fix(heartbeat): propagate sessionKey in exec/hooks to fix async context loss

[BingqingLyu]

Summary

Fixes openclaw#52305. Related: openclaw#18237, openclaw#14191 (closed as stale).

Update 2026-04-26: openclaw#39978 (originally also in this PR's scope) was closed 2026-04-24, fixed upstream by openclaw#70258 (merged 2026-04-23). openclaw#70258 takes a narrower approach — adding deliveryContext / lastChannel / lastTo fallback in auto-reply/reply/dispatch-from-config.ts (3 files). openclaw#66648 (related "exec leakage to wrong sessions") was also closed 2026-04-25.

This PR's remaining unique value is the sessionKey-targeting fix for openclaw#52305 — wake events not being session-targeted, causing async task completions to route to whatever session is active rather than the originating one. The 14-file scope below covers that broader sessionKey-propagation path (heartbeat-runner, exec runtimes, cron event session keys, ACP spawn stream). Pending verification on v2026.4.24 to confirm openclaw#70258 doesn't incidentally cover openclaw#52305.

Async exec completion events silently vanish instead of being relayed to the originating channel. The root cause is a session key mismatch: events are enqueued under cron or channel-specific session keys, but the heartbeat runner always checks the agent's main session key.

Changes

1. Propagate sessionKey in wake requests — exec/hook/ACP paths now pass sessionKey through scopedHeartbeatWakeOptions(), which scopes agent sessions correctly while preserving unscoped behavior for non-agent keys.

2. Cron session key remapping — new resolveEventSessionKey() centralizes cron→agent-main remapping for event enqueueing. All affected enqueue sites updated: bash exec runtime, node exec events, ACP spawn stream.

3. Custom mainKey threading — scopedHeartbeatWakeOptions() now accepts optional mainKey so cron wake targets align with enqueue targets in custom session.mainKey configurations.

4. Exec completion delivery override — when a pending exec completion event is detected, resolveHeartbeatDeliveryTarget overrides target: "none" to fall back to the session's last delivery target, so exec results reach the user. Respects upstream fix(heartbeat): keep exec-event runs on the non-owner tool surface openclaw/openclaw#57652 auth blocking (ForceSenderIsOwnerFalse). Note: this overlaps with fix(auto-reply): restore route replies for exec-event completions openclaw/openclaw#70258's lastChannel/lastTo fallback, but operates at the heartbeat-delivery-target layer rather than the auto-reply route-resolution layer — they may be complementary or one may make the other redundant. Verification pending.

5. Exec completion detection — start-anchored regex matching for both exec finished (gateway/node approval path) and Exec completed/failed/killed (backgrounded allowlisted commands). Supports word-based session slugs from createSessionSlug().

Test plan

• Ghost-reminder test: exec events with target: none relay to last channel with ForceSenderIsOwnerFalse
• Returns-default-unset test: exec completion delivers to WhatsApp with auth blocking
• Exec completion regex: matches slug IDs (amber-at), hex IDs, case-insensitive
• False-positive rejection: free-form cron text with "exec" phrases
• resolveEventSessionKey unit tests: cron remapping with custom mainKey
• TODO: rebase onto current main (post-fix(auto-reply): restore route replies for exec-event completions openclaw/openclaw#70258), confirm tests still demonstrate uncovered scenarios for [Bug]: async task completion reports can be lost because system event/wake is not reliably session-targeted openclaw/openclaw#52305
• CI green

🤖 Generated with Claude Code