login: treat provider auth refresh_interval_ms=0 as no auto-refresh

[bolinfest]

Why

Follow-up to #16288: the new dynamic provider auth token flow currently defaults refresh_interval_ms to a non-zero value and rejects 0 entirely.

For command-backed bearer auth, 0 should mean "never auto-refresh". That lets callers keep using the cached token until the backend actually returns 401 Unauthorized, at which point Codex can rerun the auth command as part of the existing retry path.

What changed

• changed ModelProviderAuthInfo.refresh_interval_ms to accept 0 and documented that value as disabling proactive refresh
• updated the external bearer token refresher to treat refresh_interval_ms = 0 as an indefinitely reusable cached token, while still rerunning the auth command during unauthorized recovery
• regenerated core/config.schema.json so the schema minimum is 0 and the new behavior is described in the field docs
• added coverage for both config deserialization and the no-auto-refresh plus 401 recovery behavior

How tested

• cargo test -p codex-protocol
• cargo test -p codex-login
• cargo test -p codex-core test_deserialize_provider_auth_config_

[bolinfest]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Keep it up!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".