cli: support --profile for codex sandbox

[bolinfest]

Why

codex sandbox now always runs the host sandbox backend, so it should accept the same profile selection mechanism as the rest of the runtime CLI surface. Without --profile, sandbox debugging can exercise only the default config stack unless users manually translate profile config into ad hoc -c overrides.

Supporting --profile lets sandbox invocations load $CODEX_HOME/<name>.config.toml, including permission profile configuration, before resolving the sandbox policy for the command being run.

What Changed

• Added --profile NAME / -p NAME to the host-specific codex sandbox argument structs as config_profile.
• Allowed root-level codex --profile NAME sandbox ... and made a sandbox-local codex sandbox --profile NAME ... override the root selection.
• Threaded LoaderOverrides through sandbox config loading so selected config profile files participate in permission resolution before the legacy read-only fallback.
• Documented the new sandbox flag in codex-rs/README.md.

Verification

• Added parser coverage for codex sandbox --profile.
• Added sandbox config-loader coverage that verifies selected config profile loader overrides select the profile config rather than falling back to read-only.
• Ran cargo test -p codex-cli.