← Back to Blogs
GH Issues

OpenClaw Issue Digest: Codex Runtime Regressions and Gateway Stability

18:30–00:30 UTC May 12, 2026

OpenClaw Issue Digest: Codex Runtime Regressions and Gateway Stability

Open Issues

Recent activity in the OpenClaw repository reveals a concentration of high-severity regressions centered around the Codex runtime and general gateway stability. A significant number of reports indicate that the transition to the native Codex runtime is currently unstable, with multiple users reporting MODULE_NOT_FOUND errors and timeout-driven fallbacks.

Codex Runtime and Model Routing

Several issues (#81213, #81196, #81175, #81194) highlight a critical failure in the Codex runtime's module resolution. Users updating to 2026.5.12-beta versions report that the primary OpenAI/Codex route fails to load codex-native-task-runtime, forcing the system to fall back to Anthropic providers. Even when the module is present on disk, the runtime appears to resolve the path incorrectly, treating a .cjs file as a directory.

Furthermore, the Codex app-server is experiencing stability issues during high-context turns. Issue #81114 describes a "wall-clock" timeout that does not distinguish between a dead turn and one that is still progressing near the context window limit, leading to premature model fallbacks.

Gateway Performance and Stability

Severe event loop starvation has emerged as a recurring theme. Issue #81191 reports delays of up to 7 minutes, which the author attributes to blocking HTTP calls during the Telegram channel's startAccount phase. Similarly, issue #81172 reports that the memory_search tool can block the Node.js event loop for over 60 seconds, causing Discord gateway connections to close and agents to hang.

Security and Data Integrity

Two high-severity security concerns have been raised:

  1. Secret Exposure (#71211): The exec tool returns raw stdout/stderr to the agent without redaction, potentially leaking API keys or .env contents into the agent's context.
  2. Auth Bypass (#72418): A vulnerability in shouldSkipLocalBackendSelfPairing allows local processes with a valid gateway token to impersonate the internal backend client and bypass device pairing.

Additionally, a data-loss class bug (#81145) was identified in the commitments store, where a lack of write serialization causes concurrent updates to silently overwrite each other, leading to lost dismissals or duplicate deliveries.

Key Themes

1. The "Fragile Beta" Experience

There is a clear pattern of "regression-fix-regression" cycles. For example, the claude-cli backend has seen multiple registration failures (#72576), and the thought_signature 400 error for Gemini has reappeared in 2026.4.25 after being supposedly fixed in 2026.4.24 (#72879).

2. UI/UX Friction and Inconsistency

Multiple issues point to a lack of standardization in the CLI and Web UI:

  • CLI Conventions: openclaw sessions list is the only list-style command that rejects the list subcommand (#81139).
  • Web UI Layout: Users on ultrawide displays report a degraded experience where forms stretch across the entire viewport, separating labels from action buttons (#72772).
  • Control UI Flashing: The webchat interface briefly flashes the login gate during tab re-focus due to an immediate connected=false render (#72500).

3. Memory and Dreaming Pathologies

Issues with the memory-core plugin suggest that Dreaming artifacts are not being written despite successful cron reports (#72546). There are also reports of "compaction loops" where stale transcript usage triggers repeated, unnecessary compactions (#81178).

Action Required

Critical Priority

  • Fix Codex Module Resolution: Resolve the MODULE_NOT_FOUND error in the @openclaw/codex package to restore the primary OpenAI route.
  • Address Event Loop Blocking: Move blocking HTTP calls (especially in Telegram startup) and heavy embedding searches (memory_search) to worker threads or non-blocking queues to prevent gateway hangs.
  • Implement Secret Redaction for exec: Add a redaction pass to the exec tool output to prevent internal secret exposure.
  • Patch Auth Bypass: Secure the shouldSkipLocalBackendSelfPairing logic to prevent unauthorized pairing bypasses.

High Priority

  • Fix Commitments Store Serialization: Implement a writer queue for commitments.json to prevent data loss during concurrent updates.
  • Resolve Gemini 0-Token Stalls: Investigate the intermittent stalls in gemini-3.1-pro-preview isolated sessions (#80714).
  • Repair Telegram Group Delivery: Address the regression where auto-replies are not delivered to group topics (#81207).

Medium Priority

  • Standardize CLI Subcommands: Add list as an alias for openclaw sessions to match other parent commands.
  • Improve Web UI Layouts: Implement max-content widths for ultrawide display support.

References

Issues