
feat: allow limited git writes in workspace sandbox#17036

Draft
viyatb-oai wants to merge 1 commit into main from codex/viyatb/allow-limited-git-writes

Conversation

@viyatb-oai (Collaborator) commented Apr 7, 2026

Summary

Adds allow_limited_git_writes for workspace-write sandboxes so Codex can run Git commands that update repository metadata without making repository config or hooks writable.

This is wired through both config surfaces:

[sandbox_workspace_write]
allow_limited_git_writes = true
default_permissions = "workspace"

[permissions.workspace.filesystem]
allow_limited_git_writes = true
":project_roots" = "write"

Permission model

  • default behavior is unchanged: writable roots still get a read-only Git metadata carveout
  • with allow_limited_git_writes = true, .git / resolved gitdir metadata stays inside the writable root policy
  • <gitdir>/config and <gitdir>/hooks are still read-only and readable
  • worktree/submodule .git pointer files resolve to the real gitdir before adding config/hooks protections
  • permissions profiles only apply the Git relaxation to writable filesystem entries; the flag alone does not grant any writable roots

Sandbox coverage

  • bwrap: emits read-only binds for protected config/hooks paths after writable root binds
  • seatbelt: carries the protected config/hooks paths as write-deny subpaths
  • Windows: allows the writable roots and adds deny-write ACLs for protected config/hooks paths

Other changes

  • exposes the flag through legacy workspace-write config, permissions profiles, app-server protocol/schema, and sandbox summaries
  • centralizes default protected-subpath generation in codex-protocol so legacy and permissions-profile paths stay aligned
  • updates README guidance and generated schema fixtures

Fixes #15505

Co-authored-by: Codex <noreply@openai.com>

viyatb-oai force-pushed the codex/viyatb/allow-limited-git-writes branch from 3c27416 to 1cbe335 on April 7, 2026 20:17
viyatb-oai changed the title from "[codex] Allow limited Git writes in workspace sandbox" to "feat: alow limited git writes in workspace sandbox" on Apr 7, 2026
viyatb-oai changed the title from "feat: alow limited git writes in workspace sandbox" to "feat: allow limited git writes in workspace sandbox" on Apr 7, 2026
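The permission model in the PR description can be checked against a small model of the policy computation. The following is an added example, not code from this PR or from the Codex repository: it resolves `.git` pointer files to the real gitdir, then either keeps the whole metadata directory read-only (the default carveout) or, with `allow_limited_git_writes`, keeps only `config` and `hooks` read-only. Everything here is an assumption about how such a policy could be modelled (the `SandboxPolicy` class, `build_policy`, `write_allowed` and the demo layout are all hypothetical); in particular, following a linked worktree's `commondir` file so that the main repository's `config` and `hooks` are also protected goes beyond what the PR text states, and is included because a linked worktree's gitdir normally has no `config` or `hooks` of its own.

```python
"""Model of a sandbox write policy for Git metadata (assumed model, not Codex's code)."""
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Subpaths of a gitdir that stay read-only even when limited Git writes are allowed.
PROTECTED_SUBPATHS = ("config", "hooks")


@dataclass
class SandboxPolicy:
    """Writable roots plus read-only subpaths; deny always wins over a writable root."""
    writable_roots: list = field(default_factory=list)
    read_only_subpaths: list = field(default_factory=list)

    def write_allowed(self, path) -> bool:
        path = Path(path).resolve()
        if any(path == p or p in path.parents for p in self.read_only_subpaths):
            return False
        return any(path == r or r in path.parents for r in self.writable_roots)


def resolve_gitdir(root: Path):
    """Return the real gitdir for `root`, following a `gitdir: <path>` pointer file."""
    dot_git = root / ".git"
    if dot_git.is_dir():
        return dot_git.resolve()
    if dot_git.is_file():
        first = dot_git.read_text().splitlines()[0].strip()
        if first.startswith("gitdir:"):
            target = Path(first[len("gitdir:"):].strip())
            return (target if target.is_absolute() else root / target).resolve()
    return None


def common_gitdir(gitdir: Path) -> Path:
    """For a linked worktree, `commondir` names the main repository's gitdir (assumption)."""
    commondir = gitdir / "commondir"
    if commondir.is_file():
        rel = Path(commondir.read_text().strip())
        return (rel if rel.is_absolute() else gitdir / rel).resolve()
    return gitdir


def build_policy(writable_roots, allow_limited_git_writes: bool) -> SandboxPolicy:
    policy = SandboxPolicy()
    for root in writable_roots:
        root = Path(root).resolve()
        policy.writable_roots.append(root)
        gitdir = resolve_gitdir(root)
        if gitdir is None:
            continue
        if not allow_limited_git_writes:
            # Default carveout: the pointer file (if any) and the whole gitdir stay read-only.
            policy.read_only_subpaths.extend({root / ".git", gitdir})
            continue
        # Relaxed mode: only config and hooks of the resolved gitdir (and its commondir) are denied.
        for d in {gitdir, common_gitdir(gitdir)}:
            policy.read_only_subpaths.extend(d / name for name in PROTECTED_SUBPATHS)
    return policy


def make_demo_layout():
    """Constructed layout: a main repository plus a linked worktree with a `.git` pointer file."""
    base = Path(tempfile.mkdtemp(prefix="gitsandbox-"))
    main = base / "main"
    (main / ".git" / "hooks").mkdir(parents=True)
    (main / ".git" / "config").write_text("[core]\n\tbare = false\n")
    wt_meta = main / ".git" / "worktrees" / "wt"
    wt_meta.mkdir(parents=True)
    (wt_meta / "commondir").write_text("../..\n")
    wt = base / "wt"
    wt.mkdir()
    (wt / ".git").write_text(f"gitdir: {wt_meta}\n")
    return main, wt


def demo() -> dict:
    """Evaluate representative writes under both settings; keys are labels for the checks."""
    main, wt = make_demo_layout()
    relaxed = build_policy([main, wt], allow_limited_git_writes=True)
    strict = build_policy([main, wt], allow_limited_git_writes=False)
    wt_meta = main / ".git" / "worktrees" / "wt"
    return {
        "relaxed_index": relaxed.write_allowed(main / ".git" / "index"),
        "relaxed_config": relaxed.write_allowed(main / ".git" / "config"),
        "relaxed_hook": relaxed.write_allowed(main / ".git" / "hooks" / "pre-commit"),
        "relaxed_wt_index": relaxed.write_allowed(wt_meta / "index"),
        "relaxed_wt_config": relaxed.write_allowed(wt_meta / "config"),
        "strict_index": strict.write_allowed(main / ".git" / "index"),
        "strict_source": strict.write_allowed(main / "src" / "lib.rs"),
        "outside_root": relaxed.write_allowed(main.parent / "elsewhere"),
    }


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label}: {'write' if allowed else 'deny'}")
```

The deny list is evaluated before the writable roots, which mirrors the PR's ordering of read-only binds after writable root binds on bwrap and the write-deny subpaths on seatbelt: a path under a writable root is still refused when it sits under a protected subpath. Because the flag only adds deny entries for roots that are already writable, `build_policy` with no writable roots grants nothing, matching the note that the flag alone does not grant any writable roots.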

Development

Successfully merging this pull request may close these issues.

.git is mounted read-only even though Codex is configured for workspace-write

1 participant