diff --git a/codex-rs/app-server-protocol/schema/json/AttestationGenerateResponse.json b/codex-rs/app-server-protocol/schema/json/AttestationGenerateResponse.json index 921cc6f494..e6bd59ec25 100644 --- a/codex-rs/app-server-protocol/schema/json/AttestationGenerateResponse.json +++ b/codex-rs/app-server-protocol/schema/json/AttestationGenerateResponse.json @@ -1,13 +1,13 @@ { "$schema": "http://json-schema.org/draft-07/schema#", "properties": { - "headerValue": { - "description": "Opaque client attestation payload to embed in the upstream header envelope.", + "token": { + "description": "Opaque client attestation token.", "type": "string" } }, "required": [ - "headerValue" + "token" ], "title": "AttestationGenerateResponse", "type": "object" diff --git a/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json b/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json index 9cbb3e8c37..c68795c015 100644 --- a/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json +++ b/codex-rs/app-server-protocol/schema/json/codex_app_server_protocol.schemas.json @@ -91,13 +91,13 @@ "AttestationGenerateResponse": { "$schema": "http://json-schema.org/draft-07/schema#", "properties": { - "headerValue": { - "description": "Opaque client attestation payload to embed in the upstream header envelope.", + "token": { + "description": "Opaque client attestation token.", "type": "string" } }, "required": [ - "headerValue" + "token" ], "title": "AttestationGenerateResponse", "type": "object" @@ -18438,4 +18438,4 @@ }, "title": "CodexAppServerProtocol", "type": "object" -} +} \ No newline at end of file diff --git a/codex-rs/app-server-protocol/schema/typescript/v2/AttestationGenerateResponse.ts b/codex-rs/app-server-protocol/schema/typescript/v2/AttestationGenerateResponse.ts index 7f11e8364f..6821c898ec 100644 --- a/codex-rs/app-server-protocol/schema/typescript/v2/AttestationGenerateResponse.ts +++ b/codex-rs/app-server-protocol/schema/typescript/v2/AttestationGenerateResponse.ts @@ -4,6 +4,6 @@ export type AttestationGenerateResponse = { /** - * Opaque client attestation payload to embed in the upstream header envelope. + * Opaque client attestation token. */ -headerValue: string, }; +token: string, }; diff --git a/codex-rs/app-server-protocol/src/protocol/v2/attestation.rs b/codex-rs/app-server-protocol/src/protocol/v2/attestation.rs index d2ad34b879..ef8828b580 100644 --- a/codex-rs/app-server-protocol/src/protocol/v2/attestation.rs +++ b/codex-rs/app-server-protocol/src/protocol/v2/attestation.rs @@ -12,6 +12,6 @@ pub struct AttestationGenerateParams {} #[serde(rename_all = "camelCase")] #[ts(export_to = "v2/")] pub struct AttestationGenerateResponse { - /// Opaque client attestation payload to embed in the upstream header envelope. - pub header_value: String, + /// Opaque client attestation token. + pub token: String, } diff --git a/codex-rs/app-server/README.md b/codex-rs/app-server/README.md index 6c48ac9b8a..6a3e6f4b3a 100644 --- a/codex-rs/app-server/README.md +++ b/codex-rs/app-server/README.md @@ -1324,7 +1324,7 @@ When the client responds to `item/tool/requestUserInput`, the server emits `serv ### Attestation generation -Desktop hosts that provide upstream attestation should set `capabilities.requestAttestation` during `initialize` and handle the server-initiated `attestation/generate` request. App-server issues it just in time before ChatGPT Codex requests that forward `x-oai-attestation`; the client responds with `{ "headerValue": "v1." }`, where `headerValue` is an opaque client-owned payload. When app-server receives a client response, it forwards a consistent outer envelope such as `{ "v": 1, "s": 0, "t": "v1." }`, where `t` contains the client payload unchanged. If app-server attempts attestation but fails within its own boundary, it sends the same envelope shape with an app-server status code and without `t` (`1 = timeout`, `2 = request failed`, `3 = request canceled`, `4 = malformed response`). If no initialized client opted into attestation, app-server omits `x-oai-attestation` for that upstream request. +Desktop hosts that provide upstream attestation should set `capabilities.requestAttestation` during `initialize` and handle the server-initiated `attestation/generate` request. App-server issues it just in time before ChatGPT Codex requests that forward `x-oai-attestation`; the client responds with `{ "token": "v1." }`, where `token` is an opaque client-owned value. When app-server receives a client response, it forwards a consistent outer envelope such as `{ "v": 1, "s": 0, "t": "v1." }`, where `t` contains the client token unchanged. If app-server attempts attestation but fails within its own boundary, it sends the same envelope shape with an app-server status code and without `t` (`1 = timeout`, `2 = request failed`, `3 = request canceled`, `4 = malformed response`). If no initialized client opted into attestation, app-server omits `x-oai-attestation` for that upstream request. ### MCP server elicitations diff --git a/codex-rs/app-server/src/attestation.rs b/codex-rs/app-server/src/attestation.rs index 75c57107c2..b1fbf6945a 100644 --- a/codex-rs/app-server/src/attestation.rs +++ b/codex-rs/app-server/src/attestation.rs @@ -116,7 +116,7 @@ async fn request_attestation_header_value_with_timeout( match serde_json::from_value::(result) { Ok(response) => app_server_attestation_header_value( AppServerAttestationStatus::Ok, - Some(&response.header_value), + Some(&response.token), ), Err(err) => { warn!("failed to deserialize attestation generation response: {err}"); diff --git a/codex-rs/app-server/tests/suite/v2/attestation.rs b/codex-rs/app-server/tests/suite/v2/attestation.rs index 101d7192a9..d0565e2571 100644 --- a/codex-rs/app-server/tests/suite/v2/attestation.rs +++ b/codex-rs/app-server/tests/suite/v2/attestation.rs @@ -137,7 +137,7 @@ async fn attestation_generate_round_trip_adds_header_to_responses_websocket_hand mcp.send_response( request_id, serde_json::to_value(AttestationGenerateResponse { - header_value: ATTESTATION_HEADER.to_string(), + token: ATTESTATION_HEADER.to_string(), })?, ) .await?;