeout)
     (multiple-value-bind (out err code)
-        (uiop:run-program (list "bash" "-c" wrapped-cmd)
+        (uiop:run-program (list "timeout" (format nil "~a" timeout) "bash" "-c" cmd)
                           :output :string :error-output :string
                           :ignore-error-status t)
       (cond