core: adopt host_executable() rules in zsh-fork

[bolinfest]

Why

#12964 added host_executable() support to codex-execpolicy, but the zsh-fork interception path in unix_escalation.rs was still evaluating commands with the default exact-token matcher.

That meant an intercepted absolute executable such as /usr/bin/git status could still miss basename rules like prefix_rule(pattern = ["git", "status"]), even when the policy also defined a matching host_executable(name = "git", ...) entry.

This PR adopts the new matching behavior in the zsh-fork runtime only. That keeps the rollout intentionally narrow: zsh-fork already requires explicit user opt-in, so it is a safer first caller to exercise the new host_executable() scheme before expanding it to other execpolicy call sites.

It also brings zsh-fork back in line with the current prefix_rule() execution model. Until prefix rules can carry their own permission profiles, a matched prefix_rule() is expected to rerun the intercepted command unsandboxed on allow, or after the user accepts prompt, instead of merely continuing inside the inherited shell sandbox.

What Changed

• added evaluate_intercepted_exec_policy() in core/src/tools/runtimes/shell/unix_escalation.rs to centralize execpolicy evaluation for intercepted commands
• switched intercepted direct execs in the zsh-fork path to check_multiple_with_options(...) with MatchOptions { resolve_host_executables: true }
• added commands_for_intercepted_exec_policy() so zsh-fork policy evaluation works from intercepted (program, argv) data instead of reconstructing a synthetic command before matching
• left shell-wrapper parsing intentionally disabled by default behind ENABLE_INTERCEPTED_EXEC_POLICY_SHELL_WRAPPER_PARSING, so path-sensitive matching relies on later direct exec interception rather than shell-script parsing
• made matched prefix_rule() decisions rerun intercepted commands with EscalationExecution::Unsandboxed, while unmatched-command fallback keeps the existing sandbox-preserving behavior
• extracted the zsh-fork test harness into core/tests/common/zsh_fork.rs so both the skill-focused and approval-focused integration suites can exercise the same runtime setup
• limited this change to the intercepted zsh-fork path rather than changing every execpolicy caller at once
• added runtime coverage in core/src/tools/runtimes/shell/unix_escalation_tests.rs for allowed and disallowed host_executable() mappings and the wrapper-parsing modes
• added integration coverage in core/tests/suite/approvals.rs to verify a saved prefix_rule(pattern=["touch"], decision="allow") reruns under zsh-fork outside a restrictive WorkspaceWrite sandbox

---

Stack created with Sapling. Best reviewed with ReviewStack.

• core: resolve host_executable() rules during preflight #13065
• -> core: adopt host_executable() rules in zsh-fork #13046

[owenlin0]

love it, it's all coming together!