fix: chatwidget was not honoring approval_id for an ExecApprovalRequestEvent

[bolinfest]

Why

ExecApprovalRequestEvent can carry a distinct approval_id for subcommand approvals, including the execve-intercepted zsh-fork path.

The session registers the pending approval callback under approval_id when one is present, but ChatWidget was stashing call_id in the approval modal state. When the user approved the command in the TUI, the response was sent back with the wrong identifier, so the pending approval could not be matched and the approval callback would not resolve.

Note approval_id was introduced in #12051.

What changed

• In tui/src/chatwidget.rs, ChatWidget now uses ExecApprovalRequestEvent::effective_approval_id() when constructing ApprovalRequest::Exec.
• That preserves the existing behavior for normal shell and unified_exec approvals, where approval_id is absent and the effective id still falls back to call_id.
• For subcommand approvals that provide a distinct approval_id, the TUI now sends back the same key that Session::request_command_approval() registered.

Verification

• Traced the approval flow end to end to confirm the same effective approval id is now used on both sides of the round trip:
  • Session::request_command_approval() registers the pending callback under approval_id.unwrap_or(call_id).
  • ChatWidget now emits Op::ExecApproval with that same effective id.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 69f91d03b6

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Keep replay-tracking key aligned with approval response ID

handle_exec_approval_now now sets ApprovalRequest::Exec.id to ev.effective_approval_id(), but pending interactive replay still indexes exec approvals by ev.call_id and later clears them using outbound Op::ExecApproval.id (codex-rs/tui/src/app/pending_interactive_replay.rs, note_event at lines 113-119 and note_outbound_op at lines 60-67). When approval_id differs from call_id (subcommand approvals), approving in the TUI no longer removes the tracked pending prompt, so should_replay_snapshot_event (lines 219-222) can replay an already-resolved approval after a thread/agent switch before TurnComplete arrives.

Useful? React with 👍 / 👎.