Define durable final fallback delivery semantics across channels

[osolmaz]

Problem

OpenClaw has several user-visible failure modes where an agent turn ends with a sanitized fallback/error message internally, but the user sees silence because the channel delivery layer suppresses, drops, or cannot prove delivery of the final payload.

The current WhatsApp report in #84569 is one concrete example: the embedded runner can produce a safe final isError: true payload for an incomplete turn, but the WhatsApp delivery path suppresses it. The same product problem shows up in related channel and recovery issues: final user-visible work exists, or should exist, but delivery status is ambiguous or absent.

This should be solved as a core channel contract:

If core emits a sanitized final fallback message, every durable text-capable channel must either deliver it or report a real delivery failure. It must not silently suppress it.

Related issues and PRs

Directly related:

• WhatsApp session stalls on long model_call: incomplete turn with payloads=0, reply never delivered #84569: WhatsApp long model call ends with payloads=0 and no reply.
• fix(whatsapp): deliver final error payloads so incomplete-turn errors reach users #84578: narrow WhatsApp fix for final isError delivery.
• fix(channels): extend user-visible error fallback to Discord, Slack, Signal, WhatsApp #60812: extend user-visible error fallback to Discord, Slack, Signal, WhatsApp.
• fix(auto-reply): avoid silent completion when dispatch produces no sendable reply #63025: avoid silent completion when dispatch produces no sendable reply.
• fix(agents): detect empty provider responses as failures, improve Telegram error routing #60830: detect empty provider responses as failures and improve Telegram error routing.

Delivery and receipt semantics:

• [codex] add durable message lifecycle delivery #77205: durable message lifecycle foundation.
• fix(slack): require delivery receipts for replies #80749: Slack requires delivery receipts for replies.
• fix(cron): avoid delivered status for empty outbound receipts #79811: avoid delivered status for empty outbound receipts.
• Slack message_tool_only source replies fail because durable send requires reconcileUnknownSend #84078: Slack message_tool_only source replies fail because durable send requires reconcile support.

Session and recovery surfaces:

• fix(agents): surface user-visible error when embedded session is stuck or overflows context (#84536) #84602: surface user-visible error when embedded session is stuck or overflows context.
• fix(diagnostics): recover orphaned session activity and yield event loop during lock contention #87028: recover orphaned session activity.
• fix(diagnostics): recover idle queues with stale model activity #85232: recover idle queues with stale model activity.
• [Fix] Deliver restart recovery replies #86089: deliver restart recovery replies.
• [Bug]: Restart recovery can finish with payloads=0 while Control UI only shows tool blocks and no visible error #77883: restart recovery can finish with payloads=0.

Other related silent/lost delivery reports:

• Telegram messages silently dropped, no sendMessage logged #80520: Telegram messages silently dropped, no sendMessage logged.
• [Bug]: Telegram: real reply intermittently never sent; progress draft deletes anyway, leaving silent drop #85520: Telegram real reply intermittently never sent; progress draft deletes anyway.
• Slack long-running runs can appear silent when media delivery partially fails and recovery refuses replay #83165: Slack long-running runs can appear silent when media delivery partially fails and recovery refuses replay.
• [Bug] Slack replies silently dropped: composed in transcript, never posted to Slack #80715: Slack replies composed in transcript but never posted.
• Discord progress draft is deleted after final error reply #86395: Discord progress draft is deleted after final error reply.

Desired contract

Core should define and test these rules:

1. ReplyPayload.isError === true means user-visible error/fallback classification. It must not mean automatic suppression.
2. A sanitized final fallback is deliverable text when the channel declares durable final text support.
3. Hidden artifacts may still be suppressed: reasoning, compaction notices, non-final tool/progress errors, hook-cancelled payloads, and payloads that sanitize to empty.
4. A visible final payload must finish with an explicit status:
   • sent, with platform identity or receipt
   • failed, with failure stage and error
   • partial_failed, if earlier payloads were sent and a later payload failed
   • suppressed, only when suppression is intentional and has a reason
5. Empty platform identity such as messageId: "" must not be treated as successful delivery for visible final text.
6. Delivery outcomes must be visible to recovery/diagnostics so heartbeat/session recovery can tell the difference between delivered, suppressed, failed, and platform-outcome-unknown.

Implementation plan

1. Clarify the SDK/channel contract around isError, durable final text, and visible fallback delivery.

   Likely surfaces:

   • src/auto-reply/reply-payload.ts
   • src/channels/plugins/outbound.types.ts
   • src/channels/message/types.ts
   • src/plugin-sdk/channel-outbound.ts

2. Tighten core durable delivery semantics.

   Likely surfaces:

   • src/infra/outbound/deliver.ts
   • src/infra/outbound/deliver-types.ts
   • src/channels/message/send.ts

   Core should not let a visible final fallback disappear as a no-op result.

3. Make final fallback classification explicit enough that channels do not infer policy from isError alone.

   The important distinction is:

   • final user-visible fallback
   • normal final answer
   • non-final progress/tool/block payload
   • hidden/system artifact

4. Audit bundled channel adapters for isError suppression or empty-identity delivery results.

   Known starting points include WhatsApp, Telegram, Slack, Discord, Signal, Feishu, and Matrix.

5. Revisit sendTextOnlyErrorPayloads.

   This should either be removed, narrowed to “adapter needs full payload context,” or guarded so routing through sendPayload cannot silently drop final visible fallback text.

6. Add general tests before channel-specific tests.

   Core tests should prove:

   • incomplete/empty model turn creates sanitized final fallback
   • raw provider JSON, request IDs, stacks, and partial aborted text do not leak
   • final isError: true text is delivered on a durable text channel
   • empty identity for visible final text is not counted as delivered
   • hidden/non-final payloads can still be suppressed with explicit reason
   • recovery/diagnostics can inspect the outcome

7. Add cross-channel conformance coverage.

   For channels declaring durable final text support, prove:

   • normal final text delivers
   • sanitized final fallback delivers
   • empty sanitized text suppresses with reason
   • non-final tool/progress errors can remain suppressed
   • delivery result includes platform identity or receipt when sent

8. Bring channel adapters into compliance.

   fix(whatsapp): deliver final error payloads so incomplete-turn errors reach users #84578 can be treated as the immediate WhatsApp compliance patch, but the long-term fix should not be framed around WhatsApp. WhatsApp is one proving case for the shared durable final text contract.

9. Add observability.

   Session/diagnostic state should expose at least:

   • final fallback emitted
   • delivery sent
   • delivery suppressed with reason
   • delivery failed
   • platform outcome unknown

Non-goals

• Do not add per-channel config like sendErrorPayloads for this behavior. Delivering safe final fallback text should be the product default.
• Do not expose raw provider/internal errors to users.
• Do not make every isError payload visible; non-final tool/progress/internal payloads may still be hidden.
• Do not count empty message IDs or empty receipts as successful visible delivery.

Acceptance proof

This should not be considered production-ready until there is:

• core unit coverage for sanitized fallback creation
• core delivery coverage for visible final fallback semantics
• cross-channel durable final text conformance coverage
• channel-specific regression tests for at least WhatsApp, Telegram, Slack, and Discord where relevant
• live proof on at least one real channel
• for WhatsApp session stalls on long model_call: incomplete turn with payloads=0, reply never delivered #84569 specifically, live WhatsApp plus long model/fallback proof when credentials and the vLLM environment are available

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed May 28, 2026, 3:37 AM ET / 07:37 UTC.

Summary
Keep open. This is a member-authored, maintainer-labeled core channel reliability contract, and current main still has a source-level WhatsApp proving case where final isError payloads can become an empty-identity suppressed result instead of a delivered or failed visible fallback.

Reproducibility: yes. for the WhatsApp proving case: current source routes final isError payloads to a path that can return an empty message id and be recorded as suppressed. I did not run a live channel matrix, so the cross-channel portion remains source-backed rather than fully reproduced.

Next step
The protected maintainer item asks for a broad SDK/channel delivery contract and owner sequencing, not a safe autonomous single-fix PR.

Review details

Best possible solution:

Keep this as the maintainer-owned canonical contract, then land a sequenced design and implementation that makes sanitized final fallback delivery explicit in core and audits bundled adapters against it.

Do we have a high-confidence way to reproduce the issue?

Yes for the WhatsApp proving case: current source routes final isError payloads to a path that can return an empty message id and be recorded as suppressed. I did not run a live channel matrix, so the cross-channel portion remains source-backed rather than fully reproduced.

Is this the best way to solve the issue?

Yes, keeping this open as a core contract item is the best path. A narrow WhatsApp fix alone would not settle the SDK, outcome, diagnostic, and adapter conformance semantics requested here.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• The scope spans core delivery outcomes, SDK/channel contracts, recovery diagnostics, and bundled channel adapters, so a one-off channel patch would leave the product contract ambiguous.
• Current source proves the WhatsApp starting case, but the full Slack, Discord, Telegram, Signal, Feishu, and Matrix conformance matrix still needs targeted tests or live proof.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 8d5f6c8ae465.

Label changes

Label changes:

• add P1: Silent final fallback delivery loss can make completed agent turns appear to vanish across real messaging-channel workflows.
• add impact:message-loss: The issue is directly about final user-visible fallback messages being suppressed, dropped, or left without delivery proof.
• add impact:session-state: The requested diagnostics and recovery semantics affect whether session recovery can distinguish delivered, suppressed, failed, and unknown final outcomes.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:no-new-fix-pr: Current issue advisory state selects this label.
• add clawsweeper:needs-maintainer-review: Current issue advisory state selects this label.
• add clawsweeper:needs-product-decision: Current issue advisory state selects this label.

Label justifications:

• P1: Silent final fallback delivery loss can make completed agent turns appear to vanish across real messaging-channel workflows.
• impact:message-loss: The issue is directly about final user-visible fallback messages being suppressed, dropped, or left without delivery proof.
• impact:session-state: The requested diagnostics and recovery semantics affect whether session recovery can distinguish delivered, suppressed, failed, and unknown final outcomes.

Evidence reviewed

What I checked:

• Protected maintainer item: The provided GitHub context shows author association MEMBER and the protected maintainer label, so this workflow must not auto-close it even if parts of the behavior are already implemented.
• Current WhatsApp source repro: Current main opts WhatsApp error payloads into the payload path with sendTextOnlyErrorPayloads: true, while the WhatsApp payload sender returns an empty messageId for isError payloads. (extensions/whatsapp/src/channel-outbound.ts:36, 8d5f6c8ae465)
• Current WhatsApp empty identity behavior: The WhatsApp outbound base returns { channel: "whatsapp", messageId: "" } when ctx.payload.isError === true, which matches the issue's example of a safe final fallback payload being suppressed downstream. (extensions/whatsapp/src/outbound-base.ts:234, 8d5f6c8ae465)
• Core suppresses no-identity payload sends: Core routes opted-in isError payloads through sendPayload, checks delivery identity, and records adapter_returned_no_identity as a suppressed outcome when no identity is present. (src/infra/outbound/deliver.ts:1628, 8d5f6c8ae465)
• Existing durable outcomes are partial foundation: The durable message batch result type already models sent, suppressed, partial_failed, and failed, but this does not by itself define final fallback visibility semantics across all durable text channels. (src/channels/message/send.ts:40, 8d5f6c8ae465)
• Tests cover the narrow no-op path, not the full contract: Current tests prove text-only errors default to text delivery, opted-in adapters use sendPayload, and an empty sendPayload result is not counted as delivered; they do not provide the requested cross-channel final fallback conformance matrix. (src/infra/outbound/deliver.test.ts:3188, 8d5f6c8ae465)

Likely related people:

• vincentkoc: Current-source blame for the durable outcome and outbound final delivery paths points to commit a0ba9f2, authored by Vincent Koc. (role: recent area contributor; confidence: medium; commits: a0ba9f2b72b1; files: src/infra/outbound/deliver.ts, src/channels/message/send.ts, src/auto-reply/reply/agent-runner-execution.ts)
• steipete: The related merged durable message lifecycle work and local commit ceca7fd document the channel message plugin API foundation this issue builds on. (role: durable lifecycle foundation contributor; confidence: medium; commits: ceca7fdfda41, d163278e9cdf; files: docs/plugins/sdk-channel-message.md, docs/plugins/sdk-channel-outbound.md, src/channels/message/types.ts)
• nabbilkhan: Commit 207e2c5 introduced outbound delivery crash recovery, which is adjacent to the requested delivery outcome and recovery visibility contract. (role: outbound recovery contributor; confidence: medium; commits: 207e2c5affa9; files: src/infra/outbound/deliver.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.