Allow global network allowlist wildcard (#15549)

## Problem

Today `codex-network-proxy` rejects a global `*` in
`network.allowed_domains`, so there is no static way to configure a
denylist-only posture for public hosts. Users have to enumerate broad
allowlist patterns instead.

## Approach

- Make global wildcard acceptance field-specific: `allowed_domains` can
use `*`, while `denied_domains` still rejects a global wildcard.
- Keep the existing evaluation order, so explicit denies still win first
and local/private protections still apply unless separately enabled.
- Add coverage for the denylist-only behavior and update the README to
document it.

## Validation

- `just fmt`
- `cargo test -p codex-network-proxy` (full run had one unrelated flaky
telemetry test:
`network_policy::tests::emit_block_decision_audit_event_emits_non_domain_event`;
reran in isolation and it passed)
- `cargo test -p codex-network-proxy
network_policy::tests::emit_block_decision_audit_event_emits_non_domain_event
-- --exact --nocapture`
- `just fix -p codex-network-proxy`
- `just argument-comment-lint`

codex-rs/network-proxy/src/state.rs

@@ -2,7 +2,8 @@ use crate::config::NetworkMode;
 use crate::config::NetworkProxyConfig;
 use crate::mitm::MitmState;
 use crate::policy::DomainPattern;
-use crate::policy::compile_globset;
+use crate::policy::compile_allowlist_globset;
+use crate::policy::compile_denylist_globset;
 use crate::policy::is_global_wildcard_domain_pattern;
 use crate::runtime::ConfigState;
 use serde::Deserialize;
@@ -59,12 +60,10 @@ pub fn build_config_state(
     constraints: NetworkProxyConstraints,
 ) -> anyhow::Result<ConfigState> {
     crate::config::validate_unix_socket_allowlist_paths(&config)?;
-    validate_domain_patterns("network.allowed_domains", &config.network.allowed_domains)
+    validate_denylist_domain_patterns("network.denied_domains", &config.network.denied_domains)
         .map_err(NetworkProxyConstraintError::into_anyhow)?;
-    validate_domain_patterns("network.denied_domains", &config.network.denied_domains)
-        .map_err(NetworkProxyConstraintError::into_anyhow)?;
-    let deny_set = compile_globset(&config.network.denied_domains)?;
-    let allow_set = compile_globset(&config.network.allowed_domains)?;
+    let deny_set = compile_denylist_globset(&config.network.denied_domains)?;
+    let allow_set = compile_allowlist_globset(&config.network.allowed_domains)?;
     let mitm = if config.network.mitm {
         Some(Arc::new(MitmState::new(
             config.network.allow_upstream_proxy,
@@ -107,8 +106,7 @@ pub fn validate_policy_against_constraints(
     }
 
     let enabled = config.network.enabled;
-    validate_domain_patterns("network.allowed_domains", &config.network.allowed_domains)?;
-    validate_domain_patterns("network.denied_domains", &config.network.denied_domains)?;
+    validate_denylist_domain_patterns("network.denied_domains", &config.network.denied_domains)?;
     if let Some(max_enabled) = constraints.enabled {
         validate(enabled, move |candidate| {
             if *candidate && !max_enabled {
@@ -208,7 +206,6 @@ pub fn validate_policy_against_constraints(
     }
 
     if let Some(allowed_domains) = &constraints.allowed_domains {
-        validate_domain_patterns("network.allowed_domains", allowed_domains)?;
         match constraints.allowlist_expansion_enabled {
             Some(true) => {
                 let required_set: HashSet<String> = allowed_domains
@@ -288,7 +285,7 @@ pub fn validate_policy_against_constraints(
     }
 
     if let Some(denied_domains) = &constraints.denied_domains {
-        validate_domain_patterns("network.denied_domains", denied_domains)?;
+        validate_denylist_domain_patterns("network.denied_domains", denied_domains)?;
         let required_set: HashSet<String> = denied_domains
             .iter()
             .map(|s| s.to_ascii_lowercase())
@@ -364,7 +361,7 @@ pub fn validate_policy_against_constraints(
     Ok(())
 }
 
-fn validate_domain_patterns(
+fn validate_denylist_domain_patterns(
     field_name: &'static str,
     patterns: &[String],
 ) -> Result<(), NetworkProxyConstraintError> {