feat: introducing a network sandbox proxy (#8442)

This add a new crate, `codex-network-proxy`, a local network proxy
service used by Codex to enforce fine-grained network policy (domain
allow/deny) and to surface blocked network events for interactive
approvals.

- New crate: `codex-rs/network-proxy/` (`codex-network-proxy` binary +
library)
- Core capabilities:
  - HTTP proxy support (including CONNECT tunneling)
  - SOCKS5 proxy support (in the later PR)
- policy evaluation (allowed/denied domain lists; denylist wins;
wildcard support)
  - small admin API for polling/reload/mode changes
- optional MITM support for HTTPS CONNECT to enforce “limited mode”
method restrictions (later PR)

Will follow up integration with codex in subsequent PRs.

## Testing

- `cd codex-rs && cargo build -p codex-network-proxy`
- `cd codex-rs && cargo run -p codex-network-proxy -- proxy`

codex-rs/network-proxy/src/lib.rs

@@ -0,0 +1,29 @@
+#![deny(clippy::print_stdout, clippy::print_stderr)]
+
+mod admin;
+mod config;
+mod http_proxy;
+mod network_policy;
+mod policy;
+mod proxy;
+mod reasons;
+mod responses;
+mod runtime;
+mod state;
+mod upstream;
+
+use anyhow::Result;
+pub use network_policy::NetworkDecision;
+pub use network_policy::NetworkPolicyDecider;
+pub use network_policy::NetworkPolicyRequest;
+pub use network_policy::NetworkProtocol;
+pub use proxy::Args;
+pub use proxy::NetworkProxy;
+pub use proxy::NetworkProxyBuilder;
+pub use proxy::NetworkProxyHandle;
+
+pub async fn run_main(args: Args) -> Result<()> {
+    let _ = args;
+    let proxy = NetworkProxy::builder().build().await?;
+    proxy.run().await?.wait().await
+}