codex: address PR review feedback (#20619)

2026-05-18 02:02:30 +00:00 · 2026-05-07 17:27:56 -07:00
parent a99661637c
commit eac9cff366
7 changed files with 14 additions and 14 deletions
--- a/codex-rs/app-server-protocol/schema/json/AttestationGenerateResponse.json
+++ b/codex-rs/app-server-protocol/schema/json/AttestationGenerateResponse.json
@@ -1,13 +1,13 @@
 {
  "$schema": "http://json-schema.org/draft-07/schema#",
  "properties": {
-    "headerValue": {
-      "description": "Opaque client attestation payload to embed in the upstream header envelope.",
+    "token": {
+      "description": "Opaque client attestation token.",
      "type": "string"
    }
  },
  "required": [
-    "headerValue"
+    "token"
  ],
  "title": "AttestationGenerateResponse",
  "type": "object"
--- a/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json
+++ b/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json
@@ -91,13 +91,13 @@
    "AttestationGenerateResponse": {
      "$schema": "http://json-schema.org/draft-07/schema#",
      "properties": {
-        "headerValue": {
-          "description": "Opaque client attestation payload to embed in the upstream header envelope.",
+        "token": {
+          "description": "Opaque client attestation token.",
          "type": "string"
        }
      },
      "required": [
-        "headerValue"
+        "token"
      ],
      "title": "AttestationGenerateResponse",
      "type": "object"
@@ -18438,4 +18438,4 @@
  },
  "title": "CodexAppServerProtocol",
  "type": "object"
-}
+}
--- a/codex-rs/app-server-protocol/schema/typescript/v2/AttestationGenerateResponse.ts
+++ b/codex-rs/app-server-protocol/schema/typescript/v2/AttestationGenerateResponse.ts
@@ -4,6 +4,6 @@

 export type AttestationGenerateResponse = {
 /**
- * Opaque client attestation payload to embed in the upstream header envelope.
+ * Opaque client attestation token.
 */
-headerValue: string, };
+token: string, };
--- a/codex-rs/app-server-protocol/src/protocol/v2/attestation.rs
+++ b/codex-rs/app-server-protocol/src/protocol/v2/attestation.rs
@@ -12,6 +12,6 @@ pub struct AttestationGenerateParams {}
 #[serde(rename_all = "camelCase")]
 #[ts(export_to = "v2/")]
 pub struct AttestationGenerateResponse {
-    /// Opaque client attestation payload to embed in the upstream header envelope.
-    pub header_value: String,
+    /// Opaque client attestation token.
+    pub token: String,
 }
--- a/codex-rs/app-server/README.md
+++ b/codex-rs/app-server/README.md
@@ -1324,7 +1324,7 @@ When the client responds to `item/tool/requestUserInput`, the server emits `serv

 ### Attestation generation

-Desktop hosts that provide upstream attestation should set `capabilities.requestAttestation` during `initialize` and handle the server-initiated `attestation/generate` request. App-server issues it just in time before ChatGPT Codex requests that forward `x-oai-attestation`; the client responds with `{ "headerValue": "v1.<opaque>" }`, where `headerValue` is an opaque client-owned payload. When app-server receives a client response, it forwards a consistent outer envelope such as `{ "v": 1, "s": 0, "t": "v1.<opaque>" }`, where `t` contains the client payload unchanged. If app-server attempts attestation but fails within its own boundary, it sends the same envelope shape with an app-server status code and without `t` (`1 = timeout`, `2 = request failed`, `3 = request canceled`, `4 = malformed response`). If no initialized client opted into attestation, app-server omits `x-oai-attestation` for that upstream request.
+Desktop hosts that provide upstream attestation should set `capabilities.requestAttestation` during `initialize` and handle the server-initiated `attestation/generate` request. App-server issues it just in time before ChatGPT Codex requests that forward `x-oai-attestation`; the client responds with `{ "token": "v1.<opaque>" }`, where `token` is an opaque client-owned value. When app-server receives a client response, it forwards a consistent outer envelope such as `{ "v": 1, "s": 0, "t": "v1.<opaque>" }`, where `t` contains the client token unchanged. If app-server attempts attestation but fails within its own boundary, it sends the same envelope shape with an app-server status code and without `t` (`1 = timeout`, `2 = request failed`, `3 = request canceled`, `4 = malformed response`). If no initialized client opted into attestation, app-server omits `x-oai-attestation` for that upstream request.

 ### MCP server elicitations

--- a/codex-rs/app-server/src/attestation.rs
+++ b/codex-rs/app-server/src/attestation.rs
@@ -116,7 +116,7 @@ async fn request_attestation_header_value_with_timeout(
    match serde_json::from_value::<AttestationGenerateResponse>(result) {
        Ok(response) => app_server_attestation_header_value(
            AppServerAttestationStatus::Ok,
-            Some(&response.header_value),
+            Some(&response.token),
        ),
        Err(err) => {
            warn!("failed to deserialize attestation generation response: {err}");
--- a/codex-rs/app-server/tests/suite/v2/attestation.rs
+++ b/codex-rs/app-server/tests/suite/v2/attestation.rs
@@ -137,7 +137,7 @@ async fn attestation_generate_round_trip_adds_header_to_responses_websocket_hand
                    mcp.send_response(
                        request_id,
                        serde_json::to_value(AttestationGenerateResponse {
-                            header_value: ATTESTATION_HEADER.to_string(),
+                            token: ATTESTATION_HEADER.to_string(),
                        })?,
                    )
                    .await?;