fix(sandbox): remove double response relay in passthrough credential path (#610)

relay_passthrough_with_credentials called relay_http_request_with_resolver
(which internally relays the upstream response back to the client) and then
immediately called relay_response_to_client a second time. The second call
blocked forever waiting for a response that would never arrive, deadlocking
every CONNECT tunnel after its first request/response pair.

This caused npm install (and any HTTP/1.1 keep-alive client) to hang
indefinitely when routed through the sandbox proxy without L7 rules.

The L7-inspection path (relay_rest) was not affected — it correctly makes
a single call to relay_http_request_with_resolver.

Author: johntmyers

crates/openshell-sandbox/src/l7/relay.rs

@@ -275,16 +275,14 @@ where
             "HTTP_REQUEST",
         );
 
-        // Forward request with credential rewriting.
-        let keep_alive =
+        // Forward request with credential rewriting and relay the response.
+        // relay_http_request_with_resolver handles both directions: it sends
+        // the request upstream and reads the response back to the client.
+        let reusable =
             crate::l7::rest::relay_http_request_with_resolver(&req, client, upstream, resolver)
                 .await?;
 
-        // Relay response back to client.
-        let reusable =
-            crate::l7::rest::relay_response_to_client(upstream, client, &req.action).await?;
-
-        if !keep_alive || !reusable {
+        if !reusable {
             break;
         }
     }