feat: load ExecPolicyManager from ConfigLayerStack (#8453)

https://github.com/openai/codex/pull/8354 added support for in-repo
`.config/` files, so this PR updates the logic for loading `*.rules`
files to load `*.rules` files from all relevant layers. The main change
to the business logic is `load_exec_policy()` in
`codex-rs/core/src/exec_policy.rs`.

Note this adds a `config_folder()` method to `ConfigLayerSource` that
returns `Option<AbsolutePathBuf>` so that it is straightforward to
iterate over the sources and get the associated config folder, if any.

codex-rs/exec-server/src/posix.rs

@@ -230,7 +230,21 @@ fn format_program_name(path: &Path, preserve_program_paths: bool) -> Option<Stri
 
 async fn load_exec_policy() -> anyhow::Result<Policy> {
     let codex_home = find_codex_home().context("failed to resolve codex_home for execpolicy")?;
-    codex_core::load_exec_policy(&codex_home)
+
+    // TODO(mbolin): At a minimum, `cwd` should be configurable via
+    // `codex/sandbox-state/update` or some other custom MCP call.
+    let cwd = None;
+    let cli_overrides = Vec::new();
+    let overrides = codex_core::config_loader::LoaderOverrides::default();
+    let config_layer_stack = codex_core::config_loader::load_config_layers_state(
+        &codex_home,
+        cwd,
+        &cli_overrides,
+        overrides,
+    )
+    .await?;
+
+    codex_core::load_exec_policy(&config_layer_stack)
         .await
         .map_err(anyhow::Error::from)
 }