initial draft

codex-rs/app-server-protocol/schema/json/ClientRequest.json

@@ -5,6 +5,15 @@
       "description": "A path that is guaranteed to be absolute and normalized (though it is not guaranteed to be canonicalized or exist on the filesystem).\n\nIMPORTANT: When deserializing an `AbsolutePathBuf`, a base path must be set using [AbsolutePathBufGuard::new]. If no base path is set, the deserialization will fail unless the path being deserialized is already absolute.",
       "type": "string"
     },
+    "ApprovalSourceMetadata": {
+      "enum": [
+        "guardian",
+        "user",
+        "policy",
+        "unknown"
+      ],
+      "type": "string"
+    },
     "ApprovalsReviewer": {
       "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
       "enum": [
@@ -1992,6 +2001,16 @@
     },
     "ResponseItemMetadata": {
       "properties": {
+        "approval_source": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/ApprovalSourceMetadata"
+            },
+            {
+              "type": "null"
+            }
+          ]
+        },
         "is_tool_call_escalated": {
           "type": [
             "boolean",

codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json

@@ -5272,6 +5272,15 @@
       "AppToolsConfig": {
         "type": "object"
       },
+      "ApprovalSourceMetadata": {
+        "enum": [
+          "guardian",
+          "user",
+          "policy",
+          "unknown"
+        ],
+        "type": "string"
+      },
       "ApprovalsReviewer": {
         "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
         "enum": [
@@ -10659,6 +10668,16 @@
       },
       "ResponseItemMetadata": {
         "properties": {
+          "approval_source": {
+            "anyOf": [
+              {
+                "$ref": "#/definitions/v2/ApprovalSourceMetadata"
+              },
+              {
+                "type": "null"
+              }
+            ]
+          },
           "is_tool_call_escalated": {
             "type": [
               "boolean",

codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.v2.schemas.json

@@ -532,6 +532,15 @@
     "AppToolsConfig": {
       "type": "object"
     },
+    "ApprovalSourceMetadata": {
+      "enum": [
+        "guardian",
+        "user",
+        "policy",
+        "unknown"
+      ],
+      "type": "string"
+    },
     "ApprovalsReviewer": {
       "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
       "enum": [
@@ -7447,6 +7456,16 @@
     },
     "ResponseItemMetadata": {
       "properties": {
+        "approval_source": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/ApprovalSourceMetadata"
+            },
+            {
+              "type": "null"
+            }
+          ]
+        },
         "is_tool_call_escalated": {
           "type": [
             "boolean",

codex-rs/app-server-protocol/schema/json/v2/RawResponseItemCompletedNotification.json

@@ -1,6 +1,15 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema#",
   "definitions": {
+    "ApprovalSourceMetadata": {
+      "enum": [
+        "guardian",
+        "user",
+        "policy",
+        "unknown"
+      ],
+      "type": "string"
+    },
     "ContentItem": {
       "oneOf": [
         {
@@ -840,6 +849,16 @@
     },
     "ResponseItemMetadata": {
       "properties": {
+        "approval_source": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/ApprovalSourceMetadata"
+            },
+            {
+              "type": "null"
+            }
+          ]
+        },
         "is_tool_call_escalated": {
           "type": [
             "boolean",

codex-rs/app-server-protocol/schema/json/v2/ThreadResumeParams.json

@@ -1,6 +1,15 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema#",
   "definitions": {
+    "ApprovalSourceMetadata": {
+      "enum": [
+        "guardian",
+        "user",
+        "policy",
+        "unknown"
+      ],
+      "type": "string"
+    },
     "ApprovalsReviewer": {
       "description": "Configures who approval requests are routed to for review. Examples include sandbox escapes, blocked network access, MCP approval prompts, and ARC escalations. Defaults to `user`. `guardian_subagent` uses a carefully prompted subagent to gather relevant context and apply a risk-based decision framework before approving or denying the request.",
       "enum": [
@@ -906,6 +915,16 @@
     },
     "ResponseItemMetadata": {
       "properties": {
+        "approval_source": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/ApprovalSourceMetadata"
+            },
+            {
+              "type": "null"
+            }
+          ]
+        },
         "is_tool_call_escalated": {
           "type": [
             "boolean",