[codex] Centralize runtime configuration

[snbafana]

Summary

This PR replaces the broad CUED_* environment-variable surface with a smaller configuration model:

• centralizes non-secret runtime defaults in src/core/config.ts
• limits .env.example and dotenv use to secrets / credential file paths
• resolves dotenv from the Cued package root instead of the caller cwd
• replaces CUED_HOME / CUED_DB_PATH process isolation with --config path/to/config.json
• moves adapter worker cursor/config data from env vars to structured stdin invocation
• converts Slack helper test API routing from env to --api-url
• removes script-only Cued env knobs for benchmarks, smoke runs, release metadata, node paths, and cache paths
• narrows macOS daemon.env loading to a credential allowlist
• writes packaged app metadata during release builds so the daemon keeps the correct release channel
• keeps packaged Chromium and permissions-script discovery aligned with the app bundle layout
• restores explicit installer channel selection with --channel stable|internal

This is stacked on codex/agent-example-prompts to keep this PR diff scoped to the config cleanup. Once that branch lands, this can be retargeted to main.

Diff shape

Current PR size is 100 files, +1918/-1497. The breadth comes from systematically replacing env reads at each call site, updating tests that used env for isolation, and replacing worker env IPC with structured stdin. The largest buckets are:

• central config/defaults and path handling: src/core/config.ts
• worker invocation and platform worker call sites
• macOS runtime/config forwarding and tests
• script argument changes for release/smoke/benchmark flows
• docs and .env.example cleanup

The remaining direct process.env usage is intentionally limited to secrets, test/process sentinels, subprocess environment pass-through, and shell-script internals.

Validation

Local checks run before commit/push:

• pnpm check:biome
• pnpm typecheck
• pnpm test (75 files, 496 tests)
• pnpm exec vitest run src/core/config.test.ts src/cli-paths.test.ts
• go test ./... in native/helpers/slack-go
• swift test --package-path native/macos/CuedNative -c release
• bash -n on touched shell scripts

Commit/push hooks also passed:

• pnpm check:ci-local, including check:app-quality, pnpm build, pnpm test, and check:native:macos.

Review follow-up

Two review-agent passes were run. The first found release metadata, Chromium path, permissions script lookup, and dotenv cwd-scope issues. The second found packaged permissions context, explicit macOS config fallback, and installer channel regressions. The current commit fixes those findings.