fix(imessage): harden outbound send transport

[omarshahine]

Summary

• Add channels.imessage.sendTransport / per-account overrides and pass the selected transport to imsg rpc send (auto default, bridge, or applescript).
• Stop monitor final replies from reusing the long-lived watch RPC client; reply delivery now opens its own send client, so a wedged watch subscription cannot also wedge outbound sends.
• Keep RPC send timeout recovery ambiguity-safe: approval prompts with unique IDs can recover a sent GUID from chat.db, but generic text timeouts do not resend and do not claim success from an older identical row.
• Add iMessage troubleshooting docs for the stale-send/receive split seen when Messages sends outbound replies but inbound rows stop arriving.

Fixes #84329.
Refs #90850.

Verification

• pnpm docs:list
• pnpm config:channels:gen
• pnpm config:channels:check
• node scripts/run-vitest.mjs extensions/imessage/src/send.test.ts extensions/imessage/src/monitor/deliver.test.ts extensions/imessage/src/accounts.test.ts extensions/imessage/src/config-schema.test.ts (72 tests)
• pnpm format:check -- extensions/imessage/src/send.ts extensions/imessage/src/send.test.ts extensions/imessage/src/monitor/deliver.ts extensions/imessage/src/monitor/deliver.test.ts extensions/imessage/src/monitor/monitor-provider.ts extensions/imessage/src/accounts.ts extensions/imessage/src/accounts.test.ts extensions/imessage/src/config-schema.test.ts extensions/imessage/src/config-ui-hints.ts src/config/types.imessage.ts src/config/zod-schema.providers-core.ts src/config/bundled-channel-config-metadata.generated.ts docs/channels/imessage.md docs/gateway/config-channels.md
• pnpm docs:check-mdx
• pnpm lint:extensions -- extensions/imessage/src/send.ts extensions/imessage/src/send.test.ts extensions/imessage/src/monitor/deliver.ts extensions/imessage/src/monitor/deliver.test.ts extensions/imessage/src/monitor/monitor-provider.ts extensions/imessage/src/accounts.ts extensions/imessage/src/accounts.test.ts extensions/imessage/src/config-schema.test.ts extensions/imessage/src/config-ui-hints.ts
• pnpm tsgo:extensions
• pnpm tsgo:core
• git diff --check
• .agents/skills/autoreview/scripts/autoreview --mode local --prompt "Review the revised iMessage outbound reliability/config patch. The timeout path now only recovers approval prompt GUIDs and does not resend or generically match sent rows. Focus on duplicate-send risk, false success claims after timeout, caller-owned RPC client ownership, monitor reply client reuse, and config/docs/schema consistency." (clean)

Post-rebase focused proof on head 39ea25767bbcc113520a4a8783863549b512080c:

• pnpm config:channels:check
• node scripts/run-vitest.mjs extensions/imessage/src/send.test.ts extensions/imessage/src/monitor/deliver.test.ts extensions/imessage/src/accounts.test.ts extensions/imessage/src/config-schema.test.ts (72 tests)

Real behavior proof

Behavior addressed: outbound iMessage send reliability and transport selection when the imsg rpc child/watch client is long-lived.
Real environment tested: lobster macOS host, OpenClaw PR head 39ea25767bbcc113520a4a8783863549b512080c, imsg 0.11.0, Node v26.0.0.
Exact steps or command run after this patch: checked out origin/fix/imessage-outbound-transport-fallback on lobster, selected the local iMessage account handle from imsg account --local --json without printing it, then invoked sendMessageIMessage through the PR source with config channels.imessage.sendTransport = "applescript" and the same per-account override. The proof send was self-addressed and redacted.
Evidence after fix:

{
  "host": "lobster",
  "proofId": "openclaw-lobster-live-proof-c74895c2-b629-4bb0-abcb-e6521069b3d8",
  "transport": "applescript",
  "targetKind": "email",
  "elapsedMs": 1087,
  "messageIdPresent": true,
  "guidPresent": true,
  "sentTextMatches": true,
  "receiptParts": 1,
  "receiptReplyToId": null
}

Observed result after fix: the configured transport path completed a live Messages send and returned a receipt with message id and GUID present; local focused tests also prove the transport value is forwarded to RPC requests, caller-owned clients are not stopped, monitor reply sends no longer receive the watch RPC client, and generic RPC send timeouts neither resend nor recover an older identical row.
What was not tested: a live private bridge/IMCore send path on lobster, and a live reproduction of an already-wedged long-lived watch RPC client.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 9, 2026, 8:06 PM ET / 00:06 UTC.

Summary
The branch adds iMessage sendTransport config/schema/docs, forwards the selected transport to RPC sends, stops monitor replies from reusing the watch RPC client, and tightens timeout recovery coverage.

PR surface: Source +22, Tests +156, Docs +27, Generated 0. Total +205 across 14 files.

Reproducibility: Partly: source inspection gives a high-confidence path for current main not passing transport and for monitor replies reusing the active watch RPC client. The exact already-wedged watch-client failure was not reproduced locally and remains environment-dependent.

Review metrics: 1 noteworthy metric.

• Config/default surfaces: 1 added key, root + per-account scope. channels.imessage.sendTransport becomes a user-facing config contract that maintainers should notice before merge.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P2] Have a maintainer explicitly accept or reject the new channels.imessage.sendTransport config surface before merge.

Risk before merge

• [P1] The PR adds channels.imessage.sendTransport as a new user-facing config/default surface, so maintainers should explicitly accept that operator knob instead of relying only on imsg's existing auto behavior.

Maintainer options:

1. Approve the config knob
   Maintainers can accept channels.imessage.sendTransport as the intended operator escape hatch because it is additive and defaults to imsg's current auto behavior.
2. Pause for config-surface decision
   If another channel config key is not wanted, pause or close this PR and solve the reliability issue through imsg defaults, docs, or a narrower internal client-ownership change.

Next step before merge

• [P2] The remaining action is maintainer judgment on the protected config surface, not an automated code repair.

Security
Cleared: The diff changes iMessage runtime, config schema, generated metadata, tests, and docs without adding dependencies, workflows, secret handling, package scripts, or new code-execution surfaces beyond existing imsg transport selection.

Review details

Best possible solution:

Land the transport hardening only after maintainers accept the additive sendTransport config contract; otherwise keep the runtime on imsg's default auto behavior and limit the change to docs or internal send-client ownership.

Do we have a high-confidence way to reproduce the issue?

Partly: source inspection gives a high-confidence path for current main not passing transport and for monitor replies reusing the active watch RPC client. The exact already-wedged watch-client failure was not reproduced locally and remains environment-dependent.

Is this the best way to solve the issue?

Unclear until the config-surface decision is made. Technically, forwarding imsg's existing RPC transport contract and decoupling monitor reply sends is a cleaner owner-boundary fix than adding a one-shot fallback, but the new operator knob needs maintainer approval.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against c0a4a7890df4.

Label changes

Label changes:

• add merge-risk: 🚨 compatibility: Adding a new iMessage channel config/default surface can affect operator behavior and upgrade expectations even though the default remains auto.
• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix live macOS output for a configured iMessage send with redacted private details, message id, GUID, text match, and elapsed time.
• add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body includes after-fix live macOS output for a configured iMessage send with redacted private details, message id, GUID, text match, and elapsed time.
• remove rating: 🧂 unranked krab: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.
• remove status: 📣 needs proof: Current PR status label is status: 👀 ready for maintainer look.

Label justifications:

• P2: The PR targets scoped iMessage outbound reliability rather than a core-wide outage or security issue.
• merge-risk: 🚨 compatibility: Adding a new iMessage channel config/default surface can affect operator behavior and upgrade expectations even though the default remains auto.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body includes after-fix live macOS output for a configured iMessage send with redacted private details, message id, GUID, text match, and elapsed time.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix live macOS output for a configured iMessage send with redacted private details, message id, GUID, text match, and elapsed time.

Evidence reviewed

PR surface:

Source +22, Tests +156, Docs +27, Generated 0. Total +205 across 14 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	7	41	19	+22
Tests	4	172	16	+156
Docs	2	27	0	+27
Config	0	0	0	0
Generated	1	13	13	0
Other	0	0	0	0
Total	14	253	48	+205

What I checked:

• Current main behavior: Current sendMessageIMessage builds RPC send params without a transport field and monitor delivery passes the active RPC client into reply sends, matching the reliability concern this PR targets. (extensions/imessage/src/send.ts:989, c0a4a7890df4)
• PR implementation: At PR head, sendMessageIMessage defaults sendTransport to auto, includes transport in RPC send params, and closes only owned clients through a guarded helper. (extensions/imessage/src/send.ts:896, 39ea25767bbc)
• Caller boundary: At PR head, deliverReplies and createIMessageEchoCachingSend no longer accept or forward the watch RPC client, so monitor replies create their own send client through the existing send helper. (extensions/imessage/src/monitor/deliver.ts:19, 39ea25767bbc)
• Config contract: The PR adds sendTransport to the iMessage schema/type surface and documents it in gateway channel config docs, making this an additive but user-facing config contract. (src/config/zod-schema.providers-core.ts:1399, 39ea25767bbc)
• Dependency contract: openclaw/imsg RPC send parses transport as auto, bridge, or applescript, defaults omitted transport to auto, and imsg's changelog documents the RPC send transport override in 0.8.2. (041b40686a6d)
• Regression coverage: PR-head tests cover default/configured transport forwarding, generic timeout non-recovery, owned versus caller-owned client shutdown, monitor sends without watch-client reuse, and schema validation for transport values. (extensions/imessage/src/send.test.ts:124, 39ea25767bbc)

Likely related people:

• omarshahine: Recent path history shows prior merged iMessage send/config work and review activity on the same reliability surface, including dedicated send timeout and tapback/config changes. (role: recent area contributor and reviewer; confidence: high; commits: 6c35c0d965a0, d7a924862044; files: extensions/imessage/src/send.ts, src/config/types.imessage.ts)
• colmbrogan: Recent merged work on iMessage outbound echo/send behavior touched the same send and monitor delivery path. (role: recent adjacent contributor; confidence: medium; commits: 7e3100a12022; files: extensions/imessage/src/send.ts, extensions/imessage/src/monitor/deliver.ts)
• steipete: Recent repository history shows broad config/docs work in the surrounding iMessage config and documentation surfaces. (role: adjacent docs/config contributor; confidence: medium; commits: 6868cde4d45f; files: docs/channels/imessage.md, docs/gateway/config-channels.md, src/config/types.imessage.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[omarshahine]

Added the requested real behavior proof to the PR body.

Lobster proof summary:

• Host: lobster
• PR head: 39ea25767bbcc113520a4a8783863549b512080c
• imsg: 0.11.0
• Runtime path: sendMessageIMessage through this PR with channels.imessage.sendTransport = "applescript"
• Result: live self-addressed send completed in 1087 ms with message id and GUID present; text match verified; recipient/account details redacted.

Proof id: openclaw-lobster-live-proof-c74895c2-b629-4bb0-abcb-e6521069b3d8

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27243709030
• Updated: 2026-06-10T00:06:52.162Z

[omarshahine]

Land-ready maintainer check before merge.

• Head: 39ea25767bbcc113520a4a8783863549b512080c
• State: open, non-draft, mergeable
• Checks: no non-green checks reported in gh pr checks
• ClawSweeper: proof sufficient / ready for maintainer review after lobster live send proof
• Maintainer decision: accepting the new channels.imessage.sendTransport config surface and compatibility-risk tradeoff for this PR

Lobster proof id: openclaw-lobster-live-proof-c74895c2-b629-4bb0-abcb-e6521069b3d8