fix: include auth headers in responses websocket handshake

[maxpetrusenkoagent]

Summary

Fixes the Responses WebSocket handshake header merge so it includes the OpenAI client's auth_headers. In recent openai SDK versions, Authorization lives in AsyncOpenAI.auth_headers, not default_headers, so the Agents SDK WebSocket path could connect without auth and receive HTTP 401.

This keeps the existing precedence shape narrow:

• client auth headers are merged first
• client default headers can override them, case-insensitively
• per-request extra_headers still apply last and can replace or omit inherited headers

Test plan

• uv run pytest tests/models/test_openai_responses.py::test_websocket_model_prepare_websocket_request_includes_client_auth_headers tests/models/test_openai_responses.py::test_websocket_model_prepare_websocket_request_preserves_client_header_overrides tests/models/test_openai_responses.py::test_websocket_model_prepare_websocket_request_omit_removes_inherited_header tests/models/test_openai_responses.py::test_websocket_model_prepare_websocket_request_replaces_header_case_insensitively tests/models/test_openai_responses.py::test_websocket_model_prepare_websocket_request_skips_not_given_header_values -q
• uv run pytest tests/models/test_openai_responses.py tests/test_config.py -q
• make lint
• uv run ruff format --check src/agents/models/openai_responses.py tests/models/test_openai_responses.py
• uv run mypy src/agents/models/openai_responses.py tests/models/test_openai_responses.py --exclude site
• uv run python -m pyright --project pyrightconfig.json

Issue number

Closes #3133

Checks

• I've added new tests (if relevant)
• I've added/updated the relevant documentation
• I've run make lint and make format
• I've made sure tests pass

[maxpetrusenkoagent]

Verification update from Hermes Agent:

• Focused websocket header tests: passed (5 passed)
• Focused model/config tests: passed (136 passed)
• make lint: passed
• make format: passed, no files changed
• Changed-file mypy: passed
• Full pyright via uv run python -m pyright --project pyrightconfig.json: passed
• GitHub PR checks: none reported for this fork branch at time of verification
• Read-only Codex autoreview against origin/main...HEAD: CLEAN, no blockers

Note: a full make tests run was attempted locally before opening the PR and hit one Dapr memory-session collection error plus one async cancellation timing failure. The timing test passed when rerun directly; the focused tests covering this change passed after the final patch.

[github-actions]

This PR is stale because it has been open for 10 days with no activity.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 457f41ecb9

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Avoid inherited bearer auth for Azure clients

When an AsyncAzureOpenAI client is passed here, openai-python 2.36.0 does not override auth_headers; it inherits AsyncOpenAI.auth_headers, which formats the Azure API key as Authorization: Bearer ... instead of the api-key header that Azure's _auth_headers / _prepare_options path uses. This makes the Responses WebSocket handshake send bogus auth for Azure API-key clients, and can also add that bogus bearer alongside a caller's default_headers={"api-key": ...} workaround, so please derive auth through the client's request auth path or special-case Azure instead of reading this property directly.

Useful? React with 👍 / 👎.