Codex long-running sessions should use semantic thread/bootstrap cache ownership

[100yenadmin]

Codex long-running sessions should use semantic thread/bootstrap cache ownership instead of hard native-token rotation

Problem

Long-running Discord/Codex sessions can still become slow after #85978 when they do not enter or retain the context-engine thread_bootstrap path. The local Codex app-server startup guard can still log:

codex app-server native transcript exceeded active token limit; starting a fresh thread
nativeTokens=116268, max 70000

That means OpenClaw clears the saved native Codex thread and starts cold, even though the selected model may have much more context headroom. The 70k number is an OpenClaw native-thread reuse guard, not the model context window.

Current Understanding

• Pi embedded runner normally reloads and injects bootstrap files every turn, then relies on stable prompt-prefix/provider-cache behavior to amortize repeated bytes.
• Codex app-server has a different efficient path: persistent native thread reuse. Context engines can return contextProjection.mode = "thread_bootstrap" so OpenClaw injects assembled history once for a stable epoch and then resumes the same native thread.
• Current lossless-claw main appears designed for this path: it returns thread_bootstrap with an epoch derived from summary context state rather than ordinary fresh-tail growth.
• Fix Codex native thread reuse for context-engine bootstraps #85978 fixes one bug in this path by preventing the startup size guard from deleting a still-valid bootstrapped binding before compatibility is checked. It now also keeps stale/no-active-engine bindings safe.
• The broader architecture gap remains for legacy/non-bootstrap sessions, old lossless-claw builds, session-file rollover, blunt compaction invalidation, workspace bootstrap surfaces outside the projection contract, and insufficient rotation diagnostics.

Desired Architecture

For Codex app-server, native-thread rotation should be primarily semantic:

• rotate on /new or /reset;
• rotate on model/provider/auth/tool/MCP/app/environment incompatibility;
• rotate on context-engine policy or projection epoch/fingerprint change;
• rotate when a saved context-engine binding has no current active context engine;
• rotate when the app-server reports the native thread is gone or actually overflows;
• do not rotate solely because a compatible thread_bootstrap native rollout is above a hard-coded 70k guard.

The native thread should be treated as a projection cache keyed by stable session/channel identity plus context-engine conversation/projection identity, not only by sessionFile + ".codex-app-server.json".

Proposed Follow-Ups

1. Add a Codex native-thread rotation reason enum and diagnostics block.
   Log current/saved engine id, policy fingerprint, epoch/fingerprint, dynamic tools, MCP/app/environment/auth/model fingerprints, token source, native/session tokens, and whether mirrored history was projected.

2. Make the native reuse guard model/config/context-owner aware.
   Keep strict clearing for legacy or ownerless sessions, but treat compatible context-engine thread_bootstrap sessions as semantically owned by the context engine unless the app-server actually rejects the turn.

3. Preserve or migrate Codex bindings across LCM/session-file rollover when conversation identity and projection epoch remain compatible.

4. Add explicit workspace bootstrap fingerprints to Codex thread binding/diagnostics.
   Track stable inherited developer instructions, turn-scoped collaboration instructions, prompt context contributors, and native project-doc loading separately.

5. Revisit compaction invalidation.
   Successful context-engine-owned compaction currently clears Codex bindings. If compaction does not change projection epoch/fingerprint, native reuse may be preservable.

Acceptance Criteria

• A long-running single-agent Codex/Discord session with stable lossless-claw thread_bootstrap epoch can exceed 70k native rollout tokens without cold-starting every turn.
• When a turn cold-starts, logs state exactly which semantic or runtime compatibility dimension forced it.
• If LCM compacts, rotates, or rewrites the transcript, OpenClaw either preserves the compatible Codex binding or logs the exact epoch/policy/session identity reason it could not.
• /doctor or equivalent status output distinguishes model/provider context overflow from OpenClaw native-thread reuse guard rotation.

Related

• Codex app-server rotates context-engine bootstrap threads after large first turns #85975
• Fix Codex native thread reuse for context-engine bootstraps #85978
• Architecture note: /Volumes/LEXAR/Codex/openclaw-codex-long-session-architecture-20260524.md

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed May 24, 2026, 11:27 AM ET / 15:27 UTC.

Summary
Keep open: current main still has the fixed 70,000-token Codex app-server startup rotation guard and context-engine compaction still invalidates Codex thread bindings. The linked open PRs cover useful slices, but this issue remains the broader architecture tracker for semantic rotation reasons, binding ownership across rollover/compaction, workspace bootstrap fingerprints, and doctor/status diagnostics.

Reproducibility: no. for a high-confidence live Discord/Codex slowdown reproduction in this read-only pass. Source inspection does show the fixed 70,000-token startup guard and compaction binding invalidation paths that motivate the architecture request.

Ways to help us reproduce this

• Add a screenshot or short recording showing the behavior.
• Add expected vs actual behavior.
• Share version, platform, channel/provider, and relevant config details.

Next step
This needs maintainer sequencing and product judgment because open PRs already cover slices while the remaining work changes Codex app-server lifecycle, context-engine ownership, diagnostics, and user-facing config/status behavior.

Review details

Best possible solution:

Keep this as the canonical architecture tracker, land or close the narrow linked PRs independently, then split the remaining work into reason-coded rotation diagnostics and semantic binding ownership changes with focused Codex app-server/context-engine tests.

Do we have a high-confidence way to reproduce the issue?

No for a high-confidence live Discord/Codex slowdown reproduction in this read-only pass. Source inspection does show the fixed 70,000-token startup guard and compaction binding invalidation paths that motivate the architecture request.

Is this the best way to solve the issue?

Unclear as one implementation: the direction matches the existing thread-bootstrap contract, but the requested work crosses several lifecycle and diagnostics decisions. The maintainable solution is smaller reviewed steps after the existing narrow PRs are resolved.

Remaining risk / open question:

• The full long-running Discord/Codex slowdown has not been live-reproduced in this review; source evidence is strongest for the startup guard and compaction invalidation subpaths.
• The issue intentionally spans diagnostics, binding keys, rollover, workspace bootstrap fingerprints, compaction, and doctor/status output, so a single unreviewed implementation could overreach the Codex/context-engine contract.
• Two open PRs cover narrower slices, so maintainers should avoid closing this tracker until those slices are landed or superseded and the remaining architecture decision is explicitly resolved.

Codex review notes: model gpt-5.5, reasoning high; reviewed against c643370fd85b.

Label changes

Label changes:

• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.

Label justifications:

• P2: This is a normal-priority Codex session-continuity and performance architecture issue with a bounded but nontrivial runtime surface.
• impact:session-state: The issue is about preserving or intentionally rotating Codex native thread/cache state across long-running sessions, projection, rollover, and compaction.

Evidence reviewed

Acceptance criteria:

• node scripts/run-vitest.mjs extensions/codex/src/app-server/run-attempt.context-engine.test.ts --run
• node scripts/run-vitest.mjs extensions/codex/src/app-server/run-attempt.test.ts --run -t "native rollout|context-engine|thread"
• node scripts/run-vitest.mjs extensions/codex/src/app-server/compact.test.ts --run
• pnpm config:docs:check

What I checked:

• Current main hard guard: Current main defines CODEX_APP_SERVER_NATIVE_THREAD_MAX_TOKENS as 70,000 and clears the saved Codex app-server binding when max(sessionTokens, nativeTokens) reaches that value. (extensions/codex/src/app-server/run-attempt.ts:664, c643370fd85b)
• Startup guard still runs before active context-engine setup: The run path reads and rotates the startup binding before resolving activeContextEngine, so semantic context-engine ownership is not the first authority for startup retention on main. (extensions/codex/src/app-server/run-attempt.ts:996, c643370fd85b)
• Thread-bootstrap reuse exists but is narrower than the issue: Current main can skip reprojecting a matching thread_bootstrap epoch, but the decision is limited to the existing binding/projection compatibility path and does not cover the broader startup guard, rollover, or compaction ownership requests. (extensions/codex/src/app-server/run-attempt.ts:4493, c643370fd85b)
• Context-engine compaction still invalidates bindings: When an owning context engine compacts, current main clears the old and compacted Codex app-server bindings and reports codexThreadBindingInvalidated, so preserve-when-compatible compaction is not implemented. (extensions/codex/src/app-server/compact.ts:151, c643370fd85b)
• Docs describe abandon-on-compaction behavior: The runtime docs say owning context engines cause OpenClaw to abandon the old Codex backend thread after compaction, matching current code rather than the requested preservation architecture. Public docs: docs/plugins/codex-harness-runtime.md. (docs/plugins/codex-harness-runtime.md:203, c643370fd85b)
• Related implementation slices are still open: Live GitHub data shows Fix Codex native thread reuse for context-engine bootstraps #85978 and fix(codex): make native thread token guard configurable #86069 are open slice PRs; their bodies explicitly leave the larger semantic compaction-preservation, binding ownership, and diagnostics work to this issue.

Likely related people:

• steipete: Local blame for the current Codex app-server startup guard, context-engine lifecycle, and compaction invalidation regions maps to a broad current-main commit authored by Peter Steinberger in this checkout. (role: recent area contributor; confidence: medium; commits: 2cd93f1c0d91; files: extensions/codex/src/app-server/run-attempt.ts, extensions/codex/src/app-server/compact.ts, extensions/codex/src/app-server/thread-lifecycle.ts)
• 100yenadmin: The issue author supplied the architecture analysis and opened the two current open PR slices for the startup-guard and configurable-token-guard work, so they have the clearest current reproduction and branch context. (role: reporter and linked implementation author; confidence: medium; commits: d16f8144073e, 98d1082b27dd, 80da76695cf8; files: extensions/codex/src/app-server/run-attempt.ts, extensions/codex/src/app-server/run-attempt.context-engine.test.ts, extensions/codex/src/app-server/run-attempt.test.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[100yenadmin]

Follow-up implementation branch prepared for the configurable native-token guard slice:

• Branch: 100yenadmin:codex/semantic-native-reuse-guard
• Commit: 80da76695c (fix(codex): make native thread token guard configurable)
• Stacked on: Fix Codex native thread reuse for context-engine bootstraps #85978 (codex/native-thread-reuse-budget)

I am not opening this as a clean upstream PR yet because #85978 is still open. Opening against openclaw/openclaw:main right now would include the earlier native-thread-reuse commits in the diff. Once #85978 lands, this branch can be rebased onto upstream/main and opened as the follow-up PR for this issue.

What the branch implements:

• Adds agents.defaults.compaction.maxActiveTranscriptTokens for Codex app-server native-thread reuse.
• Preserves the existing default behavior: unset/invalid values still use the current 70000 proactive token guard.
• Allows positive numeric values or token-count strings such as "120k" / "1.5k".
• Allows 0 to disable only the proactive native-token guard.
• Keeps byte rotation active when token rotation is disabled.
• Keeps semantic binding invalidation unchanged.
• Skips Codex rollout-directory scans when both native byte and token guards are disabled.
• Updates config schema/types/help/labels and regenerates the config docs baseline hash.

Focused local validation from /Volumes/LEXAR/repos/worktrees/openclaw-codex-semantic-reuse-guard:

OPENCLAW_VITEST_MAX_WORKERS=1 node scripts/run-vitest.mjs extensions/codex/src/app-server/run-attempt.test.ts --run -t "configured native rollout token|token rotation when configured to zero|configured token limit below|session totals|byte rotation active|skips rollout directory scans"
OPENCLAW_VITEST_MAX_WORKERS=1 node scripts/run-vitest.mjs src/config/zod-schema.agent-defaults.test.ts src/config/config.schema-regressions.test.ts src/config/config.compaction-settings.test.ts src/config/schema.help.quality.test.ts --run -t "compaction.truncateAfterCompaction|preserves memory flush|agent compaction safeguards"
pnpm exec oxfmt --check --threads=1 extensions/codex/src/app-server/run-attempt.ts extensions/codex/src/app-server/run-attempt.test.ts src/config/types.agent-defaults.ts src/config/zod-schema.agent-defaults.ts src/config/zod-schema.agent-defaults.test.ts src/config/config.schema-regressions.test.ts src/config/config.compaction-settings.test.ts src/config/schema.help.ts src/config/schema.labels.ts src/config/schema.help.quality.test.ts
pnpm config:schema:check
pnpm config:docs:check
git diff --check
pnpm tsgo:core:test
pnpm tsgo:extensions:test

Results: all passed locally.

I also ran four read-only adversarial review agents over the uncommitted diff. Two returned zero >=95% findings; two found test/efficiency gaps, all addressed before commit:

• strengthened help-copy assertions so the documented Codex/native/fresh-thread/default/disable/byte-limit contract is actually tested;
• added runtime/schema coverage for "120k" / "50k" string token limits;
• added session-total-only coverage so the configured limit applies to both rollout token usage and sessions.json.totalTokens;
• added byte-limit-preservation coverage when maxActiveTranscriptTokens: 0;
• moved guard resolution before rollout directory scans so disabled guards do not still pay traversal cost.

Scope note: this branch solves the hard-coded native-token-guard configurability slice. It does not yet implement the larger semantic compaction-preservation / binding ownership / doctor diagnostics architecture from this issue.

[100yenadmin]

Architecture clarification after the configurable-guard PR:

I think there are three separate budgets getting conflated here, and that is why 70000 is confusing:

1. Model/runtime context budget
   For openai-codex/gpt-5.5, current docs say the Codex catalog native context window is 400000, while the default OpenClaw runtime contextTokens shape is 272000. This is the budget the final Codex turn must fit inside.

2. OpenClaw assembly / LCM projection budget
   Lossless-claw / context-engine assembly needs enough room for the assembled view, current user request, developer instructions, tool/schema overhead, and response/tool-loop reserve. Codex projection code currently uses a default 20000 projection reserve and scales projected context from contextTokenBudget, not from the hard 70000 native reuse cap.

3. Codex app-server native-thread reuse guard
   The current startup guard reads the saved native thread binding and computes max(sessionTokens, nativeTokens). If that reaches the configured native guard, it clears the binding before startup. Before Fix Codex native thread reuse for context-engine bootstraps #85978/fix(codex): make native thread token guard configurable #86069 this was hard-coded to 70000. It is only a local warm-thread reuse policy, not the model context window and not a direct LCM assembly budget.

So, "why not 258k/272k?" has two answers:

• It should not be 70000 for semantically compatible thread_bootstrap sessions, because a 90k-120k bootstrap can exceed 70k on turn 1 and then force cold native thread startup every later turn.
• It also should not blindly be 258k or 272k, because if the hidden native thread is already near that size, the next turn still has to add developer instructions, current prompt/projection, tool/app config, and response/tool-loop reserve. A cap equal to the whole runtime context would allow avoidable provider-context overflow.

Concrete scenarios:

• Good thread_bootstrap case: LCM assembles a 100k bootstrap for a 272k runtime budget. Turn 1 starts a native Codex thread. Turns 2-10 should resume the same native thread while the LCM projection epoch/fingerprint still matches. Replayed bootstrap pressure is roughly one 100k bootstrap plus deltas.
• Bad fixed-70k case: The same 100k bootstrap records native usage over 70k. Next turn clears the native binding before semantic compatibility can help, so every turn cold-starts and rebuilds/reinjects the bootstrap. Ten turns can look like roughly 10x bootstrap pressure before counting normal deltas and gateway assembly work.
• Bad naive-272k case: A native thread at 250k still needs a new rendered turn, developer instructions, tool schemas/config, and output/tool-loop headroom. Reusing blindly can overflow even though no semantic state changed.

Best architecture:

• Treat Codex native threads as a semantic projection cache.
• Rotate on explicit reset/new, model/provider/auth/tool/MCP/app/environment mismatch, missing native thread, actual app-server/provider overflow, or context-engine projection epoch/fingerprint/policy change.
• Do not rotate solely because a compatible thread_bootstrap native rollout crossed a fixed local number.
• Keep a numeric guard only as a fallback for legacy/ownerless sessions or as a computed safety guard: contextTokenBudget - response/tool reserve - estimated next-turn rendered prompt/developer/tool overhead - margin.
• For LCM/context-engine compaction, preserve or rotate based on the context engine's projection identity. If compaction changes the projection epoch/fingerprint, rotation is correct. If only the local session file rolled over and the semantic projection identity is unchanged, preserving the native binding is likely correct.

I agree this warrants a third architecture PR, but I would not make it one giant behavior refactor. The maintainable third PR should be the architecture foundation:

1. Add structured Codex native-thread rotation reason codes and diagnostics.
2. Log the budget inputs separately: contextTokenBudget, nativeTokens, sessionTokens, rendered developer/prompt estimate, reserve, binding mode, projection epoch/fingerprint, and whether workspace bootstrap contributed.
3. Add tests proving every rotation path reports a reason and that compatible thread_bootstrap sessions are governed by semantic compatibility rather than the legacy hard guard.
4. Add /doctor or status-facing output that distinguishes model/provider context overflow from OpenClaw native-thread reuse rotation.

After that foundation lands, the next behavior PR can safely tackle the harder part: preserving/migrating Codex native bindings across LCM/session-file rollover and context-engine-owned compaction only when the projection identity remains compatible.

[100yenadmin]

2026-05-25 update: semantic preservation PR filed

I filed the fourth stacked PR: #86160.

This changes the proposed architecture from “diagnose rotation” to “preserve the warm Codex thread when semantic identity proves it is safe.” The 70k guard remains in place for legacy/stale bindings; the healthy Codex + context-engine path is now semantic thread_bootstrap ownership.

Why 70k alone cannot be the long-term architecture

The 70k value came from #82981 as a pragmatic guard for oversized native Codex rollouts. That made sense for legacy bindings: if OpenClaw has no semantic proof that the saved native thread still represents the current context, forcing a fresh thread is safer than resuming an overgrown stale thread.

But for context engines using thread_bootstrap, the native thread is a projection cache keyed by engine id, policy fingerprint, projection epoch/fingerprint, and runtime/tool identity. In that mode, rotating solely because the warmed native rollout crossed 70k defeats the Codex app-server fast path.

Value	Meaning	70k as share
70000	OpenClaw proactive native-thread reuse guard for legacy/stale bindings	100%
272000	Codex runtime input cap used by OpenClaw GPT-5.5 forward-compat rows	25.7%
400000	GPT-5.5 native/context window in current OpenClaw catalog/test fixtures	17.5%

Compaction math is the tell:

• 30% of 258k = 77.4k
• 30% of 272k = 81.6k

So a post-compaction long-running agent can still be above 70k. If that alone forces rotation, the system can immediately re-enter cold-start/reprojection pressure after compaction.

Local bootstrap data

I ran a bounded local scan of named bootstrap candidates (AGENTS.md, USER.md, MEMORY.md, SOUL.md, IDENTITY.md, TOOLS.md, BOOTSTRAP.md) under /Volumes/LEXAR/repos, /Volumes/LEXAR/Codex, ~/.openclaw, and ~/.codex, estimating tokens as ceil(bytes / 4).

Metric	Result
Candidate files	3,235
Aggregate directories	2,032
Aggregate p50	~637 tokens
Aggregate p90	~3.8k tokens
Aggregate p99	~13.5k tokens
Max aggregate	~117.7k tokens (~/.codex/memories/MEMORY.md)
Largest repeated AGENTS candidate	~23.6k tokens

Conclusion: the issue is not that every bootstrap file is >70k. It is that total rendered pressure can exceed 70k quickly: compacted history + context-engine projection + developer instructions/bootstrap + native rollout growth. Once Codex has a semantically valid warmed thread, the token-efficient path is preserving that thread, not reprojecting the stable payload every turn.

Architecture after #86160

flowchart TD
  A["Long-running Codex session"] --> B{"Saved native binding?"}
  B -- "Legacy / ownerless / non-bootstrap" --> C{"native/session tokens >= 70k guard?"}
  C -- "yes" --> D["Rotate cold: thread/start + reproject context"]
  C -- "no" --> E["Try normal resume"]
  B -- "context-engine thread_bootstrap" --> F{"Engine + policy + epoch/fingerprint + tools match?"}
  F -- "no" --> D
  F -- "yes" --> G["Resume warm native thread"]
  G --> H["Send current prompt only"]
  H --> I{"Context-engine compaction?"}
  I -- "same file, identity stable" --> J["Preserve binding in place"]
  I -- "successor rollover, identity stable" --> K["Copy binding to successor; clear archived original"]
  I -- "identity changes or app-server rejects" --> D
  J --> G
  K --> G

Loading

What #86160 changes

• Preserves thread_bootstrap Codex bindings after successful context-engine-owned compaction.
• Copies compatible bindings to successor session files during transcript rollover.
• Rereads the active binding after forced compaction before rebuilding the Codex prompt.
• Emits context-engine-compaction-preserved-binding vs context-engine-compaction-invalidated-binding diagnostics.
• Keeps app-server overflow/rejection retry clearing intact.
• Keeps Pi behavior unchanged.
• Keeps the default 70k guard unchanged for legacy/non-bootstrap paths.

Remaining follow-up

/doctor or status UI can now consume the lifecycle reasons added by #86094/#86160. Raising the default guard should still be a separate policy decision, and should be made from lifecycle data rather than guessing.