PAC 2 - Add shared auth system proxy contract

[canvrno-oai]

Summary

Stacked on #26706.

Adds the shared auth/system-proxy contract that later platform resolver PRs plug into. This PR moves Codex-owned auth and startup HTTP clients through a common route-aware boundary, but does not yet add Windows or macOS system proxy resolution.

The default path remains unchanged when respect_system_proxy is absent or disabled.

Implementation

• Adds codex-client/src/outbound_proxy.rs with the shared route-selection model:
  • OutboundProxyConfig;
  • ClientRouteClass;
  • RouteFailureClass;
  • build_reqwest_client_for_route.
• Preserves the existing reqwest/default-client behavior when no route config is supplied.
• Uses the fixed MVP routing policy when route config is supplied: platform system/PAC/WPAD discovery, then explicit env proxy variables, then direct connection.
• Keeps platform-specific system discovery behind the shared client boundary. This PR provides the contract and fallback behavior; later resolver PRs plug in Windows and macOS discovery.
• Adds login::AuthRouteConfig so auth call sites depend on a small policy type instead of platform resolver details.
• Maps the resolved Config.respect_system_proxy boolean into AuthRouteConfig for auth-owned clients.
• Wires the route config through browser login, device-code login, access-token login, login status, logout/revoke, token refresh, API-key exchange, app-server account login, TUI/app startup, cloud-config bootstrap, cloud tasks, plugin auth, and exec startup config loading.

End-user behavior

• No behavior changes by default.
• When respect_system_proxy = true, auth-owned clients opt into the shared route-aware client path.
• On platforms without a resolver implementation in this PR, system discovery is unavailable and the route-aware path falls back to explicit env proxy handling, then direct connection.
• Custom CA handling remains separate from proxy route selection and still runs through the shared client builder.
• No proxy URLs, PAC contents, or resolved platform details are exposed through the public config surface introduced here.

Tests

Adds or updates coverage for:

• preserving default auth-client fallback behavior when no route config is provided;
• injected environment-proxy fallback without mutating process environment;
• existing login-server E2E flows using explicit auth_route_config: None to guard unchanged default behavior;
• updated auth manager, login, logout, cloud-config, startup, and plugin-auth call sites passing route config explicitly.

[celia-oai]

approved for auth with comment. will let @anp-oai review codex client / proxy changes

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4d2e9883c1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".