feat(devcontainer): add codex-dev and secure profile variants

.devcontainer/devcontainer.json

@@ -4,6 +4,7 @@
   "build": {
     "dockerfile": "Dockerfile",
     "context": "..",
+    "platform": "linux/arm64",
     "args": {
       "TZ": "${localEnv:TZ:UTC}",
       "NODE_MAJOR": "22",
@@ -12,8 +13,7 @@
     }
   },
   "runArgs": [
-    "--cap-add=NET_ADMIN",
-    "--cap-add=NET_RAW"
+    "--platform=linux/arm64"
   ],
   "init": true,
   "updateRemoteUserUID": true,
@@ -31,22 +31,17 @@
   ],
   "containerEnv": {
     "RUST_BACKTRACE": "1",
-    "CODEX_UNSAFE_ALLOW_NO_SANDBOX": "1",
-    "CODEX_ENABLE_FIREWALL": "1",
-    "CODEX_INCLUDE_GITHUB_META_RANGES": "1",
-    "OPENAI_ALLOWED_DOMAINS": "api.openai.com auth.openai.com github.com api.github.com codeload.github.com raw.githubusercontent.com objects.githubusercontent.com crates.io index.crates.io static.crates.io static.rust-lang.org registry.npmjs.org pypi.org files.pythonhosted.org",
-    "CARGO_TARGET_DIR": "/workspace/.cache/cargo-target",
+    "CARGO_TARGET_DIR": "${containerWorkspaceFolder}/codex-rs/target-arm64",
     "GIT_CONFIG_GLOBAL": "/home/vscode/.gitconfig.local",
     "COREPACK_ENABLE_DOWNLOAD_PROMPT": "0",
     "PYTHONDONTWRITEBYTECODE": "1",
-    "PIP_DISABLE_PIP_VERSION_CHECK": "1"
+    "PIP_DISABLE_PIP_VERSION_CHECK": "1",
+    "CODEX_ENABLE_FIREWALL": "0"
   },
   "remoteEnv": {
     "OPENAI_API_KEY": "${localEnv:OPENAI_API_KEY}"
   },
   "postCreateCommand": "python3 /opt/post_install.py",
-  "postStartCommand": "bash /opt/post_start.sh",
-  "waitFor": "postStartCommand",
   "customizations": {
     "vscode": {
       "settings": {