fix(imessage): persist echo markers before send

[colmbrogan]

Summary

• persist a short-lived iMessage echo marker before invoking the bridge send call, closing the race where Messages reflects the outbound row before post-send echo persistence finishes
• keep the existing post-send durable marker with the real message id for long catchup windows
• wire the pre-send echo hook through durable iMessage delivery paths and expire failed pre-send markers quickly

Real behavior proof

• Behavior or issue addressed: Messages self-chat can reflect an assistant outbound reply as an inbound-looking is_from_me=false row before OpenClaw writes the post-send persisted echo marker. That lets the iMessage monitor feed the assistant its own reply and can restart the acknowledgement loop.

• Real environment tested: a live macOS Messages setup using the owner's self-chat, with private local paths, phone numbers, chat ids, and message GUIDs redacted below.

• Exact steps or command run after this patch: ran openclaw --version; sent a unique proof message through the live iMessage channel with openclaw message send --channel imessage --target <owner-self-chat> --message OPENCLAW-88969-PROOF-20260604T002906Z --json; waited 20 seconds; queried the local Messages SQLite database for the proof token; searched the active main session transcript for the proof token.

• Evidence after fix: live send returned handledBy: core, dryRun: false, and messageId: ok; local Messages rows showed the known self-chat reflection shape with an empty is_from_me=1 companion row and an is_from_me=0 reflected row containing OPENCLAW-88969-PROOF-20260604T002906Z; the active session transcript contained the proof token only as an assistant delivery-mirror entry, not as a user/inbound iMessage prompt.

• Observed result after fix: the live self-chat reflection row was not routed back to the agent as a new inbound user turn, and no acknowledgement loop or automatic assistant response was triggered by the proof token.

• What was not tested: private phone number, local DB path, chat ids, and GUIDs are redacted; the broader mirror-pair refactor is not claimed; the exact public PR head was not rebuilt/restarted into the Gateway for this proof because the already-running live Gateway contained the iMessage echo fixes under local build 120691e, while CI/local checks cover the current PR branch.

Pre-fix live evidence

Before this patch, the live Messages database showed reflected outbound self-chat rows arriving before the post-send persisted echo marker was written. The representative live rows had this shape:

<row>|2026-06-01 03:48:10|0|<owner-self-chat>|<chat>|<owner-self-chat>|<guid>|'<assistant outbound text reflected as inbound-looking row>'|tel:<owner-self-chat>
<row>|2026-06-01 03:48:10|1|<owner-self-chat>|<chat>|<owner-self-chat>|<guid>|NULL|<owner-self-chat>
<row>|2026-06-01 03:48:19|0|<owner-self-chat>|<chat>|<owner-self-chat>|<guid>|'<assistant outbound text reflected as inbound-looking row>'|tel:<owner-self-chat>
<row>|2026-06-01 03:48:19|1|<owner-self-chat>|<chat>|<owner-self-chat>|<guid>|NULL|<owner-self-chat>

The matching persisted echo entries existed, but their write timestamps were later than the reflected rows, confirming the post-send-only marker was too late for this path:

{"scope":"default:imessage:<owner-self-chat>","text":"<assistant outbound text>","timestamp":"<after reflected row>"}
{"scope":"default:imessage:<owner-self-chat>","text":"<assistant outbound text>","timestamp":"<after reflected row>"}

Patched-live runtime evidence

The patched branch was then applied to the live OpenClaw installation as part of the combined iMessage fix branch:

$ openclaw --version
OpenClaw 2026.6.2 (8df0d41)

$ git -C <openclaw-checkout> status --short --branch
## local/live-imsg-88530-88969-2026-06-02

$ git -C <openclaw-checkout> log -1 --oneline
8df0d41e4e Merge remote-tracking branch 'fork/fix-imessage-presend-persisted-echo' into local/live-imsg-88530-88969-2026-06-02

The live Gateway was rebuilt from that combined branch with CI=true pnpm build, restarted, and probed successfully:

CLI version: 2026.6.2
Gateway version: 2026.6.2
Runtime: running
Connectivity probe: ok

The live recovery also confirmed the OpenClaw channel stack was functional again after restart: Telegram delivery resumed, iMessage was up, and the running Gateway was using the patched dist built from the combined branch.

Focused after-fix tests

The new regression holds the bridge send promise open and confirms the echo marker is persisted before the bridge result resolves, which is the exact timing gap observed in the live rows. Focused tests passed:

Test Files  4 passed (4)
Tests  80 passed (80)
[test] passed 1 Vitest shard in 29.85s

After the later refresh/rebase, the focused touched-test shard also passed:

extensions/imessage/src/monitor/deliver.test.ts
extensions/imessage/src/monitor/monitor-provider.echo-cache.test.ts
extensions/imessage/src/send.test.ts

3 files / 49 tests passed

oxlint on all touched iMessage files also completed with exit code 0.

What was not claimed

No private phone number, local Messages path, chat id, or message GUID is intentionally published here. No secrets are included.

This proof does not claim an additional public, unredacted live iMessage transcript. It shows the real pre-fix database race, the patched branch running in the live Gateway after rebuild/restart, and focused tests for the pre-send timing behavior.

Verification

• node scripts/run-vitest.mjs extensions/imessage/src/monitor/deliver.test.ts extensions/imessage/src/monitor/monitor-provider.echo-cache.test.ts extensions/imessage/src/send.test.ts -> 3 files, 49 tests passed
• CI=true pnpm oxlint extensions/imessage/src/monitor/deliver.ts extensions/imessage/src/monitor/deliver.test.ts extensions/imessage/src/monitor/monitor-provider.echo-cache.test.ts extensions/imessage/src/monitor/persisted-echo-cache.ts extensions/imessage/src/send.ts extensions/imessage/src/send.test.ts -> passed
• git diff --check upstream/main...HEAD -> passed
• live patched runtime verification: openclaw --version reported OpenClaw 2026.6.2 (8df0d41), Gateway reported CLI and Gateway version 2026.6.2, runtime running, and connectivity probe ok

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed June 9, 2026, 12:56 AM ET / 04:56 UTC.

Summary
Review failed before ClawSweeper could summarize the requested change.

PR surface: Source +194, Tests +198. Total +392 across 13 files.

Reproducibility: unclear. The review failed before ClawSweeper could establish a reproduction path.

Review metrics: none identified.

Merge readiness
Overall: 🌊 off-meta tidepool
Proof: 🌊 off-meta tidepool
Patch quality: 🌊 off-meta tidepool
Result: rating does not apply to this item.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Risk before merge

• [P1] No close action taken because the review did not complete.

Maintainer options:

1. Decide the mitigation before merge
   Retry the Codex review after fixing the execution failure.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge

• [P1] Review did not complete, so no work-lane recommendation was made.

Review details

Best possible solution:

Retry the Codex review after fixing the execution failure.

Do we have a high-confidence way to reproduce the issue?

Unclear. The review failed before ClawSweeper could establish a reproduction path.

Is this the best way to solve the issue?

Unclear. Retry the review first so ClawSweeper can evaluate the actual issue and fix direction.

AGENTS.md: unclear because the file could not be read completely.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 6fcc9457020e.

Label changes

Label changes:

• add rating: 🌊 off-meta tidepool: Overall readiness is 🌊 off-meta tidepool; proof is 🌊 off-meta tidepool and patch quality is 🌊 off-meta tidepool.
• remove proof: sufficient: Current real behavior proof status is not_applicable, not sufficient.
• remove P1: Current review triage priority is none.
• remove rating: 🐚 platinum hermit: Current PR rating is rating: 🌊 off-meta tidepool, so this older rating label is no longer current.
• remove merge-risk: 🚨 message-delivery: Current PR review selected no merge-risk labels.
• remove status: 👀 ready for maintainer look: Current PR status no longer selects a status label.

Label justifications:

• rating: 🌊 off-meta tidepool: Overall readiness is 🌊 off-meta tidepool; proof is 🌊 off-meta tidepool and patch quality is 🌊 off-meta tidepool.

Evidence reviewed

PR surface:

Source +194, Tests +198. Total +392 across 13 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	8	232	38	+194
Tests	5	224	26	+198
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	13	456	64	+392

What I checked:

• failure reason: codex execution failed.
• codex failure detail: Codex review failed for this PR with exit 1.
• codex stdout: Per-item Codex failure; continuing with the rest of the shard.

Likely related people:

• unknown: Codex failed before it could trace repository history. (role: review did not complete; confidence: low)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[colmbrogan]

Rebased this PR onto current upstream/main and force-with-lease pushed a refreshed branch.

Addressed ClawSweeper's concrete test finding:

• Updated extensions/imessage/src/monitor/deliver.test.ts so the chunked delivery test now proves the new timing behavior: per-chunk pre-send echo markers are recorded, post-send message-id markers are preserved, and the old risky full un-chunked pre-send marker is still not recorded.

Local verification after rebase/test refresh:

• node scripts/run-vitest.mjs extensions/imessage/src/monitor/deliver.test.ts extensions/imessage/src/monitor/monitor-provider.echo-cache.test.ts extensions/imessage/src/send.test.ts: passed, 3 files / 49 tests.
• pnpm oxlint extensions/imessage/src/monitor/deliver.ts extensions/imessage/src/monitor/deliver.test.ts extensions/imessage/src/monitor/monitor-provider.echo-cache.test.ts extensions/imessage/src/monitor/persisted-echo-cache.ts extensions/imessage/src/send.ts extensions/imessage/src/send.test.ts: passed.
• git diff --check upstream/main...HEAD: passed.

Remaining proof note: patched-live iMessage proof still needs an operator run/restart window. I have not claimed that proof in this update.

[colmbrogan]

Refreshed this PR onto current upstream/main and force-with-lease pushed the rebased branch.

Local verification after refresh:

• node scripts/run-vitest.mjs extensions/imessage/src/monitor/deliver.test.ts extensions/imessage/src/monitor/monitor-provider.echo-cache.test.ts extensions/imessage/src/send.test.ts: passed, 3 files / 49 tests.
• CI=true pnpm oxlint extensions/imessage/src/monitor/deliver.ts extensions/imessage/src/monitor/deliver.test.ts extensions/imessage/src/monitor/monitor-provider.echo-cache.test.ts extensions/imessage/src/monitor/persisted-echo-cache.ts extensions/imessage/src/send.ts extensions/imessage/src/send.test.ts: passed.
• git diff --check upstream/main...HEAD: passed.

Still not claiming patched-live iMessage proof in this update; that remains the explicit operator/live-system proof step.

[colmbrogan]

Updated the PR body with redacted patched-live runtime proof from the combined branch now running on the live Gateway.

Key updates:

• Redacted private phone/path/chat/GUID details from the earlier proof.
• Added live runtime evidence showing OpenClaw 2026.6.2 (8df0d41).
• Added live Gateway evidence showing CLI and Gateway version 2026.6.2, runtime running, and connectivity probe ok.
• Removed the stale claim that the patched branch had not been restarted live.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26860379453
• Updated: 2026-06-03T02:46:16.714Z

[omarshahine]

Land-ready after maintainer refresh and fixes.

• Rebased/refreshed onto current origin/main
• Fixed autoreview findings around slow-send pending TTL, non-reversible in-memory pre-send markers, and generic pending text matching
• Local focused proof: node scripts/run-vitest.mjs extensions/imessage/src/monitor/deliver.test.ts extensions/imessage/src/monitor/monitor-provider.echo-cache.test.ts extensions/imessage/src/monitor/self-chat-dedupe.test.ts extensions/imessage/src/monitor/catchup.test.ts extensions/imessage/src/send.test.ts -> 5 files / 113 tests passed
• Local lint/proof: touched-file CI=true pnpm oxlint ... passed; node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.extensions.test.json --incremental false --pretty false passed; git diff --check passed
• Structured autoreview: clean, no accepted/actionable findings
• GitHub CI on head 8cd9e32114885193387e68cd2a921e9a5b3e84f4: relevant checks passed; cancelled entries are superseded duplicate runs

Thanks @colmbrogan.

[omarshahine]

Landed via squash merge.

• Head reviewed: 8cd9e32114885193387e68cd2a921e9a5b3e84f4
• Merge commit: 7e3100a1202263828d9c66f68b9d2ba503a6cbe9
• Local proof before merge: focused iMessage shard, touched-file oxlint, extension test typecheck probe, diff check, and structured autoreview clean
• GitHub CI: current-head relevant checks passed before merge

Thanks @colmbrogan.