Fix Telegram stop debounce bypass

[VACInc]

Summary

• Make Telegram abort controls (stop, /stop, and bot-addressed /stop) bypass inbound debounce immediately.
• Cancel pending same-conversation/sender Telegram debounce buffers across both default and forwarded-burst lanes, so older buffered prompts do not run after stop.
• Keep the fix scoped to Telegram ingress plus the existing generic debounce helper.

Root Cause

Telegram inbound debounce could hold a normal message for a short window. When stop or /stop arrived before that window flushed, the abort turn could either become debounceable itself or only cancel the current message's debounce lane, leaving an older same-chat buffered prompt to run after the stop.

Real behavior proof

Behavior addressed: Telegram stop//stop bypasses and cancels pending same-chat inbound debounce.
Real environment tested: Focused Telegram bot middleware harness in a fresh tmp worktree from origin/main.
Exact steps or command run after this patch: node scripts/run-vitest.mjs extensions/telegram/src/bot.create-telegram-bot.test.ts
Evidence after fix: Test Files 1 passed (1); Tests 80 passed (80)
Observed result after fix: stop, /stop@openclaw_bot, and stop after a forwarded-burst buffer ran immediately while the earlier same-chat debounced prompt was still pending, and the earlier prompt did not flush afterward.
What was not tested: Manual live Telegram E2E was not run in this pass.

Verification

• node scripts/run-vitest.mjs extensions/telegram/src/bot.create-telegram-bot.test.ts
• pnpm build
• ~/.codex/skills/codex-review/scripts/codex-review --mode branch
• git diff --check

What was not tested

• Manual live Telegram group/topic/DM E2E.

[clawsweeper]

Codex review: passed.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by maintainer comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors can comment @clawsweeper re-review or @clawsweeper re-run on their own open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR adds a generic inbound debounce cancelKey, uses Telegram stop-like controls to cancel same-chat pending debounce buffers and bypass debounce, and adds focused Telegram regression coverage plus updated channel test mocks.

Reproducibility: yes. by source inspection: current main enqueues Telegram text through inbound debounce before abort handling, and the debouncer only has flush semantics for pending keyed work. I did not run a live Telegram repro in this read-only pass.

Real behavior proof
Override: A maintainer applied proof: override for this PR.

Mantis proof suggestion
A live Telegram transcript with diagnostics would best prove the timing-sensitive stop bypass, cancellation, and unauthorized-stop behavior. A maintainer can ask Mantis to capture proof by posting a new PR comment that starts with the OpenClaw Mantis account mention, followed by:

telegram live: verify stop and /stop@openclaw_bot bypass Telegram inbound debounce, cancel pending same-chat prompts, and unauthorized stop leaves pending prompts intact.

Next step before merge
No repair lane is needed: the reviewed patch has no blocking code findings, and remaining handling is exact-head checks plus maintainer-approved proof override.

Security
Cleared: The diff gates buffer cancellation on Telegram command ingress authorization and does not touch dependencies, workflows, secrets, package resolution, or downloaded code.

Review details

Best possible solution:

Land this bounded Telegram ingress fix after exact-head checks, keeping the generic helper small and preserving authorization-gated cancellation semantics.

Do we have a high-confidence way to reproduce the issue?

Yes, by source inspection: current main enqueues Telegram text through inbound debounce before abort handling, and the debouncer only has flush semantics for pending keyed work. I did not run a live Telegram repro in this read-only pass.

Is this the best way to solve the issue?

Yes. A generic cancelKey plus Telegram-owned authorization and same-conversation key selection is the narrowest maintainable fix for this stop-buffer problem.

What I checked:

• Current-main Telegram debounce path: Current main builds a per-account/conversation/sender/lane Telegram debounce key and enqueues every processed inbound message through the generic debouncer, so a bare stop can sit behind or interact with a pending same-key buffered prompt before this PR. (extensions/telegram/src/bot-handlers.runtime.ts:1738, d85a7c6b67bd)
• Current-main debouncer lacks discard semantics: The existing helper can flush a pending key, and immediate keyed work explicitly flushes old buffered items first; there is no current-main API to drop a pending same-key buffer without running it. (src/auto-reply/inbound-debounce.ts:165, d85a7c6b67bd)
• PR authorization-gated cancellation: The PR checks isAbortRequestText, resolves Telegram command ingress authorization, cancels text-fragment and inbound debounce buffers only for authorized abort controls, and sends the abort turn through the debouncer with no key so it can run immediately. (extensions/telegram/src/bot-handlers.runtime.ts:1541, 19245a341de7)
• PR generic cancel helper: The PR adds cancelKey, which deletes the buffer, clears its timer, empties pending items, and releases the reserved keyed task without flushing canceled entries. (src/auto-reply/inbound-debounce.ts:170, 19245a341de7)
• PR regression coverage: The added tests cover authorized stop, bot-addressed /stop, forwarded-lane cancellation, and an unauthorized group stop that must not cancel the pending same-sender prompt. (extensions/telegram/src/bot.create-telegram-bot.test.ts:731, 19245a341de7)
• Telegram review standard: The Telegram maintainer notes require real Telegram proof for transport, authorization, and reply-context behavior; the live proof gap is addressed here by the maintainer-applied proof: override label, not by contributor-provided live evidence. (.agents/maintainer-notes/telegram.md:37)

Likely related people:

• osolmaz: Onur Solmaz authored the Telegram debounce ordering commits that shaped the same-key ordering behavior this PR changes around cancellation. (role: inbound debounce ordering contributor; confidence: high; commits: 9a34a602bd6c, bcaadc39eaed; files: src/auto-reply/inbound-debounce.ts)
• steipete: Peter Steinberger carried later shared inbound debounce policy and tracked-key accounting work near the helper this PR extends. (role: shared debounce policy contributor; confidence: medium; commits: 47083460eacc, 323ae73b3028; files: src/auto-reply/inbound-debounce.ts, src/channels/inbound-debounce-policy.ts)
• vincentkoc: Vincent Koc has recent merged work across Telegram runtime handling and inbound debounce cleanup adjacent to the affected paths. (role: recent Telegram area contributor; confidence: medium; commits: df27091f5f69, 77f1ea0de813; files: extensions/telegram/src/bot-handlers.runtime.ts, src/auto-reply/inbound-debounce.ts)
• Takhoffman: Tak Hoffman recently fixed Telegram default debounce account handling and then opted this PR into automerge with proof override in the discussion. (role: recent adjacent contributor and approval signal; confidence: medium; commits: f7f467b04205; files: extensions/telegram/src/bot-handlers.runtime.ts, extensions/telegram/src/bot-handlers.debounce-key.ts)

Remaining risk / open question:

• Tests and build were not rerun because this was a read-only review; the PR body reports focused harness and build verification.
• Live Telegram E2E proof was not independently inspected; the maintainer-applied proof override is the merge-gate signal.

Codex review notes: model gpt-5.5, reasoning high; reviewed against d85a7c6b67bd.

[openclaw-mantis]

Mantis Telegram Desktop Proof

Summary: Mantis skipped Telegram Desktop before/after GIF proof because this PR did not have an honest native Telegram-visible before/after.

• Scenario: telegram-desktop-proof
• Trigger: pull_request_target
• Run: https://github.com/openclaw/openclaw/actions/runs/26000999125
• Overall: skipped

[Takhoffman]

@clawsweeper automerge

[clawsweeper]

🦞🧹
ClawSweeper automerge is enabled.

• Head: 19245a341de7
• Label: clawsweeper:automerge
• Action: exact-head review queued (workflow sweep.yml, event repository_dispatch).
• Flow: review this head, repair/rebase only if needed, then re-review the exact repaired head before merge.

Draft PRs stay fix-only until GitHub marks them ready for review. Pause with /clawsweeper stop.

Automerge progress:

• 2026-05-17 20:56:23 UTC repair completed 19245a341de7 (branch updated) in 14m 50s Run: https://github.com/openclaw/clawsweeper/actions/runs/26002098514 initial automerge rebase is delegated to Codex repair

• 2026-05-17 20:56:22 UTC review queued 19245a341de7 (after repair)

• 2026-05-17 20:56:59 UTC automerge wait 19245a341de7 (blocked) in 15m 27s Run: https://github.com/openclaw/clawsweeper/actions/runs/26002098514 GitHub checks failed: Real behavior proof:FAILURE

• 2026-05-17 20:57:00 UTC repair finished 19245a341de7 (pushed) in 15m 28s Run: https://github.com/openclaw/clawsweeper/actions/runs/26002098514 repair_contributor_branch

• 2026-05-17 21:10:38 UTC review passed 19245a341de7 (structured ClawSweeper verdict: pass (sha=19245a341de7ff7d8664a7e738179dfef6574...)

• 2026-05-17 21:02:37 UTC repair queued 19245a341de7 (autonomous) Run: https://github.com/openclaw/clawsweeper/actions/runs/26002631103

• 2026-05-17 21:05:08 UTC repair started (running) in 1s Run: https://github.com/openclaw/clawsweeper/actions/runs/26002631103 automerge-openclaw-openclaw-83248

• 2026-05-17 21:05:25 UTC validation plan (passed) in 17s Run: https://github.com/openclaw/clawsweeper/actions/runs/26002631103 pnpm check:changed; pnpm lint; pnpm check:test-types

• 2026-05-17 21:05:35 UTC Codex write preflight (passed) in 27s Run: https://github.com/openclaw/clawsweeper/actions/runs/26002631103 danger-full-access

• 2026-05-17 21:09:29 UTC Codex edit 1 19245a341de7 (complete) in 4m 21s Run: https://github.com/openclaw/clawsweeper/actions/runs/26002631103 exit 0

• 2026-05-17 21:23:39 UTC validation and review 1 675098d38699 (base moved) in 18m 31s Run: https://github.com/openclaw/clawsweeper/actions/runs/26002631103 codex-reconciled

• 2026-05-17 21:10:56 UTC merged 19245a341de7 (merged by ClawSweeper automerge)

• 2026-05-17 21:10:59 UTC review queued 19245a341de7 (queued)

• 2026-05-17 21:31:08 UTC Codex edit 1 c93d6d8daa37 (complete) in 26m Run: https://github.com/openclaw/clawsweeper/actions/runs/26002631103 exit 0

• 2026-05-17 21:34:24 UTC validation and review 1 70c0ca45daa3 (complete) in 29m 16s Run: https://github.com/openclaw/clawsweeper/actions/runs/26002631103 already-current

• 2026-05-17 21:34:53 UTC repair finished 70c0ca45daa3 (opened) in 29m 45s Run: https://github.com/openclaw/clawsweeper/actions/runs/26002631103 open_fix_pr

[Takhoffman]

@clawsweeper automerge