feat: introduce ExternalSandbox policy (#8290)

## Description

Introduced `ExternalSandbox` policy to cover use case when sandbox
defined by outside environment, effectively it translates to
`SandboxMode#DangerFullAccess` for file system (since sandbox configured
on container level) and configurable `network_access` (either Restricted
or Enabled by outside environment).

as example you can configure `ExternalSandbox` policy as part of
`sendUserTurn` v1 app_server API:

```
 {
            "conversationId": <id>,
            "cwd": <cwd>,
            "approvalPolicy": "never",
            "sandboxPolicy": {
                  "type": ""external-sandbox",
                  "network_access": "enabled"/"restricted"
            },
            "model": <model>,
            "effort": <effort>,
            ....
        }
```

codex-rs/windows-sandbox-rs/src/command_runner_win.rs

@@ -106,7 +106,9 @@ pub fn main() -> Result<()> {
             SandboxPolicy::WorkspaceWrite { .. } => {
                 create_workspace_write_token_with_cap_from(base, psid_cap)
             }
-            SandboxPolicy::DangerFullAccess => unreachable!(),
+            SandboxPolicy::DangerFullAccess | SandboxPolicy::ExternalSandbox { .. } => {
+                unreachable!()
+            }
         }
     };
     let (h_token, psid_to_use) = token_res?;