fix(bluebubbles): dedupe inbound webhooks across restarts (#19176, #12053)

[omarshahine]

Summary

BlueBubbles `MessagePoller` keeps a ~1-week lookback and re-fires `new-message` webhooks after BB Server restart or reconnection. With no sequence number or ack in the BB webhook protocol, the gateway previously had no way to recognize replays and would happily re-reply to messages it had already handled before the restart — producing duplicated outbound messages, and confusing replies to stale inbound that the user had already moved on from (see #19176, #12053).

This PR adds a persistent, file-backed inbound dedupe keyed by message GUID, modeled after the same `createPersistentDedupe` pattern used by the Feishu plugin.

• TTL = 7 days (matches BB's lookback window, so any replay is guaranteed to land on a remembered GUID).
• On-disk state at `~/.openclaw/bluebubbles/inbound-dedupe/.json` — survives gateway restarts, which is the crucial property the previous in-memory dedupe layers can't provide.
• Applied at the top of `processMessage`, before any downstream work, so stale replays never reach pairing, dispatch, or the reply cache.

Why this approach

Other channels with monotonic sequence IDs (Telegram's `update_id`, Matrix's sync token, Discord's gateway sequence) can dedupe natively via protocol. BlueBubbles does not expose anything like that, so an identity-based persistent dedupe at the message layer is the closest equivalent that fits how BB actually delivers webhooks.

Interaction with edit events (`updated-message`)

PR #52277 raised a related concern: if dedupe keys are GUID-only, a legitimate `updated-message` event would share a GUID with its original `new-message` and get dropped as a duplicate.

In the current codebase this cannot happen: `monitor.ts` routes `updated-message` payloads differently — without a reaction they are dropped at the webhook layer ("ignored without reaction"), and with a reaction they flow through `processReaction`, not `processMessage`. Our dedupe sits inside `processMessage`, so only `new-message` events are gated. Edits can't collide today.

If the separate work in #52277 lands and begins routing text-edit bodies into `processMessage`, the dedupe key will need to expand to include event type and edit metadata (e.g. `guid + eventType + (dateEdited||"")`) so an edit is treated as a distinct key. That's a straightforward forward-compatible change when it's needed.

Validation

• New scoped test: `extensions/bluebubbles/src/inbound-dedupe.test.ts` (3 cases covering claim/reject, per-account scoping, missing GUID).
• Full BlueBubbles suite passes (387/387).
• End-to-end tested on a live gateway (macOS 26.3, BB Server 1.9.x) with a synthetic replay script: first webhook gets processed + recorded, second webhook with the same GUID is dropped before dispatch, dedupe file timestamp unchanged. Sample script lives in `scripts/test-bb-dedupe.sh` for the PR lifecycle; remove before merge if not desired.
• `pnpm check` green.

Credits

Re-creates and improves on the focused fix from #31159 by @dashhuang — same behavioral goal (drop stale BB webhook replays), implemented as a persistent on-disk dedupe so it actually survives the gateway-restart case that drives the bug, and without the module-global mutable state that made the original patch need test-reset plumbing.

Fixes #19176, #12053.

Test plan

• New scoped test passes (`pnpm test extensions/bluebubbles/src/inbound-dedupe.test.ts`)
• Full BlueBubbles suite passes (`pnpm test extensions/bluebubbles/`)
• `pnpm check` green
• Live test on macOS 26.3 with BB Server — synthetic replay dropped, dedupe file persisted across gateway restart
• Maintainer review

[aisle-research-bot]

🔒 Aisle Security Analysis

We found 3 potential security issue(s) in this PR:

#	Severity	Title
1	🟡 Medium	Replay can re-run tool side effects when reply delivery fails (dedupe claim released)
2	🟡 Medium	Disk/CPU DoS via file-backed inbound dedupe store rewriting large JSON map
3	🟡 Medium	Symlink/hardlink file clobber risk in Windows fallback path for atomic JSON writes

1. 🟡 Replay can re-run tool side effects when reply delivery fails (dedupe claim released)

Property	Value
Severity	Medium
CWE	CWE-841
Location	extensions/bluebubbles/src/monitor-processing.ts:644-661

Description

The inbound deduplication wrapper in processMessage releases its dedupe claim when the reply pipeline reports a final delivery error via onError. This allows the same inbound message GUID to be processed again on a later webhook replay (or reconnect replay window), re-running the full agent/tool pipeline.

If any tools/actions in processMessageAfterDedupe have side effects (writes, purchases, network calls, state changes), and the only failure is that the final BlueBubbles send transiently failed, those side effects may have already occurred but the claim is released anyway. A subsequent replay will execute them again, potentially causing duplicate external actions.

Vulnerable behavior:

• Input: inbound webhook message (GUID-derived dedupeKey)
• Side effects: tool execution and other actions inside processMessageAfterDedupe / dispatcher flow
• Trigger: onError(..., {kind: "final"}) sets dedupeSignal.deliveryFailed = true
• Result: claim is released rather than finalized, permitting replay reprocessing

Vulnerable code:

if (signal.deliveryFailed) {
  ...
  claim.release();
} else {
  await claim.finalize();
}

and

if (info.kind === "final") {
  dedupeSignal.deliveryFailed = true;
}

Recommendation

Treat inbound processing as at-most-once for side effects, even if reply delivery fails.

Options (choose based on product requirements):

1. Finalize the dedupe claim once side effects complete, and separately enqueue/retry only the outbound reply delivery (store the final response or a reference to it).

2. Add an idempotency key (the inbound GUID / dedupeKey) that is passed into all side-effecting tools so they can dedupe externally (or your tool-execution layer can persist tool-call results keyed by GUID).

3. If you must release on delivery failure, restructure so that no side-effecting tools run until after reply delivery is guaranteed, which is usually impractical.

Illustrative approach (finalize processing, retry delivery):

​// After successful tool run / response generation
await claim.finalize();
try {
  await deliverFinalReply(...);
} catch (e) {
  ​// schedule retry of delivery only; do NOT release inbound dedupe
  await enqueueDeliveryRetry({ dedupeKey, responseId });
}

2. 🟡 Disk/CPU DoS via file-backed inbound dedupe store rewriting large JSON map

Property	Value
Severity	Medium
CWE	CWE-400
Location	extensions/bluebubbles/src/inbound-dedupe.ts:16-57

Description

The new BlueBubbles inbound GUID dedupe persists attacker-influenced GUIDs to a per-account JSON file for 7 days (TTL) with a hard cap of 50,000 entries. Each successful message processing calls impl.commit(), which (via createPersistentDedupe) performs:

• readFile() of the whole JSON blob
• JSON.parse() into an object containing up to fileMaxEntries keys
• Object.keys(...).toSorted(...) for pruning
• writeJsonFileAtomically() rewriting the entire file

Because inbound GUIDs originate from remote webhook/poller events, a remote party can send many unique messages (unique GUIDs) to drive the store to its maximum size and then keep it near the cap. This can cause sustained high disk I/O and CPU usage due to repeated full-file read/parse/sort/write cycles, potentially degrading the gateway or exhausting disk throughput.

Although sanitizeGuid() caps GUID length at 512 chars, the worst-case on-disk size remains large (order-of-magnitude tens of MB: 50,000 * 512 plus JSON overhead), and the rewrite cost is paid repeatedly.

Vulnerable code (BlueBubbles wiring):

• Uses large FILE_MAX_ENTRIES and long TTL
• Commits every processed unique GUID to disk

Recommendation

Reduce the ability for untrusted inbound traffic to force large persistent state and full-file rewrites.

Suggested mitigations (pick a combination):

1. Store a fixed-size hash of the GUID (e.g., SHA-256 hex) instead of raw GUID strings to cap key size.

import { createHash } from "node:crypto";

function normalizeGuidForStore(guid: string): string {
  return createHash("sha256").update(guid, "utf8").digest("hex");
}

2. Lower FILE_MAX_ENTRIES and/or lower TTL (or make them configurable with conservative defaults).

3. Change the persistent-dedupe backend to an append-only log with periodic compaction, or a small SQLite table with an index and DELETE WHERE seenAt < ... to avoid full-file rewrite per event.

4. Add rate limiting/backpressure for inbound events or for commits to disk (batch commits, debounce writes).

5. Ensure onDiskError fails closed in a way that doesn’t keep retrying expensive operations in a tight loop.

3. 🟡 Symlink/hardlink file clobber risk in Windows fallback path for atomic JSON writes

Property	Value
Severity	Medium
CWE	CWE-59
Location	src/infra/json-files.ts:9-27

Description

The writeJsonAtomic/writeTextAtomic helper used by the persistent dedupe store performs an atomic rename() first, but on Windows falls back to copyFile() when rename() fails with EPERM/EEXIST.

On Windows, copyFile(tempPath, filePath) can follow an existing destination symlink (and will also overwrite the contents of an existing hardlink), which can allow a local attacker who can create/replace files under the configured state directory to redirect writes to an arbitrary target file.

This is relevant to the new BlueBubbles inbound dedupe feature because it calls createClaimableDedupe({ resolveFilePath, ... }), which persists a JSON file under the OpenClaw state directory via writeJsonFileAtomically → writeJsonAtomic.

Vulnerable behavior:

• attacker pre-creates .../bluebubbles/inbound-dedupe/<ns>.json as a symlink/hardlink to another file writable by the gateway process
• when the dedupe store commits, rename() may hit the Windows fallback and copyFile() overwrites the link target

Vulnerable code:

await fs.copyFile(tempPath, filePath);

Note: rename() replacement semantics are generally safe against symlink-following on POSIX, but the Windows fallback removes that safety property.

Recommendation

Avoid overwriting an attacker-controlled link destination.

Options:

1. Prefer a safe replace strategy that does not follow destination symlinks/hardlinks:
   • On Windows, delete the destination path first (after verifying it is a regular file in the intended directory) and then rename().
   • Additionally, validate the destination with lstat() to reject symlinks.

Example (sketch):

import fs from "node:fs/promises";

async function safeReplaceFile(tempPath: string, filePath: string) {
  try {
    ​// Best: attempt atomic rename
    await fs.rename(tempPath, filePath);
    return;
  } catch (e: any) {
    if (process.platform !== "win32" || (e?.code !== "EPERM" && e?.code !== "EEXIST")) {
      throw e;
    }
  }

  ​// Windows fallback: refuse to write through links
  try {
    const st = await fs.lstat(filePath);
    if (st.isSymbolicLink()) {
      throw new Error(`Refusing to overwrite symlink: ${filePath}`);
    }
    ​// Optionally also ensure st.isFile() and that filePath is within an expected base dir.
    await fs.rm(filePath, { force: true });
  } catch (e: any) {
    if (e?.code !== "ENOENT") throw e;
  }

  await fs.rename(tempPath, filePath);
}

2. Defense-in-depth for callers: ensure the state directory is created with 0700 and is not group/world-writable; ensure no path components are symlinks by comparing realpath(dirname(filePath)) to an expected base directory; and validate that resolveFilePath(namespace) stays within the intended base directory (e.g., path.relative(base, filePath) must not start with ..).

---

Analyzed PR: #66816 at commit cbeb3ca

_{Last updated on: 2026-04-14T22:40:55Z}

[greptile-apps]

Greptile Summary

Adds a persistent file-backed GUID dedupe (~/.openclaw/bluebubbles/inbound-dedupe/<accountId>.json) at the top of processMessage so BlueBubbles MessagePoller webhook replays after server restart are dropped before reaching pairing, dispatch, or the reply cache. The approach follows the existing createClaimableDedupe SDK pattern and includes a claim/finalize/release lifecycle so transient send failures allow the next replay to retry.

All four claim outcomes are handled correctly, the onError → deliveryFailed signal correctly scopes release to terminal final failures only (avoiding replay-triggered tool-side-effect duplication), and tests cover the expected dedupe, scoping, skip, and release behaviors.

Confidence Score: 5/5

Safe to merge — all remaining findings are minor style/clarity concerns that do not affect correctness.

The core dedupe logic is correct across all four claim outcomes. The finalize-on-success / release-on-failure lifecycle is sound. Disk persistence is properly guarded against errors. Tests cover the key behavioral contracts. The two P2 findings (misleading comment in a catch block whose release() call is a no-op, and an unnecessary export on an internal type) have no runtime impact.

No files require special attention.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: extensions/bluebubbles/src/monitor-processing.ts
Line: 602

Comment:
**`InboundDedupeDeliverySignal` exported but only used within this file**

The type is defined and consumed entirely within `monitor-processing.ts` — `processMessageAfterDedupe` (unexported) takes it as a parameter, and `processMessage` (exported) creates and owns it. Exporting the type leaks an internal implementation detail of the dedupe wrapper into the module's public surface. Consider removing the `export` keyword unless downstream consumers (e.g., tests) need to reference it explicitly.

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: extensions/bluebubbles/src/monitor-processing.ts
Line: 662-673

Comment:
**`claim.release()` in the `catch (finalizeError)` block is a no-op**

When `finalize()` throws, it means `impl.commit` threw. `createClaimableDedupe.commit` always calls `inflight.delete(scopedKey)` in its `finally` block before re-throwing, so by the time `claim.release()` runs here, the inflight slot is already gone — `release` calls `inflight.get` on an empty map and returns immediately.

The GUID won't get "stuck" for 7 days, but not because `release()` unsticks it: `commit` failed before persisting anything (disk errors inside `checkAndRecordInner` are caught and fall back to memory, so `commit` itself rarely throws at all). The comment overstates what `release()` accomplishes and could mislead future maintainers into thinking the call is load-bearing when it's actually redundant in this path.

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "fix(bluebubbles): dedupe inbound webhook..." | Re-trigger Greptile}

[greptile-apps]

InboundDedupeDeliverySignal exported but only used within this file

The type is defined and consumed entirely within monitor-processing.ts — processMessageAfterDedupe (unexported) takes it as a parameter, and processMessage (exported) creates and owns it. Exporting the type leaks an internal implementation detail of the dedupe wrapper into the module's public surface. Consider removing the export keyword unless downstream consumers (e.g., tests) need to reference it explicitly.

Prompt To Fix With AI

This is a comment left during a code review.
Path: extensions/bluebubbles/src/monitor-processing.ts
Line: 602

Comment:
**`InboundDedupeDeliverySignal` exported but only used within this file**

The type is defined and consumed entirely within `monitor-processing.ts` — `processMessageAfterDedupe` (unexported) takes it as a parameter, and `processMessage` (exported) creates and owns it. Exporting the type leaks an internal implementation detail of the dedupe wrapper into the module's public surface. Consider removing the `export` keyword unless downstream consumers (e.g., tests) need to reference it explicitly.

How can I resolve this? If you propose a fix, please make it concise.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[omarshahine]

Fixed — removed the export keyword. The type is now file-local.

[greptile-apps]

claim.release() in the catch (finalizeError) block is a no-op

When finalize() throws, it means impl.commit threw. createClaimableDedupe.commit always calls inflight.delete(scopedKey) in its finally block before re-throwing, so by the time claim.release() runs here, the inflight slot is already gone — release calls inflight.get on an empty map and returns immediately.

The GUID won't get "stuck" for 7 days, but not because release() unsticks it: commit failed before persisting anything (disk errors inside checkAndRecordInner are caught and fall back to memory, so commit itself rarely throws at all). The comment overstates what release() accomplishes and could mislead future maintainers into thinking the call is load-bearing when it's actually redundant in this path.

Prompt To Fix With AI

This is a comment left during a code review.
Path: extensions/bluebubbles/src/monitor-processing.ts
Line: 662-673

Comment:
**`claim.release()` in the `catch (finalizeError)` block is a no-op**

When `finalize()` throws, it means `impl.commit` threw. `createClaimableDedupe.commit` always calls `inflight.delete(scopedKey)` in its `finally` block before re-throwing, so by the time `claim.release()` runs here, the inflight slot is already gone — `release` calls `inflight.get` on an empty map and returns immediately.

The GUID won't get "stuck" for 7 days, but not because `release()` unsticks it: `commit` failed before persisting anything (disk errors inside `checkAndRecordInner` are caught and fall back to memory, so `commit` itself rarely throws at all). The comment overstates what `release()` accomplishes and could mislead future maintainers into thinking the call is load-bearing when it's actually redundant in this path.

How can I resolve this? If you propose a fix, please make it concise.

[omarshahine]

Fixed — removed the redundant claim.release() call since commit() already clears inflight state in its finally block. Now just logs the error.

[omarshahine]

Aisle findings response

#1 (High) Symlink-following file overwrite: This is a pre-existing concern in src/infra/json-files.ts (shared atomic write infrastructure), not introduced by this PR. The dedupe layer calls createClaimableDedupe from the Plugin SDK which uses the existing atomic write path. Any hardening should be done in the shared infra, not in this extension.

#2 (Medium) PII in verbose logs: Consistent with existing BB channel behavior — logVerbose throughout the channel already logs message content, sender IDs, and chat GUIDs. Verbose mode is operator-opted and not enabled by default. No change to the security model.

#3 (Medium) Attacker-controlled dedupe key: If an attacker can forge BB webhooks (requires the webhook password), they can already inject arbitrary messages, not just suppress them. The dedupe key derivation mirrors the existing debouncer key logic. The webhook password is the trust boundary here.

#4 (Info) Plaintext GUIDs on disk: All BB state (sessions, reply cache, history) is already stored as plaintext JSON under the same state directory with the same permissions. Consistent with existing behavior.

None of these are blockers or require changes in this PR scope.

[omarshahine]

Aisle findings response (commit d27603b)

#1 (High) Replay re-executes tool side effects when final delivery fails:
This is an intentional design tradeoff, documented in the PR body under "Interaction with edit events." The alternative — committing the dedupe on tool execution rather than delivery — means the user never gets a reply if the final send fails transiently. For a personal iMessage channel (BB's use case), a duplicate reply is recoverable; a permanently silenced message is not. A two-phase "process + deliver" retry queue would be the ideal long-term solution, but that's a cross-channel infrastructure change well beyond this PR's scope. The current behavior is strictly better than the status quo (no dedupe at all, guaranteed duplicates on every restart).

#2 (Medium) Unbounded fields in verbose logs:
Valid hardening suggestion. Adding a length cap to sanitizeForLog is reasonable. Will address.

#3 (Medium) Symlink-following in atomic JSON writer:
Pre-existing concern in src/infra/json-files.ts, not introduced by this PR. Same response as the earlier scan.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: be43c315aa

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Skip dedupe for from-me webhook messages

processMessage now claims/drops dedupe entries before the message.fromMe branch runs, so after a gateway restart replayed from-me events are treated as duplicate and never reach cacheInboundMessage() in processMessageAfterDedupe. That regresses post-restart cache hydration for BlueBubbles reply context/short IDs (the cache is in-memory), so replies to pre-restart assistant messages can lose context resolution even though the replay webhooks still arrived. Consider bypassing duplicate-drop for fromMe events (or running their cache-update path before dedupe return).

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: cbeb3ca130

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Release dedupe claim on block-stream delivery failures

When BlueBubbles blockStreaming is enabled, replies can be delivered as block payloads without a final payload, but this handler only marks dedupeSignal.deliveryFailed for info.kind === "final". If a block send fails (transient network/API error), onError logs it but leaves deliveryFailed false, so processMessage commits the dedupe claim and future replay webhooks for that message are dropped as duplicates for 7 days instead of retrying delivery. This regresses reliability specifically for block-streaming accounts with block-only output.

Useful? React with 👍 / 👎.