Steve Coffey c57dee98b7 Allow API-key auth for remote exec-server registration (#24666) ...

## Overview
Allow remote `codex exec-server` registration to use existing API-key
auth while restricting where those credentials can be sent.

- Accept `CodexAuth::ApiKey` for the normal `--remote` registration
path.
- Restrict API-key remote registration to HTTPS `openai.com` and
`openai.org` hosts and subdomains, with explicit HTTP loopback support
for local development.
- Disable registry registration redirects so credentials cannot be
forwarded to an unvalidated destination.
- Retain `--use-agent-identity-auth` as the explicit Agent Identity
path.
- Document remote registration using `CODEX_API_KEY`.

## Big picture
Callers can now provide an API key directly to `exec-server`
registration without first establishing ChatGPT login state:

```sh
CODEX_API_KEY="$OPENAI_API_KEY" \
codex exec-server \
  --remote "https://<host>.openai.org/api" \
  --environment-id "$ENVIRONMENT_ID"
```

## Validation
- `cargo fmt --all` (`just fmt` is not installed on this host)
- `cargo test -p codex-cli -p codex-exec-server`

2026-05-27 21:17:38 +00:00

..

src

Allow API-key auth for remote exec-server registration (#24666)

2026-05-27 21:17:38 +00:00

tests

Move memory state to a dedicated SQLite DB (#24591)

2026-05-26 20:07:25 +02:00

BUILD.bazel

Wire realtime WebRTC native media into Bazel (#17145)

2026-04-08 15:15:55 -07:00

build.rs

Add WebRTC media transport to realtime TUI (#17058)

2026-04-08 10:26:55 -07:00

Cargo.toml

Allow API-key auth for remote exec-server registration (#24666)

2026-05-27 21:17:38 +00:00