PR #70428: fix(outbound): hold active-delivery claim so reconnect drain skips live sends

• Repository: openclaw/openclaw
• Author: neeravmakwana
• State: closed | merged: True
• Link: https://github.com/openclaw/openclaw/pull/70428

Description (problem / solution / changelog)

Summary

Fixes #70386. Reconnect drain was re-driving the same queue entry while the original deliverOutboundPayloads was still mid-send, producing 7-12x outbound duplication on WhatsApp cron sends whenever the 30-minute inbound-silence watchdog fired during a delivery window.

Root cause

drainPendingDeliveries is intentionally allowed to replay fresh entries (retryCount === 0 && lastAttemptAt === undefined) to preserve crash-replay. That contract was safe while the reconnect drain previously required a specific "No active ... listener" lastError on the entry; once the drain selector was widened to match any pending entry for the reconnecting account, nothing prevented it from firing against an entry whose original deliverOutboundPayloads caller was still executing. The live delivery path persisted via enqueueDelivery but never held an in-memory claim on queueId during the send, so a concurrent reconnect passed claimRecoveryEntry, passed isEntryEligibleForRecoveryRetry (fresh entries are drain-eligible by design), and invoked deliver(...) a second (or Nth) time — once per reconnect that occurred inside the live send window.

Cron run records showed only one delivered: true per scheduled run because the drain's deliver() enqueues and acks a new entry path, leaving no visible audit in the scheduler.

Fix

Claim queueId against the existing entriesInProgress set immediately after enqueueDelivery, and release in the finally block that wraps ack/fail in deliverOutboundPayloads. Drain already consults the same set via claimRecoveryEntry and skips claimed ids with an "already being recovered" log, so no drain-side logic change is needed.

Two new thin exports on delivery-queue.ts:

• tryClaimActiveDelivery(entryId) — returns false if already claimed.
• releaseActiveDelivery(entryId) — pair in finally.

Why the fix is safe

• The claim is a process-local Set. A crashed owner leaves no claim behind, so recoverPendingDeliveries on the next startup reclaims any orphaned entries exactly as before — crash replay for fresh entries is preserved intentionally.
• Drain already had the skip path ("already being recovered") for in-progress recovery callers; this reuses it and adds a second legitimate owner: the live delivery path.
• No queue file format change, no migration, no persistence change.
• The shared concurrency guard claimRecoveryEntry / releaseRecoveryEntry is unchanged; the new helpers are a stable public wrapper over the same set so other callers (live sends) can participate without importing a private symbol.
• Regression test covers exactly the race: claim the entry (simulating a live send in flight), run the drain, assert deliver is not called and the "already being recovered" skip log is emitted; after release, a follow-up drain delivers exactly once.

Security / runtime controls unchanged

• No prompt-derived policy surface is involved. Concurrency is enforced structurally via the in-memory claim set, not by message text, metadata, or any LLM-facing behavior.
• No config defaults, no help metadata, no generated artifacts change.
• Plugin SDK public surface (src/plugin-sdk/infra-runtime.ts) selectively re-exports only drainPendingDeliveries; the two new helpers are deliberately not re-exposed there, so third-party plugin contracts and docs/.generated/plugin-sdk-api-baseline.* are intentionally untouched.
• Outbound delivery adapters, channel plugins, session/policy keys, transcript mirroring, and best-effort / abort behavior are all unmodified — the claim wraps the existing ack/fail flow in a finally without changing any of its branches.

Tests

Added regression test: src/infra/outbound/delivery-queue.reconnect-drain.test.ts → "skips entries that an in-flight live delivery has actively claimed".

Exact commands run locally:

• pnpm test src/infra/outbound/delivery-queue.reconnect-drain.test.ts — 14 passed (includes new case).
• pnpm test src/infra/outbound — 452 passed across 35 files.
• pnpm test src/gateway/server-restart-sentinel.test.ts src/gateway/server-runtime-services.test.ts src/plugin-sdk/infra-runtime.test.ts — the other consumers of the ./delivery-queue.js mock, 27 passed.
• pnpm test src/cron/isolated-agent — cron delivery-dispatch consumers of deliverOutboundPayloads, 222 passed across 20 files.
• pnpm check:changed — scoped typecheck/lint/guards green.
• pnpm tsgo — core prod typecheck green.

The pnpm tsgo:prod failures on unrelated qa-lab, qqbot, and tokenjuice extensions reproduce on origin/main at the same SHA and are not introduced by this change. Same for the pre-existing plugin-sdk-api-baseline hash drift — this PR does not add any public plugin-sdk surface.

Checklist

• Noted as AI-assisted
• Fully tested (new regression test plus full outbound/cron/infra lanes)
• Understand what the code does
• Will resolve/reply to bot review conversations after addressing them

Made with Cursor

Changed files

• CHANGELOG.md (modified, +1/-0)
• src/infra/outbound/deliver.test.ts (modified, +37/-0)
• src/infra/outbound/deliver.ts (modified, +25/-1)
• src/infra/outbound/delivery-queue-recovery.ts (modified, +29/-11)
• src/infra/outbound/delivery-queue.reconnect-drain.test.ts (modified, +67/-0)
• src/infra/outbound/delivery-queue.ts (modified, +2/-0)