fix(config): resolve cloud requirements deny-read globs

[viyatb-oai]

Why

Cloud-managed requirements.toml contents were deserialized without an AbsolutePathBuf base directory. Relative managed permissions.filesystem.deny_read glob entries therefore failed while the equivalent local system requirements path succeeded under its AbsolutePathBufGuard. This follows the codex_home base path convention clarified in #15707.

What changed

• Resolve cloud requirements TOML under an AbsolutePathBufGuard rooted at codex_home.
• Reuse the same base for cloud requirements loaded from the signed cache.
• Add a regression test for a relative cloud-managed deny_read glob.

Validation

• just fmt
• cargo test -p codex-cloud-requirements
• cargo clippy -p codex-cloud-requirements --all-targets --no-deps
• just bazel-lock-update
• just bazel-lock-check
• git diff --check