rmcp-client: fix auth crash (#11692)

Don't load auth tokens if bearer token is present. This fixes a crash I was getting on Linux: ``` 2026-02-12T23:26:24.999408Z DEBUG session_init: codex_core::codex: Configuring session: model=gpt-5.3-codex-spark; provider=ModelProviderInfo { name: "OpenAI", base_url: None, env_key: None, env_key_instructions: No ne, experimental_bearer_token: None, wire_api: Responses, query_params: None, http_headers: Some({"version": "0.0.0"}), env_http_headers: Some({"OpenAI-Project": "OPENAI_PROJECT", "OpenAI-Organization": "OPENAI_ORGA NIZATION"}), request_max_retries: None, stream_max_retries: None, stream_idle_timeout_ms: None, requires_openai_auth: true, supports_websockets: true } 2026-02-12T23:26:24.999799Z TRACE session_init: codex_keyring_store: keyring.load start, service=Codex MCP Credentials, account=codex_apps|20398391ad12d90b thread 'tokio-runtime-worker' (96190) has overflowed its stack fatal runtime error: stack overflow, aborting Finished `dev` profile [unoptimized + debuginfo] target(s) in 1.35s ```
2026-05-03 10:56:37 +00:00 · 2026-02-13 14:32:01 -08:00
parent 6c0a924203
commit 395729910c
2 changed files with 99 additions and 11 deletions
--- a/codex-rs/rmcp-client/src/rmcp_client.rs
+++ b/codex-rs/rmcp-client/src/rmcp_client.rs
@@ -11,6 +11,7 @@ use anyhow::anyhow;
 use futures::FutureExt;
 use futures::future::BoxFuture;
 use oauth2::TokenResponse;
+use reqwest::header::AUTHORIZATION;
 use reqwest::header::HeaderMap;
 use rmcp::model::CallToolRequestParams;
 use rmcp::model::CallToolResult;
@@ -244,16 +245,18 @@ impl RmcpClient {
    ) -> Result<Self> {
        let default_headers = build_default_headers(http_headers, env_http_headers)?;

-        let initial_oauth_tokens = match bearer_token {
-            Some(_) => None,
-            None => match load_oauth_tokens(server_name, url, store_mode) {
-                Ok(tokens) => tokens,
-                Err(err) => {
-                    warn!("failed to read tokens for server `{server_name}`: {err}");
-                    None
+        let initial_oauth_tokens =
+            if bearer_token.is_none() && !default_headers.contains_key(AUTHORIZATION) {
+                match load_oauth_tokens(server_name, url, store_mode) {
+                    Ok(tokens) => tokens,
+                    Err(err) => {
+                        warn!("failed to read tokens for server `{server_name}`: {err}");
+                        None
+                    }
                }
-            },
-        };
+            } else {
+                None
+            };

        let transport = if let Some(initial_tokens) = initial_oauth_tokens.clone() {
            match create_oauth_transport_and_runtime(