Add feature-gated agent identity flow

[adrian-openai]

Summary

• add a feature-gated use_agent_identity flow for ChatGPT-authenticated sessions in codex-core
• persist one agent identity per workspace/account, mint one plaintext task_id per thread on first user prompt, and attach that task to backend/model + connector gateway requests
• add targeted coverage for identity persistence, per-thread task creation/reuse, response/websocket headers, connector gateway propagation, config schema, and dependency lockfiles

Details

This wires the new agent identity flow into shared core services without changing the app-server RPC surface. When features.use_agent_identity is enabled and ChatGPT auth is active, Codex will register or reuse a persistent agent identity, store the long-lived key material in codex-secrets, create a thread-scoped task on first user turn, and propagate the resulting task_id only to the Responses/Codex backend path and the apps connector gateway path.

Testing

• cargo +1.93.1 test -p codex-core suite::agent_identity
• cargo +1.93.1 test -p codex-core agent_task_header
• just write-config-schema
• just bazel-lock-update
• just bazel-lock-check
• just fix -p codex-core
• just fmt

Notes

• cargo +1.93.1 test -p codex-core still has unrelated baseline/environment-sensitive failures outside this change set (for example in seatbelt, git_info, js_repl, and unified_exec paths), so this PR keeps validation focused on the new agent identity flow.

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[adrian-openai]

I have read the CLA Document and I hereby sign the CLA

[adrian-openai]

Closing this standalone PR in favor of the stacked rollout that now starts at #15587. Reviewers should start with #15587 and then move through #15588, #15589, and #15590 in order.