
Avoid auto-launching blocked Codex CLI candidates #1038

Draft
m-rokai wants to merge 1 commit into steipete:main from m-rokai:codex/avoid-blocked-codex-cli


@m-rokai m-rokai commented May 18, 2026

Summary

  • add a macOS Codex launch preflight for non-override CLI candidates before CodexBar auto-launches them
  • detect npm codex.js shims and assess their vendored native Codex binary without launching it
  • skip candidates with quarantine/malware xattrs or explicit policy failures such as revoked signing certificates, then fall back to the signed Codex.app CLI when present

Why

A local repro machine kept seeing macOS "malware" warnings even though CodexBar.app itself was notarized and accepted by Gatekeeper. The suspicious launch target was the Codex CLI candidate selected from PATH:

/usr/local/bin/codex -> ../lib/node_modules/@openai/codex/bin/codex.js
/usr/local/lib/node_modules/@openai/codex/.../vendor/aarch64-apple-darwin/codex/codex: CSSMERR_TP_CERT_REVOKED

The same machine also had a signed Codex.app CLI available:

/Applications/Codex.app/Contents/Resources/codex --version
codex-cli 0.131.0-alpha.9

Before this change, CodexBar would pick the PATH shim first and could keep touching the blocked native binary through background/version probes. This change makes Codex resolution treat blocked candidates as unavailable for automatic selection, while preserving CODEX_CLI_PATH as an explicit user override.

Validation

  • swift test --filter PathBuilderTests
  • swift test --filter CodexCLILaunchGateTests
  • git diff --check

Not run: swiftformat / swiftlint because they are not installed in this local environment.
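
The selection order described in this pull request, sketched in Python as an added example (not code from the PR or from CodexBar, which is written in Swift). The function names, the injectable `probe` parameter and the directory walk used to find the vendored binary are assumptions, and only the quarantine attribute and the revoked-certificate case are handled.

```python
import os
import subprocess

QUARANTINE_XATTR = "com.apple.quarantine"    # macOS quarantine attribute
REVOKED_MARKER = "CSSMERR_TP_CERT_REVOKED"   # codesign error quoted in the PR

def native_target(candidate):
    """Resolve symlinks; for an npm codex.js shim return the vendored native binary."""
    real = os.path.realpath(candidate)
    if os.path.basename(real) != "codex.js":
        return real
    package_root = os.path.dirname(os.path.dirname(real))  # <package>/bin/codex.js
    for dirpath, _dirs, files in os.walk(package_root):
        rel = os.path.relpath(dirpath, package_root).split(os.sep)
        # Assumed layout, from the PR's path: .../vendor/<target-triple>/codex/codex
        # (first match wins; a fuller check would pick the host's triple).
        if "codex" in files and rel[-1] == "codex" and "vendor" in rel:
            return os.path.join(dirpath, "codex")
    return real

def macos_probe(path):
    """Read xattr names and the signature verdict; never executes `path`."""
    names = subprocess.run(["xattr", path], capture_output=True, text=True).stdout.split()
    verdict = subprocess.run(["codesign", "--verify", "--strict", path],
                             capture_output=True, text=True).stderr
    return names, verdict

def block_reason(xattr_names, codesign_output):
    """Return why a candidate must not be auto-launched, or None if it may be."""
    if QUARANTINE_XATTR in xattr_names:
        return "quarantined"
    if REVOKED_MARKER in codesign_output:
        return "signing certificate revoked"
    return None

def select_cli(candidates, probe=macos_probe, override=None):
    """First unblocked candidate in order; an explicit override is never gated."""
    if override:
        return override, []
    skipped = []
    for candidate in candidates:
        reason = block_reason(*probe(native_target(candidate)))
        if reason is None:
            return candidate, skipped
        skipped.append((candidate, reason))
    return None, skipped

if __name__ == "__main__":  # on macOS: the two candidates named in the PR
    print(select_cli(["/usr/local/bin/codex",
                      "/Applications/Codex.app/Contents/Resources/codex"]))
```

The second element of the result lists each skipped candidate with its reason, which is what you would log to explain why the PATH shim was passed over.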
