[doc] README: document the security model + clarify ModuleWithheldError contract #27

Merged: vt128 merged 1 commit into master from doc/readme-security-model on Jun 20, 2026

vt128 (Member) commented Jun 20, 2026

Independent re-review (2026-06-20) confirmed the four code fixes (#24/#25) are effective and verified, but flagged that the real security boundary lived only in policy.go godoc and Plane comments — not the README. This syncs the README with the actual release semantics and pins down one open contract question.

README — new sections

  • Security model: the load gate (Policy/NewWithPolicy, default-deny, four-tier module sets), the SetFS exception, and why the per-call fs/net/cmd/secret exec gate is out of Starbox scope (lives at the loader-construction layer).
  • Execution budgets & output limits (SetMaxExecutionSteps / SetMaxOutputEntries, enforced on every run path incl. RunnerConfig.Execute()).
  • Inspection without execution (CheckDiagnostic, DescribeSurfaceSurface), both Policy-aware.
  • Structured results (output()/GetResult, per-run) and console capture (EnableConsoleCapture/Drain).
  • Typed errors (RunError{Kind}, ModuleWithheldError, OutputLimitExceededError).

ModuleWithheldError contract (re-review "keep under observation")

Clarified in godoc: a withheld error is for a known builtin excluded by the set/policy; a policy-denied non-builtin (custom/dynamic/script) module is simply absent (load() fails as not-found), not typed-withheld — the sandbox is deliberately not told that a host-private module exists but is forbidden. This is the intended, documented behavior (information hiding), resolving the open question.

Doc/comment-only — no behavior change. gofmt/vet/build/go test clean locally; full matrix runs in CI.

Not in this PR (separate, user-gated): the v0.2.0 tag + release notes (A7), and the BOX-04 Plane description which was updated directly to the honest load-gate-only scope.

…or contract

Independent re-review (2026-06-20) noted the real security boundary lived only
in godoc / Plane comments, not the README. Add README sections covering the
public release semantics:

- Security model: load gate (Policy/NewWithPolicy, default-deny, four-tier
  module sets), the SetFS exception, and why the per-call fs/net/cmd/secret
  exec gate is out of Starbox scope.
- Execution budgets & output limits (SetMaxExecutionSteps / SetMaxOutputEntries).
- Inspection without execution (Check / DescribeSurface), both Policy-aware.
- Structured results (output()/GetResult) and console capture.
- Typed errors (RunError{Kind}, ModuleWithheldError, OutputLimitExceededError).

Also clarify the ModuleWithheldError godoc contract: a withheld error is for a
known builtin excluded by the set/policy; a policy-denied non-builtin (custom/
dynamic/script) module is simply absent (load fails as not-found), not typed
withheld - the sandbox is not told a host-private module exists but is forbidden.
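
The contract described above (a typed withheld error for a known builtin, a plain not-found for a policy-denied non-builtin), sketched as an added example that is not part of this PR or of Starbox's code. The names `gate`, `withheldError`, `errNotFound` and the module names are hypothetical, and the sample data is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// All names here are hypothetical; this is not Starbox's API.
// errNotFound is the only answer for any name the gate will not confirm.
var errNotFound = errors.New("module not found")

// withheldError is returned only for builtins, whose names are public anyway.
type withheldError struct{ Module string }

func (e *withheldError) Error() string { return "builtin " + e.Module + " withheld by policy" }

// gate is a default-deny load gate: a module loads only if explicitly allowed.
type gate struct {
	builtins map[string]bool // publicly documented builtin names
	custom   map[string]bool // host-registered, possibly private modules
	allowed  map[string]bool // the policy's allow-list
}

func (g *gate) load(name string) error {
	switch {
	case g.allowed[name] && (g.builtins[name] || g.custom[name]):
		return nil
	case g.builtins[name]:
		return &withheldError{Module: name} // known name: safe to be specific
	default:
		// A denied custom module and a nonexistent one share this path, so
		// a script cannot probe for host-private module names.
		return errNotFound
	}
}

// newSampleGate returns a gate over constructed sample data.
func newSampleGate() *gate {
	return &gate{
		builtins: map[string]bool{"json": true, "http": true},
		custom:   map[string]bool{"billing_internal": true, "metrics": true},
		allowed:  map[string]bool{"json": true, "metrics": true},
	}
}

func main() {
	for _, m := range []string{"json", "http", "metrics", "billing_internal", "no_such"} {
		fmt.Printf("%-17s -> %v\n", m, newSampleGate().load(m))
	}
}
```

A regression test for this kind of contract should assert that the denied and the nonexistent case return the same error value, not just errors of the same type.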

codecov Bot commented Jun 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.95%. Comparing base (66e4463) to head (1a5b006).

Additional details and impacted files
@@           Coverage Diff           @@
##           master      #27   +/-   ##
=======================================
  Coverage   98.95%   98.95%           
=======================================
  Files          12       12           
  Lines         862      862           
=======================================
  Hits          853      853           
  Misses          5        5           
  Partials        4        4           

@codacy-production

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

🟢 Metrics 0 complexity · 0 duplication

Metric Results
Complexity 0
Duplication 0


vt128 merged commit 6a0e7ed into master Jun 20, 2026
11 checks passed
vt128 deleted the doc/readme-security-model branch June 20, 2026 01:34