openclaw
diff --git a/‎extensions/codex/src/app-server/native-execution-policy.test.ts‎
Lines changed: 106 additions & 0 deletions b/‎extensions/codex/src/app-server/native-execution-policy.test.ts‎
Lines changed: 106 additions & 0 deletions
diff --git a/‎extensions/codex/src/app-server/native-execution-policy.ts‎
Lines changed: 132 additions & 47 deletions b/‎extensions/codex/src/app-server/native-execution-policy.ts‎
Lines changed: 132 additions & 47 deletions
diff --git a/‎extensions/codex/src/app-server/request.test.ts‎
Lines changed: 38 additions & 0 deletions b/‎extensions/codex/src/app-server/request.test.ts‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎extensions/codex/src/app-server/run-attempt.ts‎
Lines changed: 6 additions & 1 deletion b/‎extensions/codex/src/app-server/run-attempt.ts‎
Lines changed: 6 additions & 1 deletion
@@ -0,0 +1,106 @@
+import { describe, expect, it } from "vitest";
+import { resolveCodexNativeExecutionPolicy } from "./native-execution-policy.js";
+
+describe("resolveCodexNativeExecutionPolicy", () => {
+  it("allows Codex native execution for gateway exec hosts", () => {
+    expect(
+      resolveCodexNativeExecutionPolicy({
+        config: { tools: { exec: { host: "gateway" } } },
+        sessionKey: "session-1",
+      }),
+    ).toMatchObject({
+      nativeToolSurfaceAllowed: true,
+      requestedExecHost: "gateway",
+      effectiveExecHost: "gateway",
+    });
+  });
+
+  it("resolves auto to gateway when no sandbox is active", () => {
+    expect(
+      resolveCodexNativeExecutionPolicy({
+        config: { tools: { exec: { host: "auto" } } },
+        sessionKey: "session-1",
+        sandboxAvailable: false,
+      }),
+    ).toMatchObject({
+      nativeToolSurfaceAllowed: true,
+      requestedExecHost: "auto",
+      effectiveExecHost: "gateway",
+    });
+  });
+
+  it("resolves auto to sandbox when a sandbox is active", () => {
+    expect(
+      resolveCodexNativeExecutionPolicy({
+        config: { tools: { exec: { host: "auto" } } },
+        sessionKey: "session-1",
+        sandboxAvailable: true,
+      }),
+    ).toMatchObject({
+      nativeToolSurfaceAllowed: true,
+      requestedExecHost: "auto",
+      effectiveExecHost: "sandbox",
+    });
+  });
+
+  it("disables Codex native execution when exec host resolves to node", () => {
+    expect(
+      resolveCodexNativeExecutionPolicy({
+        config: { tools: { exec: { host: "node", node: "worker-1" } } },
+        sessionKey: "session-1",
+      }),
+    ).toMatchObject({
+      nativeToolSurfaceAllowed: false,
+      requestedExecHost: "node",
+      effectiveExecHost: "node",
+      node: "worker-1",
+    });
+  });
+
+  it("honors per-attempt node exec overrides before config defaults", () => {
+    expect(
+      resolveCodexNativeExecutionPolicy({
+        config: { tools: { exec: { host: "gateway" } } },
+        sessionKey: "session-1",
+        execOverrides: { host: "node", node: "worker-2" },
+      }),
+    ).toMatchObject({
+      nativeToolSurfaceAllowed: false,
+      requestedExecHost: "node",
+      effectiveExecHost: "node",
+      node: "worker-2",
+    });
+  });
+
+  it("honors persisted session node exec hosts before config defaults", () => {
+    expect(
+      resolveCodexNativeExecutionPolicy({
+        config: { tools: { exec: { host: "gateway" } } },
+        sessionKey: "session-1",
+        sessionEntry: { execHost: "node", execNode: "worker-3" } as never,
+      }),
+    ).toMatchObject({
+      nativeToolSurfaceAllowed: false,
+      requestedExecHost: "node",
+      effectiveExecHost: "node",
+      node: "worker-3",
+    });
+  });
+
+  it("honors agent exec config before global exec config", () => {
+    expect(
+      resolveCodexNativeExecutionPolicy({
+        config: {
+          tools: { exec: { host: "gateway" } },
+          agents: { list: [{ id: "main", tools: { exec: { host: "node", node: "worker-4" } } }] },
+        },
+        sessionKey: "agent:main:session-1",
+      }),
+    ).toMatchObject({
+      nativeToolSurfaceAllowed: false,
+      requestedExecHost: "node",
+      effectiveExecHost: "node",
+      node: "worker-4",
+    });
+  });
+});
@@ -1,14 +1,22 @@
-import type { EmbeddedRunAttemptParams } from "openclaw/plugin-sdk/agent-harness-runtime";
-import { resolveRuntimeExecDefaults } from "openclaw/plugin-sdk/agent-runtime";
 import type { OpenClawConfig } from "openclaw/plugin-sdk/config-contracts";
 import { resolveSandboxRuntimeStatus } from "openclaw/plugin-sdk/sandbox";
+import { getSessionEntry, type SessionEntry } from "openclaw/plugin-sdk/session-store-runtime";
 
 type ExecHost = "sandbox" | "gateway" | "node";
 type ExecTarget = "auto" | ExecHost;
-type ExecHostOverride = Pick<
-  NonNullable<EmbeddedRunAttemptParams["execOverrides"]>,
-  "host" | "node"
->;
+
+type ExecHostOverride = {
+  host?: string;
+  node?: string;
+};
+
+type AgentEntry = NonNullable<NonNullable<OpenClawConfig["agents"]>["list"]>[number];
+
+const DEFAULT_AGENT_ID = "main";
+const VALID_AGENT_ID_PATTERN = /^[a-z0-9][a-z0-9_-]{0,63}$/i;
+const INVALID_AGENT_ID_CHARS_PATTERN = /[^a-z0-9_-]+/g;
+const LEADING_DASH_PATTERN = /^-+/;
+const TRAILING_DASH_PATTERN = /-+$/;
 
 export type CodexNativeExecutionPolicy = {
   nativeToolSurfaceAllowed: boolean;
@@ -20,34 +28,44 @@ export type CodexNativeExecutionPolicy = {
 
 export function resolveCodexNativeExecutionPolicy(params: {
   config?: OpenClawConfig;
+  sessionEntry?: SessionEntry;
   sessionKey?: string;
   sessionId?: string;
   agentId?: string;
   execOverrides?: ExecHostOverride;
   sandboxAvailable?: boolean;
   readRuntimeSessionEntry?: boolean;
 }): CodexNativeExecutionPolicy {
-  const sessionKey = params.sessionKey?.trim() || params.sessionId?.trim();
-  const sandboxAvailable = resolveSandboxAvailable({
-    config: params.config,
-    sessionKey,
-    sandboxAvailable: params.sandboxAvailable,
-  });
-  const defaults = resolveRuntimeExecDefaults({
-    cfg: params.config,
-    agentId: params.agentId,
-    sessionKey,
-    sandboxAvailable,
-    readRuntimeSessionEntry: params.readRuntimeSessionEntry,
-  });
-  const requestedExecHost = params.execOverrides?.host ?? defaults.host;
-  const effectiveExecHost = resolveEffectiveHost({
+  const config = params.config ?? {};
+  const sessionKey = params.sessionKey?.trim() || params.sessionId?.trim() || undefined;
+  const sessionEntry =
+    params.sessionEntry ??
+    (params.readRuntimeSessionEntry && sessionKey
+      ? readRuntimeSessionEntryBestEffort(sessionKey)
+      : undefined);
+  const sandboxAvailable =
+    params.sandboxAvailable ??
+    (sessionKey
+      ? resolveSandboxRuntimeStatus({
+          cfg: config,
+          sessionKey,
+        }).sandboxed
+      : false);
+  const agentId = resolvePolicyAgentId({ config, sessionKey, agentId: params.agentId });
+  const agentExec = resolvePolicyAgentExec({ config, agentId });
+  const globalExec = config.tools?.exec;
+  const requestedExecHost =
+    normalizeExecTarget(params.execOverrides?.host) ??
+    normalizeExecTarget(sessionEntry?.execHost) ??
+    normalizeExecTarget(agentExec?.host) ??
+    normalizeExecTarget(globalExec?.host) ??
+    "auto";
+  const effectiveExecHost = resolveEffectiveExecHost({
     requestedExecHost,
-    defaultExecHost: defaults.host,
-    defaultEffectiveHost: defaults.effectiveHost,
     sandboxAvailable,
   });
-  const node = params.execOverrides?.node ?? defaults.node;
+  const node =
+    params.execOverrides?.node ?? sessionEntry?.execNode ?? agentExec?.node ?? globalExec?.node;
   if (effectiveExecHost !== "node") {
     return {
       nativeToolSurfaceAllowed: true,
@@ -78,34 +96,101 @@ export function formatCodexNativeNodeExecBlock(params: {
   ].join(" ");
 }
 
-function resolveEffectiveHost(params: {
+function resolvePolicyAgentId(params: {
+  config: OpenClawConfig;
+  sessionKey?: string;
+  agentId?: string;
+}): string {
+  const explicitAgentId = normalizeAgentIdOrDefault(params.agentId);
+  if (explicitAgentId) {
+    return explicitAgentId;
+  }
+  const sessionAgentId = parseAgentIdFromSessionKey(params.sessionKey);
+  if (sessionAgentId) {
+    return sessionAgentId;
+  }
+  const agents = listAgentEntries(params.config);
+  const defaultEntry = agents.find((entry) => entry?.default) ?? agents[0];
+  return normalizeAgentId(defaultEntry?.id);
+}
+
+function resolvePolicyAgentExec(params: {
+  config: OpenClawConfig;
+  agentId: string;
+}): ExecHostOverride | undefined {
+  return listAgentEntries(params.config).find(
+    (entry) => normalizeAgentId(entry?.id) === params.agentId,
+  )?.tools?.exec;
+}
+
+function listAgentEntries(config: OpenClawConfig): AgentEntry[] {
+  return (config.agents?.list ?? []).filter(
+    (entry): entry is AgentEntry => entry !== null && typeof entry === "object",
+  );
+}
+
+function parseAgentIdFromSessionKey(sessionKey?: string): string | undefined {
+  const raw = sessionKey?.trim();
+  if (!raw) {
+    return undefined;
+  }
+  const parts = raw.toLowerCase().split(":").filter(Boolean);
+  if (parts.length < 3 || parts[0] !== "agent" || !parts[2]) {
+    return undefined;
+  }
+  return normalizeAgentIdOrDefault(parts[1]);
+}
+
+function normalizeAgentIdOrDefault(value?: string | null): string | undefined {
+  const normalized = normalizeAgentId(value);
+  return normalized === DEFAULT_AGENT_ID && !(value ?? "").trim() ? undefined : normalized;
+}
+
+function normalizeAgentId(value?: string | null): string {
+  const trimmed = (value ?? "").trim();
+  if (!trimmed) {
+    return DEFAULT_AGENT_ID;
+  }
+  const normalized = trimmed.toLowerCase();
+  if (VALID_AGENT_ID_PATTERN.test(trimmed)) {
+    return normalized;
+  }
+  return (
+    normalized
+      .replace(INVALID_AGENT_ID_CHARS_PATTERN, "-")
+      .replace(LEADING_DASH_PATTERN, "")
+      .replace(TRAILING_DASH_PATTERN, "")
+      .slice(0, 64) || DEFAULT_AGENT_ID
+  );
+}
+
+function normalizeExecTarget(value?: string | null): ExecTarget | undefined {
+  const normalized = value?.trim().toLowerCase();
+  if (
+    normalized === "auto" ||
+    normalized === "sandbox" ||
+    normalized === "gateway" ||
+    normalized === "node"
+  ) {
+    return normalized;
+  }
+  return undefined;
+}
+
+function resolveEffectiveExecHost(params: {
   requestedExecHost: ExecTarget;
-  defaultExecHost: ExecTarget;
-  defaultEffectiveHost: ExecHost;
   sandboxAvailable: boolean;
 }): ExecHost {
-  if (params.requestedExecHost !== "auto") {
-    return params.requestedExecHost;
-  }
-  if (params.defaultExecHost === "auto") {
-    return params.defaultEffectiveHost;
+  if (params.requestedExecHost === "auto") {
+    return params.sandboxAvailable ? "sandbox" : "gateway";
   }
-  return params.sandboxAvailable ? "sandbox" : "gateway";
+  return params.requestedExecHost;
 }
 
-function resolveSandboxAvailable(params: {
-  config?: OpenClawConfig;
-  sessionKey?: string;
-  sandboxAvailable?: boolean;
-}): boolean {
-  if (params.sandboxAvailable !== undefined) {
-    return params.sandboxAvailable;
-  }
-  if (!params.sessionKey) {
-    return false;
+function readRuntimeSessionEntryBestEffort(sessionKey: string): SessionEntry | undefined {
+  try {
+    return getSessionEntry({ sessionKey });
+  } catch {
+    return undefined;
   }
-  return resolveSandboxRuntimeStatus({
-    cfg: params.config,
-    sessionKey: params.sessionKey,
-  }).sandboxed;
 }
@@ -30,6 +30,21 @@ describe("requestCodexAppServerJson sandbox guard", () => {
     expect(sharedClientMocks.getSharedCodexAppServerClient).not.toHaveBeenCalled();
   });
 
+  it("fails closed before raw app-server bypass methods when exec host=node is active", async () => {
+    await expect(
+      requestCodexAppServerJson({
+        method: "command/exec",
+        requestParams: { command: ["sh", "-lc", "id"] },
+        config: { tools: { exec: { host: "node", node: "worker-1" } } },
+        sessionKey: "node-session",
+      }),
+    ).rejects.toThrow(
+      "Codex-native app-server method `command/exec` is unavailable because OpenClaw exec host=node is active for this session.",
+    );
+
+    expect(sharedClientMocks.getSharedCodexAppServerClient).not.toHaveBeenCalled();
+  });
+
   it("allows metadata methods in sandboxed sessions", async () => {
     const request = vi.fn(async () => ({ ok: true }));
     sharedClientMocks.getSharedCodexAppServerClient.mockResolvedValue({ request });
@@ -124,4 +139,27 @@ describe("requestCodexAppServerJson sandbox guard", () => {
 
     expect(request).toHaveBeenCalledWith("thread/start", params, { timeoutMs: 60_000 });
   });
+
+  it("blocks thread starts with sandbox environments when exec host=node is active", async () => {
+    const params = {
+      cwd: "/workspace",
+      environments: [{ environmentId: "openclaw-sandbox-abc123", cwd: "/workspace" }],
+    };
+
+    await expect(
+      requestCodexAppServerJson({
+        method: "thread/start",
+        requestParams: params,
+        config: {
+          agents: { defaults: { sandbox: { mode: "all" } } },
+          tools: { exec: { host: "node", node: "worker-1" } },
+        },
+        sessionKey: "node-session",
+      }),
+    ).rejects.toThrow(
+      "Codex-native app-server method `thread/start` is unavailable because OpenClaw exec host=node is active for this session.",
+    );
+
+    expect(sharedClientMocks.getSharedCodexAppServerClient).not.toHaveBeenCalled();
+  });
 });
@@ -948,12 +948,17 @@ export async function runCodexAppServerAttempt(
     : resolveCodexAppServerEnvApiKeyCacheKey({
         startOptions: appServer.start,
       });
+  const nodeExecBlocksNativeExecution = isCodexNativeExecutionBlockedByNodeExecHost(params, {
+    agentId: sessionAgentId,
+    runtimeSessionKey: sandboxSessionKey,
+    sandbox,
+  });
   const bundleMcpThreadConfig = await loadCodexBundleMcpThreadConfig({
     workspaceDir: effectiveWorkspace,
     cfg: params.config,
     toolsEnabled: supportsModelTools(params.model),
     disableTools: params.disableTools,
-    toolsAllow: params.toolsAllow,
+    toolsAllow: nodeExecBlocksNativeExecution ? [] : params.toolsAllow,
   });
   const sandboxExecServerEnabled = isCodexSandboxExecServerEnabled(pluginConfig);
   const nativeToolSurfaceEnabled = shouldEnableCodexAppServerNativeToolSurface(params, sandbox, {