feat(proxy): repair account-bound egress routing

[Komzpa]

Summary

• replaces feat(proxy): add account-bound Codex upstream routing #873 because its source branch is Soju06:repair/pr-869-proxy-pool-egress with maintainerCanModify=false
• folds account-bound upstream proxy routing with the per-account OAuth proxy support from feat(accounts): add per-account OAuth proxy support #804 on top of current main
• keeps local codex-lb account slots separate from raw upstream ChatGPT account IDs across HTTP, compact, websocket, transcribe, file, model, and usage validation paths
• uses account-scoped HTTP leases and account-local cache invalidation for account-bound egress, without sending local account IDs as upstream chatgpt-account-id
• carries the upstream goal/control/raw endpoint proxy coverage and the file finalize account pinning regression tests into the consolidated branch

Folded PRs

• Surviving PR: feat(proxy): repair account-bound egress routing #875
• Supersedes/replaces: feat(proxy): add account-bound Codex upstream routing #873
• Folds/includes: feat(accounts): add per-account OAuth proxy support #804 and the original feat(proxy): add account-bound Codex upstream routing #869 repair scope
• Base: main
• Current head: 215e3d58726e509d6136362ce7dbb8fc50a6bf2b
• Current CI: pending for 215e3d58726e509d6136362ce7dbb8fc50a6bf2b
• Current Codex review: pending for the current head after the OAuth redirect, account-proxy token-refresh, duplicate-identity fail-closed, and SOCKS scheme fixes

Validation

• uv run pytest tests/unit/test_files_client.py::test_create_file_splits_local_lease_id_from_upstream_account_header tests/unit/test_files_client.py::test_finalize_file_splits_local_lease_id_from_upstream_account_header tests/unit/test_model_fetcher.py::test_fetch_models_for_plan_uses_lease_account_id_for_direct_session tests/unit/test_model_fetcher.py::test_fetch_models_for_plan_uses_resolved_codex_route tests/unit/test_usage_updater.py::test_usage_updater_passes_resolved_route_to_fetch_usage tests/integration/test_proxy_api_extended.py::test_thread_goal_get_forwards_upstream_goal tests/integration/test_proxy_files.py::test_backend_files_finalize_pins_to_create_account -q
• uv run pytest tests/integration/test_oauth_flow.py::test_oauth_redirect_uri_ignores_callback_host_when_present tests/integration/test_oauth_flow.py::test_oauth_redirect_uri_preserves_configured_uri_without_callback_host tests/integration/test_oauth_flow.py::test_browser_oauth_redirect_uses_registered_uri_and_matches_token_exchange -q
• uv run pytest tests/unit/test_auth_manager.py::test_refresh_account_passes_account_id_for_direct_account_proxy tests/unit/test_auth_manager.py::test_refresh_account_preserves_plan_type_when_missing tests/unit/test_auth_manager.py::test_refresh_account_converts_upstream_route_failure_to_refresh_error -q
• uv run pytest tests/integration/test_codex_usage_api.py::test_codex_usage_identity_fails_closed_for_duplicate_workspace tests/unit/test_upstream_proxy_resolver.py::test_account_binding_uses_bound_pool_and_same_pool_fallbacks -q
• uv run ruff check app/core/clients/files.py app/core/clients/model_fetcher.py app/modules/usage/updater.py tests/unit/test_files_client.py tests/unit/test_model_fetcher.py tests/unit/test_usage_updater.py tests/integration/test_proxy_api_extended.py tests/integration/test_proxy_files.py
• uv run ruff check app/modules/oauth/service.py tests/integration/test_oauth_flow.py
• uv run ruff check app/modules/accounts/auth_manager.py tests/unit/test_auth_manager.py
• uv run ruff check app/core/auth/dependencies.py app/core/upstream_proxy/types.py tests/integration/test_codex_usage_api.py tests/unit/test_upstream_proxy_resolver.py
• uv run ruff format --check app/core/clients/files.py app/core/clients/model_fetcher.py app/modules/usage/updater.py tests/unit/test_files_client.py tests/unit/test_model_fetcher.py tests/unit/test_usage_updater.py tests/integration/test_proxy_api_extended.py tests/integration/test_proxy_files.py
• uv run ruff format --check app/modules/oauth/service.py tests/integration/test_oauth_flow.py
• uv run ruff format --check app/modules/accounts/auth_manager.py tests/unit/test_auth_manager.py
• uv run ruff format --check app/core/auth/dependencies.py app/core/upstream_proxy/types.py tests/integration/test_codex_usage_api.py tests/unit/test_upstream_proxy_resolver.py
• uv run ty check app/core/clients/files.py app/core/clients/model_fetcher.py app/modules/usage/updater.py tests/unit/test_files_client.py tests/unit/test_model_fetcher.py tests/unit/test_usage_updater.py tests/integration/test_proxy_api_extended.py tests/integration/test_proxy_files.py
• uv run ty check app/modules/oauth/service.py tests/integration/test_oauth_flow.py
• uv run ty check app/modules/accounts/auth_manager.py tests/unit/test_auth_manager.py
• uv run ty check app/core/auth/dependencies.py app/core/upstream_proxy/types.py tests/integration/test_codex_usage_api.py tests/unit/test_upstream_proxy_resolver.py

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 072e29cb78

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Komzpa]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b69f018134

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Komzpa]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 872512008f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Soju06]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: cec9f6aa16

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Soju06]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c14eafd3cb

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Soju06]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 215e3d5872

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Soju06]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ff99ba50fb

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Komzpa]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2da5bf5c98

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Komzpa]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 221cb5ba06

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Komzpa]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 082067bf06

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Soju06]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 376642947d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Align websocket proxy default documentation

This new wording says websocket handshakes connect directly by default, but app/core/config/settings.py still defaults upstream_websocket_trust_env to true whenever standard proxy environment variables are present. In deployments with HTTP_PROXY/HTTPS_PROXY set, operators following this text may not set CODEX_LB_UPSTREAM_WEBSOCKET_TRUST_ENV=false and will still route upstream websockets through the environment proxy.

Useful? React with 👍 / 👎.

[Soju06]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a14452640b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Restore lease-token estimates for HTTP bridge selection

This new direct _create_http_bridge_session call drops the request usage budget that used to be forwarded into session creation, and _create_http_bridge_session now selects a lease_kind="stream" account without any estimated_lease_tokens. For large HTTP bridge /backend-api/codex/responses requests, the load balancer records the stream lease with estimated_tokens=0, so leased-token pressure is invisible while the request is in flight and concurrent bridge sessions can keep piling onto the same account instead of being routed away like the direct stream/websocket paths.

Useful? React with 👍 / 👎.