OpenClaw merged a P1 Codex security-boundary fix this morning that makes bound app-server conversations honor the execution host policy of the agent they were actually bound to. The change landed in PR #86360, titled "fix(codex): honor bound agent exec host policy."
The issue sits in a sensitive part of the runtime: how Codex app-server conversations decide whether native execution is allowed, and which agent's tools.exec.host policy applies when a turn comes back through an existing binding.
In plain terms, a bound conversation should not accidentally inherit execution-host overrides from an unrelated current session. If an OpenClaw operator binds a Codex conversation to one agent, the runtime needs to continue checking that agent's policy on later turns, attach/create flows, and missing-thread recovery paths.
What Changed
The PR stores the binding agent id for newly created Codex app-server conversation bindings. That agent id is then passed into the native execution guard and runtime policy resolution, including bound turns and missing-thread recovery.
The PR summary says the fix prevents "unrelated current-session exec-host overrides from masking a different bound agent's tools.exec.host=node policy." That is the key security detail. Execution host policy is not just a preference; it decides where code runs and which boundary the agent is operating inside.
The patch also preserves legacy behavior for the configured default agent. Persisted unscoped or default-session overrides, such as main or node-session, still work when the explicit agent is the default agent.
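The difference between resolving policy from the current session and resolving it from the bound agent can be shown with a small model. This is an added example, not code from OpenClaw or from either PR. Every type, function name, agent id and the "host-a"/"host-b" values are hypothetical; only tools.exec.host=node and the default-agent exception come from the PR summary quoted above.

```typescript
// Added illustration: a simplified model, not OpenClaw source code.
// Every type, function, id and the "host-a"/"host-b" values are hypothetical.
type ExecHost = string; // stands in for a tools.exec.host value

interface Config {
  defaultAgentId: string;
  agents: Record<string, { execHost: ExecHost }>;
}
// agentId undefined models an unscoped or default-session override.
interface SessionOverride { agentId?: string; execHost: ExecHost }
// The binding records the agent it was created for.
interface Binding { conversationId: string; agentId: string }

function agentHost(cfg: Config, agentId: string): ExecHost {
  const agent = cfg.agents[agentId];
  if (!agent) throw new Error(`unknown agent: ${agentId}`); // fail closed
  return agent.execHost;
}

// Before: whatever override the current session carries wins.
function resolveFromCurrentSession(cfg: Config, current?: SessionOverride): ExecHost {
  return current ? current.execHost : agentHost(cfg, cfg.defaultAgentId);
}

// After: policy follows the bound agent. An override applies only when it
// belongs to that agent, or is unscoped and the bound agent is the default.
function resolveForBinding(cfg: Config, binding: Binding, current?: SessionOverride): ExecHost {
  const configured = agentHost(cfg, binding.agentId);
  if (!current) return configured;
  const sameAgent = current.agentId === binding.agentId;
  const legacyDefault =
    current.agentId === undefined && binding.agentId === cfg.defaultAgentId;
  return sameAgent || legacyDefault ? current.execHost : configured;
}

// Constructed sample data.
const cfg: Config = {
  defaultAgentId: "default-agent",
  agents: { "default-agent": { execHost: "host-a" }, "bound-agent": { execHost: "node" } },
};
const bound: Binding = { conversationId: "conv-1", agentId: "bound-agent" };
const unrelated: SessionOverride = { agentId: "other-agent", execHost: "host-b" };

console.log(resolveFromCurrentSession(cfg, unrelated)); // override masks the bound agent
console.log(resolveForBinding(cfg, bound, unrelated));  // bound agent's policy holds
```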
Why It Matters
OpenClaw's power comes from connecting long-lived conversations, tools, runtime agents, plugins, and local execution policy. That also means identity has to be boringly precise.
A bound Codex session may outlive the first turn that created it. It may be resumed through the app server, recovered after a missing-thread path, or handled without a fresh source session key. In those cases, the runtime cannot rely on whatever session happens to be current. It needs the agent identity that was captured when the binding was made.
This fix makes that identity explicit.
For operators, the takeaway is simple: bound Codex conversations now carry their agent execution policy more faithfully across the whole lifecycle. That reduces the chance that a permissive override from one context changes the execution boundary of another.
Part Of A Wider Safety Push
This morning's Tier 1 scan also found another command-boundary change: PR #84172, which rebuilds POSIX command authorization on OpenClaw's Tree-sitter-backed command planner.
That PR replaces an ad hoc shell splitter with one parsed command model used for allowlist checks, allow-always persistence, and enforced-command rewriting. Its summary says reusable executable patterns persist only when plan coverage shows the command is fully represented; otherwise approval stays one-shot.
Taken together, the two PRs show the same direction: OpenClaw is tightening the places where execution policy, parsing, and persistence meet. It is moving away from inferred context and approximate parsing toward explicit identity and shared command structure.
Verification
PR #86360 includes the usual focused test and build evidence in its pull request thread. PR #84172 reports a broader rewrite with command authorization tests and security-boundary review labels.
Neither change is a flashy feature, but both matter for anyone running OpenClaw in a setup where local execution, Codex bindings, or shared agent policies are part of the daily workflow. These are the kinds of fixes that make powerful agent systems easier to trust over time.
Sources: OpenClaw PR #86360, OpenClaw PR #84172, and the OpenClaw repository.
