Fix stale visible reply recovery

[joshavant]

Summary

Fixes #90535.

• Adds a bounded recovery retry for visible reply dispatch when the reply run registry is stuck behind stale active work.
• Routes visible stale recovery through the existing diagnostic recovery coordinator so diagnostic session state is cleaned up consistently.
• Preserves the diagnostics enable gate and keeps disabled-diagnostics behavior as wait-for-active, not recovery/abort.
• Releases inbound dedupe only for busy admission before agent/model work starts; once processing begins, busy completion still commits dedupe to avoid duplicate work.

Verification

• node scripts/run-vitest.mjs src/auto-reply/reply/dispatch-from-config.stale-recovery.test.ts src/logging/diagnostic.test.ts src/logging/diagnostic-stuck-session-recovery.runtime.test.ts src/logging/diagnostic-stuck-session-recovery.integration.test.ts
• node --import tsx scripts/check-import-cycles.ts
• pnpm -s tsgo:core:test
• .agents/skills/autoreview/scripts/autoreview --mode local

Real behavior proof

Behavior addressed: A visible channel turn can wait behind stale replyRunRegistry work forever or return busy without retrying after stale recovery.

Real environment tested: Final patch was verified with focused local regression tests; AWS Crabbox live Telegram bot-to-bot proof was run earlier on this branch before the final coordinator/gating cleanup.

Exact steps or command run after this patch: node scripts/run-vitest.mjs src/auto-reply/reply/dispatch-from-config.stale-recovery.test.ts src/logging/diagnostic.test.ts src/logging/diagnostic-stuck-session-recovery.runtime.test.ts src/logging/diagnostic-stuck-session-recovery.integration.test.ts

Evidence after fix: Focused final-patch tests passed: 92 diagnostic tests and 6 stale visible recovery tests, including disabled diagnostics, active lane task, already-in-flight recovery, released-lane wait, stale abort retry, and inbound dedupe release coverage.

Observed result after fix: Stale visible dispatch retries after coordinator recovery when diagnostics are enabled; active recovery outcomes keep waiting; disabled diagnostics keep waiting without invoking recovery; pre-processing busy paths release inbound dedupe for retry.

What was not tested: The live Telegram channel proof was not rerun after the final coordinator/gating cleanup. Earlier proof on this branch passed on AWS Crabbox run_c8e3fd6f041f / lease cbx_dd5487ad6a36: Telegram canary passed in 1018ms and telegram-reply-chain-exact-marker passed in 1783ms with 2/2 scenarios passing.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 10, 2026, 3:48 AM ET / 07:48 UTC.

Summary
The PR adds diagnostic-coordinated stale visible reply recovery, retries reply admission after cleared stale work, adjusts busy-path inbound dedupe handling, and adds focused regression tests.

PR surface: Source +159, Tests +722. Total +881 across 7 files.

Reproducibility: yes. source-reproducible: current main sends visible turns into an unbounded waitForIdle when a reply operation remains active, and waitForIdle only times out for finite timeoutMs. I did not run a failing repro because this review is read-only.

Review metrics: none identified.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Have a maintainer explicitly accept the session-state and message-delivery recovery risk before landing.

Risk before merge

• [P1] The patch can force-clear an exact per-session ReplyOperation after diagnostic recovery; a wrong recovery classification would affect session ownership and visible reply delivery.
• [P1] The live proof covers the packaged Telegram reply path after the runtime cleanup, while the actual stale replyRunRegistry recovery branch is proven by focused tests rather than a naturally wedged live session.

Maintainer options:

1. Land after session-recovery review (recommended)
   Maintainers can accept the recovery behavior if they agree that diagnostics-gated force-clear of the unchanged ReplyOperation is the right boundary for stale visible replies.
2. Ask for stale-lock live proof
   If higher assurance is needed, ask for a packaged proof or diagnostic log artifact that injects or naturally hits a stale replyRunRegistry lock and shows recovery.
3. Pause for registry-owned design
   If visible dispatch should not invoke diagnostic recovery, pause this PR and move the fix into a narrower reply-run-registry timeout or reaper design.

Next step before merge

• [P2] The PR is protected by the maintainer label and has deliberate session/message-delivery merge risk, so the next action is human maintainer review rather than an automated repair lane.

Security
Cleared: The diff only changes TypeScript runtime and tests under reply dispatch/logging, with no dependency, workflow, secret, package, or supply-chain surface changes.

Review details

Best possible solution:

A human maintainer should review and explicitly accept the bounded recovery semantics, then land this PR if the session/message-delivery tradeoff is acceptable.

Do we have a high-confidence way to reproduce the issue?

Yes, source-reproducible: current main sends visible turns into an unbounded waitForIdle when a reply operation remains active, and waitForIdle only times out for finite timeoutMs. I did not run a failing repro because this review is read-only.

Is this the best way to solve the issue?

Yes, this appears to be an acceptable narrow fix: it reuses the existing diagnostic recovery coordinator and preserves disabled-diagnostics behavior instead of adding a separate global registry reaper. The maintainer decision is whether that recovery boundary is acceptable for visible dispatch.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against fd7e1815006a.

Label changes

Label justifications:

• P1: The PR targets a broken visible channel reply workflow where subsequent inbound messages can hang or be skipped behind stale session state.
• merge-risk: 🚨 message-delivery: The changed admission/recovery path decides whether visible inbound messages wait, retry, or return busy.
• merge-risk: 🚨 session-state: The diff can clear per-session reply registry state after diagnostic recovery and therefore changes session ownership behavior.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (logs): The PR has live Telegram Docker RTT proof for the branch runtime plus focused stale-recovery regression tests; the final head commit is test-only.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR has live Telegram Docker RTT proof for the branch runtime plus focused stale-recovery regression tests; the final head commit is test-only.
• mantis: telegram-visible-proof: Mantis should capture Telegram visible proof. The PR changes visible channel reply delivery behavior, so Telegram-visible proof is useful and the PR already provides live Telegram lane evidence.

Evidence reviewed

PR surface:

Source +159, Tests +722. Total +881 across 7 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	4	207	48	+159
Tests	3	722	0	+722
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	7	929	48	+881

What I checked:

• Repository policy read: Root AGENTS.md was read fully; no scoped AGENTS.md exists under the touched src/auto-reply or src/logging paths, and the Telegram maintainer note requires real Telegram proof for visible reply-context behavior. (AGENTS.md:1, fd7e1815006a)
• Current-main stale wait path: Current main lets visible turns fall through to replyRunRegistry.waitForIdle with no timeout when a reply operation is already active; waitForIdle only installs a timer when timeoutMs is finite. (src/auto-reply/reply/reply-turn-admission.ts:65, fd7e1815006a)
• PR recovery implementation: The PR gates stale visible recovery on enabled diagnostics, waits only to the resolved stuck-session abort threshold, requests diagnostic recovery, and force-clears only when the same ReplyOperation remains after a recovery outcome that says active work was cleared. (src/auto-reply/reply/dispatch-from-config.ts:1269, fc29c452bb65)
• Regression coverage: The added stale-recovery test covers successful retry, pure stale registry reclaim, fresh-operation identity protection, active-work keep-waiting outcomes, failed recovery, disabled diagnostics, released lanes, and pre-processing dedupe release. (src/auto-reply/reply/dispatch-from-config.stale-recovery.test.ts:52, fc29c452bb65)
• Coordinator return-path change: The diagnostic recovery coordinator now exposes requestStuckSessionRecoveryOutcome while preserving the existing fire-and-forget requestStuckSessionRecovery wrapper, giving visible dispatch an auditable recovery result. (src/logging/diagnostic-session-recovery-coordinator.ts:176, fc29c452bb65)
• Real behavior proof: The PR discussion includes live AWS Crabbox Telegram Docker RTT proof for a tarball built from the branch at 6be4195, and the final fc29c45 commit only adds a regression test for failed recovery admission. (fc29c452bb65)

Likely related people:

• steipete: Peter Steinberger is the top shortlog contributor across the touched reply/logging files and authored the reply-dispatch hook surface that sits in this dispatch path. (role: feature-history owner; confidence: medium; commits: 82ce30b7895a; files: src/auto-reply/reply/dispatch-from-config.ts, src/plugins/hooks.ts)
• vincentkoc: Vincent Koc recently changed inbound dedupe behavior after dispatch errors, which is adjacent to this PR's busy-path dedupe release change. (role: adjacent owner; confidence: medium; commits: 7c91d0dbc985, 5181e4f7c82b; files: src/auto-reply/reply/dispatch-from-config.ts)
• shakkernerd: Current-main blame in this shallow checkout attributes the central reply admission and diagnostic recovery lines to Shakker's latest touch of the affected files. (role: recent area contributor; confidence: medium; commits: 21104cd52eb1; files: src/auto-reply/reply/dispatch-from-config.ts, src/auto-reply/reply/reply-turn-admission.ts, src/logging/diagnostic-session-recovery-coordinator.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[joshavant]

Addressed the stale reply-registry gap from the review in 6be4195bacac4ce22306589c3c670306334dd053.

What changed:

• After visible stuck-session recovery reports that active work was cleared (aborted, released, or noop/no_active_work), dispatch now rechecks replyRunRegistry and force-clears only the exact same ReplyOperation object that blocked admission.
• The identity guard intentionally avoids clearing a fresh operation that reused the same session key/session id while recovery was awaited.
• Recovery outcomes that prove live work (active_reply_work, active_embedded_run, active_lane_task, already_in_flight) still keep waiting instead of clearing.

Proof run after the patch:

• node scripts/run-vitest.mjs src/auto-reply/reply/dispatch-from-config.stale-recovery.test.ts src/auto-reply/reply/reply-run-registry.test.ts
• node scripts/run-vitest.mjs src/auto-reply/reply/dispatch-from-config.stale-recovery.test.ts src/logging/diagnostic.test.ts src/logging/diagnostic-stuck-session-recovery.runtime.test.ts src/logging/diagnostic-stuck-session-recovery.integration.test.ts
• pnpm -s tsgo:core:test
• node --import tsx scripts/check-import-cycles.ts
• git diff --check
• pnpm -s format:check src/auto-reply/reply/dispatch-from-config.ts src/auto-reply/reply/dispatch-from-config.stale-recovery.test.ts
• node scripts/run-oxlint.mjs src/auto-reply/reply/dispatch-from-config.ts src/auto-reply/reply/dispatch-from-config.stale-recovery.test.ts
• .agents/skills/autoreview/scripts/autoreview --mode local -> clean, no accepted/actionable findings

CI on 6be4195bacac4ce22306589c3c670306334dd053: all non-Real behavior proof checks are green; PR merge state is CLEAN.

[joshavant]

@clawsweeper re-review my crab

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Superseded
• Detail: A newer re-review for this item started before this run finished, so GitHub cancelled this older run. Check the latest ClawSweeper run for the current result.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27260618608
• Updated: 2026-06-10T07:37:26.310Z

[joshavant]

Fresh live channel proof at current PR head:

• Package under test: OpenClaw 2026.6.2 (6be4195) installed from a tarball built from this branch, not the published beta package.
• Environment: AWS Crabbox run_c87dc9b4b4a7, lease cbx_efb1f68c1bcd, Docker Telegram RTT lane, exit 0, lease stopped.
• Credential source: Convex broker telegram kind, role maintainer; no telegram-user credential was leased.
• Result: package Telegram RTT Docker E2E passed (pr-91840-6be4195bac).
• Artifact summary:
  • telegram-canary: pass, observed SUT message 20223, RTT 1338ms.
  • telegram-mentioned-message-reply: pass, 1/1 strict warm sample passed, observed SUT message 20225, RTT 1994ms, reply text exactly OPENCLAW_E2E_OK_1.

This covers the live channel path after the final cleanup commit: installable package -> gateway startup -> Telegram provider startup -> canary -> normal mentioned reply through the channel.

[joshavant]

@clawsweeper re-review

[clawsweeper]

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27260172047
• Updated: 2026-06-10T07:32:04.863Z