feat: split codex-common into smaller utils crates (#11422)

We are removing feature-gated shared crates from the `codex-rs`
workspace. `codex-common` grouped several unrelated utilities behind
`[features]`, which made dependency boundaries harder to reason about
and worked against the ongoing effort to eliminate feature flags from
workspace crates.

Splitting these utilities into dedicated crates under `utils/` aligns
this area with existing workspace structure and keeps each dependency
explicit at the crate boundary.

## What changed

- Removed `codex-rs/common` (`codex-common`) from workspace members and
workspace dependencies.
- Added six new utility crates under `codex-rs/utils/`:
  - `codex-utils-cli`
  - `codex-utils-elapsed`
  - `codex-utils-sandbox-summary`
  - `codex-utils-approval-presets`
  - `codex-utils-oss`
  - `codex-utils-fuzzy-match`
- Migrated the corresponding modules out of `codex-common` into these
crates (with tests), and added matching `BUILD.bazel` targets.
- Updated direct consumers to use the new crates instead of
`codex-common`:
  - `codex-rs/cli`
  - `codex-rs/tui`
  - `codex-rs/exec`
  - `codex-rs/app-server`
  - `codex-rs/mcp-server`
  - `codex-rs/chatgpt`
  - `codex-rs/cloud-tasks`
- Updated workspace lockfile entries to reflect the new dependency graph
and removal of `codex-common`.

codex-rs/utils/sandbox-summary/src/config_summary.rs

@@ -0,0 +1,33 @@
+use codex_core::WireApi;
+use codex_core::config::Config;
+
+use crate::sandbox_summary::summarize_sandbox_policy;
+
+/// Build a list of key/value pairs summarizing the effective configuration.
+pub fn create_config_summary_entries(config: &Config, model: &str) -> Vec<(&'static str, String)> {
+    let mut entries = vec![
+        ("workdir", config.cwd.display().to_string()),
+        ("model", model.to_string()),
+        ("provider", config.model_provider_id.clone()),
+        ("approval", config.approval_policy.value().to_string()),
+        (
+            "sandbox",
+            summarize_sandbox_policy(config.sandbox_policy.get()),
+        ),
+    ];
+    if config.model_provider.wire_api == WireApi::Responses {
+        let reasoning_effort = config
+            .model_reasoning_effort
+            .map(|effort| effort.to_string());
+        entries.push((
+            "reasoning effort",
+            reasoning_effort.unwrap_or_else(|| "none".to_string()),
+        ));
+        entries.push((
+            "reasoning summaries",
+            config.model_reasoning_summary.to_string(),
+        ));
+    }
+
+    entries
+}

codex-rs/utils/sandbox-summary/src/lib.rs

@@ -0,0 +1,5 @@
+mod config_summary;
+mod sandbox_summary;
+
+pub use config_summary::create_config_summary_entries;
+pub use sandbox_summary::summarize_sandbox_policy;

codex-rs/utils/sandbox-summary/src/sandbox_summary.rs

@@ -0,0 +1,86 @@
+use codex_core::protocol::NetworkAccess;
+use codex_core::protocol::SandboxPolicy;
+
+pub fn summarize_sandbox_policy(sandbox_policy: &SandboxPolicy) -> String {
+    match sandbox_policy {
+        SandboxPolicy::DangerFullAccess => "danger-full-access".to_string(),
+        SandboxPolicy::ReadOnly => "read-only".to_string(),
+        SandboxPolicy::ExternalSandbox { network_access } => {
+            let mut summary = "external-sandbox".to_string();
+            if matches!(network_access, NetworkAccess::Enabled) {
+                summary.push_str(" (network access enabled)");
+            }
+            summary
+        }
+        SandboxPolicy::WorkspaceWrite {
+            writable_roots,
+            network_access,
+            exclude_tmpdir_env_var,
+            exclude_slash_tmp,
+        } => {
+            let mut summary = "workspace-write".to_string();
+
+            let mut writable_entries = Vec::<String>::new();
+            writable_entries.push("workdir".to_string());
+            if !*exclude_slash_tmp {
+                writable_entries.push("/tmp".to_string());
+            }
+            if !*exclude_tmpdir_env_var {
+                writable_entries.push("$TMPDIR".to_string());
+            }
+            writable_entries.extend(
+                writable_roots
+                    .iter()
+                    .map(|p| p.to_string_lossy().to_string()),
+            );
+
+            summary.push_str(&format!(" [{}]", writable_entries.join(", ")));
+            if *network_access {
+                summary.push_str(" (network access enabled)");
+            }
+            summary
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use codex_utils_absolute_path::AbsolutePathBuf;
+    use pretty_assertions::assert_eq;
+
+    #[test]
+    fn summarizes_external_sandbox_without_network_access_suffix() {
+        let summary = summarize_sandbox_policy(&SandboxPolicy::ExternalSandbox {
+            network_access: NetworkAccess::Restricted,
+        });
+        assert_eq!(summary, "external-sandbox");
+    }
+
+    #[test]
+    fn summarizes_external_sandbox_with_enabled_network() {
+        let summary = summarize_sandbox_policy(&SandboxPolicy::ExternalSandbox {
+            network_access: NetworkAccess::Enabled,
+        });
+        assert_eq!(summary, "external-sandbox (network access enabled)");
+    }
+
+    #[test]
+    fn workspace_write_summary_still_includes_network_access() {
+        let root = if cfg!(windows) { "C:\\repo" } else { "/repo" };
+        let writable_root = AbsolutePathBuf::try_from(root).unwrap();
+        let summary = summarize_sandbox_policy(&SandboxPolicy::WorkspaceWrite {
+            writable_roots: vec![writable_root.clone()],
+            network_access: true,
+            exclude_tmpdir_env_var: true,
+            exclude_slash_tmp: true,
+        });
+        assert_eq!(
+            summary,
+            format!(
+                "workspace-write [workdir, {}] (network access enabled)",
+                writable_root.to_string_lossy()
+            )
+        );
+    }
+}