fix: add /bin/sh symlink to sandbox so hooks can exec sh

Claude Code hooks invoke /bin/sh which doesn't exist in the bwrap
sandbox. Symlink bash to /bin/sh alongside the existing /usr/bin/env
symlink so all hook-based tooling (GSD statusline, project hooks)
works correctly inside claudebox.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

claudebox.sh

@@ -361,6 +361,7 @@ if [[ "$DRY_RUN" == true ]]; then
     echo "  --ro-bind /etc/nsswitch.conf /etc/nsswitch.conf \\"
     echo "  --ro-bind /etc/nix /etc/nix \\"
     printf '  --symlink %q /usr/bin/env \\\n' "$(readlink -f "$(command -v env)")"
+    printf '  --symlink %q /bin/sh \\\n' "$(readlink -f "$(command -v bash)")"
     echo "  --tmpfs $HOME \\"
     echo "  --bind $HOME/.claude $HOME/.claude \\"
     echo "  --bind $INSTANCE_DIR $HOME/.claude/projects \\"
@@ -398,6 +399,7 @@ BWRAP_ARGS=(
   --ro-bind /etc/nsswitch.conf /etc/nsswitch.conf
   --ro-bind /etc/nix /etc/nix
   --symlink "$(readlink -f "$(command -v env)")" /usr/bin/env
+  --symlink "$(readlink -f "$(command -v bash)")" /bin/sh
   --tmpfs "$HOME"
   # Phase 5: direct ~/.claude bind (D-01) — all plugins/skills/hooks/MCP visible
   --bind "$HOME/.claude" "$HOME/.claude"