You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Harden the Codex app-server native execution bridge for OpenClaw sandboxed runs. The change keeps core sandbox policy in OpenClaw while exposing the process, filesystem, and HTTP relay behavior Codex needs inside a scoped exec server.
The large exec-server/test files were split into focused modules before landing, and the PR was rebased onto current main with focused tests, Testbox changed checks, CI, and Codex autoreview green.
Co-authored-by: joshavant <830519+joshavant@users.noreply.github.com>
- Matrix/config: accept `messages.queue.byChannel.matrix` queue overrides and keep queue provider schema/type keys aligned for Matrix, Google Chat, and Mattermost. Thanks @bdjben.
132
132
- CLI: format `openclaw acp client` failures through the shared error formatter so object-shaped errors stay readable instead of printing `[object Object]`. Fixes #83904. (#84080)
133
133
- Providers/Ollama: default unknown-capabilities models to tool-capable so discovered native Ollama models can use tools when `/api/show` omits capabilities. (#84055) Thanks @dutifulbob.
134
+
- Codex app-server: disable native Code Mode, user MCP, and app-backed plugin execution while OpenClaw sandboxing is active, routing shell access through `sandbox_exec`/`sandbox_process` instead. (#84388) Thanks @joshavant.
134
135
- Installer/Windows: launch `install.ps1` onboarding as an attached child process so fresh native Windows installs do not freeze visibly at `Starting setup...` or corrupt the wizard's terminal rendering.
135
136
- CLI/update: keep restart health checks working across one-version CLI/Gateway protocol skew and use the managed Gateway service Node for all follow-up commands even when the package root is unchanged, so `openclaw update` no longer silently switches the gateway to a different Node binary when multiple Node installations are present. Thanks @amknight.
136
137
- CLI/gateway: include the running Gateway version in `gateway status` JSON output, preserving existing server metadata while falling back to status RPC data for read probes. Fixes #56222. Thanks @galiniliev.
| Local model runtime |`agents.defaults.experimental.localModelLean`, `agents.list[].experimental.localModelLean`| A smaller or stricter local backend chokes on OpenClaw's full default tool surface |[Local Models](/gateway/local-models)|
27
-
| Memory search |`agents.defaults.memorySearch.experimental.sessionMemory`| You want `memory_search` to index prior session transcripts and accept the extra storage/indexing cost |[Memory configuration reference](/reference/memory-config#session-memory-search-experimental)|
28
-
| Structured planning tool |`tools.experimental.planTool`| You want the structured `update_plan` tool exposed for multi-step work tracking in compatible runtimes and UIs |[Gateway configuration reference](/gateway/config-tools#toolsexperimental)|
| Local model runtime |`agents.defaults.experimental.localModelLean`, `agents.list[].experimental.localModelLean`| A smaller or stricter local backend chokes on OpenClaw's full default tool surface |[Local Models](/gateway/local-models)|
27
+
| Memory search |`agents.defaults.memorySearch.experimental.sessionMemory`| You want `memory_search` to index prior session transcripts and accept the extra storage/indexing cost |[Memory configuration reference](/reference/memory-config#session-memory-search-experimental)|
28
+
| Codex harness |`plugins.entries.codex.config.appServer.experimental.sandboxExecServer`| You want native Codex app-server 0.132.0 or newer to target an OpenClaw sandbox-backed exec-server instead of disabling Code Mode |[Codex harness reference](/plugins/codex-harness-reference#sandboxed-native-execution)|
29
+
| Structured planning tool |`tools.experimental.planTool`| You want the structured `update_plan` tool exposed for multi-step work tracking in compatible runtimes and UIs |[Gateway configuration reference](/gateway/config-tools#toolsexperimental)|
Copy file name to clipboardExpand all lines: docs/gateway/sandboxing.md
+5-4Lines changed: 5 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -98,12 +98,13 @@ If you deploy the OpenClaw Gateway itself as a Docker container, it orchestrates
98
98
99
99
-**Config requires host paths**: The `openclaw.json``workspace` configuration MUST contain the **Host's absolute path** (e.g. `/home/user/.openclaw/workspaces`), not the internal Gateway container path. When OpenClaw asks the Docker daemon to spawn a sandbox, the daemon evaluates paths relative to the Host OS namespace, not the Gateway namespace.
100
100
-**FS bridge parity (identical volume map)**: The OpenClaw Gateway native process also writes heartbeat and bridge files to the `workspace` directory. Because the Gateway evaluates the exact same string (the host path) from within its own containerized environment, the Gateway deployment MUST include an identical volume map linking the host namespace natively (`-v /home/user/.openclaw:/home/user/.openclaw`).
101
-
-**Codex code mode**: When an OpenClaw sandbox is active, OpenClaw constrains Codex app-server turns to Codex `workspace-write` sandboxing even if the Codex plugin default is `danger-full-access`. The Codex turn network flag follows the OpenClaw sandbox egress setting, so Docker `network: "none"` stays offline and `network: "bridge"` or a custom Docker network allows outbound access. Do not mount the host Docker socket into agent sandbox containers or custom Codex sandboxes.
101
+
-**Codex code mode**: When an OpenClaw sandbox is active, OpenClaw disables Codex app-server native Code Mode, user MCP servers, and app-backed plugin execution for that turn because those native surfaces run from the Gateway-host app-server process instead of the OpenClaw sandbox backend. Shell access is exposed through OpenClaw sandbox-backed tools such as `sandbox_exec` and `sandbox_process` when the normal exec/process tools are available. Do not mount the host Docker socket into agent sandbox containers or custom Codex sandboxes.
102
102
103
103
On Ubuntu/AppArmor hosts, Codex `workspace-write` can fail before shell startup
104
-
when the service user is not allowed to create unprivileged user namespaces.
105
-
When Docker sandbox egress is disabled (`network: "none"`, the default),
106
-
Codex also needs an unprivileged network namespace. Common symptoms are
104
+
when you intentionally run native Codex `workspace-write` without active
105
+
OpenClaw sandboxing and the service user is not allowed to create unprivileged
106
+
user namespaces. When Docker sandbox egress is disabled (`network: "none"`, the
107
+
default), Codex also needs an unprivileged network namespace. Common symptoms are
107
108
`bwrap: setting up uid map: Permission denied` and
108
109
`bwrap: loopback: Failed RTM_NEWADDR: Operation not permitted`. Run
109
110
`openclaw doctor`; if it reports a Codex bwrap namespace probe failure, prefer
0 commit comments