fix(agents): exclude openai-codex from WebSocket transport + hooks soft/hard blockMode

[marioperezpereira]

What

1. Fix Codex tool execution regression: The WebSocket transport (d72cc7a3, PR fix: route codex responses over websocket and suppress gated core tool warnings #53702) hardcodes wss://api.openai.com/v1/responses, but Codex models use chatgpt.com/backend-api which has no compatible WebSocket endpoint. Routing Codex through WS caused tool calls to silently degrade. Fix: restrict shouldUseOpenAIWebSocketTransport to vanilla OpenAI only so Codex falls back to the working HTTP stream path. Fixes regression introduced in d72cc7a (fix: route codex responses over websocket and suppress gated core tool warnings #53702).

2. Add soft/hard blockMode to before_tool_call hooks: Non-security blocks were treated as unconditionally terminal, preventing lower-priority handlers from clearing them or routing through approval. Adds blockMode?: "hard" | "soft" to PluginHookBeforeToolCallResult (default "hard" for backward compat). Hard blocks short-circuit; soft blocks allow downstream handlers to clear with { block: false } or route through requireApproval.

3. Harden before_tool_call consumer for soft block + approval semantics:

   • Soft blocks without requireApproval still block by default.
   • Soft blocks with requireApproval from the same plugin go through the approval flow.
   • A lower-priority plugin cannot convert another plugin's soft block into an approval prompt without clearing the block first.

4. Fix live test env on Windows / non-bash shells: loadProfileEnv() now tries multiple bash candidates (including Git Bash paths on Windows) and falls back to static .profile parsing. Profile loading is restricted to explicit live test runs to avoid bleeding into normal CI.

Changes

• attempt.thread-helpers.ts / attempt.spawn-workspace.websocket.test.ts: Exclude openai-codex from WS transport selection
• hooks.ts: Soft/hard block merge logic with block ownership tracking
• types.ts: Add blockMode and blockOwnerPluginId fields
• pi-tools.before-tool-call.ts: Honor soft block + approval semantics in the consumer
• hooks.security.test.ts, hooks.before-tool-call.test.ts, hooks.test-helpers.ts: Tests for soft/hard semantics and approval ownership
• pi-tools.before-tool-call.e2e.test.ts: E2E tests for hard block, soft block, soft block + approval
• test/test-env.ts / test/test-env.test.ts: Cross-platform profile env loading, fallback on empty shell loads, restrict to live runs
• Docs (automation/hooks.md, concepts/agent-loop.md, plugins/building-plugins.md, plugins/sdk-overview.md, tools/plugin.md): Updated hook decision semantics, clarified { block: false } no-op against hard blocks

Testing

• All hook merger tests pass (25 tests)
• E2E approval flow tests pass
• test-env tests pass (5 tests, including bash-unavailable fallback)
• Extension contract tests pass
• Windows CI shards pass

AI Disclosure

AI-assisted (Claude + OpenAI Codex). Fully tested locally and in CI. All bot review conversations addressed.

[greptile-apps]

Greptile Summary

This PR fixes a regression where all before_tool_call blocks were treated as hard/terminal, causing non-security plugins' blocks to silently prevent lower-priority plugins from running any corrective or approval logic. The fix introduces a blockMode field ("hard" | "soft") on PluginHookBeforeToolCallResult, with "hard" as the default (preserving backward compatibility), and updates the hook-runner merge logic so that soft blocks can be cleared by a lower-priority handler returning { block: false }.

Key changes:

• src/plugins/types.ts — adds blockMode?: "hard" | "soft" to PluginHookBeforeToolCallResult
• src/plugins/hooks.ts — refactors mergeResults / shouldStop for before_tool_call: hard blocks still short-circuit; soft blocks allow downstream handlers to clear them
• src/plugins/hooks.security.test.ts — two new test cases covering soft-block clearing and omitted-blockMode defaults; the "hard-default" test contains redundant result fields alongside handler mocks (only the mock is used at runtime)
• Docs (5 files) — consistently updated to describe the new semantics, but three doc files remove the explicit note that { block: false } is a no-op against hard blocks

Confidence Score: 5/5

Safe to merge — the core logic is correct, backward-compatible, and covered by tests; remaining findings are P2 style/doc improvements.

All open findings are P2: a redundant result field in one test (no effect on correctness) and a minor documentation gap about { block: false } being a no-op for hard blocks. The implementation correctly normalises blockMode, guards the hard-block short-circuit, clears soft blocks only when appropriate, and does not regress any existing semantics. No P0 or P1 issues found.

src/plugins/hooks.security.test.ts (redundant result fields) and the three doc files that dropped the hard-block no-op clarification: docs/concepts/agent-loop.md, docs/plugins/sdk-overview.md, docs/tools/plugin.md.

Important Files Changed

Filename	Overview
src/plugins/hooks.ts	Refactors mergeResults and shouldStop for before_tool_call to support soft vs hard block semantics. Hard blocks short-circuit as before; soft blocks allow lower-priority handlers to clear them via { block: false }. Logic is correct and backward-compatible.
src/plugins/types.ts	Adds `blockMode?: "hard"
src/plugins/hooks.security.test.ts	Adds two new test cases for soft-block clearing and hard-default behaviour. The soft-block test is clean. The hard-default test provides redundant result fields alongside handler mocks — per addStaticTestHooks, the result fields are ignored when handler is present.
docs/automation/hooks.md	Documents blockMode field and updates block-vs-requireApproval precedence description. Accurate and complete relative to the implementation.
docs/concepts/agent-loop.md	Updates hook decision rules for soft/hard blocks but removes the explicit statement that { block: false } is a no-op against hard blocks, leaving a documentation gap.
docs/plugins/building-plugins.md	Consistent update to hook guard semantics section; accurately reflects new soft/hard block behaviour.
docs/plugins/sdk-overview.md	Removes explicit mention that { block: false } is a no-op (same gap as agent-loop.md); otherwise consistent with implementation.
docs/tools/plugin.md	Same no-op documentation gap as the other doc files; logic otherwise correct.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: src/plugins/hooks.security.test.ts
Line: 127-144

Comment:
**Redundant `result` fields when `handler` is provided**

In both hook entries of this test, a `handler` mock and a `result` object are specified simultaneously. Per `addStaticTestHooks` in `hooks.test-helpers.ts` (line 113):

```typescript
handler: (handler ?? (() => result)) as PluginHookRegistration["handler"],
```

When `handler` is provided, `result` is completely ignored and the mock function is used directly. This means the two `result` fields here are dead code — they have no effect on what the handler actually returns. The test still passes correctly (because the mocks return the same values as the `result` fields), but the extra `result` entries add noise and could mislead a future maintainer into thinking they influence hook behaviour.

Consider removing the redundant `result` fields for clarity:

```suggestion
  it("treats omitted blockMode as hard and remains terminal", async () => {
    const high = vi.fn().mockReturnValue({ block: true, blockReason: "hard-default" });
    const low = vi.fn().mockReturnValue({ block: false });
    const result = await runBeforeToolCallWithHooks(registry, [
      {
        pluginId: "high",
        priority: 100,
        handler: high,
      },
      { pluginId: "low", priority: 10, handler: low },
    ]);
```

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: docs/concepts/agent-loop.md
Line: 94-102

Comment:
**`block: false` no-op behaviour for hard blocks no longer documented**

The previous bullet —

> `before_tool_call`: `{ block: false }` is a no-op and does not clear a prior block.

— has been removed from this file, and from `docs/plugins/sdk-overview.md` and `docs/tools/plugin.md` as well. The new phrasing ("soft blocks *may* be cleared …") implies that hard blocks cannot be cleared, but it no longer states this explicitly.

A plugin author who sees that `{ block: false }` can clear a soft block may reasonably wonder: "Can I also use `{ block: false }` to override a hard block from a higher-priority plugin?" Without a direct answer in the docs they would need to read the source to be sure.

Consider adding a clarifying bullet, e.g.:

```
- `before_tool_call`: `{ block: false }` is a no-op against a `"hard"` block and does not clear it.
```

The same gap exists in `docs/plugins/sdk-overview.md` and `docs/tools/plugin.md`.

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "tests: align hard block default expectat..." | Re-trigger Greptile}

[chatgpt-codex-connector]

💡 Codex Review

https://github.com/openclaw/openclaw/blob/22adbcbc4e5d1a62c866909313cd9a7c8850f205/openclaw-2026.3.27.tgz#L1
Remove bundled release archives from repository history

This commit adds openclaw-2026.3.27.tgz (and a matching -fixed tarball) at repo root even though *.tgz is gitignored and these archives are not referenced by source or tests (repo-wide search). Keeping large packed artifacts in git history adds tens of MB of permanent bloat, slowing clone/fetch and CI cache churn for every developer without improving runtime behavior, so these files should be dropped from the change.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 01fa271c09

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ab77e10dc4

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 50b3ff457b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chosen67one-source]

🤛

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bd1ed79b69

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chosen67one-source]

👌
Fixes #

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 308075a617

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 605095eab9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 56b24ef39f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[marioperezpereira]

Ready for review 👌🏻

[openclaw-barnacle]

This pull request has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[clawsweeper]

Codex review: found issues before merge.

Summary
The PR restricts OpenAI WebSocket transport selection, adds soft/hard before_tool_call blockMode semantics with docs/tests/consumer changes, adjusts live .profile env loading, and updates the .tgz gitignore pattern.

Reproducibility: yes. Static inspection gives high-confidence reproduction paths: merge a soft block plus approval followed by lower-priority { block: false }, or merge an earlier approval followed by a different plugin's soft block; for profile loading, make the first shell emit an unrelated absent env var while failing to source .profile.

Next step before merge
The remaining blockers are narrow, but the PR changes security-sensitive tool approval semantics and is stale against current main, so maintainer review should confirm the intended ownership model before repair automation runs.

Security
Needs attention: The diff touches tool approval semantics and currently lets stale or unrelated approvals survive soft-block ownership changes.

Review findings

• [P2] Clear approvals when clearing soft blocks — src/plugins/hooks.ts:723-728
• [P2] Drop unrelated approvals for new soft blocks — src/plugins/hooks.ts:751-752
• [P2] Require profile-derived env before returning — test/test-env.ts:92-98

Review details

Best possible solution:

Rebase onto current main, keep the newer endpoint-aware WebSocket guard, implement blockMode in the current hook-types.ts public contract and runner/consumer paths, clear/drop approval ownership whenever soft-block ownership changes, make profile loading require profile-derived vars before returning, and add focused tests plus a changelog entry.

Do we have a high-confidence way to reproduce the issue?

Yes. Static inspection gives high-confidence reproduction paths: merge a soft block plus approval followed by lower-priority { block: false }, or merge an earlier approval followed by a different plugin's soft block; for profile loading, make the first shell emit an unrelated absent env var while failing to source .profile.

Is this the best way to solve the issue?

No, not as-is. The direction is plausible, but current main already has the better Codex transport guard and this branch needs the approval ownership, profile fallback, rebase, and changelog defects fixed before it is the narrow maintainable solution.

Full review comments:

• [P2] Clear approvals when clearing soft blocks — src/plugins/hooks.ts:723-728
  When a lower-priority hook returns { block: false }, this branch clears the soft block fields but leaves acc.requireApproval in the merged result. The consumer can still prompt for approval even though the soft block was explicitly cleared, so clearing a soft block is incomplete.
  Confidence: 0.8
• [P2] Drop unrelated approvals for new soft blocks — src/plugins/hooks.ts:751-752
  This merge keeps acc.requireApproval before considering that next may be a soft block from a different plugin. A prior approval can therefore authorize a later plugin's soft block, even though soft blocks are supposed to block by default unless their owner also requested approval or the block is cleared.
  Confidence: 0.77
• [P2] Require profile-derived env before returning — test/test-env.ts:92-98
applied counts any new variable emitted by the shell's full env -0 output. If the first shell fails to source .profile but emits an unrelated absent variable, this returns early and skips later shell candidates and static parsing, so profile-only live credentials can still be missed.
  Confidence: 0.74
• [P3] Add the required changelog entry — src/plugins/types.ts:2152-2155
  This PR changes user-facing agent transport behavior and the public plugin hook contract, but it does not add a CHANGELOG.md entry. OpenClaw release policy requires a single-line user-facing entry before this lands.
  Confidence: 0.86

Overall correctness: patch is incorrect
Overall confidence: 0.84

Security concerns:

• [medium] Soft-block approval ownership can be bypassed — src/plugins/hooks.ts:751
  Because the merger preserves existing approvals when a soft block is cleared or when a different plugin later soft-blocks, a tool call can enter approval flow when it should either be unblocked cleanly or blocked by default. That is a concrete policy-control regression in a tool execution path.
  Confidence: 0.76

What I checked:

• Current main already rejects Codex for OpenAI WebSocket: shouldUseOpenAIWebSocketTransport returns false unless modelApi is openai-responses, provider is openai, and the endpoint resolves to the public/default OpenAI class; the adjacent test rejects openai-codex plus openai-codex-responses. (src/agents/pi-embedded-runner/run/attempt.thread-helpers.ts:46, 4655ee803d27)
• Current main lacks the proposed hook field: PluginHookBeforeToolCallResult currently exposes params, block, blockReason, and requireApproval; there is no blockMode or block-owner field on current main. (src/plugins/hook-types.ts:421, 4655ee803d27)
• Current main still treats every block as terminal: The current hook merger returns early on any prior block === true and shouldStop stops on any true block, so lower-priority hooks cannot clear a soft block today. (src/plugins/hooks.ts:1014, 4655ee803d27)
• PR merge logic leaves stale approvals attached: The PR clears soft-block fields on { block: false } but does not clear acc.requireApproval; it also preserves acc.requireApproval before checking whether a later soft block is owned by a different plugin. (src/plugins/hooks.ts:723, 56b24ef39f4e)
• PR profile fallback can stop on unrelated env: The PR returns after any newly applied entry from a shell's full env -0 output, not after proving that a .profile-derived variable loaded, so later shell/static fallbacks can still be skipped. (test/test-env.ts:92, 56b24ef39f4e)
• Changelog coverage is still missing: Searching the current changelog found no blockMode or PR-specific entry; the only nearby WebSocket entry is older and describes making openai-codex WebSocket-first, not this PR's reversal plus hook contract change. (CHANGELOG.md:5873, 4655ee803d27)

Likely related people:

• steipete: Recent current-main history owns the live test env area and several agent/tool transport and tool-loop fixes adjacent to this PR's runtime surfaces. (role: recent maintainer and adjacent owner; confidence: high; commits: b1cfba2fc285, 4407c317f38e, ac5af483cbcd; files: src/agents/pi-tools.before-tool-call.ts, src/agents/pi-embedded-runner/run/attempt.thread-helpers.ts, test/test-env.ts)
• vincentkoc: Recent GitHub commit history shows repeated work on plugin hook surfaces, diagnostics carried through hooks, and OpenAI Responses transport behavior around the affected files. (role: hook contract and plugin runtime maintainer; confidence: high; commits: bcdacfa1b3df, cead2ea4b106, 1b25dcf57a9f; files: src/plugins/hooks.ts, src/plugins/hook-types.ts, src/agents/pi-embedded-runner/run/attempt.thread-helpers.ts)
• 100yenadmin: Related merged work added generic plugin host-hook contracts and Codex/Pi harness seams, including discussion that references this PR and preserves OpenAI-Codex WebSocket safety boundaries. (role: recent plugin SDK and Codex harness contributor; confidence: medium; commits: 1adaa28dc86b, 600cdedee473, 9f72d93e8fef; files: src/plugins/hook-types.ts, src/plugins/hooks.ts, src/agents/pi-embedded-runner/run/attempt.thread-helpers.ts)

Remaining risk / open question:

• The branch is stale against current main's hook-type split and newer endpoint-aware WebSocket guard, so a rebase will need real conflict resolution rather than a mechanical merge.
• The PR changes tool blocking and approval policy, so the soft-block ownership model needs maintainer confirmation before merge.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 4655ee803d27.