feat: support allowed_sandbox_modes in requirements.toml (#8298)

This adds support for `allowed_sandbox_modes` in `requirements.toml` and
provides legacy support for constraining sandbox modes in
`managed_config.toml`. This is converted to `Constrained<SandboxPolicy>`
in `ConfigRequirements` and applied to `Config` such that constraints
are enforced throughout the harness.

Note that, because `managed_config.toml` is deprecated, we do not add
support for the new `external-sandbox` variant recently introduced in
https://github.com/openai/codex/pull/8290. As noted, that variant is not
supported in `config.toml` today, but can be configured programmatically
via app server.

codex-rs/core/tests/suite/otel.rs

@@ -935,7 +935,7 @@ async fn handle_container_exec_autoapprove_from_config_records_tool_decision() {
     let TestCodex { codex, .. } = test_codex()
         .with_config(|config| {
             config.approval_policy = Constrained::allow_any(AskForApproval::OnRequest);
-            config.sandbox_policy = SandboxPolicy::DangerFullAccess;
+            config.sandbox_policy = Constrained::allow_any(SandboxPolicy::DangerFullAccess);
         })
         .build(&server)
         .await