refactor(core): move auth into codex-auth #14481

Closed
bolinfest wants to merge 1 commit into main from codex/extract-auth-crate-from-codex-core

@bolinfest (Collaborator) commented Mar 12, 2026

Why

codex-core sits late in the build graph, and its auth implementation was still a large chunk of code and unit tests living inside that crate. That kept auth work on the critical path for codex-core builds and made the codex-core --lib test binary more expensive to compile.

This change moves that auth surface into its own workspace crate so it can compile and test independently, then removes the temporary codex-core auth/token-data reexports so downstream crates depend on codex-auth directly. codex-core keeps only the small pieces it still owns: the config-aware login restriction logic and the helper that reads auth through the core default HTTP client path.

What Changed

  • added a new codex-auth crate and moved auth state, storage, token parsing, refresh logic, and their unit tests there
  • added codex-rs/auth/BUILD.bazel so the new crate is addressable from Bazel as //codex-rs/auth:auth
  • removed core/src/auth.rs and core/src/token_data.rs; downstream crates and test-support crates now import codex-auth directly instead of going through codex-core
  • kept the remaining core-owned behavior in core/src/default_client_auth.rs and core/src/login_restrictions.rs so auth reads still use the core default client behavior for originator, residency, user-agent, and sandbox no_proxy, while login restriction enforcement stays config-aware
  • split auth/src/lib.rs into smaller modules so lib.rs is mostly exports, and replaced the generic auth tests.rs file with file-specific test modules such as auth_storage_io_tests.rs
  • updated workspace manifests and lockfiles for the new direct codex-auth dependency edges, including core_test_support and app_test_support

Verification

  • CARGO_TARGET_DIR=/tmp/codex-auth-core-check cargo check -p codex-auth -p codex-core -p codex-app-server -p codex-backend-client -p codex-chatgpt -p codex-cli -p codex-cloud-requirements -p codex-exec -p codex-login -p codex-mcp-server -p codex-tui
  • CARGO_TARGET_DIR=/tmp/codex-auth-core-check cargo test -p codex-auth --lib
  • CARGO_TARGET_DIR=/tmp/codex-auth-core-check cargo test -p codex-core --lib
  • CARGO_TARGET_DIR=/tmp/codex-auth-core-check cargo test -p codex-app-server --tests --no-run
  • CARGO_TARGET_DIR=/tmp/codex-auth-core-check cargo test -p codex-login --tests --no-run
  • cargo shear
  • just bazel-lock-check

@bolinfest bolinfest changed the title from "refactor: extract auth crate from codex-core" to "refactor(core): move auth into codex-auth" Mar 12, 2026

@chatgpt-codex-connector bot (Contributor) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c3eeca0cb6

Comment on lines +533 to +534
fn create_client() -> CodexHttpClient {
CodexHttpClient::new(reqwest::Client::new())
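
Review bot: create_client() on the first line takes no parameters and the second line hard-codes reqwest::Client::new(), so callers cannot hand this crate an already configured client, and every call builds a new client with its own connection pool and reqwest's built-in defaults. Consider accepting the client (or a factory for it) as an argument, or building it once and reusing it, and add a test that pins whatever configuration refresh requests are expected to carry.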

P1: Reuse default client for auth refresh requests

create_client now builds CodexHttpClient from reqwest::Client::new(), which drops the default client configuration previously used in this path (core/src/default_client.rs), including standard headers (originator/User-Agent/residency) and seatbelt no_proxy handling. As a result, OAuth refresh calls in request_chatgpt_token_refresh can behave differently from the rest of Codex networking and fail in environments that rely on those defaults (for example sandboxed/proxied setups or header-gated backends), turning a refactor into a runtime auth regression.

@bolinfest bolinfest force-pushed the codex/extract-auth-crate-from-codex-core branch 5 times, most recently from 5fe7a7b to 75062a8, March 13, 2026 01:47
@bolinfest bolinfest force-pushed the codex/extract-auth-crate-from-codex-core branch from 75062a8 to ea36462, March 13, 2026 16:14

@bolinfest (Collaborator, Author) commented

abandoning in favor of #15150

@bolinfest bolinfest closed this Mar 20, 2026