Read faster model from safety buffering events

[ftoddywala]

Summary

Direct Codex third-party traffic receives safety-buffering metadata from the Responses WebSocket without the Codex first-party treatment headers. This change reads the new optional safety_buffering.faster_model wire field, forwards it through the existing app-server notification, and leaves the existing explicit user retry flow unchanged.

API review: https://app.notion.com/p/38c8e50b62b081308e4ae4719443db6b

Paired Responses API producer: https://github.com/openai/openai/pull/1082770

Behavior

• With no first-party treatment metadata, an object-valued safety-buffering signal is visible and uses the wire faster_model fallback.
• First-party treatment headers remain authoritative for both visibility and the retry target, including explicit disabled and enabled-without-target treatments.
• Treatment state resets for every response.create, even when the WebSocket connection is reused.
• Missing and explicit null wire fields remain compatible and produce no retry target.
• SSE behavior is unchanged: its existing treatment remains authoritative and ignores the WebSocket fallback.

The retry remains explicit and user initiated. It creates an ordinary request with the selected model; all ordinary access, safety, and rate-limit checks still apply.

Validation

• just test -p codex-api: 134 passed.
• Focused WebSocket parser/treatment tests: 6 passed independently in the final audit.
• just test -p codex-app-server --test all direct_websocket_safety_buffering_reaches_app_server_notification: passed. This uses a mock WebSocket server and proves the wire value reaches the real model/safetyBuffering/updated notification without leaking a disabled warmup treatment across responses on the same connection.
• just test -p codex-tui safety_buffering_offers_one_retry_with_app_wording: passed and proves the exact model becomes the existing RetrySafetyBufferedTurn action.
• just fix -p codex-api, just fix -p codex-app-server, and just fmt: passed.
• Paired Responses producer Tilt validation exercised real WebSocket route/emitter frames for configured string, explicit null, and disabled/omitted cases.

[github-actions]

Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.

---

I have read the CLA Document and I hereby sign the CLA

---

_{You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.}

[ftoddywala]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. 🎉

Reviewed commit: 2f818abb05

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".