iMessage group link-preview watch payload can lose conversation anchor and route reply to DM

[zqchris]

Summary

A malformed iMessage watch notification for a group link-preview message can be interpreted as a direct message, causing OpenClaw to reply to the sender DM instead of the originating group.

This is a high-risk routing/privacy bug: when a channel payload loses its conversation anchor, OpenClaw must not fall back to a sender DM.

Observed behavior

A group message containing a link arrived from watch.subscribe with this effective shape:

• chat_id: 0
• empty chat_guid
• empty chat_identifier
• is_group: false
• sender set to the account/handle that later became the DM target
• message text contained the URL plus user text

OpenClaw routed it as:

• inbound: chatId=0 from=imessage:<sender>
• session: agent:<agent>:imessage:default:direct:<sender>
• outbound: imessage: delivered reply to imessage:<sender>

The same message GUID looked up through messages.history belonged to the real group:

• chat_id: 349
• is_group: true
• non-empty chat_guid / chat_identifier
• group participants present

I am intentionally redacting handles, GUIDs, and group names here.

Expected behavior

If iMessage watch payloads lack a valid conversation anchor, OpenClaw should either:

1. recover the real conversation from a stable message identifier before routing, or
2. fail closed and drop the event.

It should never route a malformed group/link-preview event to a sender DM.

Local mitigation proof

A local patch on patch/chris adds a guard and recovery path:

• detect chat_id <= 0 with empty chat_guid and chat_identifier
• use the message GUID to inspect recent chats.list + messages.history
• repair the payload before routing when the GUID is found
• drop the event when the real conversation cannot be recovered

Commit: zqchris@7c56a6bba852

After the patch and gateway restart, the same event replayed as:

• inbound: chatId=349 from=imessage:group:349
• session: agent:<agent>:imessage:group:349
• outbound: imessage: delivered reply to chat_id:349

Verification run locally

• env OPENCLAW_VITEST_MAX_WORKERS=1 node scripts/run-vitest.mjs extensions/imessage/src/monitor/conversation-repair.test.ts extensions/imessage/src/monitor.gating.test.ts
• pnpm exec oxfmt --check --threads=1 extensions/imessage/src/monitor/conversation-repair.ts extensions/imessage/src/monitor/conversation-repair.test.ts extensions/imessage/src/monitor/monitor-provider.ts extensions/imessage/src/monitor/inbound-processing.ts extensions/imessage/src/monitor.gating.test.ts
• git diff --check
• pnpm build
• live gateway restart and replay/log verification as described above

Notes

The underlying bridge/source issue appears to be in imsg watch.subscribe, because messages.history for the same GUID returns the correct group metadata. I am filing a companion issue against openclaw/imsg for that payload mismatch.

[zqchris]

Companion bridge/source issue filed here: openclaw/imsg#118

That issue tracks why watch.subscribe emitted a chat_id=0 DM-shaped payload while messages.history for the same GUID returned the correct group metadata. This OpenClaw issue should still track the fail-closed routing guard, because malformed channel payloads must not be allowed to fall back to sender DMs.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open. Current main still has a source-reproducible path where an iMessage watch payload with chat_id: 0, empty chat identifiers, and is_group: false is parsed as valid input, routed as a direct peer, and delivered to imessage:<sender>; the companion bridge issue explains the bad upstream payload but does not remove OpenClaw's need for a fail-closed routing guard.

Reproducibility: yes. from source inspection: the reported payload parses, is not classified as a group, resolves the sender as the direct peer, and builds To: imessage:<sender>. I did not run tests because this review is read-only and repository tests can write artifacts.

Next step
This is a narrow source-reproducible bug, but wrong-recipient delivery is security-sensitive and should get owner review before a repair lane changes live iMessage routing behavior.

Security
Needs attention: The report describes a wrong-recipient iMessage delivery path, which is a concrete privacy/security concern even though no patch is under review.

Review details

Best possible solution:

Land a focused iMessage monitor guard before inbound routing: recover anchorless watch payloads from a stable message GUID via existing chats.list/messages.history RPCs when possible, and otherwise drop with a clear diagnostic instead of dispatching to a sender DM.

Do we have a high-confidence way to reproduce the issue?

Yes from source inspection: the reported payload parses, is not classified as a group, resolves the sender as the direct peer, and builds To: imessage:<sender>. I did not run tests because this review is read-only and repository tests can write artifacts.

Is this the best way to solve the issue?

Yes, the best fix shape is a pre-routing iMessage monitor guard that either repairs the conversation from the message GUID or fails closed. That keeps the safety invariant local to the channel adapter instead of relying on downstream session routing to infer missing group metadata.

Label changes:

• add P1: A malformed iMessage group event can route an automated reply to the wrong recipient in a real channel workflow.
• add impact:security: The reported failure can expose a group-context reply to an unintended direct-message recipient.
• add impact:message-loss: The issue is about misrouting a channel reply away from the originating group conversation.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:no-new-fix-pr: Current issue advisory state selects this label.
• add clawsweeper:needs-maintainer-review: Current issue advisory state selects this label.
• add clawsweeper:needs-security-review: Current issue advisory state selects this label.

Label justifications:

• P1: A malformed iMessage group event can route an automated reply to the wrong recipient in a real channel workflow.
• impact:message-loss: The issue is about misrouting a channel reply away from the originating group conversation.
• impact:security: The reported failure can expose a group-context reply to an unintended direct-message recipient.

Security concerns:

• [high] Prevent wrong-recipient iMessage replies — extensions/imessage/src/monitor/inbound-processing.ts:984
  A malformed group watch event can be dispatched as a sender DM, so private group-context agent output may be sent to the wrong conversation unless the monitor repairs or drops the event before routing.
  Confidence: 0.86

Acceptance criteria:

• Add a focused regression test showing chat_id: 0 plus empty chat_guid and chat_identifier cannot dispatch to imessage:<sender>.
• Add recovery/drop coverage for GUID-found and GUID-not-found cases if using messages.history repair.
• Run the narrow iMessage monitor test files through node scripts/run-vitest.mjs in a writable worktree, plus git diff --check and the relevant oxfmt check.

What I checked:

• Current parser accepts the reported anchorless payload shape: parseIMessageNotification only checks that chat_id is an optional number, chat identifiers are optional strings, and is_group is an optional boolean; it does not reject chat_id: 0 with empty chat_guid and chat_identifier. (extensions/imessage/src/monitor/parse-notification.ts:63, 67c12e036802)
• Current decision logic classifies the malformed payload as direct: chat_id: 0 becomes a defined chatId, but isGroup is only true when message.is_group is true or the chat is configured as a group; the group without chat_id drop only runs for isGroup, so the reported is_group: false payload skips the group guard. (extensions/imessage/src/monitor/inbound-processing.ts:457, 67c12e036802)
• Current routing and outbound context fall back to the sender DM: The route uses the sender-normalized peer when isGroup is false, and buildIMessageInboundContext sets To to imessage:${decision.sender} unless the decision is group-scoped with a chat target. (extensions/imessage/src/monitor/inbound-processing.ts:640, 67c12e036802)
• No current live-watch repair hook before enqueue: handleMessage parses the RPC notification and immediately enqueues the parsed message; the current path has no recovery step using guid, chats.list, or messages.history before debounce/routing. (extensions/imessage/src/monitor/monitor-provider.ts:767, 67c12e036802)
• Existing RPC contract in this plugin can support the proposed recovery shape: The iMessage catchup bridge already uses chats.list followed by per-chat messages.history, which matches the reporter's proposed recovery path and avoids inventing a new bridge surface. (extensions/imessage/src/monitor/catchup-bridge.ts:64, 67c12e036802)
• External mitigation validates the requested fix boundary: The reporter's linked mitigation commit adds a regression test that drops chat_id=0 payloads without conversation metadata and a recovery helper that checks chats.list plus messages.history by GUID before routing. (7c56a6bba852)

Likely related people:

• Ayaan Zaidi: Local blame and file history attribute the current iMessage monitor inbound decision and context-building files to this commit, making them the best current-main routing candidate from available history. (role: current path history owner; confidence: medium; commits: 5a82e4aa19c2; files: extensions/imessage/src/monitor/inbound-processing.ts, extensions/imessage/src/monitor/monitor-provider.ts)
• zqchris: The issue and linked mitigation commit provide the live reproduction, recovery/drop design, and focused tests for this exact iMessage routing failure. (role: reporter and local mitigation author; confidence: medium; commits: 7c56a6bba852; files: extensions/imessage/src/monitor/conversation-repair.ts, extensions/imessage/src/monitor/monitor-provider.ts, extensions/imessage/src/monitor/inbound-processing.ts)

Remaining risk / open question:

• The source path is clear, but the redacted live watch.subscribe event has not been converted into a repository fixture on current main.
• The fix should be reviewed as privacy-sensitive because fail-closed behavior may drop some malformed iMessage events that previously reached agents as DMs.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 67c12e036802.