fix(guardian, app-server): introduce guardian review ids (#17298)

## Description This PR introduces `review_id` as the stable identifier for guardian reviews and exposes it in app-server `item/autoApprovalReview/started` and `item/autoApprovalReview/completed` events. Internally, guardian rejection state is now keyed by `review_id` instead of the reviewed tool item ID. `target_item_id` is still included when a review maps to a concrete thread item, but it is no longer overloaded as the review lifecycle identifier. ## Motivation We'd like to give users the ability to preempt a guardian review while it's running (approve or decline). However, we can't implement the API that allows the user to override a running guardian review because we didn't have a unique `review_id` per guardian review. Using `target_item_id` is not correct since: - with execve reviews, there can be multiple execve calls (and therefore guardian reviews) per shell command - with network policy reviews, there is no target item ID The PR that actually implements user overrides will use `review_id` as the stable identifier.
2026-04-25 07:05:38 +00:00 · 2026-04-10 16:21:02 -07:00
parent 7999b0f60f
commit a3be74143a
36 changed files with 577 additions and 172 deletions
--- a/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.v2.schemas.json
+++ b/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.v2.schemas.json
@@ -802,6 +802,13 @@
        }
      ]
    },
+    "AutoReviewDecisionSource": {
+      "description": "[UNSTABLE] Source that produced a terminal guardian approval review decision.",
+      "enum": [
+        "agent"
+      ],
+      "type": "string"
+    },
    "ByteRange": {
      "properties": {
        "end": {
@@ -5502,17 +5509,28 @@
    },
    "ItemGuardianApprovalReviewCompletedNotification": {
      "$schema": "http://json-schema.org/draft-07/schema#",
-      "description": "[UNSTABLE] Temporary notification payload for guardian automatic approval review. This shape is expected to change soon.\n\nTODO(ccunningham): Attach guardian review state to the reviewed tool item's lifecycle instead of sending separate standalone review notifications so the app-server API can persist and replay review state via `thread/read`.",
+      "description": "[UNSTABLE] Temporary notification payload for guardian automatic approval review. This shape is expected to change soon.",
      "properties": {
        "action": {
          "$ref": "#/definitions/GuardianApprovalReviewAction"
        },
+        "decisionSource": {
+          "$ref": "#/definitions/AutoReviewDecisionSource"
+        },
        "review": {
          "$ref": "#/definitions/GuardianApprovalReview"
        },
-        "targetItemId": {
+        "reviewId": {
+          "description": "Stable identifier for this review.",
          "type": "string"
        },
+        "targetItemId": {
+          "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
+          "type": [
+            "string",
+            "null"
+          ]
+        },
        "threadId": {
          "type": "string"
        },
@@ -5522,8 +5540,9 @@
      },
      "required": [
        "action",
+        "decisionSource",
        "review",
-        "targetItemId",
+        "reviewId",
        "threadId",
        "turnId"
      ],
@@ -5532,7 +5551,7 @@
    },
    "ItemGuardianApprovalReviewStartedNotification": {
      "$schema": "http://json-schema.org/draft-07/schema#",
-      "description": "[UNSTABLE] Temporary notification payload for guardian automatic approval review. This shape is expected to change soon.\n\nTODO(ccunningham): Attach guardian review state to the reviewed tool item's lifecycle instead of sending separate standalone review notifications so the app-server API can persist and replay review state via `thread/read`.",
+      "description": "[UNSTABLE] Temporary notification payload for guardian automatic approval review. This shape is expected to change soon.",
      "properties": {
        "action": {
          "$ref": "#/definitions/GuardianApprovalReviewAction"
@@ -5540,9 +5559,17 @@
        "review": {
          "$ref": "#/definitions/GuardianApprovalReview"
        },
-        "targetItemId": {
+        "reviewId": {
+          "description": "Stable identifier for this review.",
          "type": "string"
        },
+        "targetItemId": {
+          "description": "Identifier for the reviewed item or tool call when one exists.\n\nIn most cases, one review maps to one target item. The exceptions are - execve reviews, where a single command may contain multiple execve calls to review (only possible when using the shell_zsh_fork feature) - network policy reviews, where there is no target item\n\nA network call is triggered by a CommandExecution item, so having a target_item_id set to the CommandExecution item would be misleading because the review is about the network call, not the command execution. Therefore, target_item_id is set to None for network policy reviews.",
+          "type": [
+            "string",
+            "null"
+          ]
+        },
        "threadId": {
          "type": "string"
        },
@@ -5553,7 +5580,7 @@
      "required": [
        "action",
        "review",
-        "targetItemId",
+        "reviewId",
        "threadId",
        "turnId"
      ],