fix(codex): make native thread token guard configurable

[100yenadmin]

Summary

This is a stacked follow-up to #85978 for the hard-coded Codex app-server native-thread token reuse guard.

It makes the proactive native-token guard configurable instead of treating 70000 as the only possible policy:

• Adds agents.defaults.compaction.maxActiveTranscriptTokens.
• Keeps the current default at 70000 when unset, preserving existing behavior.
• Allows numeric values or token-count strings such as "120k" / "1.5k".
• Allows 0 to disable only this proactive token guard.
• Preserves byte-limit rotation and semantic binding invalidation.
• Skips Codex rollout-directory scans when both native byte and token guards are disabled.

Stacking / Review Order

This branch is intentionally stacked on #85978 (codex/native-thread-reuse-budget).

Recommended order:

1. Review/merge Fix Codex native thread reuse for context-engine bootstraps #85978 first. It fixes the semantic correctness bug where an active context-engine thread_bootstrap binding could be cleared by the startup size guard before the context-engine projection decision had a chance to preserve it.
2. Review this PR second. It makes the remaining legacy/non-bootstrap native token guard policy explicit and configurable.

If this PR is reviewed before #85978 lands, the intended new commit here is:

80da76695c fix(codex): make native thread token guard configurable

Why This Is Needed

The existing guard is not the model context window. It is a local Codex app-server native-thread reuse guard. Today it is hard-coded to 70000 tokens, and when it fires OpenClaw clears the saved native thread binding before startup:

codex app-server native transcript exceeded active token limit; starting a fresh thread

That is a reasonable safety valve for legacy/stale bindings, but it is too blunt for long-running Codex sessions because the native token count can include the large bootstrap-loaded context already paid into the native thread.

Scenario:

sequenceDiagram
  participant OC as OpenClaw
  participant CE as Context Engine / Bootstrap
  participant CX as Codex app-server native thread

  OC->>CE: assemble bootstrap/context
  CE-->>OC: 80k-120k effective bootstrap/context
  OC->>CX: thread/start with developer instructions + projected context
  CX-->>OC: rollout token_count over 70k
  OC->>CX: next turn startup checks saved binding
  alt legacy hard guard
    OC->>OC: clear binding at 70k
    OC->>CX: cold thread/start again
  else semantic thread_bootstrap from #85978
    OC->>OC: preserve matching semantic binding
    OC->>CX: thread/resume warm path
  end

Loading

The bootstrap question is the crux: for legacy/non-context-engine native reuse, the guard can effectively see the native thread after it has already absorbed large startup/bootstrap instructions. For active context-engine thread_bootstrap, #85978 prevents that bootstrap cost from automatically invalidating the native binding on the next turn. This PR covers the remaining policy question by letting operators set the guard to match their deployment instead of forcing every installation through 70000.

What This Does Not Solve

This does not implement the larger #86023 architecture items:

• semantic compaction-preservation across Codex native threads;
• binding ownership across session-file rollover;
• workspace bootstrap fingerprinting as a first-class reuse reason;
• doctor/status diagnostics for native-thread rotation reason codes.

Those should stay separate because they touch lifecycle design, diagnostics, and context-engine contracts rather than just the hard-coded native guard policy.

Real behavior proof

• Behavior or issue addressed: The Codex app-server native-thread startup guard no longer treats 70000 as the only possible token policy. A thread binding with 86000 recorded session tokens is preserved when configured to "120k" and cleared when configured to "50k".
• Real environment tested: Local OpenClaw checkout on macOS from /Volumes/LEXAR/repos/worktrees/openclaw-codex-semantic-reuse-guard, using the actual patched runtime modules through node --import tsx.
• Exact steps or command run after this patch:

node --import tsx - <<'EOF'
import fs from 'node:fs/promises';
import path from 'node:path';
import os from 'node:os';
import { testing } from './extensions/codex/src/app-server/run-attempt.ts';
import { readCodexAppServerBinding, writeCodexAppServerBinding } from './extensions/codex/src/app-server/session-binding.ts';

const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'openclaw-real-proof-native-token-'));
const sessionFile = path.join(tempDir, 'session.jsonl');
const agentDir = path.join(tempDir, 'agent');
const cwd = path.join(tempDir, 'workspace');
await fs.mkdir(path.dirname(sessionFile), { recursive: true });
await fs.mkdir(cwd, { recursive: true });
await fs.writeFile(sessionFile, '');
await writeCodexAppServerBinding(sessionFile, {
  threadId: 'thread-existing',
  cwd,
  model: 'gpt-5.4-codex',
  modelProvider: 'openai',
  dynamicToolsFingerprint: '[]',
});
await fs.writeFile(
  path.join(path.dirname(sessionFile), 'sessions.json'),
  JSON.stringify({
    'agent:main:session-1': {
      sessionFile,
      totalTokens: 86000,
    },
  }),
);
const preserved = await testing.rotateOversizedCodexAppServerStartupBinding({
  binding: await readCodexAppServerBinding(sessionFile),
  sessionFile,
  agentDir,
  config: {
    agents: { defaults: { compaction: { truncateAfterCompaction: true, maxActiveTranscriptTokens: '120k' } } },
  },
});
await writeCodexAppServerBinding(sessionFile, {
  threadId: 'thread-existing',
  cwd,
  model: 'gpt-5.4-codex',
  modelProvider: 'openai',
  dynamicToolsFingerprint: '[]',
});
const cleared = await testing.rotateOversizedCodexAppServerStartupBinding({
  binding: await readCodexAppServerBinding(sessionFile),
  sessionFile,
  agentDir,
  config: {
    agents: { defaults: { compaction: { truncateAfterCompaction: true, maxActiveTranscriptTokens: '50k' } } },
  },
});
console.log(JSON.stringify({
  environment: process.cwd(),
  observed: {
    overDefaultConfiguredTo120k: preserved?.threadId ?? null,
    belowConfigured50k: cleared?.threadId ?? null,
    savedBindingAfter50k: (await readCodexAppServerBinding(sessionFile))?.threadId ?? null,
  },
}, null, 2));
EOF

• Evidence after fix: Terminal output from the command above:

[agent/embedded] codex app-server native transcript exceeded active token limit; starting a fresh thread
{
  "environment": "/Volumes/LEXAR/repos/worktrees/openclaw-codex-semantic-reuse-guard",
  "observed": {
    "overDefaultConfiguredTo120k": "thread-existing",
    "belowConfigured50k": null,
    "savedBindingAfter50k": null
  }
}

• Observed result after fix: The same 86000-token recorded native/session state preserves the existing binding under "120k" and clears it under "50k", matching the configurable guard behavior added by this PR.
• What was not tested: A live Discord/Codex long-running channel was not exercised in this proof. That broader end-to-end slowdown remains tracked in Codex long-running sessions should use semantic thread/bootstrap cache ownership #86023.

Validation

Focused local validation from /Volumes/LEXAR/repos/worktrees/openclaw-codex-semantic-reuse-guard:

OPENCLAW_VITEST_MAX_WORKERS=1 node scripts/run-vitest.mjs extensions/codex/src/app-server/run-attempt.test.ts --run -t "configured native rollout token|token rotation when configured to zero|configured token limit below|session totals|byte rotation active|skips rollout directory scans"
OPENCLAW_VITEST_MAX_WORKERS=1 node scripts/run-vitest.mjs src/config/zod-schema.agent-defaults.test.ts src/config/config.schema-regressions.test.ts src/config/config.compaction-settings.test.ts src/config/schema.help.quality.test.ts --run -t "compaction.truncateAfterCompaction|preserves memory flush|agent compaction safeguards"
pnpm exec oxfmt --check --threads=1 extensions/codex/src/app-server/run-attempt.ts extensions/codex/src/app-server/run-attempt.test.ts src/config/types.agent-defaults.ts src/config/zod-schema.agent-defaults.ts src/config/zod-schema.agent-defaults.test.ts src/config/config.schema-regressions.test.ts src/config/config.compaction-settings.test.ts src/config/schema.help.ts src/config/schema.labels.ts src/config/schema.help.quality.test.ts
pnpm config:schema:check
pnpm config:docs:check
git diff --check
pnpm tsgo:core:test
pnpm tsgo:extensions:test

Results: all passed locally.

I also ran four read-only adversarial review agents over the diff. Two returned zero >=95% findings; two found test/efficiency gaps that were fixed before this PR was opened.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed May 26, 2026, 1:27 PM ET / 17:27 UTC.

Summary
The branch replaces the hard 70k Codex app-server native-thread token guard with a Codex-reported model-window or 300k fallback fuse, bypasses startup size guards for active context-engine thread-bootstrap bindings, and adds Codex lifecycle tests.

PR surface: Source +63, Tests +257. Total +320 across 3 files.

Reproducibility: no. high-confidence real reproduction is in hand. Source and tests show current main rotates at 70k and the PR simulates the new guard behavior, but the latest no-config rewrite was not proven with a live Codex app-server conversation or equivalent runtime probe.

Review metrics: 1 noteworthy metric.

• Native token guard policy: 1 default changed: 70,000 hard guard replaced by model_context_window/300,000 fallback plus thread-bootstrap bypass. This changes upgrade behavior for existing Codex sessions before CI can prove the new runtime policy is safe.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🦪 silver shellfish
Patch quality: 🧂 unranked krab
Result: blocked until real behavior proof from a real setup is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Add latest-head real behavior proof from a Codex app-server runtime path, with private details redacted.
• Fix or explicitly gate the thread-bootstrap overflow retry so fresh threads are not saved as bootstrapped without projected context.
• Have maintainers decide whether the model-window/300k fallback policy should land alone or only with the broader native-thread stack.

Proof guidance:
Needs real behavior proof before merge: Latest-head proof is focused Vitest/check/Testbox output; it does not show after-fix behavior in a real Codex app-server runtime, so contributor action is still needed with redacted terminal output, logs, recording, or a live-output artifact. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Risk before merge

• Merging changes the Codex warm-thread rotation default from a 70k hard guard to a model-window or 300k fallback policy, so upgraded sessions can preserve native threads that previously cold-started.
• Context-engine thread-bootstrap bindings skip the startup size guard before projection and retry; if the resumed turn overflows, the retry can persist a fresh thread as bootstrapped without sending assembled context.
• Latest-head proof is focused tests/Testbox/autoreview output, not a live Codex app-server conversation or equivalent runtime proof of the changed no-config behavior.

Maintainer options:

1. Fix retry-safe projection before merge (recommended)
   Update the context-engine overflow/fresh-thread path so a bypassed thread-bootstrap binding cannot mark a fresh native thread as bootstrapped unless the assembled context was actually projected into that thread.
2. Land only with the semantic-preservation stack
   Maintainers could accept this PR only as part of the broader native-thread stack if the follow-up that rebuilds fresh-thread context is reviewed and lands with it.
3. Pause if the fuse policy is unsettled
   If the model-window/300k fallback is still a product policy question, keep the PR paused rather than merging a new default warm-thread behavior.

Next step before merge
Human review is needed to choose the guard policy, handle the context-engine retry risk, and request latest-head real runtime proof; this is not a narrow autonomous repair lane.

Security
Cleared: The diff only changes Codex app-server runtime/test logic and does not add dependencies, scripts, secrets handling, CI permissions, or package resolution changes.

Review findings

• [P1] Preserve projection when bypassed bindings overflow — extensions/codex/src/app-server/run-attempt.ts:908-918

Review details

Best possible solution:

Land a retry-safe internal fuse only after maintainers accept the new guard policy: valid thread-bootstrap bindings should stay warm, but actual model-window or overflow retries must either project context into the fresh thread or avoid writing a bootstrapped binding.

Do we have a high-confidence way to reproduce the issue?

No high-confidence real reproduction is in hand. Source and tests show current main rotates at 70k and the PR simulates the new guard behavior, but the latest no-config rewrite was not proven with a live Codex app-server conversation or equivalent runtime probe.

Is this the best way to solve the issue?

No, not yet. Removing the config option fits the maintainer direction, but the thread-bootstrap bypass needs retry-safe projection behavior or an explicit maintainer decision to accept the session-state risk.

Full review comments:

• [P1] Preserve projection when bypassed bindings overflow — extensions/codex/src/app-server/run-attempt.ts:908-918
  This early return skips the new token/window scan for any active thread_bootstrap binding. If that resumed thread is actually at Codex's context window, the existing overflow retry starts a fresh thread with the warm-resume prompt and then persists the same thread_bootstrap binding, so the fresh native thread can be marked bootstrapped without receiving the assembled context. Keep the model-window fuse for this case or rebuild/project before retrying on a fresh thread.
  Confidence: 0.86

Overall correctness: patch is incorrect
Overall confidence: 0.84

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against a5eee8f1c678.

Label changes

Label justifications:

• P2: This is a normal-priority Codex session-state/runtime fix with limited surface but meaningful upgrade behavior.
• merge-risk: 🚨 compatibility: The PR changes an existing default warm-thread reuse guard, so upgraded Codex sessions may retain native threads that current main would rotate.
• merge-risk: 🚨 session-state: The changed startup bypass can interact with context-engine retry state and persist a native binding that no longer matches what was actually projected.
• rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🦪 silver shellfish and patch quality is 🧂 unranked krab.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: Latest-head proof is focused Vitest/check/Testbox output; it does not show after-fix behavior in a real Codex app-server runtime, so contributor action is still needed with redacted terminal output, logs, recording, or a live-output artifact. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Evidence reviewed

PR surface:

Source +63, Tests +257. Total +320 across 3 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	77	14	+63
Tests	2	272	15	+257
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	3	349	29	+320

What I checked:

• Repository policy read: Root AGENTS.md was read fully; it makes config/default, session state, provider/plugin behavior, startup checks, and fallback behavior compatibility-sensitive for review. (AGENTS.md:1, a5eee8f1c678)
• Scoped extension policy read: extensions/AGENTS.md was read; the change stays inside the bundled Codex plugin boundary and does not add a plugin SDK surface. (extensions/AGENTS.md:1, a5eee8f1c678)
• Current main behavior: Current main still has a fixed 70,000-token Codex app-server startup reuse guard, so this PR changes an existing default runtime policy rather than only adding tests. (extensions/codex/src/app-server/run-attempt.ts:665, a5eee8f1c678)
• PR guard bypass: The PR returns a thread-bootstrap binding before scanning byte/token rollout files whenever a context engine is active, bypassing the new model-window fuse for that binding class. (extensions/codex/src/app-server/run-attempt.ts:908, 0177987431ff)
• Existing overflow retry behavior: The existing context-engine overflow retry starts a fresh Codex thread after a failed resumed turn; the adjacent test expects the retry prompt to be only the current user prompt while still saving the same thread-bootstrap projection, which makes the new bypass risky when the old thread is actually over window. (extensions/codex/src/app-server/run-attempt.context-engine.test.ts:973, a5eee8f1c678)
• Latest proof context: The latest maintainer comment reports focused Vitest, git diff, autoreview, pnpm check:changed, and a Blacksmith Testbox run, but no live Codex app-server conversation or non-Vitest runtime probe for the no-config rewrite. (0177987431ff)

Likely related people:

• vincentkoc: Blame points the current Codex app-server startup guard and surrounding run-attempt implementation to c38b503, and recent history also shows adjacent Codex auth work in this file. (role: introduced behavior / recent area contributor; confidence: high; commits: c38b5033e64b, 5ef812293b08; files: extensions/codex/src/app-server/run-attempt.ts, extensions/codex/src/app-server/run-attempt.test.ts)
• steipete: Recent main history includes adjacent Codex app-server notification handling work, and the current PR head commit was authored after the config-option objection and rewrite. (role: recent adjacent contributor / current branch committer; confidence: medium; commits: ead847f6065a, 0177987431ff; files: extensions/codex/src/app-server/run-attempt.ts, extensions/codex/src/app-server/run-attempt.test.ts, extensions/codex/src/app-server/run-attempt.context-engine.test.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?

• The egg game starts only after the PR passes the real-behavior proof check.
• Before that, no creature or rarity is rolled. The treat waits for real proof.
• This is still just collectible flavor: proof affects review readiness, not creature quality.

[100yenadmin]

@clawsweeper re-review

Fixed the P3 docs finding in 7d640c42e5 by adding agents.defaults.compaction.maxActiveTranscriptTokens to the manual compaction config example and option list in docs/gateway/config-agents.md.

Validation from /Volumes/LEXAR/repos/worktrees/openclaw-codex-semantic-reuse-guard:

git diff --check
pnpm config:docs:check

Results: both passed.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26363846179
• Updated: 2026-05-24T14:37:30.566Z

[100yenadmin]

@vincentkoc tagging you here for context and co-author credit.

This PR is part of the native-thread stabilization work: when threads are not set up correctly, cache continuity and compaction can attach to the wrong thread or break across resumes. This change fixes that path so cached context and compaction state stay attached to the intended native thread.

I also added a no-code co-author commit on this branch with Co-authored-by: Vincent Koc <vincentkoc@ieee.org>.

[steipete]

I really do not want yet another config option.

[steipete]

Behavior addressed

• Reworked the Codex native thread token guard so it no longer adds or documents a maxActiveTranscriptTokens config option.
• OpenClaw now treats token-based native thread clearing as an internal recovery fuse: it prefers Codex's reported model_context_window, and otherwise uses a deliberately high fallback so Codex's own auto-compaction can run first.
• Context-engine thread-bootstrap bindings still resume through the native size guard when the active engine owns that projection.

Real environment tested

• Local macOS checkout on Node 24.15.0.
• Blacksmith Testbox changed-file gate.

Exact steps or command run after this patch

• fnm exec --using v24.15.0 -- node scripts/run-vitest.mjs run extensions/codex/src/app-server/run-attempt.test.ts extensions/codex/src/app-server/run-attempt.context-engine.test.ts --reporter=dot --pool=forks --no-file-parallelism
• git diff --check
• .agents/skills/autoreview/scripts/autoreview --mode local --base origin/main
• fnm exec --using v24.15.0 -- pnpm check:changed

Evidence after fix

• Focused Vitest: 2 files passed, 247 tests passed.
• git diff --check: passed.
• Autoreview: clean, no accepted/actionable findings.
• Testbox check:changed: tbx_01ksjm1hy7mfrc5bebzyckqdew, GitHub Actions run https://github.com/openclaw/openclaw/actions/runs/26463150977, exit 0.

Observed result after fix

• Existing bound Codex native threads are not discarded at the old 70k threshold.
• Rollout token scans preserve total token counts even when a later token-count line reports only model_context_window.
• Oversized fallback, byte limit, stale session-token, auth preservation, and context-engine bootstrap behavior remain covered.

What was not tested

• A live OpenAI Codex app-server conversation was not run; this change is covered by the app-server lifecycle tests and the changed-file type/lint/import-cycle gate.