fix(telegram): use SDK dispatch dedupe #91904

Merged
obviyus merged 4 commits into main from codex/telegram-sdk-dispatch-dedupe
Jun 10, 2026

Conversation

@obviyus obviyus commented Jun 10, 2026

Contributor

Summary

  • Replace Telegram dispatch replay dedupe buckets/locks with the SDK persistent claimable dedupe helper.
  • Keep persisted replay protection at the prior 50k window under a dedicated dedupe state owner, with account id folded into the key.
  • Move legacy JSON and shipped bucketed plugin-state imports into doctor-time migration for the SDK namespace/key shape.

Verification

  • node scripts/run-vitest.mjs src/plugin-sdk/memory-host-events.test.ts extensions/telegram/src/state-migrations.test.ts extensions/telegram/src/message-dispatch-dedupe.test.ts extensions/telegram/src/bot.create-telegram-bot.test.ts src/plugin-sdk/api-baseline.test.ts src/commands/doctor-state-migrations.test.ts
  • pnpm plugin-sdk:api:check
  • .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main
  • Testbox changed gate: tbx_01ktrayhbr7rszsded12tsmayw, provider blacksmith-testbox, passed
  • Post-Testbox rebase sanity: git diff --check; focused Vitest command above
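An added sketch, not code from this PR or the OpenClaw SDK, of the claim/commit/release dedupe pattern the summary above refers to, run over constructed updates. `ClaimableDedupe`, `dedupeKey`, `dispatchOnce` and `simulateReplay` are hypothetical names, the claim semantics are assumptions, and state is held in memory rather than persisted.

```typescript
// Added illustration. Names and semantics are assumptions, not the OpenClaw SDK helper.
type DispatchOutcome = "dispatched" | "duplicate" | "in-flight" | "failed";

class ClaimableDedupe {
  private readonly maxEntries: number;
  private readonly committed = new Set<string>(); // insertion order doubles as age
  private readonly inFlight = new Set<string>();

  constructor(maxEntries: number) {
    this.maxEntries = maxEntries;
  }

  // A key is claimable only if it is neither processed nor being processed.
  claim(key: string): "claimed" | "duplicate" | "in-flight" {
    if (this.committed.has(key)) return "duplicate";
    if (this.inFlight.has(key)) return "in-flight";
    this.inFlight.add(key);
    return "claimed";
  }

  // Only the holder of a claim can record the key as processed.
  commit(key: string): void {
    if (!this.inFlight.delete(key)) return;
    this.committed.add(key);
    // Bounded window: evict the oldest committed keys beyond maxEntries.
    while (this.committed.size > this.maxEntries) {
      const oldest = this.committed.values().next().value;
      if (oldest === undefined) break;
      this.committed.delete(oldest);
    }
  }

  // Dropping a claim lets a later redelivery of the same update proceed.
  release(key: string): void {
    this.inFlight.delete(key);
  }
}

// Account id is folded into the key. JSON encoding keeps the two fields
// unambiguous even if an account id contains a separator character.
function dedupeKey(accountId: string, updateId: number): string {
  return JSON.stringify([accountId, updateId]);
}

function dispatchOnce(
  dedupe: ClaimableDedupe,
  accountId: string,
  updateId: number,
  handler: () => void,
): DispatchOutcome {
  const key = dedupeKey(accountId, updateId);
  const claim = dedupe.claim(key);
  if (claim !== "claimed") return claim;
  try {
    handler();
    dedupe.commit(key);
    return "dispatched";
  } catch {
    dedupe.release(key); // a failed dispatch must not suppress the retry
    return "failed";
  }
}

function simulateReplay(windowSize: number): { outcomes: DispatchOutcome[]; delivered: string[] } {
  const dedupe = new ClaimableDedupe(windowSize);
  const delivered: string[] = [];
  // Constructed sample input: [accountId, updateId, handlerFails]
  const updates: Array<[string, number, boolean]> = [
    ["acct-a", 1001, false], // new message
    ["acct-a", 1001, false], // replay of the same update
    ["acct-b", 1001, false], // same update id on another account
    ["acct-a", 1002, true], // handler throws, claim is released
    ["acct-a", 1002, false], // redelivery after the failure
    ["acct-a", 1001, false], // late replay: suppressed only if still in the window
  ];
  const outcomes = updates.map(([accountId, updateId, fails]) =>
    dispatchOnce(dedupe, accountId, updateId, () => {
      if (fails) throw new Error("constructed handler failure");
      delivered.push(`${accountId}/${updateId}`);
    }),
  );
  return { outcomes, delivered };
}
```

With a window of 2 the late replay of `acct-a/1001` is dispatched a second time because its key has been evicted; with the 50k window it is reported as a duplicate.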

@openclaw-barnacle openclaw-barnacle Bot added channel: telegram Channel integration: telegram size: XL maintainer Maintainer-authored PR labels Jun 10, 2026

clawsweeper Bot commented Jun 10, 2026

Contributor

Codex review: needs real behavior proof before merge. Reviewed June 10, 2026, 5:20 AM ET / 09:20 UTC.

Summary
The PR replaces Telegram message-dispatch replay dedupe with SDK claimable persistent dedupe, changes the persisted owner/key shape, and adds doctor-time migration support for legacy JSON and bucketed plugin-state entries.

PR surface: Source -240, Tests +56. Total -184 across 11 files.

Reproducibility: no. No high-confidence reproduction path was established in this review. Source inspection shows the Telegram handler-to-dedupe path, but the PR body and available context do not include a live replay reproduction or after-fix transport proof.

Review metrics: 3 noteworthy metrics.

  • Public SDK exports: 1 runtime-doctor function export added. Doctor SDK is a plugin API and security boundary, so maintainers should explicitly approve any new unscoped state access before merge.
  • Migration contract fields: 1 optional defaultTtlMs field added. Doctor imports now carry TTL into plugin state, which affects upgrade behavior for existing persisted caches.
  • Replay state owner: 1 Telegram dedupe owner/namespace changed. Existing replay protection must migrate cleanly to avoid duplicate or suppressed Telegram dispatch after restart.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🧂 unranked krab
Patch quality: 🧂 unranked krab
Result: blocked until real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Remove or replace the unscoped public runtime-doctor store export with a scoped/narrow migration path.
  • [P1] Add redacted real Telegram proof that a replayed update is deduped and a new message dispatches exactly once.

Proof guidance:

  • [P1] Needs real behavior proof before merge: The PR body has tests and Testbox only; the contributor should add redacted live Telegram transcript, recording, terminal output, or logs showing replay dedupe and normal dispatch, then update the PR body to trigger re-review or ask a maintainer to comment @clawsweeper re-review.

Mantis proof suggestion
A live Telegram transcript would materially prove the transport dedupe path beyond unit and migration tests. A maintainer can ask Mantis to capture proof by posting a new PR comment that starts with the OpenClaw Mantis account mention, followed by:

telegram live QA: verify replayed Telegram update is deduped and a new message still dispatches exactly once.

Risk before merge

  • [P1] The new public runtime-doctor export can let plugin doctor code open arbitrary non-core plugin-state owners instead of using a context-bound store tied to the active trusted plugin.
  • [P1] The Telegram replay-dedupe owner, namespace, key, and migration changes are upgrade-sensitive: a wrong import or namespace decision can duplicate or suppress Telegram dispatches after restart or replay.
  • [P1] The PR still lacks after-fix real Telegram behavior proof, so tests do not show that a replayed update is deduped while a normal new message still dispatches once.

Maintainer options:

  1. Keep state migration access scoped (recommended)
    Replace the public runtime-doctor store-factory export with a narrow internal/core migration helper or a context-bound API, then rerun SDK API checks and Telegram migration tests.
  2. Explicitly approve the broader SDK surface
    Maintainers can accept that plugin doctor code may open arbitrary non-core plugin state, but that should be an intentional documented contract before merge.
  3. Require live Telegram replay proof
    Keep this PR blocked until a redacted transcript, recording, terminal output, or logs prove replay dedupe and one normal dispatch against the current head.

Next step before merge

  • [P1] Human review is needed for the SDK/security-boundary decision and for the missing real Telegram proof; this is not a safe ClawSweeper repair lane.

Security
Needs attention: The diff introduces a concrete plugin-state boundary concern by exposing an arbitrary plugin-id store factory through a public doctor SDK subpath.

Review findings

  • [P1] Keep doctor state access bound to the active plugin — src/plugin-sdk/runtime-doctor.ts:26
Review details

Best possible solution:

Keep the SDK dedupe refactor only after plugin-state migration access remains bound or narrowly internal, upgrade migration semantics are verified, and redacted live Telegram replay proof shows normal delivery plus duplicate suppression.

Do we have a high-confidence way to reproduce the issue?

No high-confidence reproduction path was established in this review. Source inspection shows the Telegram handler-to-dedupe path, but the PR body and available context do not include a live replay reproduction or after-fix transport proof.

Is this the best way to solve the issue?

No. Moving Telegram dispatch replay protection to the SDK dedupe helper is a plausible direction, but the unscoped public doctor store export is not the best boundary for migrating plugin state.

Full review comments:

  • [P1] Keep doctor state access bound to the active plugin — src/plugin-sdk/runtime-doctor.ts:26
    runtime-doctor is a public plugin SDK subpath, and the existing doctor migration context binds plugin-state access to the active pluginId. Exporting createPluginStateSyncKeyedStore here lets any plugin doctor code choose another non-core plugin id and read or write its state, so please keep this as an internal core migration helper or expose a context-bound/narrow migration API instead.
    Confidence: 0.86

Overall correctness: patch is incorrect
Overall confidence: 0.87

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 43bbde483046.

Label changes

Label justifications:

  • P1: Telegram replay dedupe sits on the transport delivery path, and mistakes can duplicate or suppress real user messages.
  • merge-risk: 🚨 compatibility: The PR changes a public SDK doctor surface and migrates existing Telegram replay-dedupe state into a new owner/namespace.
  • merge-risk: 🚨 message-delivery: Replay-dedupe key or migration mistakes can make Telegram messages dispatch twice or be incorrectly suppressed.
  • merge-risk: 🚨 security-boundary: The added runtime-doctor store export bypasses the existing runtime/plugin-bound state access boundary.
  • rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🧂 unranked krab and patch quality is 🧂 unranked krab.
  • status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR body has tests and Testbox only; the contributor should add redacted live Telegram transcript, recording, terminal output, or logs showing replay dedupe and normal dispatch, then update the PR body to trigger re-review or ask a maintainer to comment @clawsweeper re-review.
  • mantis: telegram-visible-proof: Mantis should capture Telegram visible proof. This changes Telegram message dispatch replay behavior, which can be shown in a short Telegram proof as duplicate suppression plus normal delivery.
Evidence reviewed

PR surface:

Source -240, Tests +56. Total -184 across 11 files.

View PR surface stats
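| Area | Files | Added | Removed | Net |
|---|---|---|---|---|
| Source | 7 | 334 | 574 | -240 |
| Tests | 4 | 237 | 181 | +56 |
| Docs | 0 | 0 | 0 | 0 |
| Config | 0 | 0 | 0 | 0 |
| Generated | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 |
| Total | 11 | 571 | 755 | -184 |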

Security concerns:

  • [medium] Unscoped plugin-state store in doctor SDK — src/plugin-sdk/runtime-doctor.ts:26
    The added export lets plugin doctor code open a sync keyed store for any non-core plugin id instead of using the context-bound store that core creates for the active plugin, which can cross plugin state ownership boundaries.
    Confidence: 0.86

What I checked:

Likely related people:

  • vincentkoc: Recent history shows Vincent Koc introduced and fixed the claimable persistent dedupe helper this PR now relies on, and has multiple recent Telegram callback/runtime fixes. (role: persistent dedupe and Telegram adjacent contributor; confidence: high; commits: 028434a00ffd, 6c12ec1ed22c, 77f1ea0de813; files: src/plugin-sdk/persistent-dedupe.ts, extensions/telegram/src/bot-handlers.runtime.ts)
  • steipete: History on runtime-doctor, state migrations, and plugin SDK boundary refactors repeatedly points to Peter Steinberger as a central contributor for this API boundary. (role: SDK and doctor migration boundary owner by history; confidence: high; commits: 62ddc9d9e0d9, 40ffada812b9, 44e7c1142e60; files: src/plugin-sdk/runtime-doctor.ts, src/infra/state-migrations.ts, src/plugins/doctor-contract-registry.ts)
  • obviyus: The PR author also appears in current-main history for recent Telegram callback and handler-seam work, so this is an adjacent ownership signal beyond merely opening this PR. (role: recent Telegram area contributor; confidence: medium; commits: 1265da2a5cae, 049c3c487789, edcf3e9d32d3; files: extensions/telegram/src/bot-handlers.runtime.ts, extensions/telegram/src/message-dispatch-dedupe.ts)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.
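
The ownership boundary raised in the review above, as an added TypeScript sketch that is not the project's code: a store factory where the caller names the owner, beside a migration context whose owner is fixed by core. All names (`PluginStateBackend`, `createUnscopedStoreFactory`, `createDoctorContext`, `importLegacyEntries`, `compareBoundaries`) and the sample plugin ids, namespace and key are hypothetical.

```typescript
// Added illustration. Every name below is hypothetical; this is not the OpenClaw SDK.
type PluginId = string;

interface KeyedStore {
  get(key: string): string | undefined;
  set(key: string, value: string): void;
}

// Backing state, partitioned as owner plugin id -> namespace -> key -> value.
class PluginStateBackend {
  private readonly owners = new Map<PluginId, Map<string, Map<string, string>>>();

  open(owner: PluginId, namespace: string): KeyedStore {
    let spaces = this.owners.get(owner);
    if (!spaces) {
      spaces = new Map<string, Map<string, string>>();
      this.owners.set(owner, spaces);
    }
    let entries = spaces.get(namespace);
    if (!entries) {
      entries = new Map<string, string>();
      spaces.set(namespace, entries);
    }
    const bound = entries;
    return {
      get: (key: string) => bound.get(key),
      set: (key: string, value: string) => {
        bound.set(key, value);
      },
    };
  }
}

// Shape the review objects to: whoever holds the factory chooses the owner.
function createUnscopedStoreFactory(backend: PluginStateBackend) {
  return (pluginId: PluginId, namespace: string): KeyedStore => backend.open(pluginId, namespace);
}

// Context-bound alternative: core fixes the owner once; plugin code picks only a namespace.
interface DoctorMigrationContext {
  readonly pluginId: PluginId;
  openStore(namespace: string): KeyedStore;
}

function createDoctorContext(backend: PluginStateBackend, activePluginId: PluginId): DoctorMigrationContext {
  return Object.freeze({
    pluginId: activePluginId,
    openStore: (namespace: string): KeyedStore => backend.open(activePluginId, namespace),
  });
}

// Narrow migration helper: legacy entries land only in the active plugin's own state.
function importLegacyEntries(
  ctx: DoctorMigrationContext,
  namespace: string,
  legacy: Record<string, string>,
): number {
  const store = ctx.openStore(namespace);
  let imported = 0;
  for (const [key, value] of Object.entries(legacy)) {
    if (store.get(key) === undefined) {
      store.set(key, value);
      imported += 1;
    }
  }
  return imported;
}

interface BoundaryComparison {
  imported: number;
  viaFactory: string | undefined;
  viaContext: string | undefined;
  ownRead: string | undefined;
}

function compareBoundaries(): BoundaryComparison {
  const backend = new PluginStateBackend();
  const namespace = "dispatch-dedupe"; // constructed sample namespace
  const sampleKey = '["acct-a",1001]'; // constructed sample key

  // The owning plugin migrates its legacy state through its own bound context.
  const ownerCtx = createDoctorContext(backend, "telegram");
  const imported = importLegacyEntries(ownerCtx, namespace, { [sampleKey]: "committed" });

  // Doctor code belonging to a different plugin, under each API shape.
  const factory = createUnscopedStoreFactory(backend);
  const viaFactory = factory("telegram", namespace).get(sampleKey); // another owner's state
  const otherCtx = createDoctorContext(backend, "other-plugin");
  const viaContext = otherCtx.openStore(namespace).get(sampleKey); // own, empty partition

  return { imported, viaFactory, viaContext, ownRead: ownerCtx.openStore(namespace).get(sampleKey) };
}
```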

@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. P1 High-priority user-facing bug, regression, or broken workflow. merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. merge-risk: 🚨 message-delivery 🚨 May drop, duplicate, misroute, suppress, or wrongly target messages. merge-risk: 🚨 security-boundary 🚨 May affect sandboxing, authorization, credentials, or sensitive data. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. mantis: telegram-visible-proof Mantis should capture Telegram visible proof. and removed status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. labels Jun 10, 2026
@obviyus obviyus force-pushed the codex/telegram-sdk-dispatch-dedupe branch from eef3878 to fa61b16 Compare June 10, 2026 09:12
@obviyus obviyus force-pushed the codex/telegram-sdk-dispatch-dedupe branch from fa61b16 to 40231a3 Compare June 10, 2026 09:22
@obviyus obviyus merged commit 9c6186d into main Jun 10, 2026
8 checks passed
@obviyus obviyus deleted the codex/telegram-sdk-dispatch-dedupe branch June 10, 2026 09:22

obviyus commented Jun 10, 2026

Contributor Author

Landed via rebase onto main.

  • Scoped tests: pnpm plugin-sdk:api:check; node scripts/run-vitest.mjs src/plugin-sdk/memory-host-events.test.ts extensions/telegram/src/state-migrations.test.ts extensions/telegram/src/message-dispatch-dedupe.test.ts extensions/telegram/src/bot.create-telegram-bot.test.ts src/plugin-sdk/api-baseline.test.ts src/commands/doctor-state-migrations.test.ts; .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main; Testbox changed gate tbx_01ktrayhbr7rszsded12tsmayw passed on blacksmith-testbox.
  • Changelog: not updated; release generation owns CHANGELOG.md for normal PRs.
  • Unrelated CI: build-artifacts / core-support-boundary failed in test/scripts/check-deadcode-unused-files.test.ts; same failure reproduced on clean origin/main.
  • Land commit: 40231a3d2c
  • Merge commit: 9c6186de436c6d4e5bd2e257b5e05a32b7b0be25

eleboucher pushed a commit to eleboucher/homelab that referenced this pull request Jun 12, 2026
…26.6.6) (#1040)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [ghcr.io/openclaw/openclaw](https://openclaw.ai) ([source](https://github.com/openclaw/openclaw)) | patch | `2026.6.5` → `2026.6.6` |

---

### Release Notes

<details>
<summary>openclaw/openclaw (ghcr.io/openclaw/openclaw)</summary>

### [`v2026.6.6`](https://github.com/openclaw/openclaw/blob/HEAD/CHANGELOG.md#202666)

[Compare Source](openclaw/openclaw@v2026.6.5...v2026.6.6)

##### Highlights

- Security boundaries are substantially tighter across transcripts, sandbox binds, host environment inheritance, MCP stdio, Codex HTTP access, native search policy, elevated sender checks, deleted-agent ACP bypasses, loopback tools, Discord moderation, and Teams group actions; exec approvals now fail closed on timeout. ([#91529](openclaw/openclaw#91529), [#91618](openclaw/openclaw#91618), [#91615](openclaw/openclaw#91615), [#91619](openclaw/openclaw#91619), [#91741](openclaw/openclaw#91741), [#91745](openclaw/openclaw#91745), [#91746](openclaw/openclaw#91746), [#91748](openclaw/openclaw#91748), [#91749](openclaw/openclaw#91749), [#91750](openclaw/openclaw#91750), [#91751](openclaw/openclaw#91751), [#91752](openclaw/openclaw#91752), [#91763](openclaw/openclaw#91763), [#89938](openclaw/openclaw#89938)) Thanks [@joshavant](https://github.com/joshavant), [@pgondhi987](https://github.com/pgondhi987), [@mmaps](https://github.com/mmaps), [@eleqtrizit](https://github.com/eleqtrizit), [@shakkernerd](https://github.com/shakkernerd), and [@drobison00](https://github.com/drobison00).
- Telegram delivery is safer and more coherent: account-scoped topics route to the right agent, streamed text survives tool calls, `/compact` works on generic ingress, callback handling uses concrete APIs, draft chunking is shared, durable dispatch dedupe moved into the SDK, and unauthorized DM text stays out of cache and prompt context. ([#91189](openclaw/openclaw#91189), [#88682](openclaw/openclaw#88682), [#89588](openclaw/openclaw#89588), [#90212](openclaw/openclaw#90212), [#91876](openclaw/openclaw#91876), [#91874](openclaw/openclaw#91874), [#91904](openclaw/openclaw#91904), [#91478](openclaw/openclaw#91478), [#91915](openclaw/openclaw#91915)) Thanks [@codysai001](https://github.com/codysai001), [@alexzhu0](https://github.com/alexzhu0), [@joelnishanth](https://github.com/joelnishanth), [@snowzlm](https://github.com/snowzlm), [@obviyus](https://github.com/obviyus), and [@sallyom](https://github.com/sallyom).
- iMessage recovery and delivery now cover always-on inbound restart, durable echo markers, block streaming, idle approval discovery, hardened outbound transport, and actionable inbound startup diagnostics. ([#91335](openclaw/openclaw#91335), [#91449](openclaw/openclaw#91449), [#88969](openclaw/openclaw#88969), [#88530](openclaw/openclaw#88530), [#91783](openclaw/openclaw#91783), [#91785](openclaw/openclaw#91785)) Thanks [@omarshahine](https://github.com/omarshahine), [@jmissig](https://github.com/jmissig), and [@colmbrogan](https://github.com/colmbrogan).
- Browser and MCP connectivity gained existing-session CDP support, discovered WebSocket validation, default-profile `cdpUrl` handling, safer browser-output boundaries, Streamable HTTP loopback transport, corrected OAuth/SSE authorization handling, and broader schema compatibility. ([#91422](openclaw/openclaw#91422), [#89851](openclaw/openclaw#89851), [#91736](openclaw/openclaw#91736), [#91747](openclaw/openclaw#91747), [#91451](openclaw/openclaw#91451), [#80143](openclaw/openclaw#80143)) Thanks [@pgondhi987](https://github.com/pgondhi987), [@anagnorisis2peripeteia](https://github.com/anagnorisis2peripeteia), [@lifuyue](https://github.com/lifuyue), [@eleqtrizit](https://github.com/eleqtrizit), [@LiuwqGit](https://github.com/LiuwqGit), and [@HemantSudarshan](https://github.com/HemantSudarshan).
- Control UI startup and first-reply latency are lower through cached model metadata, removal of the startup catalog wait, lazy slash-command loading, and first-event tracing with slow-reply diagnostics. ([#91531](openclaw/openclaw#91531), [#91538](openclaw/openclaw#91538), [#91568](openclaw/openclaw#91568), [#91583](openclaw/openclaw#91583), [#91598](openclaw/openclaw#91598))
- Provider support expands with OpenRouter OAuth onboarding and Claude Fable 5 adaptive thinking, while Codex sessions keep correct compaction ownership, local models skip guardian review, dynamic tool progress normalizes cleanly, and Gemma 4 reasoning replay is preserved. ([#91830](openclaw/openclaw#91830), [#91882](openclaw/openclaw#91882), [#91590](openclaw/openclaw#91590), [#88630](openclaw/openclaw#88630), [#88768](openclaw/openclaw#88768), [#91696](openclaw/openclaw#91696)) Thanks [@Patrick-Erichsen](https://github.com/Patrick-Erichsen), [@joshavant](https://github.com/joshavant), [@bdjben](https://github.com/bdjben), and [@Coder-Wangyankun](https://github.com/Coder-Wangyankun).

##### Changes

- CLI progress: emit Claude CLI commentary progress events and bridge inter-tool commentary into channel progress without exposing internal protocol scaffolding. ([#89834](openclaw/openclaw#89834), [#90883](openclaw/openclaw#90883)) Thanks [@anagnorisis2peripeteia](https://github.com/anagnorisis2peripeteia).
- Observability: allow trusted diagnostics channels to capture tool input/output content, add first-assistant-event traces, and warn on slow initial replies. ([#91256](openclaw/openclaw#91256), [#91568](openclaw/openclaw#91568), [#91583](openclaw/openclaw#91583)) Thanks [@amknight](https://github.com/amknight).
- Plugins/ClawHub: dogfood reusable package publishing, let dry runs skip publish approval, allow declared installed trusted hooks, report managed plugin version drift, and warn instead of failing on retired Skill Workshop configuration. ([#91574](openclaw/openclaw#91574), [#91591](openclaw/openclaw#91591), [#90004](openclaw/openclaw#90004), [#90927](openclaw/openclaw#90927), [#90838](openclaw/openclaw#90838)) Thanks [@Patrick-Erichsen](https://github.com/Patrick-Erichsen), [@brokemac79](https://github.com/brokemac79), and [@lonexreb](https://github.com/lonexreb).
- Memory/providers: move the local llama.cpp runtime into its provider plugin, batch embeddings across files, persist the agent model catalog cache, and keep QMD JSON search one-shot while filtering stale REM recall previews. ([#91324](openclaw/openclaw#91324), [#89138](openclaw/openclaw#89138), [#90457](openclaw/openclaw#90457), [#91837](openclaw/openclaw#91837), [#91851](openclaw/openclaw#91851)) Thanks [@osolmaz](https://github.com/osolmaz), [@mushuiyu886](https://github.com/mushuiyu886), [@ai-hpc](https://github.com/ai-hpc), and [@TurboTheTurtle](https://github.com/TurboTheTurtle).
- Channels/mobile: add the QQBot group mention toggle, improve iPad and iPhone control surfaces, and expose the active connection host in the TUI footer. ([#91423](openclaw/openclaw#91423), [#91557](openclaw/openclaw#91557), [#89909](openclaw/openclaw#89909)) Thanks [@cxyhhhhh](https://github.com/cxyhhhhh), [@Solvely-Colin](https://github.com/Solvely-Colin), and [@baskduf](https://github.com/baskduf).
- Performance: prewarm TUI runtime plugins, deduplicate plugin auto-enable fanout, trim dense text-delta snapshots, and reuse prepared startup model metadata. ([#90782](openclaw/openclaw#90782), [#89978](openclaw/openclaw#89978), [#91580](openclaw/openclaw#91580), [#91531](openclaw/openclaw#91531)) Thanks [@RomneyDa](https://github.com/RomneyDa) and [@ai-hpc](https://github.com/ai-hpc).

##### Fixes

- Agent/session recovery: drop stale approval follow-ups after session rebind, remove drained reply-queue items by identity, recover stale main and visible replies, preserve Codex context-engine compaction ownership, lower the default compaction timeout to 180 seconds while respecting explicit configuration, and keep provider-failure terminal lifecycle state correct. ([#85679](openclaw/openclaw#85679), [#91450](openclaw/openclaw#91450), [#91566](openclaw/openclaw#91566), [#91840](openclaw/openclaw#91840), [#91590](openclaw/openclaw#91590), [#91361](openclaw/openclaw#91361), [#91895](openclaw/openclaw#91895)) Thanks [@openperf](https://github.com/openperf), [@yetval](https://github.com/yetval), [@joshavant](https://github.com/joshavant), [@wangmiao0668000666](https://github.com/wangmiao0668000666), and [@TurboTheTurtle](https://github.com/TurboTheTurtle).
- User-visible content boundaries: suppress Codex/Harmony protocol artifacts, neutralize browser and LanceDB memory media directives, redact transcript images, and preserve native `/compact` replies through source suppression. ([#89151](openclaw/openclaw#89151), [#91422](openclaw/openclaw#91422), [#91425](openclaw/openclaw#91425), [#91529](openclaw/openclaw#91529), [#90212](openclaw/openclaw#90212)) Thanks [@joelnishanth](https://github.com/joelnishanth), [@pgondhi987](https://github.com/pgondhi987), [@joshavant](https://github.com/joshavant), and [@snowzlm](https://github.com/snowzlm).
- Channel delivery: keep WhatsApp captured replies attached to the successor controller after restart, retry Feishu rate limits, preserve Mattermost thread replies, canonicalize LINE webhook paths, restore Discord reply hydration and runtime timeout exports, and show OpenAI Realtime WebRTC assistant transcripts. ([#85823](openclaw/openclaw#85823), [#89659](openclaw/openclaw#89659), [#91684](openclaw/openclaw#91684), [#91649](openclaw/openclaw#91649), [#90263](openclaw/openclaw#90263), [#91686](openclaw/openclaw#91686), [#90426](openclaw/openclaw#90426)) Thanks [@itsuzef](https://github.com/itsuzef), [@ladygege](https://github.com/ladygege), [@jacobtomlinson](https://github.com/jacobtomlinson), [@fuller-stack-dev](https://github.com/fuller-stack-dev), and [@shushushv](https://github.com/shushushv).
- Cron: cancel active task runs cleanly, preserve terminal timeout/cancel state, and recover no-deliver tool warnings instead of silently losing the outcome. ([#90666](openclaw/openclaw#90666), [#90678](openclaw/openclaw#90678)) Thanks [@ai-hpc](https://github.com/ai-hpc).
- Gateway/config/auth: share the approval runtime socket token, replace arrays explicitly in `config.patch`, skip the deleted-agent guard only for valid ACP harness sessions, surface headless LaunchAgent state, verify SQLite auth migration before cleanup, and arm QMD startup maintenance. ([#87105](openclaw/openclaw#87105), [#91551](openclaw/openclaw#91551), [#91219](openclaw/openclaw#91219), [#91614](openclaw/openclaw#91614), [#91740](openclaw/openclaw#91740), [#91978](openclaw/openclaw#91978)) Thanks [@fuller-stack-dev](https://github.com/fuller-stack-dev) and [@scotthuang](https://github.com/scotthuang).
- Providers/Codex: clarify quota errors, restore the Codex synthetic usage line, canonicalize Codex protocol assets, require API-key auth for realtime voice, normalize ACP model refs, preserve Gemma 4 `reasoning_content`, and avoid guardian review for local models. ([#91390](openclaw/openclaw#91390), [#91709](openclaw/openclaw#91709), [#91507](openclaw/openclaw#91507), [#91567](openclaw/openclaw#91567), [#88630](openclaw/openclaw#88630), [#91696](openclaw/openclaw#91696)) Thanks [@hxy91819](https://github.com/hxy91819), [@brokemac79](https://github.com/brokemac79), [@RomneyDa](https://github.com/RomneyDa), [@joshavant](https://github.com/joshavant), and [@Coder-Wangyankun](https://github.com/Coder-Wangyankun).
- Updates/builds: recover package Gateway restarts after refresh failure, expose plugin convergence repair, fall back to Corepack in PATH-less pnpm environments, seed the correct Docker store packages, and keep ClawHub dry-run and publish paths reusable. ([#91581](openclaw/openclaw#91581), [#91599](openclaw/openclaw#91599), [#91547](openclaw/openclaw#91547), [#91591](openclaw/openclaw#91591)) Thanks [@fuller-stack-dev](https://github.com/fuller-stack-dev), [@sallyom](https://github.com/sallyom), and [@Patrick-Erichsen](https://github.com/Patrick-Erichsen).
- UI: require explicit user intent before opening chat sessions and drain restored chat queues after session switches. ([#91480](openclaw/openclaw#91480)) Thanks [@TurboTheTurtle](https://github.com/TurboTheTurtle).
- Android: avoid the `dataSync` foreground-service type for persistent nodes. ([#80082](openclaw/openclaw#80082)) Thanks [@davelutztx](https://github.com/davelutztx).
- Native hooks: bound relay lifetimes so abandoned native hook connections cannot linger indefinitely. ([#91550](openclaw/openclaw#91550)) Thanks [@joshavant](https://github.com/joshavant).

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://git.erwanleboucher.dev/eleboucher/homelab/pulls/1040

Labels

channel: telegram Channel integration: telegram maintainer Maintainer-authored PR mantis: telegram-visible-proof Mantis should capture Telegram visible proof. merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. merge-risk: 🚨 message-delivery 🚨 May drop, duplicate, misroute, suppress, or wrongly target messages. merge-risk: 🚨 security-boundary 🚨 May affect sandboxing, authorization, credentials, or sensitive data. P1 High-priority user-facing bug, regression, or broken workflow. rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. size: XL status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask.
