feat(linux-sandbox): add bwrap support (#9938)

## Summary
This PR introduces a gated Bubblewrap (bwrap) Linux sandbox path. The
current Linux sandbox path relies on in-process restrictions (including
Landlock). Bubblewrap gives us a more uniform filesystem isolation
model — in particular, explicit writable roots with the option to make some
directories read-only — and granular network controls.

This is behind a feature flag so we can validate behavior safely before
making it the default.

- Added temporary rollout flag:
  - `features.use_linux_sandbox_bwrap`
- Preserved existing default path when the flag is off.
- In Bubblewrap mode:
- Added internal retry without /proc when /proc mount is not permitted
by the host/container.
viyatb-oai
2026-02-04 11:13:17 -08:00
committed by GitHub
parent 95269ce88b
commit ae4de43ccc
31 changed files with 607 additions and 517 deletions


@@ -71,7 +71,7 @@ impl CliConfigOverrides {
}
};
Ok((key.to_string(), value))
Ok((canonicalize_override_key(key), value))
})
.collect()
}
@@ -88,6 +88,14 @@ impl CliConfigOverrides {
}
}
fn canonicalize_override_key(key: &str) -> String {
if key == "use_linux_sandbox_bwrap" {
"features.use_linux_sandbox_bwrap".to_string()
} else {
key.to_string()
}
}
/// Apply a single override onto `root`, creating intermediate objects as
/// necessary.
fn apply_single_override(root: &mut Value, path: &str, value: Value) {
@@ -172,6 +180,16 @@ mod tests {
assert_eq!(arr.len(), 3);
}
#[test]
fn canonicalizes_use_linux_sandbox_bwrap_alias() {
let overrides = CliConfigOverrides {
raw_overrides: vec!["use_linux_sandbox_bwrap=true".to_string()],
};
let parsed = overrides.parse_overrides().expect("parse_overrides");
assert_eq!(parsed[0].0.as_str(), "features.use_linux_sandbox_bwrap");
assert_eq!(parsed[0].1.as_bool(), Some(true));
}
#[test]
fn parses_inline_table() {
let v = parse_toml_value("{a = 1, b = 2}").expect("parse");