feat: support allowed_sandbox_modes in requirements.toml (#8298)

This adds support for `allowed_sandbox_modes` in `requirements.toml` and
provides legacy support for constraining sandbox modes in
`managed_config.toml`. This is converted to `Constrained<SandboxPolicy>`
in `ConfigRequirements` and applied to `Config` such that constraints
are enforced throughout the harness.

Note that, because `managed_config.toml` is deprecated, we do not add
support for the new `external-sandbox` variant recently introduced in
https://github.com/openai/codex/pull/8290. As noted, that variant is not
supported in `config.toml` today, but can be configured programmatically
via app server.

codex-rs/exec/src/lib.rs

@@ -259,7 +259,7 @@ pub async fn run_main(cli: Cli, codex_linux_sandbox_exe: Option<PathBuf>) -> any
 
     let default_cwd = config.cwd.to_path_buf();
     let default_approval_policy = config.approval_policy.value();
-    let default_sandbox_policy = config.sandbox_policy.clone();
+    let default_sandbox_policy = config.sandbox_policy.get();
     let default_effort = config.model_reasoning_effort;
     let default_summary = config.model_reasoning_summary;
 
@@ -411,7 +411,7 @@ pub async fn run_main(cli: Cli, codex_linux_sandbox_exe: Option<PathBuf>) -> any
                     items,
                     cwd: default_cwd,
                     approval_policy: default_approval_policy,
-                    sandbox_policy: default_sandbox_policy,
+                    sandbox_policy: default_sandbox_policy.clone(),
                     model: default_model,
                     effort: default_effort,
                     summary: default_summary,