fix(onboard): detect messaging bot-token conflicts across sandboxes (#1953) (#1979)

## Summary

Closes #1953. Telegram/Discord/Slack bot tokens only allow one consumer
per token, globally — enforced by the platform, not by NemoClaw. Two
NemoClaw sandboxes resolving the same token from `credentials.json` both
start polling, each kicks the other off, and neither delivers messages.
`nemoclaw status` still reports the bridge as running; the only evidence
is a repeating 409 line inside `/tmp/gateway.log`.

This PR adds three layers of defense inside NemoClaw. No OpenClaw
changes needed.

## What changed

- **Onboard-time prevention** — before creating a sandbox that enables a
messaging channel, check the registry for any other sandbox already
using that channel. Prompt `[y/N]` default No; hard-exit 1 in
non-interactive mode.
- **Status-time overlap warning** — `nemoclaw status` lists every
cross-sandbox messaging-channel overlap so users who upgrade or click
through the onboard prompt still see the problem.
- **Status-time 409 detection** — `nemoclaw status` tails
`/tmp/gateway.log` inside the default sandbox and flags Telegram's
`getUpdates conflict` / `409 Conflict` pattern as `degraded`. Short
timeout (3s) and silent on failure — it never breaks status.
- **Registry backfill** — new `messagingChannels` field on
`SandboxEntry`. Pre-existing sandboxes have no record of their channels,
so the check would miss conflicts after an upgrade; a lazy backfill
probes OpenShell for `${name}-{telegram,discord,slack}-bridge` providers
and fills the field. Runs on first onboard/status after upgrade.
- **Troubleshooting docs** — new section explaining the 409 pattern, how
to diagnose via `/tmp/gateway.log`, and how to recover.

The conflict-detection logic is factored into a pure
`src/lib/messaging-conflict.ts` with dependency injection and unit tests
— no `child_process` or `openshell` imports, so it's trivially testable.

## Scope notes

- **Option B from the issue ("only default sandbox polls")** is
intentionally not implemented. Silently disabling a feature the user
explicitly enabled is worse UX than a clear warning. The issue listed
all three expected results as `OR` alternatives; this PR picks the
detect-and-warn branch.
- **Discord/Slack log-pattern matching** is not included. The only
verified log signature is Telegram's (from the issue reporter's actual
output). Discord gateway and Slack Socket Mode have similar
protocol-level conflicts but different log formats that belong to
OpenClaw, not NemoClaw. The registry-based overlap warning covers
Discord/Slack for prevention; log-based diagnosis for those platforms
can be added when OpenClaw exposes a structured bridge-health signal.



<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Detects when the same messaging bot token/channel is enabled in
multiple sandboxes; status shows warnings and onboarding will prompt (or
abort in non-interactive mode) to prevent conflicts.
* Sandboxes now persist selected messaging channels so status reflects
configured channels.
* **Documentation**
* Added a troubleshooting guide with symptoms, diagnosis steps, example
log indicators, and remediation for messaging-bridge token conflicts.
* **Tests**
* Added tests covering conflict detection, channel backfill, overlap
reporting, and status warnings.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: cjagwani

.agents/skills/nemoclaw-user-reference/references/troubleshooting.md

@@ -414,6 +414,25 @@ In that case:
 - inspect gateway logs and blocked requests with `openshell term`
 - treat the failure as a native Discord gateway problem, not as a bridge startup problem
 
+### Messaging bridge appears running but no messages arrive
+
+Bot tokens for Telegram (`getUpdates`), Discord (gateway), and Slack (Socket Mode) only allow one active consumer per token. If two NemoClaw sandboxes are configured with the same bot token, each one kicks the other off its polling connection and neither delivers messages. `nemoclaw status` still reports the bridge as running because the gateway process itself is alive.
+
+To diagnose, open a shell in the sandbox and inspect the gateway log:
+
+```console
+$ openshell term <sandbox-name>
+$ tail -f /tmp/gateway.log
+```
+
+A repeating line like the following confirms the conflict:
+
+```text
+[telegram] getUpdates conflict: 409: Conflict: terminated by other getUpdates request; retrying in 30s.
+```
+
+To fix, run `nemoclaw <other-sandbox> destroy` on whichever sandbox should stop polling, or rerun onboarding on it with the channel disabled. Current NemoClaw warns at `nemoclaw onboard` time when another sandbox already has the same channel enabled, but sandboxes created before that check was added may still be in a conflict loop.
+
 ### Landlock filesystem restrictions silently degraded
 
 After sandbox creation, NemoClaw checks whether the host kernel supports Landlock (Linux 5.13+).

docs/reference/troubleshooting.md

@@ -444,6 +444,25 @@ In that case:
 - inspect gateway logs and blocked requests with `openshell term`
 - treat the failure as a native Discord gateway problem, not as a bridge startup problem
 
+### Messaging bridge appears running but no messages arrive
+
+Bot tokens for Telegram (`getUpdates`), Discord (gateway), and Slack (Socket Mode) only allow one active consumer per token. If two NemoClaw sandboxes are configured with the same bot token, each one kicks the other off its polling connection and neither delivers messages. `nemoclaw status` still reports the bridge as running because the gateway process itself is alive.
+
+To diagnose, open a shell in the sandbox and inspect the gateway log:
+
+```console
+$ openshell term <sandbox-name>
+$ tail -f /tmp/gateway.log
+```
+
+A repeating line like the following confirms the conflict:
+
+```text
+[telegram] getUpdates conflict: 409: Conflict: terminated by other getUpdates request; retrying in 30s.
+```
+
+To fix, run `nemoclaw <other-sandbox> destroy` on whichever sandbox should stop polling, or rerun onboarding on it with the channel disabled. Current NemoClaw warns at `nemoclaw onboard` time when another sandbox already has the same channel enabled, but sandboxes created before that check was added may still be in a conflict loop.
+
 ### Landlock filesystem restrictions silently degraded
 
 After sandbox creation, NemoClaw checks whether the host kernel supports Landlock (Linux 5.13+).

src/lib/inventory-commands.test.ts

@@ -88,6 +88,77 @@ describe("inventory commands", () => {
     );
   });
 
+  it("flags messaging bridge as degraded when checkMessagingBridgeHealth reports conflicts", () => {
+    const lines: string[] = [];
+    const checkMessagingBridgeHealth = vi.fn().mockReturnValue([
+      { channel: "telegram", conflicts: 7 },
+    ]);
+    showStatusCommand({
+      listSandboxes: () => ({
+        sandboxes: [
+          {
+            name: "alpha",
+            model: "m",
+            messagingChannels: ["telegram"],
+          },
+        ],
+        defaultSandbox: "alpha",
+      }),
+      getLiveInference: () => null,
+      showServiceStatus: vi.fn(),
+      checkMessagingBridgeHealth,
+      log: (message = "") => lines.push(message),
+    });
+
+    expect(checkMessagingBridgeHealth).toHaveBeenCalledWith("alpha", ["telegram"]);
+    expect(lines).toContain(
+      "  ⚠ telegram bridge: degraded (7 conflict errors in /tmp/gateway.log)",
+    );
+  });
+
+  it("skips messaging bridge check when the default sandbox has no channels", () => {
+    const lines: string[] = [];
+    const checkMessagingBridgeHealth = vi.fn().mockReturnValue([]);
+    showStatusCommand({
+      listSandboxes: () => ({
+        sandboxes: [{ name: "alpha", model: "m" }],
+        defaultSandbox: "alpha",
+      }),
+      getLiveInference: () => null,
+      showServiceStatus: vi.fn(),
+      checkMessagingBridgeHealth,
+      log: (message = "") => lines.push(message),
+    });
+
+    expect(checkMessagingBridgeHealth).not.toHaveBeenCalled();
+    expect(lines.some((l) => l.includes("degraded"))).toBe(false);
+  });
+
+  it("prints a cross-sandbox overlap warning when backfillAndFindOverlaps reports overlaps", () => {
+    const lines: string[] = [];
+    const backfillAndFindOverlaps = vi.fn().mockReturnValue([
+      { channel: "telegram", sandboxes: ["alice", "bob"] },
+    ]);
+    showStatusCommand({
+      listSandboxes: () => ({
+        sandboxes: [
+          { name: "alice", model: "m", messagingChannels: ["telegram"] },
+          { name: "bob", model: "m", messagingChannels: ["telegram"] },
+        ],
+        defaultSandbox: "alice",
+      }),
+      getLiveInference: () => null,
+      showServiceStatus: vi.fn(),
+      backfillAndFindOverlaps,
+      log: (message = "") => lines.push(message),
+    });
+
+    expect(backfillAndFindOverlaps).toHaveBeenCalled();
+    expect(
+      lines.some((l) => l.includes("telegram is enabled on both 'alice' and 'bob'")),
+    ).toBe(true);
+  });
+
   it("prints stored sandbox models in status and delegates service status", () => {
     const lines: string[] = [];
     const showServiceStatus = vi.fn();

src/lib/inventory-commands.ts

@@ -9,6 +9,12 @@ export interface SandboxEntry {
   provider?: string | null;
   gpuEnabled?: boolean;
   policies?: string[] | null;
+  messagingChannels?: string[] | null;
+}
+
+export interface MessagingBridgeHealth {
+  channel: string;
+  conflicts: number;
 }
 
 export interface RecoveryResult {
@@ -25,10 +31,20 @@ export interface ListSandboxesCommandDeps {
   log?: (message?: string) => void;
 }
 
+export interface MessagingOverlap {
+  channel: string;
+  sandboxes: [string, string];
+}
+
 export interface ShowStatusCommandDeps {
   listSandboxes: () => { sandboxes: SandboxEntry[]; defaultSandbox?: string | null };
   getLiveInference: () => GatewayInference | null;
   showServiceStatus: (options: { sandboxName?: string }) => void;
+  checkMessagingBridgeHealth?: (
+    sandboxName: string,
+    channels: string[],
+  ) => MessagingBridgeHealth[];
+  backfillAndFindOverlaps?: () => MessagingOverlap[];
   log?: (message?: string) => void;
 }
 
@@ -99,4 +115,42 @@ export function showStatusCommand(deps: ShowStatusCommandDeps): void {
   }
 
   deps.showServiceStatus({ sandboxName: defaultSandbox || undefined });
+
+  if (deps.backfillAndFindOverlaps) {
+    const overlaps = deps.backfillAndFindOverlaps();
+    if (overlaps.length > 0) {
+      log("");
+      for (const { channel, sandboxes: pair } of overlaps) {
+        log(
+          `  ⚠ ${channel} is enabled on both '${pair[0]}' and '${pair[1]}'. Bot tokens only allow one sandbox to poll — both bridges will fail.`,
+        );
+      }
+      log(
+        "    Run `nemoclaw <sandbox> destroy` on whichever sandbox should stop polling, or rerun onboarding with the channel disabled.",
+      );
+    }
+  }
+
+  if (deps.checkMessagingBridgeHealth && defaultSandbox) {
+    // Re-fetch: backfillAndFindOverlaps above may have populated
+    // messagingChannels for the default sandbox on first run after upgrade,
+    // and the original `sandboxes` snapshot is stale.
+    const refreshed = deps.listSandboxes().sandboxes;
+    const defaultEntry = refreshed.find((sb) => sb.name === defaultSandbox);
+    const channels = defaultEntry?.messagingChannels;
+    if (Array.isArray(channels) && channels.length > 0) {
+      const degraded = deps.checkMessagingBridgeHealth(defaultSandbox, channels);
+      if (degraded.length > 0) {
+        log("");
+        for (const { channel, conflicts } of degraded) {
+          log(
+            `  ⚠ ${channel} bridge: degraded (${conflicts} conflict errors in /tmp/gateway.log)`,
+          );
+        }
+        log(
+          "    Another sandbox is likely polling with the same bot token. See docs/reference/troubleshooting.md.",
+        );
+      }
+    }
+  }
 }

src/lib/messaging-conflict.test.ts

@@ -0,0 +1,173 @@
+// SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { describe, expect, it, vi } from "vitest";
+
+import type { SandboxEntry } from "./registry";
+import {
+  backfillMessagingChannels,
+  findAllOverlaps,
+  findChannelConflicts,
+} from "./messaging-conflict";
+
+function makeRegistry(sandboxes: SandboxEntry[]) {
+  const store = new Map(sandboxes.map((s) => [s.name, { ...s }]));
+  return {
+    listSandboxes: () => ({
+      sandboxes: Array.from(store.values()),
+      defaultSandbox: sandboxes[0]?.name ?? null,
+    }),
+    updateSandbox: vi.fn((name: string, updates: Partial<SandboxEntry>) => {
+      const entry = store.get(name);
+      if (!entry) return false;
+      Object.assign(entry, updates);
+      return true;
+    }),
+  };
+}
+
+describe("findChannelConflicts", () => {
+  it("returns conflicts when another sandbox already has the channel", () => {
+    const registry = makeRegistry([
+      { name: "alice", messagingChannels: ["telegram"] },
+      { name: "bob", messagingChannels: [] },
+    ]);
+    expect(findChannelConflicts("bob", ["telegram"], registry)).toEqual([
+      { channel: "telegram", sandbox: "alice" },
+    ]);
+  });
+
+  it("excludes the current sandbox from its own conflicts", () => {
+    const registry = makeRegistry([{ name: "alice", messagingChannels: ["telegram"] }]);
+    expect(findChannelConflicts("alice", ["telegram"], registry)).toEqual([]);
+  });
+
+  it("skips entries with no messagingChannels field (pre-backfill)", () => {
+    const registry = makeRegistry([{ name: "alice" }, { name: "bob", messagingChannels: [] }]);
+    expect(findChannelConflicts("bob", ["telegram"], registry)).toEqual([]);
+  });
+
+  it("returns empty when no channels are enabled", () => {
+    const registry = makeRegistry([{ name: "alice", messagingChannels: ["telegram"] }]);
+    expect(findChannelConflicts("bob", [], registry)).toEqual([]);
+  });
+});
+
+describe("findAllOverlaps", () => {
+  it("reports each overlapping pair once", () => {
+    const registry = makeRegistry([
+      { name: "alice", messagingChannels: ["telegram"] },
+      { name: "bob", messagingChannels: ["telegram"] },
+      { name: "carol", messagingChannels: ["discord"] },
+    ]);
+    expect(findAllOverlaps(registry)).toEqual([
+      { channel: "telegram", sandboxes: ["alice", "bob"] },
+    ]);
+  });
+
+  it("reports all pairs when three sandboxes share a channel", () => {
+    const registry = makeRegistry([
+      { name: "a", messagingChannels: ["telegram"] },
+      { name: "b", messagingChannels: ["telegram"] },
+      { name: "c", messagingChannels: ["telegram"] },
+    ]);
+    expect(findAllOverlaps(registry)).toEqual([
+      { channel: "telegram", sandboxes: ["a", "b"] },
+      { channel: "telegram", sandboxes: ["a", "c"] },
+      { channel: "telegram", sandboxes: ["b", "c"] },
+    ]);
+  });
+
+  it("returns empty when channels do not overlap", () => {
+    const registry = makeRegistry([
+      { name: "alice", messagingChannels: ["telegram"] },
+      { name: "bob", messagingChannels: ["discord"] },
+    ]);
+    expect(findAllOverlaps(registry)).toEqual([]);
+  });
+});
+
+describe("backfillMessagingChannels", () => {
+  it("fills in missing messagingChannels by probing OpenShell", () => {
+    const registry = makeRegistry([{ name: "alice" }]);
+    const probe = {
+      providerExists: vi.fn((name: string) =>
+        name === "alice-telegram-bridge" ? "present" : "absent",
+      ) as (name: string) => "present" | "absent" | "error",
+    };
+    backfillMessagingChannels(registry, probe);
+    expect(registry.updateSandbox).toHaveBeenCalledWith("alice", {
+      messagingChannels: ["telegram"],
+    });
+    expect(probe.providerExists).toHaveBeenCalledWith("alice-telegram-bridge");
+    expect(probe.providerExists).toHaveBeenCalledWith("alice-discord-bridge");
+    expect(probe.providerExists).toHaveBeenCalledWith("alice-slack-bridge");
+  });
+
+  it("leaves entries with existing messagingChannels alone", () => {
+    const registry = makeRegistry([
+      { name: "alice", messagingChannels: ["telegram"] },
+    ]);
+    const probe = {
+      providerExists: vi.fn(() => "present") as (name: string) => "present" | "absent" | "error",
+    };
+    backfillMessagingChannels(registry, probe);
+    expect(registry.updateSandbox).not.toHaveBeenCalled();
+    expect(probe.providerExists).not.toHaveBeenCalled();
+  });
+
+  it("writes an empty array when all probes return absent", () => {
+    const registry = makeRegistry([{ name: "alice" }]);
+    const probe = {
+      providerExists: vi.fn(() => "absent") as (name: string) => "present" | "absent" | "error",
+    };
+    backfillMessagingChannels(registry, probe);
+    expect(registry.updateSandbox).toHaveBeenCalledWith("alice", { messagingChannels: [] });
+  });
+
+  it("does NOT persist when a probe returns error (retry on next call)", () => {
+    // "error" is distinct from "absent": a transient gateway failure must not
+    // be collapsed into "provider not attached" and persisted, because that
+    // would prevent all future backfill retries and hide real overlaps.
+    const registry = makeRegistry([{ name: "alice" }]);
+    const probe = {
+      providerExists: vi.fn((name: string) => {
+        if (name.endsWith("-telegram-bridge")) return "error";
+        return name.endsWith("-discord-bridge") ? "present" : "absent";
+      }) as (name: string) => "present" | "absent" | "error",
+    };
+    backfillMessagingChannels(registry, probe);
+    expect(registry.updateSandbox).not.toHaveBeenCalled();
+  });
+
+  it("also treats a thrown probe as error (defensive; callers should return 'error' instead)", () => {
+    const registry = makeRegistry([{ name: "alice" }]);
+    const probe = {
+      providerExists: vi.fn(() => {
+        throw new Error("unexpected");
+      }) as (name: string) => "present" | "absent" | "error",
+    };
+    backfillMessagingChannels(registry, probe);
+    expect(registry.updateSandbox).not.toHaveBeenCalled();
+  });
+
+  it("re-attempts backfill on a subsequent call after a prior error", () => {
+    const registry = makeRegistry([{ name: "alice" }]);
+    let firstPass = true;
+    const probe = {
+      providerExists: vi.fn((name: string) => {
+        if (name.endsWith("-telegram-bridge") && firstPass) {
+          firstPass = false;
+          return "error";
+        }
+        return name === "alice-telegram-bridge" ? "present" : "absent";
+      }) as (name: string) => "present" | "absent" | "error",
+    };
+    backfillMessagingChannels(registry, probe);
+    expect(registry.updateSandbox).not.toHaveBeenCalled();
+    backfillMessagingChannels(registry, probe);
+    expect(registry.updateSandbox).toHaveBeenCalledWith("alice", {
+      messagingChannels: ["telegram"],
+    });
+  });
+});