fix: bound native hook relay lifetime #91550

Merged: joshavant merged 1 commit into main from fix/native-hook-relay-deadline, Jun 9, 2026

Conversation

@joshavant

Contributor

Summary

Fixes #90993.

  • Add an OpenClaw-owned native hook relay deadline that starts before stdin is read, applies through direct bridge and gateway fallback, and aborts/destroys the held input path on timeout.
  • Preserve existing provider-compatible timeout fallback behavior: PreToolUse noop/fail-closed, PermissionRequest deny, and observational noop for non-blocking events.
  • Keep Codex-generated relay command timeouts below Codex's parent hook timeout so the relay has time to emit its fail-closed/noop response before the parent can kill it.

Verification

  • .agents/skills/autoreview/scripts/autoreview --mode local after final changes: clean, no accepted/actionable findings.
  • node scripts/run-vitest.mjs src/cli/native-hook-relay-cli.test.ts src/agents/harness/native-hook-relay.test.ts extensions/codex/src/app-server/native-hook-relay.test.ts extensions/codex/src/app-server/run-attempt.native-hook-relay.test.ts passed: 122 tests.
  • pnpm exec oxfmt --check src/cli/native-hook-relay-cli.ts src/cli/native-hook-relay-cli.test.ts src/agents/harness/native-hook-relay.ts src/agents/harness/native-hook-relay.test.ts extensions/codex/src/app-server/native-hook-relay.ts extensions/codex/src/app-server/native-hook-relay.test.ts passed.
  • node scripts/run-oxlint.mjs src/cli/native-hook-relay-cli.ts src/cli/native-hook-relay-cli.test.ts src/agents/harness/native-hook-relay.ts src/agents/harness/native-hook-relay.test.ts extensions/codex/src/app-server/native-hook-relay.ts extensions/codex/src/app-server/native-hook-relay.test.ts passed.
  • pnpm tsgo:core, pnpm tsgo:core:test, pnpm tsgo:extensions, pnpm tsgo:extensions:test passed.
  • pnpm build passed.
  • Local child-process regression against freshly built openclaw.mjs: held-open stdin exited code 0, was not killed, and emitted native hook relay timed out after 1000ms.
  • AWS Crabbox regression proof: provider aws, run run_0d76a211a57b, lease cbx_9d9647b4079b, slug brisk-crayfish; held-open stdin exited code 0 with the timeout line.

pnpm check:changed could not run because the local Crabbox binary is 0.20.0 and current Blacksmith Testbox delegation requires >=0.22.0; the matching direct checks above cover the changed core and Codex extension surfaces.

Real behavior proof

Behavior addressed: Native hook relay CLI processes can no longer wait indefinitely for EOF on stdin; timeout paths return the provider-compatible unavailable/noop/fail-closed response instead of leaking openclaw-hooks children.

Real environment tested: AWS Crabbox Linux, provider aws, run run_0d76a211a57b, lease cbx_9d9647b4079b, slug brisk-crayfish, plus local built openclaw.mjs child-process repro.

Exact steps or command run after this patch: Spawned openclaw hooks relay --provider codex --event pre_tool_use --pre-tool-use-unavailable noop --timeout 1000, wrote valid Codex PreToolUse JSON to stdin, intentionally kept stdin open, and observed whether the child exited before the 60s watchdog.

Evidence after fix: On AWS Crabbox, the held-open stdin child exited code 0 without watchdog kill and stderr included native hook relay timed out: native hook relay timed out after 1000ms.

Observed result after fix: The held-open relay process terminated instead of accumulating; the closed-stdin control also exited normally.

What was not tested: A multi-hour authenticated Codex app-server heartbeat scenario with real provider credentials was not run; the proved live path covers the root leak class through the actual relay CLI process.
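
The deadline pattern the Summary describes, as an added TypeScript sketch that is not OpenClaw's code or part of this PR: one budget is armed before stdin is read, the downstream call gets only the remaining time, and on expiry the held input is destroyed and a per-event fallback is returned. The response shapes, the `permission_request` event name and every helper name here are assumptions, and `HeldOpenInput` is a constructed stand-in for a pipe whose writer never closes it.

```typescript
// Added illustration, not OpenClaw source. Response shapes and helper names are assumptions.
type Unavailable = "noop" | "fail-closed";
type HookResponse = { decision: "noop" | "block" | "deny"; reason?: string };
type Forward = (payload: string, budgetMs: number, signal: AbortSignal) => Promise<HookResponse>;

// Minimal view of the stream the relay reads (process.stdin in a real CLI).
interface HookInput {
  on(event: "data" | "end", cb: (chunk?: string) => void): void;
  destroy(): void;
}

// One budget for the whole relay, armed before the first byte of stdin is read.
function armDeadline(timeoutMs: number) {
  const controller = new AbortController();
  const startedAt = Date.now();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  return {
    signal: controller.signal,
    remainingMs: () => Math.max(0, timeoutMs - (Date.now() - startedAt)),
    clear: () => clearTimeout(timer),
  };
}

// Settle with `work`, or reject the moment the deadline fires, whichever is first.
function withDeadline<T>(work: Promise<T>, signal: AbortSignal): Promise<T> {
  return new Promise<T>((resolve, reject) => {
    const onAbort = () => reject(new Error("deadline exceeded"));
    if (signal.aborted) return onAbort();
    signal.addEventListener("abort", onAbort, { once: true });
    work.then(resolve, reject);
  });
}

// Resolves only on EOF, which is exactly what a held-open pipe never delivers.
function readAll(input: HookInput): Promise<string> {
  return new Promise<string>((resolve) => {
    let text = "";
    input.on("data", (chunk) => { text += chunk ?? ""; });
    input.on("end", () => resolve(text));
  });
}

// Timeout outcome per event class, following the PR summary.
function timeoutFallback(event: string, preToolUseUnavailable: Unavailable): HookResponse {
  const reason = "native hook relay timed out";
  if (event === "permission_request") return { decision: "deny", reason };
  if (event === "pre_tool_use" && preToolUseUnavailable === "fail-closed") return { decision: "block", reason };
  return { decision: "noop" }; // observational events never block the agent
}

async function runRelay(opts: {
  event: string; timeoutMs: number; preToolUseUnavailable: Unavailable;
  input: HookInput; forward: Forward;
}): Promise<{ response: HookResponse; timedOut: boolean; diagnostic?: string }> {
  const deadline = armDeadline(opts.timeoutMs);
  try {
    const payload = await withDeadline(readAll(opts.input), deadline.signal);
    // The bridge/gateway call gets only what is left of the budget, plus the abort signal.
    const response = await withDeadline(
      opts.forward(payload, deadline.remainingMs(), deadline.signal), deadline.signal);
    return { response, timedOut: false };
  } catch (err) {
    if (!deadline.signal.aborted) throw err; // a real failure, not the deadline
    opts.input.destroy(); // drop the held pipe so nothing keeps the process alive
    return {
      response: timeoutFallback(opts.event, opts.preToolUseUnavailable),
      timedOut: true,
      diagnostic: `native hook relay timed out after ${opts.timeoutMs}ms`,
    };
  } finally {
    deadline.clear();
  }
}

// Constructed stand-in for a stdin pipe whose writer never closes it.
class HeldOpenInput implements HookInput {
  destroyed = false;
  private onData: Array<(chunk?: string) => void> = [];
  private onEnd: Array<(chunk?: string) => void> = [];
  on(event: "data" | "end", cb: (chunk?: string) => void): void {
    (event === "data" ? this.onData : this.onEnd).push(cb);
  }
  write(chunk: string): void { this.onData.forEach((cb) => cb(chunk)); }
  end(): void { this.onEnd.forEach((cb) => cb()); }
  destroy(): void { this.destroyed = true; }
}
```

Calling `runRelay` with a `HeldOpenInput` that is written to but never ended reproduces the held-open stdin case from the proof section; a `forward` that never settles reproduces a hung gateway under the same deadline.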

@openclaw-barnacle openclaw-barnacle Bot added cli CLI command changes agents Agent runtime and tooling extensions: codex size: L maintainer Maintainer-authored PR labels Jun 9, 2026
@clawsweeper

clawsweeper Bot commented Jun 9, 2026

Contributor

Codex review: needs maintainer review before merge. Reviewed June 8, 2026, 9:55 PM ET / 01:55 UTC.

Summary
The branch adds a native hook relay deadline across stdin reading, direct bridge invocation, and gateway fallback, plus generated Codex command timeouts and regression coverage.

PR surface: Source +215, Tests +136. Total +351 across 6 files.

Reproducibility: yes. Current main and v2026.6.1 read native hook stdin without a deadline before bridge/gateway timeouts apply, and the PR body includes a held-open stdin repro with local and AWS Crabbox after-fix proof; I did not rerun it in this read-only review.

Review metrics: 1 noteworthy metric.

  • Plugin SDK API surface: 1 optional method parameter added. NativeHookRelayRegistrationHandle is exported through openclaw/plugin-sdk/agent-harness-runtime, so maintainers should notice the compatibility surface even though existing one-argument implementations remain valid.

Merge readiness
Overall: 🦞 diamond lobster
Proof: 🦞 diamond lobster
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Next step before merge

  • [P2] The protected maintainer label and absence of actionable findings make this a maintainer-handled review/landing item, not an automated repair candidate.

Security
Cleared: No concrete security or supply-chain regression was found; the diff changes runtime timeout handling and tests without adding dependencies, scripts, permissions, or credential exposure.

Review details

Best possible solution:

Land the bounded relay deadline after maintainer/CI handling, keeping the provider-compatible timeout outputs and Codex parent-timeout margin intact.

Do we have a high-confidence way to reproduce the issue?

Yes. Current main and v2026.6.1 read native hook stdin without a deadline before bridge/gateway timeouts apply, and the PR body includes a held-open stdin repro with local and AWS Crabbox after-fix proof; I did not rerun it in this read-only review.

Is this the best way to solve the issue?

Yes. The best owner boundary is the OpenClaw relay entrypoint, with the child timeout expiring before Codex's parent hook timeout so OpenClaw can still emit fail-closed/noop output instead of being killed first.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 79c6136a9e17.

Label changes

Label changes:

  • add P1: The PR fixes a user-reported native hook relay leak that can accumulate hundreds of MB per child process and take down unattended gateway hosts.
  • add proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix local child-process output and AWS Crabbox live proof for the held-open stdin leak class, with the expected timeout line and exit code 0.
  • add rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body includes after-fix local child-process output and AWS Crabbox live proof for the held-open stdin leak class, with the expected timeout line and exit code 0.

Label justifications:

  • P1: The PR fixes a user-reported native hook relay leak that can accumulate hundreds of MB per child process and take down unattended gateway hosts.
  • rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body includes after-fix local child-process output and AWS Crabbox live proof for the held-open stdin leak class, with the expected timeout line and exit code 0.
  • proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix local child-process output and AWS Crabbox live proof for the held-open stdin leak class, with the expected timeout line and exit code 0.
Evidence reviewed

PR surface:

Source +215, Tests +136. Total +351 across 6 files.

View PR surface stats
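| Area | Files | Added | Removed | Net |
|---|---|---|---|---|
| Source | 3 | 280 | 65 | +215 |
| Tests | 3 | 148 | 12 | +136 |
| Docs | 0 | 0 | 0 | 0 |
| Config | 0 | 0 | 0 | 0 |
| Generated | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 |
| Total | 6 | 428 | 77 | +351 |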

What I checked:

  • Repository policy applied: Read root AGENTS.md plus scoped src/agents/AGENTS.md and extensions/AGENTS.md; the review applied the agent/runtime, plugin boundary, Codex dependency, and protected-label guidance. Maintainer notes directory only contained telegram notes, which did not match this PR surface. (AGENTS.md:1, 79c6136a9e17)
  • Current/shipped leak path: v2026.6.1 reads stdin with readStreamText before any relay timeout is applied, then passes timeoutMs only to bridge/gateway calls; current main has the same structure. (src/cli/native-hook-relay-cli.ts:54, 2e08f0f4221f)
  • PR deadline implementation: The PR arms a deadline before reading stdin, uses remaining time for direct bridge and gateway fallback, passes an AbortSignal to callGateway, and emits provider-compatible timeout responses. (src/cli/native-hook-relay-cli.ts:70, 68dabb735245)
  • PR stdin and gateway regression coverage: New tests cover held-open stdin for PreToolUse, PermissionRequest, and observational events, verify stdin destruction, and cover a hung gateway fallback under the same deadline. (src/cli/native-hook-relay-cli.test.ts:269, 68dabb735245)
  • Codex parent timeout contract checked: Codex hook runner writes JSON to the child stdin pipe, then waits with timeout_sec and kill_on_drop, so OpenClaw must emit fallback output before Codex's parent timeout kills the hook process. (../codex/codex-rs/hooks/src/engine/command_runner.rs:56, 0beb5c7f32cf)
  • Codex config timeout contract checked: Codex normalizes hook command timeout_sec to at least one second and uses the trusted command hash from the normalized command, timeout, and status message; the PR updates command timeout and trusted hash input together. (../codex/codex-rs/hooks/src/engine/discovery.rs:482, 0beb5c7f32cf)

Likely related people:

  • Vincent Koc: The shipped v2026.6.1 baseline commit contains the native hook relay files and current available history does not expose a finer-grained human feature commit for this path. (role: release baseline author / recent area contributor; confidence: low; commits: 2e08f0f4221f; files: src/cli/native-hook-relay-cli.ts, src/agents/harness/native-hook-relay.ts, extensions/codex/src/app-server/native-hook-relay.ts)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added proof: sufficient ClawSweeper judged the real behavior proof convincing. rating: 🦞 diamond lobster Very strong PR readiness with only minor maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. P1 High-priority user-facing bug, regression, or broken workflow. labels Jun 9, 2026
@joshavant joshavant merged commit 14b1ebd into main Jun 9, 2026
226 of 235 checks passed
@joshavant joshavant deleted the fix/native-hook-relay-deadline branch June 9, 2026 02:07
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request Jun 9, 2026
eleboucher pushed a commit to eleboucher/homelab that referenced this pull request Jun 12, 2026
…26.6.6) (#1040)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [ghcr.io/openclaw/openclaw](https://openclaw.ai) ([source](https://github.com/openclaw/openclaw)) | patch | `2026.6.5` → `2026.6.6` |

---

### Release Notes

<details>
<summary>openclaw/openclaw (ghcr.io/openclaw/openclaw)</summary>

### [`v2026.6.6`](https://github.com/openclaw/openclaw/blob/HEAD/CHANGELOG.md#202666)

[Compare Source](openclaw/openclaw@v2026.6.5...v2026.6.6)

##### Highlights

- Security boundaries are substantially tighter across transcripts, sandbox binds, host environment inheritance, MCP stdio, Codex HTTP access, native search policy, elevated sender checks, deleted-agent ACP bypasses, loopback tools, Discord moderation, and Teams group actions; exec approvals now fail closed on timeout. ([#&#8203;91529](openclaw/openclaw#91529), [#&#8203;91618](openclaw/openclaw#91618), [#&#8203;91615](openclaw/openclaw#91615), [#&#8203;91619](openclaw/openclaw#91619), [#&#8203;91741](openclaw/openclaw#91741), [#&#8203;91745](openclaw/openclaw#91745), [#&#8203;91746](openclaw/openclaw#91746), [#&#8203;91748](openclaw/openclaw#91748), [#&#8203;91749](openclaw/openclaw#91749), [#&#8203;91750](openclaw/openclaw#91750), [#&#8203;91751](openclaw/openclaw#91751), [#&#8203;91752](openclaw/openclaw#91752), [#&#8203;91763](openclaw/openclaw#91763), [#&#8203;89938](openclaw/openclaw#89938)) Thanks [@&#8203;joshavant](https://github.com/joshavant), [@&#8203;pgondhi987](https://github.com/pgondhi987), [@&#8203;mmaps](https://github.com/mmaps), [@&#8203;eleqtrizit](https://github.com/eleqtrizit), [@&#8203;shakkernerd](https://github.com/shakkernerd), and [@&#8203;drobison00](https://github.com/drobison00).
- Telegram delivery is safer and more coherent: account-scoped topics route to the right agent, streamed text survives tool calls, `/compact` works on generic ingress, callback handling uses concrete APIs, draft chunking is shared, durable dispatch dedupe moved into the SDK, and unauthorized DM text stays out of cache and prompt context. ([#&#8203;91189](openclaw/openclaw#91189), [#&#8203;88682](openclaw/openclaw#88682), [#&#8203;89588](openclaw/openclaw#89588), [#&#8203;90212](openclaw/openclaw#90212), [#&#8203;91876](openclaw/openclaw#91876), [#&#8203;91874](openclaw/openclaw#91874), [#&#8203;91904](openclaw/openclaw#91904), [#&#8203;91478](openclaw/openclaw#91478), [#&#8203;91915](openclaw/openclaw#91915)) Thanks [@&#8203;codysai001](https://github.com/codysai001), [@&#8203;alexzhu0](https://github.com/alexzhu0), [@&#8203;joelnishanth](https://github.com/joelnishanth), [@&#8203;snowzlm](https://github.com/snowzlm), [@&#8203;obviyus](https://github.com/obviyus), and [@&#8203;sallyom](https://github.com/sallyom).
- iMessage recovery and delivery now cover always-on inbound restart, durable echo markers, block streaming, idle approval discovery, hardened outbound transport, and actionable inbound startup diagnostics. ([#&#8203;91335](openclaw/openclaw#91335), [#&#8203;91449](openclaw/openclaw#91449), [#&#8203;88969](openclaw/openclaw#88969), [#&#8203;88530](openclaw/openclaw#88530), [#&#8203;91783](openclaw/openclaw#91783), [#&#8203;91785](openclaw/openclaw#91785)) Thanks [@&#8203;omarshahine](https://github.com/omarshahine), [@&#8203;jmissig](https://github.com/jmissig), and [@&#8203;colmbrogan](https://github.com/colmbrogan).
- Browser and MCP connectivity gained existing-session CDP support, discovered WebSocket validation, default-profile `cdpUrl` handling, safer browser-output boundaries, Streamable HTTP loopback transport, corrected OAuth/SSE authorization handling, and broader schema compatibility. ([#&#8203;91422](openclaw/openclaw#91422), [#&#8203;89851](openclaw/openclaw#89851), [#&#8203;91736](openclaw/openclaw#91736), [#&#8203;91747](openclaw/openclaw#91747), [#&#8203;91451](openclaw/openclaw#91451), [#&#8203;80143](openclaw/openclaw#80143)) Thanks [@&#8203;pgondhi987](https://github.com/pgondhi987), [@&#8203;anagnorisis2peripeteia](https://github.com/anagnorisis2peripeteia), [@&#8203;lifuyue](https://github.com/lifuyue), [@&#8203;eleqtrizit](https://github.com/eleqtrizit), [@&#8203;LiuwqGit](https://github.com/LiuwqGit), and [@&#8203;HemantSudarshan](https://github.com/HemantSudarshan).
- Control UI startup and first-reply latency are lower through cached model metadata, removal of the startup catalog wait, lazy slash-command loading, and first-event tracing with slow-reply diagnostics. ([#&#8203;91531](openclaw/openclaw#91531), [#&#8203;91538](openclaw/openclaw#91538), [#&#8203;91568](openclaw/openclaw#91568), [#&#8203;91583](openclaw/openclaw#91583), [#&#8203;91598](openclaw/openclaw#91598))
- Provider support expands with OpenRouter OAuth onboarding and Claude Fable 5 adaptive thinking, while Codex sessions keep correct compaction ownership, local models skip guardian review, dynamic tool progress normalizes cleanly, and Gemma 4 reasoning replay is preserved. ([#&#8203;91830](openclaw/openclaw#91830), [#&#8203;91882](openclaw/openclaw#91882), [#&#8203;91590](openclaw/openclaw#91590), [#&#8203;88630](openclaw/openclaw#88630), [#&#8203;88768](openclaw/openclaw#88768), [#&#8203;91696](openclaw/openclaw#91696)) Thanks [@&#8203;Patrick-Erichsen](https://github.com/Patrick-Erichsen), [@&#8203;joshavant](https://github.com/joshavant), [@&#8203;bdjben](https://github.com/bdjben), and [@&#8203;Coder-Wangyankun](https://github.com/Coder-Wangyankun).

##### Changes

- CLI progress: emit Claude CLI commentary progress events and bridge inter-tool commentary into channel progress without exposing internal protocol scaffolding. ([#&#8203;89834](openclaw/openclaw#89834), [#&#8203;90883](openclaw/openclaw#90883)) Thanks [@&#8203;anagnorisis2peripeteia](https://github.com/anagnorisis2peripeteia).
- Observability: allow trusted diagnostics channels to capture tool input/output content, add first-assistant-event traces, and warn on slow initial replies. ([#&#8203;91256](openclaw/openclaw#91256), [#&#8203;91568](openclaw/openclaw#91568), [#&#8203;91583](openclaw/openclaw#91583)) Thanks [@&#8203;amknight](https://github.com/amknight).
- Plugins/ClawHub: dogfood reusable package publishing, let dry runs skip publish approval, allow declared installed trusted hooks, report managed plugin version drift, and warn instead of failing on retired Skill Workshop configuration. ([#&#8203;91574](openclaw/openclaw#91574), [#&#8203;91591](openclaw/openclaw#91591), [#&#8203;90004](openclaw/openclaw#90004), [#&#8203;90927](openclaw/openclaw#90927), [#&#8203;90838](openclaw/openclaw#90838)) Thanks [@&#8203;Patrick-Erichsen](https://github.com/Patrick-Erichsen), [@&#8203;brokemac79](https://github.com/brokemac79), and [@&#8203;lonexreb](https://github.com/lonexreb).
- Memory/providers: move the local llama.cpp runtime into its provider plugin, batch embeddings across files, persist the agent model catalog cache, and keep QMD JSON search one-shot while filtering stale REM recall previews. ([#&#8203;91324](openclaw/openclaw#91324), [#&#8203;89138](openclaw/openclaw#89138), [#&#8203;90457](openclaw/openclaw#90457), [#&#8203;91837](openclaw/openclaw#91837), [#&#8203;91851](openclaw/openclaw#91851)) Thanks [@&#8203;osolmaz](https://github.com/osolmaz), [@&#8203;mushuiyu886](https://github.com/mushuiyu886), [@&#8203;ai-hpc](https://github.com/ai-hpc), and [@&#8203;TurboTheTurtle](https://github.com/TurboTheTurtle).
- Channels/mobile: add the QQBot group mention toggle, improve iPad and iPhone control surfaces, and expose the active connection host in the TUI footer. ([#&#8203;91423](openclaw/openclaw#91423), [#&#8203;91557](openclaw/openclaw#91557), [#&#8203;89909](openclaw/openclaw#89909)) Thanks [@&#8203;cxyhhhhh](https://github.com/cxyhhhhh), [@&#8203;Solvely-Colin](https://github.com/Solvely-Colin), and [@&#8203;baskduf](https://github.com/baskduf).
- Performance: prewarm TUI runtime plugins, deduplicate plugin auto-enable fanout, trim dense text-delta snapshots, and reuse prepared startup model metadata. ([#&#8203;90782](openclaw/openclaw#90782), [#&#8203;89978](openclaw/openclaw#89978), [#&#8203;91580](openclaw/openclaw#91580), [#&#8203;91531](openclaw/openclaw#91531)) Thanks [@&#8203;RomneyDa](https://github.com/RomneyDa) and [@&#8203;ai-hpc](https://github.com/ai-hpc).

##### Fixes

- Agent/session recovery: drop stale approval follow-ups after session rebind, remove drained reply-queue items by identity, recover stale main and visible replies, preserve Codex context-engine compaction ownership, lower the default compaction timeout to 180 seconds while respecting explicit configuration, and keep provider-failure terminal lifecycle state correct. ([#&#8203;85679](openclaw/openclaw#85679), [#&#8203;91450](openclaw/openclaw#91450), [#&#8203;91566](openclaw/openclaw#91566), [#&#8203;91840](openclaw/openclaw#91840), [#&#8203;91590](openclaw/openclaw#91590), [#&#8203;91361](openclaw/openclaw#91361), [#&#8203;91895](openclaw/openclaw#91895)) Thanks [@&#8203;openperf](https://github.com/openperf), [@&#8203;yetval](https://github.com/yetval), [@&#8203;joshavant](https://github.com/joshavant), [@&#8203;wangmiao0668000666](https://github.com/wangmiao0668000666), and [@&#8203;TurboTheTurtle](https://github.com/TurboTheTurtle).
- User-visible content boundaries: suppress Codex/Harmony protocol artifacts, neutralize browser and LanceDB memory media directives, redact transcript images, and preserve native `/compact` replies through source suppression. ([#&#8203;89151](openclaw/openclaw#89151), [#&#8203;91422](openclaw/openclaw#91422), [#&#8203;91425](openclaw/openclaw#91425), [#&#8203;91529](openclaw/openclaw#91529), [#&#8203;90212](openclaw/openclaw#90212)) Thanks [@&#8203;joelnishanth](https://github.com/joelnishanth), [@&#8203;pgondhi987](https://github.com/pgondhi987), [@&#8203;joshavant](https://github.com/joshavant), and [@&#8203;snowzlm](https://github.com/snowzlm).
- Channel delivery: keep WhatsApp captured replies attached to the successor controller after restart, retry Feishu rate limits, preserve Mattermost thread replies, canonicalize LINE webhook paths, restore Discord reply hydration and runtime timeout exports, and show OpenAI Realtime WebRTC assistant transcripts. ([#&#8203;85823](openclaw/openclaw#85823), [#&#8203;89659](openclaw/openclaw#89659), [#&#8203;91684](openclaw/openclaw#91684), [#&#8203;91649](openclaw/openclaw#91649), [#&#8203;90263](openclaw/openclaw#90263), [#&#8203;91686](openclaw/openclaw#91686), [#&#8203;90426](openclaw/openclaw#90426)) Thanks [@&#8203;itsuzef](https://github.com/itsuzef), [@&#8203;ladygege](https://github.com/ladygege), [@&#8203;jacobtomlinson](https://github.com/jacobtomlinson), [@&#8203;fuller-stack-dev](https://github.com/fuller-stack-dev), and [@&#8203;shushushv](https://github.com/shushushv).
- Cron: cancel active task runs cleanly, preserve terminal timeout/cancel state, and recover no-deliver tool warnings instead of silently losing the outcome. ([#&#8203;90666](openclaw/openclaw#90666), [#&#8203;90678](openclaw/openclaw#90678)) Thanks [@&#8203;ai-hpc](https://github.com/ai-hpc).
- Gateway/config/auth: share the approval runtime socket token, replace arrays explicitly in `config.patch`, skip the deleted-agent guard only for valid ACP harness sessions, surface headless LaunchAgent state, verify SQLite auth migration before cleanup, and arm QMD startup maintenance. ([#&#8203;87105](openclaw/openclaw#87105), [#&#8203;91551](openclaw/openclaw#91551), [#&#8203;91219](openclaw/openclaw#91219), [#&#8203;91614](openclaw/openclaw#91614), [#&#8203;91740](openclaw/openclaw#91740), [#&#8203;91978](openclaw/openclaw#91978)) Thanks [@&#8203;fuller-stack-dev](https://github.com/fuller-stack-dev) and [@&#8203;scotthuang](https://github.com/scotthuang).
- Providers/Codex: clarify quota errors, restore the Codex synthetic usage line, canonicalize Codex protocol assets, require API-key auth for realtime voice, normalize ACP model refs, preserve Gemma 4 `reasoning_content`, and avoid guardian review for local models. ([#&#8203;91390](openclaw/openclaw#91390), [#&#8203;91709](openclaw/openclaw#91709), [#&#8203;91507](openclaw/openclaw#91507), [#&#8203;91567](openclaw/openclaw#91567), [#&#8203;88630](openclaw/openclaw#88630), [#&#8203;91696](openclaw/openclaw#91696)) Thanks [@&#8203;hxy91819](https://github.com/hxy91819), [@&#8203;brokemac79](https://github.com/brokemac79), [@&#8203;RomneyDa](https://github.com/RomneyDa), [@&#8203;joshavant](https://github.com/joshavant), and [@&#8203;Coder-Wangyankun](https://github.com/Coder-Wangyankun).
- Updates/builds: recover package Gateway restarts after refresh failure, expose plugin convergence repair, fall back to Corepack in PATH-less pnpm environments, seed the correct Docker store packages, and keep ClawHub dry-run and publish paths reusable. ([#&#8203;91581](openclaw/openclaw#91581), [#&#8203;91599](openclaw/openclaw#91599), [#&#8203;91547](openclaw/openclaw#91547), [#&#8203;91591](openclaw/openclaw#91591)) Thanks [@&#8203;fuller-stack-dev](https://github.com/fuller-stack-dev), [@&#8203;sallyom](https://github.com/sallyom), and [@&#8203;Patrick-Erichsen](https://github.com/Patrick-Erichsen).
- UI: require explicit user intent before opening chat sessions and drain restored chat queues after session switches. ([#&#8203;91480](openclaw/openclaw#91480)) Thanks [@&#8203;TurboTheTurtle](https://github.com/TurboTheTurtle).
- Android: avoid the `dataSync` foreground-service type for persistent nodes. ([#&#8203;80082](openclaw/openclaw#80082)) Thanks [@&#8203;davelutztx](https://github.com/davelutztx).
- Native hooks: bound relay lifetimes so abandoned native hook connections cannot linger indefinitely. ([#&#8203;91550](openclaw/openclaw#91550)) Thanks [@&#8203;joshavant](https://github.com/joshavant).

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---


This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://git.erwanleboucher.dev/eleboucher/homelab/pulls/1040

Development

Successfully merging this pull request may close these issues.

[Bug]: native hook relay CLI processes (openclaw-hooks) never exit and accumulate until host OOM
