Register agent tasks behind use_agent_identity

[adrian-openai]

Summary

Stack PR3 for feature-gated agent identity support.

This PR adds per-thread agent task registration behind features.use_agent_identity. Tasks are minted on the first real user turn and cached in thread runtime state for later turns.

Stack

• PR1: Add use_agent_identity feature flag #17385 - add features.use_agent_identity
• PR2: Register agent identities behind use_agent_identity #17386 - register agent identities when enabled
• PR3: Register agent tasks behind use_agent_identity #17387 - this PR, original task registration slice
• PR3.1: Persist and prewarm agent tasks per thread #17978 - persist and prewarm registered tasks per thread
• PR4: [codex] Use AgentAssertion downstream behind use_agent_identity #17980 - use AgentAssertion downstream when enabled

Validation

Covered as part of the local stack validation pass:

• just fmt
• cargo test -p codex-core --lib agent_identity
• cargo test -p codex-core --lib agent_assertion
• cargo test -p codex-core --lib websocket_agent_task
• cargo test -p codex-api api_bridge
• cargo build -p codex-cli --bin codex

Notes

The full local app-server E2E path is still being debugged after PR creation. The current branch stack is directionally ready for review while that follow-up continues.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5f089f4a53

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Revalidate cached agent task against current auth binding

ensure_agent_task_registered returns a cached agent_task without checking whether auth/workspace binding changed. After re-auth or workspace switch, turns can keep using a task minted for the old binding because register_task() (the only path that recomputes current_binding) is skipped. This can cause authorization failures or cross-account credential reuse.

Useful? React with 👍 / 👎.

[efrazer-oai]

I don't think we need this auth_binding concept with our auth.json changes. Can do smth like below:

match auth { CodexAuth::ChatgptAuthTokens(tokens) => { if let Some(agent_identity) = tokens.registered_agent_identity() { // preregistered path register_task_with_agent_identity(agent_identity).await } else if let Some(access_token) = tokens.authorization_bearer_token() { // human bootstrap path bootstrap_and_register_task(access_token, tokens.workspace_id()).await } else { Ok(None) } } _ => Ok(None), }

We shouldn't exist in a state where the agent workspace_id doesn't match up with the user workspace_id

[efrazer-oai]

Session lifecycle

In the status quo, we fully persist session details on disk. With this change, we're creating an ephemeral 'task' in memory associated with a session. This is a bit off for a few reasons I think:

1. It means if we turn off codex and start working on the same session later, it shows up as two different 'tasks' which seems like undesirable backend state.
2. It means we add latency to every initial turn in order to make this HTTP call to create the task (idt it'd be too severe, but latency is a huge focus and we try to make most interactions go through websockets; if we can avoid i would).
3. There are some API calls we make that are not session scoped, and some that are session scoped but aren't in the path where we create agent_task. If we're in a regime where there's no user token (i.e. programmatic codex), i believe these will just fail -- would need to make it robust to those.

I wonder if there's a cleaner implementation that loses some fidelity but just creates it on start?

Or if we can pass the session id itself as the task id?

[efrazer-oai]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Keep them coming!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[efrazer-oai]

Approved to unblock, make sure to smoke test the path where there's no logged in chat user token locally! (i.e. programmatic agent identity)