OpenClaw's Trajectory-Capture Hardening Treats Tool Schemas Like Untrusted Supply Chain
Trajectory capture sounds like an internal logging feature until the day an agent run fails and the only useful question is, "What did the runtime think was true when it made that decision?" At that point it becomes the black box. PR #90268, paired with the Codex app-server follow-up in PR #90332, is OpenClaw tightening that black box against a failure mode agent platforms should treat as hostile by default: tool schemas that crash the recorder before evidence is captured.
The bug is simple enough to explain and ugly enough to matter. OpenClaw's trajectory capture path reads tool definitions so it can record what tools were available, what names and descriptions were projected, and what schemas shaped the model's possible actions. But a malformed plugin, extension, diagnostic object, or MCP-adjacent adapter can expose throwing getters on fields like name, description, parameters, or inputSchema. If the capture path reads those fields directly, one bad descriptor can crash support-data capture for the turn.
That is not just a logging annoyance. It is observability denial-of-service against the control plane. The runtime loses exactly the evidence operators need to understand a bad run: which tools were visible, how they were described, how their inputs were shaped, and whether a particular tool projection looked suspicious. A single unreadable descriptor should not be able to blind the rest of the session.
The schema is not documentation. It is executable-adjacent input.
PR #90268 hardens the core trajectory runtime. It guards tool-definition capture against throwing name, description, and parameters accessors, skips unreadable names, omits unreadable optional descriptions, and records bounded truncation markers for hostile nested objects. PR #90332 applies the same pattern to the Codex app-server trajectory path, guarding name, description, and inputSchema getters. Both patches add focused tests for the unpleasant cases that real plugin ecosystems eventually surface: proxy object-key traps, proxy array item traps, nested field getters, and healthy sibling tools that must survive when one descriptor is bad.
The sibling preservation is the design choice worth calling out. A naive implementation would fail closed by aborting capture as soon as one descriptor misbehaves. That is defensible in a narrow security-review sense and poor operationally. The better invariant is: do not trust the bad row, record that it was unreadable or truncated, and keep the healthy rows. Operators need evidence. A malicious or broken tool should not get to erase its neighbors from the transcript.
The facts are concrete. PR #90268 was created on June 4 at 09:07 UTC and changes src/trajectory/runtime.ts with 110 new test lines. PR #90332 followed at 13:02 UTC and changes extensions/codex/src/app-server/trajectory.ts, again with 110 test lines. The core trajectory path records bounded objects like { "truncated": true, "reason": ... }; the Codex path uses the existing "<unreadable>" marker. Focused trajectory runtime tests passed 13 tests for the core patch. Focused Codex app-server trajectory tests passed 8 tests for the follow-up. Formatter, oxlint, diff checks, and branch autoreview passed, with autoreview scores calling the patches correct at 0.84 and 0.88 respectively. Broad Testbox proof for the core patch was blocked by missing Blacksmith auth, which is worth noting because evidence should be precise, not inflated.
This connects directly to MCP and plugin security. Tool schemas are often treated as harmless metadata: a name for the model, a description for selection, a JSON schema for arguments. In an agent runtime, that metadata drives the control plane. It shapes model behavior, approval surfaces, telemetry, support capture, replay, and sometimes generated UI. If the runtime reads it as trusted application data, it is giving plugins a surprisingly powerful place to break things.
The industry has already learned the hard version of this lesson in dependency management. Package metadata, install scripts, manifests, and lockfiles are not passive paperwork when automated systems consume them. Agent tool descriptors are heading down the same path. A descriptor can influence what the model is allowed to do. It can influence what a human sees before approving. It can influence whether the incident trail exists after the fact. That is supply-chain input, not decoration.
For practitioners, the checklist is not complicated, but it is easy to skip. Normalize tool descriptors before projection. Read fields once and store inert values. Treat getters as untrusted code, even when they appear on objects passed around inside your own process. Bound recursive capture of nested schemas. Preserve sibling records when one descriptor fails. Add explicit tests for throwing ownKeys, throwing field getters, proxy arrays, non-string names, unreadable optional descriptions, circular references, and absurdly large schema payloads. Then make the resulting trajectory available to operators in a way that distinguishes "missing" from "unreadable" from "truncated."
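The capture behaviour described for PR #90268 and the checklist above, as an added JavaScript example that is not OpenClaw's code: read each field once through a guard, copy nested schemas into inert data with bounds, and keep healthy siblings. The helper names, the limits and the reason strings are assumptions; only the { truncated, reason } shape comes from the article.

```javascript
// Added example, not OpenClaw's code: limits, helper names and reason strings are assumptions.
const MAX_DEPTH = 4, MAX_KEYS = 64;
const marker = (reason) => ({ truncated: true, reason });
// Read one field; a throwing getter or proxy trap becomes a result, not an exception.
function safeGet(obj, key) {
  try { return { ok: true, value: obj[key] }; } catch { return { ok: false }; }
}

// Copy a value into inert plain data with bounded depth and width.
function snapshot(value, depth = 0, seen = new Set()) {
  if (typeof value === "function") return marker("function");
  if (value === null || typeof value !== "object") return value;
  if (depth >= MAX_DEPTH) return marker("max-depth");
  if (seen.has(value)) return marker("circular");
  seen.add(value);
  try {
    // Key enumeration and length reads can hit throwing proxy traps too.
    const keys = Array.isArray(value)
      ? Array.from({ length: Math.min(value.length, MAX_KEYS + 1) }, (_, i) => i)
      : Reflect.ownKeys(value).filter((k) => typeof k === "string");
    if (keys.length > MAX_KEYS) return marker("too-large");
    const out = Array.isArray(value) ? [] : Object.create(null);
    for (const key of keys) {
      const field = safeGet(value, key);
      out[key] = field.ok ? snapshot(field.value, depth + 1, seen) : marker("unreadable");
    }
    return out;
  } catch { return marker("unreadable"); } finally { seen.delete(value); }
}

// One bad descriptor is skipped or marked; healthy siblings are still recorded.
function captureToolDefinitions(tools) {
  const captured = [];
  for (const tool of tools) {
    const name = safeGet(tool, "name");
    if (!name.ok || typeof name.value !== "string") continue; // unreadable name: skip row
    const entry = { name: name.value };
    const description = safeGet(tool, "description");
    if (description.ok && typeof description.value === "string") entry.description = description.value;
    const parameters = safeGet(tool, "parameters");
    entry.parameters = parameters.ok ? snapshot(parameters.value) : marker("unreadable");
    captured.push(entry);
  }
  return captured;
}

// Constructed sample: a throwing name getter next to a healthy sibling.
const hostile = { get name() { throw new Error("boom"); } };
const healthy = { name: "read_file", description: "Read a file", parameters: { type: "object" } };
console.log(JSON.stringify(captureToolDefinitions([hostile, healthy])));
```

Because every stored value is a copy made at capture time, later serialization of the trajectory never re-enters a plugin's getter or proxy trap.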
There is also a Codex-specific angle. OpenAI Codex app-server integrations need reliable trajectory capture because app-server sessions increasingly sit between model behavior, MCP status, plugin surfaces, and user-visible debugging. If a hostile schema can crash the capture path there, the system loses provenance at the exact point users need to know whether the model, the adapter, the plugin, or the approval layer was responsible. OpenClaw is right to patch the core and Codex paths together rather than leaving app-server observability as a second-class lane.
The broader take: agent platforms cannot keep treating observability as a post-processing feature. The recorder itself is part of the trusted computing base. If it can be crashed by the things it observes, it needs the same defensive parsing discipline as the execution path. OpenClaw's trajectory hardening is not glamorous, and that is why it matters. The best control-plane fixes are often invisible until they preserve the one piece of evidence that lets a team avoid guessing.
Tool schemas are supply-chain input. OpenClaw is finally treating them that way.
Sources: OpenClaw PR #90268, OpenClaw PR #90332, OpenClaw v2026.6.2-beta.1 release