
core: preserve constrained approval/sandbox policies in TurnContext #12473

Merged
bolinfest merged 1 commit into main from pr12473
Feb 21, 2026
bolinfest (Collaborator) commented Feb 21, 2026

Why

Config.permissions stores approval_policy and sandbox_policy as Constrained<...>, and that wrapper is part of the safety guarantee.

TurnContext was converting those fields to raw AskForApproval / SandboxPolicy values, so code operating on TurnContext no longer had a guarantee that the per-turn policies still honored the original constraints.

This change preserves the Constrained wrappers in TurnContext so turn-level policy data carries the same guarantees as Permissions.

Admittedly, there are still other types that maintain a reference to the raw value (such as ExecApprovalRequest), but we'll defer changing that to subsequent PRs.

What Changed

  • Changed TurnContext.approval_policy and TurnContext.sandbox_policy to Constrained<...>.
  • Updated TurnContext construction to clone the constrained values from session/config state instead of stripping them to raw values.
  • Updated downstream call sites to explicitly read .value() / .get() only where raw policy values are required (tool orchestration, safety checks, MCP/network checks, and context serialization/diffing).
  • Updated tests/helpers that mutate turn policies to call .set(...) on the constrained wrappers.

Verification

  • cargo check -p codex-core
  • cargo test -p codex-core (local run failed only in unrelated skills::loader tests due to extra user-scoped skills present in this environment; touched codex, unified_exec, multi_agents, and js_repl tests passed)

@bolinfest bolinfest changed the title from "fix: update approval_policy and sandbox_policy in TurnContext to be Constrained" to "core: preserve constrained approval/sandbox policies in TurnContext" Feb 21, 2026
@bolinfest bolinfest merged commit 66d5d34 into main Feb 21, 2026
33 checks passed
@bolinfest bolinfest deleted the pr12473 branch February 21, 2026 22:40
@github-actions github-actions bot locked and limited conversation to collaborators Feb 21, 2026
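
The difference the PR description draws between a turn that holds a raw policy value and one that holds the Constrained wrapper, as an added sketch that is not code from this PR or from codex-core. The type bodies, the two-variant enum, the allow-list representation and the return types of value()/set() are assumptions; only the names AskForApproval, Constrained, TurnContext, .value() and .set(...) come from the page.

```rust
// Added illustration: simplified stand-ins, not codex-core's definitions.
#[derive(Clone, Copy, Debug, PartialEq)]
enum AskForApproval { OnRequest, Never }
// Assumed semantics: a value plus the set of values the constraint permits.
#[derive(Clone, Debug)]
struct Constrained<T> { value: T, allowed: Vec<T> }

impl<T: Copy + PartialEq + std::fmt::Debug> Constrained<T> {
    fn new(value: T, allowed: Vec<T>) -> Result<Self, String> {
        let mut c = Constrained { value, allowed };
        c.set(value)?; // the initial value must satisfy the constraint too
        Ok(c)
    }
    fn value(&self) -> T { self.value }
    fn set(&mut self, next: T) -> Result<(), String> {
        if !self.allowed.contains(&next) {
            return Err(format!("{:?} is not permitted by the constraint", next));
        }
        self.value = next;
        Ok(())
    }
}

// "Before": the turn holds the raw value, so the constraint is gone.
struct RawTurnContext { approval_policy: AskForApproval }
// "After": the turn holds the wrapper, so every write is re-checked.
struct TurnContext { approval_policy: Constrained<AskForApproval> }

fn raw_override(cfg: &Constrained<AskForApproval>) -> AskForApproval {
    let mut turn = RawTurnContext { approval_policy: cfg.value() };
    turn.approval_policy = AskForApproval::Never; // compiles, nothing objects
    turn.approval_policy
}

fn constrained_override(cfg: &Constrained<AskForApproval>) -> (bool, AskForApproval) {
    let mut turn = TurnContext { approval_policy: cfg.clone() };
    let rejected = turn.approval_policy.set(AskForApproval::Never).is_err();
    (rejected, turn.approval_policy.value())
}

fn config_policy() -> Constrained<AskForApproval> {
    // Constructed config: only OnRequest is allowed.
    Constrained::new(AskForApproval::OnRequest, vec![AskForApproval::OnRequest]).unwrap()
}

fn main() {
    println!("raw turn ends with {:?}", raw_override(&config_policy()));
    println!("constrained turn: {:?}", constrained_override(&config_policy()));
}
```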