Share trusted Codex Desktop installation discovery

[abhinav-oai]

Why

The CLI and app-bundled features need one answer for where Codex Desktop is installed and whether its resources are trusted. Centralizing that policy avoids separate platform lookup and validation paths drifting apart.

What changed

• add a shared codex-desktop-installation crate that locates and verifies Codex Desktop installations
• verify the macOS bundle identity or Windows MSIX package identity before exposing the app root and contained resources
• move codex app discovery and post-install verification onto the shared implementation

Stack

1. This PR — trusted Desktop installation discovery and validation
2. openai/codex#27953 — app-bundled internal hook loading and policy

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4633e26cff

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[abhinav-oai]

Previously Get-StartApps -Name 'Codex' only told us whether a Start-menu app with that name was registered. This now:

1. queries the OpenAI.Codex MSIX package identity
2. filters by the OpenAI PublisherId and reads InstallLocation
3. validates the packaged app/resources path

[abhinav-oai]

discover_desktop_installation shells out to platform services, so keep it behind spawn_blocking rather than tying up a Tokio worker while discovery waits.

[abhinav-oai]

Previously we accepted /Applications/Codex.app based on its path and name alone. This now:

1. asks LaunchServices for bundle ID com.openai.codex
2. verifies the .app shape and Contents/Resources
3. verifies the code-signing requirement