fix(imessage): detect and recover anchorless watch payloads before routing

[zhangguiping-xydt]

Summary

• Fix iMessage group link-preview watch payloads that lose their conversation anchor (chat_id=0, empty chat_guid / chat_identifier, is_group=false) before they can be classified as sender DMs.
• Move anchorless recovery/fail-closed drop ahead of live inbound debounce classification so coalesceSameSenderDms cannot merge malformed group payloads under the raw chat:0 DM bucket.
• Keep the existing recovery path for catchup/direct handling and add monitor-level regression coverage for the live coalescing path.

Real behavior proof

Behavior or issue addressed: iMessage group link-preview watch payloads can arrive without usable conversation anchor fields. Before this fix, live notifications entered the inbound debouncer first, so with coalesceSameSenderDms=true multiple anchorless group payloads from the same sender could be merged under imessage:<account>:dm:chat:0:<sender> before recovery. The merged turn was then repaired using only the first GUID and could route content from another group under the first recovered group.

Real environment tested: macOS 26.4.1, Node.js v24.15.0, OpenClaw v2026.5.19, worktree SHA e22876fd1bef, imsg 0.9.0 installed at /opt/homebrew/bin/imsg.

Exact steps or command run after this patch:

imsg status --json
printf '{"jsonrpc":"2.0","id":1,"method":"chats.list","params":{"limit":3}}\n' | imsg rpc --json

OPENCLAW_GATEWAY_PORT=19046 \
OPENCLAW_GATEWAY_TOKEN=pr-84503-local-token \
OPENCLAW_STATE_DIR=/Users/zhangguiping/daily_pr_work/proofs/openclaw-pr-84503-local-proof/state \
OPENCLAW_CONFIG_PATH=/Users/zhangguiping/daily_pr_work/proofs/openclaw-pr-84503-local-proof/state/openclaw.json \
node scripts/run-node.mjs --dev gateway --bind custom --port 19046

curl --noproxy '*' -sS -I http://127.0.0.1:19046/
curl --noproxy '*' -sS http://127.0.0.1:19046/health

OPENCLAW_GATEWAY_PORT=19046 \
OPENCLAW_GATEWAY_TOKEN=pr-84503-local-token \
OPENCLAW_STATE_DIR=/Users/zhangguiping/daily_pr_work/proofs/openclaw-pr-84503-local-proof/state \
OPENCLAW_CONFIG_PATH=/Users/zhangguiping/daily_pr_work/proofs/openclaw-pr-84503-local-proof/state/openclaw.json \
node scripts/run-node.mjs channels status --probe --channel imessage --json

pnpm exec vitest run \
  extensions/imessage/src/monitor.watch-subscribe-retry.test.ts \
  extensions/imessage/src/monitor/conversation-repair.test.ts \
  extensions/imessage/src/monitor.gating.test.ts \
  extensions/imessage/src/monitor/coalesce.test.ts

Evidence after fix:

$ imsg status --json
{
  "version": "0.9.0",
  "basic_features": true,
  "sip": "enabled",
  "advanced_features": false,
  "rpc_methods": [
    "chats.list",
    "messages.history",
    "watch.subscribe",
    "watch.unsubscribe",
    "send",
    "send.rich",
    "send.attachment"
  ]
}

$ printf '{"jsonrpc":"2.0","id":1,"method":"chats.list","params":{"limit":3}}\n' | imsg rpc --json
{"result":{"chats":[]},"id":1,"jsonrpc":"2.0"}

2026-05-24T18:23:21.205+08:00 [gateway] http server listening (10 plugins: acpx, bonjour, browser, canvas, device-pair, file-transfer, imessage, memory-core, phone-control, talk-voice; 1.7s)
2026-05-24T18:23:21.211+08:00 [gateway] starting channels and sidecars...
2026-05-24T18:23:21.264+08:00 [imessage] [default] starting provider (/opt/homebrew/bin/imsg db=/Users/zhangguiping/Library/Messages/chat.db)
2026-05-24T18:23:21.646+08:00 [gateway] ready

$ curl --noproxy '*' -sS -I http://127.0.0.1:19046/
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8

$ curl --noproxy '*' -sS http://127.0.0.1:19046/health
{"ok":true,"status":"live"}

$ node scripts/run-node.mjs channels status --probe --channel imessage --json
{
  "channels": {
    "imessage": {
      "configured": true,
      "cliPath": "/opt/homebrew/bin/imsg",
      "dbPath": "/Users/zhangguiping/Library/Messages/chat.db",
      "running": true,
      "lastError": null,
      "probe": {
        "ok": true,
        "privateApi": {
          "available": false,
          "rpcMethods": [
            "chats.list",
            "messages.history",
            "watch.subscribe",
            "watch.unsubscribe"
          ]
        }
      }
    }
  },
  "channelAccounts": {
    "imessage": [
      {
        "accountId": "default",
        "enabled": true,
        "configured": true,
        "running": true,
        "lastError": null,
        "probe": {
          "ok": true
        }
      }
    ]
  }
}

Test Files  4 passed (4)
Tests       51 passed (51)
Duration    2.82s

Observed result after fix: The patched PR source starts a real OpenClaw gateway with the real iMessage plugin enabled, not skipped. The gateway starts /opt/homebrew/bin/imsg against the local Messages database, reaches ready, reports the iMessage account as configured/running with lastError: null, and the live channel probe confirms the watch.subscribe, messages.history, and chats.list RPC methods required by the anchorless-payload recovery path. The regression test for the reported live coalescing path still verifies that two anchorless payloads from different groups are repaired before debounce classification, so they no longer share the raw chat:0 DM bucket.

Additional live evidence gathered after this patch:

• A real iMessage group chat exists locally (chat_id=3, is_group=true), and imsg messages.history shows a live URL message in that group:
  • https://github.com/openclaw/openclaw/pull/84503
• imsg watch.subscribe was started live and returned a real notification for a new group URL message sent with the same account:
  • subscription=1
  • chat_id=3
  • is_group=true
  • text=https://github.com/openclaw/openclaw/pull/84503
• That proves the local Messages.app + imsg + OpenClaw watch pipeline is live end-to-end on a real group conversation, but the notification payload itself was not malformed.

What was not tested: No new malformed group link-preview notification arrived from the local Messages account during this run, so the evidence does not include a live incoming private message/GUID. The live proof above verifies the patched OpenClaw runtime, real imsg bridge, local Messages DB access, and iMessage watch-capable channel startup; the exact malformed payload branch is covered by the monitor-level regression test using redacted synthetic GUIDs and handles.

Fixes #84470

Regression Test Plan

• Coverage level: Unit test
• Target test file: extensions/imessage/src/monitor.watch-subscribe-retry.test.ts, extensions/imessage/src/monitor/conversation-repair.test.ts, extensions/imessage/src/monitor.gating.test.ts, extensions/imessage/src/monitor/coalesce.test.ts
• Scenario locked in: Anchorless live iMessage payloads are repaired before inbound debounce classification, unrecoverable anchorless payloads fail closed, and existing conversation-repair/gating/coalescing behavior remains covered.
• Why this is the smallest reliable guardrail: The regression drives the same monitor/watch path where live watch.subscribe notifications enter OpenClaw, while keeping private iMessage handles and GUIDs out of the repository.

Root Cause

• Root cause: Live iMessage watch payloads were entering the inbound debouncer before conversation-anchor recovery. When a malformed group payload looked like chat_id=0, empty chat identifiers, and is_group=false, coalesceSameSenderDms could classify it as a sender DM before the GUID-based repair path had a chance to recover the real group.
• Missing detection / guardrail: The live monitor path lacked a pre-debounce guard for anchorless payloads and lacked regression coverage proving anchorless group payloads cannot be coalesced under a raw DM bucket.

[clawsweeper]

Thanks for the context here. I swept through the related work, and this is now duplicate or superseded.

Close as superseded: #86150 now owns the same iMessage anchorless-payload repair on current main, with broader detection, route-level assertions, changelog coverage, and explicit credit for this contribution.

Canonical path: Use #86150 as the canonical landing path for #84470, porting any uniquely useful assertion from this branch only if maintainers want it.

So I’m closing this here and keeping the remaining discussion on #86150 and #84470.

Review details

Best possible solution:

Use #86150 as the canonical landing path for #84470, porting any uniquely useful assertion from this branch only if maintainers want it.

Do we have a high-confidence way to reproduce the issue?

Yes at source level: current main enqueues the reported chat_id=0, empty identifier, is_group=false shape before repair, where coalesceSameSenderDms can bucket it as a sender DM. I did not reproduce a fresh live malformed iMessage notification in this checkout.

Is this the best way to solve the issue?

No for this branch as the landing vehicle: the repair direction is valid, but the newer canonical PR carries the same fix on current main with broader detection, route-level proof, and changelog coverage. The best solution is to land or close that canonical PR, not merge both.

Security review:

Security review cleared: No dependency, CI, secret-handling, or supply-chain regression was found; the privacy-sensitive routing behavior is covered by merge-risk and superseded-branch handling.

What I checked:

• Current main still has the bug-prone ordering: Current main parses live iMessage watch notifications and enqueues them into the inbound debouncer without an anchorless conversation-repair step first. (extensions/imessage/src/monitor/monitor-provider.ts:839, ad71a998ff94)
• Current debounce key can classify the reported shape as a DM: With coalesceSameSenderDms enabled, a payload with chat_id=0 and is_group=false builds a dm:chat:0: bucket before routing can recover the real group. (extensions/imessage/src/monitor/monitor-provider.ts:271, ad71a998ff94)
• Current routing falls back to direct sender delivery: resolveIMessageInboundDecision treats is_group=false as direct unless config proves otherwise, and buildIMessageInboundContext sends direct replies to imessage:. (extensions/imessage/src/monitor/inbound-processing.ts:493, ad71a998ff94)
• Latest release has not shipped this repair: v2026.5.22 has the same debounce ordering and no conversation-repair module under the iMessage monitor directory, so the remaining fix is not release-shipped yet. (extensions/imessage/src/monitor/monitor-provider.ts:251, a374c3a5bfd5)
• This branch implements the intended repair but remains proof-limited: The branch adds conversation-repair.ts and moves repair before inboundDebouncer.enqueue, while the PR body says no fresh malformed group link-preview notification was observed in live proof. (extensions/imessage/src/monitor/monitor-provider.ts, ee15ec620f4b)
• Canonical replacement now tracks the remaining work: Repair anchorless iMessage watch payload routing #86150 is open, draft, maintainer-labeled, closes iMessage group link-preview watch payload can lose conversation anchor and route reply to DM #84470, references this PR, credits the contributor work, and reapplies the repair on current main with broader detection, route-level assertions, and a changelog entry. (extensions/imessage/src/monitor/conversation-repair.ts, ff1d9dac2ebb)

Likely related people:

• omarshahine: Assigned to this PR and opened the newer maintainer-labeled replacement that explicitly carries the same fix path, closes the linked bug, references this PR, and credits the contributor work. (role: canonical follow-up owner; confidence: high; commits: ff1d9dac2ebb; files: extensions/imessage/src/monitor/conversation-repair.ts, extensions/imessage/src/monitor/monitor-provider.ts, extensions/imessage/src/monitor.last-route.test.ts)
• steipete: git blame on the central coalesceSameSenderDms block points to Peter Steinberger's commit that added the current monitor-provider and coalescing implementation in this checkout. (role: introduced current debounce/coalescing path; confidence: high; commits: 04d86e0f4721; files: extensions/imessage/src/monitor/monitor-provider.ts, extensions/imessage/src/monitor/coalesce.ts, extensions/imessage/src/monitor.watch-subscribe-retry.test.ts)
• Andy Ye: Recent iMessage monitor work adjusted live catchup cursor handling around the same watch/monitor surface, making this person a useful routing candidate for adjacent behavior questions. (role: recent adjacent contributor; confidence: medium; commits: 102555c6e027; files: extensions/imessage/src/monitor/monitor-provider.ts, extensions/imessage/src/monitor/catchup-bridge.ts, extensions/imessage/src/monitor.last-route.test.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against ad71a998ff94.

[clawsweeper]

ClawSweeper PR egg

🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?

• The egg game starts only after the PR passes the real-behavior proof check.
• Before that, no creature or rarity is rolled. The treat waits for real proof.
• This is still just collectible flavor: proof affects review readiness, not creature quality.

[zhangguiping-xydt]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26360486055
• Updated: 2026-05-24T12:03:07.667Z

[zhangguiping-xydt]

@clawsweeper re-review

[clawsweeper]

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26358856882
• Updated: 2026-05-24T10:45:31.992Z

[zhangguiping-xydt]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26368124857
• Updated: 2026-05-24T17:44:49.641Z

[clawsweeper]

ClawSweeper applied the proposed close for this PR.

• Action: closed this PR.
• Close reason: duplicate or superseded.
• Evidence: durable ClawSweeper review.

[omarshahine]

Superseded by the maintainer fix in #86150, merged as f37fbc9.

Thanks @zhangguiping-xydt for the contributor repair direction here. The landed fix keeps the same goal, reapplies it on current main, adds broader anchorless detection, route-level regression coverage, and real Lobster Mac proof against the live iMessage bridge.