feat(agentex): forward user session cookie to agent pods via acp headers

[cdvillegas]

Pull Request Summary

PR #245 added x-acting-user-api-key for API-key callers. Browser and Ops Hub users authenticate with the _identityJwt session cookie, so agent pods still had no delegatable credential.

This PR extends runtime delegation v1 for cookie-based auth:

• After auth validates a user principal (not agent-as-self), agentex builds outbound ACP headers from the inbound request.
• x-api-key present: forward as x-acting-user-api-key (unchanged from feat(agentex): forward user api key to agent pods via acp headers #245).
• Session cookie only: parse the inbound Cookie header and forward only allowlisted name=value pairs on x-acting-user-cookie. Never replay the full browser Cookie header (no CSRF, analytics, or third-party cookies).
• Default allowlist: _identityJwt (Scale Ops Hub / EGP / Spark). No Helm change required for default deployments.
• Override: AGENTEX_DELEGATION_SESSION_COOKIE_NAMES (comma-separated). Unset = default. Empty string = cookie delegation disabled (API key path only).
• Precedence: API key wins when both API key and cookie are sent.
• Anti-spoofing: x-acting-user-cookie, x-selected-account-id, x-api-key, and raw cookie remain blocked on client passthrough; delegation values are server-set only.
• Logging: inbound request logs redact keys matching cookie (in addition to existing api-key redaction).

Agent SDK PassthroughResolver and agent-side SGP consumption remain follow-up work.

Test Plan

• tests/unit/domain/test_delegation_headers.py: API key and cookie paths, API key precedence, env unset/empty/override for cookie names, skip when no principal or agent identity, no credential.
• test_send_message_includes_cookie_delegation_headers on AgentACPService: asserts only _identityJwt is forwarded when extra cookies are present.
• TestFilterRequestHeaders: acting cookie and selected-account-id spoof headers stripped from passthrough.

Linear Issue

Resolves AGX1-293

Greptile Summary

This PR extends ACP runtime delegation for browser/Ops Hub users who authenticate via the _identityJwt session cookie rather than an API key. After successful auth, agentex parses the inbound Cookie header and forwards only allowlisted cookie name-value pairs (default: _identityJwt) on the new x-acting-user-cookie header; API key takes precedence when both are present.

• Cookie allowlist filtering (delegation_headers.py): _minimal_session_cookie uses Python's SimpleCookie to parse and extract only configured cookie names, controlled by AGENTEX_DELEGATION_SESSION_COOKIE_NAMES (unset = _identityJwt; empty = disabled; comma-separated = override).
• Anti-spoofing hardening (agent_acp_service.py): x-acting-user-cookie and x-selected-account-id added to BLOCKED_HEADERS so clients cannot inject these into agent-pod-bound requests; delegation values are set server-side only.
• Logging redaction (request_utils.py): r"cookie" added to the key blacklist so raw cookie values are stripped from request logs.

Confidence Score: 5/5

Safe to merge. The cookie delegation logic is well-scoped: only allowlisted cookie names are extracted and forwarded, the full browser Cookie header never reaches agent pods, and newly added BLOCKED_HEADERS entries close the client-spoofing gap on both the new and existing delegation headers.

The allowlist approach with SimpleCookie is correct — morsel.value returns only the parsed value without surrounding whitespace or quoting artefacts, and the try/except CookieError provides a safe fallback. The merge order in get_headers ensures server-set delegation values always win over any client passthrough. Test coverage spans every documented behavioral variant. No logic errors or security gaps were found.

No files require special attention.

Important Files Changed

Filename	Overview
agentex/src/domain/delegation_headers.py	Core delegation logic: adds cookie-based delegation via _minimal_session_cookie allowlist filter using SimpleCookie, env-configured cookie names, and API-key precedence. Logic is correct and secure.
agentex/src/domain/services/agent_acp_service.py	Adds x-acting-user-cookie and x-selected-account-id to BLOCKED_HEADERS, preventing client spoofing of delegation and account-selection headers. Correct anti-spoofing change.
agentex/src/utils/request_utils.py	Adds r"cookie" to the logging redaction blacklist so raw cookie values are stripped from request logs. Correct and minimal change.
agentex/tests/unit/domain/test_delegation_headers.py	New unit tests covering API-key path, cookie path, allowlist filtering, env-var overrides, API-key precedence, no-principal, agent-identity skip, and no-credential cases.
agentex/tests/unit/services/test_agent_acp_service.py	Adds integration test asserting only _identityJwt is forwarded and updates spoofing test to include new blocked headers.

_{Reviews (3): Last reviewed commit: "fix(agentex): forward only configured se..." | Re-trigger Greptile}

[cdvillegas]

@greptile