refactor: make bubblewrap the default Linux sandbox (#13996)

## Summary
- make bubblewrap the default Linux sandbox and keep
`use_legacy_landlock` as the only override
- remove `use_linux_sandbox_bwrap` from feature, config, schema, and
docs surfaces
- update Linux sandbox selection, CLI/config plumbing, and related
tests/docs to match the new default
- fold in the follow-up CI fixes for request-permissions responses and
Linux read-only sandbox error text

codex-rs/utils/cli/src/config_override.rs

@@ -89,8 +89,8 @@ impl CliConfigOverrides {
 }
 
 fn canonicalize_override_key(key: &str) -> String {
-    if key == "use_linux_sandbox_bwrap" {
-        "features.use_linux_sandbox_bwrap".to_string()
+    if key == "use_legacy_landlock" {
+        "features.use_legacy_landlock".to_string()
     } else {
         key.to_string()
     }
@@ -181,12 +181,12 @@ mod tests {
     }
 
     #[test]
-    fn canonicalizes_use_linux_sandbox_bwrap_alias() {
+    fn canonicalizes_use_legacy_landlock_alias() {
         let overrides = CliConfigOverrides {
-            raw_overrides: vec!["use_linux_sandbox_bwrap=true".to_string()],
+            raw_overrides: vec!["use_legacy_landlock=true".to_string()],
         };
         let parsed = overrides.parse_overrides().expect("parse_overrides");
-        assert_eq!(parsed[0].0.as_str(), "features.use_linux_sandbox_bwrap");
+        assert_eq!(parsed[0].0.as_str(), "features.use_legacy_landlock");
         assert_eq!(parsed[0].1.as_bool(), Some(true));
     }