Codex app-server rotates context-engine bootstrap threads after large first turns

[100yenadmin]

Summary

On the current main branch and the latest stable release I verified (v2026.5.22, published 2026-05-24), Codex app-server sessions can repeatedly lose their warmed native thread after a large context-engine bootstrap turn. The observed release log shape is:

codex app-server native transcript exceeded active token limit; starting a fresh thread

This is not Discord losing messages and it is not the model context limit. It is OpenClaw clearing the saved Codex app-server native thread binding before the context-engine compatibility path can decide whether that thread is still valid.

Impact

For long-running Codex-backed agents with contextEngine projection mode thread_bootstrap, a large first/bootstrap native turn can exceed the local 70k native active-token guard. Once that happens, each later turn can cold-start the native Codex thread instead of using thread/resume, causing repeated bootstrap/projection work and loss of the warmed app-server fast path.

That matches the token/latency symptom we are seeing in long Discord sessions: the Gateway still routes the turn, but the Codex-side native wrapper repeatedly starts fresh threads and burns tokens/CPU.

Root Cause

extensions/codex/src/app-server/run-attempt.ts calls rotateOversizedCodexAppServerStartupBinding(...) immediately after reading the startup binding. That helper reads the native Codex rollout/session token stats and clears the binding when the latest usage is at or above CODEX_APP_SERVER_NATIVE_THREAD_MAX_TOKENS (70_000).

For context-engine thread_bootstrap, that ordering is wrong: the bootstrap turn is expected to be large, and later turns should be able to reuse the same native thread as long as the stored context-engine projection metadata still matches the current engine/policy/epoch. The later context-engine reuse logic already knows how to decide whether the binding is compatible, but it never gets the chance because the startup guard deletes the binding first.

Expected Behavior

A saved Codex native thread binding with contextEngine.projection.mode === "thread_bootstrap" should survive the startup native transcript size guard. Compatibility should then be decided by the context-engine projection/epoch checks and the existing per-turn overflow recovery path. If the epoch or policy changes, OpenClaw should still rotate and reproject.

Proposed Fix

Defer the startup native token/byte guard for context-engine thread_bootstrap bindings. Keep the existing guard behavior for non-context-engine and non-bootstrap native sessions.

I have a focused regression test and patch in progress that proves:

• an 86k-token bootstrap rollout still resumes with thread/resume
• the following turn sends only the current user prompt, not the assembled bootstrap context again
• existing non-bootstrap native over-budget rotation tests still pass

Validation So Far

Local validation ran from the Lexar-backed worktree:

/Volumes/LEXAR/repos/worktrees/openclaw-codex-native-thread-reuse

Focused checks:

OPENCLAW_VITEST_MAX_WORKERS=1 node scripts/run-vitest.mjs extensions/codex/src/app-server/run-attempt.context-engine.test.ts --run
OPENCLAW_VITEST_MAX_WORKERS=1 node scripts/run-vitest.mjs extensions/codex/src/app-server/run-attempt.test.ts --run -t "starts a fresh Codex thread before resume when the native rollout is over budget|uses current rollout token usage before cumulative usage|clears native rollouts at the configured byte limit"
pnpm exec oxfmt --check --threads=1 extensions/codex/src/app-server/run-attempt.ts extensions/codex/src/app-server/run-attempt.context-engine.test.ts
git diff --check

Parallel review also checked Pi runtime risk. The proposed change is limited to the Codex app-server startup binding guard and should not change Pi embedded-runner compaction semantics.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Latest ClawSweeper review: 2026-05-24 08:07 UTC / May 24, 2026, 4:07 AM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
This issue should stay open: current main still clears an oversized Codex app-server startup binding before the context-engine thread-bootstrap compatibility decision can inspect it, and the latest release has the same guard shape.

Reproducibility: yes. as a source-level reproduction path: with truncateAfterCompaction enabled, a saved thread_bootstrap binding whose rollout or session usage reaches 70,000 tokens is cleared before the projection compatibility check can decide to resume it. I did not run a live or Vitest repro because this review is read-only.

Next step
This is a narrow, source-proven Codex app-server repair with clear files and focused regression tests.

Review details

Best possible solution:

Keep this open and land a narrow Codex app-server fix that lets compatible thread_bootstrap bindings reach the projection/epoch checks while preserving existing rotation for ordinary oversized native sessions.

Do we have a high-confidence way to reproduce the issue?

Yes, as a source-level reproduction path: with truncateAfterCompaction enabled, a saved thread_bootstrap binding whose rollout or session usage reaches 70,000 tokens is cleared before the projection compatibility check can decide to resume it. I did not run a live or Vitest repro because this review is read-only.

Is this the best way to solve the issue?

Yes: deferring or skipping the startup size guard only for context-engine thread_bootstrap bindings is the narrow maintainable fix, provided epoch/policy mismatch and non-bootstrap over-budget rotation remain covered by tests.

Label changes:

• add P2: This is a concrete Codex app-server stability bug with limited blast radius to context-engine thread-bootstrap sessions.
• add impact:session-state: The reported failure clears a persisted native thread binding and loses the warmed Codex app-server session state for later turns.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:queueable-fix: Current issue advisory state selects this label.
• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.

Label justifications:

• P2: This is a concrete Codex app-server stability bug with limited blast radius to context-engine thread-bootstrap sessions.
• impact:session-state: The reported failure clears a persisted native thread binding and loses the warmed Codex app-server session state for later turns.

Acceptance criteria:

• OPENCLAW_VITEST_MAX_WORKERS=1 node scripts/run-vitest.mjs extensions/codex/src/app-server/run-attempt.context-engine.test.ts --run
• OPENCLAW_VITEST_MAX_WORKERS=1 node scripts/run-vitest.mjs extensions/codex/src/app-server/run-attempt.test.ts --run -t "starts a fresh Codex thread before resume when the native rollout is over budget|uses current rollout token usage before cumulative usage|clears native rollouts at the configured byte limit"
• pnpm exec oxfmt --check --threads=1 extensions/codex/src/app-server/run-attempt.ts extensions/codex/src/app-server/run-attempt.context-engine.test.ts
• git diff --check

What I checked:

• Current main clears the binding before projection checks: runCodexAppServerAttempt reads the saved binding and immediately passes it through rotateOversizedCodexAppServerStartupBinding before context-engine projection logic runs. (extensions/codex/src/app-server/run-attempt.ts:996, a4ef3a2c9ab5)
• Startup guard has no thread-bootstrap exemption: The startup guard clears the saved binding when token usage is at least 70,000, with no check for binding.contextEngine.projection.mode === "thread_bootstrap". (extensions/codex/src/app-server/run-attempt.ts:891, a4ef3a2c9ab5)
• Context-engine compatibility needs the binding: The later projection decision can skip reprojection only when it receives the previous startup binding and sees a matching thread-bootstrap projection, epoch, policy, and dynamic-tool fingerprint. (extensions/codex/src/app-server/run-attempt.ts:1331, a4ef3a2c9ab5)
• Existing tests prove the intended reuse behavior, but not the oversized-bootstrap case: The context-engine test suite already expects a matching thread-bootstrap binding to use thread/resume and send only the current prompt on the next turn; searches found no over-budget/thread-bootstrap regression variant. (extensions/codex/src/app-server/run-attempt.context-engine.test.ts:461, a4ef3a2c9ab5)
• Non-bootstrap over-budget behavior is intentional and must be preserved: The current non-context-engine regression test expects an over-budget native rollout to start a fresh thread and avoid thread/resume. (extensions/codex/src/app-server/run-attempt.test.ts:9312, a4ef3a2c9ab5)
• Latest release has the same unresolved guard: Tag v2026.5.22 contains the same startup helper and token-limit clear path, so this is not already fixed in the latest release. (extensions/codex/src/app-server/run-attempt.ts:820, a374c3a5bfd5)

Likely related people:

• Enjou: Local blame for the central startup-rotation helper and context-engine test file in this checkout points to Enjou's grafted commit, though the checkout history is shallow around that file. (role: recent area contributor; confidence: medium; commits: 3b3b2cca9c8c; files: extensions/codex/src/app-server/run-attempt.ts, extensions/codex/src/app-server/run-attempt.context-engine.test.ts)
• Josh Lehman (@jalehman): The changelog credits @jalehman for the Codex harness/context-engine bootstrap, assembly, maintenance, and compaction work, and local history also shows Josh Lehman on context-engine runtime commits. (role: context-engine feature contributor; confidence: medium; commits: e46e32b98c04, a327b6750dbe; files: CHANGELOG.md, src/context-engine/types.ts, src/agents/pi-embedded-runner/run/attempt.ts)

Remaining risk / open question:

• No live Codex app-server run was performed in this read-only sweep; the fix still needs focused regression proof.
• A careless exemption could weaken existing oversized native-thread rotation, so tests need to cover both thread-bootstrap preservation and non-bootstrap rotation.

Codex review notes: model gpt-5.5, reasoning high; reviewed against a4ef3a2c9ab5.

[TimToxopeus]

I merged your PR locally to test it, but Discord is still pretty slow. After checking with my agent, it reports:

This channel is over the native Codex active token limit
At 12:14:21: nativeTokens=116268, max 70000, so OpenClaw starts a fresh thread. Then it reinjects/truncates big bootstrap files:AGENTS.md, USER.md, MEMORY.md.
So each turn is paying context rebuild pressure, not just normal reply latency.

So while your PR removes some of the churn, it doesn't fix the issue fully yet.