fix(codex): avoid guardian review for local models

[vincentkoc]

Summary

• Downgrade Codex app-server Guardian/model-backed approval reviewers to user/OpenClaw approvals unless the effective reviewer context is clearly OpenAI.
• Treat explicit custom providers, provider-qualified local model refs, persisted binding model providers, side-question forks, bound conversation turns, alias collisions, and OpenAI transport overrides as fail-closed for Guardian/model-backed review.
• Add OpenClaw internal exec auto-review for Codex app-server command approvals only for tools.exec.mode=auto, simple parsed command approvals, and an explicit tools.exec.reviewer.model under openai/...; unsafe control commands, amendments, security-audit suppression, unparsed commands, reviewer ask decisions, unrelated agent-specific aliases, and custom OpenAI transport overrides fall back to plugin/human approval.
• Refresh the Plugin SDK API baseline for the exec auto-review contract and keep the SDK import/export topology acyclic.

Real behavior proof

Behavior addressed: local/custom model Codex app-server auto approval no longer tries to use Codex Guardian/model-backed review, and internal exec auto-review requires an explicitly OpenAI-qualified reviewer model whose effective OpenAI transport remains native/trusted.
Real environment tested: local focused Vitest/static checks in the Codex worktree with a temporary shared node_modules symlink; delegated Blacksmith Testbox changed gate; GitHub PR CI completed on head e3318f163e636be06c0f7e2e14c22e2b4a04427e.
Exact steps or command run after this patch: node scripts/run-vitest.mjs extensions/codex/src/app-server/thread-lifecycle.test.ts extensions/codex/src/app-server/thread-lifecycle.binding.test.ts extensions/codex/src/app-server/config.test.ts extensions/codex/src/app-server/app-server-policy.test.ts extensions/codex/src/app-server/approval-bridge.test.ts extensions/codex/src/app-server/run-attempt.test.ts extensions/codex/src/app-server/side-question.test.ts extensions/codex/src/conversation-binding.test.ts extensions/codex/src/conversation-control.test.ts; node scripts/run-vitest.mjs extensions/codex/src/app-server/config.test.ts extensions/codex/src/app-server/approval-bridge.test.ts; node --import tsx scripts/check-madge-import-cycles.ts; node scripts/check-plugin-sdk-subpath-exports.mjs; git diff --check; node scripts/crabbox-wrapper.mjs run --provider blacksmith-testbox -- env OPENCLAW_CHECK_CHANGED_REMOTE_CHILD=1 OPENCLAW_CHANGED_LANES_RAW_SYNC=1 corepack pnpm check:changed; .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main; ghx pr checks 88630 --repo openclaw/openclaw --watch --interval 20.
Evidence after fix: focused local Codex suite passed 9 files / 399 tests before the final rebase; post-rebase focused config/approval regression suite passed 2 files / 159 tests; Madge reported 0 cycles; SDK subpath export check passed; final Testbox tbx_01ktmvpp9t8phfeaxdjaz4t1rt passed check:changed with exit 0; final autoreview reported no accepted/actionable findings for this PR diff; GitHub PR CI completed with all checks passing or skipped.
Observed result after fix: policy, config, side-question, run-attempt, conversation-binding, conversation-control, approval-bridge, thread lifecycle, SDK export, typecheck, lint, import-cycle, runtime-topology, security, critical-quality, and build-artifact checks pass on the rebased branch.
Dependency/Codex contract checked: upstream Codex codex-rs/app-server-protocol/src/protocol/v2/thread.rs:95-100 exposes thread model + model_provider; upstream Codex codex-rs/app-server-protocol/src/protocol/v2/turn.rs:66-87 exposes turn reviewer/approval overrides and model, but no turn-level model_provider.
What was not tested: live LM Studio/Ollama app-server round trip was not run; coverage is via policy/bridge/config regression tests, Codex upstream source inspection, autoreview, Testbox changed gate, and GitHub PR CI.

[clawsweeper]

Codex review: found issues before merge. Reviewed June 8, 2026, 8:39 PM ET / 00:39 UTC.

Summary
The PR changes Codex app-server approval routing for local/custom model providers, adds guarded internal exec auto-review helpers through a new Plugin SDK runtime subpath, expands Codex regression coverage, and includes small Feishu/channel lint edits.

PR surface: Source +1265, Tests +2338, Config +4, Other +1. Total +3608 across 26 files.

Reproducibility: yes. at source level: current main forces Codex app-server execMode: auto toward model-backed review without provider trust context, and the PR adds focused regression tests for local/custom providers. I did not run a live LM Studio or Ollama round trip in this read-only review.

Review metrics: 1 noteworthy metric.

• Public SDK subpath surface: 1 added. agent-harness-exec-review-runtime is added to package exports and entrypoints, which creates a published plugin contract that needs docs and baseline alignment before merge.

Merge readiness
Overall: 🦐 gold shrimp
Proof: 🦞 diamond lobster
Patch quality: 🦐 gold shrimp
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Restore awaited Feishu idle cleanup sequencing and keep/extend the existing fallback tests.
• [P2] Add the SDK subpath docs, doc metadata, and generated API baseline or keep the helper private.
• [P1] Record explicit maintainer acceptance of the local/custom-provider fail-closed approval behavior before merge.

Risk before merge

• [P1] Existing local/custom Codex app-server users with tools.exec.mode: auto may move from model-backed Guardian review attempts to user/plugin approval prompts, which is likely safer but still a compatibility-visible behavior change.
• [P1] The PR changes which reviewer model/provider contexts are trusted to approve exec requests, so maintainer acceptance of the security boundary is still required even with green tests.
• [P2] The incidental Feishu idle change can let no-visible-reply fallback or later replies run before async typing/streaming cleanup settles.
• [P1] The new public Plugin SDK subpath becomes a third-party plugin contract unless docs, metadata, and generated API baseline are aligned before publish.

Maintainer options:

1. Fix blockers before merge (recommended)
   Restore the awaited Feishu idle callback, add the missing SDK subpath docs/metadata/baseline, and keep the Codex fail-closed trust policy available for maintainer review.
2. Accept the approval-policy compatibility change
   Maintainers can explicitly accept that local/custom app-server users may see user/plugin approval prompts instead of model-backed Guardian review when the reviewer context is not trusted OpenAI.
3. Pause if the SDK subpath should not be public
   If the exec-review helper is only for the bundled Codex plugin, keep it private or plugin-local instead of publishing a new Plugin SDK contract in this PR.

Next step before merge

• [P2] The PR has narrow fixable defects, but it is maintainer-labeled and changes exec-approval compatibility plus a security trust boundary, so it needs author/maintainer follow-up rather than an autonomous cleanup close.

Security
Cleared: No concrete exploitable security or supply-chain defect was found in the diff; the exec-review trust-boundary change remains a maintainer acceptance risk rather than a discrete security bug.

Review findings

• [P2] Await Feishu idle cleanup — extensions/feishu/src/reply-dispatcher.ts:582
• [P2] Align the new SDK subpath contract — package.json:588-591

Review details

Best possible solution:

Land this only after restoring Feishu idle sequencing, completing the SDK public-surface docs/metadata/baseline, and recording maintainer acceptance of the provider-aware fail-closed exec-review policy.

Do we have a high-confidence way to reproduce the issue?

Yes, at source level: current main forces Codex app-server execMode: auto toward model-backed review without provider trust context, and the PR adds focused regression tests for local/custom providers. I did not run a live LM Studio or Ollama round trip in this read-only review.

Is this the best way to solve the issue?

No, not as currently submitted: the Codex owner-boundary approach looks reasonable, but the PR also introduces a Feishu async regression and an incomplete public SDK contract. A safer merge path fixes those blockers while keeping the provider-aware trust policy explicit for maintainer acceptance.

Full review comments:

• [P2] Await Feishu idle cleanup — extensions/feishu/src/reply-dispatcher.ts:582
typingCallbacks.onIdle is part of the reply dispatcher contract as Promise<void> | void, and the Feishu tests rely on awaiting idle side effects before fallback continues. Dropping the await here lets idleSideEffectsPromise resolve before async typing/streaming cleanup finishes, so no-visible-reply fallback or later replies can race cleanup and async failures are no longer propagated. Keep the await Promise.resolve(...) sequencing or otherwise make the callback synchronously guaranteed.
  Confidence: 0.92
• [P2] Align the new SDK subpath contract — package.json:588-591
  Adding ./plugin-sdk/agent-harness-exec-review-runtime to package.json publishes a new third-party Plugin SDK import path, but the branch does not update the SDK docs/catalog metadata or generated API baseline that define public subpaths. That leaves plugin authors with an undocumented contract and lets the published SDK surface drift from its reference docs. Add the docs/metadata/baseline updates or keep this helper out of the public SDK surface.
  Confidence: 0.88

Overall correctness: patch is incorrect
Overall confidence: 0.89

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 5b76436c452a.

Label changes

Label changes:

• add merge-risk: 🚨 message-delivery: The Feishu dispatcher edit can make visible-reply fallback race async idle/streaming cleanup.

Label justifications:

• P2: This is a normal-priority Codex approval-routing bug fix with bounded but compatibility-sensitive blast radius.
• merge-risk: 🚨 compatibility: The PR intentionally changes approval routing for existing local/custom Codex app-server setups and adds a new public Plugin SDK subpath.
• merge-risk: 🚨 security-boundary: The diff changes which reviewer model/provider endpoints may approve exec requests, which is a trust-boundary decision beyond CI alone.
• merge-risk: 🚨 message-delivery: The Feishu dispatcher edit can make visible-reply fallback race async idle/streaming cleanup.
• rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🦞 diamond lobster and patch quality is 🦐 gold shrimp.
• status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: This is a maintainer-authored PR, so the external-contributor proof gate does not apply; the PR body still records focused tests, Testbox check:changed, autoreview, CI, and upstream Codex source inspection.

Evidence reviewed

PR surface:

Source +1265, Tests +2338, Config +4, Other +1. Total +3608 across 26 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	15	1510	245	+1265
Tests	9	2349	11	+2338
Docs	0	0	0	0
Config	1	4	0	+4
Generated	0	0	0	0
Other	1	1	0	+1
Total	26	3864	256	+3608

Acceptance criteria:

• [P1] node scripts/run-vitest.mjs extensions/feishu/src/reply-dispatcher.test.ts extensions/codex/src/app-server/config.test.ts extensions/codex/src/app-server/approval-bridge.test.ts.
• [P1] node scripts/check-plugin-sdk-subpath-exports.mjs.
• [P1] node scripts/generate-plugin-sdk-api-baseline.ts --check.
• [P1] git diff --check.

What I checked:

• Repository policy applied: Read the full root policy plus scoped extension, Plugin SDK, agents, channels, and scripts guides; the SDK and approval-routing guidance materially affects this review. (AGENTS.md:1, 5b76436c452a)
• Current-main behavior: Current main forces execMode === "auto" into a model-backed reviewer path without provider-specific trust context, which makes the PR's local/custom provider fix relevant. (extensions/codex/src/app-server/config.ts:437, 5b76436c452a)
• PR implementation evidence: The PR head adds provider/model trust checks and regression tests showing LM Studio/custom OpenAI-compatible app-server runs use approvalsReviewer: "user" instead of Guardian/model-backed review. (extensions/codex/src/app-server/config.ts:459, e3318f163e63)
• Codex upstream contract checked: Sibling upstream Codex source exposes model_provider on thread start, while turn start exposes model and approval reviewer fields but no turn-level model_provider; this supports the PR's thread-boundary provider normalization. (../codex/codex-rs/app-server-protocol/src/protocol/v2/thread.rs:95, 8534912df930)
• Prior maintainer review addressed on current head: A maintainer review found that an earlier head scanned unrelated agents.list aliases; current head's configuredAgentModelAliasMatches only checks agents.defaults.models, matching that review's stated resolver scope. (extensions/codex/src/app-server/approval-bridge.ts:557, e3318f163e63)
• Feishu async regression evidence: The PR removes the await around typingCallbacks.onIdle, but the dispatcher contract and Feishu tests treat onIdle as Promise<void> | void and depend on awaiting idle side effects before fallback continues. (extensions/feishu/src/reply-dispatcher.ts:582, e3318f163e63)

Likely related people:

• vincentkoc: Authored this PR and has prior merged Codex harness/control-surface and Plugin SDK-adjacent work in the same area. (role: feature owner and current PR author; confidence: high; commits: ac3cd1a0ca8c, d10d71cdb659, edc0a22179a7; files: extensions/codex/src/app-server/approval-bridge.ts, extensions/codex/src/app-server/config.ts, src/plugin-sdk/agent-harness-runtime.ts)
• steipete: Recent commits touched Codex app-server approval cleanup, SDK/agent-harness docs, and plugin SDK boundary refactors around the affected surfaces. (role: recent area contributor; confidence: high; commits: 56a5d7e8657e, 8f6e71087b01, 6868cde4d45f; files: extensions/codex/src/app-server/approval-bridge.ts, extensions/codex/src/app-server/config.ts, src/plugin-sdk/agent-harness-runtime.ts)
• kevinslin: Reviewed this PR's trust gate and recently changed Codex app-server config behavior in the same path. (role: reviewer and recent Codex config contributor; confidence: medium; commits: fce002ad0320; files: extensions/codex/src/app-server/config.ts, extensions/codex/src/app-server/approval-bridge.ts)
• ArthurNie: Recent merged Feishu no-visible-reply fallback work owns the async idle/fallback behavior affected by the incidental Feishu edit. (role: recent Feishu reply lifecycle contributor; confidence: medium; commits: 7c15c2765ebb; files: extensions/feishu/src/reply-dispatcher.ts, extensions/feishu/src/reply-dispatcher.test.ts)
• MonkeyLeeT: Recently changed long Feishu streaming reply behavior in the same dispatcher, adjacent to the changed idle side-effect sequencing. (role: recent Feishu streaming contributor; confidence: medium; files: extensions/feishu/src/reply-dispatcher.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​clack/​core@​1.3.1
	npm/​@​grammyjs/​transformer-throttler@​1.2.1
	npm/​@​matrix-org/​matrix-sdk-crypto-nodejs@​0.6.0
	npm/​@​earendil-works/​pi-tui@​0.78.0
	npm/​@​create-markdown/​preview@​2.0.3
	npm/​@​a2ui/​lit@​0.10.0
	npm/​@​copilotkit/​aimock@​1.27.3
	npm/​@​grammyjs/​runner@​2.0.3
	npm/​@​lydell/​node-pty@​1.2.0-beta.12
	npm/​@​aws/​bedrock-token-generator@​1.1.0
	npm/​@​mdx-js/​mdx@​3.1.1
	npm/​@​lit/​context@​1.1.6
	npm/​@​lit-labs/​signals@​0.3.0
	npm/​@​grammyjs/​types@​3.27.3
	npm/​@​matrix-org/​matrix-sdk-crypto-wasm@​18.3.0
	npm/​@​google/​genai@​2.7.0
	npm/​@​discordjs/​voice@​0.19.2
	npm/​@​clack/​prompts@​1.4.0
	npm/​@​homebridge/​ciao@​1.3.9

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Publisher changed: npm @earendil-works/pi-tui is now published by mitsuhiko Author: mitsuhiko From: pnpm-lock.yaml → npm/@earendil-works/pi-tui@0.76.0 ℹ Read more on: This package | This alert | What is unstable ownership? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@earendil-works/pi-tui@0.76.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report