[codex] Use background task auth for additional backend calls (#18260)

## Summary Splits the larger PR4.1 background task auth rollout by moving additional backend/control-plane call sites into this downstream PR. This PR keeps callers on the same design as PR4.1: most code asks `AuthManager` for the default ChatGPT backend authorization header, and `AuthManager` decides bearer vs background AgentAssertion internally. Task-pinned inference auth remains separate because it needs the thread's registered task id. ## Stack - PR1: https://github.com/openai/codex/pull/17385 - add `features.use_agent_identity` - PR2: https://github.com/openai/codex/pull/17386 - register agent identities when enabled - PR3: https://github.com/openai/codex/pull/17387 - register agent tasks when enabled - PR3.1: https://github.com/openai/codex/pull/17978 - persist and prewarm registered tasks per thread - PR4: https://github.com/openai/codex/pull/17980 - use task-scoped `AgentAssertion` for downstream calls - PR4.1: https://github.com/openai/codex/pull/18094 - introduce AuthManager-owned background/control-plane `AgentAssertion` auth - PR4.2: this PR - use background task auth for additional backend/control-plane calls ## What Changed - pass full authorization header values through backend-client and cloud-tasks-client call paths where needed - move ChatGPT client, cloud requirements, cloud tasks, thread-manager, and models-manager background auth usage into this downstream slice - make app-server remote control enrollment/websocket auth ask `AuthManager` for the local backend authorization header instead of threading a background auth mode through transport options - keep the same feature-gated bearer fallback behavior from PR4.1 ## Validation - `just fmt` - `cargo check -p codex-core -p codex-login -p codex-analytics -p codex-app-server -p codex-cloud-requirements -p codex-cloud-tasks -p codex-models-manager -p codex-chatgpt -p codex-model-provider -p codex-mcp -p codex-core-skills` - `cargo test -p codex-login agent_identity` - `cargo test -p codex-model-provider bearer_auth_provider` - `cargo test -p codex-core agent_assertion` - `cargo test -p codex-app-server remote_control` - `cargo test -p codex-cloud-requirements fetch_cloud_requirements` - `cargo test -p codex-models-manager manager::tests` - `cargo test -p codex-chatgpt` - `cargo test -p codex-cloud-tasks` - `just fix -p codex-core -p codex-login -p codex-analytics -p codex-app-server -p codex-cloud-requirements -p codex-cloud-tasks -p codex-models-manager -p codex-chatgpt -p codex-model-provider -p codex-mcp -p codex-core-skills` - `just fix -p codex-app-server` - `git diff --check`
2026-05-03 12:52:11 +03:00 · 2026-04-20 07:24:29 -07:00
parent fa0e2ba87c
commit 19e2f21827
14 changed files with 364 additions and 98 deletions
--- a/codex-rs/cloud-requirements/src/lib.rs
+++ b/codex-rs/cloud-requirements/src/lib.rs
@@ -195,11 +195,15 @@ trait RequirementsFetcher: Send + Sync {

 struct BackendRequirementsFetcher {
    base_url: String,
+    auth_manager: Arc<AuthManager>,
 }

 impl BackendRequirementsFetcher {
-    fn new(base_url: String) -> Self {
-        Self { base_url }
+    fn new(auth_manager: Arc<AuthManager>, base_url: String) -> Self {
+        Self {
+            base_url,
+            auth_manager,
+        }
    }
 }

@@ -209,7 +213,14 @@ impl RequirementsFetcher for BackendRequirementsFetcher {
        &self,
        auth: &CodexAuth,
    ) -> Result<Option<String>, FetchAttemptError> {
-        let client = BackendClient::from_auth(self.base_url.clone(), auth)
+        let authorization_header_value = self
+            .auth_manager
+            .chatgpt_authorization_header_for_auth(auth)
+            .await;
+        let mut client = BackendClient::new(self.base_url.clone())
+            .map(|client| {
+                client.with_user_agent(codex_login::default_client::get_codex_user_agent())
+            })
            .inspect_err(|err| {
                tracing::warn!(
                    error = %err,
@@ -217,6 +228,15 @@ impl RequirementsFetcher for BackendRequirementsFetcher {
                );
            })
            .map_err(|_| FetchAttemptError::Retryable(RetryableFailureKind::BackendClientInit))?;
+        if let Some(authorization_header_value) = authorization_header_value {
+            client = client.with_authorization_header_value(authorization_header_value);
+        }
+        if let Some(account_id) = auth.get_account_id() {
+            client = client.with_chatgpt_account_id(account_id);
+        }
+        if auth.is_fedramp_account() {
+            client = client.with_fedramp_routing_header();
+        }

        let response = client
            .get_config_requirements_file()
@@ -693,8 +713,11 @@ pub fn cloud_requirements_loader(
    codex_home: PathBuf,
 ) -> CloudRequirementsLoader {
    let service = CloudRequirementsService::new(
-        auth_manager,
-        Arc::new(BackendRequirementsFetcher::new(chatgpt_base_url)),
+        auth_manager.clone(),
+        Arc::new(BackendRequirementsFetcher::new(
+            auth_manager,
+            chatgpt_base_url,
+        )),
        codex_home,
        CLOUD_REQUIREMENTS_TIMEOUT,
    );