Heads-up: predicate-claw policy enforcement silently bypassed for OpenClaw codex-harness agents (upstream: openclaw/openclaw#82350)

[Kaspre]

Summary

Heads-up: in current OpenClaw 2026.5.x deployments using the codex harness, predicate-claw policy enforcement is silently bypassed for any agent routed through openai/gpt-* (codex-harness) models. The bug is upstream of predicate-claw (in OpenClaw's codex plugin), and predicate-authorityd itself returns correct decisions when consulted. The problem is that the OpenClaw before_tool_call hook chain — which is what calls into predicate-authorityd for fs.*, shell.exec, http.fetch, etc. — never fires for codex-routed tool calls.

Net effect for predicate-claw users: any OpenAI-codex agent in an OpenClaw deployment effectively has no policy enforcement, even though the policy file and sidecar are correctly loaded. Operators have no visible signal that this is happening — the OC plugin loads, registers, and runs; it just never gets a chance to authorize codex-routed tool calls.

Filed upstream in OpenClaw as openclaw/openclaw#82350 with full reproduction, codex SQLite trace evidence, and three probable transport-point culprits inside OpenClaw's codex plugin.

Affected OpenClaw versions

• Codex harness code first introduced in OC 2026.4.x (around 2026-04-10)
• Codex became the preferred runtime for openai/gpt-* models in OC 2026.5.9+
• Codex externalized as @openclaw/codex npm plugin in OC 2026.5.10+ (plugin install required, but easy to do)
• Confirmed reproducible on OC 2026.5.12 stable

So: any OC 2026.5.x deployment with @openclaw/codex installed and enabled, dispatching any agent through openai/gpt-* model refs, is silently bypassing predicate-claw policy for those agents. PI-harness agents (any non-OpenAI model, or agentRuntime.id: "pi" forced on OpenAI) are unaffected — those continue to enforce policy correctly.

Why this is upstream-of-you (and what would still help)

This isn't a fix predicate-claw can ship — the bug is in OpenClaw's extensions/codex/src/app-server/native-hook-relay.ts config transport. The OC issue suggests three plausible drop-points and a startup-self-test mitigation.

But two things from your side could help downstream consumers spot this early:

1. Documentation note in predicate-claw's README / OC integration docs: "Note: on OpenClaw deployments using the codex harness, policy enforcement for openai/gpt-* agents is currently affected by [Bug]: Codex harness — hooks.PreToolUse config never reaches app-server (silent plugin enforcement bypass) openclaw/openclaw#82350; pin those agents to the PI harness via agentRuntime.id: 'pi' until upstream fixes, or accept that codex-routed tool calls bypass the plugin."
2. Optional: startup self-probe in the predicate-claw OC plugin — fire a no-op test through the relay path after registration; if it fails to round-trip, log a clear SECURITY WARN at gateway log so operators see the bypass exists. (Same idea as suggested fix (1) in #82350 but at your layer.)

Neither is required — the actual fix lives upstream — but the silent-failure characteristic of this bug means operators may run unknowingly exposed for a while. A heads-up in docs would shorten that window.

Reproduction (brief — see #82350 for full)

Two agents on the same OC install with the same predicate-claw policy:

• agent-pi (any ollama-cloud or non-OpenAI model) → routed through PI harness → policy enforced correctly, plugin logs BLOCKED on denied paths
• agent-codex (any openai/gpt-* model) → routed through codex harness → plugin handler never fires, denied operations succeed, plugin's audit log captures nothing

Codex's own SQLite trace DB (~/.codex/logs_2.sqlite) confirms it never receives the hooks.PreToolUse config that OC's codex plugin is supposed to inject: across 110K log rows at INFO+TRACE+DEBUG verbosity over 5.8 days, zero occurrences of PreToolUse, pre_tool_use, or any related hook event name.

Filing context

Filing this as informational so predicate-claw maintainers are aware downstream consumers may be affected. Not requesting a fix in this repo — the upstream OC issue is where the actual fix needs to land. Happy to provide additional repro details or test against a fix if useful.

[Kaspre]

Update — upstream fix already on main

The upstream OpenClaw issue (openclaw/openclaw#82350) was closed by clawsweeper bot ~40 minutes after filing — they identified PR openclaw/openclaw#82078 ("fix(codex): use stable hooks feature flag", merged 2026-05-15 20:35Z) as already addressing the root cause.

Precise root cause now confirmed:

OpenClaw's codex plugin was emitting features.codex_hooks: true in the per-thread config, but recent versions of codex-cli have removed that feature-flag in favor of features.hooks (stable). PR #82078's Real Behavior Proof shows codex features list reports hooks stable true and does NOT list codex_hooks — confirming the old flag is fully gone from codex, not just deprecated-with-fallback. So OpenClaw was sending the hooks config with a feature flag codex no longer recognizes, codex silently dropped the entire hooks block, and the relay chain that should have called into predicate-claw never engaged.

This also explains why our diagnostic showed zero references to PreToolUse, PostToolUse, permission_request, and before_agent_finalize simultaneously in codex's SQLite trace DB — a single feature-flag check gated all four, and the gate evaluated false.

Release timeline

• Fix commit 3de97057d0bc merged to OC main on 2026-05-15 20:35Z
• Latest OC beta v2026.5.14-beta.2 (tagged at 11:11Z the same day, before the fix merged) does NOT contain the fix
• Next OC beta or stable release should ship it

Implications for predicate-claw downstream consumers

Any OpenClaw deployment on 2026.5.x ≤ v2026.5.14-beta.2 (and probably back to at least 2026.5.9 when codex became the preferred runtime for openai/gpt-* models) is affected until the fix lands in a release. PI-harness agents continue to enforce policy correctly; codex-harness agents (any openai/gpt-* model routed through the bundled @openclaw/codex plugin) do not.

Both of the suggestions in the original issue still have standing value as defense-in-depth, even after the upstream fix ships:

1. README note about checking OpenClaw version against the fix-shipping release, with a simple verification command (e.g., dispatch a known-denied operation through a codex agent and verify a BLOCKED log appears).
2. Optional startup self-probe in the predicate-claw OC plugin — fires a no-op test through the relay path after registration. The class of "feature flag renamed → silent bypass" can recur with future codex CLI changes; a self-probe catches the next regression instantly rather than after weeks of silent exposure.

Happy to leave this issue closed once the fix is released and validated, or keep it open for the README/self-probe tracking depending on what makes sense on your side.

[Kaspre]

Update - original upstream bug mostly fixed, but hook coverage still has current caveats

Correction to my earlier update: openclaw/openclaw#82078 was necessary, but not sufficient by itself.

Since then:

• fix(codex): enforce native tool policy openclaw/openclaw#82496 fixed the main Codex native-policy path.
• fix(codex): cover side-question native hooks openclaw/openclaw#82559 fixed the /btw / side-question native-hook path.

So the original broad "all codex-harness agents bypass Predicate" framing is less accurate on modern OpenClaw than it was when this issue was filed.

However, follow-up validation found remaining cases where a Predicate-style before_tool_call policy can still miss Codex-routed activity:

• fix(codex): defer native-hook-relay unregister to avoid cleanup race openclaw/openclaw#83987: OpenClaw-side native-hook relay cleanup race for gateway-dispatched Codex agents. A late Codex hook callback can hit native hook relay not found, so the OpenClaw before_tool_call chain can be skipped for that tool call. That PR is open at the time of this comment.
• Code Mode exec doesn't fire PreToolUse hooks (fix patch attached) openai/codex#23411: upstream Codex Code Mode outer exec does not implement pre_tool_use_payload, so that outer Code Mode dispatch does not emit PreToolUse. This is independent of Predicate/OpenClaw. Nested calls inside Code Mode should be covered once the OpenClaw relay path works.

So I would treat this as narrower than the original report, but still useful as a compatibility warning or self-probe tracker: Predicate users should verify that their installed OpenClaw/Codex combination is actually producing before_tool_call / PreToolUse events for the Codex paths they rely on.