`btw spawn` with invalid bearer token triggers gateway/session disconnect

[dodge1218]

Summary

Running btw spawn codex 5.5 with an invalid or expired bearer token returns a 401 (expected), but also appears to destabilize the active OpenClaw gateway session, leading to a disconnect (gateway disconnected: closed | idle). This requires a manual openclaw gateway restart to recover.

Expected Behavior

• btw command fails gracefully with authentication error
• Active agent session and gateway remain stable
• No disconnect or need for restart

Actual Behavior

• btw returns:

  401 authentication_error: Invalid bearer token
  

• Immediately followed by:

  gateway disconnected: closed | idle
  

• Session becomes unusable until:

  openclaw gateway restart
  

Environment

• OpenClaw version: 2026.4.9
• OS: Linux Mint (Ubuntu/Debian-based)
• Hardware: ThinkPad X1 Carbon
• Active agent: github-copilot/claude-opus-4.7
• Running via terminal (local install, systemd service)

Steps to Reproduce

1. Start OpenClaw normally (openclaw or agent session active)

2. Ensure bearer token for btw/Codex route is invalid or expired

3. Run:

   btw spawn codex 5.5
   

4. Observe:

   • 401 error
   • gateway disconnect

Logs

btw failed: 401 {"type":"error","error":{"type":"authentication_error","message":"Invalid bearer token"}}

gateway disconnected: closed | idle

Impact

• Breaks active session unexpectedly
• Requires manual gateway restart
• Makes btw unsafe to test/debug in live sessions
• Poor failure isolation between auxiliary agent spawning and core gateway

Hypothesis

btw spawn may be:

• Sharing or mutating the same gateway client/session
• Not isolating failed auth paths
• Triggering a teardown on error instead of failing locally

Suggested Fix

• Isolate btw spawn calls from main gateway session
• Ensure auth failures do not propagate to gateway lifecycle
• Add retry-safe or sandboxed execution for helper agents

Additional Notes

This feels like a boundary violation between auxiliary agent execution (btw) and core session stability. Even with invalid credentials, the main agent should remain unaffected.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open because current main still has the shared Codex app-server startup cleanup path, and the linked closing PR is open and unmerged.

Reproducibility: yes. source-backed: the issue gives concrete invalid-token steps/logs, and current main routes startup through the shared app-server client before cleanup can close it. I did not run a live invalid-token gateway session in this read-only review.

Next step
No separate repair lane: the open closing PR already targets the narrow fix and should be reviewed, proved, landed, or closed by maintainers.

Review details

Best possible solution:

Land #72812 or an equivalent narrow spawned-helper Codex app-server isolation fix, then close this issue after it reaches main.

Do we have a high-confidence way to reproduce the issue?

Yes, source-backed: the issue gives concrete invalid-token steps/logs, and current main routes startup through the shared app-server client before cleanup can close it. I did not run a live invalid-token gateway session in this read-only review.

Is this the best way to solve the issue?

Yes, isolating spawned/helper Codex app-server startup clients while preserving normal shared-client reuse is the narrow maintainable fix; the linked PR is the active candidate but is not merged yet.

What I checked:

• Reporter reproduction: The issue body provides concrete invalid-token steps, observed 401 output, and the follow-on gateway disconnected: closed | idle log from OpenClaw 2026.4.9 on Linux Mint.
• Current main still defaults to shared client: The default Codex app-server client factory still resolves getSharedCodexAppServerClient, so ordinary run attempts enter the singleton shared-client path unless a caller injects another factory. (extensions/codex/src/app-server/client-factory.ts:16, 4859edd9f83d)
• Startup failure cleanup can clear the startup client: runCodexAppServerAttempt stores startupClientForCleanup after creating the app-server client and calls clearSharedCodexAppServerClientIfCurrent in startup retry/error cleanup. (extensions/codex/src/app-server/run-attempt.ts:780, 4859edd9f83d)
• Shared-client clearing closes the client: clearSharedCodexAppServerClientIfCurrent clears singleton state and calls client.close() when the supplied client is the current shared client. (extensions/codex/src/app-server/shared-client.ts:167, 4859edd9f83d)
• Auth errors can bubble from thread startup: startOrResumeThread sends thread/start through the selected app-server client; a 401 from that request can propagate into the startup cleanup path. (extensions/codex/src/app-server/thread-lifecycle.ts:294, 4859edd9f83d)
• Open closing PR owns the candidate fix: Live PR metadata shows Fix helper Codex app-server auth failures from tearing down the shared client #72812 is open, unmerged, labels include triage: needs-real-behavior-proof, and its body uses closing syntax for this issue. (fa5fdb120a28)

Likely related people:

• steipete: Recent commits in the same run-attempt/shared-client lifecycle area include app-server cleanup ownership, client-factory injection, and silent-turn timeout handling. (role: recent Codex app-server lifecycle contributor; confidence: high; commits: 089a3063ee5f, f12e9c41fa15, 1e31bd2ac29d; files: extensions/codex/src/app-server/run-attempt.ts, extensions/codex/src/app-server/shared-client.ts, extensions/codex/src/app-server/client-factory.ts)
• vincentkoc: Recent auth-order work touched the app-server auth and shared-client surfaces that a fix must preserve. (role: recent Codex auth/runtime contributor; confidence: medium; commits: eb1a0aa574b5, 9518d12e131b; files: extensions/codex/src/app-server/run-attempt.ts, extensions/codex/src/app-server/shared-client.ts, extensions/codex/src/app-server/client-factory.ts)
• pashpashpash: Recent history includes btw side-thread routing and managed Codex app-server work near the reported helper-spawn path. (role: adjacent Codex btw/app-server contributor; confidence: medium; commits: 42e259a696a2, edb618c6c4a9; files: extensions/codex/src/app-server/thread-lifecycle.ts, extensions/codex/src/app-server/shared-client.ts)
• yetval: They authored the open closing PR that isolates spawned/helper Codex app-server startup clients for this issue. (role: likely follow-up owner; confidence: medium; commits: fa5fdb120a28; files: extensions/codex/src/app-server/run-attempt.ts, extensions/codex/src/app-server/run-attempt.test.ts, extensions/codex/src/app-server/shared-client.ts)

Remaining risk / open question:

• No live invalid-token gateway session was run during this read-only review, so the reproduction is source-backed rather than live-observed.
• The linked fix PR is still open and has a real-behavior-proof gate plus prior review feedback, so the issue should remain open until a fix actually lands.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 4859edd9f83d.

[yetval]

Follow-up to the closed #72812: opened #87375 with the maintainer-requested fix shape — narrows the Codex app-server startup-failure cleanup policy so spawned helper runs that fail for logical reasons (auth, thread/start 401) no longer retire the shared singleton, while transport-closed failures still clear it. No new app-server processes, no isolated-client topology. spawnedBy only affects cleanup gating, not topology.

[WarrenJones]

I'll work on this. Let me investigate and submit a fix.

[dodge1218]

Thanks Warren. Just to keep the threads aligned: #72812 was closed because maintainers want to keep the single shared Codex app-server and fix cleanup policy instead of adding isolated spawned-helper app-server topology. Yuval opened #87375 with that requested shape. I think the remaining blocker there is real invalid-token spawned-helper proof showing the parent session/gateway stays alive.

[steipete]

Fixed.

Main: 74f9d6b via PR #87375.
Release 2026.5.27 backport: 00dabd6 on release/2026.5.27.

Proof: focused Codex app-server run-attempt suite passed 244 tests on the release branch after backport; pnpm tsgo:extensions passed. PR CI run 26534075812 is green after rerunning unrelated timeout flakes.