
Add experimental local credential broker#28034

Open
winston-openai wants to merge 3 commits into main from dev/winston/local-credential-broker

Conversation

@winston-openai

@winston-openai winston-openai commented Jun 13, 2026

Contributor

Why

Codex child processes can inherit injectable local credentials directly, which lets commands read and exfiltrate the real values. This first experimental slice keeps supported workflows working while moving those credentials behind the existing managed network proxy.

What changed

  • add credential_broker = true under [features.network_proxy]
  • discover supported process environment variables during child setup, retain their real values only in the in-memory proxy broker, and replace them with deterministic lookalike dummies
  • preserve recognized provider prefixes, token length, separators, and broad character shape so GitHub and OpenAI clients continue to accept the dummy values
  • inject the selected real credential only into a matching MITM request; a presented dummy selects among multiple credentials of the same kind
  • preserve explicit Authorization headers that do not contain a broker dummy
  • bind GitHub cloud credentials only to GitHub cloud hosts, bind GitHub Enterprise credentials only to an explicit non-cloud GH_HOST, and bind OpenAI keys only to api.openai.com
  • leave unbound GitHub Enterprise credentials usable but unbrokered
  • define credential sources in one proxy-owned table, so each source automatically participates in discovery, dummy cleanup, and shell-snapshot restoration while per-kind header placement stays localized
  • carry an internal dummy-to-environment mapping through shell snapshots, then strip only values that still exactly match broker dummies when commands leave proxy containment; user overrides remain intact
  • replay brokered credential keys through shell snapshots only when the proxy-issued broker marker is exactly 1, preventing ordinary proxy sessions from restoring ambient credentials
  • keep discovery, token shaping, state, MITM selection, and header injection in codex-network-proxy; the small codex-core integration only maps feature config and handles the existing shell snapshot and escalation boundaries

Scope

  • supported credentials: GH_TOKEN, GITHUB_TOKEN, GH_ENTERPRISE_TOKEN, GITHUB_ENTERPRISE_TOKEN, and OPENAI_API_KEY
  • GitHub cloud credentials match github.com, api.github.com, and *.ghe.com
  • GitHub Enterprise credentials match only the normalized non-cloud GH_HOST
  • OpenAI API keys match only api.openai.com
  • this does not cover SSH agents, kube client certificates, filesystem secret discovery, context-injected secret scrubbing, or removing credentials from snapshot files at rest

Validation

  • just test -p codex-network-proxy (184 passed)
  • just test -p codex-features (52 passed)
  • focused codex-core checks for active broker shell-snapshot replay and inactive broker credential omission
  • scoped Clippy checks for codex-network-proxy, codex-features, and codex-core
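
The mechanism the description lays out (deterministic lookalike dummies that keep prefix, length and separators; real-value injection only into a request bound to a matching host; exact-match scrubbing when a command leaves proxy containment), as an added example modelled on the description and not the PR's own code. `Broker`, `Entry`, `Kind`, `make_dummy`, `host_allowed` and the digit-substitution scheme are hypothetical, and the sample environment is constructed.

```rust
// Added example, not the project's code; all names here are hypothetical.
use std::collections::HashMap;
#[derive(Clone, Copy)]
enum Kind { GitHubCloud, OpenAi }
struct Entry { kind: Kind, real: String }
/// Dummy value -> real credential; real values live only in this in-memory map.
struct Broker { entries: HashMap<String, Entry> }
/// Deterministic lookalike: keep a recognised prefix, length and separators; other chars become digits seeded by the variable name.
fn make_dummy(env_var: &str, real: &str) -> String {
    let keep = ["github_pat_", "ghp_", "sk-"].iter().find(|p| real.starts_with(**p)).map_or(0, |p| p.len());
    let seed: u32 = env_var.bytes().map(u32::from).sum();
    real.char_indices()
        .map(|(i, c)| if i < keep || "_-".contains(c) { c } else { char::from(b'0' + ((seed + i as u32) % 10) as u8) })
        .collect()
}
/// Host binding: GitHub cloud tokens to GitHub cloud hosts only, OpenAI keys to api.openai.com only.
fn host_allowed(kind: Kind, host: &str) -> bool {
    match kind {
        Kind::GitHubCloud => ["github.com", "api.github.com"].contains(&host) || host.ends_with(".ghe.com"),
        Kind::OpenAi => host == "api.openai.com",
    }
}
impl Broker {
    /// Discover supported variables; return the environment the child process should see.
    fn discover(env: &[(&str, &str)]) -> (Broker, Vec<(String, String)>) {
        let mut entries = HashMap::new();
        let child_env: Vec<(String, String)> = env.iter().map(|(k, v)| {
            let kind = match *k {
                "GH_TOKEN" | "GITHUB_TOKEN" => Kind::GitHubCloud,
                "OPENAI_API_KEY" => Kind::OpenAi,
                _ => return (k.to_string(), v.to_string()), // unsupported variable: pass through
            };
            let dummy = make_dummy(k, v);
            entries.insert(dummy.clone(), Entry { kind, real: v.to_string() });
            (k.to_string(), dummy)
        }).collect();
        (Broker { entries }, child_env)
    }
    /// Rewrite an Authorization header only when it presents a dummy bound to this host; other headers pass through untouched.
    fn authorize(&self, host: &str, header: &str) -> String {
        header.split_once(' ')
            .and_then(|(scheme, token)| self.entries.get(token).map(|e| (scheme, e)))
            .filter(|(_, e)| host_allowed(e.kind, host))
            .map_or_else(|| header.to_string(), |(scheme, e)| format!("{scheme} {}", e.real))
    }
    /// On leaving proxy containment, drop only values that still exactly equal a dummy.
    fn scrub(&self, env: &mut Vec<(String, String)>) {
        env.retain(|(_, v)| !self.entries.contains_key(v));
    }
}
```

A user override that replaces the dummy (for example a `GH_TOKEN` set by hand inside the command) is neither brokered nor scrubbed, which is the behaviour the description asks for.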

@winston-openai winston-openai force-pushed the dev/winston/local-credential-broker branch 6 times, most recently from 5446ca3 to 006a77a on June 13, 2026 08:36
@winston-openai winston-openai marked this pull request as ready for review June 16, 2026 01:51
@winston-openai winston-openai requested a review from a team as a code owner June 16, 2026 01:51

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 006a77a3d6


Review comment threads: codex-rs/network-proxy/src/credential_broker.rs (five threads, four marked Outdated) and codex-rs/network-proxy/src/proxy.rs (one thread)
@winston-openai winston-openai changed the title Add local credential broker Add experimental local credential broker Jun 17, 2026
winston-openai added a commit that referenced this pull request Jun 17, 2026
@winston-openai winston-openai force-pushed the dev/winston/local-credential-broker branch from f992518 to 732cf55 on June 17, 2026 18:45
@winston-openai winston-openai changed the base branch from dev/winston/mitm-command-ca-bundles to main June 17, 2026 18:46
@winston-openai winston-openai force-pushed the dev/winston/local-credential-broker branch 2 times, most recently from 807dfe6 to f52cce3 on June 17, 2026 20:03
@winston-openai winston-openai force-pushed the dev/winston/local-credential-broker branch 2 times, most recently from 403dd8e to 99eeb43 on June 17, 2026 22:22
@winston-openai winston-openai force-pushed the dev/winston/local-credential-broker branch from 99eeb43 to 9204084 on June 18, 2026 18:44
