openclaw - 💡(How to fix) Fix [Bug]: 2026.5.7 @openclaw/codex missing openclaw peer link plus stale NODE_PATH causes hook stalls and password_missing

Bug type

Regression / packaging-runtime resolution issue

Summary

On a Linux npm-global OpenClaw 2026.5.7 install, @openclaw/[email protected] under the local OpenClaw npm tree could not resolve the host openclaw package from ~/.openclaw/npm/node_modules. This produced ERR_MODULE_NOT_FOUND failures in cron/agent runs, and coincided with Codex native hook relay stalls, high gateway CPU, and repeated unauthenticated nativeHook.invoke calls (reason=password_missing).

This looks like the same peer-link failure class as #77959 and #78185, but it is still reproducible on 2026.5.7 on Linux/npm-global. There is also a second local-state problem: a systemd drop-in had a NODE_PATH pointing to a removed plugin-runtime-deps snapshot from 2026.4.23, so helper processes inherited a stale dependency path after the upgrade.

Environment

• OpenClaw: 2026.5.7 (eeef486)
• Node: v24.15.0
• @openclaw/codex: 2026.5.7
• @openai/codex: 0.128.0
• OS: Linux x64, systemd user gateway
• Install method: npm global
• Global package root: /usr/lib/node_modules/openclaw
• Local OpenClaw npm tree: /root/.openclaw/npm/node_modules
• Gateway command: /usr/bin/node /usr/lib/node_modules/openclaw/dist/index.js gateway --port 18789
• Gateway bind: loopback 127.0.0.1:18789

Observed broken state

The host package existed globally:

/usr/lib/node_modules/openclaw/package.json exists

But the local OpenClaw npm tree did not have the peer link before repair:

/root/.openclaw/npm/node_modules/@openclaw/codex/package.json exists
/root/.openclaw/npm/node_modules/openclaw missing

@openclaw/codex declares the host package as a peer:

{
  "name": "@openclaw/codex",
  "version": "2026.5.7",
  "peerDependencies": {
    "openclaw": ">=2026.5.7"
  }
}

But the bundled Codex runtime imports host SDK modules, for example:

from "openclaw/plugin-sdk/agent-harness-runtime"
from "openclaw/plugin-sdk/agent-runtime"
from "openclaw/plugin-sdk/windows-spawn"

A cron run failed with:

Error [ERR_MODULE_NOT_FOUND]: Cannot find package 'openclaw' imported from /root/.openclaw/npm/node_modules/@openclaw/codex/dist/client-BGbqC7jk.js

Additional stale NODE_PATH state

The running systemd service inherited this drop-in from a previous install/update:

Environment=NODE_PATH=/var/lib/openclaw/plugin-runtime-deps/openclaw-2026.4.23-4eca5026e977/node_modules

But /var/lib/openclaw/plugin-runtime-deps no longer contained that snapshot. So the gateway was 2026.5.7, while helper/child processes inherited a stale, non-existent 2026.4.23 runtime path.

Runtime symptoms

During the incident, the gateway was technically running but degraded:

OpenClaw 2026.5.7
Gateway active/running
Codex app-server 0.128.0

Observed symptoms:

• Gateway CPU stayed high, often around one core during stalls.
• Multiple openclaw hooks relay / openclaw child processes spiked to 100%+ CPU.
• Agent sessions stalled for many minutes around Codex hook progress.
• status, node.list, and device.pair.list calls reached ~140s in earlier windows.
• Codex app-server turns timed out.
• Logs showed repeated unauthenticated gateway calls:

[ws] unauthorized ... client=gateway:nativeHook.invoke backend v2026.5.7 ... auth=none ... reason=password_missing

The password_missing side appears related to helper processes running with agent-specific HOME/Codex environments and not resolving the real gateway config/auth. For example, openclaw doctor from an agent environment reported a config path under the Codex home and then failed to connect to the running gateway with missing auth.

Workaround applied locally

1. Link the host OpenClaw package into the local OpenClaw npm tree:

ln -s /usr/lib/node_modules/openclaw /root/.openclaw/npm/node_modules/openclaw

1. Replace the stale NODE_PATH systemd drop-in with the active package paths and force helper processes to read the real gateway config:

[Service]
Environment=NODE_PATH=/usr/lib/node_modules/openclaw/node_modules:/usr/lib/node_modules
Environment=OPENCLAW_CONFIG_PATH=/root/.openclaw/openclaw.json

1. Reload/restart:

systemctl --user daemon-reload
systemctl --user restart openclaw-gateway.service

Post-workaround verification

After restart, systemd picked up the corrected environment:

NODE_PATH=/usr/lib/node_modules/openclaw/node_modules:/usr/lib/node_modules
OPENCLAW_CONFIG_PATH=/root/.openclaw/openclaw.json

The gateway status probe succeeded:

Config (cli): /root/.openclaw/openclaw.json
Config (service): /root/.openclaw/openclaw.json
Runtime: running
Connectivity probe: ok

The Codex client import that previously failed now succeeds:

node --input-type=module -e "import('/root/.openclaw/npm/node_modules/@openclaw/codex/dist/client-BGbqC7jk.js').then(()=>console.log('codex-client-import-ok'))"
# codex-client-import-ok

In the post-restart window, the earlier Cannot find package 'openclaw', ERR_MODULE_NOT_FOUND, and password_missing messages did not reappear. Gateway memory also dropped substantially after restart, although CPU/event-loop delay still needs observation under normal workload.

Expected behavior

• @openclaw/codex should not be left in a state where it imports openclaw/plugin-sdk/* but no resolvable openclaw package exists in the local npm tree or ancestor path.
• Update/repair/startup should either create the peer link or fail loudly before agent turns/crons start.
• Managed systemd drop-ins should not keep pointing NODE_PATH at removed plugin-runtime-deps snapshots after an update.
• Codex native hook relay helpers should resolve gateway auth/config reliably, or avoid falling back to unauthenticated loopback calls that repeatedly log password_missing.

Actual behavior

• @openclaw/codex was installed and enabled, but openclaw was missing from /root/.openclaw/npm/node_modules.
• Cron/agent runs could fail with Cannot find package 'openclaw' imported from @openclaw/codex/dist/client-*.js.
• Systemd retained a stale NODE_PATH to a removed 2026.4.23 runtime deps snapshot while running 2026.5.7.
• Native hook relay/helper calls repeatedly hit the gateway with no auth (password_missing), contributing to stalls/noisy failure under load.

Related issues

• #77959 — same @openclaw/codex peer link class, but reported on 2026.5.4 and closed.
• #78185 — same local npm tree losing openclaw peer link, but reported on 2026.5.4 and closed.
• #53517 / #54428 / #70436 — broader plugin openclaw peer dependency resolution failures.
• #77896 — related package dependency resolution after 2026.5.4 host update.

This report is specifically for the same class still appearing on Linux/npm-global 2026.5.7, with the added stale NODE_PATH and nativeHook.invoke password_missing signals.