
[exec-server] Add bounded file reads #29441

Draft: soheil-oai wants to merge 1 commit into main from codex/exec-server-bounded-read


@soheil-oai


Context

This is PR 1 of a five-PR prerequisite stack for CCA-50 and the CCA file-transfer RFC.

The previous whole-file relay approach in #28337 can exceed the 64 MiB Noise message limit and puts file bytes on the CCA control plane. The replacement architecture keeps file bytes inside the selected executor. Its first prerequisite is a bounded filesystem read that works identically through both direct and sandbox-helper paths.

Stack order:

  1. bounded executor reads (this PR)
  2. versioned prepared-upload protocol
  3. prepared snapshot lifecycle
  4. protected HTTPS upload execution
  5. spawned-server transport and reconnect E2E

What changed

  • Add optional maxBytes to fs/readFile without changing legacy callers.
  • Enforce the limit before returning oversized contents from direct reads.
  • Forward and enforce the same limit through the sandbox helper.
  • Return a stable protocol error without relaying oversized bytes.

This PR does not add file-transfer RPCs or enable any new CCA behavior.

Test plan

  • just test -p codex-exec-server --test bounded_read (1 passed)
  • cargo check -p codex-exec-server (passed during exact-stack validation)

Reviewed as part of the complete stack by independent architecture, security, and Rust/conventions reviewers; no P0/P1/P2 findings remain.
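
Added example, not code from this PR or from the project: one way to enforce an optional byte limit before any oversized contents are returned, as the description above outlines. The names `read_file_bounded` and `ReadError` are hypothetical; the PR's actual `fs/readFile` handler and protocol error are not shown on this page.

```rust
use std::fs::File;
use std::io::{self, Read};
use std::path::Path;

/// Hypothetical error type standing in for the PR's stable protocol error.
#[derive(Debug)]
pub enum ReadError {
    TooLarge { limit: u64 },
    Io(io::Error),
}

/// Read a whole file; with a limit set, never buffer or return more than
/// `max_bytes`. `None` keeps the legacy unbounded behaviour.
pub fn read_file_bounded(path: &Path, max_bytes: Option<u64>) -> Result<Vec<u8>, ReadError> {
    let mut file = File::open(path).map_err(ReadError::Io)?;
    let mut buf = Vec::new();
    let limit = match max_bytes {
        Some(limit) => limit,
        None => {
            file.read_to_end(&mut buf).map_err(ReadError::Io)?;
            return Ok(buf);
        }
    };
    // Cheap early reject: a regular file's size is known before reading.
    let meta = file.metadata().map_err(ReadError::Io)?;
    if meta.is_file() && meta.len() > limit {
        return Err(ReadError::TooLarge { limit });
    }
    // The size can change after the stat (or be reported as 0 for pipes and
    // procfs-style files), so cap the read itself at limit + 1 bytes and
    // treat the extra byte as proof of overflow.
    file.take(limit.saturating_add(1))
        .read_to_end(&mut buf)
        .map_err(ReadError::Io)?;
    if buf.len() as u64 > limit {
        return Err(ReadError::TooLarge { limit });
    }
    Ok(buf)
}

fn main() {
    // Constructed sample input: a 10-byte file in the temp directory.
    let path = std::env::temp_dir().join("bounded_read_example.bin");
    std::fs::write(&path, b"0123456789").unwrap();
    println!("{:?}", read_file_bounded(&path, Some(10)).map(|b| b.len()));
    println!("{:?}", read_file_bounded(&path, Some(9)).map(|b| b.len()));
    println!("{:?}", read_file_bounded(&path, None).map(|b| b.len()));
    let _ = std::fs::remove_file(&path);
}
```

Relying on the metadata size alone would leave a window in which a file that grows after the check is still read in full; the capped reader closes that window.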

@github-actions

Contributor


Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.


I have read the CLA Document and I hereby sign the CLA


You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

@soheil-oai soheil-oai force-pushed the codex/exec-server-bounded-read branch from 36c22af to 8bcc5e4 Compare June 22, 2026 14:02