feat(network-proxy): add MITM support and gate limited-mode CONNECT (#9859)

## Description
- Adds MITM support (CA load/issue, TLS termination, optional body
inspection).
- Adds `codex-network-proxy init` to create
`CODEX_HOME/network_proxy/mitm`.
- Enforces limited-mode HTTPS correctly: `CONNECT` requires MITM,
otherwise blocked with `mitm_required`.
- Keeps `origin/main` layering/reload semantics (managed layers included
in reload checks).
- Centralizes block reasons (`REASON_MITM_REQUIRED`) and removes
`println!`.
- Scope is MITM-only (no SOCKS changes).

gated by `mitm=false` (default)

codex-rs/network-proxy/src/state.rs

@@ -1,10 +1,12 @@
 use crate::config::NetworkMode;
 use crate::config::NetworkProxyConfig;
+use crate::mitm::MitmState;
 use crate::policy::DomainPattern;
 use crate::policy::compile_globset;
 use crate::runtime::ConfigState;
 use serde::Deserialize;
 use std::collections::HashSet;
+use std::sync::Arc;
 
 pub use crate::runtime::BlockedRequest;
 pub use crate::runtime::BlockedRequestArgs;
@@ -57,10 +59,18 @@ pub fn build_config_state(
     crate::config::validate_unix_socket_allowlist_paths(&config)?;
     let deny_set = compile_globset(&config.network.denied_domains)?;
     let allow_set = compile_globset(&config.network.allowed_domains)?;
+    let mitm = if config.network.mitm {
+        Some(Arc::new(MitmState::new(
+            config.network.allow_upstream_proxy,
+        )?))
+    } else {
+        None
+    };
     Ok(ConfigState {
         config,
         allow_set,
         deny_set,
+        mitm,
         constraints,
         blocked: std::collections::VecDeque::new(),
         blocked_total: 0,