fix(telegram): audit follow-ups — block-mode chunk config, dedupe bucket cleanup, grammy contract trust

[obviyus]

Summary

Follow-ups from the telegram audit series (#91871, #91874, #91876, #91904):

• Wire streaming.preview.chunk into telegram block mode. channels.telegram.streaming.preview.chunk.maxChars now sizes preview rotation steps when streaming.mode: "block", matching how Discord consults the chunk config only for its block chunker. Other modes keep one growing preview at Telegram's 4096 edit cap, so default (partial) behavior is unchanged. Behavior note: block mode without explicit config moves from 4096 to the shared 800-char default, aligning telegram with Discord/SDK block chunk sizing. Doctor already migrates legacy draftChunk keys into this config for telegram, so it is no longer a silent no-op.
• Delete retired dispatch dedupe buckets after doctor import. Adds an optional removeSource hook to plugin-state-import migration plans (invoked only once every legacy entry is covered) and telegram now deletes the retired telegram.message-dispatch-dedupe bucket rows, including :lock rows, after importing into the SDK dedupe namespace from fix(telegram): use SDK dispatch dedupe #91904. The plan keeps emitting while any legacy rows remain (even TTL-expired), so previously-imported installs get swept on their next doctor --fix, after which detection goes quiet. This also deletes the hasCurrentMessageDispatchDedupeTargets gate.
• Trust grammy's API contract in handler seams. buildSyntheticContext requires getFile (drops the async () => ({}) fallback) and getChat binds bot.api.getChat directly — grammy's Api declares it concretely. Removes the NO_REPLY pre-count debug block in delivery (the SDK payload projection already normalizes NO_REPLY).

Verification

Regression proof — the new tests fail on main's production code and pass with this branch:

• sizes block-mode preview chunks from streaming.preview.chunk ✗ on main (got 4096, config ignored) → ✓
• uses the shared block chunk default when block mode has no chunk config ✗ on main → ✓
• removes plugin-state legacy sources through removeSource once covered ✗ on main (hook missing) → ✓
• migrates shipped Telegram message dispatch plugin-state buckets lifecycle ✗ on main (legacy rows linger, plan never re-emitted for cleanup) → ✓

Local (worktree, node scripts/run-vitest.mjs): bot-message-dispatch (124), state-migrations (8), doctor-state-migrations (46), bot.test (147), bot/delivery + helpers + media-dedup suites — all green.

Remote: blacksmith testbox run --id tbx_01ktrf67rfpa02v4xd82bjv7jv → pnpm check:changed green (tsgo core/test/extensions lanes, oxlint, import cycles, guards). An earlier run caught a Pick<TelegramContext, ...> mismatch at bot-handlers.runtime.ts:473; fixed by tightening buildCallbackSyntheticTextContext and re-run green.

Not tested: live Telegram block-mode streaming against a real bot.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed June 10, 2026, 6:24 AM ET / 10:24 UTC.

Summary
The branch wires Telegram block-mode preview sizing to streaming.preview.chunk, adds a doctor cleanup hook for legacy plugin-state dedupe buckets, removes grammy duck-typing fallbacks, and documents the Telegram block-mode behavior.

PR surface: Source -10, Tests +130, Docs +1. Total +121 across 10 files.

Reproducibility: yes. Current main hard-caps Telegram draft previews at 4096 characters, so block mode ignores streaming.preview.chunk; I confirmed the source path and the PR adds focused before/after tests, though I did not run them.

Review metrics: 2 noteworthy metrics.

• Telegram block-mode default: 1 default changed: 4096 cap to 800 shared maxChars when no chunk config is set. Existing Telegram block-mode users may see more preview rotations after upgrade.
• Plugin SDK contract surface: 1 optional migration-plan hook added. The exported channel-contract type change needs baseline and compatibility review before merge.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🧂 unranked krab
Patch quality: 🦐 gold shrimp
Result: blocked until real behavior proof from a real setup is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Commit the regenerated Plugin SDK API baseline hash for the new channel-contract type field.
• [P1] Add live Telegram proof for block-mode preview chunk sizing and final delivery, with private details redacted.

Proof guidance:

• [P1] Needs real behavior proof before merge: The PR provides focused tests and a remote changed gate, but no live Telegram proof; the body explicitly says live Telegram block-mode streaming was not tested. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Mantis proof suggestion
A native Telegram Desktop recording would directly show whether block-mode preview rotation honors streaming.preview.chunk.maxChars and still finalizes cleanly. A maintainer can ask Mantis to capture proof by posting a new PR comment that starts with the OpenClaw Mantis account mention, followed by:

telegram desktop proof: verify Telegram block-mode preview rotation honors streaming.preview.chunk.maxChars and final delivery remains one coherent answer.

Risk before merge

• [P1] Telegram block mode without explicit chunk config intentionally changes from one growing 4096-character preview to the shared 800-character preview rotation default, which is user-visible for existing block-mode users.
• [P1] No real Telegram proof is included; the PR body explicitly says live Telegram block-mode streaming was not tested.
• [P1] The PR changes an exported Plugin SDK channel-contract type without updating the tracked SDK API baseline hash.

Maintainer options:

1. Refresh contract artifact and prove Telegram live (recommended)
   Regenerate the Plugin SDK API baseline and add a live Telegram block-mode proof showing chunk sizing and final delivery before merge.
2. Accept the block-mode default change
   Maintainers can intentionally accept the 4096-to-800 default behavior change, but should make that upgrade impact explicit before landing.
3. Pause if the default is not settled
   If maintainers are not ready to change existing block-mode preview cadence, hold this PR and split the doctor cleanup from the streaming behavior.

Next step before merge

• [P1] Protected-label handling and live Telegram proof require maintainer/contributor action; the SDK baseline repair is mechanical but not enough to make automation merge this PR.

Security
Cleared: The diff does not add dependencies, secret handling, workflow permissions, downloads, or new code-execution paths; the state cleanup is doctor-time only.

Review findings

• [P2] Regenerate the SDK API baseline — src/channels/plugins/legacy-state-migration.types.ts:22

Review details

Best possible solution:

Update the SDK API baseline, then land only after maintainers accept the block-mode default change and there is live Telegram proof for the visible streaming path.

Do we have a high-confidence way to reproduce the issue?

Yes. Current main hard-caps Telegram draft previews at 4096 characters, so block mode ignores streaming.preview.chunk; I confirmed the source path and the PR adds focused before/after tests, though I did not run them.

Is this the best way to solve the issue?

Mostly yes. The fix stays in the Telegram plugin and doctor migration boundaries and the grammy simplification matches the pinned dependency types, but the PR must refresh SDK baseline artifacts and add live Telegram proof before it is the best mergeable form.

Full review comments:

• [P2] Regenerate the SDK API baseline — src/channels/plugins/legacy-state-migration.types.ts:22
  Adding removeSource changes ChannelLegacyStateMigrationPlan, which is exported through openclaw/plugin-sdk/channel-contract, but the tracked docs/.generated/plugin-sdk-api-baseline.sha256 is unchanged between base and this head. The plugin SDK API check hashes exported type aliases, so this public contract addition needs the generated baseline hash committed before the PR can pass the SDK surface guard.
  Confidence: 0.86

Overall correctness: patch is incorrect
Overall confidence: 0.82

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against c84e52192063.

Label changes

Label changes:

• add P2: This is a normal-priority Telegram bugfix/cleanup PR with limited blast radius but real merge gates.
• add merge-risk: 🚨 compatibility: The PR changes existing Telegram block-mode default preview sizing and adds an exported SDK type field.
• add merge-risk: 🚨 message-delivery: The Telegram preview rotation change affects visible message delivery cadence in block-mode chats.
• add merge-risk: 🚨 automation: The public SDK type changes without the tracked API baseline hash update required by repository automation.
• add rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🧂 unranked krab and patch quality is 🦐 gold shrimp.
• add status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR provides focused tests and a remote changed gate, but no live Telegram proof; the body explicitly says live Telegram block-mode streaming was not tested. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.
• add mantis: telegram-visible-proof: Mantis should capture Telegram visible proof. The PR changes visible Telegram block-mode preview rotation behavior that can be demonstrated in a short Telegram Desktop proof.

Label justifications:

• P2: This is a normal-priority Telegram bugfix/cleanup PR with limited blast radius but real merge gates.
• merge-risk: 🚨 compatibility: The PR changes existing Telegram block-mode default preview sizing and adds an exported SDK type field.
• merge-risk: 🚨 message-delivery: The Telegram preview rotation change affects visible message delivery cadence in block-mode chats.
• merge-risk: 🚨 automation: The public SDK type changes without the tracked API baseline hash update required by repository automation.
• rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🧂 unranked krab and patch quality is 🦐 gold shrimp.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR provides focused tests and a remote changed gate, but no live Telegram proof; the body explicitly says live Telegram block-mode streaming was not tested. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.
• mantis: telegram-visible-proof: Mantis should capture Telegram visible proof. The PR changes visible Telegram block-mode preview rotation behavior that can be demonstrated in a short Telegram Desktop proof.

Evidence reviewed

PR surface:

Source -10, Tests +130, Docs +1. Total +121 across 10 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	6	67	77	-10
Tests	3	130	0	+130
Docs	1	1	0	+1
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	10	198	77	+121

What I checked:

• Protected label: Provided GitHub context lists the protected maintainer label, so this cleanup review must keep the PR open for explicit maintainer handling.
• Current main ignores block chunk config: On current main, Telegram draft preview size is still Math.min(textLimit, 4096), so block mode cannot use streaming.preview.chunk.maxChars. (extensions/telegram/src/bot-message-dispatch.ts:827, c84e52192063)
• PR implements block chunk sizing: The PR head switches block-mode draft sizing to resolveTelegramDraftStreamingChunking(...).maxChars while keeping non-block previews at the Telegram edit cap. (extensions/telegram/src/bot-message-dispatch.ts:832, 974490cf095e)
• Doctor cleanup hook added: The PR adds removeSource execution after plugin-state import entries are covered, which matches the doctor-time migration boundary. (src/infra/state-migrations.ts:1715, 974490cf095e)
• Public SDK type surface changed: ChannelLegacyStateMigrationPlan gains an optional removeSource hook and is re-exported from openclaw/plugin-sdk/channel-contract. (src/channels/plugins/legacy-state-migration.types.ts:22, 974490cf095e)
• SDK baseline not refreshed: The tracked docs/.generated/plugin-sdk-api-baseline.sha256 is identical on base and PR head despite the public SDK type addition. Public docs: docs/.generated/plugin-sdk-api-baseline.sha256. (docs/.generated/plugin-sdk-api-baseline.sha256:1, 974490cf095e)

Likely related people:

• obviyus: Provided related PR context shows obviyus authored the recently merged Telegram audit/dedupe/chunking PRs that this follow-up builds on. (role: recent Telegram audit contributor; confidence: high; commits: b9095bf70d81, 049c3c487789, 9c6186de436c; files: extensions/telegram/src/bot-message-dispatch.ts, extensions/telegram/src/state-migrations.ts, extensions/telegram/src/bot-handlers.runtime.ts)
• Vincent Koc: Local history shows recent work on the shared state migration runner touched by this PR. (role: recent adjacent state migration contributor; confidence: medium; commits: 7f1d82ab2518; files: src/infra/state-migrations.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[obviyus]

Land verification:

• Local: node scripts/run-vitest.mjs over bot-message-dispatch (124), state-migrations (8), doctor-state-migrations (46), bot.test (147), bot/delivery (229 incl. shared files), media-dedup + bot/helpers (91) — green.
• Regression proof: the four new tests fail with main's production files swapped in (config ignored at 4096; removeSource never invoked; legacy buckets linger) and pass on this branch.
• Remote: Blacksmith Testbox tbx_01ktrf67rfpa02v4xd82bjv7jv, pnpm check:changed green (tsgo core/test/extensions, oxlint, import cycles, guards). First run caught a Pick<TelegramContext> mismatch at bot-handlers.runtime.ts:473; fixed and re-run green.

Known failing checks, both dispositioned:

• build-artifacts: test/scripts/check-deadcode-unused-files.test.ts › "falls back to bare pnpm when no managed pnpm runner is available" fails identically on plain latest origin/main (reproduced locally on an untouched main checkout) — pre-existing main breakage, unrelated to this diff.
• Run agentic native Telegram proof: Mantis reports both baseline and candidate captures skipped ("capture path cannot start Telegram in block preview mode"), artifacts: [] — no comparison was performed; harness capability gap, not a behavior mismatch. Behavior is covered by the regression tests above.

Proof gap: no live Telegram block-mode streaming session against a real bot.