Prepare managed network sandbox context #29456

Open. jif-oai wants to merge 2 commits into main from jif/prepare-managed-network

@jif-oai jif-oai commented Jun 22, 2026

Collaborator

Why

Managed network configures commands to use local HTTP and SOCKS proxies. For commands delegated to the exec server, the proxy environment and the sandbox policy were prepared separately. On macOS, that meant a command could receive HTTPS_PROXY=http://127.0.0.1:43123 while Seatbelt still denied access to port 43123.

What changed

NetworkProxy now prepares the command environment and sandbox context together from the same runtime snapshot:

Prepared managed network
├── command environment: HTTPS_PROXY=http://127.0.0.1:43123
└── sandbox context: allow outbound to 127.0.0.1:43123

That context travels with remote exec requests. The exec server preserves the managed proxy and CA environment, and macOS Seatbelt allows only the prepared loopback proxy ports without enabling broad network access or local binding.

The protocol field is optional and the existing enforcement flag remains in place, preserving compatibility with callers that do not send the new context. Windows direct-spawn enforcement also continues to honor managed-network mode.

@jif-oai jif-oai requested a review from a team as a code owner June 22, 2026 16:02
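
The mismatch described in the PR summary, and the "prepare both from one snapshot" fix, as an added Rust sketch that is not code from this pull request. `ProxySnapshot`, `Prepared`, `prepare`, `unreachable_proxies` and `seatbelt_rules` are hypothetical names, and the SOCKS port and `ALL_PROXY` value are constructed sample data.

```rust
use std::collections::BTreeMap;

/// Hypothetical snapshot of the running managed proxies.
#[derive(Clone, Copy)]
pub struct ProxySnapshot { pub http_port: u16, pub socks_port: u16 }

/// Environment and sandbox allow-list derived from one snapshot.
pub struct Prepared { pub env: BTreeMap<String, String>, pub allowed_ports: Vec<u16> }

pub fn prepare(s: ProxySnapshot) -> Prepared {
    let http = format!("http://127.0.0.1:{}", s.http_port);
    let mut env = BTreeMap::new();
    env.insert("HTTP_PROXY".to_string(), http.clone());
    env.insert("HTTPS_PROXY".to_string(), http);
    env.insert("ALL_PROXY".to_string(), format!("socks5h://127.0.0.1:{}", s.socks_port));
    let mut allowed_ports = vec![s.http_port, s.socks_port];
    allowed_ports.sort_unstable();
    allowed_ports.dedup();
    Prepared { env, allowed_ports }
}

/// Port of a loopback proxy URL; None if malformed or not loopback.
fn loopback_port(url: &str) -> Option<u16> {
    let (_, rest) = url.split_once("://")?;
    let (host, port) = rest.trim_end_matches('/').rsplit_once(':')?;
    if host == "127.0.0.1" || host == "localhost" { port.parse().ok() } else { None }
}

/// Proxy variables whose target the sandbox allow-list would deny.
pub fn unreachable_proxies(env: &BTreeMap<String, String>, allowed: &[u16]) -> Vec<String> {
    env.iter()
        .filter(|(k, v)| k.ends_with("_PROXY") && k.as_str() != "NO_PROXY"
            && loopback_port(v).map_or(true, |p| !allowed.contains(&p)))
        .map(|(k, _)| k.clone())
        .collect()
}

/// One outbound rule per prepared port (illustrative SBPL form, no broad network access).
pub fn seatbelt_rules(allowed: &[u16]) -> String {
    allowed.iter()
        .map(|p| format!("(allow network-outbound (remote ip \"localhost:{p}\"))\n"))
        .collect()
}

fn main() {
    let p = prepare(ProxySnapshot { http_port: 43123, socks_port: 43124 });
    print!("{}", seatbelt_rules(&p.allowed_ports));
    println!("unreachable: {:?}", unreachable_proxies(&p.env, &p.allowed_ports));
}
```

Running `unreachable_proxies` against an allow-list built from a different snapshot reproduces the failure mode in the summary: the command is told to use a proxy port the sandbox denies.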
jif-oai commented Jun 22, 2026

Collaborator Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Contributor

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 869f37eadd

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread codex-rs/exec-server/Cargo.toml