feat(network-proxy): add websocket proxy env support (#11784)

## Summary
- add managed proxy env wiring for websocket-specific variables
(`WS_PROXY`/`WSS_PROXY`, including lowercase)
- keep websocket proxy vars aligned with the existing managed HTTP proxy
endpoint
- add CONNECT regression tests to cover allowlist and denylist decisions
(websocket tunnel path)
- document websocket proxy usage and CONNECT policy behavior in the
network proxy README

## Testing
- just fmt
- cargo test -p codex-network-proxy
- cargo clippy -p codex-network-proxy

Co-authored-by: Codex <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>

codex-rs/network-proxy/README.md

@@ -62,6 +62,8 @@ For HTTP(S) traffic:
 ```bash
 export HTTP_PROXY="http://127.0.0.1:3128"
 export HTTPS_PROXY="http://127.0.0.1:3128"
+export WS_PROXY="http://127.0.0.1:3128"
+export WSS_PROXY="http://127.0.0.1:3128"
 ```
 
 For SOCKS5 traffic (when `enable_socks5 = true`):
@@ -83,6 +85,9 @@ When a request is blocked, the proxy responds with `403` and includes:
 In "limited" mode, only `GET`, `HEAD`, and `OPTIONS` are allowed. HTTPS `CONNECT` and SOCKS5 are
 blocked because they would bypass method enforcement.
 
+Websocket clients typically tunnel `wss://` through HTTPS `CONNECT`; those CONNECT targets still go
+through the same host allowlist/denylist checks.
+
 ## Library API
 
 `codex-network-proxy` can be embedded as a library with a thin API: