refactor(proxy): distinguish CONNECT_L7 from CONNECT in policy logs

[johntmyers]

🏗️ build-from-issue-agent

Summary

Split the CONNECT log emission so log consumers can distinguish standalone L4 policy decisions (CONNECT) from tunnel lifecycle events that precede L7 inspection (CONNECT_L7). Previously, L7-configured endpoints emitted a CONNECT action=allow that looked like an independent policy decision when it was really just context for the L7_REQUEST entries that follow.

Related Issue

Closes #362

Changes

• crates/openshell-sandbox/src/proxy.rs: Split the CONNECT log into two sites — denied connections log immediately as CONNECT, allowed connections defer logging until after query_l7_config() and emit CONNECT (L4-only) or CONNECT_L7 (L7 inspection follows). Removed unused action_str variable.
• crates/openshell-tui/src/ui/sandbox_logs.rs: Added clarifying comment on starts_with("CONNECT") match that covers both message types. Added plain_format_connect_l7_field_order unit test.

Deviations from Plan

None — implemented as planned.

Testing

• cargo fmt --all -- --check passes
• cargo clippy --workspace --all-targets passes (no new warnings)
• cargo test --workspace passes
• Unit tests added

Tests added:

• Unit: plain_format_connect_l7_field_order in crates/openshell-tui/src/ui/sandbox_logs.rs — verifies CONNECT_L7 messages use the same field ordering as CONNECT
• Integration: N/A
• E2E: N/A — no changes under e2e/

Checklist

• Follows Conventional Commits
• No architecture docs needed (no existing docs describe the log format)

Note: This is a minor breaking change to log format. Any external tooling that filters on message == "CONNECT" will need to also match "CONNECT_L7" to capture all connections.