Skip to content

fix(codex): preserve shared app-server when spawned helper run fails logically (#72574)#87375

Merged
steipete merged 5 commits into
openclaw:mainfrom
yetval:fix/72574-shared-client-cleanup-policy
May 27, 2026
Merged

fix(codex): preserve shared app-server when spawned helper run fails logically (#72574)#87375
steipete merged 5 commits into
openclaw:mainfrom
yetval:fix/72574-shared-client-cleanup-policy

Conversation

@yetval

@yetval yetval commented May 27, 2026

Copy link
Copy Markdown
Contributor

Summary

Fixes #72574 by narrowing the Codex app-server startup-failure cleanup policy. Spawned/helper runs that fail for logical reasons (auth, thread/start 401) no longer retire the shared app-server client used by the main session. Only real transport/process failures still clear the shared singleton.

Closes #72812 (multi-app-server topology was the wrong direction per maintainer; this PR uses the requested cleanup-policy approach instead).

Behavior change

extensions/codex/src/app-server/attempt-startup.ts — outer startup catch:

  • Before: any error reaching the outer catch (auth, thread/start, transport) called clearSharedCodexAppServerClientIfCurrent(startupClientForCleanup), wiping the main session's shared client.
  • After: clearSharedCodexAppServerClientIfCurrent only fires when isCodexAppServerConnectionClosedError(error) (transport poisoned) OR the run is not spawned (!params.spawnedBy?.trim()). Spawned + logical failure → lease releases via the existing finally, shared singleton survives.

Inner retry-loop cleanup on connection-closed errors is unchanged (still clears + retries on real transport failure regardless of spawn topology).

spawnedBy is the only new field threaded through startCodexAttemptThread. No topology change, no new app-server processes, no isolated-client construction. Single shared leased Codex app-server is preserved.

Diff size

extensions/codex/src/app-server/attempt-startup.ts |  7 ++-
extensions/codex/src/app-server/run-attempt.test.ts | 60 ++++++++++++++++++++++
extensions/codex/src/app-server/run-attempt.ts     |  1 +
3 files changed, 67 insertions(+), 1 deletion(-)

Test plan

  • New regression test: spawned helper thread/start 401 leaves shared client current.
  • New regression test: top-level run thread/start 401 still retires shared client (baseline preserved for non-spawned runs).
  • Focused suite: node scripts/run-vitest.mjs extensions/codex/src/app-server/run-attempt.test.ts → 67/67 passed.
  • Full app-server suite: node scripts/run-vitest.mjs extensions/codex/src/app-server/ → 68 files / 949 tests passed.
  • Live invalid-token spawn against real @openai/codex binary — see What was not tested.

Real behavior proof

Behavior addressed: shared Codex app-server client retired by spawned helper run thread/start auth failure (#72574). After fix, a spawned helper's 401 only fails that attempt; the parent session's shared client and its in-flight turns are untouched.

Real environment tested: Node 24, vitest 4.1.7, macOS local checkout at upstream/main@11ca150a1ba + this PR's commit cc424a24123. Tests exercise the production startCodexAttemptThread path through runCodexAppServerAttempt with a stubbed attemptClientFactory whose returned client throws on thread/start (the same error shape Codex emits for invalid bearer tokens).

Exact steps or command run after this patch:

git checkout fix/72574-shared-client-cleanup-policy
pnpm install --frozen-lockfile
node scripts/run-vitest.mjs extensions/codex/src/app-server/run-attempt.test.ts -t "logical thread/start error"
node scripts/run-vitest.mjs extensions/codex/src/app-server/

Evidence after fix:

  • -t "logical thread/start error" → 2 tests pass (spawned does NOT clear shared; top-level still clears).
  • Full app-server suite → 68 files / 949 tests pass.
  • vi.spyOn(sharedClientModule, "clearSharedCodexAppServerClientIfCurrent") asserts clearSpy.mock.calls.some(([arg]) => arg === failedClient) is false for the spawned case and true for the top-level case. Same factory and error shape across both — only params.spawnedBy differs.

Observed result after fix: spawned helper thread/start 401 rejects its own attempt without invoking clearSharedCodexAppServerClientIfCurrent(failedClient). Top-level thread/start 401 still invokes it (regression baseline for non-spawned runs preserved). Inner connection-closed retry loop unchanged.

What was not tested: live @openai/codex binary with a real invalid bearer token spawning a helper from a long-running parent session; relies on programmatic factory injection rather than a real CodexAppServerClient.start subprocess. Closed PR #72812 has live Fedora 43 proof for the bug repro itself — this PR's cleanup-policy narrowing is the maintainer-requested fix shape for the same bug.

Refs

This was referenced May 27, 2026
Closed
Closed
@openclaw-barnacle openclaw-barnacle Bot added extensions: codex size: S triage: mock-only-proof Candidate: PR proof only shows tests, mocks, snapshots, lint, typecheck, or CI. labels May 27, 2026
@clawsweeper

clawsweeper Bot commented May 27, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Codex review: needs maintainer review before merge. Reviewed May 27, 2026, 3:40 PM ET / 19:40 UTC.

Summary
The PR narrows Codex app-server startup cleanup so spawned helper thread/start RPC failures preserve the shared client while timeout, write, transport, and top-level failures still retire it.

PR surface: Source +30, Tests +130. Total +160 across 4 files.

Reproducibility: yes. source inspection plus the linked report provide a high-confidence path: current main unconditionally clears the shared startup client after a spawned helper thread/start logical failure. I did not run the live invalid-token Codex credential scenario in this checkout.

Review metrics: none identified.

Merge readiness
Overall: 🦞 diamond lobster
Proof: 🦞 diamond lobster
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Risk before merge

  • This PR intentionally changes Codex auth-failure cleanup in a shared app-server lifecycle path; if classification is too broad or too narrow, a helper run could still tear down the parent session or a genuinely poisoned client could be preserved.
  • The exact live invalid-token parent/helper run was not exercised; the maintainer override relies on focused production-boundary tests and Testbox validation instead of live Codex credentials.

Maintainer options:

  1. Merge after final-head checks (recommended)
    Use the posted final-head Testbox and focused test evidence, but wait for required GitHub checks or maintainer validation on c533218460036348b6fa349340c3951d03ffc89b before merge.
  2. Request live auth proof
    Maintainers can ask for a live invalid-token helper run if they want end-to-end Codex credential proof before accepting the override.
  3. Accept the override
    Maintainers may explicitly accept the remaining live-credential gap because the failure classifier and cleanup policy are covered at the production boundary with focused regressions.

Next step before merge
No automated repair is indicated; maintainers need to complete final-head CI and merge judgment for an auth/session-state lifecycle fix.

Security
Cleared: The diff touches Codex auth-error lifecycle handling but does not add dependencies, CI execution, secret handling, permissions, downloads, or a concrete security regression.

Review details

Best possible solution:

Land this cleanup-policy fix after required final-head checks and maintainer review confirm the auth/session-state lifecycle risk is acceptable.

Do we have a high-confidence way to reproduce the issue?

Yes, source inspection plus the linked report provide a high-confidence path: current main unconditionally clears the shared startup client after a spawned helper thread/start logical failure. I did not run the live invalid-token Codex credential scenario in this checkout.

Is this the best way to solve the issue?

Yes, this is the narrower maintainer-preferred fix shape: classify only thread/start RPC failures for spawned runs and keep timeout, write, transport, and top-level cleanup behavior intact.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against e33958675078.

Label changes

Label justifications:

  • P1: The linked regression can destabilize an active Codex/OpenClaw session when a helper run hits an auth failure, so it affects real agent workflow reliability.
  • merge-risk: 🚨 auth-provider: The diff changes how Codex thread/start auth/RPC failures influence shared app-server cleanup.
  • merge-risk: 🚨 session-state: The shared Codex app-server client is session-lifecycle state, and an incorrect cleanup decision can kill or poison the parent session.
  • rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Override: A maintainer applied proof: override for this PR.
Evidence reviewed

PR surface:

Source +30, Tests +130. Total +160 across 4 files.

View PR surface stats
Area Files Added Removed Net
Source 3 37 7 +30
Tests 1 130 0 +130
Docs 0 0 0 0
Config 0 0 0 0
Generated 0 0 0 0
Other 0 0 0 0
Total 4 167 7 +160

What I checked:

  • Current main clears the shared client on any outer startup failure: On current main, the outer startup catch unconditionally calls clearSharedCodexAppServerClientIfCurrent(startupClientForCleanup), matching the reported failure mode where a spawned helper logical startup error can retire the shared parent client. (extensions/codex/src/app-server/attempt-startup.ts:375, e33958675078)
  • PR head preserves only spawned logical thread/start RPC failures: The PR head adds a guarded cleanup policy: transport-poisoned errors still clear, but a spawned run with isCodexThreadStartRequestError(error) skips shared-client retirement. (extensions/codex/src/app-server/attempt-startup.ts:378, c53321846003)
  • Thread-start classification is limited to Codex RPC errors: The final patch wraps only CodexAppServerRpcError from thread/start in CodexThreadStartRequestError; low-level write failures and connection-close errors continue through the existing cleanup paths. (extensions/codex/src/app-server/thread-lifecycle.ts:567, c53321846003)
  • Spawn lineage reaches the startup cleanup decision: runCodexAppServerAttempt now passes params.spawnedBy into startCodexAttemptThread, so the cleanup decision is based on the actual helper-run marker rather than session-key shape guessing. (extensions/codex/src/app-server/run-attempt.ts:867, c53321846003)
  • Regression coverage checks both preserve and retire paths: The new tests cover spawned logical RPC failure preserving the shared client, spawned timeout clearing it, spawned write failure clearing it, and top-level logical RPC failure clearing it. (extensions/codex/src/app-server/run-attempt.test.ts:3494, c53321846003)
  • Maintainer proof override and final-head validation were posted: The PR discussion records proof: override plus maintainer verification for final head c533218460036348b6fa349340c3951d03ffc89b, including focused Codex Vitest, pnpm tsgo:extensions, delegated Testbox tbx_01ksneq14jk207h53ghfmfvp0d, and clean autoreview. (c53321846003)

Likely related people:

  • steipete: The current main startup cleanup block is blamed to the app-server attempt seam split, and the PR discussion shows final-head maintainer verification plus final cleanup commits from the same person. (role: recent area contributor and reviewer; confidence: high; commits: a4c2e7f5cf1b, 0126de71d1d9, c181bd899d6b; files: extensions/codex/src/app-server/attempt-startup.ts, extensions/codex/src/app-server/thread-lifecycle.ts, extensions/codex/src/app-server/run-attempt.test.ts)
  • Alex Knight: Recent current-main history touches the Codex app-server thread lifecycle around native hook relay preservation, adjacent to this PR's startup/thread lifecycle path. (role: recent adjacent area contributor; confidence: medium; commits: 42e9504114f3; files: extensions/codex/src/app-server/thread-lifecycle.ts)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P1 High-priority user-facing bug, regression, or broken workflow. merge-risk: 🚨 session-state 🚨 May lose, corrupt, stale, or mis-associate session, agent, or context state. merge-risk: 🚨 auth-provider 🚨 May break OAuth, tokens, provider routing, model choice, or credentials. labels May 27, 2026
@clawsweeper

clawsweeper Bot commented May 27, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

ClawSweeper PR egg

✨ Hatched: 🌱 uncommon Moonlit Signal Puff

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

  • Merged PRs are hatchable.
  • Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
  • Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🌱 uncommon.
Trait: sleeps inside passing CI.
Image traits: location flaky test forest; accessory commit compass; palette plum, gold, and soft gray; mood mischievous; pose nestled inside a glowing shell; shell frosted glass shell; lighting golden review-room light; background miniature CI buoys.
Share on X: post this hatch
Copy: My PR egg hatched a 🌱 uncommon Moonlit Signal Puff in ClawSweeper.

What is this egg doing here?
  • Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
  • The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
  • Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
  • The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
  • Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

@yetval yetval force-pushed the fix/72574-shared-client-cleanup-policy branch from cc424a2 to 954f78b Compare May 27, 2026 18:35
@steipete steipete self-assigned this May 27, 2026
@steipete steipete force-pushed the fix/72574-shared-client-cleanup-policy branch from 954f78b to 5a810fd Compare May 27, 2026 18:47
@steipete steipete added the proof: override Maintainer override for the external PR real behavior proof gate. label May 27, 2026
@steipete

steipete commented May 27, 2026

Copy link
Copy Markdown
Contributor

Maintainer verification for 5a810fddfc4a12d0c56524f67cd1e78f50e5f1fd:

Behavior addressed: spawned/helper Codex app-server startup failures from logical thread/start errors no longer retire the shared parent app-server client. Top-level logical startup failures still retire the shared client, and transport/process-close startup failures still clear/retry.

Real environment tested: Blacksmith Testbox Linux via Crabbox plus local macOS focused Vitest. This was not a live invalid-token @openai/codex parent/helper run; applying proof: override because live Codex credentials are required for that exact path and the maintainer-requested cleanup-policy shape is covered at the production runCodexAppServerAttempt/startCodexAttemptThread boundary.

Exact steps or command run after this patch:

node scripts/run-vitest.mjs extensions/codex/src/app-server/run-attempt.test.ts
pnpm tsgo:extensions
pnpm check:changed
/Users/steipete/Projects/agent-scripts/skills/autoreview/scripts/autoreview --mode branch --base origin/main

Evidence after fix:

  • Focused Vitest: extensions/codex/src/app-server/run-attempt.test.ts passed, 67 tests.
  • Extension typecheck: pnpm tsgo:extensions passed.
  • Changed checks: Blacksmith Testbox tbx_01ksnc0j9t2fcdh46ezv8crhk2, run quick-shrimp, passed; covered extension prod/test typecheck, extension lint, guards, and import cycles.
  • Autoreview: clean, no accepted/actionable findings.

Observed result after fix: the spawned-helper regression asserts clearSharedCodexAppServerClientIfCurrent(failedClient) is not called on logical thread/start failure when spawnedBy is set; the paired top-level regression asserts the cleanup still happens without spawnedBy.

What was not tested: live invalid-token helper spawned from a long-running parent Codex app-server session.

@openclaw-barnacle openclaw-barnacle Bot removed the triage: mock-only-proof Candidate: PR proof only shows tests, mocks, snapshots, lint, typecheck, or CI. label May 27, 2026
@yetval

yetval commented May 27, 2026

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

proof: override applied by @steipete at 5a810fddfc; Real behavior proof check now passes. Maintainer verification posted above with Crabbox Testbox run tbx_01ksnc0j9t2fcdh46ezv8crhk2 and focused vitest evidence.

Remaining 4 red checks (check-lint, checks-fast-contracts-plugins-a, check-additional-boundaries-bcd, check-additional-runtime-topology-architecture) are pre-existing on bare upstream/main@da1a3434f48 and unrelated to this diff (this PR only touches extensions/codex/src/app-server/{attempt-startup,run-attempt,run-attempt.test}.ts). Sample: check-lint annotation hits src/config/sessions/store-cache.ts:199, introduced upstream by 99b27cde64d perf(sessions): reduce store clone allocations.

@clawsweeper

clawsweeper Bot commented May 27, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@steipete steipete force-pushed the fix/72574-shared-client-cleanup-policy branch from 5a810fd to a65e7d8 Compare May 27, 2026 18:56
@steipete

steipete commented May 27, 2026

Copy link
Copy Markdown
Contributor

Updated maintainer verification for a65e7d8a965613d9308a95e53cfb1289f6ca5b01 after rebasing on latest origin/main and adding a Canvas CI-unblocker for the current base boundary failure:

Behavior addressed: spawned/helper Codex app-server startup failures from logical thread/start errors no longer retire the shared parent app-server client. Top-level logical startup failures still retire the shared client, and transport/process-close startup failures still clear/retry.

Additional CI unblocker: extensions/canvas/src/cli.ts no longer imports deprecated openclaw/plugin-sdk/infra-runtime; strict numeric parsing is local to the Canvas CLI and preserves the existing partial-number rejection behavior.

Exact steps or command run after this patch:

node scripts/run-vitest.mjs extensions/codex/src/app-server/run-attempt.test.ts
pnpm tsgo:extensions
node scripts/run-vitest.mjs extensions/canvas/src/cli.test.ts src/plugins/contracts/plugin-sdk-package-contract-guardrails.test.ts
pnpm check:changed
/Users/steipete/Projects/agent-scripts/skills/autoreview/scripts/autoreview --mode branch --base origin/main

Evidence after fix:

  • Codex focused Vitest: extensions/codex/src/app-server/run-attempt.test.ts passed, 67 tests.
  • Extension typecheck: pnpm tsgo:extensions passed.
  • Canvas + SDK contract targeted Vitest: 2 files passed, 31 tests.
  • Changed checks: Blacksmith Testbox tbx_01ksncds42n7me2rejmxwdtd9v, run harbor-crab, passed; covered extension prod/test typecheck, extension lint, guards, and import cycles.
  • Autoreview: clean, no accepted/actionable findings.

Real behavior proof note: proof: override remains intentional. The exact live invalid-token helper-from-parent path requires live Codex credentials; the cleanup policy is covered at the production runCodexAppServerAttempt / startCodexAttemptThread boundary, and the paired regressions prove spawned vs top-level cleanup behavior.

@steipete steipete force-pushed the fix/72574-shared-client-cleanup-policy branch from a65e7d8 to 3fccf48 Compare May 27, 2026 18:57
@steipete

steipete commented May 27, 2026

Copy link
Copy Markdown
Contributor

Updated maintainer verification for 3fccf486345067a0c416c82a6f302ff2e2b85662 after rebasing on latest origin/main@2f710f5604:

Behavior addressed: spawned/helper Codex app-server startup failures from logical thread/start errors no longer retire the shared parent app-server client. Top-level logical startup failures still retire the shared client, and transport/process-close startup failures still clear/retry.

Exact steps or command run after this patch:

node scripts/run-vitest.mjs extensions/codex/src/app-server/run-attempt.test.ts
pnpm tsgo:extensions
pnpm check:changed
/Users/steipete/Projects/agent-scripts/skills/autoreview/scripts/autoreview --mode branch --base origin/main

Evidence after fix:

  • Codex focused Vitest: extensions/codex/src/app-server/run-attempt.test.ts passed, 67 tests.
  • Extension typecheck: pnpm tsgo:extensions passed.
  • Changed checks: Blacksmith Testbox tbx_01ksnc0j9t2fcdh46ezv8crhk2 passed for the Codex-only diff; after the brief Canvas CI-unblocker was added and then superseded by main, Testbox tbx_01ksncds42n7me2rejmxwdtd9v also passed for the temporary combined diff.
  • Autoreview: clean, no accepted/actionable findings.

Real behavior proof note: proof: override remains intentional. The exact live invalid-token helper-from-parent path requires live Codex credentials; the cleanup policy is covered at the production runCodexAppServerAttempt / startCodexAttemptThread boundary, and the paired regressions prove spawned vs top-level cleanup behavior.

@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels May 27, 2026
@steipete

steipete commented May 27, 2026

Copy link
Copy Markdown
Contributor

Updated maintainer verification for a25e40a1d4d5ce2d0eb8423fac7e26df74988ea3 after fixing the autoreview finding and stale release workflow assertions.

Behavior addressed: spawned/helper Codex app-server runs preserve the shared client only for logical thread/start request failures, such as invalid bearer-token responses. Startup timeouts, aborts, top-level logical failures, and transport/process-close failures still retire or clear the shared client.

Real environment tested: local macOS checkout plus delegated Blacksmith Testbox.

Exact steps or command run after this patch:

node scripts/run-vitest.mjs extensions/codex/src/app-server/run-attempt.test.ts test/scripts/package-acceptance-workflow.test.ts test/scripts/plugin-prerelease-test-plan.test.ts
pnpm tsgo:extensions
pnpm check:changed
/Users/steipete/Projects/agent-scripts/skills/autoreview/scripts/autoreview --mode branch --base origin/main

Evidence after fix:

  • Focused Vitest passed: 3 files, 108 tests.
  • pnpm tsgo:extensions passed.
  • pnpm check:changed passed on delegated Blacksmith Testbox tbx_01ksne63z0bkkwv52n5hqame18 (violet-shrimp), including extension prod/test typecheck, extension lint, script lint, guards, and import cycles.
  • Autoreview clean: no accepted/actionable findings; overall patch correct.

Observed result after fix: the regression test now covers the intended preservation path and the timeout cleanup path: spawned logical thread/start errors do not clear the failed shared client, while spawned thread/start startup timeouts do clear it.

What was not tested: live invalid-token helper run against real Codex credentials; the proof: override label is intentional because this failure requires live auth state not available in this checkout.

@clawsweeper clawsweeper Bot added rating: 🦞 diamond lobster Very strong PR readiness with only minor maintainer review expected. and removed rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. labels May 27, 2026
@steipete steipete force-pushed the fix/72574-shared-client-cleanup-policy branch from a25e40a to c533218 Compare May 27, 2026 19:34
@steipete

steipete commented May 27, 2026

Copy link
Copy Markdown
Contributor

Updated maintainer verification for final rebased head c533218460036348b6fa349340c3951d03ffc89b on origin/main@90f30075aa.

Behavior addressed: spawned/helper Codex app-server runs preserve the shared client only for actual app-server RPC failures from thread/start, such as invalid bearer-token responses. Startup timeouts, aborts, top-level logical failures, low-level write failures, and transport/process-close failures still retire or clear the shared client.

Real environment tested: local macOS checkout plus delegated Blacksmith Testbox.

Exact steps or command run after this patch:

node scripts/run-vitest.mjs extensions/codex/src/app-server/run-attempt.test.ts
pnpm tsgo:extensions
pnpm check:changed
/Users/steipete/Projects/agent-scripts/skills/autoreview/scripts/autoreview --mode branch --base origin/main

Evidence after fix:

  • Focused Codex Vitest passed: 69 tests.
  • pnpm tsgo:extensions passed.
  • pnpm check:changed passed on delegated Blacksmith Testbox tbx_01ksneq14jk207h53ghfmfvp0d (harbor-crab), including extension prod/test typecheck, extension lint, guards, and import cycles.
  • Autoreview clean: no accepted/actionable findings; overall patch correct.

Observed result after fix: regression coverage now distinguishes three spawned-helper paths: RPC thread/start errors preserve the shared client, startup timeouts clear it, and low-level thread/start write failures clear it.

What was not tested: live invalid-token helper run against real Codex credentials; the proof: override label is intentional because this failure requires live auth state not available in this checkout.

@steipete

steipete commented May 27, 2026

Copy link
Copy Markdown
Contributor

Behavior addressed: spawned Codex helper thread/start RPC auth failures no longer retire the parent shared app-server client; top-level logical failures, spawned startup timeouts, and low-level transport/write failures still clear the shared client.
Real environment tested: local source checkout plus delegated Blacksmith Testbox; live invalid-token helper-from-parent path not run because it needs real Codex credentials, covered by proof override.
Exact steps or command run after this patch: node scripts/run-vitest.mjs extensions/codex/src/app-server/run-attempt.test.ts; pnpm tsgo:extensions; pnpm check:changed via Testbox tbx_01ksneq14jk207h53ghfmfvp0d; autoreview final clean; CI run 26534075812 rerun.
Evidence after fix: focused Codex app-server tests passed 69 tests; extension tsgo passed; Testbox check:changed passed on tbx_01ksneq14jk207h53ghfmfvp0d; autoreview clean with no accepted/actionable findings; CI run 26534075812 is green after rerunning unrelated timeout flakes in checks-node-auto-reply-reply-dispatch and checks-node-agentic-commands-models.
Observed result after fix: PR head c533218 is mergeable clean with no failing or pending status checks.
What was not tested: real Codex credential invalid-token helper startup on a live user profile.

@steipete steipete merged commit 74f9d6b into openclaw:main May 27, 2026
153 of 155 checks passed
steipete added a commit that referenced this pull request May 27, 2026
@yetval @steipete
fix(codex): preserve shared app-server when spawned helper run fails …
00dabd6 
…logically (#72574) (#87375)

* fix(codex): preserve shared app-server when spawned helper run fails logically

* fix(codex): widen spawnedBy param to match EmbeddedRunAttemptParams

* fix(codex): align spawnedBy startup typing

* fix(codex): retire shared client on spawned startup timeout

* fix(codex): narrow spawned thread-start preservation

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
(cherry picked from commit 74f9d6b)
@clawsweeper clawsweeper Bot mentioned this pull request May 27, 2026
Merged
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request May 28, 2026
@yetval @steipete
fix(codex): preserve shared app-server when spawned helper run fails …
60c8735 
…logically (openclaw#72574) (openclaw#87375)

* fix(codex): preserve shared app-server when spawned helper run fails logically

* fix(codex): widen spawnedBy param to match EmbeddedRunAttemptParams

* fix(codex): align spawnedBy startup typing

* fix(codex): retire shared client on spawned startup timeout

* fix(codex): narrow spawned thread-start preservation

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
@smilesong88 smilesong88 mentioned this pull request May 30, 2026
Closed
eleboucher pushed a commit to eleboucher/homelab that referenced this pull request May 31, 2026
@eleboucher
fix(container): update image ghcr.io/openclaw/openclaw (2026.5.27 ➔ 2…
c186311 
…026.5.28) (#759)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [ghcr.io/openclaw/openclaw](https://openclaw.ai) ([source](https://github.com/openclaw/openclaw)) | patch | `2026.5.27` → `2026.5.28` |

---

### Release Notes

<details>
<summary>openclaw/openclaw (ghcr.io/openclaw/openclaw)</summary>

### [`v2026.5.28`](https://github.com/openclaw/openclaw/blob/HEAD/CHANGELOG.md#2026528)

[Compare Source](openclaw/openclaw@v2026.5.27...v2026.5.28)

##### Highlights

- Agent and Codex runtime recovery is steadier: subagents keep cwd/workspace separation, hook context stays prompt-local, session locks release on timeout abort while live OpenClaw locks survive cleanup, stale restart continuations are avoided, and Codex app-server/helper failures no longer tear down shared runtime state. ([#&#8203;87218](openclaw/openclaw#87218), [#&#8203;86875](openclaw/openclaw#86875), [#&#8203;87409](openclaw/openclaw#87409), [#&#8203;87399](openclaw/openclaw#87399), [#&#8203;87375](openclaw/openclaw#87375), [#&#8203;88129](openclaw/openclaw#88129))
- Channel delivery and session identity got safer across outbound plugin hooks, Matrix room ids, iMessage reactions/approvals, Slack final replies, Discord recovered tool warnings, runtime-config message actions, WhatsApp profile auth roots, Telegram polling, and Microsoft Teams service URL trust checks. ([#&#8203;73706](openclaw/openclaw#73706), [#&#8203;75670](openclaw/openclaw#75670), [#&#8203;87366](openclaw/openclaw#87366), [#&#8203;87451](openclaw/openclaw#87451), [#&#8203;87334](openclaw/openclaw#87334), [#&#8203;84535](openclaw/openclaw#84535), [#&#8203;82492](openclaw/openclaw#82492), [#&#8203;83304](openclaw/openclaw#83304), [#&#8203;87160](openclaw/openclaw#87160))
- Mobile and chat surfaces got a broader refresh: the iOS Pro UI, hosted push relay default, realtime Talk tab playback, Gateway chat transport, onboarding, Talk permissions, WebChat reconnect delivery, and session picker behavior now preserve more state across reconnects and empty searches. ([#&#8203;87367](openclaw/openclaw#87367), [#&#8203;87531](openclaw/openclaw#87531), [#&#8203;87682](openclaw/openclaw#87682), [#&#8203;88096](openclaw/openclaw#88096), [#&#8203;88105](openclaw/openclaw#88105)) Thanks [@&#8203;ngutman](https://github.com/ngutman) and [@&#8203;BunsDev](https://github.com/BunsDev).
- Browser, channel, and automation inputs are stricter: Browser tool timeouts, viewport/tab indices, Gateway ports, cron retry handling, Discord component ids, schema array refs, Telegram callback pages, and channel progress callbacks now reject malformed values earlier and preserve the intended delivery context. ([#&#8203;82887](openclaw/openclaw#82887))
- Provider, media, and document coverage expands with Claude Opus 4.8, Fal Krea image schemas, NVIDIA featured models, MiniMax streaming music responses, encrypted PDF extraction, voice model catalogs, GitHub Copilot agent runtime support, and a Codex Supervisor plugin path for delegated Codex workflows. ([#&#8203;87845](openclaw/openclaw#87845), [#&#8203;87890](openclaw/openclaw#87890), [#&#8203;80775](openclaw/openclaw#80775), [#&#8203;84764](openclaw/openclaw#84764), [#&#8203;87751](openclaw/openclaw#87751), [#&#8203;87794](openclaw/openclaw#87794))
- CLI, auth, doctor, and provider paths fail faster and recover more clearly: malformed numeric/version options are rejected, workspace dotenv provider credentials are ignored, heartbeat defaults, OAuth/token lifetimes, and local service startup requests are bounded, agent auth health labels are clearer, legacy `api_key` auth profiles migrate to canonical form, and restart guidance is actionable. ([#&#8203;87398](openclaw/openclaw#87398), [#&#8203;86281](openclaw/openclaw#86281), [#&#8203;87361](openclaw/openclaw#87361), [#&#8203;88133](openclaw/openclaw#88133), [#&#8203;83655](openclaw/openclaw#83655), [#&#8203;87559](openclaw/openclaw#87559), [#&#8203;88088](openclaw/openclaw#88088), [#&#8203;85924](openclaw/openclaw#85924)) Thanks [@&#8203;vincentkoc](https://github.com/vincentkoc) and [@&#8203;giodl73-repo](https://github.com/giodl73-repo).
- Plugin and Gateway hot paths do less repeated work while preserving cache correctness for install records, config JSON parsing, tool search catalogs, session stores, manifest model rows, auto-enabled plugin config, browser tokens, viewer assets, and release-split external plugin packages. ([#&#8203;86699](openclaw/openclaw#86699))
- Release, QA, and E2E validation now bound more log, artifact, harness, and cross-OS waits so failing lanes produce proof instead of hanging or false-greening.

##### Changes

- Status: show active subagent details in status output.
- Diffs: split the default language pack and expand default Diffs language coverage while keeping the host floor aligned. ([#&#8203;87370](openclaw/openclaw#87370), [#&#8203;87372](openclaw/openclaw#87372)) Thanks [@&#8203;RomneyDa](https://github.com/RomneyDa).
- ClawHub: add plugin display names plus skill verification and trust surfaces. ([#&#8203;87354](openclaw/openclaw#87354), [#&#8203;86699](openclaw/openclaw#86699)) Thanks [@&#8203;thewilloftheshadow](https://github.com/thewilloftheshadow) and [@&#8203;Patrick-Erichsen](https://github.com/Patrick-Erichsen).
- iOS: refresh the dev app with Pro Command, Chat, Agents, Settings, hosted push relay defaults, and realtime Talk playback wired to gateway sessions, diagnostics, chat, and realtime Talk. ([#&#8203;87367](openclaw/openclaw#87367), [#&#8203;88096](openclaw/openclaw#88096), [#&#8203;88105](openclaw/openclaw#88105)) Thanks [@&#8203;Solvely-Colin](https://github.com/Solvely-Colin) and [@&#8203;ngutman](https://github.com/ngutman).
- Docs: clarify Codex computer-use setup, paste-token stdin auth setup, macOS gateway sleep troubleshooting, native Codex hook relay recovery, container model auth, install deployment cards, device-token admin gating, CLI setup flow compatibility, Notte cloud browser CDP setup, and backport targets. ([#&#8203;87313](openclaw/openclaw#87313), [#&#8203;63050](openclaw/openclaw#63050), [#&#8203;87685](openclaw/openclaw#87685)) Thanks [@&#8203;bdjben](https://github.com/bdjben), [@&#8203;liaoandi](https://github.com/liaoandi), and [@&#8203;thewilloftheshadow](https://github.com/thewilloftheshadow).
- PDF/tools: use ClawPDF for PDF extraction, support encrypted PDF extraction, and surface MCP structured content in agent tool results. ([#&#8203;87670](openclaw/openclaw#87670), [#&#8203;87751](openclaw/openclaw#87751))
- Providers: add Claude Opus 4.8 support, Fal Krea image model schemas, NVIDIA featured model catalogs, MiniMax streaming music responses, and provider-backed voice model catalogs. ([#&#8203;87845](openclaw/openclaw#87845), [#&#8203;87890](openclaw/openclaw#87890), [#&#8203;80775](openclaw/openclaw#80775), [#&#8203;84764](openclaw/openclaw#84764), [#&#8203;87794](openclaw/openclaw#87794)) Thanks [@&#8203;eleqtrizit](https://github.com/eleqtrizit) and [@&#8203;vincentkoc](https://github.com/vincentkoc).
- Codex/GitHub: add the GitHub Copilot agent runtime and the Codex Supervisor plugin package.
- Plugins: externalize GitHub Copilot and Tokenjuice as official install-on-demand plugins with npm and ClawHub publish metadata.
- Workboard: add agent coordination tools for tracking and handing off active agent work.
- Discord: show commentary in progress drafts so live Discord runs expose useful in-progress context. ([#&#8203;85200](openclaw/openclaw#85200))
- Plugin SDK: add a reply payload sending hook for plugins that need to deliver channel-owned replies and flatten package types for SDK declarations. ([#&#8203;82823](openclaw/openclaw#82823), [#&#8203;87165](openclaw/openclaw#87165)) Thanks [@&#8203;piersonr](https://github.com/piersonr) and [@&#8203;RomneyDa](https://github.com/RomneyDa).
- Policy: add policy comparison, ingress-channel conformance, and sandbox-posture conformance checks. ([#&#8203;85572](openclaw/openclaw#85572), [#&#8203;85744](openclaw/openclaw#85744), [#&#8203;86768](openclaw/openclaw#86768))

##### Fixes

- Agents: fall back to local config pruning when the optional `agents delete` Gateway probe cannot authenticate, so offline installs can still delete agents without removing shared workspaces.
- Tighten phone-control mutation authorization \[AI]. ([#&#8203;87150](openclaw/openclaw#87150)) Thanks [@&#8203;pgondhi987](https://github.com/pgondhi987).
- Clarify directive persistence authorization policy \[AI]. ([#&#8203;86369](openclaw/openclaw#86369)) Thanks [@&#8203;pgondhi987](https://github.com/pgondhi987).
- Agents/Codex: keep spawned agent cwd/workspace state separated, forward ACP spawn attachments, keep hook context prompt-local, release session locks on timeout abort and runtime teardown without deleting live OpenClaw-owned locks during cleanup, avoid session event queue self-wait, clean up exec abort listeners, stream assistant deltas incrementally, recover raw missing-thread compaction failures, preserve rotated compaction session identity, keep compaction-timeout snapshots continuable, preserve shared app-server state across startup or helper failures, keep native hook relay alive across restarts and prune stale bridge files, close native hook relay replacement races, keep Claude live tool progress visible for watchdog recovery, suppress abandoned requester completion handoff, route workspace memory through tools, resolve Codex runtime models first, report quarantined dynamic tools, format `skills` command output, bind node auto-review to prepared plans, retry Claude CLI transcript probes, and bound compaction/steering retries. ([#&#8203;87218](openclaw/openclaw#87218), [#&#8203;86875](openclaw/openclaw#86875), [#&#8203;86123](openclaw/openclaw#86123), [#&#8203;88129](openclaw/openclaw#88129), [#&#8203;87399](openclaw/openclaw#87399), [#&#8203;87375](openclaw/openclaw#87375), [#&#8203;72574](openclaw/openclaw#72574), [#&#8203;87383](openclaw/openclaw#87383), [#&#8203;87400](openclaw/openclaw#87400), [#&#8203;83022](openclaw/openclaw#83022), [#&#8203;87671](openclaw/openclaw#87671), [#&#8203;87738](openclaw/openclaw#87738), [#&#8203;87747](openclaw/openclaw#87747), [#&#8203;87706](openclaw/openclaw#87706), [#&#8203;87546](openclaw/openclaw#87546), [#&#8203;87541](openclaw/openclaw#87541), [#&#8203;81048](openclaw/openclaw#81048)) Thanks [@&#8203;mbelinky](https://github.com/mbelinky), [@&#8203;Alix-007](https://github.com/Alix-007), [@&#8203;luoyanglang](https://github.com/luoyanglang), [@&#8203;yetval](https://github.com/yetval), [@&#8203;sjf](https://github.com/sjf), [@&#8203;joshavant](https://github.com/joshavant), [@&#8203;benjamin1492](https://github.com/benjamin1492), [@&#8203;c19354837](https://github.com/c19354837), [@&#8203;fuller-stack-dev](https://github.com/fuller-stack-dev), [@&#8203;pfrederiksen](https://github.com/pfrederiksen), and [@&#8203;dodge1218](https://github.com/dodge1218).
- Codex Supervisor: keep real-home app-server MCP session listing on the loaded state path, bound stored history scans, and close WebSocket probes cleanly.
- Channels: thread canonical session keys into outbound hooks, preserve Matrix room-id case, keep fallback tool warnings mention-inert, retain delivered Slack final replies during late cleanup, continue iMessage polling after denied reactions, suppress duplicate native exec approvals, resolve Gateway message actions against the active runtime config, preserve Telegram SecretRef prompt config and polling keepalives, preserve WhatsApp profile auth roots, QR display, document filenames, and plugin hook config, suppress Discord recovered tool warnings, preserve the Discord voice outbound helper, cap Discord/Signal/Zalo channel request and container timeouts, and block untrusted Teams service URLs while keeping TeamsSDK patterns aligned. ([#&#8203;73706](openclaw/openclaw#73706), [#&#8203;75670](openclaw/openclaw#75670), [#&#8203;87366](openclaw/openclaw#87366), [#&#8203;87451](openclaw/openclaw#87451), [#&#8203;87465](openclaw/openclaw#87465), [#&#8203;87334](openclaw/openclaw#87334), [#&#8203;84535](openclaw/openclaw#84535), [#&#8203;76262](openclaw/openclaw#76262), [#&#8203;83304](openclaw/openclaw#83304), [#&#8203;82492](openclaw/openclaw#82492), [#&#8203;87581](openclaw/openclaw#87581), [#&#8203;77114](openclaw/openclaw#77114), [#&#8203;86426](openclaw/openclaw#86426), [#&#8203;85529](openclaw/openclaw#85529), [#&#8203;87160](openclaw/openclaw#87160)) Thanks [@&#8203;zeroaltitude](https://github.com/zeroaltitude), [@&#8203;lukeboyett](https://github.com/lukeboyett), [@&#8203;jarvis-mns1](https://github.com/jarvis-mns1), [@&#8203;xiaotian](https://github.com/xiaotian), [@&#8203;funmerlin](https://github.com/funmerlin), [@&#8203;joshavant](https://github.com/joshavant), [@&#8203;eleqtrizit](https://github.com/eleqtrizit), [@&#8203;heyitsaamir](https://github.com/heyitsaamir), [@&#8203;amittell](https://github.com/amittell), [@&#8203;lidge-jun](https://github.com/lidge-jun), [@&#8203;liorb-mountapps](https://github.com/liorb-mountapps), [@&#8203;masatohoshino](https://github.com/masatohoshino), [@&#8203;bladin](https://github.com/bladin), and [@&#8203;giodl73-repo](https://github.com/giodl73-repo).
- CLI/auth/doctor/providers: reject malformed numeric/timeout/subcommand-version inputs, ignore workspace dotenv provider credentials, wait for respawn child shutdown, bound heartbeat defaults plus Codex, GitHub Copilot, OpenAI, Anthropic, Google, Feishu, LM Studio, MiniMax, Xiaomi TTS, and local-provider OAuth/token/model requests, harden Codex auth probes, label auth health by agent, preserve explicit agentRuntime pins during Codex model migration, warm provider auth off the main thread, honor Codex response timeouts, stop migrating current Claude Haiku 4.5 profiles to Sonnet, bound local service startup, resolve GPT-5.5 without cached catalog, migrate legacy memory auto-provider config, rewrite non-canonical `api_key` auth profiles, and make doctor restart follow-ups actionable. ([#&#8203;87398](openclaw/openclaw#87398), [#&#8203;86281](openclaw/openclaw#86281), [#&#8203;87361](openclaw/openclaw#87361), [#&#8203;88133](openclaw/openclaw#88133), [#&#8203;83655](openclaw/openclaw#83655), [#&#8203;87559](openclaw/openclaw#87559), [#&#8203;87719](openclaw/openclaw#87719), [#&#8203;88088](openclaw/openclaw#88088), [#&#8203;85924](openclaw/openclaw#85924), [#&#8203;84362](openclaw/openclaw#84362)) Thanks [@&#8203;Patrick-Erichsen](https://github.com/Patrick-Erichsen), [@&#8203;samzong](https://github.com/samzong), [@&#8203;giodl73-repo](https://github.com/giodl73-repo), [@&#8203;alkor2000](https://github.com/alkor2000), [@&#8203;mmaps](https://github.com/mmaps), [@&#8203;nxmxbbd](https://github.com/nxmxbbd), and [@&#8203;vincentkoc](https://github.com/vincentkoc).
- Gateway/security/session state: expire browser tokens after auth rotation, scope assistant idempotency dedupe, drain probe client closes, avoid stale restart continuation reuse, preserve retry-after fallbacks and stale rate-limit cooldown probes, bound webchat image and artifact transcript scans, include seconds in inbound metadata timestamps, clear completed session active runs, clear stale chat stream buffers, and evict current plugin-state namespaces at row caps. ([#&#8203;87810](openclaw/openclaw#87810), [#&#8203;87833](openclaw/openclaw#87833), [#&#8203;75089](openclaw/openclaw#75089)) Thanks [@&#8203;joshavant](https://github.com/joshavant) and [@&#8203;litang9](https://github.com/litang9).
- Config/parsing/network: reject partial numeric parsing, parse provider/Discord retry headers and dates strictly, honor IPv6 and bare IPv6 `no_proxy` entries, preserve empty plugin allowlists, canonicalize secret target array indexes, and reject malformed media content lengths, inspected TCP ports, marketplace content lengths, cron epochs, sandbox stat fields, unsafe duration values, empty config path segments, noncanonical schema array refs, unsafe Telegram callback pages, and invalid Teams attachment-fetch DNS targets. ([#&#8203;87883](openclaw/openclaw#87883)) Thanks [@&#8203;zhangguiping-xydt](https://github.com/zhangguiping-xydt).
- Browser/input hardening: reject invalid tab indexes, excessive viewport resizes, explicit zero CDP ports, malformed geolocation options, unsafe screenshot or permission-grant timeouts, loose response-body limits, invalid cookie expiries, and non-finite Browser tool delays/timeouts.
- Cron/automation: retry recurring jobs after transient model rate limits before waiting for the next scheduled slot, and preflight model fallbacks before skipping scheduled work. ([#&#8203;82887](openclaw/openclaw#82887)) Thanks [@&#8203;chen-zhang-cs-code](https://github.com/chen-zhang-cs-code).
- Auto-reply/directives: respect provider and relayed channel metadata during directive persistence so channel-originated decisions keep their intended context. ([#&#8203;87683](openclaw/openclaw#87683))
- WhatsApp: resolve the auth directory from the active profile so profile-scoped WhatsApp installs do not drift to the wrong credential root. ([#&#8203;82492](openclaw/openclaw#82492)) Thanks [@&#8203;lidge-jun](https://github.com/lidge-jun).
- Gateway/session state: clear completed session active runs, avoid cold-loading providers for MCP inventory, cache single-session child indexes, cap handshake timers, and bound preauth, auth-guard, media, transcript, readiness, and port options.
- Channels/replies: preserve channel-owned progress callbacks when verbose output is off, keep group-room progress suppression intact, prefer external session delivery context, escape Discord component id delimiters, force final TUI chat repaints, show Slack reasoning previews, and normalize Discord/Matrix/Mattermost channel numeric options. ([#&#8203;87476](openclaw/openclaw#87476), [#&#8203;87423](openclaw/openclaw#87423))
- Agents/tool args: harden smart-quoted argument repair for edit arrays and exact escaped arguments so model-produced tool calls recover without corrupting valid input. ([#&#8203;86611](openclaw/openclaw#86611)) Thanks [@&#8203;ferminquant](https://github.com/ferminquant).
- Providers/agents: preserve seeded Anthropic signatures, preserve signed thinking payloads, concatenate signature-delta chunks, preserve DeepSeek `reasoning_content` replay across tier suffixes, apply OpenRouter strict9 ids to Mistral routes, promote Ollama plain-text tool calls, load NVIDIA featured model catalogs, stream MiniMax music generation responses, and recover empty preflight compaction. ([#&#8203;87593](openclaw/openclaw#87593), [#&#8203;87493](openclaw/openclaw#87493), [#&#8203;80775](openclaw/openclaw#80775), [#&#8203;84764](openclaw/openclaw#84764)) Thanks [@&#8203;Pluviobyte](https://github.com/Pluviobyte) and [@&#8203;eleqtrizit](https://github.com/eleqtrizit).
- Media/images: skip CLI image cache refs when resolving generated images, allow trusted generated HTML attachments, and bound generated video downloads so stale refs and slow providers fail cleanly. ([#&#8203;87523](openclaw/openclaw#87523), [#&#8203;87982](openclaw/openclaw#87982))
- File transfer: handle late tar stdin pipe errors after archive validation or unpacking has already settled.
- Performance: trust install-record caches between reloads, prefer native JSON parsing, reuse unchanged tool-search catalogs, reuse gateway session and plugin metadata paths, skip unchanged store serialization, patch single-entry session writes, add precomputed session patch writers, reduce store clone allocations, cache manifest model catalog rows and auto-enabled plugin config, avoid full session snapshots for entry reads, defer configured Slack full startup, prefer bundled plugin dist entries, and slim current metadata identity caches. ([#&#8203;87760](openclaw/openclaw#87760))
- Docker/release/QA: package runtime workspace templates, stream cross-OS served artifacts, preserve sparse Crabbox run artifacts, isolate npm plugin installs per package, reject incompatible package plugin API installs, drop the leftover root Sharp dependency from package manifests after the Rastermill migration, bound OpenClaw instance logs, plugin gauntlet relay logs, MCP channel buffers, kitchen-sink scans, agent-turn assertions, QA-Lab credential broker calls, QA Matrix substrate requests, and release scenario logs, and keep release/google live guards current. ([#&#8203;87647](openclaw/openclaw#87647), [#&#8203;87477](openclaw/openclaw#87477)) Thanks [@&#8203;rohitjavvadi](https://github.com/rohitjavvadi) and [@&#8203;vincentkoc](https://github.com/vincentkoc).
- Release/CI: bound manual git fetches, ClawHub verifier responses, ClawHub owner metadata, dependency-guard error bodies, Parallels limits, startup/test/memory budget parsing, and diffs viewer build warnings so release lanes fail with useful proof instead of hanging. ([#&#8203;87839](openclaw/openclaw#87839))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDEuMSIsInVwZGF0ZWRJblZlciI6IjQzLjEwMS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJyZW5vdmF0ZS9jb250YWluZXIiLCJ0eXBlL3BhdGNoIl19-->

Reviewed-on: https://git.erwanleboucher.dev/eleboucher/homelab/pulls/759
SYU8384 pushed a commit to SYU8384/openclaw that referenced this pull request Jun 3, 2026
@yetval @steipete
fix(codex): preserve shared app-server when spawned helper run fails …
83a89e3 
…logically (openclaw#72574) (openclaw#87375)

* fix(codex): preserve shared app-server when spawned helper run fails logically

* fix(codex): widen spawnedBy param to match EmbeddedRunAttemptParams

* fix(codex): align spawnedBy startup typing

* fix(codex): retire shared client on spawned startup timeout

* fix(codex): narrow spawned thread-start preservation

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
sablehead pushed a commit to sablehead/openclaw that referenced this pull request Jun 10, 2026
@yetval @steipete
fix(codex): preserve shared app-server when spawned helper run fails …
c383f8f 
…logically (openclaw#72574) (openclaw#87375)

* fix(codex): preserve shared app-server when spawned helper run fails logically

* fix(codex): widen spawnedBy param to match EmbeddedRunAttemptParams

* fix(codex): align spawnedBy startup typing

* fix(codex): retire shared client on spawned startup timeout

* fix(codex): narrow spawned thread-start preservation

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@steipete steipete

Labels

extensions: codex merge-risk: 🚨 auth-provider 🚨 May break OAuth, tokens, provider routing, model choice, or credentials. merge-risk: 🚨 session-state 🚨 May lose, corrupt, stale, or mis-associate session, agent, or context state. P1 High-priority user-facing bug, regression, or broken workflow. proof: override Maintainer override for the external PR real behavior proof gate. rating: 🦞 diamond lobster Very strong PR readiness with only minor maintainer review expected. size: S status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

btw spawn with invalid bearer token triggers gateway/session disconnect

2 participants

@yetval @steipete