* feat(codex): read the account email with app-server usage
The Codex-harness usage snapshot now carries the account identity: the
usage fetch runs account/rateLimits/read and account/read over one
app-server session (new withCodexAppServerJsonClient seam, which the
single-request helper now delegates to), so the email is guaranteed to
belong to the same account as the windows. Identity stays best-effort;
rate limits survive an account read failure.
* style(test): scanner-safe app-server marker fixture
* test(codex): keep scanner-neutral hunks around app-server marker literals
* fix(codex): bound the best-effort account read within the usage deadline
Review P2: account/read shared the outer usage deadline, so a slow or hung
identity read could reject the whole snapshot with a timeout instead of
returning the already-fetched rate-limit windows. Race the account read
against a local timer bounded to min(4s, usageTimeoutMs/3) and drop the
identity on timeout; a regression test hangs account/read and asserts the
windows still return.
* fix(codex): send account/read params and bound identity by the remaining deadline
Second review round: account/read (GetAccount) requires a params object per
the app-server protocol, so send an empty {} (refreshToken defaults false);
without it a real app-server rejects the request. Bound the best-effort
identity read by the time left before the shared usage deadline (minus a
margin) instead of the original budget, so a slow rate-limit read can no
longer let the identity read trip the outer timeout and discard the
already-fetched windows.
* fix(codex): reserve the isolated shutdown budget in the usage deadline
Third review round: withCodexAppServerJsonClient awaits the isolated
client's closeAndWait inside the outer timeout, so a hung account/read
could reach the deadline during force-kill/exit cleanup and discard the
already-fetched windows. The usage read now passes a cheap isolatedShutdown
(force-kill 200ms + exit 300ms) and the identity bound reserves that plus a
250ms margin (750ms) of the remaining deadline, so cleanup always finishes
before the outer timeout.
* style(codex): rename scoped-request generic to avoid shadowing
crabbox run rsyncs the invoking repo by default, which blew the setup
budget when the gateway provisioned from a source checkout. Workspace
transfer is owned by the worker tunnel, so setup passes --no-sync.
Live AWS E2E hit the designed fail-stop: worker bootstrap requires Node on
the leased host, and bare AWS leases ship without it. Implement the plan's
provider setup phase as an opt-in `setup` profile key: after the lease is
SSH-ready the provider runs the command via `crabbox run --keep=true`,
gets its own timeout budget on top of provision, and stops the lease
before surfacing a failure so no unbootstrapped box leaks. Setup runs on
every provision attempt (including replay adoption), so commands must be
idempotent.
* fix(workboard): resolve parent dependency status via targeted lookups, not a full-corpus scan
dependencyTargetStatus() called the fully unscoped store.list() (every card,
every board, fully materialized via entries()+readCard()) just to look up the
status of a card's own parent id(s) -- almost always exactly one. dispatch()
calls promoteDependencyReady() once per card in its board-scoped pass, so
every parented card in that pass re-paid for a full-corpus re-scan.
Confirmed via a live CDP CPU profile of a real "openclaw workboard dispatch"
call (--inspect attached to a running gateway, Profiler.start/stop scoped to
the repro, elapsed 161.8s matching a known 160s+ stall): 93.3% of the time
(142s + 8.7s of 162s) was inside native SQLite all()/prepare() bindings, all
funneling through dispatch -> promoteDependencyReady -> dependencyTargetStatus
-> list -> entries -> readCard (readCard issues 4 separate synchronous SQL
statements per card). On a corpus of ~5770 cards, this is O(parented_cards_in_pass
x corpus_size x 4_queries) -- a genuine algorithmic defect, not event-loop
starvation from a concurrent session as originally suspected for this symptom.
Replace the unscoped list()+Map lookup with targeted get(parentId) calls
(already a single indexed-row lookup used everywhere else in this file) --
O(parents.length), normally O(1), instead of O(corpus size). Behavior is
unchanged: parent?.status === "done" on the get() result is exactly what
cards.get(parentId)?.status === "done" computed from the unscoped list().
Adds a regression test asserting the underlying store's entries() is called
at most once while promoting 8 parented cards together in one dispatch pass
(would have been 9 calls before this fix -- 1 outer scoped list() + 1 inner
unscoped list() per parented card).
* fix(workboard): address review feedback on dependency-target-status fastpath
Two findings from the automated PR review, both confirmed real:
- Remove an incomplete, unrelated active-owner fast-path (listActiveOwnerIds()
in store.ts + its cross-board test in store.test.ts) that leaked into this
commit from separate, still-in-progress local work. It imported
WorkboardActiveOwnerQueryable, a type that isn't defined anywhere in this
PR's tree, breaking typecheck and the bundled-extension lint check. Not
part of the dependencyTargetStatus fix this PR is scoped to.
- Replace the comparator-free, mutating .sort() calls in the new dependency
regression test with .toSorted() plus an explicit localeCompare comparator,
per the repo's lint rules.
Re-ran locally against just these two files (the actual PR diff, review WIP
set aside): pnpm lint --threads=8, pnpm format:check, pnpm tsgo:prod, pnpm
check:test-types, pnpm run lint:extensions:bundled all pass; full workboard
extension suite 111/111 (two removed tests belonged to the unrelated
active-owner code, not this fix).
---------
Co-authored-by: ClawBox <clawbox@cayk.ca>
* feat(usage): surface plan windows and account email in the chat context popover
The context-window popover now shows which account a session runs on:
provider usage snapshots carry an accountEmail resolved from the auth
profile when stored, the ChatGPT access-token JWT claims (openai/codex),
or the Claude CLI config file (~/.claude.json oauthAccount) for
keychain-synced logins. models.authStatus embeds it, quota groups keep
distinct accounts separate, and the popover renders the email under the
plan header for local CLI sessions and OpenClaw-configured subscriptions
alike.
* test(openai): assemble the fake usage JWT from parts
* test(usage): keep fixture tokens and identity plumbing scanner-safe
* fix(usage): verify the Claude CLI login before labeling usage with its email
Review findings: the CLI-config email fallback now requires the usage token
to match the cached CLI credential (and honors CLAUDE_CONFIG_DIR), so an
ambient login for another account never labels a snapshot; token-type
credentials propagate their stored email alongside oauth ones.
* style(anthropic): scanner-safe local for the CLI login read
* fix(usage): capture the Claude CLI account email on the credential
Review findings: reading ambient CLI config at usage-fetch time could not
verify keychain-only logins and could go stale across account switches.
The credential reader now captures oauthAccount.emailAddress next to the
credential it belongs to, the synced claude-cli profile carries it, and
the anthropic fetcher uses only the credential-borne identity.
* style(usage): scanner-safe credential fixtures and helper naming
* fix(auth): backfill the CLI account email onto existing synced profiles
Profiles synced before identity capture stay usable and skip CLI reads,
so upgraded installs would never gain the email until token rotation.
While the stored token material matches the CLI login, merge the
non-secret email onto the stored profile.
* style(test): scanner-safe email assertion
* test(auth): pin the no-reread invariant to identity-complete profiles
* fix(transcripts): stop live capture when the agent run is canceled
* fix(transcripts): preserve startup cleanup ownership
* fix(transcripts): keep runtime session type internal
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com>