chore: make cask upgrades greedy and expand AWS allowlist#2

Open
theomantz wants to merge 1 commit into main from chore/cask-greedy-aws

Conversation

@theomantz (Owner)

What changed

  • mark every nix-darwin managed Homebrew cask as greedy = true by generating the cask list through mkGreedyCask
  • expand codex/rules/default.rules with a broad explicit allowlist for common non-destructive AWS CLI commands
  • record the rule-engine limitation in codex/LESSONS.md so future policy changes stay curated instead of allowing aws broadly

Why

  • Homebrew skips some auto_updates casks during brew bundle unless they are marked greedy; this is why apps like Ghostty were falling behind during darwin-rebuild
  • Codex approvals work on literal command-token prefixes, so avoiding prompts for safe AWS usage requires an explicit read-only allowlist rather than a broad aws rule

Expected impact

  • darwin-rebuild should now upgrade all managed casks, including auto_updates casks such as Ghostty
  • common AWS inspection and auth flows should stop prompting while mutating AWS commands remain gated

Risks

  • making all casks greedy can increase activation-time upgrades for apps that self-update
  • the AWS allowlist is intentionally incomplete; some safe commands may still prompt until added explicitly
  • several allowed AWS commands can read sensitive data if the underlying AWS permissions allow it, so this change is scoped to non-destructive operations rather than non-sensitive ones

Validation

  • CODEX_HOME=<tmpdir> codex --help
  • git diff --check
  • nix build .#darwinConfigurations.theo.system --no-link

Rollback

  • revert this PR to restore the previous mixed cask configuration and narrower Codex approval policy

Follow-ups

  • if there are additional AWS read-only workflows you use regularly, add them as explicit prefixes instead of broadening to aws
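To illustrate the approval behaviour the "Why" section relies on, here is an added Python model of a command-token prefix allowlist. It is not the Codex rule engine and not this repository's codex/rules/default.rules; the allowlist entries, the broad `aws` prefix used for contrast, and the sample commands are all constructed for the example. It shows why an explicit read-only list approves `aws s3 ls` while still prompting for `aws s3 rm`, whereas a bare `aws` prefix approves both, and why a command string containing shell operators should fall back to a prompt rather than being approved on its leading tokens alone.

```python
"""Toy token-prefix allowlist in the spirit of the Codex approval rules.

Added example: this is a model for reasoning about prefix matching, not the
real rule engine and not the repository's default.rules file.
"""
import shlex

# Constructed allowlist of non-destructive AWS CLI prefixes (assumption: the
# real default.rules is not reproduced on the PR page). Each entry is a tuple
# of command tokens; a command is approved when its leading tokens equal one
# of these prefixes exactly. Note that "non-destructive" is not the same as
# "non-sensitive": describe/list calls can still return sensitive data if the
# underlying AWS credentials permit it.
READ_ONLY_AWS_PREFIXES = [
    ("aws", "sts", "get-caller-identity"),
    ("aws", "sso", "login"),
    ("aws", "s3", "ls"),
    ("aws", "ec2", "describe-instances"),
    ("aws", "iam", "list-users"),
    ("aws", "secretsmanager", "list-secrets"),
]

# A single broad prefix, shown only for contrast: it approves every aws
# subcommand, including mutating ones.
BROAD_AWS_PREFIX = [("aws",)]

# shlex's default punctuation set; a token made only of these characters is a
# shell control operator (";", "&&", "||", "|", ">", ...).
PUNCTUATION = "();<>|&"


def tokenize(command):
    """Split a command string into tokens, keeping operators separate.

    punctuation_chars makes shlex emit ";" or "&&" as their own tokens even
    when written without surrounding spaces; whitespace_split keeps arguments
    such as s3://bucket or --profile=dev as single words.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def is_operator(token):
    """True for tokens consisting solely of shell punctuation."""
    return token != "" and all(c in PUNCTUATION for c in token)


def decide(command, prefixes):
    """Return "allow" if the command matches an allowlisted prefix, else "prompt".

    A compound command (anything containing a shell operator) always prompts:
    matching only the first simple command's prefix would approve whatever
    follows the operator as well.
    """
    toks = tokenize(command)
    if any(is_operator(t) for t in toks):
        return "prompt"
    toks = tuple(toks)
    for prefix in prefixes:
        if toks[: len(prefix)] == prefix:
            return "allow"
    return "prompt"


def compare(commands):
    """Map each command to (explicit-allowlist decision, broad-prefix decision)."""
    return {
        cmd: (decide(cmd, READ_ONLY_AWS_PREFIXES), decide(cmd, BROAD_AWS_PREFIX))
        for cmd in commands
    }


if __name__ == "__main__":
    # Constructed sample commands.
    samples = [
        "aws sts get-caller-identity",
        "aws s3 ls s3://my-bucket --profile dev",
        "aws s3 rm s3://my-bucket/key",
        "aws s3 ls; aws s3 rb s3://my-bucket",
    ]
    for cmd, (explicit, broad) in compare(samples).items():
        print(f"{cmd!r}: explicit={explicit} broad={broad}")
```

The explicit list trades coverage for safety: a read-only command that is not yet listed prompts until someone adds its exact prefix, which is the behaviour the "Risks" and "Follow-ups" sections describe.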
