fix(codex): require authorized inbound claims for bound turns (#71702)

* fix(codex): require authorized inbound claims for bound turns * fix(codex): consume unauthorized bound turns
2026-05-06 06:20:43 +00:00 · 2026-04-25 12:42:23 -07:00
parent 84f183b7ad
commit 346a72ddb9
3 changed files with 38 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -188,6 +188,7 @@ Docs: https://docs.openclaw.ai
 - Agents/Claude CLI: pass the OpenClaw system prompt through Claude's prompt-file flag so Windows runs avoid argv length failures without changing system prompt semantics. Fixes #69158. (#69211) Thanks @skylee-01, @cassioanorte, @Syu0, and @Stache73.
 - Agents/CLI sessions: bind `google-gemini-cli` session auth-epoch to the Google account identity in `~/.gemini/oauth_creds.json`, so Gemini-backed agents resume their conversation after gateway restart instead of minting a fresh session, and stale bindings are invalidated when the authenticated Google account changes. Fixes #70973. (#71076) Thanks @openperf.
 - Slack: stop treating user mentions in assistant-authored message edit blocks as sender attribution, preventing edited bot messages from spoofing a mentioned DM user. (#71700) Thanks @vincentkoc.
+- Codex: consume unauthorized bound conversation inbound claims before they can fall through to other claim handlers or enqueue Codex turns. (#71702) Thanks @vincentkoc.

 ## 2026.4.24

--- a/extensions/codex/src/conversation-binding.test.ts
+++ b/extensions/codex/src/conversation-binding.test.ts
@@ -2,7 +2,10 @@ import fs from "node:fs/promises";
 import os from "node:os";
 import path from "node:path";
 import { afterEach, beforeEach, describe, expect, it } from "vitest";
-import { handleCodexConversationBindingResolved } from "./conversation-binding.js";
+import {
+  handleCodexConversationBindingResolved,
+  handleCodexConversationInboundClaim,
+} from "./conversation-binding.js";

 let tempDir: string;

@@ -40,4 +43,34 @@ describe("codex conversation binding", () => {

    await expect(fs.stat(sidecar)).rejects.toMatchObject({ code: "ENOENT" });
  });
+
+  it("consumes inbound bound messages when command authorization is absent", async () => {
+    const result = await handleCodexConversationInboundClaim(
+      {
+        content: "run this",
+        channel: "discord",
+        isGroup: true,
+      },
+      {
+        channelId: "discord",
+        pluginBinding: {
+          bindingId: "binding-1",
+          pluginId: "codex",
+          pluginRoot: tempDir,
+          channel: "discord",
+          accountId: "default",
+          conversationId: "channel-1",
+          boundAt: Date.now(),
+          data: {
+            kind: "codex-app-server-session",
+            version: 1,
+            sessionFile: path.join(tempDir, "session.jsonl"),
+            workspaceDir: tempDir,
+          },
+        },
+      },
+    );
+
+    expect(result).toEqual({ handled: true });
+  });
 });
--- a/extensions/codex/src/conversation-binding.ts
+++ b/extensions/codex/src/conversation-binding.ts
@@ -113,6 +113,9 @@ export async function handleCodexConversationInboundClaim(
  if (!data) {
    return undefined;
  }
+  if (event.commandAuthorized !== true) {
+    return { handled: true };
+  }
  const prompt = (event.bodyForAgent ?? event.content ?? "").trim();
  if (!prompt) {
    return { handled: true };