feat: canonicalize Codex protocol JSON asset ordering

[RomneyDa]

Problem: the generated codex assets cause large LOC churn bc they don't maintain ordering
But ordering doesn't matter for some keys.
Solution: prevent churn by sorting the keys and arrays in a sensible way

AI Generated:

Summary

• Add a reusable recursive canonicalizer for generated Codex app-server protocol JSON schemas.
• Use the same canonicalization in both the protocol sync writer and protocol drift checker.
• Normalize the currently tracked selected generated JSON assets from origin/main canonical order only; this does not include a Codex dependency bump.

Dependency / Protocol Source Checked

• Inspected sibling Codex source at rust-v0.137.0 and the pinned rust-v0.135.0 tag for the app-server export path.
• Relevant Codex files checked: codex-rs/app-server-protocol/src/bin/export.rs, codex-rs/app-server-protocol/src/export.rs, codex-rs/app-server-protocol/src/schema_fixtures.rs, and codex-rs/app-server-protocol/tests/schema_fixtures.rs.
• OpenClaw remains pinned to @openai/codex 0.135.0; no dependency or lockfile changes are included.

Verification

• node scripts/run-vitest.mjs test/scripts/codex-app-server-protocol-source.test.ts
• node scripts/run-vitest.mjs extensions/codex/src/app-server/protocol-validators.test.ts
• git diff --check
• JSON parse check over extensions/codex/src/app-server/protocol-generated/json/**/*.json
• Canonicalization proof: current generated JSON equals canonicalized origin/main for all 8 selected schemas
• .agents/skills/autoreview/scripts/autoreview --mode local clean, no actionable findings

Blocked locally:

• OPENCLAW_CODEX_PROTOCOL_MIN_FREE_BYTES=0 pnpm codex-app-server:protocol:check could not run the generator because local Homebrew cargo fails before startup with a missing libllhttp.9.3.dylib required by libgit2.

[clawsweeper]

Codex review: found issues before merge. Reviewed June 8, 2026, 9:44 PM ET / 01:44 UTC.

Summary
The branch adds a shared Codex app-server JSON schema canonicalizer, wires it into protocol sync/check scripts, adds tests, and reorders selected generated schema JSON assets.

PR surface: Source 0, Tests +77, Other +82. Total +159 across 9 files.

Reproducibility: not applicable. this is an internal generated-asset and script canonicalization PR, not a bug report with a runtime reproduction path. The relevant checks are source review, upstream Codex contract inspection, and generator drift proof.

Review metrics: 1 noteworthy metric.

• Generated protocol canonicalization surface: 1 helper added, 2 script consumers changed, 5 schema assets reordered. The shared helper now defines both sync output and drift comparison for Codex runtime schema JSON, so its ordering policy matters before merge.

Merge readiness
Overall: 🦐 gold shrimp
Proof: 🌊 off-meta tidepool
Patch quality: 🦐 gold shrimp
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Constrain array sorting to order-insensitive schema keywords or an equivalent explicit policy.
• Run pnpm codex-app-server:protocol:check in a clean environment at the current head.

Risk before merge

• [P1] The canonicalizer is keyed only on top-level type, so sync/check would canonicalize typed object arrays even under order-sensitive schema keywords if future generated schemas add them.
• [P1] The PR body says the full pnpm codex-app-server:protocol:check path was blocked locally, so generated runtime validators still need clean generator-backed drift proof before merge.

Maintainer options:

1. Constrain schema array sorting before merge (recommended)
   Restrict array sorting to explicitly order-insensitive schema keywords or pass parent-key context, then rerun canonicalizer tests and the generated protocol check.
2. Accept the broader canonicalization policy
   Maintainers can intentionally accept the broader policy, but they own the future schema-order compatibility risk and should record clean generator proof before landing.

Next step before merge

• Protected maintainer PR; the remaining action is maintainer review of canonicalization scope plus clean generator-backed drift proof, not read-only cleanup closure.

Security
Cleared: No concrete security or supply-chain issue found; the diff changes scripts, tests, and generated JSON ordering without dependency, lockfile, workflow, permission, secret, or download changes.

Review findings

• [P2] Restrict schema array canonicalization by keyword — scripts/lib/codex-app-server-protocol-source.ts:390

Review details

Best possible solution:

Land a keyword-scoped canonicalizer with clean generator-backed Codex protocol drift proof, keeping generated JSON aligned with upstream semantics.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is an internal generated-asset and script canonicalization PR, not a bug report with a runtime reproduction path. The relevant checks are source review, upstream Codex contract inspection, and generator drift proof.

Is this the best way to solve the issue?

No; sharing one helper between sync and check is the right owner boundary, but array sorting should be constrained to order-insensitive schema contexts before the helper writes runtime validator assets.

Full review comments:

• [P2] Restrict schema array canonicalization by keyword — scripts/lib/codex-app-server-protocol-source.ts:390
  This now runs for every array before writing generated runtime schemas, but it sorts any plain-object items that expose a top-level type regardless of the JSON Schema keyword. Order is significant for schema arrays such as prefixItems, so a future Codex schema with typed tuple positions would be rewritten and then hidden by the same normalization in the drift check; pass parent-key context or restrict sorting to the order-insensitive union keywords this PR proves safe.
  Confidence: 0.82

Overall correctness: patch is incorrect
Overall confidence: 0.78

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 79c6136a9e17.

Label changes

Label changes:

• add rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🌊 off-meta tidepool and patch quality is 🦐 gold shrimp.
• add status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: Not applicable: this is a member/maintainer internal tooling and generated-asset PR, so the contributor real-behavior proof gate does not apply; generator drift proof remains a maintainer merge check.
• remove rating: 🐚 platinum hermit: Current PR rating is rating: 🦐 gold shrimp, so this older rating label is no longer current.
• remove status: 👀 ready for maintainer look: Current PR status label is status: ⏳ waiting on author.

Label justifications:

• P3: This is an internal scripts/generated-asset cleanup with limited immediate user-facing blast radius.
• merge-risk: 🚨 compatibility: The changed generated Codex protocol schemas feed runtime validators, and an over-broad canonicalizer or unproved generator drift can break protocol compatibility on future syncs.
• rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🌊 off-meta tidepool and patch quality is 🦐 gold shrimp.
• status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: Not applicable: this is a member/maintainer internal tooling and generated-asset PR, so the contributor real-behavior proof gate does not apply; generator drift proof remains a maintainer merge check.

Evidence reviewed

PR surface:

Source 0, Tests +77, Other +82. Total +159 across 9 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	5	129	129	0
Tests	1	77	0	+77
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	3	84	2	+82
Total	9	290	131	+159

What I checked:

• Repository policy read: Read the full root policy plus scoped scripts, extensions, and test guides; the relevant guidance requires direct Codex source inspection and aligned generated-artifact sync/check behavior for this PR. (AGENTS.md:8, 79c6136a9e17)
• Current main does not already contain the change: Current main still normalizes generated Codex JSON by plain JSON parse/stringify in the checker and writer; the PR is not obsolete on main. (scripts/check-codex-app-server-protocol.ts:144, 79c6136a9e17)
• PR canonicalizer scope: The PR canonicalizes every array through sortCodexProtocolJsonArrayByType, so array sorting is not currently limited by the parent JSON Schema keyword. (scripts/lib/codex-app-server-protocol-source.ts:390, 001f6bbc2641)
• PR sync/check consumers: The PR uses the same canonicalizer in both the drift checker and the sync writer, so the helper defines both comparison policy and the runtime schema asset output. (scripts/sync-codex-app-server-protocol.ts:31, 001f6bbc2641)
• Generated JSON feeds runtime validation: Current main imports the generated Codex JSON schemas and compiles them with TypeBox validators, making schema-output semantics compatibility-sensitive rather than cosmetic-only. (extensions/codex/src/app-server/protocol-validators.ts:6, 79c6136a9e17)
• Codex exporter contract inspected: At Codex rust-v0.137.0, the export binary calls generate_ts_with_options and generate_json_with_experimental; OpenClaw-side ordering canonicalization is outside the upstream export entrypoint. (../codex/codex-rs/app-server-protocol/src/bin/export.rs:23, cfa0e4c8a658)

Likely related people:

• RomneyDa: Authored the merged Codex app-server 0.137 refresh that updated the same generated protocol assets and check assumptions, and this PR builds directly on that surface. (role: recent area contributor; confidence: high; commits: 112e98faa274; files: extensions/codex/src/app-server/protocol-generated/json/v2/ThreadStartResponse.json, scripts/check-codex-app-server-protocol.ts)
• vincentkoc: Recent API history shows script hardening and Windows protocol formatting work on the Codex protocol generation helpers that this PR changes. (role: script surface contributor; confidence: medium; commits: e0ab71d3dcf1, ce48e4c197e5; files: scripts/lib/codex-app-server-protocol-source.ts, scripts/check-codex-app-server-protocol.ts)
• steipete: Recent history shows validator documentation and the TypeBox validator migration for the runtime surface that consumes these generated schemas. (role: adjacent validator owner; confidence: medium; commits: ff867fcb7fbc, 3548cff14b9c; files: extensions/codex/src/app-server/protocol-validators.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.