feat: use run agent task auth for inference

[adrian-openai]

Stack

This is PR 3 of the simplified HAI single-run-task stack:

• #19047 Agent Identity assertion and task-registration primitives, including the shared run-task helper used by existing Agent Identity JWT auth.
• #19049 Disabled-by-default ChatGPT auth opt-in that provisions/reuses persisted Agent Identity runtime auth and its single run task.
• #19051 Run-scoped provider auth that uses one backend-owned task id for first-party inference and compaction requests.

#19054 collapsed out of the active stack because the simplified design no longer needs a separate background/control-plane task helper.

Summary

This PR moves Agent Identity usage into provider auth resolution. That keeps AgentAssertion auth tied to first-party OpenAI provider requests instead of applying a late session-wide override that could affect local, custom, Bedrock, API-key, or external-bearer providers.

What changed:

• adds a small ProviderAuthScope struct carrying the run auth policy and session source needed by provider-scoped auth resolution
• lets Session opt the existing ModelClient into ChatGptAuth policy when use_agent_identity is enabled, without adding a second model-client constructor
• resolves Agent Identity only for first-party OpenAI provider auth paths
• uses the persisted run task id from the AgentIdentityAuth record to build AgentAssertion auth for Responses requests
• routes shared request setup through scoped provider auth so unary compact requests use the same run-task assertion path as inference turns
• keeps local/custom/Bedrock/env-key/external-bearer provider auth unchanged
• lets missing run-task state surface through the existing model-request error path instead of silently falling back to bearer auth

This PR intentionally does not create thread-scoped, target-scoped, or background-scoped task identities. The run task is the only task Codex registers in this POC shape.

Testing

• just test -p codex-model-provider
• just test -p codex-core client::tests::provider_auth_scope_uses
• just test -p codex-core remote_compact_uses_agent_identity_assertion

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 733de4454c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Pass thread task auth to compact Responses calls

ModelClient::current_client_setup always forwards agent_task_auth as None. compact_conversation_history (and other unary Responses paths) use this helper, so they never attach the thread-scoped AgentAssertion introduced for inference turns. In Agent Identity mode, compaction can run under bearer/process auth instead of the active thread task, which breaks the stated migration intent.

Useful? React with 👍 / 👎.