feat(execd): trust mitm proxy by default #630

Open
Pangjiping wants to merge 1 commit into alibaba:main from Pangjiping:feat/execd/mitmproxy
Conversation

@Pangjiping
Collaborator

Summary

  • trust mitm proxy by default

Testing

  • Not run (explain why)
  • Unit tests
  • Integration tests
  • e2e / manual verification

Breaking Changes

  • None
  • Yes (describe impact and migration path)

Checklist

  • Linked Issue or clearly described motivation
  • Added/updated docs (if needed)
  • Added/updated tests (if needed)
  • Security impact considered
  • Backward compatibility considered

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 478c093b19

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

cert="$1"
if command -v update-ca-certificates >/dev/null 2>&1; then
mkdir -p /usr/local/share/ca-certificates
cp "$cert" /usr/local/share/ca-certificates/opensandbox-mitmproxy-ca.crt
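
Review bot: `cert="$1"` goes straight into the `cp` with no check that the argument is set, that the file is readable, or that it parses as a certificate, and the destination is the directory `update-ca-certificates` reads trust anchors from. Suggest guarding the copy with `[ -r "$cert" ]` and, where openssl is present in the image, a parse check such as `openssl x509 -in "$cert" -noout`, logging a clear message when either fails. Using `install -m 0644` instead of `cp` would also pin the installed file's mode rather than deriving it from the source file and umask.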

[P1] Avoid hard-failing bootstrap when installing MITM CA

When OPENSANDBOX_EGRESS_MITMPROXY_TRANSPARENT is enabled, this path writes into system trust directories before starting execd; on non-root containers or read-only root filesystems, cp fails and set -e terminates the whole bootstrap, so the sandbox never starts. This is a compatibility regression because bootstrap.sh previously treated similar setup steps as best-effort (warning-only) for constrained images.

Useful? React with 👍 / 👎.
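
The best-effort behaviour the review comment above asks for, as an added example that is not part of the PR or of bootstrap.sh. The function name, its arguments, the `CA_INSTALLED` variable and the warning text are hypothetical, and `true` stands in for `update-ca-certificates` so the demo touches only a scratch directory.

```shell
#!/bin/sh
# Added example: a CA install step that cannot abort a `set -e` bootstrap.
# install_ca_best_effort and CA_INSTALLED are hypothetical names.
set -e

warn() { printf 'warning: %s\n' "$*" >&2; }

# install_ca_best_effort CERT TRUST_DIR REFRESH_CMD
# Always returns 0 so the caller keeps running under `set -e`;
# CA_INSTALLED is set to 1 or 0 so the caller can log or react.
install_ca_best_effort() {
    cert="$1" trust_dir="$2" refresh_cmd="$3"
    CA_INSTALLED=0

    if [ ! -r "$cert" ]; then
        warn "CA file '$cert' missing or unreadable; skipping trust install"
        return 0
    fi
    # A command tested by `if` is exempt from `set -e`, so a failure
    # here becomes a warning instead of terminating the script.
    if ! mkdir -p "$trust_dir" 2>/dev/null; then
        warn "cannot create $trust_dir (non-root or read-only rootfs?)"
        return 0
    fi
    if ! cp "$cert" "$trust_dir/opensandbox-mitmproxy-ca.crt" 2>/dev/null; then
        warn "cannot write to $trust_dir; continuing without system trust"
        return 0
    fi
    if ! $refresh_cmd >/dev/null 2>&1; then
        warn "$refresh_cmd failed; CA copied but bundle not rebuilt"
        return 0
    fi
    CA_INSTALLED=1
}

# Constructed demo: a scratch directory stands in for the trust store.
demo_dir=$(mktemp -d)
printf 'constructed placeholder, not a real certificate\n' > "$demo_dir/ca.pem"
install_ca_best_effort "$demo_dir/ca.pem" "$demo_dir/trust" true
echo "writable store: CA_INSTALLED=$CA_INSTALLED"
# /dev/null is not a directory, so mkdir fails even for root.
install_ca_best_effort "$demo_dir/ca.pem" /dev/null/trust true
echo "unwritable store: CA_INSTALLED=$CA_INSTALLED"
```

A caller that needs interception to work can check `CA_INSTALLED` after the call and decide whether to continue without system-wide trust.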

Labels

component/execd feature New feature or request
