feat(multi-env): manifest provider + per-env tool family + system prompt block

[imryao]

Summary

End-to-end multi-environment support in our agentserver codex fork. 33 commits ahead of main. Lets a single codex session run shell/file ops against multiple execution environments declared via a JSON manifest, with per-environment auth tokens and an LLM-facing tool family that explicitly carries environment_id.

What landed (4 layers)

P1 — manifest loader (exec-server crate)

• ManifestEnvironmentProvider reads CODEX_EXEC_SERVERS_JSON, validates entries (no dupe ids, default present), resolves per-entry bearer tokens from env vars
• Environment::remote_with_auth(...) constructor; Environment.description: Option<String>
• LazyRemoteExecServerClient::with_auth(...) injects Authorization: Bearer … on connect
• Legacy CODEX_EXEC_SERVER_URL path preserved byte-identically; manifest wins when both set (with tracing::warn!)
• Integration tests in exec-server/tests/manifest_provider.rs

P2 — env selection in core

• TurnContext::select_environment(Option<&str>) -> Option<&TurnEnvironment> (None → primary)
• UnifiedExecRequest.environment_id and ApplyPatchRequest.environment_id fields
• Runtime call sites switched from primary_environment() → select_environment(env_id)
• intercept_apply_patch(env_id) lets shell→apply_patch chains carry env

P3 — schema honesty (REVERSAL from original plan)

Initial implementation added environment_id to native shell / apply_patch schemas. Reverted in commits 0d820d5961 / bbba7c6ac2 / ddeb163d17 / aefa1f7d95 to preserve upstream training compatibility — native tools must keep schemas the model has seen during pretraining. See `fix(core): shell schema honesty …` for rationale.

Replacement: a parallel `*_in_environment` tool family (gated on `env_count >= 2`):

• `exec_command_in_environment`
• `apply_patch_in_environment` (JSON only — Lark grammar can't express the field)
• `list_environments` (read-only catalog)
• `list_dir_in_environment`
• `read_file_in_environment` / `write_file_in_environment`
• `view_image_in_environment`

All file-system tools route through `Environment::get_filesystem()`, no direct `tokio::fs`.

P4 — system prompt block

• New `AvailableEnvironmentsInstructions` fragment in `core/src/context/`
• Renders markdown table (`id | description | default`) plus an inline list of the new tool family so LLM knows when/how to use them
• Wired into `session/mod.rs` developer_sections, gated on `environments.len() >= 2`
• Single-env sessions emit no block (zero prompt change)

Backwards compatibility

• Native `shell` / `exec_command` / `apply_patch` schemas are byte-identical to upstream (training compat)
• All new fields are `Option` with `#[serde(default)]`
• `EnvironmentProvider::default_environment_id` has a default impl returning `None`
• `Environment::remote_inner` retained as compat shim
• Single-env users see no behavior change

Out of scope (known limitations)

• `apply_patch` Lark/freeform variant has no `environment_id` (grammar limitation)
• `multi_agents` / `agent_jobs` sub-agent dispatch still resolves to primary env only
• MCP runtime environment selection is fixed to primary
• Native `view_image` / `list_dir` etc. still target primary; cross-env access goes through the new family

Test Plan

Local verification (run from `/root/codex-multi-env/codex-rs` on this branch):

• `cargo check -p codex-exec-server -p codex-core -p codex-tools -p codex-protocol` — clean (one pre-existing dead_code warning on `LazyRemoteExecServerClient::new`)
• `cargo test -p codex-exec-server -p codex-tools -p codex-protocol` — 152 passed, 0 failed (includes manifest_provider integration, all new `*_in_environment` tool spec tests, required-field validation)
• `RUST_MIN_STACK=16777216 cargo test -p codex-core --lib` for multi-env-touched modules: `tools::handlers::`, `session::turn_context`, `session::mcp`, `context::available_environments_instructions`, `tools::runtimes::`, `environment_selection`, `unified_exec` — all passing
• `intercept_apply_patch_routes_by_environment_id` — passes (P3 reversal regression test)
• `multi-env tool family end-to-end integration` — passes
• CI to verify: 12 `codex-core --lib` test failures observed locally are all in cwd/git-context-sensitive modules (`turn_diff_tracker`, `config::config_loader_tests`, `git_info_tests::resolve_root_git_project_for_trust_returns_none_outside_repo`, `realtime_context::*`) — none in multi-env paths. Strongly suspected to be artifacts of running tests inside a nested git worktree (`/root/codex-multi-env`); need CI on a clean checkout to confirm.
• CI: full `cargo test --workspace`
• CI: clippy + fmt

Notes for reviewers

• Commit history includes the P3 reverts intentionally — they document the reasoning for why we chose the parallel-tool approach over schema field. Worth preserving rather than squashing.
• Upstream `origin/main` already has one multi-env commit (`Surface multi-environment choices in environment context openai/codex#20646`); this branch builds on top of it (already in our `main`).

🤖 Generated with Claude Code