fix(permissions): enforce exact deny-read paths#15977

Open
viyatb-oai wants to merge 8 commits into main from codex/viyatb/deny-read-enforcement

Conversation

@viyatb-oai
Collaborator

@viyatb-oai viyatb-oai commented Mar 27, 2026

Summary

This PR makes exact-path FileSystemSandboxPolicy entries with access = none enforceable as deny-read policy inside Codex core.

The policy already had a split filesystem model that could express unreadable paths, but several core execution paths still treated those entries as advisory metadata. In practice, exact deny-read entries could be lost while rebuilding policy from legacy sandbox_mode, surfaced through list_dir, or bypassed when an exec-policy allow rule / explicit escalation / sandbox-denial retry caused a command to run outside the sandbox.

This PR is the exact-path/subtree enforcement foundation only. It does not add glob syntax, managed config parsing, or new platform sandbox backends.

What Changed

  • Adds FileSystemReadDenyMatcher to codex-rs/protocol/src/permissions.rs so core code can evaluate exact deny-read semantics consistently.
  • Treats access = none entries as exact path plus subtree denies.
  • Handles root-deny policies with readable carveouts, including nested explicit denies inside a readable subtree.
  • Matches normalized/effective/canonical path candidates so symlink aliases do not bypass exact deny entries.
  • Preserves explicit deny entries when SessionConfiguration rebuilds split filesystem policy from a coarse legacy sandbox_mode update.
  • Applies deny-read filtering to list_dir:
    • listing a denied directory is rejected
    • denied files/directories are hidden from parent listings
    • denied subtrees are pruned from recursive listings
  • Keeps shell/unified-exec approval flow intact while preserving deny-read restrictions:
    • exec-policy allow rules no longer imply sandbox bypass when deny-read restrictions exist
    • explicit escalation / additional-permissions first attempts remain sandboxed when deny-read restrictions exist
    • automatic no-sandbox retry after sandbox denial is disabled when deny-read restrictions exist

Security Boundary

Deny-read entries are security-relevant policy. Approvals can still allow broader execution, but they should not silently discard explicit read-deny restrictions by switching the first attempt or retry path to an unsandboxed execution mode.

view_image integration with sandbox-backed reads: #15213.
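As an added illustration (my own sketch, not code from this PR or from the codex repository), here is a standalone Rust model of the matching semantics the description lists: exact entries that deny a path plus its subtree, a root deny with readable carveouts that can themselves contain nested denies, lexical normalization of `..` segments, evaluation of several path aliases so a symlink cannot sidestep an entry, and a `list_dir`-style filter that rejects a denied directory and prunes denied children. The names `DenyReadMatcher`, `Access`, `normalize`, `is_denied_any` and `filter_listing`, and the policy paths, are hypothetical and constructed for the example.

```rust
// Hypothetical deny-read matcher (example code, not the codex implementation).
use std::path::{Component, Path, PathBuf};

/// Access level of one exact-path policy entry (constructed enum).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Access {
    Read,
    None,
}

/// Entries are exact paths; the most specific entry that is a prefix of the
/// queried path wins, so a root deny can carry readable carveouts, which can
/// in turn carry nested explicit denies.
pub struct DenyReadMatcher {
    entries: Vec<(PathBuf, Access)>,
}

/// Lexically normalize a path: drop `.` and resolve `..` without touching the
/// filesystem, so it also works for paths that do not exist yet.
pub fn normalize(path: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for component in path.components() {
        match component {
            Component::CurDir => {}
            // `..` above the root stays at the root (pop on "/" is a no-op)
            Component::ParentDir => {
                out.pop();
            }
            other => out.push(other.as_os_str()),
        }
    }
    out
}

impl DenyReadMatcher {
    pub fn new(entries: &[(&str, Access)]) -> Self {
        let mut entries: Vec<(PathBuf, Access)> = entries
            .iter()
            .map(|(p, a)| (normalize(Path::new(p)), *a))
            .collect();
        // Most specific (deepest) entry first; the sort is stable.
        entries.sort_by_key(|(p, _)| std::cmp::Reverse(p.components().count()));
        Self { entries }
    }

    /// True when any entry denies reads. A caller would consult this before
    /// letting an approval move a command outside the sandbox.
    pub fn has_deny_entries(&self) -> bool {
        self.entries.iter().any(|(_, a)| *a == Access::None)
    }

    /// Evaluate one already-normalized candidate against the entries.
    fn candidate_denied(&self, candidate: &Path) -> bool {
        match self.entries.iter().find(|(entry, _)| candidate.starts_with(entry)) {
            Some((_, access)) => *access == Access::None,
            None => false,
        }
    }

    /// Deny if ANY alias is denied: the lexical form and, when the path
    /// exists, its canonical (symlink-resolved) form.
    pub fn is_denied(&self, path: &Path) -> bool {
        let mut candidates = vec![normalize(path)];
        if let Ok(canonical) = std::fs::canonicalize(path) {
            candidates.push(canonical);
        }
        self.is_denied_any(&candidates)
    }

    /// Same check over caller-supplied aliases (lets a test model a symlink
    /// without creating one on disk).
    pub fn is_denied_any(&self, candidates: &[PathBuf]) -> bool {
        candidates.iter().any(|c| self.candidate_denied(c))
    }

    /// list_dir filter: `None` when the directory itself is denied, otherwise
    /// only the entries whose full path is readable. Entries may be relative
    /// subpaths from a recursive walk; a denied subtree shares its prefix and
    /// is pruned along with it.
    pub fn filter_listing(&self, dir: &Path, entries: &[&str]) -> Option<Vec<String>> {
        if self.is_denied(dir) {
            return None;
        }
        Some(
            entries
                .iter()
                .filter(|e| !self.is_denied(&dir.join(e)))
                .map(|e| e.to_string())
                .collect(),
        )
    }
}

fn main() {
    // Constructed policy: nothing readable, except /repo, except /repo/secrets.
    let matcher = DenyReadMatcher::new(&[
        ("/", Access::None),
        ("/repo", Access::Read),
        ("/repo/secrets", Access::None),
    ]);
    for p in ["/repo/src/main.rs", "/repo/secrets/key.pem", "/etc/passwd", "/repo/src/../secrets/key.pem"] {
        println!("{p}: denied={}", matcher.is_denied(Path::new(p)));
    }
    println!("{:?}", matcher.filter_listing(Path::new("/repo"), &["src", "secrets", "README.md"]));
}
```

The longest-prefix rule is what makes "root deny with readable carveouts, including nested explicit denies inside a readable subtree" fall out of a single lookup, and checking every alias (rather than only the path as typed) is what closes the symlink route the description mentions.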

@viyatb-oai viyatb-oai changed the title fix(core): enforce explicit deny-read paths fix(permissions): enforce exact deny-read paths Mar 27, 2026
@github-actions
Contributor

Closing this pull request because it has had no updates for more than 14 days. If you plan to continue working on it, feel free to reopen or open a new PR.

@github-actions github-actions bot closed this Apr 11, 2026
@viyatb-oai viyatb-oai reopened this Apr 11, 2026
viyatb-oai and others added 2 commits April 11, 2026 18:24
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex <noreply@openai.com>
@viyatb-oai viyatb-oai marked this pull request as ready for review April 12, 2026 01:57
Contributor

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a5d463d15e


Comment thread codex-rs/core/src/filesystem_deny_read.rs Outdated
viyatb-oai and others added 3 commits April 12, 2026 11:01
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Codex <noreply@openai.com>
Keep approval/escalation flow intact while ensuring deny-read policies do not allow first-attempt sandbox bypass. Centralize the clamp in sandbox override selection and remove the special rejection helper.

Co-authored-by: Codex <noreply@openai.com>