Add sandboxed exec-server filesystem helpers

[starr-openai]

Summary

• add optional filesystem sandbox policy plumbing to fs requests and the exec-server filesystem abstraction
• re-invoke LocalFileSystem operations in a hidden codex-exec-server --internal-fs-op helper process when sandboxing is requested
• add coverage for the helper-path wiring and the direct-enforcement fallback for split filesystem policies

Validation

• remote on dev: cargo test -p codex-exec-server helper_legacy_policy_falls_back_to_external_sandbox_for_direct_runtime_enforcement
• remote on dev: cargo test -p codex-exec-server file_system && cargo test -p codex-app-server suite::v2::fs

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 17bb4317da

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Respect Windows sandbox policy in helper execution

prepare_helper_request hardcodes WindowsSandboxLevel::Disabled when choosing and transforming the sandbox request. On Windows this drives select_initial to SandboxType::None, so *_with_sandbox_policy executes --internal-fs-op without sandboxing even for restricted policies. That silently bypasses requested filesystem restrictions.

Useful? React with 👍 / 👎.

[starr-openai]

Fixed in b85bee8c: the sandboxed filesystem helper now uses RestrictedToken for helper-side sandbox selection/transform instead of hardcoding Disabled, so Windows helper execution no longer silently bypasses the requested policy.