feat: support allowed_sandbox_modes in requirements.toml (#8298)

This adds support for `allowed_sandbox_modes` in `requirements.toml` and
provides legacy support for constraining sandbox modes in
`managed_config.toml`. This is converted to `Constrained<SandboxPolicy>`
in `ConfigRequirements` and applied to `Config` such that constraints
are enforced throughout the harness.

Note that, because `managed_config.toml` is deprecated, we do not add
support for the new `external-sandbox` variant recently introduced in
https://github.com/openai/codex/pull/8290. As noted, that variant is not
supported in `config.toml` today, but can be configured programmatically
via app server.

codex-rs/core/tests/suite/codex_delegate.rs

@@ -63,7 +63,7 @@ async fn codex_delegate_forwards_exec_approval_and_proceeds_on_approval() {
     // routes ExecApprovalRequest via the parent.
     let mut builder = test_codex().with_model("gpt-5.1").with_config(|config| {
         config.approval_policy = Constrained::allow_any(AskForApproval::OnRequest);
-        config.sandbox_policy = SandboxPolicy::ReadOnly;
+        config.sandbox_policy = Constrained::allow_any(SandboxPolicy::ReadOnly);
     });
     let test = builder.build(&server).await.expect("build test codex");
 
@@ -140,7 +140,7 @@ async fn codex_delegate_forwards_patch_approval_and_proceeds_on_decision() {
     let mut builder = test_codex().with_model("gpt-5.1").with_config(|config| {
         config.approval_policy = Constrained::allow_any(AskForApproval::OnRequest);
         // Use a restricted sandbox so patch approval is required
-        config.sandbox_policy = SandboxPolicy::ReadOnly;
+        config.sandbox_policy = Constrained::allow_any(SandboxPolicy::ReadOnly);
         config.include_apply_patch_tool = true;
     });
     let test = builder.build(&server).await.expect("build test codex");