fix(mcp): use oauth for codex cli config

[runeb]

Description

Makes Codex CLI an OAuth-only editor in sanity mcp configure, so it no longer embeds a Sanity API token and instead relies on Codex's own OAuth flow (which now has improved auth messaging). Mirrors the same change made for Claude Code in #1118.

Resolves AIGRO-5053.

What to review

• editorConfigs.ts: Codex CLI now has oauthOnly: true; buildCodexCliServerConfig only writes http_headers when a token is actually present (matching defaultHttpConfig's empty-token handling).

Testing

Updated unit tests in editorConfigs.test.ts and configure.test.ts to cover the OAuth-only Codex path. Tests, typecheck, and lint pass.

---

Note

Low Risk
Narrows auth to OAuth for one editor using an existing oauthOnly pattern; reduces stored tokens in local config with no changes to core auth services.

Overview
Codex CLI is now treated as an OAuth-only editor in sanity mcp configure, matching Cursor and Claude Code. Configure will write only the HTTP MCP server URL/type to ~/.codex/config.toml (or CODEX_HOME) and will not mint or embed a Sanity API token in http_headers for fresh setups.

buildCodexCliServerConfig now accepts an optional token and only adds http_headers when a token is explicitly provided (e.g. reusing auth from another editor). Tests and the changeset were updated to assert the OAuth-only Codex path and that configure output no longer includes [mcp_servers.Sanity.http_headers] by default.

^{Reviewed by Cursor Bugbot for commit 6ba6ca2. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

📦 Bundle Stats — @sanity/cli

Compared against main (e051d475)

@sanity/cli

Metric	Value	vs main (e051d47)
Internal (raw)	2.1 KB	-
Internal (gzip)	799 B	-
Bundled (raw)	10.97 MB	-
Bundled (gzip)	2.06 MB	-
Import time	842ms	+2ms, +0.2%

bin:sanity

Metric	Value	vs main (e051d47)
Internal (raw)	1023 B	-
Internal (gzip)	486 B	-
Bundled (raw)	9.87 MB	-
Bundled (gzip)	1.77 MB	-
Import time	1.95s	-6ms, -0.3%

🗺️ View treemap · Artifacts

Details

• Import time regressions over 10% are flagged with ⚠️
• Sizes shown as raw / gzip 🗜️. Internal bytes = own code only. Total bytes = with all dependencies. Import time = Node.js cold-start median.

📦 Bundle Stats — @sanity/cli-core

Compared against main (e051d475)

Metric	Value	vs main (e051d47)
Internal (raw)	96.3 KB	-
Internal (gzip)	22.7 KB	-
Bundled (raw)	21.64 MB	-
Bundled (gzip)	3.43 MB	-
Import time	797ms	-4ms, -0.5%

🗺️ View treemap · Artifacts

Details

• Import time regressions over 10% are flagged with ⚠️
• Sizes shown as raw / gzip 🗜️. Internal bytes = own code only. Total bytes = with all dependencies. Import time = Node.js cold-start median.

📦 Bundle Stats — create-sanity

Compared against main (e051d475)

Metric	Value	vs main (e051d47)
Internal (raw)	908 B	-
Internal (gzip)	483 B	-
Bundled (raw)	931 B	-
Bundled (gzip)	491 B	-
Import time	❌ ChildProcess denied: node	-

Details

• Import time regressions over 10% are flagged with ⚠️
• Sizes shown as raw / gzip 🗜️. Internal bytes = own code only. Total bytes = with all dependencies. Import time = Node.js cold-start median.

[github-actions]

Coverage Delta

File	Statements
packages/@sanity/cli/src/actions/mcp/editorConfigs.ts	100.0% (±0%)

Comparing 1 changed file against main @ e051d475cae2e183706300793b1d797a7b876a1f

Overall Coverage

Metric	Coverage
Statements	84.4% (±0%)
Branches	74.5% (±0%)
Functions	84.2% (±0%)
Lines	84.9% (+ 0.0%)