Enhancement: finalize codex-cli replies from --output-last-message artifact instead of relying on stdout

[Wpoithge]

Summary

OpenClaw's direct codex-cli execution path currently relies too heavily on stdout / JSONL / exit status to determine the final user-visible reply.

In practice, this creates a reliability gap:

• Codex can finish successfully but the final result is not surfaced in the most stable way
• stdout and structured stream output are useful, but not always the best source of truth for the final answer
• automation/orchestration ends up needing extra glue to know what the real final result was

A more reliable contract is available today in Codex CLI itself:

• --output-last-message <file>

This issue proposes that OpenClaw's codex-cli runner should use that artifact as the finalization source of truth for the final reply payload, instead of depending primarily on stdout / JSONL / exit code.

Problem

Today the codex-cli direct runner path is roughly:

1. build CLI args
2. spawn codex exec
3. parse stdout / JSONL / text output
4. return final payloads to OpenClaw

That works in many cases, but it has a few reliability problems:

• stdout can contain progress-oriented or transport-oriented output rather than the clean final answer
• exit code alone is not enough to determine semantic success/failure
• downstream orchestrators still need a stable "final answer" contract
• when the final result is not surfaced cleanly, users can end up asking follow-up questions like "did it finish?" or "what was the result?"

There is already a related bug report in this area:

• [Bug]: OpenClaw treats codex exec sandbox-denied runs as success because codex exits 0 #39317 — OpenClaw can treat a semantically failed Codex run as success because Codex may still exit 0 while the failure only appears in output content

This issue is related, but narrower and more structural:

For successful or quasi-successful Codex CLI runs, OpenClaw should have a deterministic final result source, and that source should be the --output-last-message artifact.

Proposed solution

1. Add result-artifact finalization to the direct codex-cli runner

For the direct CLI path (codex-cli backend), automatically allocate a temp file and append:

--output-last-message <temp-file>

2. Prefer artifact over stdout for the final reply

After the Codex process exits:

• first parse stdout / JSONL as today
• then read the output-last-message artifact if it exists
• if artifact text is non-empty, use it as the final payloads[].text
• clean up the temp file afterward

3. Keep stdout/JSONL for process telemetry, but not as the primary final-answer source

This preserves the existing stream/debug behavior while making final result handling deterministic.

4. Optionally expose a generic finalization strategy contract

A more general version of this idea is:

• stream
• artifact
• hybrid

where codex-cli would default to artifact or hybrid, while other runtimes can remain stream.

Why this matters

This improves the OpenClaw → exec → Codex CLI → reply chain in a practical way:

• more reliable final replies
• less ambiguity between progress output and final result
• better orchestration behavior
• cleaner UX in long-running or delegated coding tasks
• more robust automation than relying on stdout/exit status alone

Evidence / local validation

I locally validated this design with a package-level runtime hotfix and two kinds of tests.

A. Real direct codex-cli round-trip

Using OpenClaw's real codex-cli provider path, I was able to route a run through Codex CLI and receive the final payload back through OpenClaw successfully.

B. Strong artifact-vs-stdout conflict test

I also built an isolated test gateway / state root and ran a fake codex-cli backend that intentionally returned conflicting outputs:

• stdout / parsed JSON text: STDOUT_ONLY_20260411
• --output-last-message file content: ARTIFACT_WINS_20260411

Observed final OpenClaw payload:

• ARTIFACT_WINS_20260411

This confirms that an artifact-preferred finalization path is practical and works exactly as intended.

Scope

This request is not about changing all providers or all conversations globally.

It should be scoped to:

• direct codex-cli execution paths
• and optionally other CLI backends that explicitly support a stable final-result artifact

Normal model replies, normal tool calls, and unrelated runtimes do not need to use this mechanism.

Suggested implementation area

Most likely implementation area:

• the direct CLI runner path (runCliAgent(...) / CLI backend argument builder / final output parsing path)

This seems like a better fit than ACP protocol internals, because this is specifically a CLI-backend finalization problem.

Expected behavior after fix

For codex-cli runs:

1. OpenClaw launches Codex with --output-last-message <file>
2. Codex completes
3. OpenClaw reads the result artifact
4. If artifact text exists, OpenClaw uses it as the final reply payload
5. The user receives the stable final answer without needing manual log-followup

Impact

Affected users:

• people using codex-cli/* as a direct CLI backend
• users delegating coding tasks to Codex via OpenClaw
• anyone wanting more reliable final-result handling for Codex CLI automation

Severity:

• medium to high as a reliability / UX gap
• especially noticeable in delegated coding flows and follow-up-heavy sessions

Related

• [Bug]: OpenClaw treats codex exec sandbox-denied runs as success because codex exits 0 #39317 — semantic failure can be hidden when Codex exits 0
• [Bug]: CLI-backed model fails in follow-up path (codex-cli/gpt-5.4) #64251 — follow-up path issues for codex-cli/gpt-5.4

This proposal complements those issues by making final-result handling deterministic.

[Wpoithge]

A bit more implementation / validation detail from the local prototype, in case it's useful for upstream design discussion.

Local validation details

I tested this in two stages.

1. Real direct codex-cli path

I first verified that OpenClaw could route a run through the real codex-cli backend and return the final payload back to the session successfully.

That proved the direct runner path was the right place to focus.

2. Strong artifact-vs-stdout conflict test

Then I ran an isolated test gateway / isolated state root and swapped the codex-cli backend to a fake local script that intentionally returned conflicting outputs:

• parsed stdout/JSON text: STDOUT_ONLY_20260411
• --output-last-message file content: ARTIFACT_WINS_20260411

Observed final OpenClaw payload:

• ARTIFACT_WINS_20260411

So this was not just a smoke test — it was a true priority test showing that artifact-based finalization can deterministically override stdout when desired.

Local implementation shape

The minimal hotfix I tested locally was roughly:

1. In the direct CLI runner, detect codex-cli
2. Allocate a temp result file path
3. Append:
   • --output-last-message <temp-file>
4. Let the existing stdout / JSONL parsing run as usual
5. After process exit, read the temp file
6. If the file contains non-empty text, replace the final payloads[].text with that artifact text
7. Remove the temp file

So the behavioral rule was:

• keep stdout/JSONL for transport/debug/telemetry
• but use artifact as the final user-facing reply source when present

Why I think this belongs in the direct CLI runner

During local tracing, the cleanest implementation point was the direct codex-cli runner path rather than ACP internals.

Reason:

• this is specifically a CLI-backend finalization concern
• it should not affect unrelated provider/model paths
• the direct runner already owns arg construction, process launch, stdout parsing, and final payload construction

So the change can stay narrow and provider-specific.

Optional extension idea

A generalized version could expose a finalization mode like:

• stream
• artifact
• hybrid

with codex-cli defaulting to artifact or hybrid, while most other backends remain stream.

But even without the general abstraction, the direct codex-cli improvement is already useful on its own.

[clawsweeper]

Closing this as duplicate or superseded after Codex automated review.

Issue #65074 asks OpenClaw to finalize direct codex-cli replies from Codex CLI's --output-last-message artifact. Current main has not shipped that behavior: the bundled codex-cli backend still passes only exec/json args, and the runner still derives the final reply from parsed stdout/JSONL. However, the provided GitHub context shows open PR #66081 is a focused implementation PR for exactly this request, explicitly marked "Closes #65074" and covering artifact-preferred finalization with stdout fallback tests, so the issue can close as superseded by that canonical PR rather than as implemented.

Best possible solution:

Keep #66081 as the canonical implementation and review surface for this request. The best fix is to land #66081 or an equivalent narrow change that adds --output-last-message for codex-cli, prefers a non-empty artifact over stdout for final payloads, cleans up the temp file, and keeps tests for artifact-wins plus stdout fallback behavior. If #66081 is closed without landing, maintainers should reopen this issue or file a narrower follow-up.

What I checked:

• Canonical PR tracks exact remaining work: Provided GitHub context shows PR feat(codex-cli): prefer output-last-message artifacts #66081, "feat(codex-cli): prefer output-last-message artifacts", is open, references "Closes Enhancement: finalize codex-cli replies from --output-last-message artifact instead of relying on stdout #65074", and describes adding a temp --output-last-message file, preferring non-empty artifact text over stdout, and testing artifact-vs-stdout precedence plus empty-artifact fallback. (9aea402bc3dc)
• Current runner still finalizes from stdout: After a successful managed CLI process, executePreparedCliRun trims result.stdout, passes it into parseCliOutput, then returns parsed.text/rawText as the assistant output; there is no artifact allocation or artifact read in this path. (src/agents/cli-runner/execute.ts:522, bc24b547d088)
• Bundled codex-cli args do not request the artifact on main: The bundled OpenAI codex-cli backend config uses args ["exec", "--json", "--color", "never", ...] and resumeArgs ["exec", "resume", "{sessionId}", ...] with output jsonl/text settings, but no --output-last-message flag. (extensions/openai/cli-backend.ts:25, bc24b547d088)
• Repo-wide source search finds no shipped artifact hook: A focused search for output-last-message across source, plugins, docs, and package metadata returned no matches on current main. (bc24b547d088)
• Current docs describe stdout/JSONL final output contract: CLI backend docs still describe output jsonl as extracting the final agent message from JSONL and output text as treating stdout as the final response, consistent with the current implementation rather than the requested artifact contract. Public docs: docs/gateway/cli-backends.md. (docs/gateway/cli-backends.md:241, bc24b547d088)

So I’m closing this here and keeping the remaining discussion on the canonical linked item.

Codex Review notes: model gpt-5.5, reasoning high; reviewed against bc24b547d088.