Fix Codex usage-limit recovery copy

[amknight]

Summary

• Replace the no-reset Codex usage-limit fallback with actionable recovery guidance that does not depend on /codex account.
• Preserve structured reset and retry-time messaging when Codex provides that data.
• Keep blocked-window summaries useful even when Codex omits a reset timestamp.

Verification

• node scripts/run-vitest.mjs extensions/codex/src/app-server/rate-limits.test.ts
• node scripts/run-vitest.mjs extensions/codex/src/app-server/event-projector.test.ts
• node scripts/run-vitest.mjs extensions/codex/src/commands.test.ts
• git diff --check
• AUTOREVIEW_AUTO_TESTS=0 .agents/skills/autoreview/scripts/autoreview --mode local --no-web-search

Real behavior proof

Behavior addressed: Codex harness usage-limit errors without reset data no longer tell users to query Codex again or mention an unactionable missing reset value.
Real environment tested: Local OpenClaw Codex worktree using mocked Codex app-server rate-limit and failed-turn payloads.
Exact steps or command run after this patch: Ran the targeted rate-limit formatter and app-server event projector Vitest files after the final copy change; commands.test was run to cover the /codex account command surface; git diff --check and autoreview were also run before commit.
Evidence after fix: The new formatter regression asserts the message includes waiting, another Codex account, or another configured model/provider, and asserts it does not include /codex account or the old missing-reset wording.
Observed result after fix: All listed targeted tests passed and autoreview reported no accepted/actionable findings.
What was not tested: A live hosted Codex subscription exhaustion event, because the behavior is covered with deterministic app-server payload tests.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed May 24, 2026, 11:55 PM ET / 03:55 UTC.

Summary
This PR updates Codex app-server usage-limit recovery wording, adds formatter/event-projector regression tests, and adds an Unreleased changelog entry.

PR surface: Source +30, Tests +82, Docs +1. Total +113 across 4 files.

Reproducibility: yes. by source inspection: current main reaches the old no-reset and /codex account wording through the shared Codex usage-limit formatter. I did not execute tests because this was a read-only cleanup review.

Merge readiness
Overall: 🦞 diamond lobster
Proof: 🌊 off-meta tidepool
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Risk before merge

• A live hosted Codex subscription exhaustion event was not exercised; review evidence is source inspection plus deterministic app-server payload tests.

Maintainer options:

1. Decide the mitigation before merge
   Land the centralized formatter, test, and changelog change after normal maintainer review and CI.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge
No ClawSweeper repair job is needed because there are no blocking findings; the PR remains open for normal maintainer review and merge handling.

Security
Cleared: The diff only changes Codex formatter logic, tests, and changelog text; it does not touch dependencies, workflows, secrets, package metadata, or code-download surfaces.

Review details

Best possible solution:

Land the centralized formatter, test, and changelog change after normal maintainer review and CI.

Do we have a high-confidence way to reproduce the issue?

Yes, by source inspection: current main reaches the old no-reset and /codex account wording through the shared Codex usage-limit formatter. I did not execute tests because this was a read-only cleanup review.

Is this the best way to solve the issue?

Yes, the PR fixes the shared formatter and adjacent tests instead of adding channel-specific copy or a new config surface.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 9db04a27eb20.

Label changes

Label justifications:

• P3: This is a low-risk Codex recovery-copy and ergonomics fix with focused tests and limited blast radius.
• rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🌊 off-meta tidepool and patch quality is 🦞 diamond lobster.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: This is a maintainer/MEMBER PR, so the external contributor real-behavior proof gate does not apply; the body supplies deterministic mocked payload test evidence but no live subscription-exhaustion run.

Evidence reviewed

PR surface:

Source +30, Tests +82, Docs +1. Total +113 across 4 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	36	6	+30
Tests	2	83	1	+82
Docs	1	1	0	+1
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	4	120	7	+113

What I checked:

• Current main behavior: Current main appends the old no-reset fallback and tells users to run /codex account from the shared Codex usage-limit formatter. (extensions/codex/src/app-server/rate-limits.ts:53, 9db04a27eb20)
• PR formatter change: The PR head selects reset, retry, or no-reset recovery guidance and replaces the /codex account instruction with wait/account/provider guidance. (extensions/codex/src/app-server/rate-limits.ts:44, b7a7301ef322)
• No-reset regression coverage: The PR adds a regression for omitted reset details that asserts actionable guidance is present and both the old missing-reset wording and /codex account are absent. (extensions/codex/src/app-server/rate-limits.test.ts:10, b7a7301ef322)
• Blocked sibling-bucket coverage: The PR covers the case where the blocked Codex bucket has no reset and a sibling bucket has a future reset, preventing the wrong reset from being shown. (extensions/codex/src/app-server/rate-limits.test.ts:101, b7a7301ef322)
• User-visible path coverage: The app-server event projector test now expects structured reset errors to include Wait until the reset time, covering the prompt error path users see in channels. (extensions/codex/src/app-server/event-projector.test.ts:719, b7a7301ef322)
• Changelog: The PR includes an Unreleased Fixes entry for the Codex harness usage-limit recovery-copy change. (CHANGELOG.md:16, b7a7301ef322)

Likely related people:

• pashpashpash: Merged Codex subscription reset-time work in commit c3af812 touched the same formatter, app-server paths, and tests that this PR adjusts. (role: recent feature contributor; confidence: high; commits: c3af812fe3de; files: extensions/codex/src/app-server/rate-limits.ts, extensions/codex/src/app-server/rate-limits.test.ts, extensions/codex/src/app-server/event-projector.test.ts)
• vincentkoc: Current checkout blame for the formatter and usage summary points to commit 0acc3e3, which carries the checked-out current-main copy of the Codex rate-limit files. (role: current-main provenance; confidence: medium; commits: 0acc3e32164a; files: extensions/codex/src/app-server/rate-limits.ts, extensions/codex/src/app-server/rate-limits.test.ts, extensions/codex/src/app-server/event-projector.test.ts)
• steipete: Recent current-main history shows adjacent Codex app-server work in commit d9af23f under the same run-attempt path. (role: recent adjacent contributor; confidence: low; commits: d9af23fb5af5; files: extensions/codex/src/app-server/run-attempt.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 💎 rare Moonlit Clawlet

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 💎 rare.
Trait: purrs at green checks.
Image traits: location flaky test forest; accessory miniature diff map; palette amber, ink, and glacier blue; mood calm; pose peeking out from the egg shell; shell translucent glimmer shell; lighting moonlit rim light; background gentle dashboard dots.
Share on X: post this hatch
Copy: My PR egg hatched a 💎 rare Moonlit Clawlet in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.