fix(imessage): surface inbound startup diagnostics

[omarshahine]

Summary

• Add default-level, privacy-safe diagnostics when inbound rows are dropped for echo/reflection reasons (echo, self-chat echo, agent echo in self-chat, reflected assistant content) and for same-account from me rows. The log includes account, reason, numeric chat id when present, row/message id, GUID presence, group flag, and timestamp, but not message text, sender handles, or full GUIDs.
• Throttle from me diagnostics once per account/conversation/reason so normal outbound watcher rows do not spam default logs while still surfacing the same-account group-chat drop called out by review.
• Add structured watch.subscribe startup retry/failure context: account, cliPath, db path presence, remote-host presence, timeout, since_rowid, attachment/reaction flags, attempt count, and retry delay.
• Keep this diagnostics-only: no inbound delivery policy, watch retry classification, retry count, teardown, or thrown error behavior changes.

Refs #89593.
Refs #87263.

Verification

Initial proof:

• node scripts/run-vitest.mjs extensions/imessage/src/monitor.watch-subscribe-retry.test.ts (4 tests)
• pnpm format:check -- extensions/imessage/src/monitor/monitor-provider.ts extensions/imessage/src/monitor.watch-subscribe-retry.test.ts
• pnpm lint:extensions -- extensions/imessage/src/monitor/monitor-provider.ts extensions/imessage/src/monitor.watch-subscribe-retry.test.ts
• pnpm tsgo:extensions
• git diff --check
• .agents/skills/autoreview/scripts/autoreview --mode local --prompt "Review this diagnostics-only iMessage monitor patch. It should not change inbound delivery policy or watch.subscribe retry behavior. Focus on log noise/privacy, whether echo/reflection drops are surfaced without message content/sender handles, whether watch.subscribe retry/failure diagnostics include useful startup context, and whether tests cover the new formatting." (clean)

Follow-up proof after ClawSweeper noted that from me rows also needed diagnostics:

• node scripts/run-vitest.mjs extensions/imessage/src/monitor.watch-subscribe-retry.test.ts (5 tests)
• pnpm format:check -- extensions/imessage/src/monitor/monitor-provider.ts extensions/imessage/src/monitor.watch-subscribe-retry.test.ts
• pnpm lint:extensions -- extensions/imessage/src/monitor/monitor-provider.ts extensions/imessage/src/monitor.watch-subscribe-retry.test.ts
• pnpm tsgo:extensions
• git diff --check
• .agents/skills/autoreview/scripts/autoreview --mode local --prompt "Review the follow-up to PR #91785. It adds privacy-safe diagnostics for iMessage 'from me' drops and throttles that reason per account/conversation so normal outbound watcher rows do not spam default logs. Focus on whether it satisfies ClawSweeper's from-me diagnostic finding without changing delivery policy or overlogging PII." (clean)

Real behavior proof

Behavior addressed: missing runtime diagnostics for iMessage inbound rows that are intentionally dropped before dispatch, plus startup context for watch.subscribe retry/failure.
Real environment tested: lobster macOS host, OpenClaw PR head 597684c3650dab508cbb1378a58b74636d581626, imsg 0.11.0, Node v26.0.0.
Exact steps or command run after this patch: checked out origin/fix/imessage-inbound-startup-diagnostics on lobster, started monitorIMessageProvider through the PR source with a redacting runtime logger, then sent a self-addressed iMessage through sendMessageIMessage using sendTransport = "bridge". Account, target, chat id, message id, and any participant details were redacted from output.
Evidence after fix:

{
  "host": "lobster",
  "proofId": "openclaw-lobster-live-monitor-proof-ada22165-6306-46b6-8ed0-6c94fcab6bbc",
  "head": "597684c3650dab508cbb1378a58b74636d581626",
  "transport": "bridge",
  "candidateKey": "account_id",
  "targetKind": "handle",
  "sendMessageIdPresent": false,
  "sendGuidPresent": true,
  "dropDiagnosticFound": true,
  "redactedDropDiagnostic": "imessage: dropped inbound message account=<redacted> reason=\"from me\" chat_id=<redacted> group=false message_id=<redacted> guid=present created_at=2026-06-10T00:20:16.169Z",
  "startupDiagnostics": [],
  "logCount": 1,
  "errorCount": 0,
  "sendError": null,
  "errorSamples": []
}

Observed result after fix: the live monitor emitted the new default-level, privacy-safe from me drop diagnostic with no message text, sender handle, target handle, or full GUID in the proof output.
What was not tested: a live watch.subscribe startup timeout on lobster; that branch remains covered by focused tests because the live monitor startup succeeded.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 9, 2026, 8:28 PM ET / 00:28 UTC.

Summary
The PR adds privacy-safe default iMessage inbound-drop diagnostics, throttles same-account from me drop logs, and expands watch.subscribe startup retry/failure log context with focused tests.

PR surface: Source +107, Tests +72. Total +179 across 2 files.

Reproducibility: not applicable. as a PR review: the patch adds diagnostics around existing iMessage drop/startup paths. The contributor supplied a live after-fix monitor proof for the visible inbound-drop diagnostic plus focused tests for the startup failure branch.

Review metrics: none identified.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• none.

Risk before merge

• [P1] The PR has the protected maintainer label, so it should stay in the human maintainer path even with no blocking review findings.
• [P2] The live proof covers the inbound from me drop diagnostic; the watch.subscribe startup-timeout branch remains covered by focused tests rather than a live timeout reproduction.

Maintainer options:

1. Decide the mitigation before merge
   Land the diagnostics-only patch after maintainer review accepts the default-log privacy/noise tradeoff and normal CI or equivalent scoped proof is clean.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge

• [P2] Human maintainer review remains appropriate because the PR carries a protected maintainer label and the remaining decision is acceptance of log privacy/noise tradeoffs, not an automated code repair.

Security
Cleared: The diff only changes diagnostic formatting, runtime logging, and focused tests; it does not broaden dependency, CI, credential, install, package, or code-execution surfaces.

Review details

Best possible solution:

Land the diagnostics-only patch after maintainer review accepts the default-log privacy/noise tradeoff and normal CI or equivalent scoped proof is clean.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a PR review: the patch adds diagnostics around existing iMessage drop/startup paths. The contributor supplied a live after-fix monitor proof for the visible inbound-drop diagnostic plus focused tests for the startup failure branch.

Is this the best way to solve the issue?

Yes, this is the best narrow fix shape: log privacy-safe metadata at the existing drop/retry decisions instead of changing iMessage delivery policy, retry classification, or transport behavior.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 48ec58a5844f.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body now includes redacted live macOS iMessage monitor logs from the PR head showing the new from me inbound-drop diagnostic after the patch.
• add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (logs): The PR body now includes redacted live macOS iMessage monitor logs from the PR head showing the new from me inbound-drop diagnostic after the patch.
• remove rating: 🦪 silver shellfish: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.
• remove status: 📣 needs proof: Current PR status label is status: 👀 ready for maintainer look.

Label justifications:

• P2: This is a normal-priority iMessage diagnostics fix for message-loss/startup debugging with limited blast radius and no delivery-policy change.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (logs): The PR body now includes redacted live macOS iMessage monitor logs from the PR head showing the new from me inbound-drop diagnostic after the patch.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body now includes redacted live macOS iMessage monitor logs from the PR head showing the new from me inbound-drop diagnostic after the patch.

Evidence reviewed

PR surface:

Source +107, Tests +72. Total +179 across 2 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	109	2	+107
Tests	1	77	5	+72
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	2	186	7	+179

Acceptance criteria:

• [P1] node scripts/run-vitest.mjs extensions/imessage/src/monitor.watch-subscribe-retry.test.ts.
• [P1] pnpm format:check -- extensions/imessage/src/monitor/monitor-provider.ts extensions/imessage/src/monitor.watch-subscribe-retry.test.ts.
• [P1] pnpm lint:extensions -- extensions/imessage/src/monitor/monitor-provider.ts extensions/imessage/src/monitor.watch-subscribe-retry.test.ts.
• [P1] pnpm tsgo:extensions.
• [P1] git diff --check.

What I checked:

• Repository policy read: Read the full root AGENTS.md and applied its OpenClaw PR review, maintainer-label, read-only, proof, security, and channel/plugin guidance. (AGENTS.md:1, 48ec58a5844f)
• Scoped policy read: Read the extension-scoped AGENTS.md; the PR remains within the owning bundled plugin and does not cross plugin/core boundaries. (extensions/AGENTS.md:1, 48ec58a5844f)
• Diff inspected: The PR head changes only monitor-provider.ts and one focused test file, adding diagnostic formatting/throttling and startup log context without changing retry count, delivery predicates, teardown, or thrown-error behavior. (extensions/imessage/src/monitor/monitor-provider.ts:260, 597684c3650d)
• Inbound decision contract checked: Current main already returns the exact drop reasons this PR surfaces (from me, agent echo in self-chat, self-chat echo, echo, and reflected assistant content), so the patch wraps existing decisions instead of redefining delivery policy. (extensions/imessage/src/monitor/inbound-processing.ts:511, 48ec58a5844f)
• Runtime entry point checked: channel.runtime.ts starts monitorIMessageProvider for the active account, so the added logs sit at the plugin-owned iMessage monitor boundary used by real gateway runtime. (extensions/imessage/src/channel.runtime.ts:98, 48ec58a5844f)
• Startup retry path checked: The current monitor loop already retries bounded watch.subscribe startup failures and logs retry/failure messages; the PR enriches the string with account/config/presence fields while preserving the same control flow. (extensions/imessage/src/monitor/monitor-provider.ts:1420, 48ec58a5844f)

Likely related people:

• vincentkoc: Introduced the bounded iMessage watch.subscribe startup retry path and adjacent focused retry test that this PR now enriches with structured diagnostics. (role: startup retry feature owner; confidence: high; commits: 35a784c16563; files: extensions/imessage/src/monitor/monitor-provider.ts, extensions/imessage/src/monitor.watch-subscribe-retry.test.ts)
• obviyus: Recent history shows work on inbound echo IDs and reflected self-chat drop behavior, which are central to the diagnostic reasons surfaced by this PR. (role: inbound echo/self-chat contributor; confidence: high; commits: e3e2a19ab7f1, 4a5885df3a36; files: extensions/imessage/src/monitor/inbound-processing.ts, extensions/imessage/src/monitor/self-chat-dedupe.test.ts)
• steipete: Shortlog and file history show repeated refactors and fixes across the iMessage monitor and inbound-processing surfaces, including monitor retry type alignment and plugin boundary work. (role: heavy adjacent contributor; confidence: medium; commits: fa87c6334aa6, 625fd5b3e3e2, e4b5027c5e29; files: extensions/imessage/src/monitor/monitor-provider.ts, extensions/imessage/src/monitor/inbound-processing.ts)
• shakkernerd: Current line blame for the monitor/drop and startup retry regions points to a recent commit that touched the central iMessage monitor files, making this a useful routing signal despite the broad commit title. (role: recent area contributor; confidence: medium; commits: d48778994fb2; files: extensions/imessage/src/monitor/monitor-provider.ts, extensions/imessage/src/monitor/inbound-processing.ts, extensions/imessage/src/monitor.watch-subscribe-retry.test.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[omarshahine]

Addressed ClawSweeper's from me diagnostic finding in 597684c365.

What changed:

• Added from me to the privacy-safe diagnostic surface.
• Throttled from me diagnostics once per account/conversation/reason so normal outbound watcher rows do not spam default logs.
• Kept GUIDs presence-only and still logs no sender handle or message content.

Verification after this patch:

• node scripts/run-vitest.mjs extensions/imessage/src/monitor.watch-subscribe-retry.test.ts (5 tests)
• pnpm format:check -- extensions/imessage/src/monitor/monitor-provider.ts extensions/imessage/src/monitor.watch-subscribe-retry.test.ts
• pnpm lint:extensions -- extensions/imessage/src/monitor/monitor-provider.ts extensions/imessage/src/monitor.watch-subscribe-retry.test.ts
• pnpm tsgo:extensions
• git diff --check
• .agents/skills/autoreview/scripts/autoreview --mode local --prompt "Review the follow-up to PR #91785. It adds privacy-safe diagnostics for iMessage 'from me' drops and throttles that reason per account/conversation so normal outbound watcher rows do not spam default logs. Focus on whether it satisfies ClawSweeper's from-me diagnostic finding without changing delivery policy or overlogging PII." (clean)

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

[omarshahine]

Added the requested live diagnostics proof to the PR body.

Lobster proof summary:

• Host: lobster
• PR head: 597684c3650dab508cbb1378a58b74636d581626
• Runtime path: live monitorIMessageProvider plus self-addressed sendMessageIMessage using sendTransport = "bridge"
• Result: monitor emitted the new redacted reason="from me" drop diagnostic.
• Redaction: account, target, chat id, message id, participant details, message text, and full GUID are not present in the proof output.

Proof id: openclaw-lobster-live-monitor-proof-ada22165-6306-46b6-8ed0-6c94fcab6bbc

@clawsweeper re-review

[clawsweeper]

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27244550756
• Updated: 2026-06-10T00:29:23.665Z

[omarshahine]

Land-ready maintainer check before merge.

• Head: 597684c3650dab508cbb1378a58b74636d581626
• State: open, non-draft, mergeable
• Checks: no non-green material checks reported in gh pr checks
• ClawSweeper: proof sufficient / ready for maintainer review after lobster live monitor proof
• Maintainer decision: accepting the diagnostics-only default-log privacy/noise tradeoff for this PR

Lobster proof id: openclaw-lobster-live-monitor-proof-ada22165-6306-46b6-8ed0-6c94fcab6bbc