Exposes user Dsxir.Tools to sandboxed CodeAct code.

build/1 registers the tool set in the named public ETS table under a unique token and returns {token, prelude, prompt_fragment}. The prelude binds the token as a sandbox variable; the model calls Dsxir.Predictor.CodeExec.ToolBridge.call(token, name, args) from inside the sandbox, using the fully-qualified module name since the sandbox has no alias for it. call/3 is the only function exposed to the sandbox via Dsxir.Predictor.CodeExec.ToolAllowlist; it runs with full privileges (allowed, not shimmed) and dispatches to the real tool. User tools are trusted, exactly as in Dsxir.Predictor.ReAct.

This module is also the supervised owner of the :dsxir_codeact_tools ETS table: it creates the table at boot and holds it for the lifetime of the application, mirroring Dsxir.History.

Caller-owned cleanup: every build/1 call inserts a token entry that persists until cleanup/1 (or cleanup_all/0) is called; callers must clean up after each use to avoid unbounded registry growth.

Cross-call isolation: each call's tools are keyed by an unguessable random token that is bound only inside that call's sandbox prelude, so one sandbox cannot reach another call's tools without knowing its token.