Register agent identities behind use_agent_identity

[adrian-openai]

Summary

Stack PR 2 of 4 for feature-gated agent identity support.

This PR adds agent identity registration behind features.use_agent_identity. It keeps the app-server protocol unchanged and starts registration after ChatGPT auth exists rather than requiring a client restart.

Stack

• PR1: Add use_agent_identity feature flag #17385 - add features.use_agent_identity
• PR2: Register agent identities behind use_agent_identity #17386 - this PR
• PR3: Register agent tasks behind use_agent_identity #17387 - register agent tasks when enabled
• PR4: Use AgentAssertion downstream behind use_agent_identity #17388 - use AgentAssertion downstream when enabled

Validation

Covered as part of the local stack validation pass:

• just fmt
• cargo test -p codex-core --lib agent_identity
• cargo test -p codex-core --lib agent_assertion
• cargo test -p codex-core --lib websocket_agent_task
• cargo test -p codex-api api_bridge
• cargo build -p codex-cli --bin codex

Notes

The full local app-server E2E path is still being debugged after PR creation. The current branch stack is directionally ready for review while that follow-up continues.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: cd2ed352e6

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[efrazer-oai]

I've been looking through the stack and I'm increasingly wondering about the following:

I wonder if this would be better organized by moving this core logic into

enum CodexAuth {
ApiKey(ApiKeyAuth),
Chatgpt(ChatgptAuth),
ChatgptAuthTokens(ChatgptAuthTokens),
}

It seems like it is a kinda 'different' method of auth and is intended to fully migrate away from Chatgpt auth as it exists right now when enabled (insomuch as it replaces every authorization header).

It's a bit weird to reason about a 'ChatGPT' user also being an agent identity (or using agent identity), then having these kinda 'subtle' overrides and all of this being managed in a separate auth struct.

We'll also need to add this variant later when we allow starting from a preregistered agent identity, so might be good to do now.

[efrazer-oai]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5589186a8e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[efrazer-oai]

Approved to unblock, tests & one nit if you have time!

[shijie-oai]

LGTM - I am building this locally to make sure it does function as expected.

[shijie-oai]

Built and existing flow works as expected.