Fix context-engine compaction ownership for Codex sessions

[joshavant]

Summary

• keep owning context-engine compaction primary for queued budget compaction when a Codex/native harness is also selected
• request Codex native thread/compact/start only as a bounded secondary follow-up after successful owning context-engine compaction
• clear stale Codex thread-bootstrap projection metadata before that native follow-up mutates the bound thread
• add focused regression coverage for the queued handoff, secondary Codex 4xx behavior, Discord /new stale model cleanup, and the real Codex app-server bridge path

Refs #90496. This addresses the live-reproduced context-engine/native-compaction breakage from the issue and adds direct regression coverage for two adjacent issue symptoms. It does not claim to close every reported symptom around real production Codex provider 4xxs, scheduled-session metadata recreation, or automatic transcript rotation policy.

Real behavior proof

Behavior addressed: Budget auto-compaction can be short-circuited by the Codex app-server native path before an owning context engine compacts the session.

Real environment tested: Final-head local runtime proof on b5db02fd5a1cd673a17b86cc92eef10792a2b82a, using the queued compaction entry point plus a proof harness that calls the real Codex app-server compact bridge with a fake client at the socket boundary. Live Discord lane was also tested with a Convex-leased discord credential and gateway started from this branch.

Exact steps or command run after this patch: pnpm tsx /private/tmp/openclaw-90496-final-head-proof.ts. Live Discord proof was run with 1Password-injected Convex broker credentials: op-with-service-account run --env-file /private/tmp/openclaw-90496-op.env -- pnpm tsx /private/tmp/openclaw-90496-discord-proof.ts.

Evidence after fix: Final-head proof output showed queued context-engine compaction succeeded and the secondary Codex bridge sent thread/compact/start with request:"after_context_engine":

{
  "sha": "b5db02fd5a1cd673a17b86cc92eef10792a2b82a",
  "compactResult": {
    "ok": true,
    "compacted": true,
    "reason": "proof-context-engine-compacted",
    "result": {
      "details": {
        "engine": "proof-context-engine",
        "nativeHarnessCompaction": {
          "ok": true,
          "compacted": false,
          "result": {
            "details": {
              "backend": "codex-app-server",
              "signal": "thread/compact/start",
              "pending": true,
              "request": "after_context_engine",
              "trigger": "budget"
            }
          }
        }
      }
    }
  },
  "bridgeRequests": [
    {
      "method": "thread/compact/start",
      "params": {
        "threadId": "thread-proof-final-head"
      }
    }
  ],
  "bindingAfter": {
    "contextEngine": {
      "schemaVersion": 1,
      "engineId": "proof-context-engine",
      "policyFingerprint": "proof-policy"
    }
  },
  "assertions": {
    "contextEngineCompacted": true,
    "contextEngineMarkerWritten": true,
    "secondaryCodexResultOk": true,
    "secondaryCodexRequestMarked": true,
    "secondaryCodexBridgeSignal": true,
    "outboundBridgeRequest": true,
    "projectionCleared": true,
    "didNotTakeOldNonManualSkip": true
  }
}

Observed result after fix: The owning context engine compacts first. Only after that succeeds, the secondary Codex bridge sends thread/compact/start with request:"after_context_engine", clears the stale context-engine projection marker, and does not take the old reason:"non_manual_trigger" skip path.

What was not tested live: A real production Codex provider provider_error_4xx, scheduled/reminder stale model metadata recreation, and a new automatic transcript-rotation product policy for genuinely unrecoverable compaction.

Added Issue-Shape Regression Proof

• src/agents/embedded-agent-runner/compact.hooks.test.ts now covers a secondary Codex/native provider_error_4xx after successful context-engine compaction. The primary result remains ok:true, compacted:true, and the 4xx is nested under codexNativeCompaction instead of overriding the context-engine result.
• src/auto-reply/reply/session.test.ts now covers the exact Discord channel shape from Discord channel remains trapped in oversized session after /new; compaction fails provider_error_4xx and model drifts from codex/gpt-5.5 to gpt-5.4 #90496: a stale codex/gpt-5.4 auto fallback from openai/gpt-5.5, oversized token counters, and /new. The reset creates a new session and clears provider/model fallback provenance plus stale token counters so the configured codex/gpt-5.5 default can apply.

Live Discord proof

The live Discord proof on this branch leased a discord credential from Convex, sent a real marker mention, observed the SUT bot reply, reset a seeded stale session entry, and invoked queued budget compaction for the Discord channel session.

Redacted live output:

{
  "credential": {
    "kind": "discord",
    "source": "convex",
    "id": "<redacted>"
  },
  "discord": {
    "guildId": "<redacted>",
    "channelId": "<redacted>",
    "sentMessageId": "<redacted>",
    "replyMessageId": "<redacted>",
    "markerObserved": true
  },
  "reset": {
    "rpcOk": true,
    "before": {
      "providerOverride": "codex",
      "modelOverride": "gpt-5.4",
      "fallbackOriginProvider": "openai",
      "fallbackOriginModel": "gpt-5.5"
    },
    "after": {}
  },
  "compaction": {
    "result": {
      "ok": true,
      "compacted": true,
      "reason": "proof-context-engine-compacted"
    },
    "markerWritten": true,
    "markerEvents": [
      {
        "sessionKey": "agent:qa:discord:channel:<redacted>",
        "target": "budget",
        "force": false
      }
    ]
  }
}

Regression proof

On current origin/main at 80f1ae6ffe, the same live Discord proof reproduced the narrowed failure: Discord marker observed, reset clean, but budget compaction returned compacted:false, reason:"codex app-server owns automatic compaction", and markerWritten:false.

Verification

• .agents/skills/autoreview/scripts/autoreview --mode local passed with no accepted/actionable findings after the added 90496 edge-case tests.
• node scripts/run-vitest.mjs src/agents/embedded-agent-runner/compact.hooks.test.ts src/auto-reply/reply/session.test.ts passed, 69/69 agent tests and 104/104 auto-reply session tests.
• node scripts/run-vitest.mjs extensions/codex/src/app-server/compact.test.ts passed, 19/19 Codex bridge tests.
• pnpm tsx /private/tmp/openclaw-90496-final-head-proof.ts passed on b5db02fd5a1cd673a17b86cc92eef10792a2b82a.
• Live Discord proof passed on this branch with a Convex-leased discord credential.
• git diff --check passed.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 9, 2026, 10:14 PM ET / 02:14 UTC.

Summary
The PR makes context-engine-owned compaction run before a bounded internal Codex native compaction follow-up, guards Codex binding/projection updates, waits for active native turns, and adds focused regression coverage.

PR surface: Source +520, Tests +819. Total +1339 across 14 files.

Reproducibility: yes. by source inspection: current main runs Codex native harness compaction before the owning context engine and the Codex native path skips budget triggers, matching the PR body's live current-main failure proof.

Review metrics: 1 noteworthy metric.

• Plugin SDK surface: 0 public SDK params added; 1 private Codex harness capability. The post-context-engine compaction hint stays internal, lowering plugin API compatibility risk before merge.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P2] Get explicit Codex/session-state owner review for the binding/projection sequencing before merge.

Risk before merge

• [P1] The PR changes when Codex binding projection metadata is cleared and when thread/compact/start runs; incorrect sequencing could desynchronize OpenClaw context-engine state from the native Codex thread.
• [P1] The PR deliberately leaves remaining symptoms in Discord channel remains trapped in oversized session after /new; compaction fails provider_error_4xx and model drifts from codex/gpt-5.5 to gpt-5.4 #90496 outside scope, including production Codex provider 4xxs, scheduled metadata recreation, and automatic transcript-rotation policy.

Maintainer options:

1. Owner-review the compaction handoff (recommended)
   Have a Codex/session-state owner verify the binding re-read, projection clear, and secondary native request ordering against live-session upgrade expectations before merge.

Next step before merge

• [P2] Protected maintainer handling and session-state sequencing risk require explicit owner review rather than an automated repair PR.

Security
Cleared: No concrete security or supply-chain regression was found; the diff does not change workflows, dependencies, secrets storage, or package execution surfaces.

Review details

Best possible solution:

Land this only after a Codex/session-state owner accepts the binding/projection sequencing and keep the remaining symptoms tracked in #90496.

Do we have a high-confidence way to reproduce the issue?

Yes, by source inspection: current main runs Codex native harness compaction before the owning context engine and the Codex native path skips budget triggers, matching the PR body's live current-main failure proof.

Is this the best way to solve the issue?

Yes, likely: keeping the context engine primary and making Codex native compaction a private bounded follow-up is the narrowest owner-boundary fix I found, with maintainer review still needed for session-state sequencing.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 9a1f2022b127.

Label changes

Label justifications:

• P1: The linked behavior can leave a Discord agent channel trapped in an oversized session, breaking a real agent/channel workflow.
• merge-risk: 🚨 session-state: The PR intentionally changes Codex thread binding, projection metadata, and context-engine/native compaction ordering.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body includes final-head runtime live output plus redacted live Discord proof showing the changed compaction behavior after the patch.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes final-head runtime live output plus redacted live Discord proof showing the changed compaction behavior after the patch.

Evidence reviewed

PR surface:

Source +520, Tests +819. Total +1339 across 14 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	8	600	80	+520
Tests	6	823	4	+819
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	14	1423	84	+1339

Acceptance criteria:

• [P1] node scripts/run-vitest.mjs src/agents/embedded-agent-runner/compact.hooks.test.ts src/auto-reply/reply/session.test.ts.
• [P1] node scripts/run-vitest.mjs extensions/codex/src/app-server/compact.test.ts extensions/codex/src/app-server/session-binding.test.ts extensions/codex/src/app-server/run-attempt.test.ts.
• [P1] git diff --check.

What I checked:

• Repository policy applied: Root and scoped OpenClaw review policy were read; the Codex/session-state change falls under the AGENTS.md guidance requiring whole-path review, Codex dependency inspection, and protected maintainer handling. (AGENTS.md:1, 9a1f2022b127)
• Current main still has the old short-circuit: Current main calls native harness compaction before context-engine-owned compaction can run, so the PR is not obsolete on main. (src/agents/embedded-agent-runner/compact.queued.ts:264, 9a1f2022b127)
• Current Codex native compaction skips non-manual triggers: Current main returns reason: "non_manual_trigger" for non-manual Codex app-server compaction, matching the reported budget-compaction failure shape. (extensions/codex/src/app-server/compact.ts:139, 9a1f2022b127)
• PR makes context engine primary: The PR skips the native harness preflight when the context engine owns compaction, then runs the native harness only as an after_context_engine secondary follow-up after successful compaction. (src/agents/embedded-agent-runner/compact.queued.ts:290, a7d2bd2a5113)
• Private Codex follow-up capability: The post-context-engine compaction request is kept behind a private internal harness capability rather than adding a public plugin SDK parameter. (src/agents/harness/compaction.ts:31, a7d2bd2a5113)
• Binding/projection guard added: The PR re-reads the Codex binding under a per-binding lock before clearing context-engine projection metadata and sending thread/compact/start. (extensions/codex/src/app-server/compact.ts:212, a7d2bd2a5113)

Likely related people:

• steipete: Git history shows repeated Codex app-server lifecycle/module work, including the app-server controls and lifecycle seam refactors that define this runtime boundary. (role: feature-history owner; confidence: high; commits: 31a0b7bd42a5, 8d72aafdbb8d, 3b65e2302a55; files: extensions/codex/src/app-server/run-attempt.ts, extensions/codex/src/app-server/compact.ts)
• vincentkoc: Recent history on Codex app-server auth/startup and the latest stable release touched the same Codex runtime area involved in binding and auth-profile safety. (role: recent adjacent contributor; confidence: medium; commits: f1cc8f0cfc7c, 859eb0666282, 5181e4f7c82b; files: extensions/codex/src/app-server/run-attempt.ts, extensions/codex/src/app-server/session-binding.ts)
• shakkernerd: Current-main blame in this shallow checkout points the central compaction and Codex binding lines at a recent commit by Shakker, making them a plausible routing candidate for current surface context. (role: recent area contributor; confidence: medium; commits: 56d201fa670b; files: src/agents/embedded-agent-runner/compact.queued.ts, extensions/codex/src/app-server/compact.ts, src/agents/harness/compaction.ts)
• joshavant: Beyond authoring this PR, prior merged work by this contributor touches reply/session and auth-adjacent paths that overlap the linked Discord/session recovery symptoms. (role: adjacent contributor; confidence: low; commits: 731d4666d25f, 1769fb2aa1d6; files: src/auto-reply/reply/session.test.ts, src/agents/harness/compaction.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[joshavant]

@clawsweeper re-review

I updated the PR body with final-head proof on 2e24ceab886a1999d4dbc0d74854c8e3e27dcbbd:

• queued context-engine compaction succeeds with ok:true, compacted:true, reason:"proof-context-engine-compacted"
• the secondary Codex bridge path sends thread/compact/start
• the secondary bridge result includes request:"after_context_engine" and trigger:"budget"
• stale context-engine projection metadata is cleared before native Codex compaction
• the old reason:"non_manual_trigger" skip path is not taken
• live Discord primary proof was rerun on final head with a Convex-leased discord credential

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27185919614
• Updated: 2026-06-09T05:36:49.489Z

[joshavant]

Follow-up hardening pushed in fc4c870c57 for the session-state sequencing concern.

What changed:

• The secondary after_context_engine Codex native compaction path now re-reads the Codex app-server binding under the binding mutation lock before clearing context-engine projection metadata or sending thread/compact/start.
• Binding writes and clears now serialize through the same per-binding in-process queue plus the cross-process file lock. This prevents a same-process write/clear from slipping between compare, projection clear, and native compaction start.
• The guarded native start is bounded to the binding-lock contract timeout. Peer binding mutations wait longer than that bounded RPC instead of timing out on the lock.
• Pre-aborted guarded compaction skips before clearing projection, so abort cannot leave projection metadata cleared when Codex compaction never starts.
• Missing binding clears keep the old no-op behavior and do not recreate deleted session directories.

Verification after this commit:

• .agents/skills/autoreview/scripts/autoreview --mode local returned clean with no accepted/actionable findings.
• node scripts/run-vitest.mjs extensions/codex/src/app-server/compact.test.ts extensions/codex/src/app-server/session-binding.test.ts src/agents/embedded-agent-runner/compact.hooks.test.ts passed after autoreview.
• CI on fc4c870c57 is green, including Real behavior proof.