refactor: route Codex auth through AuthProvider

[efrazer-oai]

Summary

This PR moves Codex backend request authentication from direct bearer-token handling to AuthProvider.

The new codex-auth-provider crate defines the shared request-auth trait. CodexAuth::provider() returns a provider that can apply all headers needed for the selected auth mode.

This lets ChatGPT token auth and AgentIdentity auth share the same callsite path:

• ChatGPT token auth applies bearer auth plus account/FedRAMP headers where needed.
• AgentIdentity auth applies AgentAssertion plus account/FedRAMP headers where needed.

Reference old stack: https://github.com/openai/codex/pull/17387/changes

Callsite Migration

Area	Change
backend-client	accepts an AuthProvider instead of a raw token/header
chatgpt client/connectors	applies auth through CodexAuth::provider()
cloud tasks	keeps Codex-backend gating, applies auth through provider
cloud requirements	uses Codex-backend auth checks and provider headers
app-server remote control	applies provider headers for backend calls
MCP Apps/connectors	gates on uses_codex_backend() and keys caches from generic account getters
model refresh	treats AgentIdentity as Codex-backend auth
OpenAI file upload path	rejects non-Codex-backend auth before applying headers
core client setup	keeps model-provider auth flow and allows AgentIdentity through provider-backed OpenAI auth

Stack

1. fix: fully revert agent identity runtime wiring #18757: full revert
2. refactor: add agent identity crate #18871: isolated Agent Identity crate
3. feat: add explicit AgentIdentity auth mode #18785: explicit AgentIdentity auth mode and startup task allocation
4. This PR: migrate Codex backend auth callsites through AuthProvider
5. feat: load AgentIdentity from JWT env #18904: accept AgentIdentity JWTs and load CODEX_AGENT_IDENTITY

Testing

Tests: targeted Rust checks, cargo-shear, Bazel lock check, and CI.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: af22d58d06

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

codex/codex-rs/chatgpt/src/connectors.rs

Lines 27 to 31 in 690d32a

	let auth_manager = AuthManager::shared(
	config.codex_home.to_path_buf(),
	/*enable_codex_api_key_env*/ false,
	config.cli_auth_credentials_store_mode,
	);

Use config-backed auth manager when checking Apps auth

apps_enabled() now treats AgentIdentity as valid (uses_codex_backend), but it still builds auth with AuthManager::shared(...), which does not pass config.chatgpt_base_url. AgentIdentity runtime init can then target the default backend and fail in non-default deployments, causing this early gate to return false and skip connectors despite valid auth.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Key Codex Apps MCP cache by backend auth identity

After widening the apps gate to CodexAuth::uses_codex_backend, AgentIdentity now enters this path. However, cache identity is still derived from codex_apps_tools_cache_key() using get_token_data() (in mcp_connection_manager.rs), which is empty for AgentIdentity. That collapses cache keys to the same {None,None,false} value and can serve another account’s cached Apps tool list.

Useful? React with 👍 / 👎.

[pakrym-oai]

is this because of a dependency order?