Make Telegram sendMessage actions durable

[mbelinky]

Summary

• Routes Telegram sendMessage action delivery through the durable outbound final-send path instead of direct Telegram platform sends.
• Preserves Telegram action payload features on the durable path, including buttons, quote/reply options, media/voice options, session context, gateway scopes, and delivery pin requests.
• Extends delivery pin scope propagation through the core outbound adapter seam and adds queue-level retry/ack proof.

Verification

• node scripts/run-vitest.mjs extensions/telegram/src/action-runtime.test.ts extensions/telegram/src/outbound-adapter.test.ts src/infra/outbound/deliver.test.ts src/plugin-sdk/channel-message.test.ts -- --reporter=verbose passed: 4 files, 180 tests.
• node scripts/run-oxlint.mjs --tsconfig config/tsconfig/oxlint.core.json src/plugin-sdk/channel-outbound.ts src/channels/plugins/outbound.types.ts src/infra/outbound/deliver.ts src/infra/outbound/deliver.test.ts passed.
• node scripts/run-oxlint.mjs --tsconfig config/tsconfig/oxlint.extensions.json extensions/telegram/src/action-runtime.ts extensions/telegram/src/action-runtime.test.ts extensions/telegram/src/outbound-adapter.ts extensions/telegram/src/outbound-adapter.test.ts passed.
• git diff --check origin/main...HEAD passed.
• AUTOREVIEW_AUTO_TESTS=0 /Users/marianobelinky/agent-shared/skills/autoreview/scripts/autoreview --mode branch --base origin/main passed with no accepted/actionable findings.

Real behavior proof

Behavior addressed: Telegram sendMessage actions now enqueue durable final deliveries before the Telegram platform send, so a slow or timed-out gateway/platform send leaves retryable state instead of losing the completed agent output.
Real environment tested: Local OpenClaw source checkout using the real durable outbound queue code with a temporary OPENCLAW_STATE_DIR; Telegram platform calls were fault-injected in the focused action-runtime test.
Exact steps or command run after this patch: node scripts/run-vitest.mjs extensions/telegram/src/action-runtime.test.ts extensions/telegram/src/outbound-adapter.test.ts src/infra/outbound/deliver.test.ts src/plugin-sdk/channel-message.test.ts -- --reporter=verbose.
Evidence after fix: The new action-runtime test observes the queue entry on disk before the Telegram send runs, verifies timeout leaves a pending retryable entry with retryCount: 1, and verifies a later successful durable send is acked/removed.
Observed result after fix: Focused tests passed, including retry persistence, successful ack, delivery pin preservation, and gateway scope propagation into Telegram pinning.
What was not tested: Live Telegram delivery against a real bot was not run in this PR; this is covered with local queue/platform fault injection only.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed May 27, 2026, 8:24 AM ET / 12:24 UTC.

Summary
The PR routes Telegram sendMessage actions through sendDurableMessageBatch, preserves action payload options on that path, propagates gateway scopes into delivery pinning, and adds focused queue/pin tests plus a changelog entry.

PR surface: Source +33, Tests +290, Docs +6. Total +329 across 9 files.

Reproducibility: yes. from source inspection: current main sends Telegram action messages directly, while the PR moves them to the queue with required durability. I did not run the PR tests in this read-only review.

Review metrics: 1 noteworthy metric.

• Plugin/outbound API surfaces: 2 changed, 0 removed. The PR widens sendDurableMessageBatch parameters and adds gatewayClientScopes to pinDeliveredMessage, which are compatibility-sensitive plugin/outbound seams.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🧂 unranked krab
Patch quality: 🧂 unranked krab
Result: blocked until real behavior proof from a real setup is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Add live Telegram proof or redacted runtime logs showing the changed action-send delivery path after the patch; redact API keys, phone numbers, IPs, and private endpoints.
• Make Telegram action sends replay-safe before using required durability, or keep this path best-effort and prove the upgrade behavior.
• Remove the CHANGELOG.md edit and keep release-note context in the PR body or merge message.

Proof guidance:
Needs real behavior proof before merge: Needs real behavior proof before merge: the PR body reports focused tests and fault injection only, not live Telegram transport or redacted runtime logs showing the changed path. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Risk before merge

• durability: "required" on Telegram action sends can leave ambiguous platform-start failures unrecoverable because Telegram does not currently provide reconcileUnknownSend.
• The PR changes public/plugin-adjacent outbound seams by adding gatewayClientScopes to pinDeliveredMessage and widening sendDurableMessageBatch parameters, so maintainers should explicitly accept the compatibility surface.
• The real behavior proof is synthetic only; live Telegram transport proof or redacted runtime logs are still missing.

Maintainer options:

1. Preserve Replay Safety First (recommended)
   Change the action path to best-effort durability or add Telegram reconcileUnknownSend plus recovery coverage before making action sends required.
2. Accept Ambiguous-Send Failure
   Maintainers can intentionally accept that ambiguous Telegram action sends may move to failed instead of replaying, but that contract should be explicit before merge.
3. Pause For Transport Proof
   Hold the PR until live Telegram proof or redacted runtime logs show the changed action delivery path in a real setup.

Next step before merge
Maintainer review is needed to choose the Telegram required-durability contract and accept or reject the plugin SDK seam changes; the protected maintainer label also blocks cleanup closing.

Security
Cleared: The diff does not add dependencies, workflow execution, secret handling, or new third-party code execution; the main concerns are delivery correctness and compatibility.

Review findings

• [P1] Require replay-safe durability before required sends — extensions/telegram/src/action-runtime.ts:512
• [P3] Remove the release-owned changelog edit — CHANGELOG.md:5-9

Review details

Best possible solution:

Keep the durable action-send refactor only after the Telegram path is replay-safe: either use best-effort durability for Telegram action sends for now, or add Telegram unknown-send reconciliation plus focused recovery tests before requiring the queue.

Do we have a high-confidence way to reproduce the issue?

Yes from source inspection: current main sends Telegram action messages directly, while the PR moves them to the queue with required durability. I did not run the PR tests in this read-only review.

Is this the best way to solve the issue?

No; the durable path is the right direction, but required durability is not the best current fix unless Telegram can reconcile unknown sends. A safer path is best-effort durability or the same required-send support gate used by the message tool.

Full review comments:

• [P1] Require replay-safe durability before required sends — extensions/telegram/src/action-runtime.ts:512
  This new path forces durability: "required", but Telegram's message adapter is built from the outbound adapter and does not declare or implement reconcileUnknownSend. The existing required message-send path checks that capability before using required durability; without the same guard or a Telegram reconciler, a timeout after platform send starts leaves the queued action send unrecoverable rather than safely durable.
  Confidence: 0.9
• [P3] Remove the release-owned changelog edit — CHANGELOG.md:5-9
  Normal PRs should not edit CHANGELOG.md; this release note context already belongs in the PR body or squash/merge message, and release generation owns the changelog file.
  Confidence: 0.86

Overall correctness: patch is incorrect
Overall confidence: 0.88

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against d09eb437f261.

Label changes

Label justifications:

• P1: The PR changes Telegram message delivery durability for completed agent output, and the unresolved ambiguity can affect real channel replies.
• merge-risk: 🚨 compatibility: The diff changes plugin/outbound-facing types and a public SDK helper signature, so maintainers need to accept the seam expansion.
• merge-risk: 🚨 message-delivery: Required Telegram action sends are not replay-safe without unknown-send reconciliation, which can leave completed replies unrecovered after timeout or crash.
• rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🧂 unranked krab and patch quality is 🧂 unranked krab.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: Needs real behavior proof before merge: the PR body reports focused tests and fault injection only, not live Telegram transport or redacted runtime logs showing the changed path. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Evidence reviewed

PR surface:

Source +33, Tests +290, Docs +6. Total +329 across 9 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	5	95	62	+33
Tests	3	301	11	+290
Docs	1	6	0	+6
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	9	402	73	+329

What I checked:

• Current Telegram action behavior on main: Current main sends Telegram sendMessage actions directly through sendMessageTelegram and then pins after the platform send succeeds; the action path does not use the durable queue today. (extensions/telegram/src/action-runtime.ts:473, d09eb437f261)
• PR-required durable send: The PR changes the action path to call sendDurableMessageBatch with durability: "required". (extensions/telegram/src/action-runtime.ts:512, 20b45687e11f)
• Required sends already require replay support elsewhere: The existing message-send path derives required durability with reconcileUnknownSend: true and checks adapter support before using required queue policy. (src/infra/outbound/message.ts:219, d09eb437f261)
• Telegram lacks unknown-send reconciliation: The Telegram outbound durable capabilities declare text/media/payload/thread/batch support but do not declare reconcileUnknownSend, and the channel adapter is built from that outbound adapter. (extensions/telegram/src/outbound-adapter.ts:198, d09eb437f261)
• Recovery refuses blind replay for ambiguous sends: Queue recovery checks send_attempt_started and unknown_after_send entries for adapter reconciliation; without a reconciler it warns and moves/refuses the entry instead of blindly replaying. (src/infra/outbound/delivery-queue-recovery.ts:371, d09eb437f261)
• Telegram proof standard: The Telegram maintainer notes require real Telegram proof for transport-touching PRs, preferring bot-to-bot QA or an equivalent live probe over synthetic-only validation. (.agents/maintainer-notes/telegram.md:35, d09eb437f261)

Likely related people:

• Vincent Koc: git blame attributes the current Telegram action-send path, durable queue plumbing, and required message-send guard in this checkout to commit 1ba4448 by Vincent Koc. (role: recent area contributor; confidence: medium; commits: 1ba4448a60b6; files: extensions/telegram/src/action-runtime.ts, src/infra/outbound/deliver.ts, src/infra/outbound/message.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?

• The egg game starts only after the PR passes the real-behavior proof check.
• Before that, no creature or rarity is rolled. The treat waits for real proof.
• This is still just collectible flavor: proof affects review readiness, not creature quality.