Refactor auth providers to mutate request headers (#17866)

## Summary
- Move auth header construction into the
`AuthProvider::add_auth_headers` contract.
- Inline `CoreAuthProvider` header mutation in its provider impl and
remove the shared header-map helper.
- Update HTTP, websocket, file upload, sideband websocket, and test auth
callsites to use the provider method.
- Add direct coverage for `CoreAuthProvider` auth header mutation.

## Testing
- `just fmt`
- `cargo test -p codex-api`
- `cargo test -p codex-core
client::tests::auth_request_telemetry_context_tracks_attached_auth_and_retry_phase`
- `cargo test -p codex-core` failed on unrelated/reproducible
`tools::handlers::multi_agents::tests::multi_agent_v2_followup_task_interrupts_busy_child_without_losing_message`

---------

Co-authored-by: Celia Chen <celia@openai.com>

codex-rs/codex-api/src/files.rs

@@ -256,17 +256,14 @@ fn authorized_request(
     method: reqwest::Method,
     url: &str,
 ) -> reqwest::RequestBuilder {
+    let mut headers = http::HeaderMap::new();
+    auth.add_auth_headers(&mut headers);
+
     let client = build_reqwest_client();
-    let mut request = client
+    client
         .request(method, url)
-        .timeout(OPENAI_FILE_REQUEST_TIMEOUT);
-    if let Some(token) = auth.bearer_token() {
-        request = request.bearer_auth(token);
-    }
-    if let Some(account_id) = auth.account_id() {
-        request = request.header("chatgpt-account-id", account_id);
-    }
-    request
+        .timeout(OPENAI_FILE_REQUEST_TIMEOUT)
+        .headers(headers)
 }
 
 fn build_reqwest_client() -> reqwest::Client {