fix(codex): beta blocker - keep context engine on canonical session key

[neeravmakwana]

Summary

• Problem: Telegram DM runs can carry a per-peer runtimePolicySessionKey for sandbox/runtime policy decisions, and Codex was reusing that key for context-engine history.
• Solution: keep a separate contextSessionKey derived from the canonical run sessionKey, and use it for context-engine/bootstrap/finalization surfaces.
• What changed: Codex context-engine calls, workspace bootstrap context, prompt reporting, compaction/maintenance, transcript mirroring, and finalization now use the canonical context session key.
• What did NOT change (scope boundary): sandbox resolution, tool/runtime policy scoping, channel routing, Telegram allowlisting, model selection, and provider/network behavior are unchanged.

Motivation

• Closes Beta blocker: runtime policy session key leaks into LCM context for Telegram DMs #84936. This fixes the beta-blocking failure mode where a per-peer runtime policy key can leak into LCM/context-engine lookup and make Telegram DMs select the wrong or stale conversation history.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes Beta blocker: runtime policy session key leaks into LCM context for Telegram DMs #84936
• This PR fixes a bug or regression

Real behavior proof (required for external PRs)

• Behavior or issue addressed: Telegram DM dispatch should keep the conversation/context session on agent:main:main even when runtime policy derives a per-peer Telegram key.
• Real environment tested: local OpenClaw gateway on macOS with only Telegram enabled in an isolated temporary config/state directory; bot token was loaded from local .env and not printed; Telegram DM sender was allowlisted by numeric ID.
• Exact steps or command run after this patch:
  1. Built and ran the patched local gateway with a Telegram-only config.
  2. Sent one unique Telegram DM from the allowlisted user to the local bot.
  3. Captured verbose gateway/runtime logs and checked for canonical sessionKey=agent:main:main on dispatch, compaction checks, embedded pre-prompt diagnostics, and completion.
• Evidence after fix (redacted runtime log):

Focused regression:
- pnpm test src/auto-reply/reply/runtime-policy-session-key.test.ts extensions/codex/src/app-server/run-attempt.context-engine.test.ts -- --reporter=verbose
- Passed: 2 Vitest shards, 21 tests.
- New regression: keeps context-engine history bound to the run session when sandbox key differs.

Redacted live Telegram gateway logs from the patched local build:

2026-05-21T08:54:56.797-04:00 [gateway] agent model: google/gemini-2.5-flash (thinking=medium, fast=off)
2026-05-21T08:54:56.798-04:00 [gateway] http server listening (10 plugins: acpx, bonjour, browser, canvas, device-pair, file-transfer, memory-core, phone-control, talk-voice, telegram; 4.9s)
2026-05-21T08:54:57.599-04:00 [telegram] [default] starting provider (@openclaw_local_telegram_bot)
2026-05-21T08:54:58.026-04:00 [gateway] ready

2026-05-21T08:55:42.819-04:00 [telegram] update: {"update_id":580665149,"message":{"message_id":53,"from":"[redacted]","chat":{"id":"[redacted]","first_name":"[redacted]","username":"[redacted]","type":"private"},"date":1779368142,"text":"[redacted]"}}
2026-05-21T08:55:42.828-04:00 [routing] resolveAgentRoute: channel=telegram accountId=default peer=direct:<redacted-user-id> guildId=none teamId=none bindings=0
2026-05-21T08:55:42.860-04:00 [telegram] Inbound message telegram:<redacted-user-id> -> @openclaw_local_telegram_bot (direct, 30 chars)
2026-05-21T08:55:43.058-04:00 [diagnostic] message queued: sessionId=unknown sessionKey=agent:main:main source=dispatch queueDepth=1 sessionState=idle
2026-05-21T08:55:43.059-04:00 [diagnostic] session state: sessionId=unknown sessionKey=agent:main:main prev=idle new=processing reason="message_start" queueDepth=1

2026-05-21T08:55:59.208-04:00 preflightCompaction check: sessionKey=agent:main:main tokenCount=undefined contextWindow=200000 threshold=176000 ...
2026-05-21T08:55:59.218-04:00 memoryFlush check: sessionKey=agent:main:main tokenCount=undefined contextWindow=200000 threshold=176000 ...
2026-05-21T08:56:07.191-04:00 [diagnostic] session state: sessionId=<redacted-session-id> sessionKey=agent:main:main prev=processing new=processing reason="run_started" queueDepth=1
2026-05-21T08:56:07.212-04:00 [agent/embedded] [context-diag] pre-prompt: sessionKey=agent:main:main messages=0 roleCounts=none historyTextChars=0 ... provider=google/gemini-2.5-flash sessionFile=<redacted-session-file>
2026-05-21T08:56:07.215-04:00 [agent/embedded] [context-overflow-precheck] pre-prompt check sessionKey=agent:main:main provider=google/gemini-2.5-flash route=fits ...

2026-05-21T08:56:14.901-04:00 [diagnostic] message processed: channel=telegram chatId=telegram:<redacted-user-id> messageId=53 sessionId=unknown sessionKey=agent:main:main outcome=completed duration=32014ms
2026-05-21T08:56:14.903-04:00 [diagnostic] session state: sessionId=<redacted-session-id> sessionKey=agent:main:main prev=idle new=idle reason="message_completed" queueDepth=0

I also checked the proof log for sessionKey=agent:main:telegram... during this turn and did not find the per-peer Telegram key in the runtime/context lines above.

• Observed result after fix: the live Telegram DM stayed on canonical sessionKey=agent:main:main through queueing, run start, context diagnostics, and message completion. The focused Codex context-engine regression verifies bootstrap and assemble also receive agent:main:main when sandboxSessionKey differs.
• What was not tested: the isolated live proof config did not select Lossless/LCM as plugins.slots.contextEngine, so the exact LCM bootstrap/assemble split is covered by the focused regression rather than the Telegram proof run.
• Before evidence (optional but encouraged): source tracing showed runtimePolicySessionKey could be assigned to sandboxSessionKey, and Codex previously reused sandboxSessionKey for context-engine calls.

Root Cause (if applicable)

• Root cause: runCodexAppServerAttempt used the sandbox session key as the effective sessionKey for context-engine and workspace-context surfaces. For Telegram DMs, that sandbox key can be a derived per-peer runtime policy key, not the canonical conversation key.
• Missing detection / guardrail: existing Codex context-engine tests did not cover the case where sessionKey and sandboxSessionKey intentionally differ.
• Contributing context: the runtime policy key is valid for sandbox/tool scoping, but context continuity needs the run session key.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: extensions/codex/src/app-server/run-attempt.context-engine.test.ts
• Scenario the test should lock in: sessionKey=agent:main:main and sandboxSessionKey=agent:main:telegram:default:direct:12345 still pass agent:main:main to context-engine bootstrap and assemble.
• Why this is the smallest reliable guardrail: it exercises the Codex app-server context-engine handoff directly without requiring a live provider or Telegram bot.
• Existing test that already covers this (if any): none before this PR.
• If no new test is added, why not: N/A.

User-visible / Behavior Changes

Telegram DM runs that derive per-peer runtime policy keys keep context/history selection on the canonical run session. No config, defaults, CLI flags, or generated files change.

Diagram (if applicable)

Before:
Telegram DM -> runtimePolicySessionKey -> sandboxSessionKey -> context engine sessionKey -> possible stale/per-peer history

After:
Telegram DM -> runtimePolicySessionKey -> sandbox/tool policy only
Telegram DM -> canonical run sessionKey -> context engine sessionKey -> intended conversation history

Security Impact (required)

• New permissions/capabilities? No
• Secrets/tokens handling changed? No
• New/changed network calls? No
• Command/tool execution surface changed? No
• Data access scope changed? No
• If any Yes, explain risk + mitigation: N/A.

Security/runtime controls unchanged: sandbox resolution still receives sandboxSessionKey; runtime policy, tool selection, channel authorization, Telegram allowlisting, and provider credentials handling are unchanged. This PR only separates the context-engine session key from the runtime policy key.

Repro + Verification

Environment

• OS: macOS (darwin 25.3.0)
• Runtime/container: local Node/pnpm workspace, local OpenClaw gateway
• Model/provider: google/gemini-2.5-flash in the live proof; tests use mocked harnesses
• Integration/channel (if any): Telegram-only isolated gateway proof
• Relevant config (redacted): channels.telegram.enabled=true, dmPolicy=allowlist, only the proof Telegram user ID in allowFrom; other channels disabled; token loaded from .env without printing it

Steps

1. Run focused policy-key and Codex context-engine tests.
2. Run changed-file checks.
3. Start patched local Telegram-only gateway in an isolated config/state directory.
4. Send a unique Telegram DM from the allowlisted user.
5. Inspect redacted runtime logs for the dispatch and embedded context session key.

Expected

• Telegram DM runtime/context logs use sessionKey=agent:main:main.
• Codex context-engine bootstrap and assemble receive the canonical run session key even when sandboxSessionKey differs.
• Sandbox/tool policy remains scoped to the sandbox key.

Actual

• Expected behavior observed in the focused regression and live Telegram proof logs above.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Exact checks run:

git diff --check
pnpm test src/auto-reply/reply/runtime-policy-session-key.test.ts extensions/codex/src/app-server/run-attempt.context-engine.test.ts -- --reporter=verbose
pnpm check:changed

Results:

git diff --check: passed
focused tests: passed, 2 Vitest shards, 21 tests
pnpm check:changed: passed; lanes=extensions, extensionTests

Human Verification (required)

• Verified scenarios: direct Codex context-engine handoff when sessionKey and sandboxSessionKey differ; live Telegram DM dispatch through the patched gateway.
• Edge cases checked: proof log was checked for per-peer sessionKey=agent:main:telegram... in runtime/context lines, and none were found for the proof turn.
• What you did not verify: a full live Lossless/LCM Telegram run with plugins.slots.contextEngine set to Lossless; this remains covered by the focused regression test.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? Yes
• Config/env changes? No
• Migration needed? No
• If yes, exact upgrade steps: N/A.

Risks and Mitigations

• Risk: future Codex context-engine call sites might accidentally reintroduce sandbox key usage.
  • Mitigation: added a regression test that directly asserts context-engine bootstrap and assemble receive the canonical run session key when the sandbox key differs.

Out of Scope

• Investigating the unrelated EmbeddedAttemptSessionTakeoverError seen after message-tool activity during live proof exploration.
• Adding a dedicated live LCM/Telegram E2E lane.
• Changing runtime policy, sandbox, tool, Telegram authorization, provider, config default, docs, or generated artifacts.

Made with Cursor

[clawsweeper]

Codex review: needs maintainer review before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR separates Codex context-engine session identity from sandbox/runtime-policy identity and adds a regression test plus changelog entry for Telegram DM/Lossless session continuity.

Reproducibility: yes. Current main source clearly passes sandboxSessionKey into Codex context-engine lifecycle calls while the runtime policy resolver can derive per-peer Telegram direct-message keys; the linked issue and PR body provide logs for the observed stale LCM selection.

PR rating
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🦞 diamond lobster
Summary: The patch is small and targeted with credible runtime logs and regression coverage, with only exact live Lossless/LCM proof left as maintainer beta-gate judgment.

Rank-up moves:

• Run one live Telegram proof with Lossless/LCM selected if maintainers require exact transport-plus-engine validation before beta merge.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Sufficient (logs): The PR body includes redacted after-fix live Telegram gateway logs showing canonical session keys through dispatch/run completion, plus focused regression output for the context-engine handoff; the latest extra commit is changelog-only in the provided commit list.

Mantis proof suggestion
A live Telegram lane can independently prove the user-visible DM path and absence of stale-context duplicate replies. A maintainer can ask Mantis to capture proof by posting a new PR comment that starts with the OpenClaw Mantis account mention, followed by:

telegram live: verify a Telegram DM with a per-peer runtime policy key keeps canonical context/history and sends one reply.

Risk before merge

• The supplied real proof shows live Telegram dispatch and focused context-engine regression coverage, but it does not include a live Telegram run with Lossless/LCM selected as the context engine.
• Because the patch changes which key selects Codex context-engine history when sandboxSessionKey differs, any hidden expectation of per-peer DM history would be replaced by canonical main-session history.
• The beta-blocker label makes the remaining merge decision maintainer-owned even with no blocking code findings.

Maintainer options:

1. Accept The Targeted Proof (recommended)
   Maintainers can accept the focused context-engine regression plus redacted live Telegram gateway logs as sufficient for this beta-blocker once normal checks are green.
2. Ask For Exact LCM Live Proof
   If beta gating requires full transport-plus-engine validation, ask for one live Telegram run with Lossless/LCM selected showing canonical bootstrap and assemble keys.
3. Pause For Session Scope Policy
   If maintainers want direct Telegram DMs to keep per-peer context history, pause this PR and resolve that session-scope policy before merging.

Next step before merge
This open protected beta-blocker PR has no blocking findings; the remaining action is maintainer beta-gate and merge judgment, not an automated repair.

Security
Cleared: The diff changes session-key plumbing, a focused regression test, and changelog text; it does not add dependencies, workflows, secret handling, network calls, or broader tool permissions.

Review details

Best possible solution:

Land the split-key fix after maintainer beta-gate acceptance, keeping context/history identity on the canonical run session while sandbox/tool policy stays on the sandbox session key.

Do we have a high-confidence way to reproduce the issue?

Yes. Current main source clearly passes sandboxSessionKey into Codex context-engine lifecycle calls while the runtime policy resolver can derive per-peer Telegram direct-message keys; the linked issue and PR body provide logs for the observed stale LCM selection.

Is this the best way to solve the issue?

Yes. Separating contextSessionKey from sandboxSessionKey is the narrowest maintainable fix because it restores context continuity without changing sandbox/tool/runtime policy scoping.

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes redacted after-fix live Telegram gateway logs showing canonical session keys through dispatch/run completion, plus focused regression output for the context-engine handoff; the latest extra commit is changelog-only in the provided commit list.

Label justifications:

• P1: This fixes a beta-blocking Telegram/Lossless session-state regression that can select stale context and produce duplicate or failed replies for real users.
• merge-risk: 🚨 session-state: The diff changes the session key used by Codex context-engine bootstrap, assembly, compaction, mirroring, and finalization, so a wrong choice could mis-associate conversation history.
• rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🐚 platinum hermit, patch quality is 🦞 diamond lobster, and The patch is small and targeted with credible runtime logs and regression coverage, with only exact live Lossless/LCM proof left as maintainer beta-gate judgment.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (logs): The PR body includes redacted after-fix live Telegram gateway logs showing canonical session keys through dispatch/run completion, plus focused regression output for the context-engine handoff; the latest extra commit is changelog-only in the provided commit list.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes redacted after-fix live Telegram gateway logs showing canonical session keys through dispatch/run completion, plus focused regression output for the context-engine handoff; the latest extra commit is changelog-only in the provided commit list.
• mantis: telegram-visible-proof: Mantis should capture Telegram visible proof. The PR affects visible Telegram DM behavior by preventing stale-context or duplicate/fallback replies, so a short Telegram live proof would materially help review.

Acceptance criteria:

• Maintainer may rely on the PR author's reported pnpm test src/auto-reply/reply/runtime-policy-session-key.test.ts extensions/codex/src/app-server/run-attempt.context-engine.test.ts -- --reporter=verbose and pnpm check:changed, or request a Crabbox/Testbox rerun before merge.
• Optional beta-gate proof: live Telegram DM with Lossless/LCM selected as plugins.slots.contextEngine showing context-engine bootstrap and assemble stay on agent:main:main.

What I checked:

• Current main still uses the sandbox key for context-engine calls: On current main, Codex derives sandboxSessionKey from params.sandboxSessionKey and passes it to bootstrapHarnessContextEngine and assembleHarnessContextEngine, matching the reported failure mode when the sandbox key is a per-peer Telegram key. (extensions/codex/src/app-server/run-attempt.ts:809, 6dbd5bd4460e)
• Runtime policy can derive a per-peer direct-message key: resolveRuntimePolicySessionKey keeps main aliases for local/webchat paths but returns buildAgentPeerSessionKey for direct external channel peers, so Telegram DMs can legitimately have a sandbox/runtime policy key that differs from the canonical run session key. (src/auto-reply/reply/runtime-policy-session-key.ts:86, 6dbd5bd4460e)
• PR patch applies the split-key fix at the implicated Codex surfaces: The PR head adds contextSessionKey from the canonical run session and uses it for runtimeParams, context-engine bootstrap/assemble, workspace bootstrap context, prompt reporting, compaction/maintenance, transcript mirroring, and finalization while leaving sandbox resolution on sandboxSessionKey. (extensions/codex/src/app-server/run-attempt.ts:809, 13ba4eadd660)
• Regression coverage targets the exact split-key bug: The added Codex context-engine test sets sessionKey=agent:main:main and sandboxSessionKey=agent:main:telegram:default:direct:12345, then asserts bootstrap and assemble receive agent:main:main. (extensions/codex/src/app-server/run-attempt.context-engine.test.ts:348, 13ba4eadd660)
• Maintainer review context supports real Telegram proof for this surface: The Telegram review note calls for real Telegram proof for behavior touching transport or reply context; the PR body supplies redacted after-fix Telegram gateway logs plus focused regression output, with only exact live LCM selection left as a beta-gate judgment. (.agents/maintainer-notes/telegram.md:35, 6dbd5bd4460e)
• History and provenance for the current code path: git blame attributes the current run-attempt context-engine call sites and runtime policy resolver in this checkout to 8284c03, while git show/log also show a185ca2 and d569803 carrying the Codex app-server and context-engine test surfaces. (extensions/codex/src/app-server/run-attempt.ts:1003, 8284c035a096)

Likely related people:

• Gio Della-Libera: git blame on current main attributes the Codex run-attempt context-engine key plumbing and runtime policy resolver lines to 8284c03 in this checkout. (role: current code-path carrier; confidence: medium; commits: 8284c035a096; files: extensions/codex/src/app-server/run-attempt.ts, src/auto-reply/reply/runtime-policy-session-key.ts, src/auto-reply/reply/get-reply-run.ts)
• steipete: Local history shows Peter Steinberger carried the Codex app-server/context-engine test import in a185ca2, moved app-server code into the extension in d569803, and recently touched adjacent runtime policy surfaces in 02182d5. (role: recent area contributor; confidence: medium; commits: a185ca283a74, d5698038d71c, 02182d5a3031; files: extensions/codex/src/app-server/run-attempt.ts, extensions/codex/src/app-server/run-attempt.context-engine.test.ts, src/auto-reply/reply/runtime-policy-session-key.ts)
• jalehman: The GitHub timeline shows jalehman was assigned/review-requested and force-pushed the changelog/documentation commit on the current PR head after the initial bot review. (role: current PR follow-up owner; confidence: medium; commits: 13ba4eadd660; files: CHANGELOG.md)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 6dbd5bd4460e.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Velvet Patch Peep

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: guards the happy path.
Image traits: location proof lagoon; accessory rollback rope; palette pearl, teal, and neon green; mood patient; pose holding its accessory up for inspection; shell matte ceramic shell; lighting subtle sparkle highlights; background smooth stones and checkmarks.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Velvet Patch Peep in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[jalehman]

Merged via squash.

• Prepared head SHA: 6cdccaa007d8f71ac042d264e3aea08f2203c810
• Merge commit: 66dcc4ee8fd1cebc56736b400f138dac3f8a9adb

Thanks @neeravmakwana!