cron: v2026.4.2 silently drops jobs.json (plain-array format) and first add clobbers all data

[slideshow-dingo]

Bug type

Regression (worked before, now fails) / Data Loss

OpenClaw version

OpenClaw 2026.4.2 (d74a122)

OS and install method

• Linux 6.8.0-106-generic (x64),
• Node.js v24.14.1,
• npm global (~/.npm-global/lib/node_modules/openclaw),
• systemd user service (systemctl --user).

Summary

After upgrading to 2026.4.2, the gateway silently reports jobCount: 0 at startup despite ~/.openclaw/cron/jobs.json containing 37 valid, working cron jobs. The jobs are valid JSON, parse correctly, and were fully operational on the prior version. On first cron add or job write, only the new job is persisted — all 37 existing jobs are permanently lost.

Steps to reproduce

1. Run a working OpenClaw instance on 2026.3.x with persisted cron jobs in ~/.openclaw/cron/jobs.json (plain JSON array format: [{job}, {job}, ...]).
2. Upgrade to 2026.4.2.
3. Restart the gateway.
4. Observe cron list returns 0 jobs.
5. Run cron add to create a test job.
6. Observe the file is rewritten with only the new job — all previous jobs are gone.

Expected behavior

• The loader reads existing valid JSON arrays and loads all jobs, or
• If a format migration is required, it migrates the old format and warns, or
• At minimum, the loader logs an ERROR explaining why it rejects the file.

Actual behavior

Gateway logs show exactly:

{"module":"cron","storePath":"/home/moltbot/.openclaw/cron/jobs.json"}
{"jobCount":0,"enabledCount":0,"withNextRun":0}
"cron: armTimer skipped - no jobs with nextRunAtMs"
"cron: started"

Zero jobCount, zero warnings, zero errors. The file is valid JSON but silently skipped. The first subsequent write clobbers the file: it creates a new { "version": 1, "jobs": [...] } envelope containing only the newly-added job, destroying all pre-existing entries.

Logs and evidence

Gateway startup log — jobCount: 0 despite valid file:

{"module":"cron","storePath":"/home/moltbot/.openclaw/cron/jobs.json"}
{"jobCount":0,"enabledCount":0,"withNextRun":0}
"cron: armTimer skipped - no jobs with nextRunAtMs"
"cron: started"

Before write — file is valid plain array with 37 items:

$ python3 -c "import json; jobs=json.load(open(\"/home/moltbot/.openclaw/cron/jobs.json\")); print(len(jobs))"
37
$ python3 -c "import json; jobs=json.load(open(\"/home/moltbot/.openclaw/cron/jobs.json\")); print(jobs[0].keys())"
["id","agentId","sessionKey","name","enabled","createdAtMs","updatedAtMs","schedule","sessionTarget","wakeMode","payload","delivery","state","failureAlert","description"]

After cron add — file overwritten with single job in new versioned format:

{
  "version": 1,
  "jobs": [{ /* only the newly-added test job */ }]
}

The add call itself succeeds (returns a valid job ID), but the write path ignores the pre-existing 37 jobs and replaces them.

Root cause analysis

The 2026.4.2 cron loader appears to have changed the store format from a plain JSON array ([{job}, ...]) to a versioned envelope ({ "version": 1, "jobs": [{job}, ...] }). The loader:

1. Does not recognize or migrate the old plain-array format.
2. Does not log an error or warning when it fails to parse the file.
3. Reports jobCount: 0 silently, making operators believe there were never jobs.
4. Writes the new versioned format on first mutation, silently clobbering all old data.

Impact

• Data loss is automatic and irreversible: the first write after startup permanently destroys all pre-migration jobs. With 37 jobs in my case, all scheduling, delivery config, failure alerts, and job history are lost.
• openclaw doctor --fix does not detect or migrate the issue.
• This is the third distinct report of cron jobs being silently lost (see Related issues).

Related issues

• #52569 — "Cron jobs silently lost after upgrading 2026.3.12 → 2026.3.13" (same symptom, older version)
• #53746 — "saveCronStore overwrites jobs.json from partial in-memory state after restart" (same destructive-write pattern)
• #60334 — "2026.4.2 update rejects legacy config keys and cron jobs.json may require manual backup restore" (same version, though reporter had malformed JSON)
• #33451 — "legacy cron jobs with string schedule + top-level command are not migrated on load" (related migration gap)

None of the above have been resolved. This report adds the specific v2026.4.2 format-change migration gap with full evidence and repro.

Proposed fix

1. Backward-compatible loader: The cron store loader should detect both formats (plain array and versioned envelope) and load them transparently.
2. Graceful migration: If the file is a plain array, wrap it in { "version": 1, "jobs": [...] } on the next write.
3. Fail-safe write path: Use a read-merge-write pattern instead of writing-only-in-memory-state (see Bug: saveCronStore overwrites jobs.json from partial in-memory state after restart, causing silent job loss #53746 for details).
4. Explicit error logging: If the file cannot be parsed, log a WARN or ERROR with the first 200 characters so operators can diagnose instead of seeing silent zero-count failures.

[slideshow-dingo]

Additional RCA — full cascade from silent job loss

Investigating today's cron cascade failure on moltbot (v2026.4.2, d74a122) confirmed the silent job-loss bug triggered a cascading timeout storm. Here's the complete evidence chain:

How the cascade started

After the v2026.4.2 upgrade, cron list showed 0 jobs. The openclaw cron scheduler started with an empty job store. Meanwhile, the MiniMax API key (sk-cp-aIc...) had expired earlier, returning HTTP 401.

When the gateway eventually reloaded jobs (after the first cron add which created the v1 envelope and clobbered the old data), all jobs were in the new format but the MiniMax key was still invalid. With auth failures mounting, the fallback chain kicked in — but each job took ~130s to boot the model before hitting the auth error. The default cronTimeoutSec=120s fired first, timing out every job before the auth failure surfaced.

7 jobs timed out simultaneously:

• pr47305-monitor (70s timeout)
• unifi-client-count (30s)
• pr-43573-merge-watch (90s)
• context7-usage-monitor (180s)
• ollama-provider-health-probe
• pve-host-backup-verify
• sync-auth-profiles

The 3 health-check jobs (memory-health-unified, synology-consolidated-check, 6-hourly-checks) were also affected but recovered first because they run on shorter schedules.

Two distinct bugs confirmed

Bug 1 — Silent format migration data loss (this issue #60799):

• Root cause: cron store loader rejects plain-array format without warning
• Trigger: v2026.4.2 upgrade + gateway restart
• Outcome: 37 jobs silently dropped, first cron add clobbers the file

Bug 2 — cronTimeoutSec=120s below model boot time:

• The default timeout is shorter than the time it takes MiniMax to boot (~130s)
• When the key is invalid, auth failure takes ~130s to surface, but timeout fires at 120s
• Result: every job times out before the fallback chain or auth error can be detected
• Fix: bumped all affected jobs to timeoutSeconds=300 as a workaround
• Suggestion: consider raising the default or making it configurable per-job

Auth profile cooldown issue (related)

When the MiniMax key went invalid, the gateway's internal auth profile entered cooldown state (reason=auth window=cooldown). After key rotation, the gateway's in-memory state still rejected the new valid key. No way to clear auth profile cooldown without gateway restart. A openclaw auth clear <profile> command or automatic key-change detection would help.

Proposed fixes (from our local remediation)

1. Backward-compatible loader — detect both plain-array and versioned envelope formats
2. Fail-safe write path — read-merge-write instead of write-from-memory-state
3. Warn on unrecognized format — log ERROR with file excerpt instead of silent jobCount: 0
4. Higher default cronTimeoutSec — 120s is too close to model boot time for warm-start cloud LLMs; suggest 300s or configurable
5. openclaw auth clear <profile> command — clear cooldown state without restart

All 37 jobs recovered after manual reconstruction. No permanent data beyond the initial clobber.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open: current main and v2026.5.18 still treat a valid top-level array cron store as empty, so the reported load-empty then first-write data-loss path remains source-reproducible; the focused fix at #61113 was closed unmerged.

Reproducibility: yes. by source inspection. A valid top-level array parses successfully but fails both loader guards because they require a non-array object, after which cron add persists only the newly-created in-memory store.

Next step
This is a safe repair candidate: the data-loss path is source-reproducible, the affected loader/save files are clear, and a closed unmerged PR provides a focused implementation sketch.

Review details

Best possible solution:

Add a shared cron-store normalizer used by async, sync, and doctor-related load paths that accepts both { version: 1, jobs: [...] } and legacy top-level arrays, then prove legacy jobs survive a load-add-save round trip.

Do we have a high-confidence way to reproduce the issue?

Yes, by source inspection. A valid top-level array parses successfully but fails both loader guards because they require a non-array object, after which cron add persists only the newly-created in-memory store.

Is this the best way to solve the issue?

Yes. Narrow loader normalization plus regression coverage is the maintainable fix; timeout defaults, auth cooldown, and broader read-merge-write concurrency should stay separate unless preservation tests prove they share this path.

Label justifications:

• P0: The current source still supports an upgrade path that can silently overwrite persisted scheduled-job data.
• impact:data-loss: The reported behavior silently drops persisted cron jobs and can rewrite jobs.json with only newly-added jobs.

Acceptance criteria:

• node scripts/run-vitest.mjs src/cron/store.test.ts src/cron/service/ops.test.ts src/commands/doctor-cron.test.ts
• pnpm exec oxfmt --check --threads=1 src/cron/store.ts src/cron/store.test.ts src/cron/service/ops.ts src/cron/service/ops.test.ts src/commands/doctor-cron.ts src/commands/doctor-cron.test.ts CHANGELOG.md
• node scripts/crabbox-wrapper.mjs run --provider blacksmith-testbox --shell -- "pnpm check:changed"

What I checked:

• Current async loader drops top-level arrays: loadCronStore() parses JSON successfully but only accepts parsed values that are non-array objects; a top-level [{...}] file falls through to parsedRecord = {} and jobs = []. (src/cron/store.ts:218, 5e0850fc548c)
• Current sync loader repeats the same guard: loadCronStoreSync() has the same non-array object guard, so sync readers also cannot see a legacy top-level array store. (src/cron/store.ts:288, 5e0850fc548c)
• First add persists only in-memory state: add() calls ensureLoaded(), pushes the new job into the loaded store, recomputes, then calls persist(), matching the reported empty-load then write-one-job path. (src/cron/service/ops.ts:365, 5e0850fc548c)
• Save path rewrites canonical config from the supplied store: saveCronStore() serializes stripRuntimeOnlyCronFields(store) from the supplied in-memory store and writes it to jobs.json; it does not re-read a legacy array before replacement. (src/cron/store.ts:372, 5e0850fc548c)
• Doctor cannot repair this shape first: maybeRepairLegacyCronStore() calls loadCronStore() and returns when the loaded job list is empty, so a top-level array never reaches the legacy normalization preview. (src/commands/doctor-cron.ts:337, 5e0850fc548c)
• Docs define persisted cron jobs as restart-safe: The cron docs say job definitions persist at ~/.openclaw/cron/jobs.json so restarts do not lose schedules, which makes silent load-empty behavior a contract bug. Public docs: docs/automation/cron-jobs.md. (docs/automation/cron-jobs.md:44, 5e0850fc548c)

Likely related people:

• Feelw00: Authored the merged split-store work that rewrote the current cron store load/save surface and adjacent tests. (role: adjacent feature contributor; confidence: high; commits: 4be6ff9d5f3e, ad996e132093; files: src/cron/store.ts, src/cron/store.test.ts, docs/automation/cron-jobs.md)
• gumadeiras: Co-authored or reviewed split-store work and authored follow-up hardening around missing split config files and store tests. (role: reviewer and adjacent contributor; confidence: high; commits: 4be6ff9d5f3e, 470bb2561fa4; files: src/cron/store.ts, src/cron/store.test.ts, docs/automation/cron-jobs.md)
• vincentkoc: Authored a recent cron legacy-row normalization fix adjacent to this store-format compatibility gap, though it does not cover top-level array stores. (role: recent adjacent legacy-migration contributor; confidence: medium; commits: e0546edd9820; files: src/cron/normalize.ts, src/cron/normalize.test.ts, src/cron/service.store-load-invalid-main-job.test.ts)
• BryanTegomoh: Opened the closed unmerged focused fix for this exact legacy plain-array cron store bug, including normalization and regression-test direction. (role: source-fix contributor; confidence: medium; commits: 9af9cbabc9b1; files: src/cron/store.ts, src/cron/store.test.ts)

Remaining risk / open question:

• No runtime regression command was run in this read-only sweep; the repair still needs focused tests for legacy-array load and load-add-save preservation.
• The reporter's timeout-default and auth-cooldown follow-ups are separate behavior questions and should not be bundled into the narrow data-preservation fix without new proof that they share the same path.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 5e0850fc548c.