fix(codex): preserve semantic native threads across compaction

[100yenadmin]

Summary

This is PR #4 in the Codex native-thread stack, after #85978, #86069, and #86094. It turns the diagnostics foundation into the long-term cache/lifecycle fix for compatible context-engine thread_bootstrap bindings:

• preserve Codex thread_bootstrap bindings across successful context-engine-owned compaction;
• copy preserved bindings to successor session files during transcript rollover, then clear the archived/original binding;
• reread the active Codex binding after forced compaction before rebuilding the Codex prompt;
• if optimistic semantic reuse rotates during startup, rebuild the prompt for the fresh thread before turn/start so the fresh thread receives projected context;
• keep legacy, ownerless, non-bootstrap, mismatch, and app-server rejection paths rotating/clearing as before;
• hash sensitive MCP/environment comparison tokens before persisting or emitting lifecycle diagnostics;
• add context-engine-compaction-preserved-binding lifecycle diagnostics and docs explaining the preserved vs invalidated paths.

Why this is not “raise 70k to 258k/272k”

The default 70000 native reuse guard remains a legacy/stale-binding safety rail. The healthy Codex + LCM path is semantic ownership:

1. Context engine returns contextProjection.mode = "thread_bootstrap" with a stable epoch/fingerprint.
2. OpenClaw injects large assembled context once into the Codex native thread.
3. Later turns resume that native thread and send only the current prompt when the engine/policy/projection/tool identity still matches.
4. Compaction or rollover preserves the binding only when that semantic identity remains safe.
5. Actual app-server overflow/rejection still clears the binding before fresh-thread retry.

The important distinction is model capacity vs warm-thread lifecycle policy:

Value	Meaning	Share of 70k guard
70000	OpenClaw proactive native-thread reuse guard for legacy/stale bindings	100%
272000	OpenClaw Codex runtime input cap used for GPT-5.5 forward-compat rows	70k is 25.7%
400000	GPT-5.5 native/context window in current OpenClaw catalog/test fixtures	70k is 17.5%

With a 30% post-compaction target, even a compacted transcript can land above the guard:

• 30% of 258k = 77.4k
• 30% of 272k = 81.6k

So repeatedly applying a hard 70k warm-thread rotation rule to otherwise compatible Codex native threads makes long-running sessions take the cold path right after compaction. This PR keeps the 70k guard for legacy/non-semantic bindings, but lets semantically-owned thread_bootstrap bindings survive compaction/rollover.

Local bootstrap size scan

I ran a bounded local scan over named bootstrap candidates (AGENTS.md, USER.md, MEMORY.md, SOUL.md, IDENTITY.md, TOOLS.md, BOOTSTRAP.md) under /Volumes/LEXAR/repos, /Volumes/LEXAR/Codex, ~/.openclaw, and ~/.codex, using ceil(bytes / 4) as a conservative token estimate.

Metric	Result
Candidate files	3,235
Aggregate directories	2,032
Aggregate p50	~637 tokens
Aggregate p90	~3.8k tokens
Aggregate p99	~13.5k tokens
Max aggregate	~117.7k tokens (~/.codex/memories/MEMORY.md)
Largest repeated AGENTS candidate	~23.6k tokens

Interpretation: the bug is not “every AGENTS.md is over 70k.” The failure mode is total rendered pressure: compacted history + context-engine projection + workspace bootstrap/developer instructions + native rollout growth. Once that total has created a warm native thread, the efficient Codex path is to preserve the semantically valid native thread rather than reproject the large stable payload every turn.

Flow

flowchart TD
  A["Long-running Codex session"] --> B{"Saved native binding?"}
  B -- "Legacy / ownerless / non-bootstrap" --> C{"session/native tokens >= guard?"}
  C -- "yes" --> D["Rotate cold: thread/start + reproject context"]
  C -- "no" --> E["Try normal resume"]
  B -- "context-engine thread_bootstrap" --> F{"Engine id + policy + epoch/fingerprint + tools match?"}
  F -- "no" --> D
  F -- "yes" --> G["Resume warm native thread"]
  G --> H["Send current prompt only"]
  H --> I{"Context-engine compaction?"}
  I -- "same file, identity stable" --> J["Preserve binding in place"]
  I -- "successor rollover, identity stable" --> K["Copy binding to successor; clear archived original"]
  I -- "identity changes or app-server rejects" --> D
  J --> G
  K --> G

Loading

Real behavior proof

• Behavior or issue addressed: Compatible Codex context-engine thread_bootstrap native bindings are preserved across successful context-engine compaction and successor session-file rollover, while legacy/non-bootstrap, mismatch, and app-server rejection paths still rotate/clear.
• Real environment tested: Local OpenClaw worktree on the Lexar-backed checkout at /Volumes/LEXAR/repos/worktrees/openclaw-codex-semantic-reuse-guard, branch codex/semantic-native-thread-preservation, current head 8b405b4d5c59432b4f3218b570609d3d43f5a4ad. The proof used temp session files under /Volumes/LEXAR/Codex/openclaw-pr-86160-proof-8b405b4d5c and the actual exported reconcileContextEngineCompactedCodexBinding(...), writeCodexAppServerBinding(...), readCodexAppServerBinding(...), clearCodexAppServerBinding(...), and startOrResumeThread(...) helpers from this checkout.
• Exact steps or command run after this patch: Ran a one-off pnpm exec tsx proof probe, not Vitest/tsgo/build. The probe wrote matching thread_bootstrap bindings, simulated a compactor clearing the sidecar before same-file compaction, simulated successor rollover copy/archived clear, and seeded a legacy raw user-MCP binding to prove the mismatch path rotates through thread/start and persists a hashed comparison token. I also verified the patched worktree identity and whitespace state with pwd, git rev-parse HEAD, git branch --show-current, git status --porcelain, and git diff --check HEAD^ HEAD.
• Evidence after fix: Copied terminal output from the current patched worktree proof probe:

[agent/embedded] context-engine-owned Codex app-server compaction preserved native thread-bootstrap binding
[agent/embedded] context-engine-owned Codex app-server compaction preserved native thread-bootstrap binding
{
  "head": "8b405b4d5c59432b4f3218b570609d3d43f5a4ad",
  "proofDir": "/Volumes/LEXAR/Codex/openclaw-pr-86160-proof-8b405b4d5c",
  "sameFileThreadBootstrap": {
    "outcome": {
      "invalidated": false,
      "preserved": true,
      "successorInvalidated": false
    },
    "restoredAfterCompactorClearedSidecar": true,
    "preservedThreadId": "thread-same-file-warm",
    "projectionMode": "thread_bootstrap",
    "projectionEpoch": "epoch-proof",
    "projectionFingerprint": "projection-fp-proof"
  },
  "successorRolloverThreadBootstrap": {
    "outcome": {
      "invalidated": false,
      "preserved": true,
      "successorInvalidated": false
    },
    "archivedBindingPresent": false,
    "successorThreadId": "thread-rollover-warm",
    "successorSessionFileBasename": "rollover-successor.jsonl",
    "projectionMode": "thread_bootstrap",
    "projectionEpoch": "epoch-rollover",
    "projectionFingerprint": "projection-fp-rollover"
  },
  "mcpConfigMismatchRotation": {
    "lifecycleAction": "started",
    "methods": [
      "thread/start"
    ],
    "previousThreadRotated": true,
    "savedThreadId": "thread-mcp-new",
    "userMcpServersFingerprintPrefix": "sha256:",
    "leakedMcpSecretInBinding": false,
    "leakedMcpPathInBinding": false
  }
}
$ pwd
/Volumes/LEXAR/repos/worktrees/openclaw-codex-semantic-reuse-guard
$ git rev-parse HEAD
8b405b4d5c59432b4f3218b570609d3d43f5a4ad
$ git branch --show-current
codex/semantic-native-thread-preservation
$ git status --porcelain
$ git diff --check HEAD^ HEAD

git status --porcelain and git diff --check HEAD^ HEAD produced no output.

• Observed result after fix: Same-file compaction returned preserved: true and restored thread-same-file-warm after the sidecar was cleared. Successor rollover returned preserved: true, cleared the archived/original binding (archivedBindingPresent: false), and copied thread-rollover-warm with the same thread_bootstrap epoch/fingerprint to the successor session file. The MCP mismatch path did not resume the stale thread; it called thread/start, saved thread-mcp-new, persisted a sha256: comparison fingerprint, and did not leak the seeded MCP email/path into the saved binding.
• What was not tested: No local Vitest/tsgo suite, package build, or live Gateway/Discord/Codex app-server replay was run locally, to avoid the local resource issue called out in AGENTS.md. GitHub Actions remains the validation gate for type, package-boundary, and test execution.
• Before evidence: The motivating production-style logs reported repeated codex app-server native transcript exceeded active token limit; starting a fresh thread at native token counts above the 70k reuse guard; issue Codex long-running sessions should use semantic thread/bootstrap cache ownership #86023 and this PR body include the budget math and local bootstrap-size scan explaining that failure mode.

Validation

Local validation intentionally skipped heavy suites per AGENTS.md / user instruction. GitHub Actions is the validation gate.

Local:

• one-off pnpm exec tsx lifecycle proof probe, as captured above
• git diff --check HEAD^ HEAD

GitHub Actions:

• current head 8b405b4d5c59432b4f3218b570609d3d43f5a4ad is green, including the previously failing logging support-export slice after the stability-bundle mode parser fix and the rerun after the unrelated model-catalog timeout.

Not run locally:

• Vitest focused slices
• pnpm tsgo:extensions:test
• live Gateway/Discord/Codex app-server replay

Stack / Review Notes

This PR is stacked on #86094. The diff to review is the top commit:

• 8b405b4d5c fix(codex): preserve semantic native threads across compaction

Refs #86023.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed May 27, 2026, 7:16 AM ET / 11:16 UTC.

Summary
This PR adds Codex native-thread lifecycle diagnostics/config/docs/tests and changes Codex app-server compaction, rollover, startup retry, and prompt rebuild paths to preserve compatible context-engine thread_bootstrap bindings while hashing sensitive comparison tokens.

PR surface: Source +1743, Tests +2123, Docs +81, Generated 0. Total +3947 across 30 files.

Reproducibility: no. current-head live reproduction was established in this review. The source path and linked issue/PR evidence make the failure mode source-reproducible, but the current PR head still needs after-fix proof.

Review metrics: 2 noteworthy metrics.

• Config surface: 1 added (agents.defaults.compaction.maxActiveTranscriptTokens). The PR changes a user-visible/default-sensitive configuration contract, which needs upgrade and documentation review before merge.
• Trusted diagnostic surface: 1 event type added (codex.native_thread.lifecycle). The event carries lifecycle identifiers and comparison fingerprints, so privacy and support-export behavior matter beyond ordinary CI.

Merge readiness
Overall: 🦪 silver shellfish
Proof: 🦪 silver shellfish
Patch quality: 🐚 platinum hermit
Result: blocked until stronger real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Add current-head real behavior proof for c99a46c... covering same-file preservation, successor rollover, mismatch rotation, and hashed comparison tokens.
• Confirm CI for the exact current head or include the relevant check summary after updating proof.

Proof guidance:
Needs stronger real behavior proof before merge: Terminal proof is present, but it is for older head 8b405b4d...; the contributor should add redacted current-head terminal/log/live output or a linked artifact for c99a46c... and update the PR body before merge.

Risk before merge

• Current-head real behavior proof is stale: the PR body proof is for 8b405b4d..., but current head c99a46c... includes later runtime changes to successor binding preservation, deferred post-start compaction, and unsent bootstrap cleanup.
• Merging changes the Codex native-thread reuse contract across compaction and transcript rollover; a missed compatibility dimension could attach a turn to a stale or wrong native thread.
• The PR adds or carries a user-facing config surface for Codex native transcript token thresholds, so maintainers need to accept the upgrade/default behavior and docs before merge.
• The new trusted lifecycle diagnostic surface carries thread/session/run identifiers and comparison fingerprints; the hashing/redaction approach looks intentional, but it is still a privacy-sensitive boundary for maintainer review.

Maintainer options:

1. Refresh current-head proof (recommended)
   Update the PR body with redacted terminal, log, live output, or linked artifact proof from c99a46c... showing same-file preservation, successor rollover copy/clear, mismatch rotation, and hashed comparison tokens.
2. Accept the semantic reuse policy
   A maintainer can intentionally accept the compatibility/session-state risk if the code review and current-head proof show the binding equivalence checks cover the real upgrade and rollover cases.
3. Pause for stack ordering
   If the diagnostics/config base stack is still under review, pause this PR until the base diagnostics work is landed or rebase this branch so maintainers can review only the semantic preservation delta.

Next step before merge
Manual review is needed because the remaining blockers are current-head real behavior proof and maintainer acceptance of compatibility/session-state/privacy risk, not a narrow mechanical repair.

Security
Cleared: No concrete supply-chain or code-execution regression was found; the patch hashes/redacts sensitive comparison fields, but the new diagnostic boundary still needs maintainer privacy review as merge risk.

Review details

Best possible solution:

Refresh the PR body with current-head real behavior proof, then have maintainers review the semantic preservation policy, config/default surface, and diagnostic privacy boundary before landing the stack in a coherent order.

Do we have a high-confidence way to reproduce the issue?

No current-head live reproduction was established in this review. The source path and linked issue/PR evidence make the failure mode source-reproducible, but the current PR head still needs after-fix proof.

Is this the best way to solve the issue?

Unclear until current-head proof and maintainer policy review catch up. Preserving compatible thread_bootstrap bindings is a plausible fix, but the compatibility/session-state/privacy boundaries are too important to treat stale proof as sufficient.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 545ad7f256e2.

Label changes

Label justifications:

• P2: This is a normal-priority Codex session-state/performance fix with limited blast radius but meaningful lifecycle risk.
• merge-risk: 🚨 compatibility: The PR changes Codex native-thread reuse defaults/configuration and compaction behavior that existing sessions and upgrades can observe.
• merge-risk: 🚨 session-state: The PR preserves and copies native thread bindings across compaction and rollover, so a wrong equivalence decision could mis-associate session state.
• merge-risk: 🚨 security-boundary: The PR adds trusted diagnostics for thread/session lifecycle identifiers and comparison fingerprints, making privacy/redaction review part of merge safety.
• rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🐚 platinum hermit.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: Terminal proof is present, but it is for older head 8b405b4d...; the contributor should add redacted current-head terminal/log/live output or a linked artifact for c99a46c... and update the PR body before merge.

Evidence reviewed

PR surface:

Source +1743, Tests +2123, Docs +81, Generated 0. Total +3947 across 30 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	13	1866	123	+1743
Tests	13	2170	47	+2123
Docs	3	81	0	+81
Config	0	0	0	0
Generated	1	2	2	0
Other	0	0	0	0
Total	30	4119	172	+3947

What I checked:

• Repository policy read: Root AGENTS.md plus scoped extensions/AGENTS.md, src/agents/AGENTS.md, and docs/AGENTS.md were read; the root policy marks plugin APIs, provider routing, auth/session state, config/default additions, startup checks, fallback behavior, and persisted preferences as compatibility/upgrade-sensitive review surfaces. (AGENTS.md:20, 545ad7f256e2)
• Merge-result source reviewed: The generated merge commit changes rotateOversizedCodexAppServerStartupBinding to bypass proactive native transcript size rotation for active context-engine thread_bootstrap bindings while still rotating on byte/token guard failures for other bindings. (extensions/codex/src/app-server/run-attempt.ts:977, 4bc13ab7d3b7)
• Compaction preservation source reviewed: reconcileContextEngineCompactedCodexBinding preserves same-file thread_bootstrap bindings, copies compatible bindings to successor transcripts, clears archived originals, and invalidates non-equivalent successor/current bindings. (extensions/codex/src/app-server/compact.ts:91, 4bc13ab7d3b7)
• Prompt rebuild and rollover source reviewed: The merge result forces context-engine compaction on Codex overflow, reconciles the Codex binding around the compacted session file, adopts the successor session id/file, and rebuilds prompt inputs after compaction or optimistic semantic reuse rotation. (extensions/codex/src/app-server/run-attempt.ts:1450, 4bc13ab7d3b7)
• Diagnostic privacy source reviewed: The diagnostic helper hashes sensitive comparison fields before trusted diagnostic emission and keeps generic log payloads to a small allowlist, but the new event still carries thread/session/run identifiers internally. (extensions/codex/src/app-server/native-thread-diagnostics.ts:119, 4bc13ab7d3b7)
• Whitespace check: The local merge result has no git diff --check whitespace errors against current main. (4bc13ab7d3b7)

Likely related people:

• @vincentkoc: Current-main blame/log for the central Codex app-server lifecycle files points to Vincent Koc’s recent broad updates, and the current PR head also contains multiple Vincent Koc commits on the same native-thread preservation path. (role: recent area contributor; confidence: high; commits: cefa6777e20d, f1cc8f0cfc7c, 859eb0666282; files: extensions/codex/src/app-server/run-attempt.ts, extensions/codex/src/app-server/compact.ts, extensions/codex/src/app-server/thread-lifecycle.ts)
• @steipete: Earlier current-main history shows Peter Steinberger introduced and refactored the Codex app-server controls and lifecycle seams that this PR now extends. (role: feature-history owner; confidence: high; commits: 31a0b7bd42a5, 8d72aafdbb8d, 3b65e2302a55; files: extensions/codex/src/app-server/run-attempt.ts, extensions/codex/src/app-server/compact.ts, extensions/codex/src/app-server/thread-lifecycle.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?

• The egg game starts only after the PR passes the real-behavior proof check.
• Before that, no creature or rarity is rolled. The treat waits for real proof.
• This is still just collectible flavor: proof affects review readiness, not creature quality.

[100yenadmin]

@clawsweeper please re-review this PR against the latest head 996ebfe6c4 and the now-passing Real behavior proof check.

[100yenadmin]

/review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Superseded
• Detail: A newer re-review for this item started before this run finished, so GitHub cancelled this older run. Check the latest ClawSweeper run for the current result.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26369555394
• Updated: 2026-05-24T18:42:03.032Z