Scope MCP sandbox metadata to server environment

[jif-oai]

Scope MCP sandbox metadata to the MCP server's owning environment.

Previously, codex/sandbox-state-meta always used the turn's primary cwd and rebuilt a legacy sandbox policy from that cwd. That can be wrong for MCP servers owned by a different execution environment.

This now sends the owning environment cwd as a file: URI in sandboxCwd, keeps permissionProfile as the permission source of truth, and omits sandbox-state metadata when a non-default server environment is not selected for the turn. Local/default MCP servers keep the existing fallback cwd behavior.

Tests:

• just fmt
• just bazel-lock-update
• just bazel-lock-check
• just test -p codex-mcp
• just test -p codex-core mcp_sandbox_cwd
• cargo build -p codex-rmcp-client --bin test_stdio_server
• just test -p codex-core stdio_mcp_tool_call_includes_sandbox_state_meta

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2d76490729

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".