test(codex): pin completion-idle timeout thread reset

[harjothkhara]

Summary

Regression coverage for issue 89974 ("Codex app-server turn idle timeout is surfaced as user interruption"). No runtime behavior changes.

• Confirms that after a turn_completion_idle_timeout, OpenClaw clears the timed-out Codex app-server thread binding.
• Confirms the next turn starts a fresh thread (thread/start) instead of resuming the thread that may still contain Codex's generic <turn_aborted> / user-interrupted marker.

The "user interrupted the previous turn on purpose" wording is Codex's own <turn_aborted> rollout marker; OpenClaw cannot change it (turn/interrupt carries no reason), only avoid replaying it. The behavior that abandons the timed-out thread landed in #87781; this test pins it for the exact issue shape.

Collision and current state

• No direct competing PR currently claims or closes issue 89974; this PR is the only direct regression-coverage PR found for that issue.
• fix(codex): prevent false completion stalls during native streams #87781 already fixed the runtime thread-abandonment behavior this PR covers. This PR is intentionally a test-only guardrail, not a second runtime fix.
• This PR intentionally avoids a closing keyword for issue 89974 because it pins one already-fixed path and should not by itself close the broader issue.

Proof and merge path

This verifies the behavior at the code/test level; no live end-to-end repro was run. Because the PR is test-only and introduces no new runtime behavior, the remaining proof-policy blocker needs maintainer judgment, a proof: override label, or separately supplied redacted live logs showing the after-timeout next turn starts fresh.

I am not broadening this PR into a runtime classification/copy fix: that would change the scope, require a different proof lane, and is separate from pinning the #87781 thread-reset behavior.

Validation

• new regression test: passed
• run-attempt.turn-watches.test.ts: 56 passed
• run.codex-app-server-recovery.test.ts: 10 passed
• oxfmt / oxlint / tsgo / git diff --check: passed

Refs issue 89974. Behavior fixed by #87781.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed June 4, 2026, 1:35 AM ET / 05:35 UTC.

Summary
Adds a Codex app-server Vitest regression test asserting that a completion-idle timeout clears the resumed thread binding and that the next turn starts a fresh thread.

PR surface: Tests +53. Total +53 across 1 file.

Reproducibility: no. high-confidence live current-main reproduction was established. The source path is clear and the proposed test exercises the fixed timeout-to-fresh-thread behavior, but the contributor supplied only code/test validation.

Review metrics: none identified.

Merge readiness
Overall: 🦪 silver shellfish
Proof: 🦪 silver shellfish
Patch quality: 🐚 platinum hermit
Result: blocked until real behavior proof from a real setup is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P2] Add redacted terminal/log/live output showing an after-timeout follow-up starts fresh, or ask a maintainer to apply a proof override.

Proof guidance:

• [P1] Needs real behavior proof before merge: The PR body explicitly says no live end-to-end repro was run; supplied evidence is code/test validation only, so real behavior proof or a maintainer proof override is still required. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Risk before merge

• [P1] External real behavior proof is still code/test-only; the PR body explicitly says no live end-to-end repro was run, so maintainers need a proof override or redacted live logs before merge.

Maintainer options:

1. Decide the mitigation before merge
   Merge the test after a maintainer proof override or redacted live evidence, while keeping the runtime behavior from the merged completion-stall recovery work as the implementation.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge

• [P1] A human maintainer needs to decide whether this test-only external PR can merge with a proof override or should wait for redacted live evidence; there is no narrow automated code repair to make.

Security
Cleared: The diff only changes a Vitest test file and uses existing local helpers, with no dependency, workflow, secret, runtime, or supply-chain surface changed.

Review details

Best possible solution:

Merge the test after a maintainer proof override or redacted live evidence, while keeping the runtime behavior from the merged completion-stall recovery work as the implementation.

Do we have a high-confidence way to reproduce the issue?

No high-confidence live current-main reproduction was established. The source path is clear and the proposed test exercises the fixed timeout-to-fresh-thread behavior, but the contributor supplied only code/test validation.

Is this the best way to solve the issue?

Yes for this PR's scope. A focused regression test in the Codex app-server turn-watch suite is the narrowest maintainable way to pin the already-fixed thread reset without changing runtime behavior.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 5a10f46c56a0.

Label changes

Label justifications:

• P3: This is a low-risk test-only regression guard with no runtime behavior change, so the remaining maintainer work is proof judgment rather than urgent repair.
• rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🐚 platinum hermit.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR body explicitly says no live end-to-end repro was run; supplied evidence is code/test validation only, so real behavior proof or a maintainer proof override is still required. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Evidence reviewed

PR surface:

Tests +53. Total +53 across 1 file.

View PR surface stats

Area	Files	Added	Removed	Net
Source	0	0	0	0
Tests	1	54	1	+53
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	1	54	1	+53

What I checked:

• Changed surface: The PR modifies only run-attempt.turn-watches.test.ts, adding a two-turn regression test plus imports for existing harness and binding helpers. (extensions/codex/src/app-server/run-attempt.turn-watches.test.ts:2869, 2a6badaa9523)
• Current timeout cleanup behavior: On current main, timed-out native turns clear the binding for the active thread before retiring the app-server client, which is the runtime behavior the PR pins. (extensions/codex/src/app-server/run-attempt.ts:2198, 5a10f46c56a0)
• Binding clear is thread-scoped: clearCodexAppServerBindingForThread preserves a newer/different binding and only unlinks the binding when the stored thread id matches. (extensions/codex/src/app-server/session-binding.ts:309, 5a10f46c56a0)
• Fresh start follows missing binding: startOrResumeThread reads the binding, resumes when one is present, and otherwise falls through to thread/start, matching the PR's second-turn assertion. (extensions/codex/src/app-server/thread-lifecycle.ts:335, 5a10f46c56a0)
• Linked runtime fix provenance: The linked merged PR fix(codex): prevent false completion stalls during native streams #87781 includes commits for completion-idle recovery and the thread-scoped binding clear; the release compare shows v2026.6.1 contains its merge commit. (extensions/codex/src/app-server/run-attempt.ts:2198, 5a10f46c56a0)
• Upstream Codex contract: Codex upstream owns the <turn_aborted> guidance text, and the app-server turn/interrupt client call carries only threadId and turnId, not an abort reason. (../codex/codex-rs/core/src/context/turn_aborted.rs:9, ad2012d645b7)

Likely related people:

• steipete: Current shallow blame points the central Codex app-server files to Peter Steinberger, and the linked merged runtime-fix PR commits were committed/merged by steipete. (role: recent area contributor and merger; confidence: high; commits: 6f08a1a3dd2a, 5f35ccbdf018, 2d0ff138b698; files: extensions/codex/src/app-server/run-attempt.ts, extensions/codex/src/app-server/session-binding.ts, extensions/codex/src/app-server/thread-lifecycle.ts)
• keshavbotagent: Authored the earlier merged completion-stall recovery work in fix(codex): prevent false completion stalls during native streams #87781 that this PR is explicitly pinning with regression coverage. (role: linked runtime fix author; confidence: high; commits: f434af936ecb, 3eb0a1f3f860, 7a8dfeaf0a4c; files: extensions/codex/src/app-server/run-attempt.ts, extensions/codex/src/app-server/run-attempt.turn-watches.test.ts, src/agents/embedded-agent-runner/run.codex-app-server-recovery.test.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[harjothkhara]

This PR is intentionally test-only: it adds regression coverage for #89974 and does not change runtime behavior.

The behavior under test appears to have already been fixed by #87781. This PR only pins the regression path: after turn_completion_idle_timeout, OpenClaw clears the timed-out Codex app-server thread binding, so the next turn starts a fresh thread instead of resuming the one that may contain Codex's generic <turn_aborted> / "user interrupted" marker.

Because this is a test-only external PR, I cannot honestly provide new live runtime "real behavior proof" beyond the code/test verification already listed. The red "Real behavior proof" check appears to require maintainer judgment or a proof: override label if maintainers want this regression test merged.

[harjothkhara]

Merge-state note: this PR is mergeable with no conflicts. GitHub reports mergeable_state: unstable, but the red Real behavior proof check appears to be the only non-green signal and is not a blocking required check.

This PR is intentionally test-only. It pins the #89974 regression fixed by #87781, so there is no live runtime behavior proof to add. A proof: override clears it, or this can be merged as-is if maintainers are comfortable. Happy to close instead if you'd rather keep just the #87781 fix.

[harjothkhara]

On the Real behavior proof gate

This PR is intentionally test-only (+54/-1, a single regression test) with no runtime change. The behavior it pins — clearing a timed-out Codex thread binding so the next turn starts a fresh thread/start rather than resuming a thread still carrying Codex's <turn_aborted> marker — already shipped in #87781 (merged 2026-05-29).

Because there's no new runtime code here, there's no new runtime behavior to capture live; a "live repro" would only re-demonstrate #87781's merged fix. The test drives the real runCodexAppServerAttempt path with only the external Codex app-server transport stubbed (the same boundary the rest of this file stubs), exercising the genuine idle-timeout → binding-clear → fresh-thread logic.

Per the proof policy this looks like a fit for a maintainer proof: override (test-only guardrail for already-merged behavior). Could a maintainer apply it — or advise if you'd prefer this folded into the #87781 coverage or closed? Happy to adjust scope either way.

[kevinslin]

lgtm. thanks for the coverage