feat(codex): diagnose native thread lifecycle

[100yenadmin]

Summary

This is PR #3 in the Codex native-thread reuse stack, after #85978 and #86069. It does not change the 70k default guard, and it does not preserve bindings across context-engine compaction or successor transcript rollover yet. It makes Codex app-server native thread reuse, bypass, rotation, and compaction-invalidation decisions observable first.

Changes:

• Add codex.native_thread.lifecycle as a trusted diagnostic event.
• Add extensions/codex/src/app-server/native-thread-diagnostics.ts with stable lifecycle reasons and one helper for trusted events plus low-cardinality logs.
• Route native token/byte guard rotation, thread_bootstrap semantic reuse, context-engine/projection/dynamic-tool/MCP/environment/plugin/auth mismatch, native-tool-surface-disabled bypass, missing binding, app-server rejection, invalid image rejection, and context-engine-owned compaction invalidation through the helper.
• Keep Fix Codex native thread reuse for context-engine bootstraps #85978/fix(codex): make native thread token guard configurable #86069 behavior intact: matching active thread_bootstrap bindings still bypass proactive token/byte guards; legacy/non-bootstrap bindings still honor configured token/byte guards.
• Document the difference between model/app-server context overflow, OpenClaw assembly/precheck pressure, and native-thread reuse rotation.

Why this matters

The confusing part of the slowdown is that the 70000 guard is not GPT-5.5's model context limit. It is a local warm-thread reuse threshold. If a legacy Codex native transcript is already above that threshold, OpenClaw refuses to reuse the saved native thread and starts a fresh app-server thread. That can make every turn pay cold-start context rebuild pressure even when the channel/session itself is fine.

PR #82981 is the historical source for the default: it introduced a guard that rotates stale Codex app-server bindings before resume when the bound native rollout is at or above 70k tokens, because large native Codex rollouts could keep getting resumed after OpenClaw had already compacted/mirrored a smaller transcript. So the default should be read as a proactive warm-thread reuse guard, not as a model-window cap, not as a bootstrap-size cap, and not as a carefully documented LCM reserve.

Example failure mode:

Turn	Legacy/native transcript	Guard	Decision	Cost shape
1	86k	70k	native-token-guard rotates	cold thread/start; bootstrap/context is rebuilt
2	still over guard	70k	rotates again	cold path again
3-10	still over guard	70k	repeats	no durable warm Codex thread

With #86069 config support, maxActiveTranscriptTokens: "120k" preserves an 86k legacy binding, while "50k" rotates a 60k binding. Setting the token guard to 0 disables only proactive token rotation; byte guards and semantic identity mismatches can still rotate.

The best-case long-running context-engine path is different: thread_bootstrap projects the large context once into the fresh Codex thread, then reuses it as long as the context-engine id, policy fingerprint, projection epoch/fingerprint, and dynamic-tool surface still match. This PR emits thread-bootstrap-semantic-reuse only after that semantic match is proven.

graph TD
  A[OpenClaw turn] --> B{Saved Codex binding?}
  B -->|no| S[Start fresh native thread]
  B -->|yes| C{Semantic identity matches?}
  C -->|no| R[Rotate with mismatch reason]
  C -->|yes legacy/per-turn| G{Native token/byte guard exceeded?}
  G -->|yes| T[Rotate with native-token/native-byte reason]
  G -->|no| U[Resume warm native thread]
  C -->|yes thread_bootstrap| H[Emit thread-bootstrap-semantic-reuse]
  H --> U
  R --> S
  T --> S

Loading

Adversarial review fixes in latest head

A four-agent adversarial pass found diagnostics issues rather than behavior changes in the guard itself. Latest head fixes them:

• Avoid false thread-bootstrap-semantic-reuse events from the early proactive guard bypass; semantic reuse is emitted only after the later identity match.
• Keep scoped ids/fingerprints in the trusted internal diagnostic event, but remove them from generic log payloads to avoid support-log/OTEL cardinality and privacy problems.
• Add native-tool-surface-disabled so transient native-disabled turns are not misclassified as environment-selection-mismatch.
• Preserve real thread_bootstrap/per_turn binding mode and context-engine metadata when native compaction rejects a stale binding.
• During overflow retry after session rollover, report the active successor session id and read the successor binding before logging/clearing it, so diagnostics name the actual successor thread only when one exists.

Diagnostics

codex.native_thread.lifecycle includes stable reason/action fields plus thread/session/run ids, binding mode, context-engine identity, projection epoch/fingerprint, previous/current fingerprints, token/byte guard values, native/session token counts, prompt/developer-instruction size estimates, and bootstrap/context-engine contribution booleans.

It intentionally does not include raw prompt text, bootstrap file contents, tool args, or secrets. The companion generic log record is lower-cardinality and omits scoped thread/session ids, epoch/fingerprint fields, and path-like/error extra values.

Non-goals

• No default guard change from 70000 in this PR.
• No migration or config rename.
• No binding preservation across context-engine compaction or successor transcript rollover yet.
• No change to PI runtime compaction semantics.

Real behavior proof

• Behavior or issue addressed: Codex native-thread lifecycle decisions now emit a structured trusted diagnostic event so an operator can distinguish native-token guard rotation from semantic reuse and other rotation families.
• Real environment tested: Local OpenClaw source checkout on the Lexar worktree at /Volumes/LEXAR/repos/worktrees/openclaw-codex-semantic-reuse-guard, using the real OpenClaw package runtime with node --import tsx.
• Exact steps or command run after fix: Executed the real diagnostic helper through the package export path and listened through the real internal diagnostic runtime:

node --import tsx - <<'NODE'
import { onInternalDiagnosticEvent, resetDiagnosticEventsForTest, waitForDiagnosticEventsDrained } from 'openclaw/plugin-sdk/diagnostic-runtime';
import { CodexNativeThreadLifecycleReason, emitCodexNativeThreadLifecycleDiagnostic } from './extensions/codex/src/app-server/native-thread-diagnostics.ts';

resetDiagnosticEventsForTest();
const events = [];
const unsubscribe = onInternalDiagnosticEvent((event) => {
  if (event.type === 'codex.native_thread.lifecycle') events.push(event);
});
emitCodexNativeThreadLifecycleDiagnostic({
  action: 'rotated',
  reason: CodexNativeThreadLifecycleReason.NativeTokenGuard,
  threadId: 'thread-proof',
  sessionId: 'session-proof',
  sessionKey: 'agent:main:session-proof',
  bindingMode: 'legacy',
  maxActiveTranscriptTokens: 70000,
  nativeTokens: 86000,
  sessionTokens: 86000,
});
await waitForDiagnosticEventsDrained();
unsubscribe();
console.log(JSON.stringify(events[0], null, 2));
NODE

• After-fix evidence: Copied terminal output from that command:

[agent/embedded] codex app-server native thread lifecycle: rotated (native-token-guard)
{
  "type": "codex.native_thread.lifecycle",
  "action": "rotated",
  "reason": "native-token-guard",
  "threadId": "thread-proof",
  "sessionId": "session-proof",
  "sessionKey": "agent:main:session-proof",
  "bindingMode": "legacy",
  "maxActiveTranscriptTokens": 70000,
  "nativeTokens": 86000,
  "sessionTokens": 86000,
  "seq": 2,
  "ts": 1779637794109
}

• Observed result after fix: The runtime emitted codex.native_thread.lifecycle with action: "rotated", reason: "native-token-guard", token guard values, native/session token counts, and thread/session identity, with no raw prompt text, bootstrap file contents, tool args, or secrets.
• Latest-head validation stance: After the adversarial-review amend, local Vitest/tsgo were intentionally not rerun on Codex Desktop; GitHub CI is the validation gate for this head. I ran only git diff --check locally.
• What was not tested: I did not run a live Discord gateway session through Codex app-server in this PR. That belongs to the next operational validation pass after this diagnostic surface lands.

Test Plan

Tests added/extended for the latest head:

• token guard, byte guard, 120k preserving 86k, 50k rotating 60k, 0 disabling proactive token rotation, byte guard pre-read behavior, and sanitized lifecycle log payloads in run-attempt.test.ts
• matching thread_bootstrap semantic reuse, no false semantic reuse on mismatched over-budget bindings, projection/context-engine mismatch, and overflow rollover successor-binding diagnostics in run-attempt.context-engine.test.ts
• missing binding, stale binding, stale thread_bootstrap binding metadata, auth-profile mismatch, and context-engine-owned compaction invalidation in compact.test.ts
• dynamic-tool, MCP, plugin app, environment selection, native-tool-surface-disabled, and app-server resume rejection reason coverage through startOrResumeThread

Remote validation expected on GitHub CI for the pushed head 2372e215a2.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed May 27, 2026, 7:18 AM ET / 11:18 UTC.

Summary
The branch adds a Codex native-thread lifecycle diagnostic event, an optional native transcript token guard config key, docs/tests, and lifecycle diagnostics through Codex thread reuse and compaction paths.

PR surface: Source +1087, Tests +1282, Docs +60, Generated 0. Total +2429 across 27 files.

Reproducibility: not applicable. as a bug reproduction: this is a feature/config diagnostics PR. The code and tests show the intended paths, but the PR body does not provide current-head real behavior proof for the latest head.

Review metrics: 2 noteworthy metrics.

• Config/default surfaces: 1 added. The PR adds agents.defaults.compaction.maxActiveTranscriptTokens, which is compatibility-sensitive even when optional because users may rely on config schemas and documented defaults.
• Diagnostic event surfaces: 1 added trusted event. codex.native_thread.lifecycle becomes a stable operator diagnostic surface and must have accepted payload, privacy, and exporter behavior before merge.

Merge readiness
Overall: 🦪 silver shellfish
Proof: 🦪 silver shellfish
Patch quality: 🐚 platinum hermit
Result: blocked until stronger real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Add current-head redacted terminal output, logs, or a linked artifact that exercises the latest Codex lifecycle diagnostics through compaction/session-state paths.
• Update the PR body's Real behavior proof section so ClawSweeper can re-review the exact head.

Proof guidance:
Needs stronger real behavior proof before merge: The PR body includes terminal proof for an older helper-only head, but current head f623fc0 adds later compaction/session-state changes that are not covered by fresh real behavior proof. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Risk before merge

• The PR adds a new optional config key and stable diagnostic event surface around Codex native-thread lifecycle behavior, so maintainers need to accept the compatibility and operator-facing shape before merge.
• The current PR body proof is stale relative to head f623fc0 and does not exercise the later compaction, successor-session, or session-state paths added after the helper-only proof.
• The open stacked follow-up at fix(codex): preserve semantic native threads across compaction #86160 depends on this diagnostics foundation, so landing order and review scope need maintainer coordination.

Maintainer options:

1. Refresh Current-Head Proof (recommended)
   Ask the contributor or assignee to add redacted terminal output, logs, or a linked artifact from head f623fc0 that exercises the lifecycle diagnostics through the latest compaction/session-state paths.
2. Accept The New Config Surface
   Maintainers can explicitly accept agents.defaults.compaction.maxActiveTranscriptTokens as the operator override and keep the default/current behavior unchanged for upgrades.
3. Pause For Stack Review
   If the diagnostic surface cannot be reviewed independently from the preservation work, pause this PR and review it together with the stacked follow-up before landing either branch.

Next step before merge
A maintainer or contributor needs to supply current-head real behavior proof and accept the config/diagnostic surface; there is no narrow automated repair to queue from this review.

Security
Cleared: No concrete security or supply-chain regression was found; the diff adds no dependencies/workflows and keeps scoped IDs out of generic logs while OTel ignores the new trusted event.

Review details

Best possible solution:

Keep the branch open, require current-head real behavior proof for the latest lifecycle/session-state paths, and merge only after maintainers accept the new config and diagnostic surfaces.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a bug reproduction: this is a feature/config diagnostics PR. The code and tests show the intended paths, but the PR body does not provide current-head real behavior proof for the latest head.

Is this the best way to solve the issue?

Yes, pending proof: centralizing lifecycle reasons and low-cardinality logs is a maintainable shape for this diagnostic surface. The safer pre-merge path is to keep the default behavior stable while requiring current-head proof and maintainer acceptance of the new config key.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 545ad7f256e2.

Label changes

Label justifications:

• P2: This is a normal-priority Codex diagnostics/config improvement with session-state relevance but no emergency or broad outage evidence.
• merge-risk: 🚨 compatibility: The PR adds a new documented config key and schema/help/baseline surface for Codex native thread token reuse behavior.
• merge-risk: 🚨 session-state: The diff touches Codex native thread bindings, compaction/retry metadata, successor session handling, and diagnostics around when saved native threads are reused or rotated.
• rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🐚 platinum hermit.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: The PR body includes terminal proof for an older helper-only head, but current head f623fc0 adds later compaction/session-state changes that are not covered by fresh real behavior proof. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Evidence reviewed

PR surface:

Source +1087, Tests +1282, Docs +60, Generated 0. Total +2429 across 27 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	12	1209	122	+1087
Tests	11	1315	33	+1282
Docs	3	60	0	+60
Config	0	0	0	0
Generated	1	2	2	0
Other	0	0	0	0
Total	27	2586	157	+2429

What I checked:

• Repository policy read and applied: Root AGENTS.md was read fully; the review applied its guidance on full-policy reads, config/default-surface merge risk, real behavior proof, scoped docs/extensions/agents guidance, and read-only PR review. (AGENTS.md:1, 545ad7f256e2)
• Scoped guides read: extensions/AGENTS.md, docs/AGENTS.md, and src/agents/AGENTS.md were read because the PR touches bundled Codex code, docs, and agent runner behavior. (extensions/AGENTS.md:1, 545ad7f256e2)
• Current PR state: Live GitHub API reports PR head f623fc0, base 545ad7f, mergeable clean, maintainer_can_modify true, and labels including proof supplied, status needs proof, compatibility risk, and session-state risk. (f623fc0a7dd1)
• Current main lacks the new surface: A current-main search found no codex.native_thread.lifecycle, maxActiveTranscriptTokens, or NonNegativeTokenCountSchema occurrences, so the central PR work is not already implemented on main. (545ad7f256e2)
• Diagnostic helper surface: The PR head adds emitCodexNativeThreadLifecycleDiagnostic, which logs a low-cardinality payload and emits a trusted codex.native_thread.lifecycle diagnostic event. (extensions/codex/src/app-server/native-thread-diagnostics.ts:104, f623fc0a7dd1)
• Configurable guard and lifecycle diagnostics: The PR head routes byte/token guard decisions through the lifecycle diagnostic and adds maxActiveTranscriptTokens handling around Codex startup binding rotation. (extensions/codex/src/app-server/run-attempt.ts:975, f623fc0a7dd1)

Likely related people:

• vincentkoc: Assigned on the PR, authored the latest head repair commits, and appears in recent current-main Codex app-server/auth lifecycle history. (role: recent area contributor and assignee; confidence: high; commits: f623fc0a7dd1, 8810fc97932d, f1cc8f0cfc7c; files: extensions/codex/src/app-server/run-attempt.ts, extensions/codex/src/app-server/thread-lifecycle.ts, extensions/codex/src/app-server/compact.ts)
• steipete: Recent Git history shows major Codex app-server lifecycle split, startup hardening, and the context budget guard hardening commits in this area. (role: feature-history owner; confidence: high; commits: 31a0b7bd42a5, 3b65e2302a55, 23fd4c21bbd7; files: extensions/codex/src/app-server/run-attempt.ts, extensions/codex/src/app-server/thread-lifecycle.ts)
• hansolo949: The linked merged context-budget guard PR is identified in the PR body as the historical source of the proactive native-thread reuse guard this PR makes observable. (role: introduced related behavior; confidence: medium; commits: d7e5e3a10f14, 084318b8c461; files: extensions/codex/src/app-server/run-attempt.ts)
• 100yenadmin: Opened this PR and the linked architecture issue, and authored related prior stack work referenced by the PR; include as routing context because this is a stacked diagnostics/config thread, not merely because they opened this PR. (role: stack author and related work owner; confidence: medium; commits: d17a722e68bb, 0eac6a7782cb; files: extensions/codex/src/app-server/run-attempt.ts, extensions/codex/src/app-server/native-thread-diagnostics.ts, docs/plugins/codex-harness-runtime.md)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?

• The egg game starts only after the PR passes the real-behavior proof check.
• Before that, no creature or rarity is rolled. The treat waits for real proof.
• This is still just collectible flavor: proof affects review readiness, not creature quality.

[100yenadmin]

@clawsweeper re-review

The previous finding was fixed on the current head 2372e215a2: lifecycle generic logs now use an allowlisted low-cardinality payload and no longer merge extra over stable fields. Please re-review the current head.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Failed
• Detail: The targeted re-review did not finish cleanly. Check the workflow run for details.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26366532970
• Updated: 2026-05-24T16:26:57.547Z

[100yenadmin]

@clawsweeper re-review

The previous field-collision finding is fixed on current head 5e4147595e: generic lifecycle logs now use an allowlisted low-cardinality payload built from stable fields only, extra is excluded from logs, and the regression test now includes colliding extra.reason and extra.sessionKey values while asserting the stable reason remains native-token-guard and scoped identifiers stay out of generic logs. Please re-review the current head.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Superseded
• Detail: A newer re-review for this item started before this run finished, so GitHub cancelled this older run. Check the latest ClawSweeper run for the current result.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26366749584
• Updated: 2026-05-24T16:42:04.453Z