feat(outbox): SQLite outbox with write-ahead delivery, recovery worker, and sendFinal-required adapters

[nohat]

Summary

Combines the scope of old PRs #29147 and #29148 into a single, cleaned-up PR.

Key changes from the old PRs:

• outboundContract v1/v2 concept removed entirely — sendFinal is now required on all ChannelOutboundAdapters
• Plugin compat layer simplified (no inference, no legacy warnings)
• src/plugin-sdk/outbound-adapter.ts deleted
• All 22+ extension adapters updated with sendFinal
• ackDelivery errors separated from send errors in recovery

Carries forward from old PRs:

• SQLite migration for delivery queue (file-based → WAL-backed outbox table)
• Write-ahead pattern: outbox entry created before AI streaming, marked delivered on success
• Continuous recovery worker with exponential backoff
• Startup cutoff filter (only recover entries from current boot)
• Comprehensive test coverage for outbox, recovery, and adapter compat

Closes #22376, #9208, #14827, #29126, #23777, #16555, #29128
Related: #28941

Test plan

• pnpm build passes
• pnpm test passes (outbox, delivery, recovery, plugin compat tests)
• Manual: send messages through multiple channels, verify delivery
• Manual: kill gateway mid-stream, restart, verify recovery picks up pending messages
• Verify extension adapters compile with sendFinal required

🤖 Generated with Claude Code

[openclaw-barnacle]

Closing this PR because it looks dirty (too many unrelated or unexpected changes). This usually happens when a branch picks up unrelated commits or a merge went sideways. Please recreate the PR from a clean branch.

[openclaw-barnacle]

Closing this PR because it looks dirty (too many unrelated or unexpected changes). This usually happens when a branch picks up unrelated commits or a merge went sideways. Please recreate the PR from a clean branch.

[openclaw-barnacle]

Closing this PR because it looks dirty (too many unrelated or unexpected changes). This usually happens when a branch picks up unrelated commits or a merge went sideways. Please recreate the PR from a clean branch.

[openclaw-barnacle]

Closing this PR because it looks dirty (too many unrelated or unexpected changes). This usually happens when a branch picks up unrelated commits or a merge went sideways. Please recreate the PR from a clean branch.

[openclaw-barnacle]

Closing this PR because it looks dirty (too many unrelated or unexpected changes). This usually happens when a branch picks up unrelated commits or a merge went sideways. Please recreate the PR from a clean branch.

[openclaw-barnacle]

Closing this PR because it looks dirty (too many unrelated or unexpected changes). This usually happens when a branch picks up unrelated commits or a merge went sideways. Please recreate the PR from a clean branch.

[openclaw-barnacle]

Closing this PR because it looks dirty (too many unrelated or unexpected changes). This usually happens when a branch picks up unrelated commits or a merge went sideways. Please recreate the PR from a clean branch.

[openclaw-barnacle]

Closing this PR because it looks dirty (too many unrelated or unexpected changes). This usually happens when a branch picks up unrelated commits or a merge went sideways. Please recreate the PR from a clean branch.

[openclaw-barnacle]

Closing this PR because it looks dirty (too many unrelated or unexpected changes). This usually happens when a branch picks up unrelated commits or a merge went sideways. Please recreate the PR from a clean branch.

[openclaw-barnacle]

Closing this PR because it looks dirty (too many unrelated or unexpected changes). This usually happens when a branch picks up unrelated commits or a merge went sideways. Please recreate the PR from a clean branch.

[openclaw-barnacle]

Closing this PR because it looks dirty (too many unrelated or unexpected changes). This usually happens when a branch picks up unrelated commits or a merge went sideways. Please recreate the PR from a clean branch.

[openclaw-barnacle]

Closing this PR because it looks dirty (too many unrelated or unexpected changes). This usually happens when a branch picks up unrelated commits or a merge went sideways. Please recreate the PR from a clean branch.

[openclaw-barnacle]

Closing this PR because it looks dirty (too many unrelated or unexpected changes). This usually happens when a branch picks up unrelated commits or a merge went sideways. Please recreate the PR from a clean branch.

[openclaw-barnacle]

Closing this PR because it looks dirty (too many unrelated or unexpected changes). This usually happens when a branch picks up unrelated commits or a merge went sideways. Please recreate the PR from a clean branch.

[openclaw-barnacle]

Closing this PR because it looks dirty (too many unrelated or unexpected changes). This usually happens when a branch picks up unrelated commits or a merge went sideways. Please recreate the PR from a clean branch.

[openclaw-barnacle]

Closing this PR because it looks dirty (too many unrelated or unexpected changes). This usually happens when a branch picks up unrelated commits or a merge went sideways. Please recreate the PR from a clean branch.

[openclaw-barnacle]

Closing this PR because it looks dirty (too many unrelated or unexpected changes). This usually happens when a branch picks up unrelated commits or a merge went sideways. Please recreate the PR from a clean branch.

[openclaw-barnacle]

Closing this PR because it looks dirty (too many unrelated or unexpected changes). This usually happens when a branch picks up unrelated commits or a merge went sideways. Please recreate the PR from a clean branch.

[openclaw-barnacle]

Closing this PR because it looks dirty (too many unrelated or unexpected changes). This usually happens when a branch picks up unrelated commits or a merge went sideways. Please recreate the PR from a clean branch.

[openclaw-barnacle]

Closing this PR because it looks dirty (too many unrelated or unexpected changes). This usually happens when a branch picks up unrelated commits or a merge went sideways. Please recreate the PR from a clean branch.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7f4421ef55

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Surface ackDelivery write failures to recovery loop

When SQLite writes fail during ackDelivery (for example, a transient SQLITE_BUSY from another process), this catch block logs and returns success, so the recovery pass treats the send as recovered while the row stays queued. On the next outbox pass, the same pre-start entry is still eligible and gets sent again, causing duplicate outbound messages until an ack eventually succeeds. The recovery path already tries to handle ack failures separately, but this swallow prevents that path from running.

Useful? React with 👍 / 👎.

[greptile-apps]

Greptile Summary

This PR implements a SQLite-based outbox pattern with write-ahead delivery, recovery worker, and makes sendFinal required on all channel adapters. Major architectural improvement for reliable message delivery.

Key Changes

• Outbox table: Migrated from file-based queue to SQLite with WAL mode for durability
• Recovery worker: Continuous background worker with exponential backoff and startup cutoff filter
• Adapter contract: sendFinal now required on all ChannelOutboundAdapters (22+ extensions updated)
• Error handling: Separated ackDelivery errors from send errors in recovery path

Critical Issue Found

• Double queueing bug (reply-dispatcher.ts:175-215): Messages sent through dispatcher are enqueued twice - once by dispatcher, once by deliverOutboundPayloads. This creates duplicate outbox entries and wastes storage/processing.

Performance Concerns

• dispatchKind stored in JSON payload instead of table column, requiring all pending entries to be loaded and parsed during recovery. Adding a column would enable SQL-level filtering.

Positive Notes

• Write-ahead logging pattern correctly separates ack failures from send failures (delivery-queue.ts:548-554)
• Non-final entries properly filtered during recovery to avoid duplicate sends (delivery-queue.ts:471-496)
• Comprehensive test coverage for core outbox and recovery logic
• Recovery worker properly integrated with gateway lifecycle

Confidence Score: 2/5

• This PR has a critical double-queueing bug that will create duplicate outbox entries for every message
• Score reflects the critical double-queueing bug in reply-dispatcher that causes every message to be enqueued twice. While the architecture is sound and test coverage is good, this bug will cause storage bloat and potential delivery issues in production.
• Pay close attention to src/auto-reply/reply/reply-dispatcher.ts for the double queueing issue and verify the fix before merging

_{Last reviewed commit: 7f4421e}

[greptile-apps]

_{65 files reviewed, 3 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

dispatchKind is stored in JSON payload, not as a column. recovery loads ALL pending entries, then filters in memory. storing dispatchKind as a column with an index would allow filtering in SQL: WHERE (dispatch_kind IS NULL OR dispatch_kind = 'final')

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/infra/outbound/delivery-queue.ts
Line: 477-496

Comment:
`dispatchKind` is stored in JSON payload, not as a column. recovery loads ALL pending entries, then filters in memory. storing `dispatchKind` as a column with an index would allow filtering in SQL: `WHERE (dispatch_kind IS NULL OR dispatch_kind = 'final')`

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

schema missing dispatch_kind column but the field is used in delivery-queue.ts (stored in JSON payload). consider adding: dispatch_kind TEXT for efficient filtering during recovery

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/infra/message-lifecycle/db.ts
Line: 48-66

Comment:
schema missing `dispatch_kind` column but the field is used in delivery-queue.ts (stored in JSON payload). consider adding: `dispatch_kind TEXT` for efficient filtering during recovery

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

Additional Comments (1)

src/auto-reply/reply/reply-dispatcher.ts
dispatcher enqueues here, then calls options.deliver which eventually calls deliverOutboundPayloads (deliver.ts:274-288), which enqueues again unless skipQueue: true. this creates duplicate outbox entries for every message sent through the dispatcher

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/auto-reply/reply/reply-dispatcher.ts
Line: 175-215

Comment:
dispatcher enqueues here, then calls `options.deliver` which eventually calls `deliverOutboundPayloads` (deliver.ts:274-288), which enqueues again unless `skipQueue: true`. this creates duplicate outbox entries for every message sent through the dispatcher

How can I resolve this? If you propose a fix, please make it concise.