sandboxing: use OsString for SandboxCommand.program (#15897)

## Why

`SandboxCommand.program` represents an executable path, but keeping it
as `String` forced path-backed callers to run `to_string_lossy()` before
the sandbox layer ever touched the command. That loses fidelity earlier
than necessary and adds avoidable conversions in runtimes that already
have a `PathBuf`.

## What changed

- Changed `SandboxCommand.program` to `OsString`.
- Updated `SandboxManager::transform` to keep the program and argv in
`OsString` form until the `SandboxExecRequest` conversion boundary.
- Switched the path-backed `apply_patch` and `js_repl` runtimes to pass
`into_os_string()` instead of `to_string_lossy()`.
- Updated the remaining string-backed builders and tests to match the
new type while preserving the existing Linux helper `arg0` behavior.

## Verification

- `cargo test -p codex-sandboxing`
- `just argument-comment-lint -p codex-core -p codex-sandboxing`
- `cargo test -p codex-core` currently fails in unrelated existing
config tests: `config::tests::approvals_reviewer_*` and
`config::tests::smart_approvals_alias_*`
Michael Bolin
2026-03-26 13:38:33 -07:00
committed by GitHub
parent b23789b770
commit dfb36573cd
8 changed files with 33 additions and 24 deletions
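
The fidelity loss the commit message describes, as an added example that is not code from this commit or from the codex repository. The helpers `lossy_program` and `exact_program` and the sample paths are hypothetical and constructed for illustration; the code assumes a Unix target, where paths are arbitrary bytes.

```rust
use std::ffi::OsString;
use std::os::unix::ffi::{OsStrExt, OsStringExt};
use std::path::{Path, PathBuf};

/// What a `String`-typed program field forces on a path-backed caller
/// (hypothetical helper): invalid UTF-8 is replaced with U+FFFD.
fn lossy_program(path: &Path) -> String {
    path.to_string_lossy().to_string()
}

/// What an `OsString`-typed program field allows (hypothetical helper):
/// the original bytes are carried through unchanged.
fn exact_program(path: PathBuf) -> OsString {
    path.into_os_string()
}

/// Constructed sample: two distinct paths that differ in one non-UTF-8 byte.
fn sample_paths() -> (PathBuf, PathBuf) {
    let a = PathBuf::from(OsString::from_vec(b"/opt/tools\xff/node".to_vec()));
    let b = PathBuf::from(OsString::from_vec(b"/opt/tools\xfe/node".to_vec()));
    (a, b)
}

fn main() {
    let (a, b) = sample_paths();
    // Distinct on disk, identical once converted lossily.
    println!("paths differ:        {}", a != b);
    println!("lossy forms collide: {}", lossy_program(&a) == lossy_program(&b));
    // The lossy string no longer names the original file.
    println!(
        "lossy bytes match original: {}",
        lossy_program(&a).as_bytes() == a.as_os_str().as_bytes()
    );
    // The OsString keeps the exact bytes the caller started with.
    println!("exact bytes: {:?}", exact_program(a).as_bytes());
}
```
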

@@ -1045,7 +1045,7 @@ impl JsReplManager {
has_managed_network_requirements,
);
let command = SandboxCommand {
program: node_path.to_string_lossy().to_string(),
program: node_path.into_os_string(),
args: vec![
"--experimental-vm-modules".to_string(),
kernel_path.to_string_lossy().to_string(),
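
Review bot: the `args` entry `kernel_path.to_string_lossy().to_string()` directly below the changed `program` line still goes through a lossy conversion, so a non-UTF-8 kernel path would still be altered before the sandbox layer sees it even though the program path no longer is. Consider moving `SandboxCommand.args` to `OsString` as well, or state in the commit message that args are intentionally left as `String` for now. Separately, `into_os_string()` consumes `node_path`, so it is worth confirming that nothing later in this function still needs the `PathBuf`.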