feat(config): add managed deny-read requirements

[viyatb-oai]

Summary

This is the second PR in the deny-read stack.

It adds managed permissions.filesystem.deny_read requirements for exact paths and threads those requirements into the effective filesystem sandbox policy.

What This Changes

• Extends requirements parsing to accept managed permissions.filesystem.deny_read
• Applies managed deny-read entries to the effective FileSystemSandboxPolicy
• Constrains sandbox-mode selection so managed deny-read only runs in supported sandbox modes
• Emits the existing Windows best-effort warning for managed deny-read
• Surfaces active managed deny-read entries in:
  • environment context
  • /debug-config
• Updates cloud-requirements, config-loader, and related test/config fixtures to understand the new managed field

Why This Is Split Out

This PR is only about managed requirements plumbing and visibility.

The enforcement behavior lives in #15977, and glob semantics are intentionally deferred to #15979.

Not In This PR

• glob pattern parsing or matching
• macOS Seatbelt glob enforcement
• any new user config.toml shorthand beyond the existing permissions stack

Stack

• fix(permissions): enforce exact deny-read paths #15977: exact-path enforcement and bypass hardening
• feat(config): add managed deny-read requirements #15978: this PR
• feat(permissions): add glob deny-read policy support #15979: glob-pattern support on top of this PR

[viyatb-oai]

Closing this as superseded. I collapsed the managed deny-read plumbing into #15979 so the stack is now just #15977 -> #15979.