fix(config): use deny for Unix socket permissions

[viyatb-oai]

Why

Unix socket permissions still accepted and displayed "none" while file permissions use the clearer "deny" spelling. This keeps network Unix socket policy vocabulary consistent with filesystem policy vocabulary.

What changed

• Replace the Unix socket permission variant and serialized spelling from none to deny across config, feature configuration, and network proxy types.
• Update app-server v2 serialization, TUI debug output, focused tests, and generated schemas to expose "deny".
• Add coverage for denied Unix socket entries in managed requirements and profile overlay behavior.

Security

This is a vocabulary change for explicit Unix socket rejection, not a network access expansion. Denied entries continue to be omitted from the effective allowlist.

Validation

• just fmt
• just write-config-schema
• just write-app-server-schema
• just test -p codex-config -p codex-core -p codex-app-server-protocol -p codex-tui -E 'test(network_requirements_are_preserved_as_constraints_with_source) | test(network_permission_containers_project_allowed_and_denied_entries) | test(network_toml_overlays_unix_socket_permissions_by_path) | test(permissions_profiles_resolve_extends_parent_first_with_child_overrides) | test(network_requirements_serializes_canonical_and_legacy_fields) | test(debug_config_output_formats_unix_socket_permissions)'\n- Automatic bench-smoke follow-up from just test\n- cargo clippy -p codex-config -p codex-core -p codex-features -p codex-network-proxy -p codex-app-server-protocol -p codex-app-server -p codex-tui --all-targets -- -D warnings

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6d06d290b0

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Retain legacy none parsing for socket denies

For any existing user/profile config that already has [permissions.*.network.unix_sockets] entries set to "none", this enum now deserializes only "allow"/"deny", so Codex will reject the config during startup instead of treating that entry as a denied override. The new outward spelling can still be "deny", but Deny should keep a #[serde(alias = "none")] compatibility alias here and on the mirrored managed/feature/proxy config enums, matching the filesystem permission migration pattern.

Useful? React with 👍 / 👎.