fix: reject global wildcard network proxy domains (#13789)

## Summary
- reject the global `*` domain pattern in proxy allow/deny lists and
managed constraints introduced for testing earlier
- keep exact hosts plus scoped wildcards like `*.example.com` and
`**.example.com`
- update docs and regression tests for the new invalid-config behavior

codex-rs/network-proxy/src/mitm_tests.rs

@@ -83,7 +83,7 @@ async fn mitm_policy_rejects_host_mismatch() {
 #[tokio::test]
 async fn mitm_policy_rechecks_local_private_target_after_connect() {
     let app_state = Arc::new(network_proxy_state_for_policy(NetworkProxySettings {
-        allowed_domains: vec!["*".to_string()],
+        allowed_domains: vec!["example.com".to_string()],
         allow_local_binding: false,
         ..NetworkProxySettings::default()
     }));