core: expose permission profile picker metadata

[viyatb-oai]

Why

The /permissions picker needs a config-level way to distinguish legacy anonymous presets from named permission-profile mode. That signal cannot be inferred reliably in the TUI, especially for the edge case where default_permissions = ":workspace" is present without a [permissions] table.

What changed

• Expose whether the merged config is explicitly in permission-profile mode.
• Expose the configured custom permission profile IDs alongside the built-in profile semantics.
• Add regression coverage for profile mode detection and custom profile metadata, including the default_permissions = ":workspace" case.
• Update the thread-manager sample config literal to match the expanded config shape.

Stack

1. This PR: config metadata needed by downstream permission-profile consumers.
2. #22931: refresh active permission profiles through runtime/session/network state.
3. #21559: switch /permissions to the profile-aware TUI picker.

Verification

• cargo check -p codex-thread-manager-sample
• cargo test -p codex-core default_permissions_can_select_builtin_profile_without_permissions_table
• cargo test -p codex-core permissions_profiles_allow_direct_write_roots_outside_workspace_root