feat: introduce codex_execpolicy crate for defining "safe" commands (#634)

As described in detail in `codex-rs/execpolicy/README.md` introduced in
this PR, `execpolicy` is a tool that lets you define a set of _patterns_
used to match [`execv(3)`](https://linux.die.net/man/3/execv)
invocations. When a pattern is matched, `execpolicy` returns the parsed
version in a structured form that is amenable to static analysis.

The primary use case is to define patterns match commands that should be
auto-approved by a tool such as Codex. This supports a richer pattern
matching mechanism that the sort of prefix-matching we have done to
date, e.g.:


5e40d9d221/codex-cli/src/approvals.ts (L333-L354)

Note we are still playing with the API and the `system_path` option in
particular still needs some work.

codex-rs/execpolicy/tests/parse_sed_command.rs

@@ -0,0 +1,23 @@
+use codex_execpolicy::parse_sed_command;
+use codex_execpolicy::Error;
+
+#[test]
+fn parses_simple_print_command() {
+    assert_eq!(parse_sed_command("122,202p"), Ok(()));
+}
+
+#[test]
+fn rejects_malformed_print_command() {
+    assert_eq!(
+        parse_sed_command("122,202"),
+        Err(Error::SedCommandNotProvablySafe {
+            command: "122,202".to_string(),
+        })
+    );
+    assert_eq!(
+        parse_sed_command("122202"),
+        Err(Error::SedCommandNotProvablySafe {
+            command: "122202".to_string(),
+        })
+    );
+}