fix(messaging): enable Telegram/Discord channels and verify bridge after rebuild

[yimoj]

Summary

Fixes #4314
Fixes #4390

This is now the unified messaging-channel PR: it keeps the original #4403 runtime verification path and folds in the full #4400 OpenClaw channel activation / plugin-build / E2E coverage set.

OpenClaw 2026.5.22+ no longer auto-starts a messaging bridge from the account-level enabled flag alone — the channel must also be marked enabled at the top level for the bridge module to load. NemoClaw#4189 fixed this for Slack (PR #4222); the same gap silently produced "no Telegram process / no logs" for Telegram (#4314, #4390) and would silently break Discord too.

This PR:

• Bakes channels.<name>.enabled: true for Telegram, Discord, Slack, and WhatsApp in generated openclaw.json.
• Enables matching plugins.entries.<channel> records so OpenClaw discovers selected messaging providers through its real channel/plugin path.
• Pins external OpenClaw messaging plugins at image build time with scripts/openclaw-build-messaging-plugins.py instead of relying on unversioned openclaw doctor --fix catalog drift.
• Adds a gated Telegram startup-grace diagnostic breadcrumb when the bridge fails to log startup within the grace window.
• Adds a post-rebuild runtime check to nemoclaw <sandbox> channels add <channel> for verifiable OpenClaw channels (telegram/discord/slack), surfacing missing enabled flags, missing startup breadcrumbs, and credential/startup warnings.
• Extends messaging-provider E2E coverage with generated activation checks, openclaw channels list --all --json runtime discovery checks, pinned plugin build coverage, fake provider APIs, and optional live Telegram/Discord/Slack openclaw message send paths when repository secrets are configured.
• Keeps WeChat out of upfront generated channel config; WeChat remains on the existing late seed path after plugin install.

Reproduction (issue #4390 + #4314)

Before the fix, generated config with Telegram selected during onboarding:

"channels": { "telegram": { "accounts": { "default": { ... } } } }

No top-level enabled: true meant OpenClaw skipped loading the bridge. No Telegram process spawned, /sandbox/.openclaw/telegram/ stayed empty, and no startup/error breadcrumb appeared.

After the fix:

"channels": { "telegram": { "enabled": true, "accounts": { "default": { ..., "enabled": true } } } }

The bridge module is loadable, diagnostics can report silent startup failure, and channels add telegram probes the rebuilt runtime instead of leaving users with radio silence.

Test plan

Local validation on the unified branch:

• python3 -m py_compile scripts/generate-openclaw-config.py scripts/openclaw-build-messaging-plugins.py
• NEMOCLAW_MESSAGING_CHANNELS_B64=$(printf '%s' '["telegram","discord","slack","whatsapp"]' | base64 | tr -d '\n') OPENCLAW_VERSION=2026.5.22 python3 scripts/openclaw-build-messaging-plugins.py --dry-run
• bash -n test/e2e/test-messaging-providers.sh test/e2e/lib/discord-rest-policy-proof.sh test/e2e/lib/slack-api-proof.sh test/e2e/lib/telegram-api-proof.sh
• git diff --check HEAD~1..HEAD
• npm ci --ignore-scripts
• npm run build:cli
• npx vitest run test/generate-openclaw-config.test.ts test/openclaw-build-messaging-plugins.test.ts test/sandbox-build-context.test.ts test/sandbox-provisioning.test.ts test/channels-add-preset.test.ts test/telegram-diagnostics.test.ts test/e2e-script-workflow.test.ts test/validate-e2e-coverage.test.ts — 160 passed

Live Telegram bot E2E was not run from the local triage worktree because no Telegram bot credential is available locally; the PR wires optional live repository secrets through the nightly reusable workflow and keeps hermetic fake-provider proofs for CI.

DCO

Signed-off-by: Yimo Jiang <yimoj@nvidia.com>

Summary by CodeRabbit

• New Features

  • Startup watchdog emits a single breadcrumb when an OpenClaw gateway bridge fails to start within a configurable grace period.
  • Post-channel-add now verifies bridged channels after a rebuild.
  • Image/sandbox build now includes a messaging-plugin installer to pin/install provider plugins.

• Bug Fixes

  • Ensure channels, accounts, and plugin entries are marked enabled so bridges activate reliably.

• Tests

  • Expanded regression/E2E coverage with fake provider APIs, startup diagnostics, and live-credential wiring for Telegram/Discord/Slack.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: afbffcb8-03be-4213-9f57-3d78976559c2

📥 Commits

Reviewing files that changed from the base of the PR and between 0fb1829 and 83ae969.

📒 Files selected for processing (2)

• test/e2e/test-messaging-providers.sh
• test/validate-e2e-coverage.test.ts

🚧 Files skipped from review as they are similar to previous changes (2)

• test/validate-e2e-coverage.test.ts
• test/e2e/test-messaging-providers.sh

---

📝 Walkthrough

Walkthrough

Marks messaging channels enabled in generated OpenClaw config, adds a gateway-only Telegram startup-grace watchdog, performs post-rebuild bridge verification, introduces a build-time messaging-plugin installer invoked during image build, and adds extensive E2E fake-provider servers, helpers, and tests validating activation and startup signals.

Changes

Bridge startup detection and verification

Layer / File(s)	Summary
Channel enabled flag generation scripts/generate-openclaw-config.py, test/generate-openclaw-config.test.ts	Generated config now sets channels.<channel>.enabled: true and ensures accounts.default.enabled: true for credential-backed channels; tests assert channel- and plugin-entry enablement.
Build-time messaging plugin installer & Docker integration scripts/openclaw-build-messaging-plugins.py, Dockerfile, src/lib/sandbox/build-context.ts, test/openclaw-build-messaging-plugins.test.ts	New CLI computes pinned plugin install specs, doctor env overrides, installs plugins and runs openclaw doctor; script copied into staged build context and invoked during image build; tests validate dry-run output and install/doctor ordering.
Telegram startup-grace watchdog nemoclaw-blueprint/scripts/telegram-diagnostics.js, test/telegram-diagnostics.test.ts	Diagnostics preload runs only in gateway process flavors and starts a configurable startup-grace timer that emits a single "[telegram] [default] bridge did not start within …s" breadcrumb when Telegram is enabled in baked config and no startup-confirmation appears; tests cover emission/suppression scenarios.
Post-rebuild bridge verification src/lib/actions/sandbox/policy-channel.ts, test/channels-add-preset.test.ts	promptAndRebuild returns whether a rebuild occurred; verifyChannelBridgeAfterRebuild checks baked /sandbox/.openclaw/openclaw.json, tails /tmp/gateway.log for startup signals or credential warnings, and is invoked after QR/token channel-rebuild flows; tests assert detection, warnings, and correct skipping for Hermes/QR-only flows.
Fake provider servers & E2E helpers test/e2e/lib/fake-telegram-api.cjs, test/e2e/lib/fake-discord-message-api.cjs, test/e2e/lib/telegram-api-proof.sh, test/e2e/lib/discord-rest-policy-proof.sh, test/e2e/lib/slack-api-proof.sh, test/e2e/test-messaging-providers.sh	Add hermetic fake Telegram/Discord servers, helper scripts to start/verify captures, updated Slack proof resolver and hermetic workspace creation; E2E script now asserts both channels and plugins.entries activation and routes live sends via OpenClaw CLI when real credentials are provided.
E2E workflow & secrets validation .github/workflows/e2e-script.yaml, .github/workflows/nightly-e2e.yaml, test/e2e-script-workflow.test.ts, test/validate-e2e-coverage.test.ts	Expose optional real-message secrets in reusable workflow and forward them into the runner; tests verify the reusable workflow/job secret wiring and nightly job secret mappings.
Auxiliary test/timeouts & staging updates test/bootstrap-windows.test.ts, src/lib/sandbox/build-context.ts, test/sandbox-build-context.test.ts, test/sandbox-provisioning.test.ts	Centralize PowerShell execution timeouts, include openclaw-build-messaging-plugins.py in staged build context and fixture sets, and assert its executable permission normalization.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• NVIDIA/NemoClaw#4222: Both PRs modify scripts/generate-openclaw-config.py’s build_config() to change how generated channels.<channel>.enabled and plugins.entries.<channel>.enabled are emitted.
• NVIDIA/NemoClaw#4288: Related Telegram diagnostics and breadcrumb/probe handling adjustments.
• NVIDIA/NemoClaw#4151: Reusable E2E runner/workflow changes extended here with messaging-provider secrets and wiring.

Suggested labels

E2E, Docker

Suggested reviewers

• ericksoa
• cv
• jyaunches

"I’m a rabbit in the code-lit glade,
I hop where bridges wake or fade. 🐇
I count the timers, tail the logs,
I stamp a breadcrumb through the fog. ✨
Hooray — bridges found where silence clogs."

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 10.34% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix(messaging): enable Telegram/Discord channels and verify bridge after rebuild' clearly and concisely summarizes the main change: enabling messaging channels and adding verification logic for bridge startup after rebuild.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

Warning

Review ran into problems

🔥 Problems

Stopped waiting for pipeline failures after 30000ms. One of your pipelines takes longer than our 30000ms fetch window to run, so review may not consider pipeline-failure results for inline comments if any failures occurred after the fetch window. Increase the timeout if you want to wait longer or run a @coderabbit review after the pipeline has finished.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e/test-messaging-providers.sh`:
- Around line 383-389: The current env var assignments (TELEGRAM_TOKEN,
DISCORD_TOKEN, SLACK_TOKEN, SLACK_APP) give precedence to *_REAL values which
then leak into CI logs where code prints the first 10 characters; fix by
preserving the precedence but introducing separate safe logging variables (e.g.,
TELEGRAM_TOKEN_LOG, DISCORD_TOKEN_LOG, SLACK_TOKEN_LOG, SLACK_APP_LOG) that are
derived from the same sources but mask or replace real secrets (when
TELEGRAM_BOT_TOKEN_REAL / DISCORD_BOT_TOKEN_REAL / SLACK_BOT_TOKEN_REAL are set
return a fixed placeholder like "<redacted-real>" or a minimal non-secret token
prefix, otherwise show the harmless fake/truncated value); update any logging to
use these *_LOG variables instead of TELEGRAM_TOKEN / DISCORD_TOKEN /
SLACK_TOKEN / SLACK_APP.
- Around line 1138-1141: The assertions calling
assert_openclaw_config_activation for "M6a"/"M6b"/"M6c"/"M6d" unconditionally
cause failures when channel blocks (channels.telegram, channels.discord,
channels.slack, channels.whatsapp) are absent in non-root sandboxes; change the
test to first detect whether each channel block exists and, if absent in
non-root mode, skip the call (or pass an explicit "skipped" expectation) instead
of calling assert_openclaw_config_activation; alternatively modify
assert_openclaw_config_activation to accept a nullable expected state and treat
missing channel blocks as expected skip so M6a/M6b/M6c/M6d do not produce false
negatives.

In `@test/validate-e2e-coverage.test.ts`:
- Around line 259-267: The validator assumes nested objects exist and can throw
TypeError; update the nested lookups around reusableRunner, reusableSecrets,
reusableSecretDefs, runnerJobs, runStepEnv (getStepEnv), workflow.jobs and
messagingJob to use defensive checks/optional chaining and sensible defaults
(e.g., {} or []), e.g., replace direct property accesses with optional chaining
and fallback assignments so missing nodes don’t throw and the test can collect
entries into the missing array; ensure getStepEnv(...) return is defaulted to {}
when undefined and any cast to Record<string, unknown> is only applied after
confirming the value exists.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 489bb9dd-980b-47ef-a02b-c672912f840a

📥 Commits

Reviewing files that changed from the base of the PR and between 2b34bee and e3a2e72.

📒 Files selected for processing (18)

• .github/workflows/e2e-script.yaml
• .github/workflows/nightly-e2e.yaml
• Dockerfile
• scripts/generate-openclaw-config.py
• scripts/openclaw-build-messaging-plugins.py
• src/lib/sandbox/build-context.ts
• test/e2e-script-workflow.test.ts
• test/e2e/lib/discord-rest-policy-proof.sh
• test/e2e/lib/fake-discord-message-api.cjs
• test/e2e/lib/fake-telegram-api.cjs
• test/e2e/lib/slack-api-proof.sh
• test/e2e/lib/telegram-api-proof.sh
• test/e2e/test-messaging-providers.sh
• test/generate-openclaw-config.test.ts
• test/openclaw-build-messaging-plugins.test.ts
• test/sandbox-build-context.test.ts
• test/sandbox-provisioning.test.ts
• test/validate-e2e-coverage.test.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• test/generate-openclaw-config.test.ts

[coderabbitai]

Actionable comments posted: 0

[coderabbitai]

Actionable comments posted: 0

[coderabbitai]

Actionable comments posted: 0

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 26587189571
Target ref: 83ae9692609e76cc151b2b24944e48335b3402ef
Workflow ref: main
Requested jobs: all (no filter)
Summary: 50 passed, 2 failed, 2 skipped

Job	Result
bedrock-runtime-compatible-anthropic-e2e	✅ success
brave-search-e2e	✅ success
channels-add-remove-e2e	✅ success
channels-stop-start-e2e	✅ success
cloud-e2e	✅ success
cloud-inference-e2e	✅ success
cloud-onboard-e2e	✅ success
credential-migration-e2e	✅ success
credential-sanitization-e2e	✅ success
device-auth-health-e2e	✅ success
diagnostics-e2e	✅ success
docs-validation-e2e	✅ success
double-onboard-e2e	✅ success
gpu-double-onboard-e2e	⏭️ skipped
gpu-e2e	⏭️ skipped
hermes-discord-e2e	✅ success
hermes-e2e	✅ success
hermes-inference-switch-e2e	✅ success
hermes-onboard-security-posture-e2e	✅ success
hermes-root-entrypoint-smoke-e2e	✅ success
hermes-slack-e2e	✅ success
inference-routing-e2e	✅ success
issue-2478-crash-loop-recovery-e2e	✅ success
issue-3600-gpu-proof-optional-e2e	✅ success
kimi-inference-compat-e2e	✅ success
launchable-smoke-e2e	✅ success
messaging-compatible-endpoint-e2e	✅ success
messaging-providers-e2e	✅ success
network-policy-e2e	✅ success
onboard-negative-paths-e2e	✅ success
onboard-repair-e2e	✅ success
onboard-resume-e2e	✅ success
openclaw-discord-pairing-e2e	✅ success
openclaw-inference-switch-e2e	✅ success
openclaw-onboard-security-posture-e2e	✅ success
openclaw-slack-pairing-e2e	✅ success
openclaw-tui-chat-correlation-e2e	❌ failure
openshell-gateway-upgrade-e2e	❌ failure
overlayfs-autofix-e2e	✅ success
rebuild-hermes-e2e	✅ success
rebuild-hermes-stale-base-e2e	✅ success
rebuild-openclaw-e2e	✅ success
runtime-overrides-e2e	✅ success
sandbox-operations-e2e	✅ success
sandbox-survival-e2e	✅ success
shields-config-e2e	✅ success
skill-agent-e2e	✅ success
snapshot-commands-e2e	✅ success
state-backup-restore-e2e	✅ success
telegram-injection-e2e	✅ success
token-rotation-e2e	✅ success
tunnel-lifecycle-e2e	✅ success
upgrade-stale-sandbox-e2e	✅ success
vm-driver-privileged-exec-routing-e2e	✅ success

Failed jobs: openclaw-tui-chat-correlation-e2e, openshell-gateway-upgrade-e2e. Check run artifacts for logs.

[ericksoa]

Approved after checking the unified #4400/#4403 updates, current passing checks, clean CodeRabbit state, and no unresolved review threads.

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 26587189571
Target ref: 83ae9692609e76cc151b2b24944e48335b3402ef
Workflow ref: main
Requested jobs: all (no filter)
Summary: 50 passed, 2 failed, 2 skipped

Job	Result
bedrock-runtime-compatible-anthropic-e2e	✅ success
brave-search-e2e	✅ success
channels-add-remove-e2e	✅ success
channels-stop-start-e2e	✅ success
cloud-e2e	✅ success
cloud-inference-e2e	✅ success
cloud-onboard-e2e	✅ success
credential-migration-e2e	✅ success
credential-sanitization-e2e	✅ success
device-auth-health-e2e	✅ success
diagnostics-e2e	✅ success
docs-validation-e2e	✅ success
double-onboard-e2e	✅ success
gpu-double-onboard-e2e	⏭️ skipped
gpu-e2e	⏭️ skipped
hermes-discord-e2e	✅ success
hermes-e2e	✅ success
hermes-inference-switch-e2e	✅ success
hermes-onboard-security-posture-e2e	✅ success
hermes-root-entrypoint-smoke-e2e	✅ success
hermes-slack-e2e	✅ success
inference-routing-e2e	✅ success
issue-2478-crash-loop-recovery-e2e	✅ success
issue-3600-gpu-proof-optional-e2e	✅ success
kimi-inference-compat-e2e	✅ success
launchable-smoke-e2e	✅ success
messaging-compatible-endpoint-e2e	✅ success
messaging-providers-e2e	✅ success
network-policy-e2e	✅ success
onboard-negative-paths-e2e	✅ success
onboard-repair-e2e	✅ success
onboard-resume-e2e	✅ success
openclaw-discord-pairing-e2e	✅ success
openclaw-inference-switch-e2e	✅ success
openclaw-onboard-security-posture-e2e	✅ success
openclaw-slack-pairing-e2e	✅ success
openclaw-tui-chat-correlation-e2e	❌ failure
openshell-gateway-upgrade-e2e	❌ failure
overlayfs-autofix-e2e	✅ success
rebuild-hermes-e2e	✅ success
rebuild-hermes-stale-base-e2e	✅ success
rebuild-openclaw-e2e	✅ success
runtime-overrides-e2e	✅ success
sandbox-operations-e2e	✅ success
sandbox-survival-e2e	✅ success
shields-config-e2e	✅ success
skill-agent-e2e	✅ success
snapshot-commands-e2e	✅ success
state-backup-restore-e2e	✅ success
telegram-injection-e2e	✅ success
token-rotation-e2e	✅ success
tunnel-lifecycle-e2e	✅ success
upgrade-stale-sandbox-e2e	✅ success
vm-driver-privileged-exec-routing-e2e	✅ success

Failed jobs: openclaw-tui-chat-correlation-e2e, openshell-gateway-upgrade-e2e. Check run artifacts for logs.

[wscurran]

✨
Related open PRs:

• #4222 fix(messaging): enable generated Slack channel config

---

Related open issues:

• #4390 [DGX Spark aarch64] Telegram credential placeholder not resolved in sandbox env after v0.0.53 fix
• #4314 [Ubuntu 22.04][Agent&Skills] nemoclaw v0.0.52 telegram bridge does not spawn inside sandbox after channels add + rebuild — no E2E messaging possible
• #4189 Slack channel never starts despite config enabled: true, env vars present, and plugin installed

[github-actions]

Selective E2E Results — ❌ Some jobs failed

Run: 26587189571
Target ref: 83ae9692609e76cc151b2b24944e48335b3402ef
Workflow ref: main
Requested jobs: all (no filter)
Summary: 51 passed, 1 failed, 2 skipped

Job	Result
bedrock-runtime-compatible-anthropic-e2e	✅ success
brave-search-e2e	✅ success
channels-add-remove-e2e	✅ success
channels-stop-start-e2e	✅ success
cloud-e2e	✅ success
cloud-inference-e2e	✅ success
cloud-onboard-e2e	✅ success
credential-migration-e2e	✅ success
credential-sanitization-e2e	✅ success
device-auth-health-e2e	✅ success
diagnostics-e2e	✅ success
docs-validation-e2e	✅ success
double-onboard-e2e	✅ success
gpu-double-onboard-e2e	⏭️ skipped
gpu-e2e	⏭️ skipped
hermes-discord-e2e	✅ success
hermes-e2e	✅ success
hermes-inference-switch-e2e	✅ success
hermes-onboard-security-posture-e2e	✅ success
hermes-root-entrypoint-smoke-e2e	✅ success
hermes-slack-e2e	✅ success
inference-routing-e2e	✅ success
issue-2478-crash-loop-recovery-e2e	✅ success
issue-3600-gpu-proof-optional-e2e	✅ success
kimi-inference-compat-e2e	✅ success
launchable-smoke-e2e	✅ success
messaging-compatible-endpoint-e2e	✅ success
messaging-providers-e2e	✅ success
network-policy-e2e	✅ success
onboard-negative-paths-e2e	✅ success
onboard-repair-e2e	✅ success
onboard-resume-e2e	✅ success
openclaw-discord-pairing-e2e	✅ success
openclaw-inference-switch-e2e	✅ success
openclaw-onboard-security-posture-e2e	✅ success
openclaw-slack-pairing-e2e	✅ success
openclaw-tui-chat-correlation-e2e	❌ failure
openshell-gateway-upgrade-e2e	✅ success
overlayfs-autofix-e2e	✅ success
rebuild-hermes-e2e	✅ success
rebuild-hermes-stale-base-e2e	✅ success
rebuild-openclaw-e2e	✅ success
runtime-overrides-e2e	✅ success
sandbox-operations-e2e	✅ success
sandbox-survival-e2e	✅ success
shields-config-e2e	✅ success
skill-agent-e2e	✅ success
snapshot-commands-e2e	✅ success
state-backup-restore-e2e	✅ success
telegram-injection-e2e	✅ success
token-rotation-e2e	✅ success
tunnel-lifecycle-e2e	✅ success
upgrade-stale-sandbox-e2e	✅ success
vm-driver-privileged-exec-routing-e2e	✅ success

Failed jobs: openclaw-tui-chat-correlation-e2e. Check run artifacts for logs.