fix(cron): protect tick loop from cascading mark_job_run failures

[jooray]

Summary

• cron/jobs.py: Wrap compute_next_run in mark_job_run with try/except so a scheduling-expression error doesn't prevent save_jobs from running. Without this, a single bad schedule can leave next_run_at as null, permanently disabling the job until manual intervention.
• cron/scheduler.py: Wrap the fallback mark_job_run call in the tick() exception handler. Previously, if the primary job execution failed and mark_job_run also raised, the unhandled exception would abort the tick loop for all remaining due jobs.

Both changes are purely defensive error-handling — no behavioral change when everything works normally.

Reproduction

1. Create a cron job whose delegate_task times out (900s+)
2. If compute_next_run raises during mark_job_run, next_run_at is set to null
3. On next tick, the job is skipped (not a one-shot, so recovery logic doesn't apply
4. The job never runs again until is manually edited

Test plan

• Verify existing cron tests pass
• Create a job, kill the gateway mid-execution, restart — job should recover with a valid
• Inject a bad schedule expression — job should log error but not break other jobs in the same tick
  EOF
  )

[Copilot]

Pull request overview

This PR hardens the cron scheduler against cascading failures by ensuring exceptions inside mark_job_run() (and its compute_next_run() call) can’t abort the tick loop or prevent job state from being persisted.

Changes:

• Wrap the fallback mark_job_run() call inside tick()’s exception handler so a secondary failure doesn’t terminate the tick loop.
• Wrap compute_next_run() inside mark_job_run() so schedule-computation errors don’t prevent save_jobs() from persisting updates.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File	Description
cron/scheduler.py	Prevents tick-loop abort when mark_job_run() fails during error handling.
cron/jobs.py	Ensures save_jobs() is still reached even if compute_next_run() raises.

Comments suppressed due to low confidence (1)

cron/jobs.py:629

• If compute_next_run raises, next_run_at is left unchanged and the code proceeds to state transitions. In cases where the stored next_run_at is already <= now (e.g., the job became due but advance_next_run failed due to the same schedule issue), this can lead to the job being picked up and failing on every subsequent tick, creating a noisy error loop. Consider explicitly pausing/disabling the job (or setting a safe future next_run_at) when compute_next_run fails to avoid repeated immediate retries.

            try:
                job["next_run_at"] = compute_next_run(job["schedule"], now)
            except Exception as exc:
                logger.error(
                    "Job '%s': compute_next_run failed (%s); keeping previous next_run_at",
                    job_id, exc,
                )

            # If no next run (one-shot completed), disable
            if job["next_run_at"] is None:
                job["enabled"] = False
                job["state"] = "completed"
            elif job.get("state") != "paused":
                job["state"] = "scheduled"

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The exception handler for compute_next_run logs with logger.error but drops the traceback. Since this is catching a broad Exception and will be the primary signal for diagnosing bad schedule payloads/croniter failures, consider using logger.exception (or logger.error(..., exc_info=True)) so the stack trace is preserved in logs.

Suggested change

	logger.error(
	logger.exception(

[Copilot]

There are existing unit tests for mark_job_run, but no coverage for the new defensive path where compute_next_run raises. Please add a test that forces compute_next_run to raise (e.g., via patch) and verifies mark_job_run still persists updates and leaves next_run_at in a sane state (unchanged from its previous value, or the chosen fallback).

[Copilot]

The log message prefix says "CRITICAL:" but this uses logger.exception (ERROR level). To avoid misleading severity in logs, either log at critical level (logger.critical(..., exc_info=True)) or remove the "CRITICAL" label from the message.

Suggested change

	logger.exception(
	"CRITICAL: mark_job_run also failed for job %s "
	"(original error: %s, mark_job_run error: %s)",
	job['id'], e, e2,
	logger.critical(
	"CRITICAL: mark_job_run also failed for job %s "
	"(original error: %s, mark_job_run error: %s)",
	job['id'], e, e2,
	exc_info=True,

[Copilot]

tick() has extensive tests, but there isn’t coverage for the newly added nested failure path (original job processing fails and mark_job_run also raises). Please add a test that sets up multiple due jobs, forces mark_job_run to raise in the except path, and asserts tick() continues processing remaining jobs without raising.