[Bug]: OpenClaw treats codex exec sandbox-denied runs as success because codex exits 0

[sebastianlang84]

Bug type

Behavior bug (incorrect output/state without crash)

Summary

OpenClaw can treat failed codex exec --json runs as successful because Codex may emit sandbox/write-denied failure information in JSONL agent output while still exiting with status code 0.

Steps to reproduce

1. Use OpenClaw 2026.3.2 with the built-in codex-cli backend.
2. Trigger a Codex-backed subagent write task in an effective read-only Codex sandbox, or reproduce directly with Codex:

   codex exec "Write a new file named TEST_RO.md with the content 'hello'." --json --color never --sandbox read-only --skip-git-repo-check

3. Observe that no file is created.
4. Observe that Codex emits JSONL events describing the write failure as agent output.
5. Observe that the Codex process still exits with EXIT_CODE=0.
6. In OpenClaw, the run can then be interpreted as completed/successful even though the requested mutation never happened.

Expected behavior

OpenClaw should inspect Codex JSONL output for failed action/tool signals and propagate the run as failed when the underlying file mutation or command execution was denied or rejected.

Actual behavior

A Codex run can fail semantically while still looking successful to OpenClaw because:

• the process exit code is 0
• the failure is surfaced only in JSONL event content
• no file is actually created or modified

This can cause subagent orchestration to record a run as completed even though the requested write never happened.

OpenClaw version

2026.3.2 (52a583035f)

Operating system

Debian GNU/Linux 13 (trixie)

Install method

Local source checkout / dev run

Logs, screenshots, and evidence

Direct Codex repro:

codex exec "Write a new file named TEST_RO.md with the content 'hello'." --json --color never --sandbox read-only --skip-git-repo-check

Observed:
- No file created
- Codex JSONL includes an agent message explaining the write was blocked by a read-only filesystem / write approval policy
- Process exit code is still 0

Control repro:
- Same command with --sandbox workspace-write creates the file successfully

Impact and severity

Affected: Users relying on Codex-backed subagents or Codex fallback runs for coding/file tasks
Severity: High, because failed work can be misreported as successful
Frequency: Reproducible whenever Codex surfaces the failure only through JSONL content while exiting 0
Consequence: Silent false positives in subagent execution, misleading summaries, and harder debugging of failed automation

Additional information

A robust fix is to parse Codex JSONL for failed command_execution / shell_command / file_change items and known sandbox-denied agent messages instead of relying only on process exit status.

[rnrnstar2]

Priority: P1 - 実行状態管理の欠陥。サンドボックス拒否を成功と誤認し、セキュリティリスクとデバッグ困難性を引き起こす。

[rnrnstar2]

🔥 P1 Priority - OpenClaw treats codex exec sandbox-denied runs as success because codex exits 0. This causes silent failures in subagent workflows. Requires exit code handling fix.

[mvanhorn]

Submitted a fix in #39460.

The approach: scan structured JSONL fields (error items, tool-call outputs, status fields) for sandbox-denied signals after Codex exits 0. When detected, the CLI runner throws a FailoverError with reason "sandbox_denied" instead of passing the agent's failure reasoning as successful output.

Key design choice: detection only checks structured fields (item.type === "error", tool/command items, top-level error), not regular message text. This prevents false positives when an agent merely discusses sandboxing without actually being denied.

Also added "sandbox_denied" as a new FailoverReason (mapped to 403) and excluded it from auth profile failure tracking since it's a local config issue.

11 regression tests covering detection and false-positive prevention.

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open: current main still does not classify exit-0 Codex JSONL sandbox denials as failures; the focused fix was closed unmerged, and the output-last-message PR is complementary rather than a failure-classification fix.

Reproducibility: yes. source-reproducible. The reported codex exec --json --sandbox read-only path maps to current code where exit-0 JSONL output bypasses failover handling and can be recorded as a completed success; I did not run a live Codex command in this read-only pass.

Next step
Queue a focused repair because the affected parser/runner/failover paths, prior unmerged implementation, and validation surface are clear with no product or config decision required.

Review details

Best possible solution:

Add structured Codex JSONL sandbox-denial classification before success result construction, with regression coverage and no change to sandbox defaults or artifact-finalization scope.

Do we have a high-confidence way to reproduce the issue?

Yes, source-reproducible. The reported codex exec --json --sandbox read-only path maps to current code where exit-0 JSONL output bypasses failover handling and can be recorded as a completed success; I did not run a live Codex command in this read-only pass.

Is this the best way to solve the issue?

Yes. A structured-field detector like the approach in #39460 is the narrowest maintainable fix; artifact finalization in #66081 does not classify semantic failures.

Acceptance criteria:

• pnpm test src/agents/cli-output.test.ts src/agents/cli-runner.spawn.test.ts src/agents/cli-runner.reliability.test.ts src/agents/failover-error.test.ts src/agents/pi-embedded-runner/run/auth-profile-failure-policy.test.ts
• pnpm exec oxfmt --check --threads=1 src/agents/cli-output.ts src/agents/cli-runner/execute.ts src/agents/cli-runner.ts src/agents/failover-error.ts src/agents/pi-embedded-helpers/types.ts src/agents/auth-profiles/types.ts src/agents/pi-embedded-runner/run/auth-profile-failure-policy.ts
• pnpm check:changed

What I checked:

• Exit-0 CLI runs bypass failover handling: executePreparedCliRun enters failover handling only for nonzero exit codes or non-exit reasons; exit-0 output proceeds to JSONL parsing and normal return construction. (src/agents/cli-runner/execute.ts:619, 0e19167a6b98)
• JSONL parser has no semantic failure channel: CliOutput only carries text/session/usage/final-prompt fields, and parseCliJsonl collects message-like item.text without returning structured sandbox-denied metadata. (src/agents/cli-output.ts:14, 0e19167a6b98)
• Parsed CLI output is recorded as success: Once CLI output returns, buildCliRunResult records the attempt as result: "success" with stopReason: "completed". (src/agents/cli-runner.ts:323, 0e19167a6b98)
• Bundled Codex backend still uses JSONL path: The OpenAI Codex backend invokes codex exec --json and declares output: "jsonl"; the workspace-write default reduces the common trigger but does not classify semantic denial events. (extensions/openai/cli-backend.ts:25, 0e19167a6b98)
• No sandbox-denied failover contract exists: FailoverReason, AuthProfileFailureReason, and resolveFailoverStatus still have no sandbox_denied reason or 403 mapping. (src/agents/pi-embedded-helpers/types.ts:3, 0e19167a6b98)
• Focused prior fix is not merged: Live PR metadata shows fix(agents): detect codex sandbox-denied runs that exit 0 as failures #39460 is closed and unmerged, though it proposed structured sandbox-denied detection and tests for this exact issue. (6ebd0459848a)

Likely related people:

• steipete: Current blame and commit metadata for the CLI parser, runner, and OpenAI Codex backend point to recent maintainer work across the affected code path. (role: recent maintainer / likely follow-up owner; confidence: high; commits: 0e19167a6b98, 1fbd8e9dfbd1, cf1991d27deb; files: src/agents/cli-output.ts, src/agents/cli-runner/execute.ts, src/agents/cli-runner.ts)
• mvanhorn: Authored the focused prior PR with structured sandbox-denied JSONL detection, a sandbox_denied failover reason, and regression tests for this issue. (role: closed unmerged implementation candidate author; confidence: high; commits: 15b25584b029, 374504914898, 6ebd0459848a; files: src/agents/cli-output.ts, src/agents/cli-runner.ts, src/agents/failover-error.ts)
• 0xtangping: Contributed the adjacent Codex CLI sandbox-default change that reduced the default trigger but did not address exit-0 semantic failure classification. (role: adjacent contributor; confidence: medium; commits: e46bbd2cf65d, 5b257c65d5a7; files: extensions/openai/cli-backend.ts, src/agents/cli-backends.test.ts, CHANGELOG.md)

Remaining risk / open question:

• A repair should validate the current Codex JSONL denial event shape from a live run or saved fixture so detection matches structured fields without false-positive scanning ordinary assistant prose.
• Adding sandbox_denied touches failover status and auth-profile failure policy; the fix should keep it local/terminal and avoid poisoning provider auth health.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 0e19167a6b98.