Add auth env observability

[ccy-oai]

CXC-410 Emit Env Var Status with /feedback report

Add more observability on top of #14611
Unset
Set

Summary

• Adds auth-env telemetry that records whether key auth-related env overrides were present on session start and request paths.
• Threads those auth-env fields through /responses, websocket, and /models telemetry and feedback metadata.
• Buckets custom provider env_key configuration to a safe "configured" value instead of emitting raw config text.
• Keeps the slice observability-only: no raw token values or raw URLs are emitted.

Rationale (from spec findings)

• 401 and auth-path debugging needs a way to distinguish env-driven auth paths from sessions with no auth env override.
• Startup and model-refresh failures need the same auth-env diagnostics as normal request failures.
• Feedback and Sentry tags need the same auth-env signal as OTel events so reports can be triaged consistently.
• Custom provider config is user-controlled text, so the telemetry contract must stay presence-only / bucketed.

Scope

• Adds a small AuthEnvTelemetry bundle for env presence collection and threads it through the main request/session telemetry paths.
• Does not add endpoint/base-url/provider-header/geo routing attribution or broader telemetry API redesign.

Trade-offs

• provider_env_key_name is bucketed to "configured" instead of preserving the literal configured env var name.
• /models is included because startup/model-refresh auth failures need the same diagnostics, but broader parity work remains out of scope.
• This slice keeps the existing telemetry APIs and layers auth-env fields onto them rather than redesigning the metadata model.

Client follow-up

• Add the separate endpoint/base-url attribution slice if routing-source diagnosis is still needed.
• Add provider-header or residency attribution only if auth-env presence proves insufficient in real reports.
• Revisit whether any additional auth-related env inputs need safe bucketing after more 401 triage data.

Testing

• cargo test -p codex-core emit_feedback_request_tags -- --nocapture
• cargo test -p codex-core collect_auth_env_telemetry_buckets_provider_env_key_name -- --nocapture
• cargo test -p codex-core models_request_telemetry_emits_auth_env_feedback_tags_on_failure -- --nocapture
• cargo test -p codex-otel otel_export_routing_policy_routes_api_request_auth_observability -- --nocapture
• cargo test -p codex-otel otel_export_routing_policy_routes_websocket_connect_auth_observability -- --nocapture
• cargo test -p codex-otel otel_export_routing_policy_routes_websocket_request_transport_observability -- --nocapture
• cargo test -p codex-core --no-run --message-format short
• cargo test -p codex-otel --no-run --message-format short

[etraut-openai]

Thanks for adding this!

[ccy-oai]

Thanks for adding this!

Thank you, Eric! Merging.