Chapter 7: Implementation plan
Updated: 2026-06-07 · Executes Chapter 6 Phase A. Designed to be run by Codex on obot's OpenClaw machine.
Non-goals (this phase)
- No Paperclip install, account, or credentials yet — that is Chapter 5, gated on this phase passing.
- No custom orchestration platform — build the smallest runner that supervises one process. Stop at ~200 lines.
- No automatic merges; PRs stay review-gated per Autonomy.
- No Telegram-as-executor; OpenClaw cron is demoted to wake/notify only.
- GitHub Issues/PRs remain the public source of truth.
Target architecture for this phase
| Component | Role this phase | Concrete form |
|---|---|---|
| OpenClaw main obot | Telegram intake + scheduler + notifier. Not the executor. | Cron wakes a launcher / posts alerts; systemEvent wake path only (Chapter 3). |
| Supervised runner | Starts a worker, writes a run-record, heartbeats, enforces a deadline, recovers. | New scripts/run_codex_cycle.py, extending the existing scripts/work_session.py ledger. |
| Watchdog | Reads run-records, flags stalled/triggered-but-not-started, emits one alert. | scripts/check_runs.py (or a --watch mode on the runner), run by cron. |
| Dev executor | Isolated, audited code execution → PR. | Codex cloud @codex on an issue/PR, or a Codex Automation in a dedicated worktree. |
| PM executor | Portfolio audit → durable artifact → Dev target or decline. | Codex local (non-interactive) wrapped by the runner; output is a GitHub issue comment. |
| GitHub | Source of truth + audit. | Project / Requirement / Task issues; PR + Codex task log are the Dev evidence. |
| Run-records dir | Durable ledger of every run's state. | runs/<run_id>.json + transcript log, local + linked in issue comments. |
Phase 0 — Demote cron, scaffold the ledger ~30 min
- Edit the autonomous cron jobs so they only wake main obot or start the launcher script — never run a long PM/Dev
agentTurndirectly (Chapter 3 root cause). - Create a durable run-records directory and decide its schema (below). Reuse
scripts/work_session.pyfields where they already exist (target, session ref, checkpoint, liveness, evidence, recovery). - Create the GitHub issue set for this cycle pilot:
- Project: "Reliable autonomous cycle (execution-first)".
- Requirement: "Supervised Codex runner + watchdog with stall detection".
- Task: "Failure-injection acceptance test".
- Task: "PM dry-run audit artifact".
- Task: "Dev docs-only PR via Codex-native execution".
runs/<run_id>.json):
{
"run_id": "2026-06-08-pm-01",
"role": "pm | dev",
"target_issue": "obot-claw/obot-claw.github.io#NN",
"repo": "obot-claw/...",
"executor": "codex-local | codex-cloud",
"state": "triggered | started | completed | failed",
"started_at": "ISO-8601 or null",
"heartbeat_at": "ISO-8601, updated every N seconds",
"deadline_at": "ISO-8601 (started_at + timeout)",
"artifact": "PR url / issue-comment url / audit file path / null",
"failure_reason": "string or null",
"recovery": "what the watchdog/obot should do on stall"
}
State rule (Chapter 3): only started counts as active; only completed counts as useful work. A record stuck in triggered past a short grace window is a failure, not progress.
Phase 1 — Supervised runner core deliverable
- Write
scripts/run_codex_cycle.py. Inputs:--role,--issue,--repo,--timeout,--prompt-template,--write-scope. - On start: write the run-record as
triggered, launch the Codex CLI non-interactively as a managed subprocess, then flip tostartedonce the process is confirmed running. - Emit a heartbeat (update
heartbeat_at+ append a transcript line) every N seconds while the subprocess lives. - On clean exit with an artifact: write
completed+ artifact link. On timeout/crash/no-artifact: writefailed+failure_reason. - Use a fresh worktree/clone for any write task; never mutate a dirty unrelated clone (Autonomy L3 rule).
Exit: a manual PM dry-run writes a run-record and either an audit artifact or a clear failure reason. Keep it boring; this is a supervisor, not a platform.
Phase 2 — Failure-injection test the keystone
This is the test Chapter 3 said we have never passed and Chapter 5 lists as an acceptance gate. Do it on the cheap substrate first.
- Run the runner against a deliberately stalling prompt (or kill the subprocess mid-run) so it stops heart-beating before producing an artifact.
- The watchdog (
scripts/check_runs.pyon a short cron) must detect: (a)triggeredthat never reachedstarted, and (b)startedwith a staleheartbeat_atpastdeadline_at. - On detection it flips the record to
failed, writes a failure artifact, and emits one concise (<500 char, plain-text) Telegram alert via obot — without Jeremy asking.
Pass = "Started vs triggered" and "Stall detection" from Chapter 5, satisfied with no Paperclip in the loop.
Phase 3 — PM dry-run (authority L2)
- Runner starts the PM role: read the Roadmap, open issues, and Hub state (reuse
scripts/portfolio_audit.py). - PM produces a durable audit artifact as a GitHub issue comment and either selects one Dev target or declines with a reason.
- obot sends a Telegram summary only after the issue-comment artifact exists.
Phase 4 — Dev cycle via Codex-native (authority L2/L3)
- Pick a safe documentation-only task in
obot-claw.github.io(no secrets, deterministic check). - Drive it Codex-native: tag
@codexon the task issue, or run a Codex Automation in a dedicated worktree → one PR. No merge. - The PR + Codex task log are the durable evidence; link them back into the run-record and the issue.
- L3 (implementation PR) only if the parent Requirement already approves implementation scope; otherwise keep it an L2 draft/docs PR.
This is the half Codex 2026 already solves natively (isolated worktrees, scheduled automations, issue→PR, PR-as-audit) — lean on it instead of hand-building.
Phase 5 — Wire daily PM→Dev (only after a manual pass)
- Daily PM cron wakes main obot or runs the launcher that starts the supervised runner.
- A watchdog cron checks the run-record after 5–10 min; a stall produces a visible alert, never a false "active" claim.
- If PM completes with a safe Dev target, the launcher starts Dev through the same supervised runner.
Graduation gate → Chapter 5 pilot
| Criterion | Pass condition |
|---|---|
| One real cycle | A PM→Dev→PR cycle completed with liveness evidence at each step. |
| Stall detection | Failure-injection test flips to failed + alerts, unprompted (Phase 2). |
| No false status | Nothing was reported "active" without a started record + concrete evidence. |
| GitHub artifacts | Audit comment + PR exist and are linked from run-records. |
| Telegram hygiene | Summaries are <500 char plain text, sent only after a durable artifact. |
Authority & stop conditions
Follow the Autonomy operating contract: default block authority L2; L3 only where the parent Requirement approves implementation; merges stay review-gated. Stop and report (don't push) if requirements are ambiguous, checks fail without a clear fix, work needs non-obot-claw writes, private data could be exposed, credentials/tooling are blocked, or work exceeds the active Requirement scope.
Deliverables checklist
scripts/run_codex_cycle.py— supervised runner with run-record + heartbeat.scripts/check_runs.py— watchdog with stall/triggered-but-not-started detection + Telegram alert.runs/— durable run-record directory (gitignored if it may contain run detail, or sanitized if committed).- Updated cron config: wake/notify only, no long
agentTurn. - GitHub Project + Requirement + 3 Task issues (Phase 0).
- One audit issue-comment artifact (Phase 3) and one docs PR (Phase 4).
- A short evidence note (or daily entry) recording the failure-injection pass.
Rollback / what not to do
- Don't keep retrying OpenClaw cron
agentTurnand calling it progress (Chapter 3). - Don't let the runner grow into a scheduler/queue/agent-platform — if it does, that's the signal to pilot Paperclip, not to keep building.
- Don't start the Paperclip pilot before this phase passes — you'd be unable to attribute a failure to Paperclip vs the unsolved execution layer.
- If Codex-native cloud/GitHub access is unavailable, fall back to Codex local in a clean worktree under the same runner supervision.
Hand-off to the next session
scripts/run_codex_cycle.py + the run-record schema above; (4) run the Phase 2 failure-injection test and capture the alert as evidence. Report back with the run-records and issue/PR links — that evidence is the go/no-go input for the Chapter 5 Paperclip pilot.Notes from obot for next Codex session
- Active issue: P009 Project #36, Requirement #37, Task #38.
- Then: Task #39 failure-injection watchdog test, then Task #40 PM→Dev→PR acceptance cycle.
- Local source of truth: read
AUTONOMOUS_QUEUE.md,TODO.md,AGENTS.md,HEARTBEAT.md, and skillswork-session-supervision,codex-work-cycle, andportfolio-pm-audit. - Constraint: cron
agentTurnis currently not trusted as an executor. Cron may wake/check; the runner must provide durable state and heartbeat evidence. - Minimum deliverable for #38: a small runner/ledger scaffold with states
triggered,started,completed,failed; heartbeat timestamp; transcript/log path; artifact link; failure reason; and recovery note. - Do not drift: stop before building a large orchestration platform. The goal is one reliable Codex-native cycle, not a general agent company.