openclaw
diff --git a/‎extensions/codex/harness.ts‎
Lines changed: 6 additions & 3 deletions b/‎extensions/codex/harness.ts‎
Lines changed: 6 additions & 3 deletions
diff --git a/‎extensions/codex/index.test.ts‎
Lines changed: 58 additions & 0 deletions b/‎extensions/codex/index.test.ts‎
Lines changed: 58 additions & 0 deletions
diff --git a/‎extensions/codex/index.ts‎
Lines changed: 3 additions & 1 deletion b/‎extensions/codex/index.ts‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎extensions/codex/src/app-server/app-inventory-cache.test.ts‎
Lines changed: 38 additions & 3 deletions b/‎extensions/codex/src/app-server/app-inventory-cache.test.ts‎
Lines changed: 38 additions & 3 deletions
diff --git a/‎extensions/codex/src/app-server/app-inventory-cache.ts‎
Lines changed: 102 additions & 3 deletions b/‎extensions/codex/src/app-server/app-inventory-cache.ts‎
Lines changed: 102 additions & 3 deletions
@@ -14,6 +14,7 @@ export function createCodexAppServerAgentHarness(options?: {
   label?: string;
   providerIds?: Iterable<string>;
   pluginConfig?: unknown;
+  resolvePluginConfig?: () => unknown;
 }): AgentHarness {
   const providerIds = new Set(
     [...(options?.providerIds ?? DEFAULT_CODEX_HARNESS_PROVIDER_IDS)].map((id) =>
@@ -39,20 +40,22 @@ export function createCodexAppServerAgentHarness(options?: {
     runAttempt: async (params) => {
       const { runCodexAppServerAttempt } = await import("./src/app-server/run-attempt.js");
       return runCodexAppServerAttempt(params, {
-        pluginConfig: options?.pluginConfig,
+        pluginConfig: options?.resolvePluginConfig?.() ?? options?.pluginConfig,
         nativeHookRelay: { enabled: true },
       });
     },
     runSideQuestion: async (params) => {
       const { runCodexAppServerSideQuestion } = await import("./src/app-server/side-question.js");
       return runCodexAppServerSideQuestion(params, {
-        pluginConfig: options?.pluginConfig,
+        pluginConfig: options?.resolvePluginConfig?.() ?? options?.pluginConfig,
         nativeHookRelay: { enabled: true },
       });
     },
     compact: async (params) => {
       const { maybeCompactCodexAppServerSession } = await import("./src/app-server/compact.js");
-      return maybeCompactCodexAppServerSession(params, { pluginConfig: options?.pluginConfig });
+      return maybeCompactCodexAppServerSession(params, {
+        pluginConfig: options?.resolvePluginConfig?.() ?? options?.pluginConfig,
+      });
     },
     reset: async (params) => {
       if (params.sessionFile) {
 
@@ -150,6 +150,64 @@ describe("codex plugin", () => {
     );
   });
 
+  it("passes live Codex plugin config into public Codex app-server attempts", async () => {
+    const registerAgentHarness = vi.fn();
+    const liveConfig = {
+      plugins: {
+        entries: {
+          codex: {
+            config: {
+              codexPlugins: {
+                enabled: true,
+                plugins: {
+                  "google-calendar": {
+                    marketplaceName: "openai-curated",
+                    pluginName: "google-calendar",
+                  },
+                },
+              },
+            },
+          },
+        },
+      },
+    };
+    plugin.register(
+      createTestPluginApi({
+        id: "codex",
+        name: "Codex",
+        source: "test",
+        config: {},
+        pluginConfig: { codexPlugins: { enabled: false } },
+        runtime: {
+          config: {
+            current: () => liveConfig,
+          },
+        } as never,
+        registerAgentHarness,
+        registerCommand: vi.fn(),
+        registerMediaUnderstandingProvider: vi.fn(),
+        registerMigrationProvider: vi.fn(),
+        registerProvider: vi.fn(),
+        on: vi.fn(),
+      }),
+    );
+    const harness = mockCallArg(registerAgentHarness) as ReturnType<
+      typeof createCodexAppServerAgentHarness
+    >;
+    const result = { success: true };
+    runCodexAppServerAttemptMock.mockResolvedValueOnce(result);
+
+    await expect(harness.runAttempt({ prompt: "calendar" } as never)).resolves.toBe(result);
+
+    expect(runCodexAppServerAttemptMock).toHaveBeenCalledWith(
+      { prompt: "calendar" },
+      {
+        pluginConfig: liveConfig.plugins.entries.codex.config,
+        nativeHookRelay: { enabled: true },
+      },
+    );
+  });
+
   it("enables the native hook relay for public Codex side questions", async () => {
     const harness = createCodexAppServerAgentHarness({ pluginConfig: { appServer: {} } });
     const runSideQuestion = harness.runSideQuestion;
 
@@ -31,7 +31,9 @@ export default definePluginEntry({
         "codex",
         api.pluginConfig as Record<string, unknown>,
       ) ?? api.pluginConfig;
-    api.registerAgentHarness(createCodexAppServerAgentHarness({ pluginConfig: api.pluginConfig }));
+    api.registerAgentHarness(
+      createCodexAppServerAgentHarness({ resolvePluginConfig: resolveCurrentPluginConfig }),
+    );
     api.registerProvider(buildCodexProvider({ pluginConfig: api.pluginConfig }));
     api.registerMediaUnderstandingProvider(
       buildCodexMediaUnderstandingProvider({ pluginConfig: api.pluginConfig }),
 
@@ -1,5 +1,9 @@
 import { describe, expect, it, vi } from "vitest";
-import { CodexAppInventoryCache, buildCodexAppInventoryCacheKey } from "./app-inventory-cache.js";
+import {
+  CodexAppInventoryCache,
+  buildCodexAppInventoryCacheKey,
+  serializeCodexAppInventoryError,
+} from "./app-inventory-cache.js";
 import type { v2 } from "./protocol.js";
 
 describe("Codex app inventory cache", () => {
@@ -27,7 +31,27 @@ describe("Codex app inventory cache", () => {
     expect(fresh.snapshot?.apps.map((item) => item.id)).toEqual(["app-1", "app-2"]);
   });
 
-  it("uses stale inventory for the current read while refreshing asynchronously", async () => {
+  it("can read missing inventory without scheduling app/list", async () => {
+    const cache = new CodexAppInventoryCache({ ttlMs: 100 });
+    const request = vi.fn(async () => {
+      return {
+        data: [app("app-1")],
+        nextCursor: null,
+      } satisfies v2.AppsListResponse;
+    });
+
+    const read = cache.read({
+      key: "runtime",
+      request,
+      suppressRefresh: true,
+    });
+
+    expect(read.state).toBe("missing");
+    expect(read.refreshScheduled).toBe(false);
+    expect(request).not.toHaveBeenCalled();
+  });
+
+  it("uses stale inventory for the current read while still refreshing asynchronously", async () => {
     const cache = new CodexAppInventoryCache({ ttlMs: 10 });
     const request = vi.fn(async () => {
       return {
@@ -38,7 +62,7 @@ describe("Codex app inventory cache", () => {
     const key = "runtime";
     await cache.refreshNow({ key, request, nowMs: 0 });
 
-    const stale = cache.read({ key, request, nowMs: 11 });
+    const stale = cache.read({ key, request, nowMs: 11, suppressRefresh: true });
     expect(stale.state).toBe("stale");
     expect(stale.snapshot?.apps.map((item) => item.id)).toEqual(["app-1"]);
     expect(stale.refreshScheduled).toBe(true);
@@ -75,6 +99,17 @@ describe("Codex app inventory cache", () => {
     expect(read.diagnostic?.message).toBe("app list failed");
   });
 
+  it("omits challenge HTML when serializing app/list errors", () => {
+    const error = new Error(
+      'failed to list apps: Request failed with status 403 Forbidden: <html><script src="/backend-api/connectors/directory/list?__cf_chl_tk=secret-token"></script></html>',
+    );
+    const serialized = serializeCodexAppInventoryError(error);
+
+    expect(serialized.message).toBe(
+      "failed to list apps: Request failed with status 403 Forbidden: [HTML response body omitted]",
+    );
+  });
+
   it("forces a post-install refresh past an older in-flight app/list", async () => {
     const cache = new CodexAppInventoryCache({ ttlMs: 1_000 });
     const key = "runtime";
 
@@ -1,6 +1,8 @@
-import type { v2 } from "./protocol.js";
+import { embeddedAgentLog } from "openclaw/plugin-sdk/agent-harness-runtime";
+import type { JsonValue, v2 } from "./protocol.js";
 
 export const CODEX_APP_INVENTORY_CACHE_TTL_MS = 60 * 60 * 1_000;
+const MAX_SERIALIZED_ERROR_MESSAGE_LENGTH = 500;
 
 export type CodexAppInventoryRequest = (
   method: "app/list",
@@ -50,12 +52,15 @@ type RefreshParams = {
   request: CodexAppInventoryRequest;
   nowMs?: number;
   forceRefetch?: boolean;
+  suppressRefresh?: boolean;
 };
 
 export class CodexAppInventoryCache {
   private readonly ttlMs: number;
   private readonly entries = new Map<string, CacheEntry>();
   private readonly inFlight = new Map<string, Promise<CodexAppInventorySnapshot>>();
+  // Per-key refresh generation. Each refresh attempt claims the next token so
+  // an older request that finishes late cannot overwrite a newer snapshot.
   private readonly refreshTokens = new Map<string, number>();
   private readonly diagnostics = new Map<string, CodexAppInventoryCacheDiagnostic>();
   private revision = 0;
@@ -68,7 +73,7 @@ export class CodexAppInventoryCache {
     const nowMs = params.nowMs ?? Date.now();
     const entry = this.entries.get(params.key);
     if (!entry) {
-      const refreshScheduled = this.scheduleRefresh(params);
+      const refreshScheduled = params.suppressRefresh ? false : this.scheduleRefresh(params);
       return {
         state: "missing",
         key: params.key,
@@ -168,26 +173,49 @@ export class CodexAppInventoryCache {
         expiresAtMs: nowMs + this.ttlMs,
         revision: this.revision,
       };
+      // Only publish this snapshot if no newer refresh started for the same key
+      // while this request was in flight.
       if (this.refreshTokens.get(params.key) === refreshToken) {
         this.entries.set(params.key, { ...snapshot, invalidated: false });
         this.diagnostics.delete(params.key);
       }
       return snapshot;
     } catch (error) {
       const diagnostic = {
-        message: error instanceof Error ? error.message : String(error),
+        message: sanitizeErrorMessage(error instanceof Error ? error.message : String(error)),
         atMs: nowMs,
       };
       this.diagnostics.set(params.key, diagnostic);
       const entry = this.entries.get(params.key);
       if (entry) {
         entry.lastError = diagnostic;
       }
+      embeddedAgentLog.warn("codex app inventory refresh failed", {
+        forceRefetch: params.forceRefetch === true,
+        keyFingerprint: fingerprintInventoryCacheKey(params.key),
+        error: serializeCodexAppInventoryError(error),
+      });
       throw error;
     }
   }
 }
 
+export function serializeCodexAppInventoryError(error: unknown): Record<string, unknown> {
+  const record = isRecord(error) ? error : undefined;
+  const data = record && "data" in record ? redactErrorData(record.data) : undefined;
+  return {
+    name:
+      error instanceof Error
+        ? error.name
+        : typeof record?.name === "string"
+          ? record.name
+          : undefined,
+    message: sanitizeErrorMessage(error instanceof Error ? error.message : String(error)),
+    ...(typeof record?.code === "number" ? { code: record.code } : {}),
+    ...(data !== undefined ? { data } : {}),
+  };
+}
+
 export const defaultCodexAppInventoryCache = new CodexAppInventoryCache();
 
 export function buildCodexAppInventoryCacheKey(input: CodexAppInventoryCacheKeyInput): string {
@@ -223,3 +251,74 @@ function stripEntryState(entry: CacheEntry): CodexAppInventorySnapshot {
   const { invalidated: _invalidated, ...snapshot } = entry;
   return snapshot;
 }
+
+function fingerprintInventoryCacheKey(key: string): string {
+  let hash = 0;
+  for (let index = 0; index < key.length; index += 1) {
+    hash = (hash * 31 + key.charCodeAt(index)) >>> 0;
+  }
+  return hash.toString(16).padStart(8, "0");
+}
+
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return Boolean(value && typeof value === "object" && !Array.isArray(value));
+}
+
+function redactErrorData(value: unknown, depth = 0): JsonValue | undefined {
+  if (value === undefined) {
+    return undefined;
+  }
+  if (value === null || typeof value === "boolean" || typeof value === "number") {
+    return value;
+  }
+  if (depth > 6) {
+    return "[truncated]";
+  }
+  if (Array.isArray(value)) {
+    return value.map((entry) => redactErrorData(entry, depth + 1) ?? null);
+  }
+  if (isRecord(value)) {
+    const redacted: Record<string, JsonValue> = {};
+    for (const [key, entry] of Object.entries(value)) {
+      redacted[key] = isSensitiveErrorDataKey(key)
+        ? "<redacted>"
+        : (redactErrorData(entry, depth + 1) ?? null);
+    }
+    return redacted;
+  }
+  if (typeof value === "string" && value.length > 500) {
+    return `${value.slice(0, 500)}...`;
+  }
+  if (typeof value === "string") {
+    return value;
+  }
+  if (typeof value === "bigint") {
+    return value.toString();
+  }
+  if (typeof value === "symbol") {
+    return value.description ? `Symbol(${value.description})` : "Symbol()";
+  }
+  if (typeof value === "function") {
+    return value.name ? `[function ${value.name}]` : "[function]";
+  }
+  return "[unserializable]";
+}
+
+function sanitizeErrorMessage(message: string): string {
+  const htmlStart = message.search(/<html[\s>]/i);
+  const withoutHtml =
+    htmlStart >= 0
+      ? `${message.slice(0, htmlStart).trimEnd()} [HTML response body omitted]`
+      : message;
+  const redacted = withoutHtml.replace(
+    /([?&][^=\s"'<>]*(?:api[_-]?key|authorization|cookie|credential|password|secret|token|tk)[^=\s"'<>]*=)[^&\s"'<>]+/gi,
+    "$1<redacted>",
+  );
+  return redacted.length > MAX_SERIALIZED_ERROR_MESSAGE_LENGTH
+    ? `${redacted.slice(0, MAX_SERIALIZED_ERROR_MESSAGE_LENGTH)}...`
+    : redacted;
+}
+
+function isSensitiveErrorDataKey(key: string): boolean {
+  return /api[_-]?key|authorization|cookie|credential|password|secret|token/i.test(key);
+}