[codex] Route Fed ChatGPT auth through Fed edge (#17151)

## Summary
- parse chatgpt_account_is_fedramp from signed ChatGPT auth metadata
- add _account_is_fedramp=true to ChatGPT backend-api requests only for
FedRAMP ChatGPT-auth accounts

codex-rs/codex-api/src/api_bridge_tests.rs

@@ -136,6 +136,7 @@ fn core_auth_provider_reports_when_auth_header_will_attach() {
     let auth = CoreAuthProvider {
         token: Some("access-token".to_string()),
         account_id: None,
+        is_fedramp_account: false,
     };
 
     assert!(auth.auth_header_attached());
@@ -162,3 +163,22 @@ fn core_auth_provider_adds_auth_headers() {
         Some("workspace-123")
     );
 }
+
+#[test]
+fn core_auth_provider_adds_fedramp_routing_header_for_fedramp_accounts() {
+    let auth = CoreAuthProvider {
+        token: Some("access-token".to_string()),
+        account_id: Some("workspace-123".to_string()),
+        is_fedramp_account: true,
+    };
+    let mut headers = HeaderMap::new();
+
+    crate::AuthProvider::add_auth_headers(&auth, &mut headers);
+
+    assert_eq!(
+        headers
+            .get("X-OpenAI-Fedramp")
+            .and_then(|value| value.to_str().ok()),
+        Some("true")
+    );
+}