Use app-server auth status for Codex readiness

[dkundel-openai]

Summary

This updates the Codex plugin auth/readiness flow to rely on the app-server account/read and config/read APIs instead of codex login status.

For actual task/review execution, the plugin now only checks that Codex is available and then starts the real app-server task. That lets Codex handle refreshable/expired sessions naturally, and if the run is rejected, the real app-server error is passed back to Claude.

Changes

• Replaced codex login status readiness checks with app-server account/read + config/read.
• Treat API key auth as ready but unverified.
• Treat configured providers that do not require OpenAI auth as ready.
• Surface config/read failures as not-ready setup status.
• Removed auth preflight from task/review execution and stop-review gate execution.
• Kept Codex availability checks before starting task/review runs.
• Added regression tests for API key auth, non-OpenAI providers, stale/refreshable auth, real auth failures, and config/read failures.

Test Plan

• node --test --test-name-pattern "setup" tests/runtime.test.mjs
• npm test passes, 71/71 tests.