openclaw
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎extensions/slack/src/outbound-delivery.test.ts‎
Lines changed: 1 addition & 0 deletions b/‎extensions/slack/src/outbound-delivery.test.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/cron/isolated-agent/delivery-dispatch.double-announce.test.ts‎
Lines changed: 49 additions & 14 deletions b/‎src/cron/isolated-agent/delivery-dispatch.double-announce.test.ts‎
Lines changed: 49 additions & 14 deletions
diff --git a/‎src/cron/isolated-agent/delivery-dispatch.ts‎
Lines changed: 59 additions & 5 deletions b/‎src/cron/isolated-agent/delivery-dispatch.ts‎
Lines changed: 59 additions & 5 deletions
diff --git a/‎src/gateway/server-methods/send.ts‎
Lines changed: 16 additions & 0 deletions b/‎src/gateway/server-methods/send.ts‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎src/gateway/server-restart-sentinel.test.ts‎
Lines changed: 22 additions & 0 deletions b/‎src/gateway/server-restart-sentinel.test.ts‎
Lines changed: 22 additions & 0 deletions
@@ -18,6 +18,7 @@ Docs: https://docs.openclaw.ai
 - Plugins/doctor: avoid full-array sorting while selecting ClawHub search/archive results and bounded dreaming doctor entries. Thanks @shakkernerd.
 - Agents/compaction: keep contributor diagnostics to a bounded top-three selection without sorting the full history. Thanks @shakkernerd.
 - Sessions/UI: avoid full-array sorting while selecting ACPX leases, Google Meet calendar events, and latest chat sessions. Thanks @shakkernerd.
+- Outbound delivery: enrich `deliverOutboundPayloads` to return a `DeliveryOutcome` (an `OutboundDeliveryResult[]` augmented with non-enumerable `cancelledCount` and `allCancelledByHook` metadata, fully back-compatible with existing array-shape consumers) and throw `DeliveryError` with `sentBeforeError` when a non-bestEffort send fails after some payloads were already delivered, so callers can distinguish hook-cancelled sends from delivery failures. Cron direct-delivery, gateway restart-sentinel, and the WAL queue cleanup path all short-circuit on `DeliveryError` and ack the queue entry instead of failing it, so a future drain/restart cannot replay the whole batch and duplicate the already-sent prefix. Fixes #57766.
 - Telegram: preserve the channel-specific 10-option poll cap in the unified outbound adapter so over-limit polls are rejected before send. (#78762) Thanks @obviyus.
 - Slack: route handled top-level channel turns in implicit-conversation channels to thread-scoped sessions when Slack reply threading is enabled, keeping the root turn and later thread replies on one OpenClaw session. (#78522) Thanks @zeroth-blip.
 - Telegram: re-probe the primary fetch transport after repeated sticky fallback success so transient IPv4 or pinned-IP fallback promotion can recover without a gateway restart. Fixes #77088. (#77157) Thanks @MkDev11.
 
@@ -134,5 +134,6 @@ describe("slack outbound shared hook wiring", () => {
     expect(handler).toHaveBeenCalledTimes(1);
     expect(sendMessageSlackMock).not.toHaveBeenCalled();
     expect(result).toEqual([]);
+    expect(result).toMatchObject({ cancelledCount: 1, allCancelledByHook: true });
   });
 });
@@ -39,9 +39,25 @@ vi.mock("./delivery-subagent-registry.runtime.js", () => ({
   countActiveDescendantRuns: countActiveDescendantRunsMock,
 }));
 
-vi.mock("../../infra/outbound/deliver.js", () => ({
-  deliverOutboundPayloads: vi.fn().mockResolvedValue([{ ok: true }]),
-}));
+// Narrow mock per AGENTS.md line 134 — avoid broad importOriginal() in hot tests.
+// The one test that constructs a DeliveryError uses this local stub; production
+// code matches via isDeliveryError() on name + shape, not class identity.
+vi.mock("../../infra/outbound/deliver.js", () => {
+  class DeliveryError extends Error {
+    readonly cause?: unknown;
+    readonly sentBeforeError: ReadonlyArray<unknown>;
+    constructor(cause: unknown, sentBeforeError: ReadonlyArray<unknown>) {
+      super();
+      this.name = "DeliveryError";
+      this.cause = cause;
+      this.sentBeforeError = sentBeforeError;
+    }
+  }
+  return {
+    deliverOutboundPayloads: vi.fn().mockResolvedValue([{ ok: true }]),
+    DeliveryError,
+  };
+});
 
 vi.mock("../../infra/outbound/identity.js", () => ({
   resolveAgentOutboundIdentity: vi.fn().mockReturnValue({}),
@@ -86,7 +102,7 @@ import { retireSessionMcpRuntime } from "../../agents/pi-bundle-mcp-tools.js";
 // Import after mocks
 import { countActiveDescendantRuns } from "../../agents/subagent-registry-read.js";
 import { callGateway } from "../../gateway/call.runtime.js";
-import { deliverOutboundPayloads } from "../../infra/outbound/deliver.js";
+import { DeliveryError, deliverOutboundPayloads } from "../../infra/outbound/deliver.js";
 import { buildOutboundSessionContext } from "../../infra/outbound/session-context.js";
 import { enqueueSystemEvent } from "../../infra/system-events.js";
 import { shouldEnqueueCronMainSummary } from "../heartbeat-policy.js";
@@ -578,7 +594,7 @@ describe("dispatchCronDelivery — double-announce guard", () => {
     vi.setSystemTime(new Date("2026-03-18T17:00:00.000Z"));
     vi.mocked(countActiveDescendantRuns).mockReturnValue(0);
     vi.mocked(isLikelyInterimCronMessage).mockReturnValue(false);
-    vi.mocked(deliverOutboundPayloads).mockResolvedValue([{ ok: true } as never]);
+    vi.mocked(deliverOutboundPayloads).mockResolvedValue([{ ok: true }] as never);
 
     const params = makeBaseParams({ synthesizedText: "Long running report finished." });
     params.runStartedAt = Date.now() - (3 * 60 * 60_000 + 1);
@@ -688,7 +704,7 @@ describe("dispatchCronDelivery — double-announce guard", () => {
   it("text delivery fires exactly once (no double-deliver)", async () => {
     vi.mocked(countActiveDescendantRuns).mockReturnValue(0);
     vi.mocked(isLikelyInterimCronMessage).mockReturnValue(false);
-    vi.mocked(deliverOutboundPayloads).mockResolvedValue([{ ok: true } as never]);
+    vi.mocked(deliverOutboundPayloads).mockResolvedValue([{ ok: true }] as never);
 
     const params = makeBaseParams({ synthesizedText: "Briefing ready." });
     const state = await dispatchCronDelivery(params);
@@ -706,7 +722,7 @@ describe("dispatchCronDelivery — double-announce guard", () => {
     vi.mocked(isLikelyInterimCronMessage).mockReturnValue(false);
     vi.mocked(deliverOutboundPayloads)
       .mockRejectedValueOnce(new Error("ECONNRESET while sending"))
-      .mockResolvedValueOnce([{ ok: true } as never]);
+      .mockResolvedValueOnce([{ ok: true }] as never);
 
     const params = makeBaseParams({ synthesizedText: "Retry me once." });
     const state = await dispatchCronDelivery(params);
@@ -720,7 +736,7 @@ describe("dispatchCronDelivery — double-announce guard", () => {
   it("keeps direct announce delivery idempotent across replay for the same cron execution", async () => {
     vi.mocked(countActiveDescendantRuns).mockReturnValue(0);
     vi.mocked(isLikelyInterimCronMessage).mockReturnValue(false);
-    vi.mocked(deliverOutboundPayloads).mockResolvedValue([{ ok: true } as never]);
+    vi.mocked(deliverOutboundPayloads).mockResolvedValue([{ ok: true }] as never);
 
     const params = makeBaseParams({ synthesizedText: "Replay-safe cron update." });
     const first = await dispatchCronDelivery(params);
@@ -735,7 +751,7 @@ describe("dispatchCronDelivery — double-announce guard", () => {
   it("does not collapse distinct recurring runs for the same job", async () => {
     vi.mocked(countActiveDescendantRuns).mockReturnValue(0);
     vi.mocked(isLikelyInterimCronMessage).mockReturnValue(false);
-    vi.mocked(deliverOutboundPayloads).mockResolvedValue([{ ok: true } as never]);
+    vi.mocked(deliverOutboundPayloads).mockResolvedValue([{ ok: true }] as never);
 
     const first = makeBaseParams({
       runStartedAt: 1_000,
@@ -773,7 +789,7 @@ describe("dispatchCronDelivery — double-announce guard", () => {
     vi.mocked(deliverOutboundPayloads).mockImplementation(async (params) => {
       const failedPayload = Array.isArray(params.payloads) ? params.payloads[0] : undefined;
       params.onError?.(new Error("payload failed"), failedPayload as never);
-      return [{ ok: true } as never];
+      return [{ ok: true }] as never;
     });
 
     const params = makeBaseParams({ synthesizedText: "Partial bestEffort replay." }) as Record<
@@ -790,10 +806,29 @@ describe("dispatchCronDelivery — double-announce guard", () => {
     expect(deliverOutboundPayloads).toHaveBeenCalledTimes(2);
   });
 
+  it("caches partial DeliveryError sends to prevent scheduler replay duplication", async () => {
+    vi.mocked(countActiveDescendantRuns).mockReturnValue(0);
+    vi.mocked(isLikelyInterimCronMessage).mockReturnValue(false);
+    vi.mocked(deliverOutboundPayloads).mockRejectedValue(
+      new DeliveryError(new Error("second chunk failed"), [{ messageId: "w1" } as never]),
+    );
+
+    const params = makeBaseParams({ synthesizedText: "Multi-chunk cron announce." });
+    const first = await dispatchCronDelivery(params);
+    const second = await dispatchCronDelivery(params);
+
+    // First call hits DeliveryError, caches partial delivery AND marks delivered
+    // so cron state stays consistent with the idempotency cache. Second call sees
+    // the cache and skips delivery entirely.
+    expect(first.delivered).toBe(true);
+    expect(second.delivered).toBe(true);
+    expect(deliverOutboundPayloads).toHaveBeenCalledTimes(1);
+  });
+
   it("prunes the completed-delivery cache back to the entry cap", async () => {
     vi.mocked(countActiveDescendantRuns).mockReturnValue(0);
     vi.mocked(isLikelyInterimCronMessage).mockReturnValue(false);
-    vi.mocked(deliverOutboundPayloads).mockResolvedValue([{ ok: true } as never]);
+    vi.mocked(deliverOutboundPayloads).mockResolvedValue([{ ok: true }] as never);
 
     for (let i = 0; i < 2003; i += 1) {
       const params = makeBaseParams({
@@ -878,7 +913,7 @@ describe("dispatchCronDelivery — double-announce guard", () => {
   it("text delivery always bypasses the write-ahead queue", async () => {
     vi.mocked(countActiveDescendantRuns).mockReturnValue(0);
     vi.mocked(isLikelyInterimCronMessage).mockReturnValue(false);
-    vi.mocked(deliverOutboundPayloads).mockResolvedValue([{ ok: true } as never]);
+    vi.mocked(deliverOutboundPayloads).mockResolvedValue([{ ok: true }] as never);
 
     const params = makeBaseParams({ synthesizedText: "Daily digest ready." });
     const state = await dispatchCronDelivery(params);
@@ -900,7 +935,7 @@ describe("dispatchCronDelivery — double-announce guard", () => {
   it("structured/thread delivery also bypasses the write-ahead queue", async () => {
     vi.mocked(countActiveDescendantRuns).mockReturnValue(0);
     vi.mocked(isLikelyInterimCronMessage).mockReturnValue(false);
-    vi.mocked(deliverOutboundPayloads).mockResolvedValue([{ ok: true } as never]);
+    vi.mocked(deliverOutboundPayloads).mockResolvedValue([{ ok: true }] as never);
 
     const params = makeBaseParams({ synthesizedText: "Report attached." });
     // Simulate structured content so useDirectDelivery path is taken (no retryTransient)
@@ -920,7 +955,7 @@ describe("dispatchCronDelivery — double-announce guard", () => {
     // First call throws a transient error, second call succeeds.
     vi.mocked(deliverOutboundPayloads)
       .mockRejectedValueOnce(new Error("gateway timeout"))
-      .mockResolvedValueOnce([{ ok: true } as never]);
+      .mockResolvedValueOnce([{ ok: true }] as never);
 
     vi.stubEnv("OPENCLAW_TEST_FAST", "1");
     try {
 
@@ -16,7 +16,7 @@ import type { OpenClawConfig } from "../../config/types.openclaw.js";
 import type { TtsAutoMode } from "../../config/types.tts.js";
 import { sleepWithAbort } from "../../infra/backoff.js";
 import { formatErrorMessage } from "../../infra/errors.js";
-import type { OutboundDeliveryResult } from "../../infra/outbound/deliver.js";
+import type { DeliveryError, OutboundDeliveryResult } from "../../infra/outbound/deliver.js";
 import { normalizeTargetForProvider } from "../../infra/outbound/target-normalization.js";
 import { hasReplyPayloadContent } from "../../interactive/payload.js";
 import { stringifyRouteThreadId } from "../../plugin-sdk/channel-route.js";
@@ -423,6 +423,19 @@ export function getCompletedDirectCronDeliveriesCountForTests(): number {
   return COMPLETED_DIRECT_CRON_DELIVERIES.size;
 }
 
+// Match our DeliveryError by name + shape rather than `instanceof`. Keeps the
+// DeliveryError import type-only (no eager load of the heavy outbound delivery
+// module from this cold path) and falls through to the caller's generic error
+// handling if a third-party adapter happens to throw an error with the same
+// name but missing `sentBeforeError` (#57766).
+function isDeliveryError(err: unknown): err is DeliveryError {
+  return (
+    err instanceof Error &&
+    err.name === "DeliveryError" &&
+    Array.isArray((err as { sentBeforeError?: unknown }).sentBeforeError)
+  );
+}
+
 function summarizeDirectCronDeliveryError(error: unknown): string {
   if (error instanceof Error) {
     return error.message || "error";
@@ -469,7 +482,12 @@ async function retryTransientDirectCronDelivery<T>(params: {
       return await params.run();
     } catch (err) {
       const delayMs = retryDelaysMs[retryIndex];
-      if (delayMs == null || !isTransientDirectCronDeliveryError(err) || params.signal?.aborted) {
+      if (
+        delayMs == null ||
+        !isTransientDirectCronDeliveryError(err) ||
+        params.signal?.aborted ||
+        isDeliveryError(err)
+      ) {
         throw err;
       }
       const nextAttempt = retryIndex + 2;
@@ -681,20 +699,31 @@ export async function dispatchCronDelivery(
           // See: https://github.com/openclaw/openclaw/issues/40545
           skipQueue: true,
         });
-      const deliveryResults = options?.retryTransient
+      const deliveryOutcome = options?.retryTransient
         ? await retryTransientDirectCronDelivery({
             jobId: params.job.id,
             signal: params.abortSignal,
             run: runDelivery,
           })
         : await runDelivery();
       // Only mark delivered when ALL payloads succeeded (no partial failure).
-      delivered = deliveryResults.length > 0 && !hadPartialFailure;
+      // Hook cancellation is intentional policy, not a failure — treat as delivered
+      // so the job is cached and not replayed (#57766).
+      delivered =
+        (deliveryOutcome.length > 0 || deliveryOutcome.allCancelledByHook === true) &&
+        !hadPartialFailure;
       // Intentionally leave partial success uncached: replay may duplicate the
       // successful subset, but caching it here would permanently drop the
       // failed payloads by converting the replay into delivered=true.
+      //
+      // Do NOT queue cron awareness when every payload was suppressed by hooks:
+      // the reply text was not actually sent to the target channel, so
+      // injecting it into the main session as "delivered" content would leak
+      // blocked (e.g. DLP/policy-suppressed) output into agent awareness (#57766).
+      const actuallySentContent = deliveryOutcome.length > 0;
       if (
         delivered &&
+        actuallySentContent &&
         shouldQueueCronAwareness({
           job: params.job,
           delivery,
@@ -712,10 +741,35 @@ export async function dispatchCronDelivery(
         });
       }
       if (delivered) {
-        rememberCompletedDirectCronDelivery(deliveryIdempotencyKey, deliveryResults);
+        rememberCompletedDirectCronDelivery(deliveryIdempotencyKey, deliveryOutcome);
       }
       return null;
     } catch (err) {
+      if (isDeliveryError(err) && err.sentBeforeError.length > 0) {
+        // Partial send: cache as delivered to prevent scheduler replay from
+        // duplicating the already-sent payloads. Accepts truncation over
+        // duplication — same trade-off bestEffort makes (#57766).
+        //
+        // Also mark `delivered = true` so cron state/history stays consistent
+        // with the idempotency cache — otherwise the run is persisted as
+        // "not-delivered" while the same key is treated as already delivered
+        // on replay.
+        //
+        // Awareness (queueCronAwarenessSystemEvent) is intentionally NOT called:
+        // sentBeforeError contains OutboundDeliveryResult entries (messageId,
+        // channel) that don't map cleanly back to payload text, so recording
+        // `outputText`/`synthesizedText` or `payloadsForDelivery` would insert
+        // unsent content into the agent's main-session transcript as if it had
+        // been delivered. That false-history risk outweighs the loss of partial
+        // awareness; the idempotency cache above still prevents user-visible
+        // duplicates on replay.
+        rememberCompletedDirectCronDelivery(deliveryIdempotencyKey, err.sentBeforeError);
+        delivered = true;
+        await logCronDeliveryError(
+          `[cron:${params.job.id}] partial delivery: ${err.sentBeforeError.length} payload(s) sent before failure: ${err.message}`,
+        );
+        return null;
+      }
       if (!params.deliveryBestEffort) {
         return params.withRunSession({
           status: "error",
 
@@ -561,6 +561,22 @@ export const sendHandlers: GatewayRequestHandlers = {
             : undefined,
         });
 
+        if (results.allCancelledByHook) {
+          // Hook cancellation is intentional policy, not a transport failure — surface
+          // as a successful no-op so gateway callers can distinguish it from UNAVAILABLE (#57766).
+          const payload: Record<string, unknown> = {
+            runId: idem,
+            channel,
+            cancelledByHook: true,
+          };
+          cacheGatewayDedupeSuccess({ context, dedupeKey, payload });
+          return {
+            ok: true,
+            payload,
+            meta: { channel, cancelledByHook: true },
+          };
+        }
+
         const result = results.at(-1);
         if (!result) {
           throw new Error("No delivery result");
 
@@ -389,6 +389,28 @@ describe("scheduleRestartSentinelWake", () => {
     expect(mocks.failDelivery).toHaveBeenCalledWith("queue-1", "transport still not ready");
   });
 
+  it("acks the queued restart notice on DeliveryError partial-send to prevent replay duplication", async () => {
+    // When the chunked restart message partially lands and a later chunk
+    // throws DeliveryError, the queue entry must be acked (not failed) so a
+    // future drain/restart cannot replay the whole notice and duplicate the
+    // already-delivered prefix (#57766).
+    const partialError = Object.assign(new Error("second chunk failed"), {
+      name: "DeliveryError",
+      sentBeforeError: [{ channel: "whatsapp", messageId: "chunk-1" }],
+    });
+    mocks.deliverOutboundPayloads.mockRejectedValueOnce(partialError);
+
+    await scheduleRestartSentinelWake({ deps: {} as never });
+
+    expect(mocks.deliverOutboundPayloads).toHaveBeenCalledTimes(1);
+    expect(mocks.ackDelivery).toHaveBeenCalledWith("queue-1");
+    expect(mocks.failDelivery).not.toHaveBeenCalled();
+    expect(mocks.logWarn).toHaveBeenCalledWith(
+      expect.stringContaining("partial-failed after sending 1 chunk"),
+      expect.objectContaining({ sentBeforeError: 1 }),
+    );
+  });
+
   it("still dispatches continuation after restart notice retries are exhausted", async () => {
     vi.useFakeTimers();
     mocks.deliverOutboundPayloads.mockRejectedValue(new Error("transport still not ready"));