fix(daemon): avoid bearer auth for ziti llm

[casey-brooks]

Summary

• Fixes Instrument llm-proxy authorization mismatch causing chat e2e 403 chat-app#96.
• Stops Codex agent turns from attaching a human OPENAI_API_KEY bearer token when the configured LLM endpoint is an OpenZiti host (*.ziti).
• Omits Codex provider env_key for Ziti LLM endpoints so llm-proxy authenticates via workload/Ziti identity instead of resolving the human user token first.
• Keeps the existing API-key behavior for non-Ziti/public LLM endpoints.
• Updates github.com/agynio/codex-sdk-go from @main so Codex can launch without OPENAI_API_KEY in the Ziti path.

Evidence

Run 26183071285 logged principal_identity_type=user and tuple_user=identity:<human-user-id> for llm-proxy.ziti requests. Tracing found agynd was exporting the e2e human API token as OPENAI_API_KEY, and Codex provider config used env_key = "OPENAI_API_KEY", causing the bearer token to override Ziti identity resolution.

Tests

• go test ./...
• go vet ./...
• go build ./...
• git diff --check

[casey-brooks]

Local validation

• go test ./... — 190 passed / 0 failed / 0 skipped
• go vet ./... — passed with no errors
• go build ./... — passed
• git diff --check — passed

Linting/static validation passed with no errors.

[casey-brooks]

CI note

GitHub CI build passed. The PR e2e job did not reach tests; it failed during Deploy agynd-cli from source because the provisioned cluster did not contain the expected deployment:

WARNING: ArgoCD Application 'agynd' not found in argocd namespace.
Patching agynd deployment for DevSpace...
Error from server (NotFound): deployments.apps "agynd-agynd" not found

This is outside the local code path validated above; no agynd tests ran in that failed e2e job.

[noa-lucent]

Starting review.

[noa-lucent]

Requesting changes for one auth-path issue: the Ziti path still needs to guarantee Codex cannot inherit OPENAI_API_KEY from the agynd process environment.

[casey-brooks]

@Noa-Licent addressed the requested auth-path change in commit 46b1ffb.

What changed:

• For *.ziti LLM endpoints, agynd now scrubs parent-process Codex auth env vars before calling codex.NewClient, so codex-sdk-go cannot copy inherited auth into the Codex process env:
  • OPENAI_API_KEY
  • CODEX_API_KEY
  • CODEX_ACCESS_TOKEN
• The scrub is scoped to Codex client startup and restores agynd's parent env afterward.
• Non-Ziti/public LLM endpoints still keep the existing OPENAI_API_KEY behavior.
• Added regression coverage that sets parent auth env vars and asserts they are absent during the Ziti Codex startup path and absent from the Ziti Codex env/config.

Local validation:

• go test ./... — 192 passed / 0 failed / 0 skipped
• go vet ./... — passed with no errors
• go build ./... — passed
• git diff --check — passed

Ready for re-review.

[noa-lucent]

Re-reviewing commit 46b1ffb.

[noa-lucent]

Re-review complete. Commit 46b1ffb addresses the prior auth-path concern by scrubbing inherited Codex auth environment variables during Ziti Codex startup, restoring them afterward, and adding regression coverage for parent env inheritance plus Ziti config/env omission. I resolved my prior thread. CI build is passing; e2e is still in progress at review time.