Fix command rewriting issues when terminal sandboxing is enabled (#303859)

* fix: command rewriting issues when terminal sandboxing is enabled

Fixes two issues with sandboxed terminal commands:

1. Sandboxed commands end up in shell history (#303769): The
   PreventHistoryRewriter was running before SandboxRewriter, so the
   leading space was applied to the inner command but not the final
   sandbox-wrapped command. Moved PreventHistoryRewriter to run last.

2. cd CWD prefix not stripped in sandbox mode (#303848): The
   SandboxedCommandLinePresenter was using the original (un-rewritten)
   command for display, bypassing cd prefix stripping. Changed to use
   forDisplay instead.

3. Fixed forDisplay being clobbered: The rewriter loop unconditionally
   overwrote forDisplay, so later rewriters without a forDisplay
   (like PreventHistoryRewriter) would clear the sandbox's display
   value. Changed to only update when explicitly provided.

Fixes #303769
Fixes #303848

* update doc comment for SandboxedCommandLinePresenter

* improve execute strategy logging for CI diagnostics

Upgrade strategy selection and completion logs to info level in
runInTerminalTool. In richExecuteStrategy, log at info level when
running in CI (for diagnosing shell integration race conditions)
and debug otherwise.

* fix: include ignorespace in bash shell integration history verification

When VSCODE_PREVENT_SHELL_HISTORY=1 is set (which it is for all tool
terminals created by the run_in_terminal tool), the bash shell
integration script sets HISTCONTROL="ignorespace" (line 67). This
causes bash to exclude space-prefixed commands from history.

Later in the same script (line 200), a regex decides whether to use
`history 1` or $BASH_COMMAND to capture the current command in
__vsc_preexec. The regex checks for erasedups, ignoreboth, and
ignoredups — but NOT ignorespace. This is a bug because:

1. The same script sets HISTCONTROL=ignorespace 130 lines earlier
2. ignoreboth (which IS in the regex) is defined by bash as
   "ignorespace + ignoredups" — so the compound form was handled
   but the simple form was not

The consequence: with HISTCONTROL=ignorespace and __vsc_history_verify=1,
__vsc_preexec calls `history 1` to get the current command. But the
command has a leading space (added by PreventHistoryRewriter), so bash
history never recorded it. `history 1` returns the PREVIOUS command
or nothing. This causes __vsc_current_command to be wrong or empty.

In __vsc_command_complete, when __vsc_current_command is empty, the
script sends the OSC sequence 633;D WITHOUT an exit code (line 373).
The VS Code side then receives onCommandFinished with exitCode=undefined,
breaking exit code detection for ALL tool terminal commands on bash.

The fix adds ignorespace to the existing regex, so bash falls back to
$BASH_COMMAND (which always works regardless of history settings).
This matches the behavior already provided when ignoreboth is set.

* docs: improve fix-ci-failures skill with faster log retrieval workflow