Protect first-time project .codex creation across sandboxes

[rreichel3-oai]

Update protocol path protection so a missing top-level project .codex still requires approval before writes.

Fix the macOS seatbelt sandbox to deny both the exact protected path and descendants, which closes the first-creation gap for .codex/config.toml.

Fix the Windows sandbox to reserve missing writable-root .codex directories before applying deny ACLs, while keeping .agents and .git behavior unchanged.

Add regressions for protocol path protection, seatbelt policy generation, apply-patch safety checks, and Windows writable-root/.codex reservation.

External (non-OpenAI) Pull Request Requirements

Before opening this Pull Request, please read the dedicated "Contributing" markdown file or your PR may be closed:
https://github.com/openai/codex/blob/main/docs/contributing.md

If your PR conforms to our contribution guidelines, replace this text with a detailed and high quality description of your changes.

Include a link to a bug report or enhancement request.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: dd61525cf7

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Handle relative cwd without panicking in legacy conversion

FileSystemSandboxPolicy::from_legacy_sandbox_policy now calls AbsolutePathBuf::from_absolute_path(cwd).expect(...). A relative cwd (still accepted by the &Path API) now crashes the process instead of degrading gracefully. This is a behavior regression from the prior non-panicking path handling and can turn bad caller input into a hard failure.

Useful? React with 👍 / 👎.