[codex] request desktop attestation from app

codex-rs/analytics/src/analytics_client_tests.rs

@@ -636,6 +636,7 @@ fn sample_initialize_fact(connection_id: u64) -> AnalyticsFact {
             },
             capabilities: Some(InitializeCapabilities {
                 experimental_api: false,
+                request_attestation: false,
                 opt_out_notification_methods: None,
             }),
         },
@@ -1122,6 +1123,7 @@ async fn initialize_caches_client_and_thread_lifecycle_publishes_once_initialize
                     },
                     capabilities: Some(InitializeCapabilities {
                         experimental_api: false,
+                        request_attestation: false,
                         opt_out_notification_methods: None,
                     }),
                 },
@@ -1269,6 +1271,7 @@ async fn compaction_event_ingests_custom_fact() {
                     },
                     capabilities: Some(InitializeCapabilities {
                         experimental_api: false,
+                        request_attestation: false,
                         opt_out_notification_methods: None,
                     }),
                 },
@@ -1382,6 +1385,7 @@ async fn guardian_review_event_ingests_custom_fact_with_optional_target_item() {
                     },
                     capabilities: Some(InitializeCapabilities {
                         experimental_api: false,
+                        request_attestation: false,
                         opt_out_notification_methods: None,
                     }),
                 },

codex-rs/app-server-client/src/lib.rs

@@ -375,6 +375,7 @@ impl InProcessClientStartArgs {
     pub fn initialize_params(&self) -> InitializeParams {
         let capabilities = InitializeCapabilities {
             experimental_api: self.experimental_api,
+            request_attestation: false,
             opt_out_notification_methods: if self.opt_out_notification_methods.is_empty() {
                 None
             } else {

codex-rs/app-server-client/src/remote.rs

@@ -73,6 +73,7 @@ impl RemoteAppServerConnectArgs {
     fn initialize_params(&self) -> InitializeParams {
         let capabilities = InitializeCapabilities {
             experimental_api: self.experimental_api,
+            request_attestation: false,
             opt_out_notification_methods: if self.opt_out_notification_methods.is_empty() {
                 None
             } else {

codex-rs/app-server-protocol/src/protocol/common.rs

@@ -1305,6 +1305,12 @@ server_request_definitions! {
         response: v2::ChatgptAuthTokensRefreshResponse,
     },
 
+    /// Generate a fresh upstream attestation result on demand.
+    AttestationGenerate => "attestation/generate" {
+        params: v2::AttestationGenerateParams,
+        response: v2::AttestationGenerateResponse,
+    },
+
     /// DEPRECATED APIs below
     /// Request to approve a patch.
     /// This request is used for Turns started via the legacy APIs (i.e. SendUserTurn, SendUserMessage).
@@ -1891,6 +1897,7 @@ mod tests {
                 },
                 capabilities: Some(v1::InitializeCapabilities {
                     experimental_api: true,
+                    request_attestation: true,
                     opt_out_notification_methods: Some(vec![
                         "thread/started".to_string(),
                         "item/agentMessage/delta".to_string(),
@@ -1911,6 +1918,7 @@ mod tests {
                     },
                     "capabilities": {
                         "experimentalApi": true,
+                        "requestAttestation": true,
                         "optOutNotificationMethods": [
                             "thread/started",
                             "item/agentMessage/delta"
@@ -1936,6 +1944,7 @@ mod tests {
                 },
                 "capabilities": {
                     "experimentalApi": true,
+                    "requestAttestation": true,
                     "optOutNotificationMethods": [
                         "thread/started",
                         "item/agentMessage/delta"
@@ -1956,6 +1965,7 @@ mod tests {
                     },
                     capabilities: Some(v1::InitializeCapabilities {
                         experimental_api: true,
+                        request_attestation: true,
                         opt_out_notification_methods: Some(vec![
                             "thread/started".to_string(),
                             "item/agentMessage/delta".to_string(),
@@ -2072,6 +2082,28 @@ mod tests {
         Ok(())
     }
 
+    #[test]
+    fn serialize_attestation_generate_request() -> Result<()> {
+        let params = v2::AttestationGenerateParams {};
+        let request = ServerRequest::AttestationGenerate {
+            request_id: RequestId::Integer(9),
+            params: params.clone(),
+        };
+        assert_eq!(
+            json!({
+                "method": "attestation/generate",
+                "id": 9,
+                "params": {}
+            }),
+            serde_json::to_value(&request)?,
+        );
+
+        let payload = ServerRequestPayload::AttestationGenerate(params);
+        assert_eq!(request.id(), &RequestId::Integer(9));
+        assert_eq!(payload.request_with_id(RequestId::Integer(9)), request);
+        Ok(())
+    }
+
     #[test]
     fn serialize_server_response() -> Result<()> {
         let response = ServerResponse::CommandExecutionRequestApproval {

codex-rs/app-server-protocol/src/protocol/v1.rs

@@ -46,6 +46,9 @@ pub struct InitializeCapabilities {
     /// Opt into receiving experimental API methods and fields.
     #[serde(default)]
     pub experimental_api: bool,
+    /// Opt into `attestation/generate` requests for upstream `x-oai-attestation`.
+    #[serde(default)]
+    pub request_attestation: bool,
     /// Exact notification method names that should be suppressed for this
     /// connection (for example `thread/started`).
     #[ts(optional = nullable)]

codex-rs/app-server-protocol/src/protocol/v2/attestation.rs

@@ -0,0 +1,17 @@
+use schemars::JsonSchema;
+use serde::Deserialize;
+use serde::Serialize;
+use ts_rs::TS;
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS, Default)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct AttestationGenerateParams {}
+
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, JsonSchema, TS)]
+#[serde(rename_all = "camelCase")]
+#[ts(export_to = "v2/")]
+pub struct AttestationGenerateResponse {
+    /// Opaque client attestation token.
+    pub token: String,
+}

codex-rs/app-server-protocol/src/protocol/v2/mod.rs

@@ -2,6 +2,7 @@ mod shared;
 
 mod account;
 mod apps;
+mod attestation;
 mod collaboration_mode;
 mod command_exec;
 mod config;
@@ -26,6 +27,7 @@ mod windows_sandbox;
 
 pub use account::*;
 pub use apps::*;
+pub use attestation::*;
 pub use collaboration_mode::*;
 pub use command_exec::*;
 pub use config::*;