feat(bluebubbles): replay missed webhook messages after gateway restart (#66721)

[omarshahine]

Summary

Fixes #66721. Adds an in-process startup catchup pass to the BlueBubbles channel that queries BB Server for messages delivered while the gateway was unreachable and replays them through the existing processMessage pipeline.

The hole this closes: BB Server's WebhookService is fire-and-forget on POST failure (no retries) and BB's MessagePoller only re-fires webhooks on BB-side reconnection events (Messages.app / APNs), not on webhook-receiver recovery. So inbound messages delivered while the OpenClaw gateway was down, restarting, or wedged were permanently lost.

This PR is stacked on top of #66810 (persistent inbound dedupe). The dedupe makes catchup safe to be aggressive: if a webhook delivery already succeeded for a GUID, the catchup replay of that same GUID is dropped at the dedupe boundary. Recommend landing #66810 first; this PR will rebase cleanly onto main once it does.

Design

• extensions/bluebubbles/src/catchup.ts (new, ~290 LoC):
  • fetchBlueBubblesMessagesSince(sinceMs, limit, opts) calls /api/v1/message/query with {after, sort:\"ASC\", with:[chat, chat.participants, attachment]} so replays carry the same shape normalizeWebhookMessage already handles on live dispatch.
  • loadBlueBubblesCatchupCursor / saveBlueBubblesCatchupCursor persist a single {lastSeenMs, updatedAt} per account at <stateDir>/bluebubbles/catchup/<accountId>__<hash>.json, using the plugin-sdk's atomic JSON helpers. File layout mirrors the inbound-dedupe store from fix(bluebubbles): dedupe inbound webhooks across restarts (#19176, #12053) #66810.
  • runBlueBubblesCatchup(target) orchestrates: clamp config, skip recent runs (<30s), clamp window to maxAgeMinutes, fetch, filter isFromMe and pre-cursor records, dispatch to processMessage, advance cursor to nowMs on success.
• monitor.ts: after the webhook target registers, fire catchup as a background task; errors are logged but never block the channel-ready signal.
• config-schema.ts: new optional catchup block (enabled, maxAgeMinutes, perRunLimit, firstRunLookbackMinutes); defaults are on with 2h lookback / 50 msg cap / 30-min first-run lookback.

Why this approach

The fix mirrors a workspace-level shell script that's been running on a real OpenClaw install for ~4 weeks (~100 LoC of bash + python doing the same query/filter/POST flow). Porting it into the BB channel itself means every install gets recovery for free, calls processMessage directly (no re-POST hop), and benefits from #66810's persistent dedupe automatically.

Safety

• Goes through the same processMessage path webhooks use, so auth, allowlist, pairing, and downstream agent dispatch all apply unchanged.
• Dedupes against fix(bluebubbles): dedupe inbound webhooks across restarts (#19176, #12053) #66810's persistent inbound GUID cache: a webhook delivery that already succeeded cannot be reprocessed by catchup.
• Never dispatches isFromMe records (double-checked before and after normalization) so the agent's own sends cannot enter the inbound path.
• Cursor is only advanced on a successful query; a failed fetch leaves the prior cursor in place so the next run retries the same window.
• 30s minimum interval between runs prevents churn on rolling restarts.
• Hard ceilings: 12h max lookback, 500 messages per run.
• Cursor uses nowMs rather than the latest observed message timestamp, so messages with dateCreated > nowMs (BB host vs gateway host clock skew) are not silently skipped — they replay on the next sweep, where dedupe handles any duplicate.

Validation

Automated

• New scoped tests in extensions/bluebubbles/src/catchup.test.ts (14 cases): cursor round-trip, per-account scoping, FS-unsafe account IDs, firstRunLookbackMinutes, maxAgeMinutes clamp, enabled: false, rapid-restart skip, isFromMe filter (pre- and post-normalization), query-failure-preserves-cursor, per-message failure isolation, pre-cursor defense-in-depth.
• Full BlueBubbles suite passes: 403/403.
• pnpm check green (madge, tsgo, oxlint, webhook-auth-body-order, no-pairing-store-group, pairing-account-scope).

Live end-to-end (macOS, BB Server 1.9.x, 2026-04-14)

Repeating the original repro from #66721's issue body, this time against the new in-process catchup with the workspace shim disabled:

1. Stopped gateway cleanly. Verified port refused, no process.
2. Sent 3 distinct iMessages from a second device. BB-server log shows all 3 dispatches failed with connect ECONNREFUSED 127.0.0.1:18789 and never retried (confirms the hole this PR fixes is real and that BB does not replay on receiver-side reachability).
3. Started gateway. Webhook target registered; catchup fired in the background.
4. Gateway log:

   [bluebubbles] [default] BlueBubbles catchup:
     replayed=3 skipped_fromMe=0 skipped_preCursor=0 failed=0 fetched=3 window_ms=517184
   

5. All 3 messages produced agent replies that were delivered back via BB outbound. Persistent cursor file appeared at ~/.openclaw/bluebubbles/catchup/<accountId>__<hash>.json. A subsequent gateway restart with no new inbound activity logged replayed=0 fetched=0 (no-op, as expected).

Test plan

• pnpm test extensions/bluebubbles/src/catchup.test.ts — 14/14
• pnpm test extensions/bluebubbles/ — 403/403
• pnpm check — green
• Live macOS end-to-end repro: stop gateway, send N messages (verified N×ECONNREFUSED in BB log), start gateway, assert N messages replayed via the catchup path with cursor advanced and dedupe state populated, and no-op on subsequent restart
• Maintainer review

Order of operations

#66810 (persistent inbound dedupe) is a prerequisite. Once it lands, this branch will rebase onto main and the PR will retarget automatically.

[aisle-research-bot]

🔒 Aisle Security Analysis

We found 3 potential security issue(s) in this PR:

#	Severity	Title
1	🟡 Medium	BlueBubbles catchup sends API password in URL query string
2	🟡 Medium	Insecure test-state directory under /tmp allows symlink/hardlink overwrite of persisted JSON state
3	🟡 Medium	Local file overwrite via symlinked state subdirectories when persisting BlueBubbles cursor/dedupe JSON

1. 🟡 BlueBubbles catchup sends API password in URL query string

Property	Value
Severity	Medium
CWE	CWE-598
Location	extensions/bluebubbles/src/catchup.ts:120-125

Description

fetchBlueBubblesMessagesSince() constructs the BlueBubbles API URL using buildBlueBubblesApiUrl(..., password) which appends the password as a ?password=... query parameter.

Putting credentials in the URL is sensitive because:

• URLs are commonly logged by reverse proxies, HTTP access logs, observability/telemetry tooling, and error reports
• URLs may be stored in browser/network caches or intermediate components
• If any redirect occurs, the full URL can be propagated (and may end up in Referer headers in other contexts)

Vulnerable code:

const url = buildBlueBubblesApiUrl({
  baseUrl: opts.baseUrl,
  path: "/api/v1/message/query",
  password: opts.password,
});

This newly added catchup path increases the surface area where the password-in-URL pattern is used (additional endpoint and new network call on startup).

Recommendation

Avoid placing secrets in URLs. Prefer an HTTP header (e.g., Authorization) or a dedicated header expected by BlueBubbles.

Example (using a header instead of a query param):

const url = buildBlueBubblesApiUrl({
  baseUrl: opts.baseUrl,
  path: "/api/v1/message/query",
});

const res = await blueBubblesFetchWithTimeout(
  url,
  {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      ​// Prefer a header; exact scheme depends on BB server support
      "Authorization": `Bearer ${opts.password}`,
    },
    body,
  },
  opts.timeoutMs ?? FETCH_TIMEOUT_MS,
  ssrfPolicy,
);

If BlueBubbles only supports password as a query parameter, mitigate by:

• ensuring request/URL logging is disabled or redacts query strings
• redacting password from any error reporting paths
• using TLS and restricting network access to the BB server

2. 🟡 Insecure test-state directory under /tmp allows symlink/hardlink overwrite of persisted JSON state

Property	Value
Severity	Medium
CWE	CWE-59
Location	extensions/bluebubbles/src/inbound-dedupe.ts:23-29

Description

The BlueBubbles extension switches its persistence root to a predictable per-PID directory under os.tmpdir() whenever VITEST is set or NODE_ENV === "test".

If this code path is reachable in a non-test deployment (e.g., environment misconfiguration, untrusted env injection, or accidentally shipping with NODE_ENV=test), a local attacker on the same host can pre-create /tmp/openclaw-vitest-<pid> (or subpaths) as a symlink to another location. Subsequent writes via writeJsonFileAtomically() / createClaimableDedupe() ultimately call writeJsonAtomic()/writeTextAtomic(), which:

• creates directories with fs.mkdir(..., { recursive: true }) (follows symlinks)
• writes a temp file and then rename()s/copies it to the final path
• does not perform lstat/realpath validation on the full path components
• does not use O_NOFOLLOW (not available portably in Node, but symlink-safe patterns exist)

This enables link-following writes outside the intended state directory, potentially overwriting arbitrary files writable by the gateway process.

Vulnerable code (state dir selection):

if (env.VITEST || env.NODE_ENV === "test") {
  const name = "openclaw-vitest-" + process.pid;
  return path.join(os.tmpdir(), name);
}

Affected persistence sinks include:

• extensions/bluebubbles/src/inbound-dedupe.ts → persistent dedupe JSON file
• extensions/bluebubbles/src/catchup.ts → catchup cursor JSON file

Recommendation

Avoid predictable, attacker-precreatable directories under /tmp for any code path that can run outside a fully controlled test harness.

Options (prefer A):

A. Always require an explicit per-test state dir override (e.g., OPENCLAW_STATE_DIR set by the test harness) and remove the implicit /tmp fallback.

B. Use fs.mkdtemp to create an unguessable directory, and store it in a process-scoped global so all module instances share it during the process lifetime.

C. Add symlink defenses before writing: resolve realpath of the parent directory and verify it is within the intended root; reject if any path component is a symlink (via lstat).

Example using mkdtemp (process-scoped):

import fs from "node:fs/promises";
import os from "node:os";
import path from "node:path";

let testStateDir: string | null = null;

async function resolveStateDirFromEnv(env: NodeJS.ProcessEnv = process.env): Promise<string> {
  if (env.OPENCLAW_STATE_DIR?.trim()) return resolveStateDir(env);
  if (env.VITEST || env.NODE_ENV === "test") {
    if (!testStateDir) {
      testStateDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-vitest-"));
    }
    return testStateDir;
  }
  return resolveStateDir(env);
}

Additionally, consider hard-failing startup if NODE_ENV==="test" is detected outside an explicit test runner context.

3. 🟡 Local file overwrite via symlinked state subdirectories when persisting BlueBubbles cursor/dedupe JSON

Property	Value
Severity	Medium
CWE	CWE-59
Location	extensions/bluebubbles/src/catchup.ts:94-101

Description

The BlueBubbles extension persists two new pieces of state to disk (catchup cursor and inbound dedupe cache) under the OpenClaw state directory:

• catchup.ts writes ${stateDir}/bluebubbles/catchup/<prefix>__<hash>.json
• inbound-dedupe.ts writes ${stateDir}/bluebubbles/inbound-dedupe/<prefix>__<hash>.json

These paths are ultimately written using writeJsonFileAtomically() → writeJsonAtomic() → writeTextAtomic(), which creates directories with fs.mkdir(path.dirname(filePath), { recursive: true }) and then renames/copies a temp file into place.

On POSIX and Windows, this directory creation / open / rename sequence does not defend against pre-existing symlinks/junctions in parent directory components (e.g., ${stateDir}/bluebubbles being a symlink to /etc). If an attacker can write within the state directory tree (or can cause OPENCLAW_STATE_DIR to point at a shared/writable location), they can pre-create a symlinked path so the gateway will write these JSON files outside the intended state directory, potentially overwriting arbitrary files writable by the gateway process.

Vulnerable write sites include:

​// extensions/bluebubbles/src/catchup.ts
await writeJsonFileAtomically(filePath, cursor);

​// extensions/bluebubbles/src/inbound-dedupe.ts (via createClaimableDedupe)
resolveFilePath: resolveNamespaceFilePath,

This is primarily a local attack scenario, but is relevant in multi-tenant/shared-host deployments or when environment variables / state directory permissions are not tightly controlled.

Recommendation

Harden state-file writes against link-following in parent directories and against unsafe state dir overrides.

Recommended defense-in-depth (choose what is feasible cross-platform):

1. Ensure the state root is not attacker-writable and is created with 0700 (already attempted via ensureDirMode) and document this requirement.

2. Reject symlinks/junctions in the state path components before writing. For example, walk each path segment under stateDir and lstat() it; if any component is a symbolic link (or on Windows, a reparse point), refuse to write.

3. Prefer opening the destination securely (POSIX): use open() with O_NOFOLLOW (where available) and write via file-descriptor-based APIs, or use a library that supports O_NOFOLLOW and secure atomic replace.

4. Constrain OPENCLAW_STATE_DIR: if running in a context where untrusted parties can influence env vars, ignore OPENCLAW_STATE_DIR or require it to be an absolute path under an allowlisted base.

Example (conceptual) path-component validation:

import fs from "node:fs/promises";
import path from "node:path";

async function assertNoSymlinksUnder(root: string, targetDir: string) {
  const rel = path.relative(root, targetDir);
  const parts = rel.split(path.sep).filter(Boolean);
  let cur = root;
  for (const p of parts) {
    cur = path.join(cur, p);
    const st = await fs.lstat(cur);
    if (st.isSymbolicLink()) throw new Error(`refusing to write under symlink: ${cur}`);
  }
}

Apply this check (or equivalent) before calling writeJsonFileAtomically / persistent dedupe writes.

---

Analyzed PR: #66760 at commit f53bcc6

_{Last updated on: 2026-04-14T21:36:39Z}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8cd511dae7

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[greptile-apps]

Greptile Summary

Adds an in-process startup catchup pass to the BlueBubbles channel that queries BB Server for messages missed while the gateway was unreachable and replays them through the existing processMessage pipeline. The implementation is well-designed: it integrates cleanly with #66230's persistent inbound-dedupe (which drops already-handled GUIDs), double-filters isFromMe records, uses atomic cursor persistence, and is fire-and-forget from monitor.ts so it never blocks the channel-ready signal.

Confidence Score: 5/5

Safe to merge; all findings are P2 style/observability suggestions that don't affect correctness.

No P0/P1 issues found. The two P2 items are: (1) resolveStateDirFromEnv is duplicated between catchup.ts and inbound-dedupe.ts — a drift risk but both copies are currently identical; and (2) no warning is emitted when fetchedCount hits perRunLimit, making silent truncation during long outages hard to diagnose. Core logic, dedupe integration, cursor semantics, and test coverage are solid.

extensions/bluebubbles/src/catchup.ts — see comments on resolveStateDirFromEnv duplication and the perRunLimit truncation warning.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: extensions/bluebubbles/src/catchup.ts
Line: 50-59

Comment:
**Duplicated `resolveStateDirFromEnv` across catchup.ts and inbound-dedupe.ts**

This function is byte-for-byte identical to the one in `inbound-dedupe.ts`. If either copy drifts (e.g., adding a new env-var override), the two stores will resolve different directories and cursor/dedupe files will be written to different roots, silently breaking the catchup ↔ dedupe pairing. Extract to a shared local utility (e.g. `state-dir.ts` inside the plugin) and import it from both files.

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: extensions/bluebubbles/src/catchup.ts
Line: 308-319

Comment:
**No warning logged when fetch results are at the `perRunLimit` cap**

When BB returns exactly `perRunLimit` messages it has likely truncated the result set — the remaining messages (with `dateCreated` between the last fetched message and `nowMs`) are permanently unreachable because the cursor advances to `nowMs`. The existing log line shows `fetched=N` but gives no indication that `N` equals the configured cap. Emitting a distinct warning when `messages.length >= perRunLimit` would help operators know to raise the limit before a long outage silently drops messages.

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "feat(bluebubbles): replay missed webhook..." | Re-trigger Greptile}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0e8ddbaa61

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 00de3cc1b7

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7990aeb7da

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 80d2393528

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[omarshahine]

Review feedback round-up

Thanks for the thorough reviews. Pushed 5 follow-up commits since the original 4a89afbe. Summary of what's in / not in:

Greptile (✅ both addressed)

• Duplicated resolveStateDirFromEnv → 0e8ddbaa61 switches catchup to the canonical openclaw/plugin-sdk/state-paths.resolveStateDir that inbound-dedupe already uses, so the two stores can never drift apart. (Note: catchup tests use OPENCLAW_STATE_DIR for per-test isolation, so the test-mode default short-circuit now only fires when that env var is unset; explicit overrides win.)
• No warning on perRunLimit truncation → 0e8ddbaa61 adds a distinct WARN line; ed4e403d7c then made truncation actually recoverable (cursor advances only to the page boundary), and the warn message was updated to reflect the new "next startup picks up the rest" semantics.

Codex (✅ all 7 addressed)

• P1: cursor advances after replay failure → 00de3cc1b7 tracks the earliest processMessage failure timestamp and holds the cursor just before it. Successful replays from this run are dedupe-protected by fix(bluebubbles): dedupe inbound webhooks across restarts (#19176, #12053) #66230. Normalize failures (record didn't yield a NormalizedWebhookMessage) are still treated as permanent skips so a malformed payload doesn't wedge catchup forever.
• P2: clock-skew negative-delta hits gate → addressed inside the broader fix in ed4e403d7c (see below).
• P2: maxAgeMinutes not enforced on first run → 7990aeb7da clamps both the existing-cursor and first-run branches to earliestAllowed.
• P2: account override drops catchup.enabled → 7990aeb7da adds catchup to nestedObjectKeys in accounts.ts, mirroring the existing network precedent so deep-merge semantics apply.
• P2: future cursor causes silent skip → 80d2393528 treats a strictly-future cursor as if no cursor exists, falling through to firstRunLookback so the [earliestAllowed, nowMs] window does get queried; cursor save at the end repairs the future timestamp.
• P1: run catchup even when cursor age is under MIN_INTERVAL → ed4e403d7c removes the MIN_INTERVAL_MS gate entirely. Catchup runs once per gateway startup and is the only recovery mechanism, so skipping the second startup's pass after a quick restart loses any messages that arrived during the brief downtime. The bounded query (perRunLimit, maxAge) and fix(bluebubbles): dedupe inbound webhooks across restarts (#19176, #12053) #66230's dedupe cap the cost of running every restart. (This also obviates the clock-skew gate that the P2 above asked for — solved by removal rather than >= precondition.)
• P1: keep cursor behind unfetched pages when limit is hit → ed4e403d7c tracks latestFetchedTs regardless of message fate, and on truncation (fetchedCount === perRunLimit) the cursor advances only to the page boundary so the next gateway startup picks up the unfetched tail. Previously the unfetched tail past the cap would have been permanently unreachable — exactly the failure mode the feature is meant to prevent.

Tests grew from 14 → 21 cases; full BlueBubbles suite remains 410/410; pnpm check green.

Aisle (5 findings, summary)

• fix: add @lid format support and allowFrom wildcard handling #1 Password in URL query (catchup.ts) — Real concern, but follows the existing BB plugin convention used everywhere (history.ts, probe.ts, send.ts). Fixing only catchup would create inconsistency; this should be a cross-cutting BB-wide PR that updates buildBlueBubblesApiUrl to use header-based auth, and is out of scope here.
• Images not passed to Claude CLI - only path reference in text #4 OPENCLAW_STATE_DIR symlink risk (catchup.ts) — Same pattern as fix(bluebubbles): dedupe inbound webhooks across restarts (#19176, #12053) #66230's inbound-dedupe (catchup now actually shares its resolver via the SDK helper, per the Greptile fix). The proper hardening (lstat + reject symlink) belongs in the plugin-sdk's resolveStateDir helper itself so all callers benefit, not bolted onto extension files.
• Login fails with 'WebSocket Error (socket hang up)' ECONNRESET #2 sendPolicy "deny", WA business, groups & office hours  #3 reply-media-paths symlink, CLI: add Opencode integration #5 PII in dedupe drop logs — Not in this PR's diff (src/auto-reply/... and extensions/bluebubbles/src/monitor-processing.ts:634-639 are untouched here). These appear to have been picked up because Aisle scanned the pre-rebase SHA 8cd511d when this PR's diff still included ghost commits from the force-pushed dedupe base. They properly belong to the already-merged PRs fix: sendPolicy deny should suppress delivery, not inbound processing (#53328) #65461 / fix(bluebubbles): lazy-refresh Private API status on send (#43764) #65447 / docs(changelog): backfill #65447 and #65461 entries #66220 (or follow-up PRs against main), not here.

Live end-to-end repro of the original failure mode is in the PR body and reproduced post-fix on macOS 26.3 / BB Server 1.9.x. Ready for another look.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ed4e403d7c

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Avoid dropping same-timestamp tail at truncation boundary

When a catchup run hits perRunLimit, this branch advances the cursor to latestFetchedTs. If there are additional unfetched messages with that exact same dateCreated value (which is realistic when timestamps are coarse or bursts occur), the next run starts from that same timestamp and the loop’s ts <= windowStartMs guard drops them, so they are never replayed. In outage backlogs this causes permanent message loss even though catchup is enabled; truncated pagination needs a stable tie-breaker (or a cursor rewind below the boundary) to avoid skipping equal-timestamp records.

Useful? React with 👍 / 👎.