fix(codex): preserve daemon env in tool commands

[YOMXXX]

What does this PR do?

Fixes Codex agent task subprocesses losing the daemon-injected Multica context. The daemon already passes MULTICA_SERVER_URL, MULTICA_TOKEN, MULTICA_WORKSPACE_ID, MULTICA_AGENT_ID, and MULTICA_TASK_ID into the Codex app-server process, but Codex applies its own shell environment policy when running model-requested commands. If the tool subprocess running multica issue comment add does not receive those variables, the CLI can fall back to user config or fail with No server configured, causing agent replies to be attributed as a member instead of the agent.

This keeps the server-side impersonation protection intact: resolveActor still requires both X-Agent-ID and a valid X-Task-ID. The fix is to start codex app-server with -c shell_environment_policy.inherit=all so tool commands inherit the daemon task environment that the Multica CLI uses to add the agent headers.

Related Issue

Closes #2944

Type of Change

• Bug fix (non-breaking change that fixes an issue)
• New feature (non-breaking change that adds functionality)
• Refactor / code improvement (no behavior change)
• Tests (adding or improving test coverage)
• Documentation update
• CI / infrastructure

Changes Made

• server/pkg/agent/codex.go: append a Codex config override that lets shell/tool subprocesses inherit the daemon environment.
• server/pkg/agent/codex_test.go: add a regression test that locks the daemon env inheritance override at the end of the Codex app-server args, so a user custom arg cannot accidentally override it.

How to Test

1. cd server && go test ./pkg/agent -run TestBuildCodexArgsLetsToolSubprocessesInheritDaemonEnv
2. cd server && go test ./pkg/agent
3. cd server && go test ./...

Checklist

• I have included a thinking path that traces from project context to this change
• I have run tests locally and they pass
• I have added or updated tests where applicable
• If this change affects the UI, I have included before/after screenshots
• I have updated relevant documentation to reflect my changes
• If I added a new runtime / coding tool / UI tab, I synced the change to landing copy (apps/web/features/landing/i18n/) and relevant docs (apps/docs/content/docs/)
• If this PR touches Chinese product copy, I checked it against apps/docs/content/docs/developers/conventions.zh.mdx (terminology, mixed-rule for task / issue / skill)
• I have considered and documented any risks above
• I will address all reviewer comments before requesting merge

AI Disclosure

AI tool used: Codex

Prompt / approach:

Investigated #2944 from the reporter's symptom back through the Multica identity chain: daemon env injection -> Codex app-server launch -> multica CLI header injection -> server resolveActor. The server correctly requires X-Agent-ID + X-Task-ID, so the fix stays on the Codex process boundary instead of weakening actor validation. Used TDD: added a failing buildCodexArgs regression test first, then appended the Codex shell environment policy override and ran targeted plus full backend tests.

Screenshots (optional)

N/A — backend/daemon runtime behavior only.

[vercel]

@YOMXXX is attempting to deploy a commit to the IndexLabs Team on Vercel.

A member of the Team first needs to authorize it.