chore: add cleanroom config

[lox]

Draft

This PR is stacked on top of #3839 and should not be merged until that PR lands first.

Summary

Add a repo-level cleanroom.yaml based on the existing Buildkite Agent example in the cleanroom repo.

This gives the agent repo a checked-in cleanroom policy for running inside a sandbox with deny-by-default egress, explicit mise bootstrap, and cached Go module dependency warmup.

Changes

• add cleanroom.yaml at the repo root
• copy the policy from ../cleanroom/examples/buildkite-agent/cleanroom.yaml
• update the dependency cache key to use mise.toml instead of .mise.toml
• enable default repo bootstrap so cleanroom exec -- mise ... works from this checkout

Why

This keeps the cleanroom policy alongside the repo it is meant to run, instead of only existing as an external example.

It also depends on the earlier mise.toml rename in #3839, since the dependency-stage cache key now points at mise.toml.

Testing

• cleanroom policy validate
• cleanroom exec -- mise x -- go version

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 173aefe748

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".