[Bug]: Agent shell tool ignores /exec host=node and still runs in container

[samiralibabic]

Bug type

Behavior bug (incorrect output/state without crash)

Beta release blocker

No

Summary

After /exec host=node node=<remote-macos-node> security=full ask=off, agent shell/exec commands still execute in the gateway/container Linux environment instead of the selected macOS node.

Steps to reproduce

1. Run OpenClaw gateway on a Linux gateway/container host.
2. Connect a macOS node, for example <remote-macos-node>.
3. In a TUI session, set node execution for the session:

   /exec host=node node=<remote-macos-node> security=full ask=off
   

4. Ask the agent to run a shell command that identifies the execution host:

   uname -s && hostname && pwd && whoami

5. Restart TUI and retry in the same session.
6. Start a new TUI session and retry the same /exec host=node node=<remote-macos-node> ... flow.

Expected behavior

When the session exec defaults select host=node and node=<remote-macos-node>, subsequent agent shell/exec tool calls in that session should execute on the selected macOS node and report Darwin / the node environment.

The gateway/container should remain the default runtime for sessions without this explicit /exec host=node ... session override.

Actual behavior

The /exec command is accepted and the session appears to have the node exec default set, but the next available agent shell tool still executes in the Linux container on the gateway host.

Observed output from the shell command:

uname=Linux
hostname=<gateway-container-hostname>
pwd=/home/node/.openclaw/workspace
whoami=node

Restarting TUI did not change the result. A fresh TUI session also still returned Linux after setting /exec host=node node=<remote-macos-node> ....

OpenClaw version

2026.5.12

Operating system

Gateway/runtime: Linux container host
Node: macOS node
Client: TUI over SSH

Install method

Gateway/container runtime; exact install method not verified from this report.

Model

openai/gpt-5.5

Provider / routing chain

TUI → OpenClaw gateway/session on Linux gateway/container host → OpenAI Codex agent runtime/tool bridge → agent shell/exec command

Additional provider/model setup details

The TUI status line shows Runtime: OpenAI Codex / openai/gpt-5.5. This appears to refer to the OpenAI OAuth/provider runtime used by OpenClaw, not the Codex CLI.

Logs, screenshots, and evidence

The node access work immediately before this test established:
- The macOS node is connected as an optional trusted node.
- Node exec approvals are set to security=full, ask=off, askFallback=full.
- File transfer for allowed macOS node paths works.
- Normal agent exec still runs on the Linux gateway/container by default.

Then, after setting /exec host=node node=<remote-macos-node>, the agent shell check still returned:

uname=Linux
hostname=<gateway-container-hostname>
pwd=/home/node/.openclaw/workspace
whoami=node

The behavior persisted after closing/restarting TUI and after trying a new session.

Related prior issue: #20669 reported the same class of failure (Agent exec ignores node binding — always routes to gateway despite correct config). That issue was closed as stale/not planned, with the bot saying to open a new issue with fresh repro steps if it still happens on a later release. This is a fresh repro on 2026.5.12.

Impact and severity

Affected: users who want OpenClaw to keep gateway/container as the default runtime while allowing the agent to explicitly use a paired local or remote node for node-local work.

Severity: High for multi-node workflows. The user can connect and configure a macOS node, but the agent shell path does not honor the session node routing and still runs in the gateway/container.

Frequency: 100% in the observed tests: same session after restart and fresh session both returned Linux after /exec host=node node=<remote-macos-node>.

Consequence: node-local files/apps/environment cannot be accessed through the normal agent shell execution path. The setup can only use separate node/file-transfer surfaces, while the main shell tool remains bound to the gateway/container.

Additional information

A likely source-level area to inspect is the bridge between session exec defaults and the OpenAI Codex agent runtime's exec_command shell tool. The generic OpenClaw exec docs imply host=node is supported, but the observed shell tool appears to spawn in the local container instead of going through the node exec router.

This report is intentionally limited to the observed behavior. I have not confirmed whether direct CLI openclaw nodes run --node <remote-macos-node> ... succeeds in this exact environment.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
This should stay open: the documented /exec host=node behavior is an existing contract, and current source still leaves the Codex app-server native shell surface enabled without checking the session node exec override.

Reproducibility: yes. at source level: set /exec host=node node=<mac-node> in a Codex app-server-backed session, then ask for uname -s; the source path leaves native Codex shell enabled without checking the node override. I did not live-run the required Linux gateway plus macOS node setup.

Next step
This needs maintainer/security review of how Codex native shell should interact with /exec host=node; it is not a safe autonomous repair lane yet.

Security
Needs attention: The issue is security-sensitive because shell commands can execute on a different trusted host boundary than the session selected.

Review details

Best possible solution:

Make the session exec target a single source of truth for all agent shell surfaces: when a session is host=node, Codex native shell should be disabled or routed through OpenClaw's node-backed exec path, with regression coverage and a real multi-node proof.

Do we have a high-confidence way to reproduce the issue?

Yes, at source level: set /exec host=node node=<mac-node> in a Codex app-server-backed session, then ask for uname -s; the source path leaves native Codex shell enabled without checking the node override. I did not live-run the required Linux gateway plus macOS node setup.

Is this the best way to solve the issue?

No, current main is not the complete solution because it threads exec overrides into OpenClaw dynamic tools but does not make Codex native shell execution honor or yield to host=node. The maintainable fix should gate or reroute the native shell path rather than relying on model choice between two shell surfaces.

Label changes:

• add P1: The report describes a broken multi-node agent shell workflow where explicit node execution still runs on the gateway/container.
• add impact:security: The issue concerns a shell execution boundary: commands run on the gateway despite an explicit node target.
• add impact:session-state: The session accepts and persists exec host/node defaults, but the Codex native shell path appears not to honor them.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:no-new-fix-pr: Current issue advisory state selects this label.
• add clawsweeper:needs-maintainer-review: Current issue advisory state selects this label.
• add clawsweeper:needs-product-decision: Current issue advisory state selects this label.
• add clawsweeper:needs-security-review: Current issue advisory state selects this label.

Label justifications:

• P1: The report describes a broken multi-node agent shell workflow where explicit node execution still runs on the gateway/container.
• impact:security: The issue concerns a shell execution boundary: commands run on the gateway despite an explicit node target.
• impact:session-state: The session accepts and persists exec host/node defaults, but the Codex native shell path appears not to honor them.

Security concerns:

• [medium] Codex native shell can ignore node execution boundary — extensions/codex/src/app-server/run-attempt.ts:3443
  The inspected Codex app-server native code mode gate does not consider execOverrides.host, so a session configured for node execution can still expose a native shell surface that runs in the app-server/gateway environment.
  Confidence: 0.76

Acceptance criteria:

• Source regression around extensions/codex/src/app-server/run-attempt.ts proving native code mode is disabled or rerouted when execOverrides.host is node.
• Focused tests for src/auto-reply/reply/get-reply-exec-overrides.test.ts, src/agents/pi-tools-agent-config.exec.test.ts, src/agents/harness/native-hook-relay.test.ts, and extensions/codex/src/app-server/run-attempt.test.ts.
• Real multi-node proof: Linux gateway/container plus connected macOS node, /exec host=node node=<id> security=full ask=off, then uname -s && hostname && pwd && whoami must report the node environment.

What I checked:

• Documented exec contract: The exec docs say host=node is a supported execution target, node selects the node id/name, and /exec sets per-session defaults for host/security/ask/node. Public docs: docs/tools/exec.md. (docs/tools/exec.md:58, 9f2c0a80b40f)
• Session override persistence: The directive handler reports current exec defaults and persists execHost, execSecurity, execAsk, and execNode into the session entry when /exec options are accepted. (src/auto-reply/reply/directive-handling.impl.ts:429, 9f2c0a80b40f)
• Session defaults reach normal OpenClaw tools: Reply execution resolves execOverrides from directives/session entry/agent defaults, and the embedded runner passes them into createOpenClawCodingTools. (src/auto-reply/reply/get-reply-exec-overrides.ts:12, 9f2c0a80b40f)
• OpenClaw exec tool can route to nodes: The exec tool resolves the effective host from defaults/request params and dispatches host === "node" through executeNodeHostCommand, which invokes node.invoke system.run. (src/agents/bash-tools.exec.ts:1524, 9f2c0a80b40f)
• Codex native shell surface is not gated by exec host: The Codex app-server enables native code mode from toolsAllow/sandbox capability and passes nativeCodeModeEnabled to thread startup; this path does not check params.execOverrides.host === "node". (extensions/codex/src/app-server/run-attempt.ts:3443, 9f2c0a80b40f)
• Codex native exec_command is policy-relayed, not rerouted: The native hook relay aliases Codex exec_command to OpenClaw exec for before-tool policy/approval hooks and returns a no-op when not blocked; it does not execute the command through the node router. (src/agents/harness/native-hook-relay.ts:238, 9f2c0a80b40f)

Likely related people:

• steipete: Blame and log history show Peter Steinberger authored the current exec target resolution, session /exec persistence, Codex native hook relay, and Codex dynamic-tool pass-through commit that now owns the inspected path. (role: recent area contributor; confidence: high; commits: 2fd02c206064; files: src/agents/bash-tools.exec.ts, src/auto-reply/reply/directive-handling.impl.ts, src/agents/harness/native-hook-relay.ts)
• Neerav Makwana: Recent history on the Codex app-server run attempt path includes a context-engine/session-key fix, making this a plausible adjacent routing owner for Codex runtime behavior. (role: recent adjacent contributor; confidence: medium; commits: 66dcc4ee8fd1; files: extensions/codex/src/app-server/run-attempt.ts)

Remaining risk / open question:

• I did not run a live Linux-gateway plus macOS-node reproduction during this read-only review, so the proof is source-level plus the reporter's detailed logs.
• A fix crosses a shell execution security boundary and Codex native tool selection, so maintainers should choose the routing policy before automation changes code.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 9f2c0a80b40f.

[samiralibabic]

Additional verification: the remote macOS node itself is reachable and a direct node-side platform check returns Darwin. The failure appears limited to the normal agent command path, which still runs in the Linux container after the session has been configured to target the remote node.

Expected behavior should be either:

1. the normal agent command path honors the effective session node target; or
2. OpenClaw explicitly reports that this runtime path does not support node routing.

The current behavior is misleading because the session accepts the node routing setting while the visible command path still runs elsewhere.