fix(pr-review): always derive repo context from the PR webhook, not the bot's own cwd

The Gemini and Codex reviewer bots were reviewing their OWN source tree instead of the PR under review (false "wrong repo" blocking reviews, e.g. gbharg/exult #11, where Gemini/Codex claimed the repo was "gemini-pr-reviewer"/"codex-pr-reviewer", a Probot app).

Root cause: the agentic CLIs (gemini -y / codex exec) inherit the bot's working directory (the reviewer app source) and inspect it for repo context, ignoring the diff supplied via stdin. Claude was unaffected because it runs with --max-turns 1 and no tools, so it can't read the FS.

Fixes (minimal, mirror Claude's tool-disabled posture):
- ask-ai.js: run every CLI in a throwaway empty temp dir (configurable cwd) so there is nothing local for the model to read.
- review-handler.js: add a repo-context guard — assert the webhook repo (context.payload.repository.full_name) matches the PR base repo before invoking the model; abort on mismatch. Also abort on an empty diff.
- gemini index.js: replace -y (yolo, all tools) with --approval-mode plan (read-only, no tool execution).
- codex index.js: add --skip-git-repo-check so it doesn't attach to / scan a repo from cwd.
- Tests for the sandbox cwd and the repo-context guard.

Note: requires redeploying/restarting the gemini-pr-reviewer and codex-pr-reviewer probot processes for the fix to take effect.

Co-Authored-By: Claude Opus 4.8
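
The two controls described in the commit message above (the repo-context guard and the empty working directory), sketched as an added example that is not the project's code. The function names `checkRepoContext`, `withEmptyDir` and `runReviewer` are hypothetical, and the PR base repo is assumed to be read from `pull_request.base.repo.full_name` in the webhook payload.

```javascript
// Added illustration: function names are hypothetical, not the project's code.
// Repo-context guard: the repository that delivered the webhook must be the
// PR's base repository, and there must be a diff to review.
function checkRepoContext(payload, diff) {
  const webhookRepo = payload?.repository?.full_name;
  const baseRepo = payload?.pull_request?.base?.repo?.full_name;
  if (!webhookRepo || !baseRepo) {
    return { ok: false, reason: 'missing repository context' };
  }
  if (webhookRepo !== baseRepo) {
    return { ok: false, reason: `repo mismatch: ${webhookRepo} vs ${baseRepo}` };
  }
  if (typeof diff !== 'string' || diff.trim() === '') {
    return { ok: false, reason: 'empty diff' };
  }
  return { ok: true, repo: webhookRepo };
}

// Calls fn(dir) with a fresh, empty temp directory and always removes it.
// Dynamic import() keeps the file loadable as either CommonJS or ESM.
async function withEmptyDir(fn) {
  const fs = await import('node:fs/promises');
  const os = await import('node:os');
  const path = await import('node:path');
  const dir = await fs.mkdtemp(path.join(os.tmpdir(), 'pr-review-'));
  try {
    return await fn(dir);
  } finally {
    await fs.rm(dir, { recursive: true, force: true });
  }
}

// Runs the reviewer CLI with cwd set to the empty directory and the diff on
// stdin, so the process has no local source tree to mistake for the PR.
async function runReviewer(cmd, args, payload, diff) {
  const guard = checkRepoContext(payload, diff);
  if (!guard.ok) throw new Error(`review aborted: ${guard.reason}`);
  const { spawn } = await import('node:child_process');
  return withEmptyDir((cwd) => new Promise((resolve, reject) => {
    const child = spawn(cmd, args, { cwd, stdio: ['pipe', 'pipe', 'inherit'] });
    let out = '';
    child.stdout.on('data', (chunk) => { out += chunk; });
    child.stdin.on('error', () => {}); // child may exit before reading stdin
    child.on('error', reject);
    child.on('close', (code) =>
      code === 0 ? resolve(out) : reject(new Error(`${cmd} exited with ${code}`)));
    child.stdin.end(diff);
  }));
}
```

The guard runs before any process is spawned, so a mismatched or empty review never reaches the model; the tool-restricting flags named in the commit message would be passed in `args`.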