feat(sandbox): add OPENSHELL_OCSF_JSONL opt-in for standalone mode

[dims]

Summary

The OCSF JSONL audit layer in openshell-sandbox is gated by an AtomicBool that the policy poll loop swaps when the gateway-side ocsf_json_enabled setting changes. The poll loop only spawns when OPENSHELL_ENDPOINT is set, so a supervisor running standalone has no way to flip the flag and /var/log/openshell-ocsf.YYYY-MM-DD.log stays empty. Seed the initial value from a new OPENSHELL_OCSF_JSONL env var so standalone supervisors can opt in.

Related Issue

None.

Changes

• Add OPENSHELL_OCSF_JSONL constant in openshell-core::sandbox_env.
• Seed ocsf_enabled: AtomicBool from that env var at supervisor startup, using the same boolean-env parsing pattern as OPENSHELL_NO_BROWSER (v == "1" || v.eq_ignore_ascii_case("true")).
• Document the standalone-mode opt-in in docs/observability/ocsf-json-export.mdx.

The default is unchanged: an unset variable still starts the flag at false. In gateway-connected mode the first poll cycle overwrites the seeded value with the gateway setting, so the env var only meaningfully changes behavior when no endpoint is configured.

Testing

• cargo clippy -p openshell-core -p openshell-sandbox --tests --no-deps -- -D warnings clean for the touched code
• mise run pre-commit passes (fails in upstream rust:lint on unrelated crates/openshell-sandbox/src/process.rs:23 unused import: warn — present on pristine main before this branch)
• Unit tests added/updated (not applicable — change is a 3-line env-var read using the same pattern as OPENSHELL_NO_BROWSER, which is also untested)
• E2E tests added/updated (not applicable)

Checklist

• Follows Conventional Commits
• Commits are signed off (DCO)
• Architecture docs updated (not applicable)