fix: Revert danger-full-access denylist-only mode (#17732)

## Summary

- Reverts openai/codex#16946 and removes the danger-full-access
denylist-only network mode.
- Removes the corresponding config requirements, app-server
protocol/schema, config API, TUI debug output, and network proxy
behavior.
- Drops stale tests that depended on the reverted mode while preserving
newer managed allowlist-only coverage.

## Verification

- `just write-app-server-schema`
- `just fmt`
- `cargo test -p codex-config network_requirements`
- `cargo test -p codex-core network_proxy_spec`
- `cargo test -p codex-core
managed_network_proxy_decider_survives_full_access_start`
- `cargo test -p codex-app-server map_requirements_toml_to_api`
- `cargo test -p codex-tui debug_config_output`
- `cargo test -p codex-app-server-protocol`
- `just fix -p codex-config -p codex-core -p codex-app-server-protocol
-p codex-app-server -p codex-tui`
- `git diff --cached --check`

Not run: full workspace `cargo test` (repo instructions ask for
confirmation before that broader run).

.github/scripts/run-bazel-ci.sh

@@ -92,7 +92,7 @@ print_bazel_test_log_tails() {
 
   for target in "${failed_targets[@]}"; do
     local rel_path="${target#//}"
-    rel_path="${rel_path/:/\/}"
+    rel_path="${rel_path/://}"
     local test_log="${testlogs_dir}/${rel_path}/test.log"
 
     echo "::group::Bazel test log tail for ${target}"