
[codex] Add generated token auth to app-server WebSockets #30315

Draft
mikhail-oai wants to merge 7 commits into main from codex/app-server-websocket-token



@mikhail-oai mikhail-oai commented Jun 27, 2026


Summary

  • always generate and print a 256-bit, URL-safe connection token for app-server WebSocket listeners
  • require the token query parameter when generated-token authentication is active
  • add --no-token-check, which still generates and prints the token but accepts missing or incorrect tokens with a warning for every affected connection
  • keep printing the generated query token when capability-token or signed-bearer-token authentication is selected, while enforcing only the selected explicit authentication mode
  • avoid logging token-bearing request URIs

Motivation

Loopback app-server WebSocket listeners previously accepted connections without a per-process secret. A generated capability in the connection URL prevents unrelated local clients from connecting by default while keeping startup and client configuration simple. Printing the same URL shape in every mode also gives launchers a consistent startup contract.

User impact

Starting codex app-server --listen ws://127.0.0.1:4500 always prints a URL such as:

ws://127.0.0.1:4500/?token=<generated-token>

The query token is enforced by default. --no-token-check disables that enforcement. Explicit --ws-auth modes also disable query-token enforcement and continue to require their configured bearer authentication.

Validation

  • just test -p codex-app-server-transport (126 tests)
  • just test -p codex-app-server websocket_transport_ (14 focused WebSocket tests)
  • just test -p codex-cli app_server_no_token_check (2 tests)
  • just fix -p codex-app-server-transport -p codex-app-server -p codex-cli
  • just fmt
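
The behaviour described in the Summary, sketched as an added example that is not code from this pull request: a constant-time check of the `token` query parameter, the `--no-token-check` accept-with-warning path, and a log-safe form of the request URI. All function and type names are hypothetical, the sample token is constructed, and the explicit `--ws-auth` modes are not modelled.

```rust
// Added illustration: all names are hypothetical, not taken from the codex code base.
#[derive(Debug, PartialEq)]
pub enum Decision {
    Accept,
    AcceptWithWarning, // --no-token-check: missing or wrong token, still allowed
    Reject,
}

/// Compare without an early exit on content; only the (public) length can short-circuit.
fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Value of the `token` query parameter. The token is URL-safe, so no percent-decoding.
fn token_param(uri: &str) -> Option<&str> {
    let query = uri.split_once('?')?.1;
    let query = query.split('#').next().unwrap_or(query);
    query.split('&').find_map(|pair| pair.strip_prefix("token="))
}

/// `enforce` is false when the listener was started with --no-token-check.
pub fn check_token(uri: &str, expected: &str, enforce: bool) -> Decision {
    let ok = token_param(uri)
        .map(|t| constant_time_eq(t.as_bytes(), expected.as_bytes()))
        .unwrap_or(false);
    match (ok, enforce) {
        (true, _) => Decision::Accept,
        (false, false) => Decision::AcceptWithWarning,
        (false, true) => Decision::Reject,
    }
}

/// Form of the request URI that is safe to log: the whole query string is dropped.
pub fn loggable_uri(uri: &str) -> &str {
    uri.split_once('?').map_or(uri, |(path, _)| path)
}

fn main() {
    let expected = "AbC-123_constructed"; // constructed sample, not a real token
    let uri = format!("/?token={}", expected);
    println!("{:?} {}", check_token(&uri, expected, true), loggable_uri(&uri));
}
```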
