Run exec-server fs operations through sandbox helper (#17294)

## Summary
- run exec-server filesystem RPCs requiring sandboxing through a
`codex-fs` arg0 helper over stdin/stdout
- keep direct local filesystem execution for `DangerFullAccess` and
external sandbox policies
- remove the standalone exec-server binary path in favor of top-level
arg0 dispatch/runtime paths
- add sandbox escape regression coverage for local and remote filesystem
paths

## Validation
- `just fmt`
- `git diff --check`
- remote devbox: `cd codex-rs && bazel test --bes_backend=
--bes_results_url= //codex-rs/exec-server:all` (6/6 passed)

---------

Co-authored-by: Codex <noreply@openai.com>
starr-openai
2026-04-12 18:36:03 -07:00
committed by GitHub
parent 7c1e41c8b6
commit d626dc3895
52 changed files with 2313 additions and 895 deletions


@@ -3,6 +3,9 @@ mod client_api;
mod connection;
mod environment;
mod file_system;
mod fs_helper;
mod fs_helper_main;
mod fs_sandbox;
mod local_file_system;
mod local_process;
mod process;
@@ -11,6 +14,8 @@ mod protocol;
mod remote_file_system;
mod remote_process;
mod rpc;
mod runtime_paths;
mod sandboxed_file_system;
mod server;
pub use client::ExecServerClient;
@@ -25,9 +30,13 @@ pub use file_system::CreateDirectoryOptions;
pub use file_system::ExecutorFileSystem;
pub use file_system::FileMetadata;
pub use file_system::FileSystemResult;
pub use file_system::FileSystemSandboxContext;
pub use file_system::ReadDirectoryEntry;
pub use file_system::RemoveOptions;
pub use fs_helper::CODEX_FS_HELPER_ARG1;
pub use fs_helper_main::main as run_fs_helper_main;
pub use local_file_system::LOCAL_FS;
pub use local_file_system::LocalFileSystem;
pub use process::ExecBackend;
pub use process::ExecProcess;
pub use process::StartedExecProcess;
@@ -62,7 +71,7 @@ pub use protocol::TerminateResponse;
pub use protocol::WriteParams;
pub use protocol::WriteResponse;
pub use protocol::WriteStatus;
pub use runtime_paths::ExecServerRuntimePaths;
pub use server::DEFAULT_LISTEN_URL;
pub use server::ExecServerListenUrlParseError;
pub use server::run_main;
pub use server::run_main_with_listen_url;
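Review bot: `pub use local_file_system::LOCAL_FS;` and `pub use local_file_system::LocalFileSystem;` in the third hunk sit in the crate's public API next to `FileSystemSandboxContext`, with nothing at the export site saying which of them enforces a sandbox policy. Going by the commit description, the local filesystem is the direct path kept for `DangerFullAccess` and external sandbox policies, so a caller that picks it up under any other policy would presumably skip the `codex-fs` helper. The rendered page has lost its `+`/`-` markers, so I cannot tell whether both exports are new in this commit. I would narrow them to `pub(crate)` if no other crate needs them, or otherwise put a comment such as `// Direct, unsandboxed filesystem access: only for DangerFullAccess or externally sandboxed policies.` above the re-exports and repeat that contract in the doc on `LocalFileSystem`.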