fix(messages): keep group visible replies automatic by default

[steipete]

Summary

• Revert normal group/channel visible replies back to automatic final delivery by default.
• Keep message_tool as explicit opt-in for shared/ambient group rooms; room events still require message(action=send) for visible output.
• Update doctor/config docs/changelog and ambient room docs to recommend opt-in message_tool for group rooms on latest-generation, tool-reliable models such as GPT 5.5.

Discussion

#83443 fixed a Discord progress-preview final-drop path. This PR handles the broader complaint cluster: making every normal group/channel request default to message_tool made silent rooms too easy when a model returned final text but did not call message(action=send). The safer default is the old automatic visible final-reply path; users who want lurk-mode semantics can opt in with messages.groupChat.visibleReplies: "message_tool" and, for always-on rooms, pair it with messages.groupChat.unmentionedInbound: "room_event".

Room events remain strict. They still keep final text private unless the model calls the message tool, so ambient context stays quiet by construction. That is the mode we should recommend for shared group rooms with strong tool-calling models, not impose on every group/channel request.

Refs #83393.
Refs #78066.
Refs #77149.
Refs #76996.
Follows #83443.

Verification

Behavior addressed: Normal group/channel source replies default to automatic final delivery again, while explicit message_tool and ambient room_event turns remain message-tool-only.
Real environment tested: Local focused Vitest/docs checks in the OpenClaw checkout; #83443 was landed first with PR Real behavior proof.
Exact steps or command run after this patch: pnpm test src/auto-reply/reply/source-reply-delivery-mode.test.ts src/auto-reply/reply/dispatch-from-config.test.ts src/commands/doctor-legacy-config.migrations.test.ts src/commands/doctor/shared/preview-warnings.test.ts src/config/schema.help.quality.test.ts; pnpm format:docs:check; git diff --check; codex --dangerously-bypass-approvals-and-sandbox --sandbox danger-full-access review --uncommitted
Evidence after fix: Focused tests passed 4 Vitest shards; docs formatting clean; diff check clean; Codex review reported no actionable correctness issues.
Observed result after fix: Unset group/channel config resolves to automatic; explicit message_tool and room-event paths still resolve to message_tool_only; doctor no longer writes the old group default.
What was not tested: No live Discord/Slack/Telegram roundtrip for this config-default PR.

[clawsweeper]

Codex review: needs maintainer review before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR changes group/channel visible reply defaults back to automatic final delivery, removes doctor materialization of message_tool, updates docs/changelog, and adds focused resolver/dispatch/doctor tests.

Reproducibility: yes. by source inspection and focused tests: current main resolves unset group/channel visible replies to message_tool_only, while the PR-head tests demonstrate automatic for normal group/channel turns and message_tool_only for room events. I did not run a live transport repro in this read-only review.

PR rating
Overall: 🦐 gold shrimp
Proof: 🦐 gold shrimp
Patch quality: 🐚 platinum hermit
Summary: The patch is focused and covered by useful source-level tests, but proof quality is capped by the maintainer override and lack of live transport evidence for a channel-delivery default change.

Rank-up moves:

• Add a redacted live Discord, Slack, or Telegram roundtrip if maintainers want stronger confidence in the transport-visible behavior before merge.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Override: A maintainer applied proof: override for this PR.

Risk before merge
Why this matters: - Existing quiet or lurk-mode group/channel rooms that relied on unset config will begin posting final assistant text automatically unless operators explicitly set messages.groupChat.visibleReplies: "message_tool".

• Configs where openclaw doctor --fix already materialized messages.groupChat.visibleReplies: "message_tool" will remain explicitly tool-only, so some affected users may still need documented cleanup.
• No live Discord, Slack, or Telegram roundtrip proof is included for the final head; the merge gate is covered by proof: override and focused source-level proof, not transport proof.

Maintainer options:

1. Accept the visibility default reversal (recommended)
   Land with the included docs/changelog if maintainers intentionally accept that unset group/channel rooms become more visibly talkative by default.
2. Require live transport proof
   Ask for a Discord, Slack, or Telegram roundtrip before merge if maintainers want end-to-end confidence beyond the focused resolver and dispatch tests.
3. Pause if quiet-by-default remains policy
   Pause or close this PR if the product direction is still that shared group/channel rooms should be quiet unless explicitly configured automatic.

Next step before merge
No automated repair is queued because no discrete code defect remains; the remaining action is maintainer acceptance of the compatibility tradeoff and normal landing.

Security
Cleared: The diff does not add dependencies, CI execution, credential handling, or new privilege paths; the visibility-default change is tracked as compatibility/message-delivery risk rather than a concrete security regression.

Review details

Best possible solution:

Land the default reversal only if maintainers accept the talkative-by-default upgrade behavior, while preserving explicit message_tool and room_event quiet semantics plus clear docs for ambient rooms.

Do we have a high-confidence way to reproduce the issue?

Yes by source inspection and focused tests: current main resolves unset group/channel visible replies to message_tool_only, while the PR-head tests demonstrate automatic for normal group/channel turns and message_tool_only for room events. I did not run a live transport repro in this read-only review.

Is this the best way to solve the issue?

Yes, if maintainers accept the default reversal: the PR changes the central resolver, doctor behavior, docs, and regression tests instead of adding a duplicate fallback. The remaining question is product/upgrade safety for rooms that intentionally relied on the previous quiet default.

Label justifications:

• P1: The PR addresses a user-visible channel reply regression where generated final replies can be silently absent from group/channel rooms.
• merge-risk: 🚨 compatibility: Changing the unset group/channel default can alter existing room behavior during upgrade for users who depended on quiet/lurk semantics.
• merge-risk: 🚨 message-delivery: The diff changes whether normal group/channel final text is delivered visibly by default or suppressed pending a message-tool call.

What I checked:

• Resolver default and guards: The PR-head resolver keeps room_event strict, preserves unauthorized text-slash group/channel turns as message_tool_only, and changes unset group/channel config to resolve as automatic. (src/auto-reply/reply/source-reply-delivery-mode.ts:45, 0213df011bf0)
• Runtime message-tool allowance: The dispatch path now runtime-allows the message tool only for explicit message-tool mode, room events, or configured message_tool, matching the new automatic default for normal group/channel turns. (src/auto-reply/reply/dispatch-from-config.ts:772, 0213df011bf0)
• Doctor preview behavior: Doctor preview provenance now reports the unset group policy as automatic and only warns when a visible-reply policy is explicitly message_tool but unavailable. (src/commands/doctor/shared/preview-warnings.ts:284, 0213df011bf0)
• Regression coverage: Focused tests cover automatic defaults, strict room events, opt-in message-tool mode, unauthorized slash-command quiet handling, and default group/channel final dispatch. (src/auto-reply/reply/source-reply-delivery-mode.test.ts:33, 0213df011bf0)
• User-facing docs and changelog: The docs now say normal group/channel requests default to automatic visible replies and recommend message_tool for shared ambient rooms; the changelog records the behavior change. Public docs: docs/channels/groups.md. (docs/channels/groups.md:46, 0213df011bf0)
• Current-main merge sanity: A read-only merge-tree against current main produced a clean virtual merge and git diff --check reported no whitespace errors for the resulting PR diff. (0213df011bf0)

Likely related people:

• steipete: Shortlog over the central reply/doctor/docs files shows Peter Steinberger as the largest contributor in this area, and the PR discussion records maintainer-side source-level proof override on the final head. (role: heavy area contributor and proof override provider; confidence: high; commits: e7d33b4870f7, 310b5e4f6a22, a9407d2f65ce; files: src/auto-reply/reply/dispatch-from-config.ts, src/auto-reply/reply/source-reply-delivery-mode.ts, docs/channels/groups.md)
• Vincent Koc: Current-main blame on the visible-reply resolver, doctor warnings, and group docs points to the grafted current snapshot commit authored by Vincent Koc, with nearby reply/doctor refactor history also under the same name. (role: current implementation contributor; confidence: medium; commits: 3782294e926d, 7c91d0dbc985, a88fbf0f6476; files: src/auto-reply/reply/source-reply-delivery-mode.ts, src/commands/doctor/shared/preview-warnings.ts, docs/channels/groups.md)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 5a7d31108ee3.

[openclaw-mantis]

Mantis Telegram Desktop Proof

Summary: Mantis did not generate before/after GIFs because this PR does not have a clean Telegram-visible before/after proof in the standard Mantis run.

• Scenario: telegram-desktop-proof
• Trigger: pull_request_target
• Run: https://github.com/openclaw/openclaw/actions/runs/26020584197
• Artifact: https://github.com/openclaw/openclaw/actions/runs/26020584197/artifacts/7052375282
• Baseline: skipped at 4c613fbfe05f4dc7ee66dfffa5bc48dc3f370816, expected Telegram Desktop baseline capture blocked
• Candidate: skipped at e8bb182d195fba65b09212223a528d94c08073dc, expected Telegram Desktop candidate capture blocked
• Overall: skipped

Raw QA files: https://artifacts.openclaw.ai/mantis/telegram-desktop/pr-83498/run-26020584197-1/index.json

[steipete]

Verification before merge:

Behavior addressed: normal group/channel source replies default to automatic final delivery again; explicit message_tool and ambient room_event turns remain message-tool-only; unauthorized text-slash group/channel command turns remain quiet/tool-only.
Real environment tested: source-level maintainer proof plus focused local Vitest on the rebased PR head fa33ace.
Exact steps or command run after this patch: pnpm test src/auto-reply/reply/source-reply-delivery-mode.test.ts src/auto-reply/reply/dispatch-from-config.test.ts src/commands/doctor-legacy-config.migrations.test.ts src/commands/doctor/shared/preview-warnings.test.ts src/config/schema.help.quality.test.ts; git diff --check.
Evidence after fix: 4 Vitest shards passed in 67.79s; diff check clean; the review finding about unauthorized text-slash group/channel turns was fixed in fa33ace.
Observed result after fix: unset group/channel config resolves to automatic for ordinary messages; explicit message_tool, room events, and unauthorized text-slash commands resolve to message_tool_only; doctor no longer materializes the old group default.
What was not tested: no live Discord/Slack/Telegram roundtrip in this merge gate. Maintainer accepts source-level proof for the linked routing/default issues.

[steipete]

Verification update: final pushed head is c440ec9. The last fix only corrected the slash-command guard predicate type; local proof after that fix:

• pnpm lint passed.
• pnpm tsgo:prod passed.
• pnpm test src/auto-reply/reply/source-reply-delivery-mode.test.ts src/auto-reply/reply/dispatch-from-config.test.ts src/commands/doctor-legacy-config.migrations.test.ts src/commands/doctor/shared/preview-warnings.test.ts src/config/schema.help.quality.test.ts passed 4 Vitest shards in 43.65s.
• git diff --check passed.

Maintainer accepts source-level proof for this default/routing fix; proof: override is applied.

[steipete]

Verification update: final pushed head is 0213df0. The last commit only narrows reused test fixtures with satisfies OpenClawConfig; local proof after that fix:

• pnpm check:test-types passed.
• pnpm test src/auto-reply/reply/source-reply-delivery-mode.test.ts src/auto-reply/reply/dispatch-from-config.test.ts src/commands/doctor-legacy-config.migrations.test.ts src/commands/doctor/shared/preview-warnings.test.ts src/config/schema.help.quality.test.ts passed 4 Vitest shards in 28.13s.
• git diff --check passed.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f52b2aa697

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Include unauthorized slash turns in tool-only allowlist

This condition no longer treats unauthorized text-slash turns as message-tool delivery, even though resolveSourceReplyDeliveryMode now forces those turns to "message_tool_only" in groups/channels. In configs with restrictive tool profiles (for example tools.profile: "coding"), runtimeProfileAlsoAllow stays empty here, messageToolAvailable resolves false, and the later fallback switches those unauthorized slash turns back to automatic visible delivery, exposing command output in-room instead of keeping it private. Please include the unauthorized text-slash path when computing prefersMessageToolDelivery so these turns keep the runtime message allow-grant.

Useful? React with 👍 / 👎.

[steipete]

Final head proof for f52b2aa6976f002ff825a6241b374be0dd0b2b93:

Behavior addressed: group/channel visible replies now resolve to automatic delivery by default; explicit message_tool remains opt-in; room_event remains tool-only; unauthorized text slash turns remain tool-only.
Real environment tested: source-level CI plus focused local regression tests.
Exact steps or command run after this patch:

• git diff --check
• pnpm lint
• pnpm tsgo:prod
• pnpm check:test-types
• pnpm test src/auto-reply/reply/completion-delivery-policy.test.ts src/auto-reply/reply/source-reply-delivery-mode.test.ts src/auto-reply/reply/dispatch-from-config.test.ts src/commands/doctor-legacy-config.migrations.test.ts src/commands/doctor/shared/preview-warnings.test.ts src/config/schema.help.quality.test.ts
• CI: https://github.com/openclaw/openclaw/actions/runs/26022922969
• CodeQL Critical Quality: https://github.com/openclaw/openclaw/actions/runs/26022922956
• Real behavior proof: https://github.com/openclaw/openclaw/actions/runs/26022921225
  Evidence after fix: all listed local checks passed; CI, CodeQL Critical Quality, and Real behavior proof passed on the final head.
  Observed result after fix: completion/source delivery policy matches the restored automatic default, while the message_tool opt-in and command-quiet paths stay covered by tests.
  What was not tested: no live Discord/Slack/Telegram room send; maintainer accepted source-level proof for this revert/default fix.