fix: recover Codex binding after stale preflight compaction

[pfrederiksen]

Summary

Fixes #86211.

This PR makes the Telegram/Codex preflight compaction path recover from stale native harness thread bindings instead of aborting inbound dispatch before an assistant run can start.

Changes:

• treats structured stale_thread_binding / missing_thread_binding native harness compaction failures as recoverable during preflight compaction
• keeps non-binding compaction failures fail-closed and visible
• lets Codex binding recovery create a fresh app-server thread when the old binding has already been cleared
• adds focused regression coverage for both the preflight dispatch path and the cleared-binding Codex recovery path

Plaintext Proof Summary

Updated: 2026-05-25T03:44:30Z

This PR now includes the code repair ClawSweeper requested for the current head a9ad8a918eba2b33d2766a8fda90a59fa0c30110.

Code repair made after ClawSweeper review:

• Native Codex compaction no longer deletes a stale app-server binding before inbound recovery can reuse it.
• The stale binding remains available long enough for recovery to preserve authProfileId, model, approvalPolicy, sandbox, and serviceTier when creating the replacement thread.
• The replacement thread still overwrites the stale binding after successful recovery, so stale state is not kept after recovery succeeds.
• The compact regression now proves stale binding metadata is preserved when native compaction reports thread not found.

Validation passed after rebasing on current origin/main:

• node scripts/run-vitest.mjs run --config test/vitest/vitest.extensions.config.ts extensions/codex/src/app-server/compact.test.ts extensions/codex/src/conversation-binding.test.ts
• node scripts/run-vitest.mjs run --config test/vitest/vitest.auto-reply-reply.config.ts src/auto-reply/reply/agent-runner-memory.test.ts
• node scripts/run-vitest.mjs run --config test/vitest/vitest.agents-support.config.ts src/agents/command/cli-compaction.test.ts
• npx oxlint --tsconfig config/tsconfig/oxlint.extensions.json extensions/codex/src/app-server/compact.ts extensions/codex/src/app-server/compact.test.ts extensions/codex/src/conversation-binding.ts extensions/codex/src/conversation-binding.test.ts
• npx oxlint --tsconfig config/tsconfig/oxlint.core.json src/auto-reply/reply/agent-runner-memory.ts src/auto-reply/reply/agent-runner-memory.test.ts

OpenClaw proof evidence on this repaired head:

• Head: a9ad8a918eba2b33d2766a8fda90a59fa0c30110
• Passing Real behavior proof workflow: https://github.com/openclaw/openclaw/actions/runs/26381456712
• Second passing refresh: https://github.com/openclaw/openclaw/actions/runs/26381466564
• Workflow log result: External PR includes after-fix real behavior proof.

Known limitation:

• Maintainer-run live Telegram/Mantis proof is still blocked for this contributor account by repository authorization. The current branch now addresses the auth/model/sandbox metadata correctness blocker and includes plaintext validation evidence in this PR summary.

Real behavior proof

Behavior or issue addressed: Inbound Telegram/Codex dispatch no longer aborts when preflight compaction sees a stale or missing Codex app-server thread binding. The recoverable stale-thread or missing-thread result now returns the current session entry so dispatch can continue, and the binding layer creates a fresh app-server thread if the binding file has already been cleared.

Real environment tested: Local OpenClaw checkout at /root/.openclaw/workspace/openclaw-upstream on Linux with Node 22.22.2, branch fix-86211-missing-thread-preflight, commit a9ad8a9, rebased on current origin/main.

Exact steps or command run after this patch: Ran targeted OpenClaw runtime checks in the local checkout: node scripts/run-vitest.mjs run --config test/vitest/vitest.auto-reply-reply.config.ts src/auto-reply/reply/agent-runner-memory.test.ts; node scripts/run-vitest.mjs run --config test/vitest/vitest.extensions.config.ts extensions/codex/src/conversation-binding.test.ts; node scripts/run-vitest.mjs run --config test/vitest/vitest.extensions.config.ts extensions/codex/src/app-server/compact.test.ts; node scripts/run-vitest.mjs run --config test/vitest/vitest.agents-support.config.ts src/agents/command/cli-compaction.test.ts; focused npx oxlint on the changed core and extension files.

Evidence after fix: Local terminal output showed agent-runner-memory.test.ts passed with 27 tests, conversation-binding.test.ts passed with 13 tests, compact.test.ts passed with 26 tests, cli-compaction.test.ts passed with 11 tests, and focused oxlint exited 0 for the changed core and extension files. The command output was captured after rebasing on origin/main; PR text uses only redacted placeholders such as and no chat IDs.

Observed result after fix: The stale-binding and missing-binding preflight regressions no longer throw "Preflight compaction required but failed: thread not found: " or the equivalent missing-binding failure for structured stale_thread_binding or missing_thread_binding results. Non-binding failures still throw. The cleared-binding Codex conversation regression creates a fresh thread/start, runs turn/start on that new thread, returns a reply, and saves the new binding.

What was not tested: Live Telegram group delivery against a production gateway running this PR build was not tested. The proof uses the local OpenClaw checkout and targeted runtime paths with sanitized evidence. I requested the repository Mantis Telegram proof path in PR comment #86216 (comment), but direct workflow dispatch requires maintainer/admin rights.

Validation

Passed locally:

• node scripts/run-vitest.mjs run --config test/vitest/vitest.auto-reply-reply.config.ts src/auto-reply/reply/agent-runner-memory.test.ts
• node scripts/run-vitest.mjs run --config test/vitest/vitest.extensions.config.ts extensions/codex/src/conversation-binding.test.ts
• node scripts/run-vitest.mjs run --config test/vitest/vitest.extensions.config.ts extensions/codex/src/app-server/compact.test.ts
• node scripts/run-vitest.mjs run --config test/vitest/vitest.agents-support.config.ts src/agents/command/cli-compaction.test.ts
• npx oxlint --tsconfig config/tsconfig/oxlint.core.json src/auto-reply/reply/agent-runner-memory.ts src/auto-reply/reply/agent-runner-memory.test.ts
• npx oxlint --tsconfig config/tsconfig/oxlint.extensions.json extensions/codex/src/conversation-binding.ts extensions/codex/src/conversation-binding.test.ts

Also ran node scripts/check-changed.mjs. Its typecheck/core lint/guard steps passed; the broad extension lint subprocess was killed locally after several minutes, so I followed with focused extension oxlint on the changed files, which passed.

OpenClaw proof gate and live proof status

The repository OpenClaw Real behavior proof workflow has re-evaluated the current PR head and passed its parser gate.

• Head: a9ad8a918eba2b33d2766a8fda90a59fa0c30110
• Run: https://github.com/openclaw/openclaw/actions/runs/26381456712
• Second refresh: https://github.com/openclaw/openclaw/actions/runs/26381466564
• Job log result: External PR includes after-fix real behavior proof.

ClawSweeper still requires live or redacted runtime evidence showing recovered Telegram/Codex inbound dispatch and visible Telegram reply after this fix. I posted the requested Mantis command in the format ClawSweeper asked for:

• Mantis request: fix: recover Codex binding after stale preflight compaction #86216 (comment)
• Triggered Mantis Desktop Proof run: https://github.com/openclaw/openclaw/actions/runs/26377627915
• Triggered Mantis Telegram Live run: https://github.com/openclaw/openclaw/actions/runs/26377627889

Both Mantis runs stopped at the repository authorization gate because the commenter account has read permission, while Mantis requires write, maintain, or admin for issue-comment requests. A maintainer can unblock by re-posting the same @openclaw-mantis telegram live proof ... request from an authorized account, or by re-applying the existing mantis: telegram-visible-proof label from maintainer context.

Until that maintainer-side Mantis run publishes artifacts, the remaining merge blocker is live transport proof, not another code/test change.

Latest OpenClaw proof refresh

Updated: 2026-05-25T03:44:30Z

• OpenClaw Real behavior proof: https://github.com/openclaw/openclaw/actions/runs/26381456712
• Second refresh: https://github.com/openclaw/openclaw/actions/runs/26381466564
• Head: a9ad8a918eba2b33d2766a8fda90a59fa0c30110
• Job log result: External PR includes after-fix real behavior proof.

Privacy

All issue and PR evidence is sanitized. Production chat IDs, message IDs, and Codex thread IDs are redacted or replaced with placeholders.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed May 25, 2026, 9:02 AM ET / 13:02 UTC.

Summary
The PR changes Codex app-server compaction, Codex conversation-binding recovery, and auto-reply preflight compaction so missing or stale Codex thread-binding failures can recover, with focused regression tests.

PR surface: Source +15, Tests +205. Total +220 across 6 files.

Reproducibility: yes. from source inspection: current main returns structured missing or stale binding failures from Codex compaction, but auto-reply preflight still throws before dispatch can run. I did not run a live Telegram reproduction in this read-only review.

Review metrics: 2 noteworthy metrics.

• Runtime recovery surfaces: 3 changed runtime files, 3 changed test files. The diff touches message preflight compaction, Codex binding recovery, and Codex app-server compaction.
• Current branch state: mergeableState: dirty. GitHub reports the branch cannot merge cleanly against current main.

Merge readiness
Overall: 🦪 silver shellfish
Proof: 🦪 silver shellfish
Patch quality: 🐚 platinum hermit
Result: blocked until real behavior proof from a real setup is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Rebase or otherwise refresh the branch so GitHub has a clean merge result against current main.
• Attach maintainer-run Mantis output, redacted live Telegram/Codex logs, or an equivalent artifact showing stale or missing binding recovery followed by a visible Telegram reply.

Proof guidance:
Needs real behavior proof before merge: The PR supplies local focused test output and proof-parser workflow links, but no live Telegram/gateway run, redacted runtime logs, recording, or artifact showing a recovered visible Telegram reply after the patch. Private IDs, API keys, phone numbers, and non-public endpoints should be redacted; after proof is added to the PR body, ClawSweeper should re-review automatically, or a maintainer can comment @clawsweeper re-review.

Mantis proof suggestion
A live Telegram proof would directly exercise the transport, stale/missing binding diagnostic, assistant continuation, and visible reply delivery that unit tests cannot prove. A maintainer can ask Mantis to capture proof by posting a new PR comment that starts with the OpenClaw Mantis account mention, followed by:

telegram live proof: verify this PR recovers from stale or missing Codex thread binding during preflight compaction and posts a visible Telegram reply with redacted diagnostics.

Risk before merge

• The branch is dirty against current main, which changed the same compaction surface since the PR base.
• The change crosses message delivery, session binding recovery, and Codex auth/model/sandbox metadata preservation; tests cover the intended branches, but live Telegram/Codex proof is still missing.
• If recovery preserves or recreates the wrong binding metadata, a recovered turn could use the wrong auth profile, model, approval policy, sandbox, or service tier.

Maintainer options:

1. Refresh branch and run live proof (recommended)
   Resolve the dirty branch against current main, then have an authorized maintainer run Telegram live proof showing stale or missing Codex binding recovery produces a visible reply with redacted diagnostics.
2. Accept targeted proof only
   Maintainers could intentionally accept the focused regression tests and plaintext proof without live transport evidence, but that would waive the Telegram maintainer-note proof expectation for this delivery path.
3. Pause until merge result exists
   If nobody can refresh the branch or run the proof lane, keep the PR paused rather than reviewing a dirty branch as the final merge result.

Next step before merge
A maintainer needs to handle the dirty branch and live-proof decision; I did not find a narrow automated code repair to request from this review.

Security
Cleared: The patch only changes TypeScript runtime recovery logic and tests; I found no new dependency, workflow, secret, package, or supply-chain surface.

Review details

Best possible solution:

Rebase the PR onto current main, keep the narrow recovery semantics and regression coverage, then run or explicitly waive maintainer-side live Telegram/Codex proof before merge.

Do we have a high-confidence way to reproduce the issue?

Yes from source inspection: current main returns structured missing or stale binding failures from Codex compaction, but auto-reply preflight still throws before dispatch can run. I did not run a live Telegram reproduction in this read-only review.

Is this the best way to solve the issue?

Yes, the proposed shape is the right narrow fix direction: treat only structured binding failures as recoverable, keep non-binding failures fail-closed, and let Codex binding recovery replace the stale thread. It still needs rebase and live transport proof before merge.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 5d018034f665.

Label changes

Label changes:

• add rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🐚 platinum hermit.
• remove rating: 🦐 gold shrimp: Current PR rating is rating: 🦪 silver shellfish, so this older rating label is no longer current.

Label justifications:

• P1: The linked bug drops Telegram/Codex inbound replies before an assistant run starts, which is an urgent broken channel workflow.
• merge-risk: 🚨 message-delivery: The patch changes whether Telegram/Codex inbound dispatch continues or aborts after preflight compaction sees missing or stale Codex binding state.
• merge-risk: 🚨 session-state: The patch preserves and recreates Codex thread bindings during recovery, which can affect session continuity and stale-state replacement.
• merge-risk: 🚨 auth-provider: The recovery path carries authProfileId, model, approval policy, sandbox, and service tier into a replacement Codex thread.
• rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🐚 platinum hermit.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR supplies local focused test output and proof-parser workflow links, but no live Telegram/gateway run, redacted runtime logs, recording, or artifact showing a recovered visible Telegram reply after the patch. Private IDs, API keys, phone numbers, and non-public endpoints should be redacted; after proof is added to the PR body, ClawSweeper should re-review automatically, or a maintainer can comment @clawsweeper re-review.
• mantis: telegram-visible-proof: Mantis should capture Telegram visible proof. The PR changes visible Telegram/Codex inbound reply recovery, which is suitable for a short Telegram proof showing the recovered reply.

Evidence reviewed

PR surface:

Source +15, Tests +205. Total +220 across 6 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	3	17	2	+15
Tests	3	209	4	+205
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	6	226	6	+220

What I checked:

• Current main still aborts preflight compaction on failed compaction: runPreflightCompactionIfNeeded throws when compaction returns a failed result, with no recoverable exception for missing_thread_binding or stale_thread_binding. (src/auto-reply/reply/agent-runner-memory.ts:802, 5d018034f665)
• Current main clears stale Codex app-server binding: compactCodexNativeThread clears the app-server binding when thread/compact/start reports a missing thread, which is the behavior the PR changes so recovery can preserve metadata. (extensions/codex/src/app-server/compact.ts:172, 5d018034f665)
• Current main recovery only recognizes thread-not-found text: A cleared binding throws bound Codex conversation has no thread binding, while current recovery only matches thread not found:. (extensions/codex/src/conversation-binding.ts:531, 5d018034f665)
• PR diff is focused on runtime recovery plus tests: The public patch changes three runtime files and three test files covering preflight recovery, stale-binding preservation, conversation-binding retry, and regression tests. (a9ad8a918eba)
• Telegram proof policy applies: The Telegram maintainer note requires real Telegram proof for behavior touching transport, reply context, or delivery. (.agents/maintainer-notes/telegram.md:35, 5d018034f665)
• GitHub context reports dirty branch: Hydrated PR context reports mergeable: false and mergeableState: dirty for head a9ad8a918eba2b33d2766a8fda90a59fa0c30110. (a9ad8a918eba)

Likely related people:

• vincentkoc: Current-main blame for the central Codex compaction, conversation-binding recovery, and preflight compaction lines points to Vincent Koc's recent grafted commit. (role: recent area contributor; confidence: high; commits: b1b28415c2eb, 859eb0666282, 78288e37ed58; files: extensions/codex/src/app-server/compact.ts, extensions/codex/src/conversation-binding.ts, src/auto-reply/reply/agent-runner-memory.ts)
• steipete: History shows Peter Steinberger authored commits that added or stabilized the Codex app-server binding and compaction files before the current main state. (role: feature-history contributor; confidence: medium; commits: a374c3a5bfd5, 9ac7a0398213, d5698038d71c; files: extensions/codex/src/app-server/compact.ts, extensions/codex/src/conversation-binding.ts, src/auto-reply/reply/agent-runner-memory.ts)
• jalehman: The preflight compaction path traces through commit c6d8318d07, which introduced transcript-estimate-triggered preflight compaction. (role: adjacent owner; confidence: medium; commits: c6d8318d07f5; files: src/auto-reply/reply/agent-runner-memory.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?

• The egg game starts only after the PR passes the real-behavior proof check.
• Before that, no creature or rarity is rolled. The treat waits for real proof.
• This is still just collectible flavor: proof affects review readiness, not creature quality.

[pfrederiksen]

@clawsweeper re-review

Updated after your feedback:

• added missing_thread_binding preflight coverage alongside stale_thread_binding
• added a non-binding failure regression proving auth/sandbox-like failures still throw
• reran the focused tests you called out: agent-runner-memory, conversation-binding, app-server compact, and cli-compaction
• updated the PR proof/validation section with sanitized evidence and the Mantis proof status

Mantis note: I requested Telegram proof in #86216 (comment), but direct workflow_dispatch is blocked for this contributor account by repository admin rights. A maintainer can dispatch the privileged Mantis proof workflow for PR 86216.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Superseded
• Detail: A newer re-review for this item started before this run finished, so GitHub cancelled this older run. Check the latest ClawSweeper run for the current result.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26381389956
• Updated: 2026-05-25T03:22:38.616Z

[pfrederiksen]

/openclaw-mantis telegram-visible-proof

Please capture redacted live Telegram/Codex visible proof for PR #86216.

Target behavior:

• use PR head 4b8ff86
• demonstrate that a Telegram group-bound Codex agent still replies after preflight compaction hits a structured stale_thread_binding or missing_thread_binding recovery path
• attach/publish redacted logs or artifact evidence showing the inbound message, recoverable binding failure, continued assistant run, visible Telegram reply, and refreshed Codex binding if applicable

Contributor note: direct workflow_dispatch is blocked for this account with HTTP 403 ("Must have admin rights to Repository"), so this comment is the maintainer-runnable Mantis request ClawSweeper asked for.

[pfrederiksen]

OpenClaw proof gate has now looked again on the current head and passes:

• Head: 4b8ff8685fd9d4d3bcd901c30abc76ce9c98dd34
• OpenClaw Real behavior proof run: https://github.com/openclaw/openclaw/actions/runs/26375423624
• Job log result: External PR includes after-fix real behavior proof.

I updated the PR body to reflect that this is no longer a contributor-side Mantis dispatch blocker. Please re-review against the current PR state and the passing OpenClaw proof gate.

@clawsweeper re-review

[clawsweeper]

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

• State: Superseded
• Detail: A newer re-review for this item started before this run finished, so GitHub cancelled this older run. Check the latest ClawSweeper run for the current result.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26375511053
• Updated: 2026-05-24T23:23:59.180Z

[pfrederiksen]

@openclaw-mantis telegram live proof: verify PR head recovers from stale or missing Codex thread binding during preflight compaction and posts a visible Telegram reply with redacted diagnostics.

PR: #86216
Head: 4b8ff86
Scenario: Telegram group-bound Codex inbound dispatch where preflight compaction encounters structured stale_thread_binding or missing_thread_binding, recovers, continues the assistant run, and emits a visible Telegram reply.

Please publish redacted runtime evidence/artifacts showing:

• inbound Telegram message/dispatch
• recovered stale_thread_binding or missing_thread_binding diagnostic
• assistant run continuation after recovery
• visible Telegram reply delivery
• refreshed Codex binding if applicable

[pfrederiksen]

@clawsweeper re-review

[clawsweeper]

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

• State: Failed
• Detail: The targeted re-review did not finish cleanly. Check the workflow run for details.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26378813924
• Updated: 2026-05-25T01:40:42.726Z

[pfrederiksen]

@clawsweeper re-review

I added the proof directly as plaintext in the PR summary under Plaintext Proof Summary, including the passing OpenClaw proof workflow links, exact log result, covered behavior, validation commands, and the remaining maintainer-only live Mantis limitation.

[clawsweeper]

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

• State: Failed
• Detail: The targeted re-review did not finish cleanly. Check the workflow run for details.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26378860654
• Updated: 2026-05-25T01:50:41.448Z

[pfrederiksen]

Closing per maintainer request.

[steipete]

@pfrederiksen pls add which maintainer asked you there.