[Bug]: Codex dynamic tool calls can leave sessions stuck as blocked_tool_call

[rozmiarD]

Bug type

Crash / hang

Beta release blocker

No

Summary

Codex app-server dynamic tool calls can leave an OpenClaw session stuck in blocked_tool_call even after the tool request has returned a successful result to the UI/transcript.

I checked for existing reports before filing. This looks related to the orphaned tool-call family in #42112 and the failed-tool-call hang family in #8288, but I did not find an exact duplicate for this item/tool/call response path: the dynamic tool request returns, the UI shows the bash result as completed, but the gateway diagnostics keep activeTool=bash with recovery=none.

Steps to reproduce

1. Run OpenClaw with the bundled Codex harness / @openclaw/codex.
2. Start a Codex-backed agent turn that executes a dynamic bash tool request.
3. In the observed case, the tool command was:

/bin/bash -lc 'PYTHONDONTWRITEBYTECODE=1 .venv/bin/python scripts/validate_public_install.py --dev && PYTHONDONTWRITEBYTECODE=1 timeout 600 .venv/bin/python scripts/run_security_contract_validation.py --include-pytest'

The command ran in:

<redacted-local-worktree-path>

4. The tool UI/result reports: No output — tool completed successfully.
5. Do not restart the gateway immediately. Watch the active session diagnostics.

Expected behavior

After the dynamic tool response returns to Codex/OpenClaw, OpenClaw should clear the active tool bookkeeping and emit a terminal tool.execution.completed or tool.execution.error diagnostic for that toolCallId. The session should then either continue to the next model event or hit the normal post-tool completion guard, but it should not remain classified as an active blocked tool call.

Actual behavior

The session remains in state=processing and the gateway repeatedly classifies it as blocked_tool_call with activeTool=bash, even though the tool response has already been surfaced as completed.

Relevant gateway log excerpt from May 18, 2026:

2026-05-18T07:52:04.249+02:00 [diagnostic] stalled session: sessionId=<redacted-session-id> sessionKey=<redacted-session-key> state=processing age=143s queueDepth=0 reason=blocked_tool_call classification=blocked_tool_call activeWorkKind=tool_call lastProgress=codex_app_server:notification:thread/tokenUsage/updated lastProgressAge=141s activeTool=bash activeToolCallId=<redacted-tool-call-id> activeToolAge=148s recovery=none
2026-05-18T07:57:04.291+02:00 [diagnostic] stalled session: sessionId=<redacted-session-id> sessionKey=<redacted-session-key> state=processing age=443s queueDepth=0 reason=blocked_tool_call classification=blocked_tool_call activeWorkKind=tool_call lastProgress=codex_app_server:notification:thread/tokenUsage/updated lastProgressAge=441s activeTool=bash activeToolCallId=<redacted-tool-call-id> activeToolAge=448s recovery=none
2026-05-18T07:57:27.172+02:00 [gateway] draining 2 active task(s) and 1 active embedded run(s) before restart with timeout 300000ms
2026-05-18T07:57:57.185+02:00 [gateway] still draining 2 active task(s) and 1 active embedded run(s) before restart
openclaw-gateway.service: State 'stop-sigterm' timed out. Killing.

An older affected turn from the same session family eventually hit the long terminal idle timeout instead:

turn.terminal_idle_timeout ... idleMs=1800001 timeoutMs=1800000 lastActivityReason=notification:thread/tokenUsage/updated

OpenClaw version

Observed on installed OpenClaw / @openclaw/codex 2026.5.12. The affected source path still existed on current upstream main when checked on May 18, 2026, before preparing the linked PR.

OS

Linux x64, systemd user service. Host evidence was collected on 6.19.14+kali-amd64.

Install method

npm-managed OpenClaw install with user openclaw-gateway.service.

Model

Codex-backed OpenAI model routing. The affected session was using the OpenAI Codex provider override with gpt-5.4/Codex harness routing.

Provider / routing chain

OpenClaw gateway -> bundled @openclaw/codex -> Codex app-server / ChatGPT Codex transport.

Additional provider/model setup details

No API-key provider path is required for the observed issue; this was the Codex app-server dynamic tool bridge path.

Logs/screenshots/evidence

Evidence above includes:

• The exact dynamic bash command and redacted working-directory evidence.
• UI/tool-result state: No output — tool completed successfully.
• Gateway diagnostics repeatedly reporting blocked_tool_call activeTool=bash recovery=none with session and tool-call identifiers redacted.
• Gateway restart drain timing out because the embedded run remained active.
• A prior affected turn reaching turn.terminal_idle_timeout after 30 minutes.

Impact/severity

High for Codex-backed local agents. A successfully completed dynamic shell command can still leave the OpenClaw session unusable until timeout or gateway restart. Restart may also hang during drain and require systemd to kill the service.

Additional information

I prepared a PR that makes the dynamic item/tool/call request boundary emit terminal tool diagnostics and clear active dynamic tool bookkeeping in finally, so the gateway does not keep a completed dynamic tool as active.

Sensitive values in the evidence were redacted after filing while preserving the observed event order, diagnostic classification, active tool name, timings, and restart-drain behavior.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open: current main still has the Codex dynamic-tool cleanup gap, and an open linked fix PR explicitly closes this issue, so the issue should remain open until that PR lands or is rejected.

Reproducibility: yes. at source level. The issue provides concrete production logs, and current main shows dynamic tool ids are tracked without terminal request-boundary cleanup; I did not run a live Codex app-server repro in this read-only review.

Next step
A linked open PR already closes this issue and changes the implicated files, so a separate ClawSweeper repair job would duplicate active review.

Review details

Best possible solution:

Review and land or reject #83476; the fix should emit terminal tool diagnostics and clear dynamic-tool request bookkeeping in the Codex app-server request boundary.

Do we have a high-confidence way to reproduce the issue?

Yes, at source level. The issue provides concrete production logs, and current main shows dynamic tool ids are tracked without terminal request-boundary cleanup; I did not run a live Codex app-server repro in this read-only review.

Is this the best way to solve the issue?

Yes, the best fix boundary is narrow: emit start/end diagnostic events and clear the tracked call id in finally around the dynamic item/tool/call request path. The linked PR is the current candidate and should be reviewed rather than opening a duplicate repair job.

Label justifications:

• P1: A completed Codex dynamic tool can leave an active session stuck in processing and interfere with gateway restart drain for affected users.
• impact:session-state: The stale active-tool bookkeeping leaves session diagnostics and run state out of sync with the completed tool result.
• impact:crash-loop: The report centers on a hang/process-availability failure where gateway drain timed out and systemd killed the service.

What I checked:

• Issue and linked PR context: The issue includes production logs from OpenClaw 2026.5.12 showing a successful no-output dynamic bash result followed by repeated blocked_tool_call activeTool=bash diagnostics and gateway drain timeout; the provided timeline cross-references open PR fix(codex): complete dynamic tool diagnostics #83476 with closing syntax.
• Current main tracks dynamic tool calls: The current app-server item/tool/call path adds the dynamic call id to activeOpenClawDynamicToolCallIds and emits tool_execution_started before awaiting the dynamic tool response. (extensions/codex/src/app-server/run-attempt.ts:2013, b7735f88fa27)
• Current main lacks request-boundary cleanup: The same finally block only decrements activeAppServerTurnRequests and touches request progress; it does not delete the dynamic call id or emit terminal tool diagnostics at the response boundary. (extensions/codex/src/app-server/run-attempt.ts:2094, b7735f88fa27)
• No terminal dynamic-tool cleanup symbol on current main: A targeted search found no activeOpenClawDynamicToolCallIds.delete, activeOpenClawDynamicToolCallIds.clear, tool_execution_completed, or tool_execution_error in the current run-attempt implementation or tests. (extensions/codex/src/app-server/run-attempt.ts, b7735f88fa27)
• Diagnostic activity contract requires terminal events: diagnostic-run-activity clears active tool state only on tool.execution.completed, tool.execution.error, or tool.execution.blocked; stale active tool state is then classified as blocked_tool_call by the attention classifier. (src/logging/diagnostic-run-activity.ts:183, b7735f88fa27)
• Linked fix PR is not on main: The linked PR head commit adds tool.execution.started, terminal completed/error diagnostic events, and activeOpenClawDynamicToolCallIds.delete(call.callId) in finally, but git merge-base --is-ancestor returned 1 for that commit against current HEAD. (extensions/codex/src/app-server/run-attempt.ts:2009, 78d41835d7a0)

Likely related people:

• Peter Steinberger: History shows repeated Codex app-server work, including the app-server controls, module split, interrupt shutdown, and the latest run-attempt change before this review. (role: feature owner / recent area contributor; confidence: high; commits: 31a0b7bd42a5, 8d72aafdbb8d, 545490c5920d; files: extensions/codex/src/app-server/run-attempt.ts, extensions/codex/src/app-server/run-attempt.test.ts)
• Vincent Koc: Current-line blame for the dynamic-tool bookkeeping and diagnostic activity files points to the current-main base commit, and nearby history includes Codex app-server harness/auth work. (role: recent area contributor; confidence: medium; commits: fc16df30dd8c, b5dfeaab4ce3, f1cc8f0cfc7c; files: extensions/codex/src/app-server/run-attempt.ts, extensions/codex/src/app-server/run-attempt.test.ts, src/logging/diagnostic-run-activity.ts)
• rozmiarD: The linked open PR provides the current candidate fix for this exact dynamic-tool diagnostic boundary and includes focused test changes. (role: proposed fix author; confidence: medium; commits: 78d41835d7a0; files: extensions/codex/src/app-server/run-attempt.ts, extensions/codex/src/app-server/run-attempt.test.ts)

Remaining risk / open question:

• I did not run a live Codex app-server reproduction in this read-only sweep; the source path and production logs are strong, but live after-fix proof belongs with the linked PR review.
• The linked PR's own proof notes that a patched live Codex transport attempt did not reach tool execution, so maintainers may still want stronger live transport proof before landing.

Codex review notes: model gpt-5.5, reasoning high; reviewed against b7735f88fa27.

[rozmiarD]

Linked PR update: #83476 now includes the P2 follow-up commit 9a4816064d6ef66f6b2498d9977446b5fd4bbab3.

The PR proof comment is here: #83476 (comment)

Targeted proof passed:

Test Files  1 passed (1)
Tests       4 passed | 162 skipped (166)

The added fixture covers the duplicate terminal-diagnostic regression for wrapped Codex dynamic tool errors, and the retained fixture covers clearing active dynamic-tool diagnostics after a successful app-server tool response.

[steipete]

Fixed in #83476 / 1912be8.

The Codex app-server now owns OpenClaw dynamic-tool diagnostics at the item/tool/call request boundary: it emits the started event when the request arrives and emits exactly one terminal event for completed, error, timeout, abort, and blocked responses. The fix also suppresses hook-owned duplicate diagnostics for Codex dynamic tools and matches fallback suppression by strict run identity, so successful or blocked dynamic tools no longer leave activeTool / activeToolCallId stuck in diagnostic state.

Proof: focused Codex app-server tests, targeted dynamic diagnostic regressions, pnpm tsgo:prod, pnpm tsgo:extensions:test, package-boundary compile, final autoreview, and PR CI all passed.