feat(bluebubbles): replay missed webhook messages after gateway restart (#66721)

[omarshahine]

Summary

Fixes #66721. Adds an in-process startup catchup pass to the BlueBubbles channel that queries BB Server for messages delivered while the gateway was unreachable and replays them through the existing processMessage pipeline.

The hole this closes: BB Server's WebhookService is fire-and-forget on POST failure (no retries) and BB's MessagePoller only re-fires webhooks on BB-side reconnection events (Messages.app / APNs), not on webhook-receiver recovery. So inbound messages delivered while the OpenClaw gateway was down, restarting, or wedged were permanently lost — verified with a controlled experiment on macOS.

This PR was previously #66760, stacked on the now-merged dedupe work (#66816). After that landed, this was rebased onto main and reopened as a standalone PR against main.

Design

• New extensions/bluebubbles/src/catchup.ts:
  • fetchBlueBubblesMessagesSince(sinceMs, limit, opts) calls /api/v1/message/query with {after, sort:"ASC", with:["chat","chat.participants","attachment"]} so replays carry the same shape normalizeWebhookMessage already handles on live dispatch.
  • loadBlueBubblesCatchupCursor / saveBlueBubblesCatchupCursor persist a single {lastSeenMs, updatedAt} per account under <stateDir>/bluebubbles/catchup/<accountId>__<hash>.json, using the plugin-sdk's atomic JSON helpers. File layout mirrors the inbound-dedupe store from fix(bluebubbles): dedupe inbound webhooks across restarts (#19176, #12053) #66816.
  • runBlueBubblesCatchup(target) orchestrates: clamp config, fetch, filter isFromMe and pre-cursor records, dispatch to processMessage, advance cursor.
• Modified monitor.ts: after the webhook target registers, fire catchup as a background task; errors are logged but never block the channel-ready signal.
• Modified config-schema.ts: new optional catchup block (enabled, maxAgeMinutes, perRunLimit, firstRunLookbackMinutes); defaults are on with 2h lookback / 50 msg cap / 30-min first-run lookback.
• Modified accounts.ts: adds catchup to the account-merge nestedObjectKeys list so per-account overrides deep-merge on top of channel-level defaults (mirroring the existing network precedent).

Why this approach

The fix mirrors a workspace-level shell script that's been running on a real OpenClaw install for ~4 weeks (~100 LoC of bash + python doing the same query/filter/POST flow). Porting it into the BB channel itself means every install gets recovery for free, calls processMessage directly (no re-POST hop), and benefits from #66816's persistent dedupe automatically.

Safety

• Goes through the same processMessage path webhooks use, so auth, allowlist, pairing, and downstream agent dispatch all apply unchanged.
• Dedupes against fix(bluebubbles): dedupe inbound webhooks across restarts (#19176, #12053) #66816's persistent inbound GUID cache: a webhook delivery that already succeeded cannot be reprocessed by catchup.
• Never dispatches isFromMe records (double-checked before and after normalization) so the agent's own sends cannot enter the inbound path.
• Catchup runs once per gateway startup and does NOT skip on rapid restarts — skipping would permanently lose any messages that arrived during the brief downtime between the two startups.
• Cursor only advances to nowMs on fully-successful runs. On processMessage failure, the cursor is held just before the earliest failure so the next run retries from there. On truncation (fetchedCount === perRunLimit), the cursor advances only to the last-fetched timestamp so the next gateway startup picks up the unfetched tail.
• A future-dated cursor (NTP rollback, manual clock adjust) is treated as unusable and falls through to the firstRunLookback path; the cursor is repaired at the end of the run.
• Cursor uses nowMs (clamped to the latest observed timestamp on truncation) rather than the latest observed message timestamp unconditionally, to avoid stuck rescans from clock skew between BB-host and gateway-host.
• Hard ceilings: 12h max lookback, 500 messages per run.

Validation

Automated

• New scoped tests in extensions/bluebubbles/src/catchup.test.ts (21 cases): cursor round-trip, per-account scoping, filesystem-unsafe account IDs, first-run lookback + maxAge clamp, enabled: false, rapid-restart-still-runs, isFromMe filter (pre- and post-normalization), query-failure-preserves-cursor, per-message failure isolation, held-cursor-on-retryable-failure, clamp-to-prior-cursor, future-cursor recovery, pre-cursor defense-in-depth, perRunLimit warn / no-warn, truncation-cursor advances only to page boundary, and first-run maxAge clamp.
• Full BlueBubbles suite passes: 410/410.
• pnpm check green (madge, tsgo, oxlint, webhook-auth-body-order, no-pairing-store-group, pairing-account-scope).

Live end-to-end (macOS, BB Server 1.9.x, 2026-04-14)

Repeating the original repro from #66721's issue body against the new in-process catchup with the workspace shim disabled:

1. Stopped gateway cleanly. Verified port refused, no process.
2. Sent 3 distinct iMessages from a second device. BB-server log shows all 3 dispatches failed with connect ECONNREFUSED 127.0.0.1:18789 and never retried.
3. Started gateway. Webhook target registered; catchup fired in the background.
4. Gateway log:

   [bluebubbles] [default] BlueBubbles catchup:
     replayed=3 skipped_fromMe=0 skipped_preCursor=0 failed=0 fetched=3 window_ms=517184
   

5. All 3 messages produced agent replies delivered back via BB outbound. Persistent cursor file appeared at ~/.openclaw/bluebubbles/catchup/<accountId>__<hash>.json. Subsequent gateway restart with no new inbound activity logged replayed=0 fetched=0 (no-op, as expected).

Test plan

• pnpm test extensions/bluebubbles/src/catchup.test.ts — 21/21
• pnpm test extensions/bluebubbles/ — 410/410
• pnpm check — green
• Live macOS end-to-end repro: stop gateway, send N messages (N×ECONNREFUSED in BB log), start gateway, assert N replayed via catchup, cursor advanced, dedupe state populated, no-op on subsequent restart
• Maintainer review

Review-feedback history

This branch carries review feedback that was gathered on the prior PR #66760 (closed automatically when its base lobster/bb-inbound-dedupe was deleted after #66816 merged). All findings were addressed in-branch; the 5 follow-up commits on this branch are:

• 1b4402219c Greptile P2: align catchup state-dir with canonical SDK resolver; warn on perRunLimit truncation.
• 8d5129ff79 Codex P1: hold catchup cursor on retryable failures; Codex P2: clock-skew gate precondition.
• d154af9518 Codex P2: clamp first-run catchup window to maxAge; deep-merge catchup overrides.
• 34e0d52f6a Codex P2: treat future-dated cursor as unusable; recover via firstRunLookback.
• 5ac997f733 Codex P1 ×2: always run catchup on startup (remove min-interval gate); advance cursor to page boundary on truncation.

[aisle-research-bot]

🔒 Aisle Security Analysis

We found 4 potential security issue(s) in this PR:

#	Severity	Title
1	🟠 High	BlueBubbles API password placed in URL query string (leaks via logs/proxies/errors)
2	🟡 Medium	BlueBubbles catchup runs after monitor stop/unregister (no cancellation), allowing message processing when account is disabled/stopped
3	🟡 Medium	Unbounded concurrent BlueBubbles catchup tasks on monitor startup (no cancellation/locking)
4	🟡 Medium	Unbounded JSON response buffering in BlueBubbles catchup fetch can cause memory/CPU DoS

1. 🟠 BlueBubbles API password placed in URL query string (leaks via logs/proxies/errors)

Property	Value
Severity	High
CWE	CWE-598
Location	extensions/bluebubbles/src/catchup.ts:121-125

Description

The catchup implementation constructs BlueBubbles API URLs using buildBlueBubblesApiUrl(..., password).

• buildBlueBubblesApiUrl appends the password as a ?password=... query parameter.
• Query strings are commonly captured by:
  • HTTP access logs / reverse proxies
  • monitoring/APM breadcrumbs
  • error objects (e.g., fetch/undici errors often include the full request URL)
  • browser/server history and referrers in some environments
• This module also logs errors via String(err) in several places, which risks including a full URL (and therefore the password) if upstream errors embed the request URL.

Vulnerable code path:

• opts.password (secret) → buildBlueBubblesApiUrl (adds to query string) → blueBubblesFetchWithTimeout(url, ...) (network request) → potential sink in logs/monitoring/errors.

Recommendation

Avoid sending credentials in URLs.

Preferred fix (if BlueBubbles server supports it): send the password in a header (or another non-URL channel) and keep URLs free of secrets.

const url = buildBlueBubblesApiUrl({ baseUrl: opts.baseUrl, path: "/api/v1/message/query" });

const res = await blueBubblesFetchWithTimeout(
  url,
  {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      ​// Example: use Authorization header instead of query param
      "Authorization": `Bearer ${opts.password}`,
    },
    body,
  },
  opts.timeoutMs ?? FETCH_TIMEOUT_MS,
  ssrfPolicy,
);

If the API requires ?password= and cannot be changed:

• Add a helper to redact URLs before logging (remove/replace password query param).
• Never log raw error objects/messages that may include the full request URL; log a sanitized message and optionally include a request id.

Example redaction:

function redactBlueBubblesUrl(raw: string): string {
  const u = new URL(raw);
  if (u.searchParams.has("password")) u.searchParams.set("password", "<redacted>");
  return u.toString();
}

And ensure error logs do not include the unredacted URL.

2. 🟡 BlueBubbles catchup runs after monitor stop/unregister (no cancellation), allowing message processing when account is disabled/stopped

Property	Value
Severity	Medium
CWE	CWE-285
Location	extensions/bluebubbles/src/monitor.ts:347-382

Description

monitorBlueBubblesProvider starts runBlueBubblesCatchup(target) in a fire-and-forget manner after registering the webhook target. The catchup task is not tied to the monitor lifecycle (no await, no AbortSignal, no “still registered?” gate).

As a result:

• If the monitor is stopped quickly (abort/shutdown/restart) and unregister() runs, the catchup task can continue to fetch and replay messages.
• Replayed messages are fed into processMessage(normalized, target) which performs real side effects (forwarding/dispatching, history updates, etc.) and does not check an abort/registration flag.
• This can cause messages to be processed after an account/operator intended the listener to be stopped/disabled, potentially violating expected access-control semantics (“disabled means stop processing”). It can also replay using a stale target snapshot if config/credentials were changed during restart.

Vulnerable code:

​// monitor.ts
runBlueBubblesCatchup(target).catch((err) => {
  runtime.error?.(
    `[${account.accountId}] BlueBubbles catchup: unexpected failure: ${String(err)}`,
  );
});

Recommendation

Tie catchup execution to the monitor lifecycle so it cannot process messages once the provider is stopped/unregistered.

Options:

1. Pass an AbortSignal into catchup and enforce it before/while processing (recommended):

​// monitor.ts
const catchupAbort = new AbortController();
const stop = () => {
  catchupAbort.abort();
  unregister();
  resolve();
};
void runBlueBubblesCatchup(target, { abortSignal: catchupAbort.signal })
  .catch(err => runtime.error?.(`[...] ${String(err)}`));

And in runBlueBubblesCatchup, check abortSignal.aborted:

if (deps.abortSignal?.aborted) return null;
for (const rec of messages) {
  if (deps.abortSignal?.aborted) break;
  await procFn(normalized, target);
}

2. Gate processing on active registration: maintain an active flag on WebhookTarget that is set false in the unregister/stop path, and have catchup bail if inactive.

3. Await catchup on startup if startup semantics allow it (less ideal if it delays readiness), but still ensure stop can cancel the work.

Also consider logging when catchup is aborted to avoid silent partial replays.

3. 🟡 Unbounded concurrent BlueBubbles catchup tasks on monitor startup (no cancellation/locking)

Property	Value
Severity	Medium
CWE	CWE-400
Location	extensions/bluebubbles/src/monitor.ts:373-382

Description

The BlueBubbles monitor starts a catchup replay task in a fire-and-forget manner on every provider startup:

• runBlueBubblesCatchup(target) is invoked without await, without any per-account/global mutex, and without being tied to the monitor's abortSignal/shutdown.
• If the monitor is started multiple times in-process (multiple accounts, rapid restarts, hot-reload, or duplicate registrations), multiple catchup loops can run concurrently.
• Each catchup run can fetch and process up to perRunLimit messages (clamped up to 500) and runs each message through the normal processMessage pipeline, which can involve network calls (attachments/history lookups, replies) and CPU work.
• Because the task is not cancelled on stop()/unregister(), it may continue processing messages after the webhook target is unregistered, creating unexpected background activity and amplifying load.

While inbound dedupe may prevent double-delivery, it does not prevent double-work (extra queries, normalization, per-message processing attempts), making startup a potential amplification point and a denial-of-service vector in operational scenarios (e.g., repeated restarts or multiple concurrent monitors).

Recommendation

Add concurrency control and shutdown cancellation for catchup runs.

Options:

1. Per-account singleflight/mutex (recommended) so only one catchup per account can run at a time:

​// catchup.ts
const inFlight = new Map<string, Promise<BlueBubblesCatchupSummary | null>>();

export function runBlueBubblesCatchupSingleflight(target: WebhookTarget) {
  const key = target.account.accountId;
  const existing = inFlight.get(key);
  if (existing) return existing;
  const p = runBlueBubblesCatchup(target).finally(() => inFlight.delete(key));
  inFlight.set(key, p);
  return p;
}

2. Bind to abort/shutdown: thread an AbortSignal into runBlueBubblesCatchup and fetch and check it between steps:

export async function runBlueBubblesCatchup(target: WebhookTarget, deps: RunBlueBubblesCatchupDeps = {}, signal?: AbortSignal) {
  if (signal?.aborted) return null;
  ​// before/after fetch, and inside the message loop:
  for (const rec of messages) {
    if (signal?.aborted) break;
    await procFn(normalized, target);
  }
}

3. Consider awaiting catchup (or limiting its runtime) during startup if startup load spikes are problematic.

These changes prevent runaway parallel replays, reduce startup amplification, and ensure catchup work does not continue after a monitor is stopped.

4. 🟡 Unbounded JSON response buffering in BlueBubbles catchup fetch can cause memory/CPU DoS

Property	Value
Severity	Medium
CWE	CWE-400
Location	extensions/bluebubbles/src/catchup.ts:149-159

Description

The BlueBubbles catchup recovery path fetches messages from the configured BlueBubbles server and parses the entire HTTP response as JSON without any client-side response-size limit or hard cap on the number of returned records.

This is problematic because:

• fetchBlueBubblesMessagesSince() calls await res.json() which requires loading/parsing the entire body in memory.
• It then iterates all entries in json.data and pushes them into an array without stopping at limit.
• When ssrfPolicy is provided, blueBubblesFetchWithTimeout() additionally buffers the entire response via response.arrayBuffer() before returning a Response, further amplifying memory usage for large responses.

If the BlueBubbles server is compromised/misconfigured, or if an attacker can influence baseUrl to point to a hostile endpoint, the endpoint can return an arbitrarily large JSON body or a data array much larger than the requested limit, potentially causing gateway startup stalls or OOM.

Vulnerable code:

const json = (await res.json().catch(() => null)) as { data?: unknown } | null;
...
const messages: Array<Record<string, unknown>> = [];
for (const entry of json.data) {
  const rec = asRecord(entry);
  if (rec) {
    messages.push(rec);
  }
}

Recommendation

Add explicit client-side caps for both response size and record count.

1. Enforce a hard cap on the number of records processed regardless of what the server returns:

const messages: Array<Record<string, unknown>> = [];
for (const entry of json.data) {
  if (messages.length >= limit) break; // hard cap
  const rec = asRecord(entry);
  if (rec) messages.push(rec);
}

2. Enforce a maximum acceptable response size before parsing JSON (and ideally avoid buffering the full response in blueBubblesFetchWithTimeout):

const MAX_BYTES = 1_000_000; // choose an appropriate upper bound
const len = Number(res.headers.get("content-length") ?? "0");
if (len && len > MAX_BYTES) throw new Error("Response too large");

For robust protection, implement streaming / incremental parsing or a guarded fetch helper that aborts once MAX_BYTES is exceeded even when Content-Length is missing or incorrect.

---

Analyzed PR: #66853 at commit 5ac997f

_{Last updated on: 2026-04-14T22:52:22Z}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5ac997f733

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Avoid clamping retry cursor against future saved cursor

When the persisted cursor is ahead of nowMs (the rollback case you already detect earlier), this retry branch still uses cursorBefore in Math.max(...). That makes heldCursor stay in the future and Math.min(heldCursor, nowMs) collapses cursorAfter to nowMs, so a transient processMessage failure is not retried and those messages can be skipped permanently. Clamp against windowStartMs (or only a cursor proven usable) in this branch.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Preserve page-boundary cursor when recovering from future cursor

The truncation path also reuses cursorBefore even when it was marked unusable (existing.lastSeenMs > nowMs). In that case Math.max(latestFetchedTs, cursorBefore ...) picks the future value, then Math.min(..., nowMs) advances the cursor to nowMs instead of the last fetched timestamp, which can permanently drop unfetched backlog items when fetchedCount === perRunLimit. Use only a usable prior cursor (or windowStartMs) for this clamp.

Useful? React with 👍 / 👎.

[greptile-apps]

Greptile Summary

This PR adds a startup catchup pass to the BlueBubbles channel that queries /api/v1/message/query for messages delivered while the gateway was unreachable and replays them through the existing processMessage pipeline. The design is well-considered: a persistent per-account cursor tracks the replay window, truncation advances the cursor only to the page boundary, retryable processMessage failures hold the cursor, future-dated cursors (NTP rollback) fall through to the first-run lookback path, and the #66816 inbound-dedupe cache prevents double-processing on any races with live webhooks.

Confidence Score: 5/5

Safe to merge — no P0/P1 issues found; only a minor CHANGELOG capitalization nit remains.

All findings are P2 (style). The implementation is thoroughly tested (21 unit cases, 410/410 suite-wide), includes a live e2e validation, and all CI gates are green. The cursor-management logic, isFromMe guards, truncation boundary, and failure-isolation behaviors are each covered by dedicated test cases.

No files require special attention.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: CHANGELOG.md
Line: 15

Comment:
**Lowercase `thanks` attribution**

All other changelog entries in this file use `Thanks @author` (capital T). This one uses `thanks @omarshahine` — a minor inconsistency with the project convention.

```suggestion
- fix(bluebubbles): replay missed webhook messages after gateway restart via a persistent per-account cursor and `/api/v1/message/query?after=<ts>` pass, so messages delivered while the gateway was down no longer disappear. Uses the existing `processMessage` path and is deduped by #66816's inbound GUID cache. (#66721) Thanks @omarshahine
```

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "fix(bluebubbles): always run catchup on ..." | Re-trigger Greptile}

[greptile-apps]

Lowercase thanks attribution

All other changelog entries in this file use Thanks @author (capital T). This one uses thanks @omarshahine — a minor inconsistency with the project convention.

Suggested change

	- fix(bluebubbles): replay missed webhook messages after gateway restart via a persistent per-account cursor and `/api/v1/message/query?after=<ts>` pass, so messages delivered while the gateway was down no longer disappear. Uses the existing `processMessage` path and is deduped by #66816's inbound GUID cache. (#66721) thanks @omarshahine
	- fix(bluebubbles): replay missed webhook messages after gateway restart via a persistent per-account cursor and `/api/v1/message/query?after=<ts>` pass, so messages delivered while the gateway was down no longer disappear. Uses the existing `processMessage` path and is deduped by #66816's inbound GUID cache. (#66721) Thanks @omarshahine

Prompt To Fix With AI

This is a comment left during a code review.
Path: CHANGELOG.md
Line: 15

Comment:
**Lowercase `thanks` attribution**

All other changelog entries in this file use `Thanks @author` (capital T). This one uses `thanks @omarshahine` — a minor inconsistency with the project convention.

```suggestion
- fix(bluebubbles): replay missed webhook messages after gateway restart via a persistent per-account cursor and `/api/v1/message/query?after=<ts>` pass, so messages delivered while the gateway was down no longer disappear. Uses the existing `processMessage` path and is deduped by #66816's inbound GUID cache. (#66721) Thanks @omarshahine
```

How can I resolve this? If you propose a fix, please make it concise.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[omarshahine]

Superseded by a squashed-history PR on branch lobster/bb-catchup-squash for cleaner review. Code is identical; see the new PR for the same diff as a single commit.