fix(sessions): preserve Matrix room-id case in session keys (#75670)

[lukeboyett]

Fixes #75670.

Summary

Matrix room IDs (and thread event IDs) are opaque and case-sensitive per the Matrix spec, but OpenClaw's session-key canonicalization lowercased them. That forked one room into duplicate sessions and produced 403 M_FORBIDDEN on recovery/identity paths that reconstruct the target from the (lowercased) session key — even though deliveryContext.to stayed correct. This is the session-key layer of #75670 (the issue's thread-event symptom was already handled by an injected identity thread-normalizer; the room-ID/session-key layer was not).

Instead of a Matrix-specific patch, this adds a generic, opt-in case-preservation registry that defaults to today's lowercase behavior and lets channels enroll individually. Signal group preservation (#82853) is encoded to match its prior behavior exactly; Matrix channel/group is the newly-enrolled channel. Every un-enrolled channel is byte-for-byte unchanged.

Regression history

• 2026-04-19 internal note: Matrix room IDs are exact literals and must not be case-normalized.
• [Bug]: Matrix outbound sends use lowercased room ID, triggering 403 M_FORBIDDEN against rooms the bot is actually joined to #78206 (closed) → [codex] add durable message lifecycle delivery #77205 (merged, ceca7fdf) fixed the lowercased room ID on the direct send path.
• The bug kept recurring on the session-key/recovery path (delivery metadata was correct, but lookup/recovery/identity rebuilt the target from the lowercased key): observed 403 User … not in room <lowercased> repeatedly (e.g. 2026-05-23, 2026-05-26 across two rooms), which is the live recurrence tracked in [Bug]: Matrix thread session key case-normalizes event IDs, causing duplicate stuck sessions and thread delivery failures #75670.
• fix(matrix): preserve case in group/channel peer IDs for session keys #57337 (closed, unmerged) was an earlier attempt at "preserve case in group/channel peer IDs for session keys" — revisited here as a generic registry with read-time precedence and live proof.

Related / prior work

• fix: preserve Signal group session IDs #82853 (merged) — Signal group session-id preservation; generalized here into the shared registry.
• [Bug]: Matrix ACP thread-bound sessions fail because room IDs are lowercased during session/binding routing #63828 / fix(matrix): preserve ACP thread binding targets #64343 (merged) — Matrix ACP thread-binding targets; same opaque-id-case class, different surface.
• Cross-channel evidence motivating the generic (not Matrix-only) design: fix(line): stop silent push failure on lowercased recipients (#81628) #81704 (LINE recipients), [Bug]: cron with sessionTarget=current still lowercases Matrix roomId in 2026.4.27 (regression of #71798 via MCP loopback path) #75261 / [Bug]: Matrix cron announce lowercases room IDs and scheduled delivery fails #71798 (cron Matrix room IDs), fix(cron): preserve LINE delivery target casing #82141 / fix(cron): preserve channel ID case in MCP loopback delivery context (#75261) #75303 (cron LINE/channel casing).
• No currently-open PR overlaps this session-key surface.

What changes

• CASE_PRESERVING_PEERS registry + isCasePreservingPeer(channel, peerKind) (session-key-utils.ts) — single policy source. signal/group = segment span (unscoped, behavior-identical to the old regex); matrix/channel|group = tail span (opaque room id incl. embedded :server, plus any :thread:<event> suffix).
• Consulted at the three sites that lowercased the room id:
  • construction — normalizeSessionPeerId
  • store canonicalization — normalizeSessionKeyPreservingOpaquePeerIds (rewritten to collect preserved spans and lowercase only the complement; tail matcher anchored to the agent-scoped head)
  • gateway send — explicit request.sessionKey now uses the opaque-preserving normalizer instead of raw lowercase
• Exact mixed-case wins over folded legacy in resolveSessionStoreEntry and delivery-info.ts lookup (exact ranks below routability, above freshness). Legacy lowercased rows collapse toward the exact key on the next write.
• Case-distinct safety (store-entry.ts): a folded lowercase key is treated as a collapsible/returnable legacy alias only when its delivery target confirms it is this room's lowercased artifact (not a genuinely case-distinct sibling room). Distinct rooms are never deleted or cross-read. (See "Codex review findings" below.)

Compatibility expectations

• Signal group preservation unchanged (scoped + unscoped Signal:Group:<id>; thread suffix still lowercased).
• Non-Matrix channels (Telegram, Slack, LINE, …) — keys lowercased exactly as before; a non-Matrix peer id literally containing :thread: is unaffected.
• Matrix DM / MXID — out of scope by decision; stays lowercased.
• Migration is fallback + write-time-collapse, not a bulk rewrite of stored session files.

Real behavior proof

• Behavior or issue addressed: Matrix room IDs were lowercased into session keys (agent:<a>:matrix:channel:<lowercased-room-id>), forking sessions and causing 403 M_FORBIDDEN on send/recovery paths that rebuild the target from the key, even though the bot is joined to the real mixed-case room.
• Real environment tested: A long-running production OpenClaw gateway (self-hosted Matrix homeserver, multi-account, macOS) running this exact patch on top of current main. The gateway was reloaded onto the patched build (PID confirmed on the new dist); two rooms that had logged the bug were exercised with live traffic. Room IDs / homeserver / MXID partially masked below; ellipses preserve the real opaque bytes' case.
• Exact steps or command run after this patch: (1) pnpm build then reload the LaunchDaemon; (2) confirm the running process is on the patched dist; (3) let organic traffic hit room A and send a fresh human message into room B; (4) inspect the live session store (~/.openclaw/agents/<agent>/sessions/sessions.json) and the gateway delivery logs for both rooms; (5) run the existing matrix-403 watcher.
• Evidence after fix (copied live output, partially masked):
  • Before (old build), the recurring failure — gateway.err.log:

    2026-05-26T10:56:48 [tools] message failed: MatrixError: [403] User @m…ry:<server> not in room !trpa…zeflu:<server>
    2026-05-26T10:32:08 [tools] message failed: MatrixError: [403] User @m…ry:<server> not in room !stmc…cqvxy:<server>
    

    (note the lowercased room id in the failing send target).
  • After (patched build), room B (sage room) — same send now succeeds — gateway.log:

    2026-05-27T13:14:58 setting pendingEvent status to sent in !trPa…zEflU:<server>
      event ID ~!trPa…zEflU:<server>:m1779902098492.0 -> $N91n…di8o
    

    delivered to the mixed-case room with a real Matrix event id; and the new persisted channel session key is mixed-case agent:<a>:matrix:channel:!trPa…zEflU:<server> (a single key, no fork).
  • Room A (dev room) — persisted session key for the live routable session is now mixed-case agent:<a>:matrix:channel:!StMc…CqvXy:<server> with deliveryContext.to = room:!StMc…CqvXy:<server>.
  • Zero case-403s on either room since the reload; the matrix-403 watcher reports 0 case-bug events in the post-reload window.
• Observed result after fix: outbound sends to mixed-case Matrix rooms succeed where they previously 403'd; lookup/recovery/identity see the correct mixed-case key. Non-Matrix channels and Signal behave exactly as before.
• What was not tested:
  • The documented main:thread:<event> residual (a thread key with no <channel>:<peerKind>: boundary still lowercases the event id — the main-session thread shape, not the room-session shape behind this issue).
  • Windows/Linux runtime (logic is platform-independent).
  • Separate surface (not this PR): some cron jobs carry pre-fix lowercased sessionTarget/sessionKey in their stored config. On fire they replay the old lowercased key (bypassing the now-fixed construction path) and materialize a non-routable, hollow session record (no deliveryContext, no origin) — which causes no 403 (the routable session is the mixed-case one). This is stale cron-config data, overlapping [Bug]: cron with sessionTarget=current still lowercases Matrix roomId in 2026.4.27 (regression of #71798 via MCP loopback path) #75261, and is corrected by a data migration of the cron configs, not by this PR's code.
  • pnpm check passes except a pre-existing, unrelated npm shrinkwrap guard failure (AWS-SDK lockfile/node_modules version skew) — this PR touches no package.json/lockfile.

Test plan

• pnpm build — clean.
• pnpm tsgo:core:test — clean.
• pnpm vitest run src/sessions/session-key-case-preservation.test.ts src/config/sessions/delivery-info.test.ts src/gateway/session-utils.test.ts — 314 passed.
• New src/sessions/session-key-case-preservation.test.ts regression matrix:
  • registry membership (Matrix channel/group + Signal group enrolled; DM / non-Matrix not);
  • construction + store-canon preserve Matrix room id (incl. :server) and :thread:<event> suffix;
  • case-distinct rooms never collapse to one key;
  • Signal scoped + unscoped preserved, Signal thread suffix lowercased, segment whitespace trimmed (legacy parity);
  • non-Matrix / :thread:-shaped peer id / Matrix DM all stay lowercased;
  • resolveSessionStoreEntry: case-distinct sibling neither deleted nor returned as existing; confirmed lowercased artifact still collapses + reads;
  • documented main:thread residual.
• Local codex review --base origin/main: AGREE.

Acceptance criteria (from the #75670 handoff)

• Matrix room IDs preserved exactly in new session keys.
• Matrix thread event IDs preserved (room-scoped path).
• Store lookup / delivery do not re-lowercase the :matrix:channel:<room-id> suffix.
• Legacy lowercased entries treated as aliases (exact mixed-case wins) without deleting case-distinct rooms.
• Regression tests cover mixed-case room, thread event, delivery metadata, no duplicate/cross-contaminated rows, and non-Matrix behavior unchanged.

Codex review findings (addressed)

• P2 — "Do not delete case-distinct Matrix sessions" (codex-connector, inline on store-entry.ts): the original folded-legacy collapse could delete (and read-cross-contaminate) a genuinely case-distinct sibling room. Resolved: the folded lowercase key is materialized as a legacy alias for both delete and read only when isLowercasedLegacyAlias(...) confirms it delivers to this room's real mixed-case id; the loop now collapses only true canonical aliases. Three+ new tests cover it. Local codex re-review: AGREE, P2 fully resolved.

AI-assisted disclosure 🤖

AI-assisted (Claude). Developed and reviewed via an iterative local codex review loop (multiple plan rounds + diff reviews, ending AGREE, including the P2 follow-up above). The real-behavior proof is from a human-operated production gateway, not generated. Plan/review notes available on request.

Notes for review

• Touches session-state + message-delivery (hence the merge-risk labels) — the case-distinct safety logic and the registry default-lowercase make the blast radius opt-in and non-Matrix-neutral.
• The fix is currently deployed on the author's production gateway ahead of merge (local patch), which produced the proof above; it drops on rebase once this lands.
• Allow edits by maintainers is enabled (takeover-ready).

[clawsweeper]

Codex review: needs changes before merge. Reviewed May 27, 2026, 7:17 PM ET / 23:17 UTC.

Summary
The PR adds opt-in case preservation for Matrix channel/group session keys and Signal group keys, updates session-store, delivery lookup, gateway send, thread recovery, and state migration paths, and adds Matrix case-preservation regression coverage.

PR surface: Source +17444, Tests +681, Other +4. Total +18129 across 15 files.

Reproducibility: yes. source inspection shows current main lowercases Matrix peer IDs outside Signal group preservation, and the PR/linked issue provide concrete Matrix 403 and duplicate-session evidence. I did not run a live Matrix reproduction in this read-only review.

Review metrics: 1 noteworthy metric.

• Generated browser asset rewrite: 1 asset rewritten, +17189/-52. The changed asset is executable plugin runtime code and is unrelated to the Matrix session-key behavior under review.

Merge readiness
Overall: 🦐 gold shrimp
Proof: 🦞 diamond lobster
Patch quality: 🦐 gold shrimp
Result: needs maintainer review before merge.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Replace substring Matrix alias proof with exact room/alias and thread equality plus regressions.
• Remove the unrelated extensions/diffs/assets/viewer-runtime.js rewrite from this branch.
• Rerun the focused session, delivery-info, migration, Matrix route, oxlint, typecheck, and whitespace checks after repair.

Risk before merge

• Matrix session-key compatibility is intentionally changing: if alias proof is wrong, case-distinct rooms or threads can still be cross-read, collapsed, or recovered under the wrong target.
• The branch rewrites an unrelated generated browser runtime under the diffs plugin; that executable asset is not explained by the Matrix session fix and needs removal or dedicated provenance.
• The strongest live proof is from the contributor's production gateway before later maintainer fixups; the latest branch has focused local validation but no post-fix live Matrix homeserver run.

Maintainer options:

1. Fix exact alias proof before merge (recommended)
   Replace substring-based Matrix delivery proof with exact extracted room or alias equality plus exact thread-id equality, add regressions for false-positive alias matches, and remove the unrelated generated diffs asset rewrite.
2. Accept the compatibility risk explicitly
   Maintainers could intentionally merge after documenting why substring proof and the generated asset rewrite are acceptable, but that would leave session-state and generated-code review risk in the release.
3. Pause for a narrower branch
   If the generated asset and session alias concerns are too intertwined to repair cleanly, pause this branch and ask for a narrow sessions-only PR that preserves the useful Matrix fix.

Copy recommended automerge instruction

@clawsweeper automerge

Special instructions:
Replace Matrix folded-alias proof with exact extracted room/alias/thread equality, add focused regression tests that a substring-like delivery target is not accepted as a legacy alias, and revert extensions/diffs/assets/viewer-runtime.js unless a dedicated diffs source/proof change is added.

Next step before merge
A narrow automated repair can address both blockers by making Matrix alias proof exact and removing the unrelated generated runtime asset.

Security
Needs attention: No secret or dependency changes were found, but the unrelated generated browser runtime rewrite is a concrete supply-chain review concern.

Review findings

• [P2] Compare Matrix delivery proof exactly — src/config/sessions/store-entry.ts:88-90
• [P2] Remove the unrelated viewer runtime rewrite — extensions/diffs/assets/viewer-runtime.js:1

Review details

Best possible solution:

Keep the Matrix opaque-ID preservation design, replace folded Matrix alias checks with exact extracted room/alias and thread equality, remove the unrelated generated asset rewrite, and then land after focused session/delivery/migration validation.

Do we have a high-confidence way to reproduce the issue?

Yes, source inspection shows current main lowercases Matrix peer IDs outside Signal group preservation, and the PR/linked issue provide concrete Matrix 403 and duplicate-session evidence. I did not run a live Matrix reproduction in this read-only review.

Is this the best way to solve the issue?

No, not as currently submitted. The case-preservation direction is the right fix boundary, but the branch still needs exact Matrix alias proof and removal of unrelated generated browser runtime churn.

Full review comments:

• [P2] Compare Matrix delivery proof exactly — src/config/sessions/store-entry.ts:88-90
  The folded-alias proof still accepts a stored entry when normalizedBaseKey.includes(target). Matrix room and thread IDs are case-sensitive opaque targets, so substring proof can still classify the wrong stored entry as a legacy alias and let lookup or cleanup use the wrong room/thread. Extract the Matrix room or alias tail and compare it, plus the thread id when present, for equality.
  Confidence: 0.86
• [P2] Remove the unrelated viewer runtime rewrite — extensions/diffs/assets/viewer-runtime.js:1
  This Matrix session fix rewrites extensions/diffs/assets/viewer-runtime.js from a compact generated bundle into a 17k-line browser runtime without a related diffs source change or proof. That executable generated asset is unrelated to the fix and should be reverted, or moved to a dedicated generated-asset PR with source/provenance.
  Confidence: 0.92

Overall correctness: patch is incorrect
Overall confidence: 0.88

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against c20a055341ac.

Label changes

Label justifications:

• P1: The PR targets active Matrix channel workflows where lowercased room/thread IDs can break sends, recovery, and session state for real users.
• merge-risk: 🚨 compatibility: The PR changes canonical session-key behavior and legacy alias handling for stored Matrix and Signal sessions during upgrade.
• merge-risk: 🚨 message-delivery: Incorrect Matrix key or alias selection can route sends/recovery to a lowercased or wrong room/thread target.
• merge-risk: 🚨 session-state: The store lookup and migration changes can collapse, preserve, or ignore persisted session records, so exact alias safety matters before merge.
• rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🦞 diamond lobster and patch quality is 🦐 gold shrimp.
• status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Override: A maintainer applied proof: override for this PR.

Evidence reviewed

PR surface:

Source +17444, Tests +681, Other +4. Total +18129 across 15 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	7	17558	114	+17444
Tests	6	708	27	+681
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	2	14	10	+4
Total	15	18280	151	+18129

Security concerns:

• [medium] Unrelated generated browser runtime rewrite — extensions/diffs/assets/viewer-runtime.js:1
  The PR changes a served JavaScript runtime asset by thousands of lines without a matching diffs source change or generated-asset provenance, so reviewers cannot attribute the executable code to the Matrix session fix.
  Confidence: 0.9

Acceptance criteria:

• node scripts/run-vitest.mjs src/config/sessions/delivery-info.test.ts src/sessions/session-key-case-preservation.test.ts src/config/sessions/transcript.test.ts src/plugin-sdk/thread-aware-outbound-session-route.test.ts src/commands/doctor-state-migrations.test.ts extensions/matrix/src/session-route.test.ts
• node scripts/run-oxlint.mjs src/config/sessions/delivery-info.test.ts src/config/sessions/delivery-info.ts src/config/sessions/store-entry.ts src/sessions/session-key-case-preservation.test.ts src/sessions/session-key-utils.ts extensions/matrix/src/session-route.test.ts src/commands/doctor-state-migrations.test.ts src/infra/state-migrations.ts
• git diff --check

What I checked:

• Repository policy applied: Root and scoped guides were read; session state, message delivery, plugin SDK, gateway, scripts, and generated asset changes are compatibility-sensitive under this repo's review policy. (AGENTS.md:1, c20a055341ac)
• Current main lowercases Matrix peers: Current main preserves Signal group IDs but lowercases all other peer IDs, so Matrix room IDs are folded before this PR. (src/sessions/session-key-utils.ts:35, c20a055341ac)
• PR implements a case-preserving registry: The merge result enrolls Matrix channel/group peers as tail-preserved opaque IDs and keeps Signal group behavior as segment-preserved. (src/sessions/session-key-utils.ts:46, be0cd4f3771c)
• Explicit gateway session keys now use the opaque-preserving normalizer: Gateway send no longer raw-lowercases an explicit request session key; it calls the new preserving normalizer before resolving the session agent. (src/gateway/server-methods/send.ts:571, be0cd4f3771c)
• Folded Matrix alias proof remains substring-based: The merge result still accepts delivery proof with normalizedBaseKey.includes(target) in both confirmed-alias and mismatch checks, leaving an inexact proof path in the session-store contract. (src/config/sessions/store-entry.ts:88, be0cd4f3771c)
• Unrelated generated browser asset rewrite: The PR rewrites the diffs viewer runtime from a compact generated bundle to a 17k-line asset without a matching diffs source change or proof in the Matrix session fix. (extensions/diffs/assets/viewer-runtime.js:1, be0cd4f3771c)

Likely related people:

• steipete: Current main blame for the session helper files points to recent refactor work, and the PR discussion shows maintainer fixups across session lookup, migration, and tests. (role: recent area contributor and PR fixup author; confidence: high; commits: 4da2b5f4d904, da59bf552c77, 55f4652c8a05; files: src/sessions/session-key-utils.ts, src/config/sessions/store-entry.ts, src/config/sessions/delivery-info.ts)
• gumadeiras: Authored the merged Matrix ACP thread-binding fix that previously addressed another opaque Matrix target casing surface in the related cluster. (role: adjacent Matrix thread-routing owner; confidence: medium; commits: 5d2225212d0e; files: src/agents/acp-spawn.ts, extensions/matrix/src/session-route.test.ts)
• lukeboyett: Authored the initial branch and supplied the live production Matrix logs that demonstrate the lowercased-room failure and the after-patch success path; not the sole current-main owner. (role: current PR branch author and live Matrix repro reporter; confidence: medium; commits: a5cbd256d869; files: src/sessions/session-key-utils.ts, src/config/sessions/store-entry.ts, src/config/sessions/delivery-info.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c6d63dff87

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[clawsweeper]

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[lukeboyett]

@clawsweeper re-review

The proof and codex finding are both addressed:

• Real behavior proof rewritten with copied live before/after output from a production gateway (partially masked): the recurring [403] not in room <lowercased> send now delivers status to sent against the mixed-case room id, zero case-403s post-reload. Unit tests/repro are supplemental only.
• codex-connector P2 ("do not delete case-distinct Matrix sessions") resolved — folded-legacy collapse + read fallback are now gated on a delivery-target confirmation; case-distinct rooms are never deleted or cross-read. New regression tests added; local codex review AGREE.
• PR body restructured (regression history, related work, compatibility, test plan, acceptance criteria, codex findings, review notes).

No contributor-facing work open.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26533691396
• Updated: 2026-05-27T19:34:00.122Z

[chatgpt-codex-connector]

💡 Codex Review

openclaw/src/config/sessions/delivery-info.ts

Line 150 in 31be7a5

acceptCandidate(normalizedIndex.get(foldedLegacyKey));

Do not reuse folded Matrix aliases in delivery lookup

When the requested Matrix session key is the lowercase room (or has no exact entry), this fallback index still looks up the lowercased/folded alias and can return a different mixed-case room entry that only folds to the same string. For example, with only agent:main:matrix:channel:!MixedCase:Example.Org in the store, extractDeliveryInfo("agent:main:matrix:channel:!mixedcase:example.org") can route to the mixed-case room because buildFreshestSessionEntryIndex indexes the mixed entry under the folded key; this reintroduces the same case-distinct room cross-contamination the new store-entry checks avoid.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[lukeboyett]

@codex @clawsweeper — addressed the delivery-lookup case-distinct finding (force-pushed).

findSessionEntryInStore / buildFreshestSessionEntryIndex no longer let a case-distinct Matrix room leak into delivery resolution:

• buildFreshestSessionEntryIndex no longer indexes entries under their folded lowercase key (only the exact opaque-preserving key).
• Folded reads now require exact Matrix room-tail equality (matrixRoomIdOf extract + compare), not substring containment.
• A new deliveryRoomCaseMismatch guard skips exact/trimmed/index candidates whose delivery room folds-equal but case-differs from the requested room (the mislabeled lowercased-artifact leak).
• Non-Matrix keys (e.g. Signal groups) are unaffected — the guard is Matrix-room-scoped, and folded migration stays permissive (matrixRoomIdOf("") === "").

Migration read preserved (mixed request + lowercased artifact delivering to the same mixed room) and a Signal regression test guards the non-Matrix path. Local codex review: AGREE. No contributor-facing work open.

[steipete]

Maintainer fixups pushed and re-reviewed.

Behavior addressed:

• Preserves Matrix room IDs and Matrix thread event IDs in session keys instead of lowercasing opaque identifiers.
• Prevents case-distinct Matrix rooms from collapsing into each other during store lookup, delivery lookup, send routing, current-thread recovery, and state migration/doctor canonicalization.
• Keeps confirmed legacy folded Matrix artifacts recoverable when delivery metadata proves they belong to the mixed-case room/thread.
• Keeps Signal and ordinary non-opaque alias freshness behavior intact, including fresher structural aliases for the same canonical Matrix key.

Real environment tested: local macOS checkout, Node/pnpm repo wrappers.

Exact steps or command run after this patch:

• node scripts/run-vitest.mjs extensions/codex/src/app-server/attempt-startup.test.ts src/agents/embedded-agent-runner/model.test.ts src/plugin-sdk/thread-aware-outbound-session-route.test.ts src/config/sessions/delivery-info.test.ts src/sessions/session-key-case-preservation.test.ts src/config/sessions/transcript.test.ts extensions/matrix/src/session-route.test.ts extensions/slack/src/channel.test.ts src/commands/doctor-state-migrations.test.ts
• node scripts/run-oxlint.mjs extensions/codex/src/app-server/attempt-startup.test.ts src/agents/embedded-agent-runner/model.provider-runtime.test-support.ts src/plugin-sdk/core.ts src/plugin-sdk/thread-aware-outbound-session-route.test.ts src/config/sessions/delivery-info.test.ts src/config/sessions/delivery-info.ts src/config/sessions/store-entry.ts src/sessions/session-key-case-preservation.test.ts src/sessions/session-key-utils.ts extensions/matrix/src/session-route.test.ts src/commands/doctor-state-migrations.test.ts src/infra/state-migrations.ts
• git diff --check
• pnpm tsgo:test
• /Users/steipete/Projects/agent-scripts/skills/autoreview/scripts/autoreview --mode branch --base origin/main

Evidence after fix:

• Vitest: 10 files passed, 366 tests passed.
• Oxlint: passed.
• Whitespace: passed.
• Typecheck: passed.
• Autoreview: clean, no accepted/actionable findings.

Observed result after fix: Matrix mixed-case room/thread keys stay distinct, legacy proven artifacts remain recoverable, and migration/doctor cleanup no longer re-lowercases valid Matrix keys.

What was not tested: live Matrix network delivery against a real homeserver.

[steipete]

Post-merge update: rebased/merged the PR branch onto current origin/main, resolved the two current-main test-support conflicts, and added one more migration regression for unscoped legacy Matrix keys.

Behavior addressed: unscoped legacy matrix:channel:<room> session keys now preserve Matrix room casing when scoped into agent:<id>:... during doctor/startup migration.

Real environment tested: local macOS checkout, Node/pnpm repo wrappers.

Exact steps or command run after this patch:

• node scripts/run-vitest.mjs extensions/codex/src/app-server/attempt-startup.test.ts src/agents/embedded-agent-runner/model.test.ts src/plugin-sdk/thread-aware-outbound-session-route.test.ts src/config/sessions/delivery-info.test.ts src/sessions/session-key-case-preservation.test.ts src/config/sessions/transcript.test.ts extensions/matrix/src/session-route.test.ts extensions/slack/src/channel.test.ts src/commands/doctor-state-migrations.test.ts
• node scripts/run-oxlint.mjs extensions/codex/src/app-server/attempt-startup.test.ts src/agents/embedded-agent-runner/model.provider-runtime.test-support.ts src/plugin-sdk/core.ts src/plugin-sdk/thread-aware-outbound-session-route.test.ts src/config/sessions/delivery-info.test.ts src/config/sessions/delivery-info.ts src/config/sessions/store-entry.ts src/sessions/session-key-case-preservation.test.ts src/sessions/session-key-utils.ts extensions/matrix/src/session-route.test.ts src/commands/doctor-state-migrations.test.ts src/infra/state-migrations.ts
• git diff --check
• pnpm tsgo:test
• /Users/steipete/Projects/agent-scripts/skills/autoreview/scripts/autoreview --mode branch --base origin/main

Evidence after fix:

• Vitest: 10 files passed, 367 tests passed.
• Oxlint: passed.
• Whitespace: passed.
• Typecheck: passed.
• Autoreview: clean, no accepted/actionable findings.

What was not tested: live Matrix network delivery against a real homeserver.

[steipete]

CI update before merge:

• checks-node-agentic-agents failed once in unrelated src/agents/tools/image-tool.test.ts timing/state assertions, then passed on rerun in run 26544166839.
• build-artifacts failed twice in gateway-watch-regression before the watch window because the CI runner source tree was already dirty. The job's tooling tests passed both times (184 passed, 2089 tests passed), and the failure was the runner guard: dirty_watched_tree.
• Local targeted proof and final autoreview remain green as posted above.