mirror of
https://github.com/openai/codex.git
synced 2026-04-28 18:32:04 +03:00
feat(linux-sandbox): implement proxy-only egress via TCP-UDS-TCP bridge (#11293)
## Summary

- Implement Linux proxy-only routing in `codex-rs/linux-sandbox` with a two-stage bridge: host namespace `loopback TCP proxy endpoint -> UDS`, then bwrap netns `loopback TCP listener -> host UDS`.
- Add hidden `--proxy-route-spec` plumbing for outer-to-inner stage handoff.
- Fail closed in proxy mode when no valid loopback proxy endpoints can be routed.
- Introduce explicit network seccomp modes: `Restricted` (legacy restricted networking) and `ProxyRouted` (allow INET/INET6 for routed proxy access, deny `AF_UNIX` and `socketpair`).
- Enforce that proxy bridge/routing is bwrap-only by validating `--apply-seccomp-then-exec` requires `--use-bwrap-sandbox`.
- Keep landlock-only flows unchanged (no proxy bridge behavior outside bwrap).

---------

Co-authored-by: Codex <199175422+chatgpt-codex-connector[bot]@users.noreply.github.com>
@@ -28,6 +28,11 @@ into this binary.
- When enabled, the helper isolates the PID namespace via `--unshare-pid`.
- When enabled and network is restricted without proxy routing, the helper also
isolates the network namespace via `--unshare-net`.
- In managed proxy mode, the helper uses `--unshare-net` plus an internal
TCP->UDS->TCP routing bridge so tool traffic reaches only configured proxy
endpoints.
- In managed proxy mode, after the bridge is live, seccomp blocks new
AF_UNIX/socketpair creation for the user command.
- When enabled, it mounts a fresh `/proc` via `--proc /proc` by default, but
you can skip this in restrictive container environments with `--no-proc`.
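Review bot: the proxy-mode bullets do not say what happens when the bridge cannot be established, although the commit message states that proxy mode fails closed when no valid loopback proxy endpoints can be routed; add that to the "In managed proxy mode, the helper uses `--unshare-net` plus an internal TCP->UDS->TCP routing bridge" bullet so readers do not assume the command still runs with only `--unshare-net`. On the same lines, "after the bridge is live, seccomp blocks new AF_UNIX/socketpair creation for the user command" relies on an ordering guarantee (the bridge's UDS side is connected before the filter is installed, so the user command itself cannot open the host UDS); stating that explicitly is worth a clause. Finally, since the commit message restricts the bridge to bwrap (`--apply-seccomp-then-exec` requires `--use-bwrap-sandbox`, landlock-only flows unchanged), a sentence noting that proxy routing applies only with `--use-bwrap-sandbox` would keep this section consistent with the code.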