[Bug]: 2026.5.7 @openclaw/codex missing openclaw peer link plus stale NODE_PATH causes hook stalls and password_missing

[lisandromachado]

Bug type

Regression / packaging-runtime resolution issue

Summary

On a Linux npm-global OpenClaw 2026.5.7 install, @openclaw/codex@2026.5.7 under the local OpenClaw npm tree could not resolve the host openclaw package from ~/.openclaw/npm/node_modules. This produced ERR_MODULE_NOT_FOUND failures in cron/agent runs, and coincided with Codex native hook relay stalls, high gateway CPU, and repeated unauthenticated nativeHook.invoke calls (reason=password_missing).

This looks like the same peer-link failure class as #77959 and #78185, but it is still reproducible on 2026.5.7 on Linux/npm-global. There is also a second local-state problem: a systemd drop-in had a NODE_PATH pointing to a removed plugin-runtime-deps snapshot from 2026.4.23, so helper processes inherited a stale dependency path after the upgrade.

Environment

• OpenClaw: 2026.5.7 (eeef486)
• Node: v24.15.0
• @openclaw/codex: 2026.5.7
• @openai/codex: 0.128.0
• OS: Linux x64, systemd user gateway
• Install method: npm global
• Global package root: /usr/lib/node_modules/openclaw
• Local OpenClaw npm tree: /root/.openclaw/npm/node_modules
• Gateway command: /usr/bin/node /usr/lib/node_modules/openclaw/dist/index.js gateway --port 18789
• Gateway bind: loopback 127.0.0.1:18789

Observed broken state

The host package existed globally:

/usr/lib/node_modules/openclaw/package.json exists

But the local OpenClaw npm tree did not have the peer link before repair:

/root/.openclaw/npm/node_modules/@openclaw/codex/package.json exists
/root/.openclaw/npm/node_modules/openclaw missing

@openclaw/codex declares the host package as a peer:

{
  "name": "@openclaw/codex",
  "version": "2026.5.7",
  "peerDependencies": {
    "openclaw": ">=2026.5.7"
  }
}

But the bundled Codex runtime imports host SDK modules, for example:

from "openclaw/plugin-sdk/agent-harness-runtime"
from "openclaw/plugin-sdk/agent-runtime"
from "openclaw/plugin-sdk/windows-spawn"

A cron run failed with:

Error [ERR_MODULE_NOT_FOUND]: Cannot find package 'openclaw' imported from /root/.openclaw/npm/node_modules/@openclaw/codex/dist/client-BGbqC7jk.js

Additional stale NODE_PATH state

The running systemd service inherited this drop-in from a previous install/update:

Environment=NODE_PATH=/var/lib/openclaw/plugin-runtime-deps/openclaw-2026.4.23-4eca5026e977/node_modules

But /var/lib/openclaw/plugin-runtime-deps no longer contained that snapshot. So the gateway was 2026.5.7, while helper/child processes inherited a stale, non-existent 2026.4.23 runtime path.

Runtime symptoms

During the incident, the gateway was technically running but degraded:

OpenClaw 2026.5.7
Gateway active/running
Codex app-server 0.128.0

Observed symptoms:

• Gateway CPU stayed high, often around one core during stalls.
• Multiple openclaw hooks relay / openclaw child processes spiked to 100%+ CPU.
• Agent sessions stalled for many minutes around Codex hook progress.
• status, node.list, and device.pair.list calls reached ~140s in earlier windows.
• Codex app-server turns timed out.
• Logs showed repeated unauthenticated gateway calls:

[ws] unauthorized ... client=gateway:nativeHook.invoke backend v2026.5.7 ... auth=none ... reason=password_missing

The password_missing side appears related to helper processes running with agent-specific HOME/Codex environments and not resolving the real gateway config/auth. For example, openclaw doctor from an agent environment reported a config path under the Codex home and then failed to connect to the running gateway with missing auth.

Workaround applied locally

1. Link the host OpenClaw package into the local OpenClaw npm tree:

ln -s /usr/lib/node_modules/openclaw /root/.openclaw/npm/node_modules/openclaw

2. Replace the stale NODE_PATH systemd drop-in with the active package paths and force helper processes to read the real gateway config:

[Service]
Environment=NODE_PATH=/usr/lib/node_modules/openclaw/node_modules:/usr/lib/node_modules
Environment=OPENCLAW_CONFIG_PATH=/root/.openclaw/openclaw.json

3. Reload/restart:

systemctl --user daemon-reload
systemctl --user restart openclaw-gateway.service

Post-workaround verification

After restart, systemd picked up the corrected environment:

NODE_PATH=/usr/lib/node_modules/openclaw/node_modules:/usr/lib/node_modules
OPENCLAW_CONFIG_PATH=/root/.openclaw/openclaw.json

The gateway status probe succeeded:

Config (cli): /root/.openclaw/openclaw.json
Config (service): /root/.openclaw/openclaw.json
Runtime: running
Connectivity probe: ok

The Codex client import that previously failed now succeeds:

node --input-type=module -e "import('/root/.openclaw/npm/node_modules/@openclaw/codex/dist/client-BGbqC7jk.js').then(()=>console.log('codex-client-import-ok'))"
# codex-client-import-ok

In the post-restart window, the earlier Cannot find package 'openclaw', ERR_MODULE_NOT_FOUND, and password_missing messages did not reappear. Gateway memory also dropped substantially after restart, although CPU/event-loop delay still needs observation under normal workload.

Expected behavior

• @openclaw/codex should not be left in a state where it imports openclaw/plugin-sdk/* but no resolvable openclaw package exists in the local npm tree or ancestor path.
• Update/repair/startup should either create the peer link or fail loudly before agent turns/crons start.
• Managed systemd drop-ins should not keep pointing NODE_PATH at removed plugin-runtime-deps snapshots after an update.
• Codex native hook relay helpers should resolve gateway auth/config reliably, or avoid falling back to unauthenticated loopback calls that repeatedly log password_missing.

Actual behavior

• @openclaw/codex was installed and enabled, but openclaw was missing from /root/.openclaw/npm/node_modules.
• Cron/agent runs could fail with Cannot find package 'openclaw' imported from @openclaw/codex/dist/client-*.js.
• Systemd retained a stale NODE_PATH to a removed 2026.4.23 runtime deps snapshot while running 2026.5.7.
• Native hook relay/helper calls repeatedly hit the gateway with no auth (password_missing), contributing to stalls/noisy failure under load.

Related issues

• [Bug]: @openclaw/codex peerDependency link not created on install — gateway lanes crash with ERR_MODULE_NOT_FOUND for openclaw/plugin-sdk/* #77959 — same @openclaw/codex peer link class, but reported on 2026.5.4 and closed.
• [Bug]: @openclaw/codex fails before reply when local npm tree loses openclaw peer link #78185 — same local npm tree losing openclaw peer link, but reported on 2026.5.4 and closed.
• [Bug]: openclaw plugins install does not install peer dependency — plugin fails to load after install #53517 / Weixin Plugin Load Failure: Missing openclaw Package in Dependencies #54428 / [Bug]: plugins install does not resolve openclaw peerDependencies — causes plugin startup failure #70436 — broader plugin openclaw peer dependency resolution failures.
• [Bug]: Matrix channel missing matrix-js-sdk after 2026.5.4 host npm update #77896 — related package dependency resolution after 2026.5.4 host update.

This report is specifically for the same class still appearing on Linux/npm-global 2026.5.7, with the added stale NODE_PATH and nativeHook.invoke password_missing signals.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Codex review failed: timeout.

Reproducibility: unclear. The review failed before ClawSweeper could establish a reproduction path.

Next step
Review did not complete, so no work-lane recommendation was made.

Review details

Best possible solution:

Retry the Codex review after fixing the execution failure.

Do we have a high-confidence way to reproduce the issue?

Unclear. The review failed before ClawSweeper could establish a reproduction path.

Is this the best way to solve the issue?

Unclear. Retry the review first so ClawSweeper can evaluate the actual issue and fix direction.

What I checked:

• failure reason: timeout.
• codex failure detail: Codex review failed for this issue: spawnSync codex ETIMEDOUT.

Likely related people:

• unknown: Codex failed before it could trace repository history. (role: review did not complete; confidence: low)

Remaining risk / open question:

• No close action taken because the review did not complete.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 6e318f8aec06.

[holgergruenhagen]

Thanks for writing this up. I have another data point from a Linux npm-global install that looks closely related, although not identical.

Environment

• OpenClaw: 2026.5.7 (eeef486)
• Node: v22.22.2
• OS: Ubuntu 24.04 / Linux 6.8.0-106-generic x64
• Gateway supervision: systemd --user under root, with linger enabled
• Gateway command: /usr/bin/node /usr/lib/node_modules/openclaw/dist/index.js gateway --port 18789
• Runtime/model: native Codex runtime, openai/gpt-5.5, agentRuntime.id = codex
• Channel where the symptom is visible: Discord

What matches this issue

I am seeing the same general failure shape:

• Gateway is technically running and reachable.
• Discord may show as OK in openclaw status.
• User-facing Discord replies become extremely slow or effectively unusable.
• Gateway CPU/event-loop pressure appears during the bad windows.
• Logs include Codex app-server timeout / degraded runtime symptoms.
• Logs also include unauthenticated native hook calls, e.g. client=gateway:nativeHook.invoke ... auth=none ... reason=token_missing.

What does not match exactly

The local package resolution part does not appear broken in my case:

/root/.openclaw/npm/node_modules/@openclaw/codex 2026.5.7
/root/.openclaw/npm/node_modules/openclaw 2026.5.7
/usr/lib/node_modules/openclaw 2026.5.7

The Codex client import also succeeds:

codex-client-import-ok

The systemd service environment also does not appear to have a stale NODE_PATH from an old plugin-runtime snapshot.

Concrete latency measurement

After resetting the Discord main session with /new, I tested a trivial ping/pong message. The old conversation context was therefore not the main cause.

Measured from Discord snowflake time and OpenClaw session/trajectory timestamps:

• Discord user message created: 2026-05-08T22:23:15.201Z
• OpenClaw context.compiled: 2026-05-08T22:23:32.184Z
• Prompt submitted: 2026-05-08T22:23:32.215Z
• message.send tool call for the pong reply: 2026-05-08T22:24:09.111Z
• Reply mirrored into session delivery: 2026-05-08T22:24:09.736Z
• model.completed: 2026-05-08T22:24:12.777Z

So the total user-visible latency was about 54.5s for a trivial ping:

• about 17s before the prompt was submitted
• about 37s inside the Codex/agent runtime before the message send
• Discord delivery itself was fast once the message tool was called

Why I think this is related

This looks like the same degraded Codex/native-hook/gateway-runtime class even though the peer-link/NODE_PATH part is not currently present on this machine. In other words, the packaging issue in this report may be one trigger, but the runtime symptoms can still appear when package resolution checks look healthy.

Happy to provide more specific command output if useful, but I wanted to add the measured split because it shows the delay is not just Discord delivery and not just old session context.

[musalabalpha]

Adding another data point on a more recent release. The peer-link failure class described here looks like it still affects 2026.5.12 and can be triggered (not just observed post-mortem) by openclaw plugins install --pin.

Environment

• OpenClaw: 2026.5.12 (f066dd2), upgraded earlier from 2026.4.26
• OS: Linux (Raspberry Pi 5, Debian-based)
• Node: v24.x
• Install method: npm global (~/.npm-global/lib/node_modules/openclaw/)
• Local OpenClaw npm tree: ~/.openclaw/npm/node_modules/

Variant observed

Unlike the original report where the local tree was missing the openclaw peer link, in my case running:

openclaw plugins install @openclaw/codex --pin

caused the host package itself to be downgraded. After the install:

• /home/<user>/.npm-global/lib/node_modules/openclaw/dist/index.js was rewritten (filesystem mtime matches the install timestamp).
• openclaw --version flipped from 2026.5.12 (f066dd2) to 2026.4.26 (be8c246).
• The gateway process kept running on its existing in-memory bytecode (the host swap took effect only after the next systemctl restart).
• After the gateway restart, the CLI and gateway were both 4.26 while the config was 5.12-shaped (discovery.mdns schema present from 5.12). The CLI subsequently hangs ~30-90s on any openclaw agent invocation with zero stdout/stderr even under OPENCLAW_DEBUG=1.

So this is the same class of host-runtime / plugin-runtime split surfaced by #68385 / #77959 / #78185, but the entrypoint is plugins install --pin resolving peerDependencies.openclaw to an older version that satisfies the range, then silently overwriting the host package. The fix from #68385 (linkOpenClawPeerDependencies) protects plugin-local node_modules/openclaw, but doesn't appear to guard the npm-global host path against being replaced.

Reproduce

1. Have openclaw@2026.5.12 installed globally via npm.
2. Run openclaw plugins install @openclaw/codex --pin.
3. Run openclaw --version — observe it now reports 2026.4.26 instead of 2026.5.12.
4. Restart the gateway and observe lane wedging / CLI hangs.

Recovery in my case was a clean npm uninstall -g openclaw + npm install -g openclaw@2026.5.12.

[vincentkoc]

Thanks @lisandromachado, and thanks to everyone who added follow-up repro detail here.

This is fixed on main by #82289, including commit 89a9b4e. The landed fix preserves the linked active openclaw host package during managed peer repair while scrubbing stale managed-root ownership metadata, with regression coverage and package/upgrade proof.

This should be included in the next OpenClaw release.