CM-62984: Align Codex integration with session-start refactor

Post-merge fixes after #434 (session-start refactor) landed on main:

- consts.py: Codex SessionStart now calls CYCODE_SESSION_START_COMMAND
  with --ide codex, matching the Cursor/Claude-code pattern (the old
  CYCODE_ENSURE_AUTH_COMMAND constant was removed).
- session_start_command.py: add Codex branch to _build_session_payload
  so session_start works for the Codex IDE.
- handlers.py: drop ai_client.create_conversation() call from
  handle_before_command_exec; conversation creation now happens in the
  session-start command, matching the other three handlers.
- test_hooks_manager.py: update Codex SessionStart test to assert on
  CYCODE_SESSION_START_COMMAND + --ide codex.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: MaorDavidzon

cycode/cli/apps/ai_guardrails/consts.py

@@ -170,6 +170,7 @@ def _get_codex_hooks_config(async_mode: bool = False) -> dict:
     reads are not exposed to hooks.
     """
     command = f'{CYCODE_SCAN_PROMPT_COMMAND} --ide {AIIDEType.CODEX.value}'
+    session_start_command = f'{CYCODE_SESSION_START_COMMAND} --ide {AIIDEType.CODEX.value}'
 
     hook_entry = {'type': 'command', 'command': command}
     if async_mode:
@@ -181,7 +182,7 @@ def _get_codex_hooks_config(async_mode: bool = False) -> dict:
             'SessionStart': [
                 {
                     'matcher': 'startup',
-                    'hooks': [{'type': 'command', 'command': CYCODE_ENSURE_AUTH_COMMAND}],
+                    'hooks': [{'type': 'command', 'command': session_start_command}],
                 }
             ],
             'UserPromptSubmit': [

cycode/cli/apps/ai_guardrails/scan/handlers.py

@@ -269,7 +269,6 @@ def handle_before_command_exec(ctx: typer.Context, payload: AIHookPayload, polic
     response_builder = get_response_builder(ide)
 
     command_config = get_policy_value(policy, 'command_exec', default={})
-    ai_client.create_conversation(payload)
     if not get_policy_value(command_config, 'enabled', default=True):
         ai_client.create_event(payload, AiHookEventType.COMMAND_EXEC, AIHookOutcome.ALLOWED)
         return response_builder.allow_permission()

cycode/cli/apps/ai_guardrails/session_start_command.py

@@ -41,6 +41,15 @@ def _build_session_payload(payload: dict, ide: str) -> AIHookPayload:
             ide_version=ide_version,
         )
 
+    if ide == AIIDEType.CODEX:
+        return AIHookPayload(
+            conversation_id=payload.get('session_id'),
+            generation_id=payload.get('turn_id'),
+            model=payload.get('model'),
+            ide_provider=AIIDEType.CODEX.value,
+            ide_version=payload.get('codex_version'),
+        )
+
     # Cursor
     return AIHookPayload(
         conversation_id=payload.get('conversation_id'),

tests/cli/commands/ai_guardrails/test_hooks_manager.py

@@ -151,12 +151,13 @@ def test_get_hooks_config_codex_async() -> None:
 
 
 def test_get_hooks_config_codex_session_start() -> None:
-    """Test Codex hooks config includes SessionStart auth check."""
+    """Test Codex hooks config includes SessionStart with --ide flag."""
     config = get_hooks_config(AIIDEType.CODEX)
     assert 'SessionStart' in config['hooks']
     entries = config['hooks']['SessionStart']
     assert len(entries) == 1
-    assert entries[0]['hooks'][0]['command'] == CYCODE_ENSURE_AUTH_COMMAND
+    assert CYCODE_SESSION_START_COMMAND in entries[0]['hooks'][0]['command']
+    assert '--ide codex' in entries[0]['hooks'][0]['command']
 
 
 def test_get_hooks_config_codex_pretooluse_bash_only() -> None: