fix(sandbox): deny forward proxy for l7-configured endpoints

[drew]

Motivation

• The forward-proxy path forwarded rewritten HTTP requests after only L4 checks and allowed_ips validation, which allowed sandboxed clients to bypass endpoint L7 method/path rules that are enforced in the CONNECT/L7 inspection path.
• The change prevents an untrusted process from using HTTP_PROXY + plain http:// requests to reach endpoints that have L7 policies, closing a high-severity policy bypass.

Description

• Added a guard in handle_forward_proxy() that calls query_l7_config(...) and returns HTTP/1.1 403 Forbidden when the matched endpoint has L7 configuration, so forward-proxy requests cannot bypass per-request L7 inspection.
• Emitted structured denial logging and a denial-event via emit_denial_simple(..., "forward_l7") for visibility and auditing.
• Updated architecture/security-policy.md to document that forward-proxy requests are rejected for endpoints with L7 config and that CONNECT must be used for L7-inspected endpoints.

Testing

• Ran cargo fmt --all --check, which succeeded.
• Attempted mise run pre-commit, which failed due to environment/tooling remote resolution and trust warnings in this container, not due to code changes.
• Attempted cargo test -p openshell-sandbox --lib proxy::tests -- --nocapture, which began compilation in this environment but did not complete within the session (heavy dependency build); thus unit tests were not fully executed here.

---

Codex Task

[github-actions]

Thank you for your submission! We ask that you sign our Developer Certificate of Origin before we can accept your contribution. You can sign the DCO by adding a comment below using this text:

---

I have read the DCO document and I hereby sign the DCO.

---

_{You can retrigger this bot by commenting recheck in this Pull Request. Posted by the DCO Assistant Lite bot.}

[johntmyers]

Closing in favor of consolidated re-implementation. See #350 for tracking.