sandbox: remove dead seatbelt helper and update tests

[bolinfest]

Why

spawn_command_under_seatbelt() in codex-rs/core/src/seatbelt.rs had fallen out of production use and was only referenced by test-only wrappers. That left us with sandbox tests that could stay green even if the actual seatbelt exec path regressed, because production shell execution now flows through SandboxManager::transform() and ExecRequest::from_sandbox_exec_request() instead of that helper.

Removing the dead helper also exposed one downstream codex-exec integration test that still imported it, which broke just clippy.

What Changed

• Removed codex-rs/core/src/seatbelt.rs and stopped exporting codex_core::seatbelt.
• Removed the redundant codex-rs/core/tests/suite/seatbelt.rs coverage that only exercised the dead helper.
• Kept the openpty regression check, but moved it into codex-rs/core/tests/suite/exec.rs so it now runs through process_exec_tool_call().
• Fixed the seatbelt denial test in codex-rs/core/tests/suite/exec.rs to use /usr/bin/touch, so it actually exercises the sandbox instead of a nonexistent path.
• Updated codex-rs/exec/tests/suite/sandbox.rs on macOS to build the sandboxed command through build_exec_request() and spawn the transformed command, instead of importing the removed helper.
• Left the lower-level seatbelt policy coverage in codex-rs/sandboxing/src/seatbelt_tests.rs, where the policy generator is still covered directly.

Verification

• cargo test -p codex-core suite::exec::
• cargo test -p codex-exec
• cargo clippy -p codex-exec --tests -- -D warnings