fix(codex): preserve shared app-server after startup app errors

[steipete]

Summary:

• Keep the single shared Codex app-server alive when thread/start fails with a logical app-level error, including helper/spawned startup failures.
• Still clear the shared client for abandoned startup work: aborts, startup timeouts, and per-RPC startup request timeouts.
• Add app-server startup regression coverage and isolate the installed-plugin ledger cache fixture that was red in the CI runtime-config shard.

Behavior addressed: Codex helper startup auth/app errors no longer tear down the parent shared app-server; OpenClaw continues using one Codex app-server process for multiple threads.
Real environment tested: Testbox through Crabbox, provider=blacksmith-testbox, id=tbx_01ksnjqr56nf18sb4wwrf686nc.
Exact steps or command run after this patch: corepack pnpm install --frozen-lockfile && node scripts/run-vitest.mjs run extensions/codex/src/app-server/attempt-startup.test.ts extensions/codex/src/app-server/run-attempt-thread-cleanup.test.ts extensions/codex/src/app-server/shared-client.test.ts && OPENCLAW_TEST_PROJECTS_PARALLEL=2 OPENCLAW_VITEST_MAX_WORKERS=2 corepack pnpm exec node scripts/test-projects.mjs test/vitest/vitest.logging.config.ts test/vitest/vitest.process.config.ts test/vitest/vitest.runtime-config.config.ts
Evidence after fix: Codex app-server focused tests passed: 3 files, 26 tests. CI-parity infra shard passed: 145 files, 1536 tests. git diff --check passed locally.
Observed result after fix: Logical thread/start failures reject the helper startup without clearing the shared Codex app-server; timeout/abort/per-RPC timeout paths still clear abandoned startup clients.
What was not tested: A live Codex auth failure against a real operator account; coverage uses fake JSON-RPC app-server transport plus Testbox CI runtime.

Fixes #72574

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9b6c2c434a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Distinguish RPC app errors before clearing shared server

When thread/start or plugin startup returns a JSON-RPC application error whose message happens to end with timed out, CodexAppServerClient wraps it as CodexAppServerRpcError (extensions/codex/src/app-server/client.ts:398-405), but this message-only check treats it like a local abandoned-request timeout and closes the shared app-server. That reintroduces the parent-session disruption this change is trying to avoid for app-level startup failures; restrict this branch to the local timeout errors rather than all app errors with timeout-shaped text.

Useful? React with 👍 / 👎.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed May 27, 2026, 4:40 PM ET / 20:40 UTC.

Summary
The branch changes Codex app-server startup cleanup so shared clients survive startup app errors, adds focused cleanup tests, updates Number.NaN lint nits, and isolates a plugin validation test cache.

PR surface: Source +10, Tests +206. Total +216 across 6 files.

Reproducibility: yes. for the PR-introduced bug: source inspection shows CodexAppServerClient wraps server JSON-RPC error messages, and the PR classifier keys off error.message.endsWith(" timed out"). I did not run live invalid-token proof.

Review metrics: none identified.

Merge readiness
Overall: 🦪 silver shellfish
Proof: 🦪 silver shellfish
Patch quality: 🦐 gold shrimp
Result: blocked until real behavior proof from a real setup is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Fix the timeout-shaped JSON-RPC app-error classifier and add a regression for that exact case.
• Add redacted real Codex app-server invalid-token or logical startup-error proof.
• Rebase or resolve the dirty branch state before final merge review.

Proof guidance:
Needs real behavior proof before merge: The PR body lists mocked Testbox/lint/type proof and says the live invalid-token path was not tested; add redacted terminal output, logs, screenshot/video, or linked artifact from a real logical startup-error run and update the PR body to trigger re-review, or ask a maintainer to comment @clawsweeper re-review if it does not run.

Risk before merge

• Merging as-is can still close the shared Codex app-server when a JSON-RPC application error has timeout-shaped text, disrupting shared session/server state.
• The PR body provides mocked Testbox proof only; it does not show a real invalid-token or logical startup-error run against a real Codex app-server.
• GitHub currently reports the branch as dirty, so the exact merge result needs rebase or conflict resolution before landing.

Maintainer options:

1. Fix the timeout classifier before merge (recommended)
   Use a local timeout marker, error class, or source-aware guard so JSON-RPC app errors are never classified by message suffix, then add a regression for an app error ending in timed out.
2. Pause if current main is enough
   Since the linked helper invalid-token disruption is already fixed on current main, maintainers can pause or close this broader follow-up until real proof shows the extra behavior is needed.

Next step before merge
Human follow-up is needed because the branch is dirty, proof is mock-only, and automation cannot supply the contributor's real-environment proof.

Security
Cleared: The diff is limited to Codex startup cleanup logic, tests, and lint/test isolation; no concrete security or supply-chain regression was found.

Review findings

• [P2] Do not classify RPC error text as local timeout — extensions/codex/src/app-server/attempt-startup.ts:389

Review details

Best possible solution:

Land a rebased branch only after local timeout/cancel cleanup is distinguished by error source rather than message suffix and redacted real invalid-token or logical startup-error proof is added; otherwise pause this broader follow-up if #87375 is sufficient.

Do we have a high-confidence way to reproduce the issue?

Yes for the PR-introduced bug: source inspection shows CodexAppServerClient wraps server JSON-RPC error messages, and the PR classifier keys off error.message.endsWith(" timed out"). I did not run live invalid-token proof.

Is this the best way to solve the issue?

No, not yet. The intended cleanup split is plausible, but local timeout and cancel cleanup should be classified by source rather than by application-error message text.

Full review comments:

• [P2] Do not classify RPC error text as local timeout — extensions/codex/src/app-server/attempt-startup.ts:389
shouldClearSharedClientAfterStartupRace clears the shared client whenever an Error.message ends with timed out. Because CodexAppServerClient wraps JSON-RPC app errors using the server-provided message, a logical thread/start error such as model request timed out would still kill the shared app-server this PR is trying to preserve; use a source-aware timeout marker/class or explicitly exclude RPC app errors, and cover that case.
  Confidence: 0.9

Overall correctness: patch is incorrect
Overall confidence: 0.9

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 1eb27da55d85.

Label changes

Label justifications:

• P1: The PR targets a real Codex helper startup/session disruption, and the remaining classifier bug can still affect shared app-server availability.
• merge-risk: 🚨 session-state: The changed cleanup policy can wrongly clear shared Codex thread/server state during logical startup failures.
• merge-risk: 🚨 availability: The diff changes when the shared Codex app-server process is closed, so a bad classifier can make active sessions lose their running server.
• rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🦐 gold shrimp.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR body lists mocked Testbox/lint/type proof and says the live invalid-token path was not tested; add redacted terminal output, logs, screenshot/video, or linked artifact from a real logical startup-error run and update the PR body to trigger re-review, or ask a maintainer to comment @clawsweeper re-review if it does not run.

Evidence reviewed

PR surface:

Source +10, Tests +206. Total +216 across 6 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	4	24	14	+10
Tests	2	206	0	+206
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	6	230	14	+216

What I checked:

• Checkout state: The target checkout was clean before review. (1eb27da55d85)
• Repository policy: The full root policy and scoped bundled-plugin policy were read; the review applied their guidance that plugin startup, session state, and availability changes are merge-sensitive. (AGENTS.md:15, 1eb27da55d85)
• PR classifier defect: The PR head clears the shared client for any Error whose message ends with timed out, which is not a source-aware distinction between local timeout and JSON-RPC app errors. (extensions/codex/src/app-server/attempt-startup.ts:389, 4ba2e81adda1)
• RPC app error contract: Current source wraps JSON-RPC response errors as CodexAppServerRpcError using the server-provided message, so an application error can legitimately carry timeout-shaped text. (extensions/codex/src/app-server/client.ts:405, 1eb27da55d85)
• Thread-start app-error wrapper: Current source wraps thread/start RPC errors in CodexThreadStartRequestError, preserving the formatted underlying app-error message for the outer startup catch. (extensions/codex/src/app-server/thread-lifecycle.ts:571, 1eb27da55d85)
• Related current-main fix: Blame and history show the linked helper invalid-token disruption was already narrowed on current main by the merged fix(codex): preserve shared app-server when spawned helper run fails logically (#72574) #87375, while this PR is a broader follow-up. (extensions/codex/src/app-server/attempt-startup.ts:378, 74f9d6b96d48)

Likely related people:

• yetval: Auth-failure/shared-client preservation on current main was introduced through the merged related PR touching the same startup cleanup and thread-start error wrapper paths. (role: recent area contributor; confidence: high; commits: 74f9d6b96d48; files: extensions/codex/src/app-server/attempt-startup.ts, extensions/codex/src/app-server/thread-lifecycle.ts, extensions/codex/src/app-server/run-attempt.test.ts)
• steipete: The merged current-main fix records Peter Steinberger as merger and co-author, and this PR is a follow-up on the same shared Codex app-server behavior. (role: recent merger and follow-up owner; confidence: medium; commits: 74f9d6b96d48, 4ba2e81adda1; files: extensions/codex/src/app-server/attempt-startup.ts, extensions/codex/src/app-server/attempt-startup.test.ts)
• Andi Liao: Blame on the current Codex app-server client and startup scaffolding points to the grafted app-server implementation commit, making this useful historical routing context. (role: original app-server area contributor; confidence: medium; commits: 085228c96177; files: extensions/codex/src/app-server/client.ts, extensions/codex/src/app-server/attempt-startup.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?

• The egg game starts only after the PR passes the real-behavior proof check.
• Before that, no creature or rarity is rolled. The treat waits for real proof.
• This is still just collectible flavor: proof affects review readiness, not creature quality.