feat(app-server): migrate remote control to server tokens

[apanasenko-oai]

Why

codex-backend now authenticates remote-control server websocket connections with short-lived server tokens instead of the user's ChatGPT access token. app-server needs to mint and refresh those server tokens without persisting them, so a restart can reconnect from durable enrollment identity while keeping the bearer token memory-only.

What Changed

Updated the remote-control transport to consume remote_control_token and expires_at from server enroll responses and added /server/refresh support for persisted enrollments or expiring cached tokens.

Websocket handshakes now send Authorization: Bearer <remote_control_token> with the existing server identity headers, and no longer send the ChatGPT bearer token or chatgpt-account-id on that websocket path.

The in-memory enrollment state now owns the ephemeral server token cache, while SQLite still persists only server_id, environment_id, and server_name. Websocket 401/403 clears only the cached token for refresh on reconnect; websocket or refresh 404 clears stale persisted enrollment and re-enrolls. Response body previews redact remote_control_token before surfacing parse errors.

Verification

Targeted remote-control transport coverage now exercises restart refresh, cached-token reconnects, websocket token invalidation, stale enrollment re-enrollment, and server-token handshake headers in codex-app-server-transport tests.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4fd28a6f61

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".