Apply sandbox intent inside remote exec servers

[jif-oai]

Why

PR #29108 lets the orchestrator send sandbox intent with process/start without wrapping the command for its own operating system.

This PR completes that boundary by making the executor interpret and enforce the intent using its own filesystem paths and sandbox implementation.

For example, a macOS TUI targeting a Linux devbox sends /bin/bash -lc pwd. The Linux executor turns that into its own codex-linux-sandbox ... /bin/bash -lc pwd launch.

What changes

• Keep process/start unchanged when no sandbox intent is present.
• Convert sandbox PathUri values into native paths on the executor.
• Bind symbolic :workspace_roots permissions to the executor's native sandbox cwd.
• Select the sandbox implementation on the executor and wrap the original command immediately before spawning it.
• Reject sandbox-required execution before spawning when the executor cannot enforce the intent.
• Pass exec-server runtime paths into process creation so Linux can locate codex-linux-sandbox.

The boundary is therefore:

orchestrator                         executor
original argv + sandbox intent  ->  select and enforce local sandbox

This PR intentionally treats a denied remote command as an ordinary command failure. Draft follow-up #29424 carries a semantic sandboxDenied result back to unified exec for the existing approval and retry flow.

Platform scope

Linux and macOS use their existing direct-spawn sandbox transforms.

Windows sandboxed remote process launch is intentionally unsupported in this PR. The current Windows direct-spawn wrapper does not correctly preserve arbitrary argv, TTY behavior, or pass the full child environment out of band. The executor rejects the request instead of running it incorrectly or unsandboxed.

Known follow-ups

• The transported permission profile can still contain orchestrator-materialized helper or explicit paths. A TODO(jif) marks where the executor boundary should receive pre-host-materialization permission intent.
• The sandbox wrapper currently replaces a requested custom inner arg0. A TODO(jif) marks where this must be preserved or rejected explicitly.
• Draft PR Report remote sandbox denials semantically #29424 contains the deferred sandbox-denial classification and approval/retry behavior.

Rollout assumption

This executor-sandbox stack is unreleased and its client and executor are expected to move together. This PR does not add mixed-version negotiation with older exec servers.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 36f562b950

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[jif-oai]

@codex review

[jif-oai]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e9c548f317

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".