## Summary
- Use the preview request origin for Vercel-backed InvestOS runtime launches instead of pinning preview sandboxes to `https://tilt.io`.
- Broker Vercel preview protection through sandbox firewall header transforms so protected preview callbacks work without exposing the bypass secret to the sandbox env.
- Refresh the network policy on hot-reused and resident-worker sandboxes once the per-run callback URL is known.

## Testing
- `./node_modules/.bin/biome check apps/web/src/lib/investos-runtime/executor-bootstrap.ts apps/web/src/lib/investos-runtime/runtime-network-policy-refresh.ts apps/web/src/lib/investos-runtime/vercel-preview-bypass-rule.ts apps/web/src/lib/investos-runtime/vercel-start-worker.ts apps/web/src/lib/investos-runtime/vercel-resident-worker.ts apps/web/src/lib/investos-runtime/executor-launch.test.ts apps/web/src/lib/investos-runtime/executor.test.ts apps/web/src/lib/investos-runtime/api-helpers.ts apps/web/src/lib/investos-runtime/api-helpers.test.ts apps/web/src/lib/investos-runtime/vercel-runtime-env.ts apps/web/src/lib/investos-runtime/vercel-runtime-env.test.ts`
- `npx tsx scripts/lint-file-rules.ts`
- `(cd apps/web && ../../node_modules/.bin/vitest run --project default src/lib/investos-runtime/api-helpers.test.ts src/lib/investos-runtime/executor.test.ts src/lib/investos-runtime/executor-launch.test.ts src/lib/investos-runtime/vercel-runtime-env.test.ts)`
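
The brokering described in the summary, as an added sketch that is not code from this PR: the types, function names, the `INVESTOS_CALLBACK_URL` variable and the sample values are hypothetical, and the egress proxy is modelled rather than taken from any real sandbox API. It scopes the `x-vercel-protection-bypass` header to the exact per-run callback host and keeps the secret out of the sandbox env.

```typescript
// Added illustration: hypothetical types, not the project's or any sandbox SDK's API.
type HeaderTransformRule = {
  host: string;                        // exact host the rule applies to
  setHeaders: Record<string, string>;  // headers the egress proxy adds
};

// Header used by Vercel's Protection Bypass for Automation.
const BYPASS_HEADER = "x-vercel-protection-bypass";

// Build the rule once the per-run callback URL is known. Returns null when
// no rule should be installed (no secret configured, or a non-HTTPS callback).
function buildBypassRule(
  callbackUrl: string,
  bypassSecret: string | undefined,
): HeaderTransformRule | null {
  if (!bypassSecret) return null;
  const url = new URL(callbackUrl);
  if (url.protocol !== "https:") return null; // never attach the secret to cleartext traffic
  return { host: url.host, setHeaders: { [BYPASS_HEADER]: bypassSecret } };
}

// Model of what the egress proxy does to one outbound request from the sandbox.
function applyRule(
  rule: HeaderTransformRule | null,
  requestUrl: string,
  headers: Record<string, string>,
): Record<string, string> {
  const out: Record<string, string> = {};
  // Drop any sandbox-supplied copy of the header so code inside cannot override it.
  for (const k of Object.keys(headers)) {
    if (k.toLowerCase() !== BYPASS_HEADER) out[k] = headers[k];
  }
  // Exact host match only: a lookalike suffix or sibling preview gets nothing.
  if (rule && new URL(requestUrl).host === rule.host) {
    for (const k of Object.keys(rule.setHeaders)) out[k] = rule.setHeaders[k];
  }
  return out;
}

// Env handed to the sandbox: the callback URL only, never the secret.
function sandboxEnv(callbackUrl: string): Record<string, string> {
  return { INVESTOS_CALLBACK_URL: callbackUrl }; // hypothetical variable name
}
```

On a hot-reused or resident-worker sandbox, rebuilding the rule from each run's callback URL replaces the previous run's host, which is the refresh the third summary bullet calls for.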
