fix(imessage): always-on inbound recovery and dedupe

[omarshahine]

Summary

What problem does this PR solve?

• After a bridge/Push recovery, Apple writes the messages that queued during the gap into chat.db with fresh ROWIDs but old send dates; imsg watch emits them and OpenClaw dispatched them as fresh user requests (iMessage bridge recovery can dispatch stale inbound backlog as fresh requests #89237, "backlog bomb"). Separately, iMessage was the only channel with no inbound replay protection, and messages that arrived while the gateway was down were either lost (catchup off) or recovered by a heavy opt-in subsystem.

Why does this matter now?

• iMessage bridge recovery can dispatch stale inbound backlog as fresh requests #89237 is a P1 message-integrity bug. The fix also lets a much smaller, always-on design replace the ~850-LOC opt-in catchup subsystem.

What is the intended outcome?

• Persistent claimable GUID dedupe (createClaimableDedupe, the same primitive whatsapp/discord/signal/mattermost/zalo/line/nextcloud-talk use): claim at ingestion, carry the exact claimed key on the debouncer entry, commit on successful flush, release on dispatch failure (per dispatch unit, so a coalesced bucket cannot strand a sibling's claim).
• Downtime recovery, rebuilt on the dedupe. On startup the monitor passes the last dispatched rowid (a persisted per-account cursor) to imsg watch.subscribe as since_rowid, so imsg replays the rows that landed while the gateway was down, then tails live. The dedupe drops anything already handled, so none of the old cursor/messages.history/retry bookkeeping is needed.
• Stale-backlog age fence, split on the startup rowid boundary. Replayed rows (at/below the boundary) use a wide recovery window; genuinely-live rows (above it) use the tight live fence where iMessage bridge recovery can dispatch stale inbound backlog as fresh requests #89237's Push-flush backlog appears.

What is intentionally out of scope?

• The old chats.list + messages.history catchup mechanism (deleted). Recovery needs local chat.db access; over a remote SSH cliPath the monitor tails from the current rowid (suppress-and-move-on).

What does success look like?

• Missed-during-downtime messages are replayed; the Push-flush backlog is suppressed; duplicates are deduped; net -710 prod LOC.

What should reviewers focus on?

• The claim/commit/release wiring (per-unit commit so coalesced GUID-less rows cannot leak a claim), the rowid-boundary split of the age fence, and the catchup config retirement + back-compat.

Linked context

Which issue does this close?

Closes #89237

Which issues, PRs, or discussions are related?

Related #91243 (supersedes the catchup half).

Was this requested by a maintainer or owner?

Maintainer-authored; fixes a P1 issue-rating: diamond lobster report.

Real behavior proof (required for external PRs)

• Behavior or issue addressed: (a) iMessage bridge recovery can dispatch stale inbound backlog as fresh requests #89237 stale-backlog suppression on the live path, and (b) recovery of messages missed while the gateway was down.
• Real environment tested: the patched gateway built from this branch, run from source against real imsg 0.11.0 / Messages.app. Empty allowlist so the test gateway sent nothing.
• Exact steps and evidence (redacted live monitor output):
  • iMessage bridge recovery can dispatch stale inbound backlog as fresh requests #89237 age fence (real imsg over a remote SSH cliPath, the exact setup iMessage bridge recovery can dispatch stale inbound backlog as fresh requests #89237 was reported on): a real inbound (age ~1.5s) under the 15min fence → CLAIMED+ENQUEUED (dispatched); with the fence forced to 1ms the same message → AGE-FENCE-SUPPRESSED (no enqueue). The fence gates exactly on send-date age.
  • Downtime recovery (local imsg/Messages on the gateway Mac; messages scripted from a second Mac so it is end-to-end):
    • baseline message → dispatched, recovery cursor persisted at its rowid 127953
    • gateway stopped; two messages sent while down (chat.db max → 127955)
    • gateway restarted → startup cursor(L)=127953 boundary(M)=127955 since_rowid=127953, then inbound rowid=127954 recovery=true text="DOWNTIME MSG A (sent while gateway down)" DELIVERED and rowid=127955 recovery=true ... MSG B ... DELIVERED
• Observed result: both messages sent while the gateway was down were replayed and delivered on restart (recovery=true); without the cursor/since_rowid they are skipped by imsg's self-fence. The iMessage bridge recovery can dispatch stale inbound backlog as fresh requests #89237 backlog (old date, live rowid) is still suppressed.
• What was not tested: the spontaneous bridge-recovery Push-flush burst is not reproducible on demand; covered by unit tests + imsg source analysis. Remote-cliPath recovery is intentionally not implemented (no local db).
• Proof limitations: [PROOF-...] instrumentation was added only on a throwaway local checkout to capture the traces and has been reverted; no host state was modified.

Tests and validation

Which commands did you run?

• node scripts/run-vitest.mjs extensions/imessage (537 pass) + config-guard + config-validation
• pnpm tsgo:core / tsgo:extensions / tsgo:extensions:test / tsgo:core:test (clean); oxlint / oxfmt clean; generated config artifacts + docs format in sync

What regression coverage was added or updated?

• inbound-dedupe.test.ts (claim/commit/release, retry, in-flight duplicate, composite-key round-trip, age-fence threshold/fail-open), recovery-cursor.test.ts (load/advance/monotonic/per-account), doctor-contract-api.test.ts (catchup strip), monitor.last-route.test.ts (startup since_rowid = cursor, recovery replay delivered vs live old suppressed, stale-vs-fresh). Catchup tests deleted.

What failed before this fix, if known?

• Stale backlog dispatched as fresh; no inbound dedupe; missed-during-downtime messages lost unless the opt-in catchup was enabled.

Risk checklist

Did user-visible behavior change? (Yes/No)

Yes. Inbound is deduped; the Push-flush backlog is suppressed (logged); downtime recovery is now automatic on local setups (was opt-in catchup).

Did config, environment, or migration behavior change? (Yes/No)

Yes. channels.imessage.catchup.* is retired; existing configs still load (key stripped before validation) and openclaw doctor --fix removes it via a new iMessage doctor contract that also reports it.

Did security, auth, secrets, network, or tool execution behavior change? (Yes/No)

No.

What is the highest-risk area?

The catchup config retirement and the claim/commit/release + rowid-boundary recovery wiring.

How is that risk mitigated?

Strip-before-validation (no load break) + doctor report/migrate; per-unit commit/release and the dual-threshold split are unit-tested; the dedupe backstops cursor imprecision; both behaviors were live-proven on real imsg/Messages.

Current review state

What is the next action?

Maintainer review; Greptile + CI.

What is still waiting on author, maintainer, CI, or external proof?

CI + Greptile.

Which bot or reviewer comments were addressed?

Codex autoreview flagged premature replay record, a check-then-record race, a coalesced GUID-less claim leak, and a startup-window message-loss window — all fixed; the branch-level Codex review came back clean.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed June 8, 2026, 3:46 AM ET / 07:46 UTC.

Summary
The PR adds iMessage persistent inbound dedupe, startup since_rowid downtime recovery, stale-backlog age fencing, catchup config/doctor cleanup, docs, and regression tests.

PR surface: Source +569, Tests +384, Docs -43, Generated 0. Total +910 across 18 files.

Reproducibility: yes. source-reproducible: current main's live iMessage monitor path has no persistent inbound replay guard or stale age fence, and upstream imsg starts from current max rowid when no cursor is supplied. I did not run a real Messages.app bridge recovery in this review.

Review metrics: 1 noteworthy metric.

• iMessage config/default surface: 1 deprecated compatibility surface. channels.imessage.catchup.* remains schema-valid for enabled compatibility but disabled blocks are retired and removed by doctor, so upgrade behavior needs maintainer attention.

Merge readiness
Overall: 🦪 silver shellfish
Proof: 🦪 silver shellfish
Patch quality: 🐚 platinum hermit
Result: blocked until stronger real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P1] Add redacted live remote cliPath recovery proof for the final since_rowid path.
• Update the stale PR-body language that still says remote cliPath recovery is out of scope.
• [P1] Get maintainer acceptance of the catchup compatibility/deprecation behavior before merge.

Proof guidance:

• [P1] Needs stronger real behavior proof before merge: The PR has useful redacted live logs, but final-head remote cliPath since_rowid recovery still needs real proof; redact private identifiers, update the PR body, and ClawSweeper should re-review automatically or a maintainer can request @clawsweeper re-review.

Risk before merge

• [P1] Final remote cliPath downtime recovery is not yet proven in a real remote setup on this head; the current proof covers remote age fencing and local downtime replay, not the final remote since_rowid replay path.
• [P1] The PR changes a shipped channels.imessage.catchup.* surface: enabled catchup is preserved, but disabled blocks are retired and the new default remote recovery uses the narrower live fence unless legacy catchup is enabled.
• [P1] The branch is stale relative to current main by one commit, so maintainers should refresh normal CI/merge checks before landing without treating stale-base noise as PR-owned code.

Maintainer options:

1. Require final remote recovery proof (recommended)
   Ask for redacted live output showing a real remote cliPath gateway restarting from a persisted cursor and receiving the missed message through the final since_rowid path.
2. Accept the compatibility profile
   Maintainers can accept that enabled catchup remains the wide-window compatibility path while disabled catchup blocks are retired by doctor and default remote recovery uses the 15-minute live fence.
3. Pause if remote defaults are not settled
   If maintainers are not ready to narrow default remote recovery semantics, hold the PR until the remote catchup/deprecation policy is explicit.

Next step before merge

• [P1] A maintainer needs to judge the compatibility/default behavior and require contributor-side real remote proof; this is not a safe automated repair lane.

Security
Cleared: The PR does not change workflows, dependencies, lockfiles, secrets handling, or other supply-chain surfaces; the security pass found no concrete concern.

Review details

Best possible solution:

Land the monitor-layer dedupe/recovery design only after the PR body is updated with final-head remote cliPath recovery proof and maintainers explicitly accept the catchup compatibility/deprecation behavior.

Do we have a high-confidence way to reproduce the issue?

Yes, source-reproducible: current main's live iMessage monitor path has no persistent inbound replay guard or stale age fence, and upstream imsg starts from current max rowid when no cursor is supplied. I did not run a real Messages.app bridge recovery in this review.

Is this the best way to solve the issue?

Mostly yes: fixing before iMessage dispatch with since_rowid, persistent GUID dedupe, and an age fence is the right layer, and preserving enabled catchup is the safer compatibility shape. The remaining gap is proof and maintainer acceptance for final remote recovery/default semantics.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 538d36eaaaa6.

Label changes

Label changes:

• add rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🐚 platinum hermit.
• remove rating: 🧂 unranked krab: Current PR rating is rating: 🦪 silver shellfish, so this older rating label is no longer current.

Label justifications:

• P1: The PR targets a P1 iMessage message-integrity bug where stale inbound backlog can be dispatched as fresh requests.
• merge-risk: 🚨 compatibility: The PR changes shipped iMessage catchup configuration semantics and default recovery behavior for existing setups.
• merge-risk: 🚨 message-delivery: The PR changes when iMessage inbound rows are replayed, suppressed, deduped, or delivered to agents.
• rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🐚 platinum hermit.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: The PR has useful redacted live logs, but final-head remote cliPath since_rowid recovery still needs real proof; redact private identifiers, update the PR body, and ClawSweeper should re-review automatically or a maintainer can request @clawsweeper re-review.

Evidence reviewed

PR surface:

Source +569, Tests +384, Docs -43, Generated 0. Total +910 across 18 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	6	625	56	+569
Tests	7	722	338	+384
Docs	3	29	72	-43
Config	0	0	0	0
Generated	2	4	4	0
Other	0	0	0	0
Total	18	1380	470	+910

What I checked:

• Repository policy applied: Root and scoped policy were read; iMessage config/default changes and message delivery changes are compatibility-sensitive and need proof beyond diff-only review. (AGENTS.md:1, 538d36eaaaa6)
• Current main behavior: Current main has opt-in catchup and a local startup rowid watermark, but no persistent iMessage inbound claim/commit/release dedupe or live stale-backlog age fence before enqueue. (extensions/imessage/src/monitor/monitor-provider.ts:343, 538d36eaaaa6)
• PR implementation shape: Final head computes watchSinceRowid from the recovery cursor, splits the age fence by local recovery boundary, commits suppressed stale rows to dedupe, claims inbound rows before enqueue, and keeps enabled legacy catchup as the compatibility path. (extensions/imessage/src/monitor/monitor-provider.ts:358, d84c84d5fa3c)
• Regression coverage: The PR adds tests for remote cursor replay, enabled catchup preservation, local downtime replay using the wider recovery window, and live old-row suppression. (extensions/imessage/src/monitor.last-route.test.ts:608, d84c84d5fa3c)
• Dependency contract: Upstream imsg documents since_rowid as an exclusive watch cursor, passes it through RPC, and self-fences to maxRowID() only when the watcher cursor is zero. (openclaw/imsg:Sources/IMsgCore/MessageWatcher.swift:100, 041b40686a6d)
• Proof gap: The PR body gives redacted live logs for remote age-fence behavior and local downtime replay, but final head also implements remote cliPath since_rowid recovery while the body still describes remote recovery as out of scope. (d84c84d5fa3c)

Likely related people:

• vincentkoc: Recent main history for iMessage monitor startup/retry and catchup-adjacent code includes multiple commits, and the final PR head commit is authored by Vincent Koc. (role: recent area contributor; confidence: high; commits: 8dff52958701, 35a784c16563, d84c84d5fa3c; files: extensions/imessage/src/monitor/monitor-provider.ts, extensions/imessage/src/monitor.last-route.test.ts)
• steipete: Shortlog shows Peter Steinberger as the largest contributor across the central iMessage monitor/docs files, with repeated refactors around plugin/channel seams. (role: historical area contributor; confidence: medium; commits: d85b2a0e8148, e4b5027c5e29, 2766c27b2aa6; files: extensions/imessage/src/monitor/monitor-provider.ts, docs/channels/imessage.md)
• omarshahine: Beyond opening this PR, Omar Shahine recently touched the same iMessage monitor/coalescing surface in the merged split-send coalescing work. (role: recent adjacent contributor; confidence: medium; commits: 9caff5f873cd, e95bf048af9c, 408d00a7adfa; files: extensions/imessage/src/monitor/monitor-provider.ts, extensions/imessage/src/monitor/coalesce.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[omarshahine]

@clawsweeper re-review

Reshaped since the last review: instead of deprecating catchup outright, this now replaces the ~850-LOC catchup subsystem with downtime recovery built on the new inbound dedupe (startup since_rowid = persisted last-dispatched rowid; age fence split on the startup rowid boundary). Missed-during-downtime messages are recovered again, with no config. Live down→up→recovered proof and the #89237 age-fence proof are in the PR description. Net -710 prod LOC.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

[omarshahine]

@clawsweeper re-review

Your P1 ("users who enabled catchup would silently move to suppress-and-move-on and miss downtime messages") was reviewed against the pre-reshape commit e9b5b23. The PR has since been reshaped so that is no longer the behavior:

• Catchup is replaced, not removed. Downtime recovery is now automatic on local setups: on startup the monitor passes the last dispatched rowid (a persisted cursor) to imsg watch.subscribe as since_rowid, so imsg replays the messages that landed while the gateway was down, then tails live. The dedupe drops anything already handled. A user who had catchup.enabled: true keeps the capability — now with no config.
• Live proof of the exact concern is in the PR description (Real behavior proof): gateway stopped → 2 messages sent while down → gateway restarted → both replayed and delivered (recovery=true), end to end on real imsg/Messages.

On the merge-risk: compatibility / message-delivery labels: there is no upgrade risk to the config removal. Existing configs still load (the retired catchup key is stripped before validation), the key is inert, and recovery runs automatically — so a catchup-on user loses nothing on upgrade. openclaw doctor --fix removes the stale key and a doctor rule reports it.

Two cursor-state edges in the new recovery path (failed-replay cursor leapfrog, suppressed-row re-delivery after restart) and a bounded-key concern were caught by Codex autoreview and fixed in b3e66b83 / 2bf16dc5, with regression tests.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Superseded
• Detail: A newer re-review for this item started before this run finished, so GitHub cancelled this older run. Check the latest ClawSweeper run for the current result.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27120568240
• Updated: 2026-06-08T06:49:09.234Z

[vincentkoc]

Maintainer fix pushed in d84c84d.

What changed:

• Preserved channels.imessage.catchup.enabled: true as the legacy compatibility replay path, including remote/SSH setups.
• Kept disabled/non-enabled catchup blocks retired and removable by doctor --fix.
• Restored legacy catchup cursor sidecar detection/import so upgrade cursors are not lost.
• Tightened recovery cursor advancement so failed or lower pending replay rows cannot be skipped.
• Kept first-run startup-boundary rows under the live stale fence unless a real prior recovery cursor exists.
• Restored coalesced catchup high-water metadata and removed raw NUL bytes from the inbound dedupe source.

Proof:

• pnpm test:serial src/cli/program/config-guard.test.ts extensions/imessage/src/monitor.last-route.test.ts extensions/imessage/src/monitor/recovery-cursor.test.ts
• pnpm test:serial extensions/imessage/src/monitor.last-route.test.ts extensions/imessage/src/monitor/coalesce.test.ts extensions/imessage/src/monitor/inbound-dedupe.test.ts extensions/imessage/src/monitor/catchup.test.ts extensions/imessage/src/monitor/catchup-bridge.test.ts extensions/imessage/src/doctor-contract-api.test.ts extensions/imessage/src/state-migrations.test.ts
• pnpm config:channels:check
• pnpm config:docs:check
• git diff --check
• .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main clean for accepted/actionable findings
• OPENCLAW_TESTBOX=1 pnpm check:changed passed on Testbox tbx_01ktk2pr836sg06dx1tv2366cn (Actions run: https://github.com/openclaw/openclaw/actions/runs/27122967788). The wrapper exited 0; the trailing external runner portal sync warning was a coordinator 401 after completion.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27123453538
• Updated: 2026-06-08T08:01:20.787Z