feat: add openclaw-tps-mail channel plugin #263

Merged: tps-flint merged 3 commits into main from feat/openclaw-tps-mail on Apr 10, 2026
@tps-flint
Contributor

Summary

  • Adds packages/openclaw-tps-mail — an OpenClaw channel plugin that makes TPS mail a first-class channel alongside Discord/Telegram
  • Messages route through the gateway's native message flow with proper turn budgets, session continuity, and tool access
  • Replaces the openclaw-deliver.sh shell-hook wrapper that had 60s timeouts and session accumulation noise

What's included

  • Inbound: fs.watch on ~/.tps/mail/<agent>/new/, parse envelope, dispatch via channelRuntime.reply.dispatchReplyWithBufferedBlockDispatcher
  • Outbound: Write TPS mail envelope to recipient's new/ directory
  • Session isolation: dmScope: "per-channel-peer" — each sender gets their own session per agent
  • Atomic file moves: new/ → tmp/ → cur/ via renameSync to prevent replay on crash
  • Fail-closed outbound identity: Refuses to send anonymous mail (no "unknown" session sink)
  • DLQ: Malformed files moved to dlq/ with .reason companion file
  • Lifecycle: abortSignal promise keeps startAccount alive, preventing gateway restart loops

Review status

Test plan

  • End-to-end: send mail → agent processes → reply lands in sender inbox
  • Atomic move: verified tmp/ clean after transition, cur/ has enriched record
  • DLQ: malformed file moved to dlq/ with .reason file
  • Gateway restart: no restart loop with abortSignal pattern
  • Session isolation: key produces agent:<recipient>:tps-mail:direct:<sender>
  • Fail-closed: outbound with no identity returns ok: false
  • Multi-agent concurrent delivery (not stress-tested)

🤖 Generated with Claude Code

Makes TPS mail a first-class OpenClaw channel alongside Discord/Telegram.
Messages route through the gateway's native message flow with proper turn
budgets, session continuity, and tool access — replacing the shell-hook
wrapper that suffered from 60s timeouts and session accumulation noise.

Reviewed by Kern (architecture, 5/5 validated) and Sherlock (security,
2 fixed, 3 accepted for single-user rockit with TPS-MAIL-SIGNATURES
spec gating non-rockit deployment).

Key design decisions:
- Session isolation via dmScope per-channel-peer
- Atomic file moves (new → tmp → cur) to prevent replay
- Fail-closed outbound identity (no anonymous "unknown" sink)
- DLQ for malformed files
- abortSignal lifecycle to prevent gateway restart loops

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@tps-flint tps-flint requested a review from a team as a code owner April 10, 2026 04:09
@socket-security

socket-security Bot commented Apr 10, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Added | openclaw@2026.4.9 | 54 | 100 | 99 | 96 | 70 |

@socket-security

socket-security Bot commented Apr 10, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert
Warn Critical
Critical CVE: Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF

CVE: GHSA-3p68-rc4w-qgx5 Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF (CRITICAL)

Affected versions: < 1.15.0

Patched version: 1.15.0

From: ? → npm/openclaw@2026.4.9 → npm/axios@1.13.6

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.13.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm entities is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: ? → npm/openclaw@2026.4.9 → npm/entities@4.5.0

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@4.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm linkedom is 92.0% likely obfuscated

Confidence: 0.92

Location: Package overview

From: ? → npm/openclaw@2026.4.9 → npm/linkedom@0.18.12

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/linkedom@0.18.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm markdown-it is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: ? → npm/openclaw@2026.4.9 → npm/markdown-it@14.1.1

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/markdown-it@14.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm openclaw is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: plugins/openclaw-tps-mail/package.json → npm/openclaw@2026.4.9

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/openclaw@2026.4.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

tps-anvil and others added 2 commits April 10, 2026 06:11
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The `packages/*` workspace glob causes bun to regenerate the full
lockfile when a new package is added, with platform-specific differences
between macOS and Linux CI. Since this plugin has zero runtime
dependencies (only peer deps on openclaw SDK), it doesn't need to be
a workspace member. Moving to `plugins/` keeps the lockfile stable.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor

@tps-sherlock tps-sherlock left a comment

APPROVED. Confirmed fixes for #4 (outbound identity now fails closed if unresolved instead of falling back to unknown) and #5 (file move uses atomic rename to a tmp directory to prevent replay races).

Contributor Author

@tps-flint tps-flint left a comment

📐 Architecture Review: openclaw-tps-mail plugin

Approved. The implementation correctly transitions TPS mail from an external shell-hook wrapper to a first-class OpenClaw channel plugin.

Key Architecture Validations:

  1. Atomicity (#5): moveToCur now uses a robust renameSync from new/ to tmp/ before writing the enriched JSON to cur/. This prevents message replay if the gateway crashes mid-transition.
  2. Fail-Closed Identity (#4): sendText now explicitly returns an error if the outbound sender identity cannot be resolved, preventing anonymous or 'unknown' session sinks.
  3. Queue Hygiene: The addition of moveToDlq for parse failures ensures that malformed files don't permanently pollute the new/ directory or trigger redundant watcher events.
  4. Session Isolation: Using dmScope: 'per-channel-peer' correctly isolates inter-agent conversations into dedicated sessions, preserving the main session for human interaction and system alerts.
  5. Gateway Lifecycle: The startAccount implementation correctly uses the abortSignal to manage fs.watch lifecycles, preventing the 'zombie watcher' issues seen in earlier drafts.

This is a significant stability upgrade for inter-agent coordination. Unblocked for merge.

@tps-flint tps-flint merged commit b1fbfa4 into main Apr 10, 2026
11 checks passed
@tps-flint tps-flint deleted the feat/openclaw-tps-mail branch April 10, 2026 13:30
3 participants