Add Codex Apps sediment file remapping

[caseychow-oai]

Summary

• bridge Codex Apps MCP declared file inputs/outputs through the OpenAI files flow behind the apps_file_bridge feature flag
• upload local file path inputs for declared openai/fileParams fields and rewrite them into canonical OpenAI file payload objects
• auto-download declared openai/fileOutputs sediment://{file_id} results into managed temp paths and expose the explicit download_openai_file tool when the feature is enabled
• scope managed OpenAI file downloads to a per-session temp root and add that root to the session sandbox only when the feature is enabled

Notes

• Remote MCP file references in the argument rewrite path must be explicit sediment://...; bare file_* / file-* strings are treated as local paths.
• During cleanup, removing the earlier macOS-specific model_availability_nux test relaxation reproduced the local Bazel failure unexpected exit code from codex resume: 1; output: ^C, so that narrow allowance remains.
• The test-only shell snapshot timing adjustment remains in suite::shell_snapshot::shell_command_snapshot_still_intercepts_apply_patch because removing it reproduced the macOS x86 local Bazel failure timed out waiting for file .../snapshot-apply.txt.

Verification

• cargo test -p codex-core rewrite_single_argument_string_ -- --nocapture
• cargo test -p codex-core openai_file_ -- --nocapture
• cargo test -p codex-core mcp_tool_to_openai_tool_ -- --nocapture
• cargo test -p codex-core prompt_tools_are_consistent_across_requests -- --nocapture
• cargo test -p codex-core serialize_tool_search_output_tools_ -- --nocapture
• cargo test -p codex-features
• ~/.cargo/bin/just fmt

[mzeng-openai]

there's one real bug here: in rewrite_single_argument_string we parse bare file_*/file-* as OpenAI file IDs before trying to resolve a local path, so a local file like file_report.csv gets rewritten to sediment://file_report.csv instead of being uploaded. can we either require sediment:// for remote handles in this path, or check local path existence first?

also, can we split out the unrelated cleanup from this PR? the nextest / approval-matrix / code-mode timing changes, cargo-bin refactor, apply_patch fallback, and app-server fileChange test relaxation don't seem tied to the sediment bridge.

[caseychow-oai]

there's one real bug here: in rewrite_single_argument_string we parse bare file_*/file-* as OpenAI file IDs before trying to resolve a local path, so a local file like file_report.csv gets rewritten to sediment://file_report.csv instead of being uploaded. can we either require sediment:// for remote handles in this path, or check local path existence first?

will investigate

also, can we split out the unrelated cleanup from this PR? the nextest / approval-matrix / code-mode timing changes, cargo-bin refactor, apply_patch fallback, and app-server fileChange test relaxation don't seem tied to the sediment bridge.

wilco, was trying to remove as much of that as possible but kept breaking CI. if i can make it work without i'll try to remove

[caseychow-oai]

Removing local fallback entirely, we should always assume it's sediment:// for remote files here.

[mzeng-openai]

Can we clean up the unrelated diffs here and in other places.

[mzeng-openai]

Why do we need change the core flow here? Can we move the file transformation logic out of the core flow as much as possible? Essentially you only need to rewrite a few special params and I don't think you have to change the whole core flow to achieve that.

[mzeng-openai]

Same here, do we have to change the core flow?

[mzeng-openai]

I don't think you need to add it to tool search.

[caseychow-oai]

There's two main things that we have to make sure to expose to the model, and the tool results seems to be the best thing. First is that we need to modify the parameter so that it is showing the model file shape instead of the path. The second is that we need to indicate to the model that that is what is happening on both the upload and the download flows.

I've gone ahead and tried to streamline it as much as possible to isolate it to just the case that we're caring about. If you feel like we can go further I'm happy to take a shot.

[mzeng-openai]

Also please clean up here.

[mzeng-openai]

Can you confirm with @bolinfest if this is ok with the sandbox policy?