[codex] Bypass managed network for escalated exec #19595

Merged
viyatb-oai merged 3 commits into main from codex/viyatb/bypass-managed-network-for-escalated-exec
Apr 25, 2026

@viyatb-oai (Collaborator) commented Apr 25, 2026

Why

sandbox_permissions = "require_escalated" is treated as an explicit request to approve the command and run it outside the filesystem/platform sandbox. Before this change, shell and unified exec still registered managed network approval context and could inject Codex-managed proxy state into the child process, which meant an approved escalated command could still hit a second network approval path.

This PR makes that escalation boundary consistent: once a command is explicitly approved to run outside the sandbox, Codex does not also route that process through the managed network proxy.

Security impact

Command/filesystem sandbox approval now implies network approval for that command. If an untrusted command or script is allowed to run with require_escalated, its network calls are unsandboxed: Codex-managed network allowlists and denylists are not respected for that process, so the command can exfiltrate any data it can read.

What changed

  • Skip managed network approval specs for SandboxPermissions::RequireEscalated.
  • Pass network: None into shell, zsh-fork shell, and unified exec sandbox preparation for explicitly escalated requests.
  • Strip Codex-managed proxy environment variables when CODEX_NETWORK_PROXY_ACTIVE is present, while preserving user proxy env when the Codex marker is absent.
  • Add regression coverage for the prepared exec request so the old behavior cannot silently reappear.

Verification

  • cargo test -p codex-core explicit_escalation
  • cargo clippy -p codex-core --all-targets -- -D warnings

Co-authored-by: Codex noreply@openai.com
Co-authored-by: Codex noreply@openai.com
@viyatb-oai marked this pull request as ready for review April 25, 2026 20:43
@viyatb-oai requested a review from a team as a code owner April 25, 2026 20:43
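
The escalation boundary described in the PR description above, as an added sketch that is not code from this PR or from the Codex repository. `prepare_exec`, `PreparedExec`, `env_of`, the `UseDefault` variant name, the `Option<String>` proxy stand-in and the list of proxy variable names are assumptions; only `SandboxPermissions::RequireEscalated`, `network: None` and `CODEX_NETWORK_PROXY_ACTIVE` come from the description.

```rust
use std::collections::HashMap;

// Marker named in the PR description.
const CODEX_MARKER: &str = "CODEX_NETWORK_PROXY_ACTIVE";
// Assumption: conventional proxy variables; the PR does not list the ones Codex manages.
const PROXY_VARS: [&str; 4] = ["HTTP_PROXY", "HTTPS_PROXY", "ALL_PROXY", "NO_PROXY"];

#[derive(Clone, Copy, Debug, PartialEq)]
enum SandboxPermissions {
    UseDefault, // assumed name for the non-escalated case
    RequireEscalated,
}

#[derive(Debug)]
struct PreparedExec {
    network: Option<String>, // stand-in for the managed proxy handle; None = not routed
    env: HashMap<String, String>,
}

// Hypothetical helper modelling the behavior the PR describes.
fn prepare_exec(
    perms: SandboxPermissions,
    managed_proxy: Option<&str>,
    mut env: HashMap<String, String>,
) -> PreparedExec {
    if perms != SandboxPermissions::RequireEscalated {
        return PreparedExec { network: managed_proxy.map(str::to_owned), env };
    }
    // Strip proxy variables only when the marker shows Codex injected them;
    // without the marker they belong to the user and must survive.
    if env.remove(CODEX_MARKER).is_some() {
        env.retain(|k, _| !PROXY_VARS.iter().any(|v| k.eq_ignore_ascii_case(v)));
    }
    PreparedExec { network: None, env }
}

// Builds a constructed sample environment.
fn env_of(pairs: &[(&str, &str)]) -> HashMap<String, String> {
    pairs.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect()
}

fn main() {
    let env = env_of(&[(CODEX_MARKER, "1"), ("https_proxy", "http://127.0.0.1:3128"), ("PATH", "/usr/bin")]);
    let prepared = prepare_exec(SandboxPermissions::RequireEscalated, Some("127.0.0.1:3128"), env);
    println!("{prepared:?}");
}
```

A regression test in the spirit of the one the PR mentions would assert on the prepared request: `network` is `None` for every escalated request, and a user-set proxy survives when the marker is absent.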
@dylan-hurd-oai (Collaborator)

@codex review

@chatgpt-codex-connector (Contributor)

Codex Review: Didn't find any major issues. Can't wait for the next one!

Comment thread codex-rs/core/src/tools/runtimes/mod.rs
Comment thread codex-rs/core/src/tools/runtimes/mod_tests.rs
@bolinfest (Collaborator)

I think this is the right change, though I'm a little uncomfortable that these three files require similar changes:

codex-rs/core/src/tools/runtimes/shell/unix_escalation.rs
codex-rs/core/src/tools/runtimes/shell.rs
codex-rs/core/src/tools/runtimes/unified_exec.rs

I don't see a great way to consolidate them, but it admittedly takes effort to ensure we are applying this sort of logic consistently across our various shell tools.

Co-authored-by: Codex noreply@openai.com
@bolinfest self-requested a review April 25, 2026 23:10
@viyatb-oai enabled auto-merge (squash) April 25, 2026 23:11
@viyatb-oai merged commit 9aaa5d9 into main Apr 25, 2026
25 checks passed
@viyatb-oai deleted the codex/viyatb/bypass-managed-network-for-escalated-exec branch April 25, 2026 23:24
@github-actions (bot) locked and limited conversation to collaborators Apr 25, 2026