fix(network-proxy): add unix socket allow-all and update seatbelt rules (#11368)

## Summary
Adds support for a Unix socket escape hatch so we can bypass socket
allowlisting when explicitly enabled.

## Description
* Added a new flag, `network.dangerously_allow_all_unix_sockets`, as an
explicit escape hatch
* In codex-network-proxy, enabling that flag now allows any absolute
Unix socket path from x-unix-socket instead of requiring each path to be
explicitly allowlisted. Relative paths are still rejected.
* updated the macOS seatbelt path in core so it enforces the same Unix
socket behavior:
  * allowlisted sockets generate explicit network* subpath rules
  * allow-all generates a broad network* (subpath "/") rule

---------

Co-authored-by: Codex <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
viyatb-oai
2026-02-20 10:56:57 -08:00
committed by GitHub
parent 73fd939296
commit 28c0089060
19 changed files with 553 additions and 18 deletions


@@ -332,6 +332,7 @@ fn format_network_constraints(network: &NetworkConstraints) -> String {
allow_upstream_proxy,
dangerously_allow_non_loopback_proxy,
dangerously_allow_non_loopback_admin,
dangerously_allow_all_unix_sockets,
allowed_domains,
denied_domains,
allow_unix_sockets,
@@ -360,6 +361,11 @@ fn format_network_constraints(network: &NetworkConstraints) -> String {
"dangerously_allow_non_loopback_admin={dangerously_allow_non_loopback_admin}"
));
}
if let Some(dangerously_allow_all_unix_sockets) = dangerously_allow_all_unix_sockets {
parts.push(format!(
"dangerously_allow_all_unix_sockets={dangerously_allow_all_unix_sockets}"
));
}
if let Some(allowed_domains) = allowed_domains {
parts.push(format!("allowed_domains=[{}]", allowed_domains.join(", ")));
}
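Review bot: The new `dangerously_allow_all_unix_sockets=…` entry in the second hunk is pushed in the same form as every other setting, so nothing in the formatted string tells a reader that a `true` value makes the `allow_unix_sockets` allowlist irrelevant. The commit description says the flag accepts any absolute socket path, so a summary that lists both values side by side can presumably read as if the allowlist still constrains access. I would add a comment above the `if let`, for example `// When true this supersedes allow_unix_sockets: any absolute Unix socket path is accepted.`, and consider marking the overridden allowlist in the output. The body of `format_network_constraints` starts and ends outside these hunks, so how `allow_unix_sockets` itself is rendered is not visible here.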