[plugins] Add marketplace source requirements

[xl-openai]

Why

Managed deployments need a mergeable way to declare which marketplace sources Codex may use. An enterprise-keyed TOML table avoids array merge ambiguity and lets every requirements layer use the existing config precedence rules without a marketplace-specific merger.

Requirements shape

[marketplaces]
restrict_to_allowed_sources = true

[marketplaces.allowed_sources.company_plugins]
source = "git"
url = "https://github.com/example/company-plugins.git"
ref = "main"

[marketplaces.allowed_sources.internal_git]
source = "host_pattern"
host_pattern = "^git\\.example\\.com$"

[marketplaces.allowed_sources.local_plugins]
source = "local"
path = "/opt/company/codex-plugins"

restrict_to_allowed_sources follows normal scalar precedence. allowed_sources follows normal recursive TOML table merge behavior: distinct keys accumulate and fields under the same key use normal layer precedence. The final source value later selects which fields the marketplace admission policy interprets.

The raw rule fields remain optional while requirements layers are composed, so a higher-priority layer can override only ref, url, or another individual field. Source-specific validation and normalization intentionally belong to the marketplace admission layer, not requirements merging.

This initial shape includes git, host_pattern, and local sources. It does not add npm or path-pattern rules.

What changed

• Add the marketplace requirements TOML shape to ConfigRequirementsToml, ConfigRequirementsWithSources, and ConfigRequirements.
• Carry marketplace requirements through the existing regular requirements merge path.
• Keep allowed-source entries as raw partial tables for downstream policy interpretation.
• Cover partial same-key overlays, source changes, unknown fields, and unmodified local paths.

This PR defines and composes the requirements only. Source admission is implemented by the next PR in the stack.

Stack

This is PR 1 of 3. #29753 adds source admission on top of this PR; draft #29691 will add runtime enforcement after it is rebased later.

Test plan

• just test -p codex-config marketplace_

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2917cca2e1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[xl-openai]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b6afbd3625

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[xl-openai]

@codex review again

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Already looking forward to the next diff.

Reviewed commit: 730a101ca6

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".