fix(codex): guard path-only bootstrap files [AI-assisted]

[IWhatsskill]

Summary

Fixes a Codex app-server startup/reporting crash when bootstrap context files are supplied with path and content but no name.

The patch keeps path-based lookup first, treats the filename as optional, and derives the report display name from the path when needed.

Why

OpenClaw can carry context files shaped like:

{ "path": "/workspace/AGENTS.md", "content": "..." }

The Codex system prompt report path later assumed name was always present and could call .trim() through the basename helper with undefined.

What changed

• Guard optional bootstrap file names in the Codex injection stats path.
• Keep lookup by full path before trying filename or basename lookup.
• Derive a stable display name from path when name is absent.
• Add a regression test through runCodexAppServerAttempt() with a hook-supplied path-only bootstrap file.

Real behavior proof

Behavior or issue addressed: Codex app-server startup/reporting could crash while building the system prompt report when a bootstrap context file had path and content but no name; the failing path was runCodexAppServerAttempt -> buildCodexSystemPromptReport -> buildCodexBootstrapInjectionStats -> readCodexIndexedContextFileContent -> getCodexContextFileBasename.

Real environment tested: isolated Linux OpenClaw testserver clone of openclaw/openclaw, Node v22.22.2, pnpm 11.1.0. This was a standalone node --import tsx OpenClaw run outside Vitest. It used a provider-free Codex JSON-RPC stdio app-server process, no live provider credentials, no OAuth, and no secrets.

Exact steps or command run after this patch: applied the patch to the isolated OpenClaw checkout, then ran the standalone proof runner:

OPENCLAW_PR84736_PROOF_MODE=after \
OPENCLAW_PR84736_EXPECT=pass \
node --import tsx .artifacts/pr84736-real-proof/proof-runner.mjs

Before evidence: the same standalone path-only bootstrap scenario on current main reproduced the crash before the app-server turn could start:

PR84736 standalone OpenClaw Codex app-server proof
mode=before
expect=fail
runner=node --import tsx
vitest=false
appServerTransport=stdio
appServerProcess=provider-free Codex JSON-RPC stdio process
workspace=<tmp>/workspace
bootstrapFileShape={ path, content, missing }
appServerMethods=<none>
result=error
errorName=TypeError
errorMessage=Cannot read properties of undefined (reading 'trim')
stackTop=
TypeError: Cannot read properties of undefined (reading 'trim')
    at normalizeCodexContextFilePath (<repo>/extensions/codex/src/app-server/run-attempt.ts:4705:19)
    at getCodexContextFileBasename (<repo>/extensions/codex/src/app-server/run-attempt.ts:4709:10)
    at readCodexIndexedContextFileContent (<repo>/extensions/codex/src/app-server/run-attempt.ts:4501:26)
    at buildCodexBootstrapInjectionStats (<repo>/extensions/codex/src/app-server/run-attempt.ts:4442:32)
    at buildCodexSystemPromptReport (<repo>/extensions/codex/src/app-server/run-attempt.ts:4366:29)

After-fix evidence: copied live terminal output from the same standalone setup after the patch:

PR84736 standalone OpenClaw Codex app-server proof
mode=after
expect=pass
runner=node --import tsx
vitest=false
appServerTransport=stdio
appServerProcess=provider-free Codex JSON-RPC stdio process
workspace=<tmp>/workspace
bootstrapFileShape={ path, content, missing }
[agent/embedded] codex plugin thread config eligibility
appServerMethods=initialize -> initialized -> thread/start -> turn/start
result=success
assistantTextCount=0
reportedFile={"name":"SOUL.md","path":"<tmp>/workspace/SOUL.md","rawChars":50,"injectedChars":50,"truncated":false}
basenameFromPath=true

Observed result after fix: the Codex app-server attempt no longer calls the basename helper with undefined; the app-server reaches turn/start, and the system prompt report emits SOUL.md from the path-only bootstrap file with matching raw and injected character counts.

What was not tested: no live provider request, OAuth flow, routing, or config-shape behavior was changed or tested. The broader generic /context unnamed-bootstrap display fallback remains separate in #47941 and #48021.

Additional validation

Focused regression:

node scripts/run-vitest.mjs extensions/codex/src/app-server/run-attempt.test.ts --run --testNamePattern "reports hook-supplied bootstrap files"
1 passed | 185 skipped

Focused suite:

node scripts/run-vitest.mjs extensions/codex/src/app-server/run-attempt.test.ts src/agents/bootstrap-hooks.test.ts src/agents/bootstrap-files.test.ts src/agents/pi-embedded-helpers.buildbootstrapcontextfiles.test.ts
6 files / 301 tests passed

Other checks:

node_modules/.bin/oxfmt --check --threads=1 extensions/codex/src/app-server/run-attempt.ts extensions/codex/src/app-server/run-attempt.test.ts
passed

git diff --check
passed

node scripts/run-tsgo.mjs -p tsconfig.extensions.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/extensions.tsbuildinfo
passed

node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.extensions.test.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/extensions-test.tsbuildinfo
passed

node scripts/run-oxlint.mjs --tsconfig config/tsconfig/oxlint.extensions.json extensions/codex/src/app-server/run-attempt.ts extensions/codex/src/app-server/run-attempt.test.ts
0 warnings / 0 errors

pnpm check:changed
passed

Notes

No provider, OAuth, routing, config-shape, or fallback behavior is changed.

[clawsweeper]

Codex review: passed.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR updates Codex app-server system-prompt reporting to tolerate bootstrap files with path and content but no name, adds a focused regression test, and records the fix in the changelog.

Reproducibility: yes. The PR body supplies current-main before output with the undefined.trim() stack, and source inspection confirms hook-supplied path-only bootstrap files can reach the Codex report helper.

PR rating
Overall: 🦞 diamond lobster
Proof: 🦞 diamond lobster
Patch quality: 🦞 diamond lobster
Summary: The PR is focused, backed by strong before/after real behavior proof, and has no blocking findings from this review.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Sufficient (live_output): The PR body includes before/after copied live terminal output from a standalone OpenClaw Codex app-server run outside Vitest, showing the crash before and successful turn/start with SOUL.md after the patch.

Next step before merge
No repair job is needed; this PR already contains the focused fix and sufficient proof, so exact-head checks and the existing automerge gate can handle the remaining merge decision.

Security
Cleared: The diff only changes Codex app-server report lookup logic, a colocated test, and changelog text; it does not touch secrets, dependencies, CI, install, release, or package execution paths.

Review details

Best possible solution:

Land the narrow Codex app-server report guard after exact-head checks; keep the broader generic /context unnamed-file fallback on the existing linked issue and PR.

Do we have a high-confidence way to reproduce the issue?

Yes. The PR body supplies current-main before output with the undefined.trim() stack, and source inspection confirms hook-supplied path-only bootstrap files can reach the Codex report helper.

Is this the best way to solve the issue?

Yes. Guarding optional name, preserving path-first lookup, and deriving a display basename in the Codex app-server report layer is the narrowest maintainable fix for this scoped crash.

Label justifications:

• P2: This fixes a focused Codex app-server startup/reporting crash with a small implementation surface and limited blast radius.
• rating: 🦞 diamond lobster: Current PR rating is 🦞 diamond lobster because proof is 🦞 diamond lobster, patch quality is 🦞 diamond lobster, and The PR is focused, backed by strong before/after real behavior proof, and has no blocking findings from this review.
• status: 🚀 automerge armed: This PR is in ClawSweeper's automerge lane. Sufficient (live_output): The PR body includes before/after copied live terminal output from a standalone OpenClaw Codex app-server run outside Vitest, showing the crash before and successful turn/start with SOUL.md after the patch.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes before/after copied live terminal output from a standalone OpenClaw Codex app-server run outside Vitest, showing the crash before and successful turn/start with SOUL.md after the patch.

What I checked:

• Current main crash path: Current main builds Codex system-prompt report stats from bootstrap files, passes file.name through readCodexIndexedContextFileContent, and getCodexContextFileBasename(fileName) calls .trim() on that value, matching the reported undefined-name crash path. (extensions/codex/src/app-server/run-attempt.ts:4442, 9cdf8a1e2f9f)
• Patch guard: The PR head normalizes file.name through readNonEmptyString, derives a display basename from path when needed, and keeps path lookup before filename and basename lookup. (extensions/codex/src/app-server/run-attempt.ts:4443, 466711089908)
• Regression coverage: The PR adds a runCodexAppServerAttempt regression where an agent:bootstrap hook supplies only path, content, and missing, then asserts the report reaches turn/start and emits SOUL.md with matching character counts. (extensions/codex/src/app-server/run-attempt.test.ts:4832, 466711089908)
• Hook source permits runtime mutation: The hook runner hands bootstrapFiles through mutable hook context and returns the updated array, so hook-supplied shapes are part of the runtime path even though the static workspace type requires name. (src/agents/bootstrap-hooks.ts:19, 9cdf8a1e2f9f)
• Related generic fallback remains separate: The provided related context shows the broader generic /context unnamed-bootstrap display issue is still tracked by Context breakdown can label virtual bootstrap files as 'undefined' instead of falling back to path/basename #47941 and fix(context): fall back to path basename for unnamed bootstrap files #48021, so this PR is correctly scoped to Codex app-server reporting. (src/agents/bootstrap-budget.ts:149, 08bd7b740bb6)
• Feature history: git blame ties the current Codex app-server report helper and indexed content lookup to commit 110042d, which introduced this run-attempt surface in the current checkout. (extensions/codex/src/app-server/run-attempt.ts:4333, 110042d840bb)

Likely related people:

• yaoyi1222: git blame attributes the current Codex app-server report helper, bootstrap injection stats, and indexed context lookup to commit 110042d. (role: introduced behavior; confidence: high; commits: 110042d840bb; files: extensions/codex/src/app-server/run-attempt.ts, src/agents/bootstrap-hooks.ts)
• Kevin Lin: Recent git history shows work on the same Codex app-server run-attempt file shortly after the report helper landed. (role: recent adjacent contributor; confidence: medium; commits: 404fd6d9abce; files: extensions/codex/src/app-server/run-attempt.ts, extensions/codex/src/app-server/run-attempt.test.ts)
• Takhoffman: The commit that introduced the current surface includes an Approved-by: takhoffman trailer and co-author signal, making this a plausible routing candidate for owner review. (role: reviewer/merger signal; confidence: medium; commits: 110042d840bb; files: extensions/codex/src/app-server/run-attempt.ts, extensions/codex/src/app-server/run-attempt.test.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 9cdf8a1e2f9f.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 💎 rare Tiny Crabkin

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 💎 rare.
Trait: keeps receipts.
Image traits: location flaky test forest; accessory release bell; palette coral, mint, and warm cream; mood sleepy but ready; pose waving from a small platform; shell brushed metal shell; lighting clean product lighting; background miniature CI buoys.
Share on X: post this hatch
Copy: My PR egg hatched a 💎 rare Tiny Crabkin in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[IWhatsskill]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26198603676
• Updated: 2026-05-21T00:52:41.606Z

[IWhatsskill]

@clawsweeper hatch

[clawsweeper]

🦞👀
ClawSweeper PR egg hatch requested.

I queued a comment sync for this PR. If the egg is hatchable, ClawSweeper will generate the image once and update the existing review comment.
Action: PR egg hatch queued (workflow sweep.yml, event repository_dispatch).
The ASCII egg stays as the fallback.

[Takhoffman]

@clawsweeper automerge

[clawsweeper]

🦞✅
ClawSweeper merged this PR after the passing review.

Source: clawsweeper[bot]
Feedback: structured ClawSweeper verdict: pass (sha=4667110899081e66153f8ed5453c311efb4bd75d)
Merge status: merged by ClawSweeper automerge
Merged at: 2026-05-21T01:55:30Z
Merge commit: c4f14a39a520

What merged:

• The PR updates Codex app-server system-prompt reporting to tolerate bootstrap files with path and content but no name, adds a focused regression test, and records the fix in the changelog.
• Reproducibility: yes. The PR body supplies current-main before output with the undefined.trim() stack, and source inspection confirms hook-supplied path-only bootstrap files can reach the Codex report helper.

Automerge notes:

• PR branch already contained follow-up commit before automerge: fix(codex): guard path-only bootstrap files [AI-assisted]

The automerge loop is complete.

Automerge progress:

• 2026-05-21 01:24:36 UTC review queued 28c1f3368760 (queued)

• 2026-05-21 01:27:16 UTC repair queued 28c1f3368760 (autonomous) Run: https://github.com/openclaw/clawsweeper/actions/runs/26199919943

• 2026-05-21 01:30:03 UTC repair started (running) in 2s Run: https://github.com/openclaw/clawsweeper/actions/runs/26199919943 automerge-openclaw-openclaw-84736

• 2026-05-21 01:30:15 UTC validation plan (passed) in 14s Run: https://github.com/openclaw/clawsweeper/actions/runs/26199919943 pnpm check:changed; pnpm lint; pnpm check:test-types

• 2026-05-21 01:30:32 UTC Codex write preflight (passed) in 31s Run: https://github.com/openclaw/clawsweeper/actions/runs/26199919943 danger-full-access

• 2026-05-21 01:36:16 UTC Codex edit 1 fc0ac9879ed9 (complete) in 6m 14s Run: https://github.com/openclaw/clawsweeper/actions/runs/26199919943 exit 0

• 2026-05-21 01:39:53 UTC validation and review 1 466711089908 (complete) in 9m 52s Run: https://github.com/openclaw/clawsweeper/actions/runs/26199919943 already-current

• 2026-05-21 01:39:58 UTC repair completed 466711089908 (branch updated) in 9m 57s Run: https://github.com/openclaw/clawsweeper/actions/runs/26199919943 initial automerge rebase is delegated to Codex repair

• 2026-05-21 01:39:57 UTC review queued 466711089908 (after repair)

• 2026-05-21 01:47:29 UTC automerge wait 466711089908 (ready) in 17m 28s Run: https://github.com/openclaw/clawsweeper/actions/runs/26199919943 checks and exact-head review are ready

• 2026-05-21 01:55:15 UTC review passed 466711089908 (structured ClawSweeper verdict: pass (sha=4667110899081e66153f8ed5453c311efb4bd...)

• 2026-05-21 01:47:30 UTC repair finished 466711089908 (pushed) in 17m 29s Run: https://github.com/openclaw/clawsweeper/actions/runs/26199919943 repair_contributor_branch

• 2026-05-21 01:49:12 UTC review queued 466711089908 (queued)

• 2026-05-21 01:55:32 UTC merged 466711089908 (merged by ClawSweeper automerge)