core: fix apply_patch request permissions test

[bolinfest]

Why

The Bazel test coverage change exposed approved_folder_write_request_permissions_unblocks_later_apply_patch, and rust-ci-full.yml showed the same test failing on main on macOS. There were two separate classes of problems here.

Clean CI failure

The test emits an apply_patch tool call, but its config did not enable the apply_patch tool, so the mocked response completed without an apply-patch-call output. After enabling the tool, the same path also needs the aggregate codex-core test binary to dispatch --codex-run-as-fs-helper; sandboxed apply_patch uses that helper under macOS Seatbelt.

The test now also canonicalizes the temporary patch target before building the patch payload so the path matches normalized grants on macOS, where /var paths often normalize to /private/var.

Local/enterprise config isolation

The core test harness now builds its default test config with managed config disabled, so host-managed enterprise config cannot alter these tests. The request-permissions turns in this test also explicitly use the user reviewer path, keeping the assertions focused on request_permissions behavior rather than reviewer defaults from the host.

What Changed

• Enable apply_patch in approved_folder_write_request_permissions_unblocks_later_apply_patch.
• Teach the core integration test binary to dispatch CODEX_FS_HELPER_ARG1, matching the existing apply-patch and linux-sandbox dispatch paths.
• Canonicalize the tempdir-backed patch target before creating the patch.
• Ignore managed config in default core test configs and explicitly pin this test to ApprovalsReviewer::User.

Verification

Run outside the Codex app sandbox because these macOS tests intentionally spawn Seatbelt:

• cargo test -p codex-core approved_folder_write_request_permissions_unblocks_later_apply_patch
• cargo test -p codex-core approved_folder_write_request_permissions_unblocks_later_exec_without_sandbox_args