fix(cron): normalize node denial wrappers

abnershang · abnershang · commit 119fa5d69f83 · 2026-05-19T22:47:22.000+08:00
diff --git a/docs/automation/cron-jobs.md b/docs/automation/cron-jobs.md
@@ -51,7 +51,7 @@ Cron is the Gateway's built-in scheduler. It persists jobs, wakes the agent at t
 - Isolated cron runs best-effort close tracked browser tabs/processes for their `cron:<jobId>` session when the run completes, so detached browser automation does not leave orphaned processes behind.
 - Isolated cron runs that receive the narrow cron self-cleanup grant can still read scheduler status, a self-filtered list of their current job, and that job's run history, so status/heartbeat checks can inspect their own schedule without gaining broader cron mutation access.
 - Isolated cron runs also guard against stale acknowledgement replies. If the first result is just an interim status update (`on it`, `pulling everything together`, and similar hints) and no descendant subagent run is still responsible for the final answer, OpenClaw re-prompts once for the actual result before delivery.
-- Isolated cron runs prefer structured execution-denial metadata from the embedded run, then fall back to known final summary/output markers such as `SYSTEM_RUN_DENIED` and `INVALID_REQUEST`, so a blocked command is not reported as a green run.
+- Isolated cron runs use structured execution-denial metadata from the embedded run, including node-host `UNAVAILABLE` wrappers whose nested error message starts with `SYSTEM_RUN_DENIED` or `INVALID_REQUEST`, so a blocked command is not reported as a green run while ordinary assistant prose is not treated as a denial.
 - Isolated cron runs also treat run-level agent failures as job errors even when no reply payload is produced, so model/provider failures increment error counters and trigger failure notifications instead of clearing the job as successful.
 - When an isolated agent-turn job reaches `timeoutSeconds`, cron aborts the underlying agent run and gives it a short cleanup window. If the run does not drain, Gateway-owned cleanup force-clears that run's session ownership before cron records the timeout, so queued chat work is not left behind a stale processing session.
 - If an isolated agent-turn stalls before the runner starts or before the first model call, cron records a phase-specific timeout such as `setup timed out before runner start` or `stalled before first model call (last phase: context-engine)`. These watchdogs cover embedded providers and CLI-backed providers before their external CLI process is actually started, and are capped independently from long `timeoutSeconds` values so cold-start/auth/context failures surface quickly instead of waiting for the full job budget.
diff --git a/src/agents/pi-embedded-subscribe.handlers.tools.test.ts b/src/agents/pi-embedded-subscribe.handlers.tools.test.ts
@@ -580,8 +580,8 @@ describe("handleToolExecutionEnd timeout metadata", () => {
             error: "UNAVAILABLE: SYSTEM_RUN_DENIED: approval required",
             gatewayCode: "UNAVAILABLE",
             nodeError: {
-              code: "SYSTEM_RUN_DENIED",
-              message: "approval required",
+              code: "UNAVAILABLE",
+              message: "SYSTEM_RUN_DENIED: approval required",
             },
           },
         },
diff --git a/src/agents/pi-embedded-subscribe.tools.test.ts b/src/agents/pi-embedded-subscribe.tools.test.ts
@@ -63,8 +63,8 @@ describe("extractToolErrorMessage", () => {
           status: "failed",
           gatewayCode: "UNAVAILABLE",
           nodeError: {
-            code: "SYSTEM_RUN_DENIED",
-            message: "approval required",
+            code: "UNAVAILABLE",
+            message: "SYSTEM_RUN_DENIED: approval required",
           },
         },
       }),
@@ -107,8 +107,8 @@ describe("extractToolErrorMessage", () => {
     error.gatewayCode = "UNAVAILABLE";
     error.details = {
       nodeError: {
-        code: "SYSTEM_RUN_DENIED",
-        message: "approval required",
+        code: "UNAVAILABLE",
+        message: "SYSTEM_RUN_DENIED: approval required",
       },
     };
 
diff --git a/src/agents/pi-embedded-subscribe.tools.ts b/src/agents/pi-embedded-subscribe.tools.ts
@@ -16,6 +16,7 @@ import { normalizeToolName } from "./tool-policy.js";
 
 const TOOL_RESULT_MAX_CHARS = 8000;
 const TOOL_ERROR_MAX_CHARS = 400;
+const TOOL_DENIAL_ERROR_CODES = ["SYSTEM_RUN_DENIED", "INVALID_REQUEST"] as const;
 
 function truncateToolText(text: string): string {
   if (text.length <= TOOL_RESULT_MAX_CHARS) {
@@ -104,12 +105,30 @@ function readErrorCodeField(value: unknown): string | undefined {
   return typeof value === "string" ? normalizeOptionalString(value) : undefined;
 }
 
+function readDenialErrorCodeFromMessage(value: unknown): string | undefined {
+  const message = typeof value === "string" ? normalizeOptionalString(value) : undefined;
+  if (!message) {
+    return undefined;
+  }
+  for (const code of TOOL_DENIAL_ERROR_CODES) {
+    if (message === code || message.startsWith(`${code}:`)) {
+      return code;
+    }
+  }
+  return undefined;
+}
+
 function readNestedErrorCodeField(value: unknown): string | undefined {
   if (!value || typeof value !== "object") {
     return undefined;
   }
   const record = value as Record<string, unknown>;
-  return readErrorCodeField(record.code) ?? readErrorCodeField(record.gatewayCode);
+  return (
+    readDenialErrorCodeFromMessage(record.message) ??
+    readDenialErrorCodeFromMessage(record.error) ??
+    readErrorCodeField(record.code) ??
+    readErrorCodeField(record.gatewayCode)
+  );
 }
 
 function extractDirectErrorCodeField(value: unknown): string | undefined {
