refactor(egress): use provisioned_env instead of sentinel for Codex token (PRD 0030)

Add `provisioned_env: dict[str, str]` to `AgentProvisionPlan`. When
`forward_host_credentials=True`, `agent_provision_plan` reads the host
Codex access token at prepare time and stores it under
`CODEX_HOST_CREDENTIAL_TOKEN_REF`. Both backends merge `provisioned_env`
over `os.environ` before calling `egress_resolve_token_values`, so the
token slot resolves like any other manifest-declared token ref.

Removes `egress_resolve_token_values_with_provider` and the sentinel
`continue` skip from `egress_resolve_token_values`. The function is now
fully generic — it neither knows nor cares about provider identity.

tests/unit/test_agent_provider.py

@@ -145,6 +145,37 @@ class TestAgentProviderRuntime(unittest.TestCase):
         self.assertNotIn("CLAUDE_CODE_OAUTH_TOKEN", plan.env_vars)
         self.assertEqual(frozenset(), plan.hidden_env_names)
 
+    def test_codex_forward_host_credentials_populates_provisioned_env(self):
+        access = _jwt(2000000000)
+        with tempfile.TemporaryDirectory(prefix="bb-provider.") as tmp:
+            home = Path(tmp) / "host-codex"
+            home.mkdir()
+            (home / "auth.json").write_text(json.dumps({
+                "auth_mode": "chatgpt",
+                "tokens": {"access_token": access},
+            }))
+            plan = agent_provision_plan(
+                template="codex",
+                dockerfile="",
+                state_dir=Path(tmp),
+                forward_host_credentials=True,
+                host_env={"CODEX_HOME": str(home)},
+            )
+        self.assertEqual(
+            {CODEX_HOST_CREDENTIAL_TOKEN_REF: access},
+            plan.provisioned_env,
+        )
+
+    def test_codex_without_forward_host_credentials_has_empty_provisioned_env(self):
+        with tempfile.TemporaryDirectory(prefix="bb-provider.") as tmp:
+            plan = agent_provision_plan(
+                template="codex",
+                dockerfile="",
+                state_dir=Path(tmp),
+                forward_host_credentials=False,
+            )
+        self.assertEqual({}, plan.provisioned_env)
+
 
 if __name__ == "__main__":
     unittest.main()

tests/unit/test_egress.py

@@ -2,7 +2,6 @@
 resolution (PRD 0017)."""
 
 import unittest
-import unittest.mock
 
 from bot_bottle.egress import (
     CODEX_HOST_CREDENTIAL_TOKEN_REF,
@@ -10,7 +9,6 @@ from bot_bottle.egress import (
     egress_manifest_routes,
     egress_render_routes,
     egress_resolve_token_values,
-    egress_resolve_token_values_with_provider,
     egress_routes_for_bottle,
     egress_token_env_map,
 )
@@ -343,72 +341,13 @@ class TestResolveTokenValues(unittest.TestCase):
                 {"GH_PAT": ""},
             )
 
-    def test_codex_host_credential_ref_is_resolved_by_launch(self):
+    def test_codex_host_credential_ref_resolved_via_provisioned_env(self):
         out = egress_resolve_token_values(
             {"EGRESS_TOKEN_0": CODEX_HOST_CREDENTIAL_TOKEN_REF},
-            {},
+            {CODEX_HOST_CREDENTIAL_TOKEN_REF: "codex-access-token"},
         )
-        self.assertEqual({}, out)
-
-
-class TestResolveTokenValuesWithProvider(unittest.TestCase):
-    def test_empty_map_returns_empty(self):
-        out = egress_resolve_token_values_with_provider({}, False, {})
-        self.assertEqual({}, out)
-
-    def test_empty_map_with_forward_credentials_returns_empty(self):
-        # forward_host_credentials=True but no slots → no codex call needed.
-        out = egress_resolve_token_values_with_provider({}, True, {})
-        self.assertEqual({}, out)
-
-    def test_manifest_tokens_resolved_without_forward_credentials(self):
-        out = egress_resolve_token_values_with_provider(
-            {"EGRESS_TOKEN_0": "GH_PAT"},
-            False,
-            {"GH_PAT": "ghp_secret"},
-        )
-        self.assertEqual({"EGRESS_TOKEN_0": "ghp_secret"}, out)
-
-    def test_codex_token_slotted_in_when_forward_credentials_and_matching_ref(self):
-        with unittest.mock.patch(
-            "bot_bottle.egress.codex_host_access_token",
-            return_value="codex-access-token",
-        ):
-            out = egress_resolve_token_values_with_provider(
-                {"EGRESS_TOKEN_0": CODEX_HOST_CREDENTIAL_TOKEN_REF},
-                True,
-                {},
-            )
         self.assertEqual({"EGRESS_TOKEN_0": "codex-access-token"}, out)
 
-    def test_codex_token_not_slotted_when_no_matching_ref(self):
-        # forward_host_credentials=True but no CODEX_HOST_CREDENTIAL_TOKEN_REF
-        # slot in the map → manifest tokens only; Codex token is fetched but
-        # nothing to slot it into.
-        with unittest.mock.patch(
-            "bot_bottle.egress.codex_host_access_token",
-            return_value="codex-access-token",
-        ):
-            out = egress_resolve_token_values_with_provider(
-                {"EGRESS_TOKEN_0": "GH_PAT"},
-                True,
-                {"GH_PAT": "ghp_secret"},
-            )
-        self.assertEqual({"EGRESS_TOKEN_0": "ghp_secret"}, out)
-
-    def test_codex_not_called_when_forward_credentials_false(self):
-        called = []
-        with unittest.mock.patch(
-            "bot_bottle.egress.codex_host_access_token",
-            side_effect=lambda *_: called.append(1) or "tok",
-        ):
-            egress_resolve_token_values_with_provider(
-                {"EGRESS_TOKEN_0": "GH_PAT"},
-                False,
-                {"GH_PAT": "ghp_secret"},
-            )
-        self.assertEqual([], called)
-
 
 if __name__ == "__main__":
     unittest.main()