[do not merge] add managed filesystem deny_read blocklist#12389

Closed
viyatb-oai wants to merge 25 commits into main from codex/viyatb/deny-read-requirements-only

@viyatb-oai viyatb-oai commented Feb 20, 2026

Summary

Implements a managed filesystem read blocklist (deny_read) enforced from requirements.toml, with enforcement in both direct file tools and OS sandbox backends on macOS/Linux.

This adds the path-policy foundation needed for cases like blocking reads of files without relying on command-pattern blocking.

  • requirements.toml support for [permissions.filesystem].deny_read
  • limited * / ** glob support in managed deny_read, expanded to concrete matches when config is loaded
  • SandboxPolicy / protocol / app-server schema plumbing for deny_read_paths
  • direct tool enforcement (read_file, list_dir, view_image, grep_files overlap guard)
  • macOS Seatbelt deny-read rules (file-read* + unlink hardening)
  • Linux bubblewrap deny-read overlays (--tmpfs for dirs, /dev/null for files)
  • legacy Linux Landlock fail-closed when deny_read is configured
  • Windows best-effort warning (tool-level enforcement only)

Implementation notes

  • Exact paths keep exact path + subtree semantics.
  • Glob support is limited to * / **.
  • Glob patterns are expanded to concrete matches when config loads, so only files and directories that exist at that time are covered until config reload.
  • Matching in direct tools checks normalized and canonicalized paths to reduce symlink alias bypasses.
  • grep_files currently shells out to rg outside the sandboxed shell path, so this PR rejects overlapping search roots instead of post-filtering.
  • Linux restricted-read mode only applies deny overlays for paths that overlap mounted readable/writable roots (avoids invalid overlays for paths not visible in the sandbox).
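
Added example, not code from this PR or the Codex code base: a std-only Rust sketch of the direct-tool check described in the implementation notes (exact path + subtree semantics, matched against both the normalized and the canonicalized path), showing a symlink alias being caught. The names `normalize`, `is_read_denied` and `demo` and the fixture layout are hypothetical; the deny list is assumed to hold canonical absolute paths, and the fixture is Unix-only.

```rust
use std::fs;
use std::path::{Component, Path, PathBuf};

/// Lexical normalization: drops `.` and folds `..` without touching the filesystem.
fn normalize(path: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for part in path.components() {
        match part {
            Component::CurDir => {}
            Component::ParentDir => { out.pop(); }
            other => out.push(other.as_os_str()),
        }
    }
    out
}

/// Hypothetical check: deny when the normalized OR the canonicalized form equals a
/// denied path or lies in its subtree. `starts_with` compares whole components.
fn is_read_denied(deny_read: &[PathBuf], requested: &Path) -> bool {
    let normalized = normalize(requested);
    // canonicalize() resolves symlinks; it fails for missing paths, leaving only the lexical check.
    let canonical = fs::canonicalize(requested).ok();
    deny_read.iter().any(|denied| {
        normalized.starts_with(denied)
            || canonical.as_ref().map_or(false, |c| c.starts_with(denied))
    })
}

/// Constructed fixture (Unix only): verdicts for [direct, `..` detour, symlink alias, sibling dir].
fn demo() -> std::io::Result<[bool; 4]> {
    let tmp = fs::canonicalize(std::env::temp_dir())?;
    let base = tmp.join(format!("deny_read_demo_{}", std::process::id()));
    let _ = fs::remove_dir_all(&base);
    fs::create_dir_all(base.join("secrets"))?;
    fs::create_dir_all(base.join("secrets-public"))?;
    fs::write(base.join("secrets/token.txt"), "constructed")?;
    std::os::unix::fs::symlink(base.join("secrets"), base.join("alias"))?;
    let deny_read = vec![base.join("secrets")]; // assumed stored in canonical form
    let verdicts = [
        is_read_denied(&deny_read, &base.join("secrets/token.txt")),
        is_read_denied(&deny_read, &base.join("secrets-public/../secrets/token.txt")),
        is_read_denied(&deny_read, &base.join("alias/token.txt")),
        is_read_denied(&deny_read, &base.join("secrets-public")),
    ];
    fs::remove_dir_all(&base)?;
    Ok(verdicts)
}

fn main() { println!("{:?}", demo()); }
```

The third verdict is the symlink case: `alias/token.txt` passes the lexical comparison and is denied only because the canonicalized path resolves into the denied subtree.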

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5030b4fe71

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@viyatb-oai viyatb-oai marked this pull request as draft February 21, 2026 01:00
@viyatb-oai viyatb-oai marked this pull request as ready for review March 2, 2026 22:36

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4dd8a79798


@viyatb-oai viyatb-oai marked this pull request as draft March 2, 2026 22:54
@viyatb-oai viyatb-oai changed the title from "feat(permissions): add managed filesystem deny_read blocklist" to "[do not merge] add managed filesystem deny_read blocklist" Mar 10, 2026
@github-actions

Closing this pull request because it has had no updates for more than 14 days. If you plan to continue working on it, feel free to reopen or open a new PR.

@github-actions github-actions bot closed this Mar 26, 2026