Validate Codex app-server command overrides

[TurboTheTurtle]

Summary

• Reject Codex app-server command overrides that combine an executable with inline arguments, such as node C:\...\codex.js.
• Fail closed in the shared Windows spawn resolver before a malformed command can be treated as one .js entrypoint.
• Add a doctor warning that points users to managed Codex startup or appServer.args.

Closes #84365

Real behavior proof

Behavior or issue addressed:
On Windows, a manual Codex appServer.command override like node C:\Users\me\.openclaw\npm\node_modules\@openai\codex\bin\codex.js could flow into spawn resolution as a single command string. The .js suffix then made the whole string look like a Node entrypoint, producing failures like Cannot find module 'C:\WINDOWS\system32\node C:\...\codex.js' instead of a clear config diagnostic.

Real environment tested:
Local OpenClaw source checkout at /Users/andy/openclaw-84365, using the bundled Node runtime at /Users/andy/.cache/codex-runtimes/codex-primary-runtime/dependencies/node/bin/node.

Exact steps or command run after this patch:

PATH=/Users/andy/.cache/codex-runtimes/codex-primary-runtime/dependencies/node/bin:$PATH node scripts/run-vitest.mjs extensions/codex/src/app-server/config.test.ts extensions/codex/src/app-server/transport-stdio.test.ts src/plugin-sdk/windows-spawn.test.ts src/commands/doctor/shared/codex-route-warnings.test.ts
git diff --check
PATH=/Users/andy/.cache/codex-runtimes/codex-primary-runtime/dependencies/node/bin:$PATH node --import tsx --input-type=module --eval 'import { resolveCodexAppServerRuntimeOptions } from "./extensions/codex/src/app-server/config.ts"; import { collectCodexRouteWarnings } from "./src/commands/doctor/shared/codex-route-warnings.ts"; import { resolveWindowsSpawnProgram } from "./src/plugin-sdk/windows-spawn.ts"; const malformed = "node C:\\Users\\me\\.openclaw\\npm\\node_modules\\@openai\\codex\\bin\\codex.js"; const spacedPath = "C:\\Program Files\\OpenAI Codex\\codex.exe"; function capture(fn) { try { return { ok: true, value: fn() }; } catch (error) { return { ok: false, message: error instanceof Error ? error.message : String(error) }; } } const runtime = capture(() => resolveCodexAppServerRuntimeOptions({ pluginConfig: { appServer: { command: malformed } }, env: {}, requirementsToml: null })); const spawn = capture(() => resolveWindowsSpawnProgram({ command: malformed, platform: "win32", env: {}, execPath: "C:\\node\\node.exe" })); const safe = resolveCodexAppServerRuntimeOptions({ pluginConfig: { appServer: { command: spacedPath } }, env: {}, requirementsToml: null }).start.command; const doctorWarnings = collectCodexRouteWarnings({ cfg: { plugins: { entries: { codex: { enabled: true, config: { appServer: { command: malformed } } } } } } }).filter((warning) => warning.includes("app-server command")); const payload = { malformedCommand: malformed, runtimeRejected: !runtime.ok, runtimeMessage: runtime.ok ? null : runtime.message, windowsSpawnRejected: !spawn.ok, windowsSpawnMessage: spawn.ok ? null : spawn.message, spacedExecutablePreserved: safe, doctorWarningCount: doctorWarnings.length, doctorWarning: doctorWarnings[0] ?? null }; console.log(JSON.stringify(payload, null, 2)); if (runtime.ok || spawn.ok || safe !== spacedPath || doctorWarnings.length !== 1) process.exit(1);'

Evidence after fix:

{
  "malformedCommand": "node C:\\Users\\me\\.openclaw\\npm\\node_modules\\@openai\\codex\\bin\\codex.js",
  "runtimeRejected": true,
  "windowsSpawnRejected": true,
  "spacedExecutablePreserved": "C:\\Program Files\\OpenAI Codex\\codex.exe",
  "doctorWarningCount": 1
}

Observed result after fix:
The malformed override is rejected during Codex runtime option resolution and again by the shared Windows spawn resolver. Doctor reports one targeted warning for the same config shape. A valid executable path with spaces is still preserved as a direct command.

What was not tested:
I did not run a live Windows npm-global Codex app-server session. This patch covers the source-reproducible malformed override path with Windows spawn simulation and doctor/runtime tests.

Validation

Test Files  4 passed (4)
Tests  147 passed (147)

git diff --check also passed.

Author attribution: if this PR is squash-merged or reworked, please preserve the commit author Andy Ye <35905412+TurboTheTurtle@users.noreply.github.com> or include Co-authored-by: Andy Ye <35905412+TurboTheTurtle@users.noreply.github.com>.

[clawsweeper]

Codex review: passed.

Latest ClawSweeper review: 2026-05-22 05:37 UTC / May 22, 2026, 1:37 AM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR rejects Codex app-server command overrides that embed Node/package-manager inline arguments, adds matching doctor diagnostics, regression tests, and a changelog entry.

Reproducibility: yes. for the scoped malformed override path: current main passes the combined command string through to the Windows spawn resolver, and the PR body shows after-fix resolver/doctor live output. I did not establish a live Windows npm-global managed-startup reproduction.

PR rating
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Summary: Good focused bug-fix PR with sufficient targeted proof and no blocking findings, with remaining confidence limited by absence of a live Windows managed-startup smoke.

Rank-up moves:

• Before closing the linked Windows issue as fully exhausted, verify or separately track the managed Codex binary discovery path on a real Windows npm/global install.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Sufficient (live_output): The PR body includes after-fix terminal/live-output proof for Codex runtime validation, shared Windows spawn validation, spaced executable preservation, and doctor warning behavior.

Risk before merge

• Merging intentionally turns malformed executable-plus-arguments app-server overrides into validation errors; that matches the documented command/args contract but is visible upgrade behavior for users with copied workarounds.
• The patch adds an exported helper on the public openclaw/plugin-sdk/windows-spawn subpath; it is additive and generic, but maintainers should be comfortable with that SDK surface becoming part of the contract.
• The linked Windows report also mentioned managed Codex binary discovery; this PR fixes and proves the malformed manual override path, not a live Windows npm-global managed-startup session.

Maintainer options:

1. Accept the scoped fail-closed validation (recommended)
   Merge with maintainer acceptance that malformed appServer.command strings now fail early and that this is the intended compatibility break for a broken workaround.
2. Require a live Windows smoke first
   Pause merge until a Windows npm/global Codex managed-startup smoke proves the broader linked issue can be closed end to end.
3. Rework if SDK expansion is not wanted
   If maintainers do not want a new public windows-spawn helper, rework the validation behind an approved internal or documented SDK seam before merging.

Next step before merge
No repair lane is needed because the PR is focused, maintainer-opted into automerge, has sufficient proof, and has no discrete code defect for automation to fix.

Security
Cleared: The diff adds fail-closed config/spawn validation, diagnostics, tests, and a changelog entry without adding dependencies, workflow changes, lifecycle hooks, or broader secret handling.

Review details

Best possible solution:

Land the narrow validation and doctor diagnostic after exact-head checks, while leaving any remaining Windows managed-binary discovery failure to separate follow-up if it still reproduces.

Do we have a high-confidence way to reproduce the issue?

Yes for the scoped malformed override path: current main passes the combined command string through to the Windows spawn resolver, and the PR body shows after-fix resolver/doctor live output. I did not establish a live Windows npm-global managed-startup reproduction.

Is this the best way to solve the issue?

Yes for the PR's stated scope: rejecting executable-plus-arguments values and pointing users to appServer.args matches the existing command/args contract better than shell-style splitting. The broader managed-binary discovery part of the linked report remains a separate proof question.

Label changes:

• add merge-risk: 🚨 compatibility: The PR deliberately rejects existing malformed app-server command override strings during config/runtime resolution instead of letting them reach spawn.
• add status: 🚀 automerge armed: This PR is in ClawSweeper's automerge lane. Sufficient (live_output): The PR body includes after-fix terminal/live-output proof for Codex runtime validation, shared Windows spawn validation, spaced executable preservation, and doctor warning behavior.
• remove status: 👀 ready for maintainer look: Current PR status label is status: 🚀 automerge armed.

Label justifications:

• P1: The PR addresses a Windows Codex startup failure that can make Codex-backed chats unusable for affected users.
• merge-risk: 🚨 compatibility: The PR deliberately rejects existing malformed app-server command override strings during config/runtime resolution instead of letting them reach spawn.
• rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🐚 platinum hermit, patch quality is 🐚 platinum hermit, and Good focused bug-fix PR with sufficient targeted proof and no blocking findings, with remaining confidence limited by absence of a live Windows managed-startup smoke.
• status: 🚀 automerge armed: This PR is in ClawSweeper's automerge lane. Sufficient (live_output): The PR body includes after-fix terminal/live-output proof for Codex runtime validation, shared Windows spawn validation, spaced executable preservation, and doctor warning behavior.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix terminal/live-output proof for Codex runtime validation, shared Windows spawn validation, spaced executable preservation, and doctor warning behavior.

What I checked:

• Current main passes command override through raw: Current main reads plugins.entries.codex.config.appServer.command or OPENCLAW_CODEX_APP_SERVER_BIN into command and separately resolves appServer.args, with no inline-argument validation before spawn. (extensions/codex/src/app-server/config.ts:351, e32e0f3f7f3e)
• Current main Windows spawn can classify a malformed string as a Node entrypoint: Current main resolves .js commands by using execPath and placing the whole resolved command in leadingArgv, matching the linked issue's node C:\...\codex.js treated as one module path failure mode. (src/plugin-sdk/windows-spawn.ts:218, e32e0f3f7f3e)
• PR adds shared inline-argument detection before Windows resolution: The PR branch adds detectWindowsSpawnCommandInlineArgs for Node/package-manager command prefixes and throws before resolving Windows spawn candidates when inline arguments are detected. (src/plugin-sdk/windows-spawn.ts:106, 966bcd6617f2)
• PR adds Codex config validation for config and env overrides: The PR branch validates both config and environment app-server command sources, then directs users to appServer.args or managed startup when a combined command string is found. (extensions/codex/src/app-server/config.ts:309, 966bcd6617f2)
• PR adds doctor warning for malformed Codex command config: The PR branch adds collectCodexAppServerCommandWarnings and pushes that warning into the existing Codex route-warning list before other route diagnostics. (src/commands/doctor/shared/codex-route-warnings.ts:2431, 966bcd6617f2)
• Current docs and plugin metadata support executable-only command semantics: The Codex harness docs say appServer.command is for a different executable, and the plugin metadata labels appServer.args as the arguments used for stdio transport. Public docs: docs/plugins/codex-harness.md. (docs/plugins/codex-harness.md:322, e32e0f3f7f3e)

Likely related people:

• steipete: History shows Peter Steinberger introduced Codex app-server controls and authored adjacent Windows wrapper resolver hardening used by this fix path. (role: feature introducer and adjacent Windows spawn contributor; confidence: high; commits: 31a0b7bd42a5, 12c12570238c, 68a8a98ab761; files: extensions/codex/src/app-server/config.ts, docs/plugins/codex-harness.md, src/plugin-sdk/windows-spawn.ts)
• Dallin Romney: Current-main blame/log for the central Codex app-server config, doctor warning file, and Windows spawn file points to a recent broad plugin-load refactor touching these paths. (role: recent area contributor; confidence: medium; commits: dca9cecaeed9; files: extensions/codex/src/app-server/config.ts, src/commands/doctor/shared/codex-route-warnings.ts, src/plugin-sdk/windows-spawn.ts)
• vincentkoc: Recent history on the Codex app-server config includes configurable post-tool raw assistant timeout work in the same runtime-options surface. (role: recent Codex app-server contributor; confidence: medium; commits: 60d200f79719; files: extensions/codex/src/app-server/config.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against e32e0f3f7f3e.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Velvet Branchling

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: stacks clean commits.
Image traits: location flaky test forest; accessory miniature diff map; palette charcoal, cyan, and signal green; mood sparkly; pose holding its accessory up for inspection; shell smooth pearl shell; lighting cool dashboard glow; background little resolved-comment flags.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Velvet Branchling in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[Takhoffman]

@clawsweeper merge

[TurboTheTurtle]

@clawsweeper automerge

[TurboTheTurtle]

Rebased this branch onto current upstream/main to resolve the merge conflict.\n\nConflict resolution: kept the new upstream sandbox-exec config helper and preserved this PR's Codex app-server command inline-args validation helper.\n\nValidation:\n- npm run test -- extensions/codex/src/app-server/config.test.ts src/plugin-sdk/windows-spawn.test.ts src/commands/doctor/shared/codex-route-warnings.test.ts\n- git diff --check\n\nAuthor check before push:\n\ntext\n774392d644 Andy Ye <35905412+TurboTheTurtle@users.noreply.github.com> Validate Codex app-server command overrides\n\n\nRaw Pulls API still reports maintainer_can_modify: true.\n\n@clawsweeper re-review

[Takhoffman]

@clawsweeper automerge

[clawsweeper]

🦞✅
ClawSweeper merged this PR after the passing review.

Source: clawsweeper[bot]
Feedback: structured ClawSweeper verdict: pass (sha=966bcd6617f26291a244c24c571e5f1b2b3596e0)
Merge status: merged by ClawSweeper automerge
Merged at: 2026-05-22T05:39:03Z
Merge commit: 03125c8e132d

What merged:

• The PR rejects Codex app-server command overrides that embed Node/package-manager inline arguments, adds matching doctor diagnostics, regression tests, and a changelog entry.
• Reproducibility: yes. for the scoped malformed override path: current main passes the combined command strin ... ix resolver/doctor live output. I did not establish a live Windows npm-global managed-startup reproduction.

Automerge notes:

• PR branch already contained follow-up commit before automerge: Validate Codex app-server command overrides

The automerge loop is complete.

Automerge progress:

• 2026-05-22 05:17:53 UTC review queued 774392d64437 (queued)

• 2026-05-22 05:20:19 UTC repair queued 774392d64437 (autonomous) Run: https://github.com/openclaw/clawsweeper/actions/runs/26269940786

• 2026-05-22 05:23:10 UTC repair started (running) in 1s Run: https://github.com/openclaw/clawsweeper/actions/runs/26269940786 automerge-openclaw-openclaw-84417

• 2026-05-22 05:23:26 UTC validation plan (passed) in 16s Run: https://github.com/openclaw/clawsweeper/actions/runs/26269940786 pnpm check:changed; pnpm lint; pnpm check:test-types

• 2026-05-22 05:23:37 UTC Codex write preflight (passed) in 27s Run: https://github.com/openclaw/clawsweeper/actions/runs/26269940786 danger-full-access

• 2026-05-22 05:28:16 UTC Codex edit 1 32bb7a693da5 (complete) in 5m 7s Run: https://github.com/openclaw/clawsweeper/actions/runs/26269940786 exit 0

• 2026-05-22 05:32:23 UTC validation and review 1 966bcd6617f2 (complete) in 9m 13s Run: https://github.com/openclaw/clawsweeper/actions/runs/26269940786 already-current

• 2026-05-22 05:32:29 UTC repair completed 966bcd6617f2 (branch updated) in 9m 20s Run: https://github.com/openclaw/clawsweeper/actions/runs/26269940786 initial automerge rebase is delegated to Codex repair

• 2026-05-22 05:32:29 UTC review queued 966bcd6617f2 (after repair)

• 2026-05-22 05:39:18 UTC automerge wait 966bcd6617f2 (merged) in 16m 8s Run: https://github.com/openclaw/clawsweeper/actions/runs/26269940786 pull request already merged

• 2026-05-22 05:38:52 UTC review passed 966bcd6617f2 (structured ClawSweeper verdict: pass (sha=966bcd6617f26291a244c24c571e5f1b2b359...)

• 2026-05-22 05:39:05 UTC merged 966bcd6617f2 (merged by ClawSweeper automerge)

• 2026-05-22 05:39:19 UTC repair finished 966bcd6617f2 (pushed) in 16m 9s Run: https://github.com/openclaw/clawsweeper/actions/runs/26269940786 repair_contributor_branch