feat(run): collapse sandbox flags into --mode + Advanced help section

[WZ]

Why

`agent-gate run --help` had three issues from a dogfood pass:

1. The `--hijack-host` example pointed at `chatgpt.com` — exactly the case where it doesn't work. Anyone following the example would get empty 101 captures and assume agent-gate was broken.
2. The two sandbox-related flags (`--permissive`, `--airtight-fail`) presented as independent booleans, when they really name three states of one knob.
3. The advanced-but-niche flags (`--hijack-host`, `--upstream-ca`, `--upstream-insecure-skip-verify`) sat alphabetically interleaved with the everyday ones, making the everyday case noisier than it needed to be.

What changes

`--mode` replaces `--permissive` and `--airtight-fail`

```
--mode How to force the target's egress through the proxy.
DEFAULT: airtight (recommended for most users). Choose one of:

                airtight        Spawn the target inside the per-OS network jail
                                (macOS sandbox-exec / Linux netns). Falls back to
                                permissive with a stderr warning if unsupported.

                airtight-strict Same as airtight, but refuse to fall back. Abort
                                if the jail is unavailable. Use in CI.

                permissive      Skip the jail; just set HTTPS_PROXY env vars.
                                Agent CAN bypass capture. Use only when you
                                trust the agent or the platform can't jail.

```

The internal launcher surface is unchanged — `parseRunMode` translates the string to the same `(Mode, AirtightFail)` pair the runtime already understood.

Advanced Flags section

New `cmd/agent-gate/usage.go` adds a small custom UsageFunc that splits flags into a primary `Flags:` block and a trailing `Advanced Flags:` block, based on a flag annotation. `--hijack-host`, `--upstream-ca`, and `--upstream-insecure-skip-verify` move into Advanced.

Cleaner hijack-host copy

Now that the section heading does the heavy lifting, the description drops the redundant "Advanced — most users don't need this" preamble and just describes when the flag actually helps.

Boomerang updates

• README support matrix: `--airtight-fail` → `--mode=airtight-strict`, `--permissive` → `--mode=permissive`
• README `### Flags` block: rewritten to match the new layout
• `internal/e2e/airtight_test.go`: `--airtight-fail` → `--mode airtight-strict`
• `internal/launcher/sandbox_windows.go`: error string updated

What does NOT change (and why)

• `--enforce-allowlist` stays a separate flag. It controls a different dimension (proxy 403-on-non-allowlisted) than `--mode` (sandbox enforcement). Folding them would either multiply mode values to 6+ or eliminate combinations users legitimately need (`airtight` + enforce, `permissive` + enforce, etc.). `--enforce-allowlist` also has tri-state semantics today (nil = config decides) that a fixed mode value can't preserve.

Test plan

• `agent-gate run --help` renders the new layout cleanly (verified locally)
• `go test ./...` clean
• `go vet ./...` clean
• `gofmt -l .` clean
• e2e airtight test still works with the renamed flag (Linux netns path)

Breaking changes

`--permissive` and `--airtight-fail` are removed. Anyone scripting `agent-gate run` with those flags must migrate to `--mode permissive` or `--mode airtight-strict`. Acceptable for a v0.x project per the project's existing CLI evolution pattern.