feat(sandbox): enforce proxy-aware network routing in sandbox (#11113)

## Summary
- expand proxy env injection to cover common tool env vars
(`HTTP_PROXY`/`HTTPS_PROXY`/`ALL_PROXY`/`NO_PROXY` families +
tool-specific variants)
- harden macOS Seatbelt network policy generation to route through
inferred loopback proxy endpoints and fail closed when proxy env is
malformed
- thread proxy-aware Linux sandbox flags and add minimal bwrap netns
isolation hook for restricted non-proxy runs
- add/refresh tests for proxy env wiring, Seatbelt policy generation,
and Linux sandbox argument wiring

codex-rs/cli/src/debug_sandbox.rs

@@ -130,7 +130,10 @@ async fn run_command_under_sandbox(
     let sandbox_policy_cwd = cwd.clone();
 
     let stdio_policy = StdioPolicy::Inherit;
-    let env = create_env(&config.shell_environment_policy, None);
+    let mut env = create_env(&config.shell_environment_policy, None);
+    if let Some(network) = config.network.as_ref() {
+        network.apply_to_env(&mut env);
+    }
 
     // Special-case Windows sandbox: execute and exit the process to emulate inherited stdio.
     if let SandboxType::Windows = sandbox_type {
@@ -222,6 +225,7 @@ async fn run_command_under_sandbox(
                 config.sandbox_policy.get(),
                 sandbox_policy_cwd.as_path(),
                 stdio_policy,
+                None,
                 env,
             )
             .await?
@@ -241,6 +245,7 @@ async fn run_command_under_sandbox(
                 sandbox_policy_cwd.as_path(),
                 use_bwrap_sandbox,
                 stdio_policy,
+                None,
                 env,
             )
             .await?