cron: encode sessionKey when deriving jobId to support channel-native conversation IDs

[BrilliantWang]

Problem

runtime.channel.routing.buildAgentSessionKey(...) passes the channel-provided id segment through verbatim. For DingTalk, that segment is the platform's native conversationId, which routinely contains /. A real example:

agent:main:dingtalk:group:cid3tmd4xb19xjfk/wogxwy2a==

This sessionKey is valid everywhere else in the runtime (routing, dedup, session locks, the agent session store, logs), but cron rejects it at job creation:

src/cron/session-target.ts:8-10

if (trimmed.includes("/") || trimmed.includes("\\") || trimmed.includes("\0")) {
  throw new Error(INVALID_CRON_SESSION_TARGET_ID_ERROR);
}

The same guard is mirrored in src/cron/run-log.ts:58-67 (assertSafeCronRunLogJobId).

Impact

Cron jobs cannot target any DingTalk group conversation. This is the entire group-chat surface of the DingTalk channel — not a corner case. Other channels whose native IDs are base64-ish are likely to hit the same wall.

Root cause

The guard exists for a real reason: src/cron/run-log.ts:69-78 builds run-log filesystem paths directly from jobId:

const resolvedPath = path.resolve(runsDir, `${safeJobId}.jsonl`);

And jobId is derived from sessionKey. So a / in sessionKey would become a real path-traversal vector. The blocklist is correct defense; the design choice that forced it — using a sessionKey-derived string directly as a filename — is where the mismatch lives.

Notably, openclaw's own agent session store does not have this problem. src/config/sessions/types.ts:315 generates a random UUID:

const sessionId = patch.sessionId ?? existing?.sessionId ?? crypto.randomUUID();

and src/config/sessions/paths.ts:248-251 uses that UUID as the filename, keeping sessionKey as an opaque map key inside sessions.json. Cron is the only subsystem that couples the filesystem name to sessionKey's character set.

Proposed fix (minimal)

Encode sessionKey when deriving jobId, e.g.:

const jobId = `cron:${base64url(sessionKey)}`;

• Scope: one derivation site in the cron module.
• assertSafeCronSessionTargetId can drop the / \ check on sessionKey (it no longer touches the filesystem directly). assertSafeCronRunLogJobId stays as a belt-and-suspenders guard against anything outside the base64url alphabet.
• Existing jobs are unaffected — they keep their old jobIds and continue reading their old run-log files. New jobs use the encoded format. No migration, no double-write, no schema change.
• base64url is preferred over a hash because it's reversible: operators can still decode a run-log filename back to the originating sessionKey when debugging.

Alternative considered

Normalizing inside buildAgentSessionKey itself — rejected. It would change every existing persisted sessionKey across all channels and all subsystems (dedup, session locks, the agent session store's sessions.json keys), requiring a versioned prefix and migration for a problem that only cron actually has.

Repro

1. Receive a message in any DingTalk group chat.
2. Attempt to create a cron job with session:<that sessionKey> as the target.
3. INVALID_CRON_SESSION_TARGET_ID_ERROR is thrown at job creation.

[Jah-yee]

Clear fix proposal. Use base64url encoding when deriving jobId from sessionKey. This is reversible and avoids filesystem issues while preserving backward compatibility. Implementation: wrap sessionKey with base64url before using as jobId. See your proposed fix for details - it is correct.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open. Current main still rejects slash- and backslash-bearing cron session:<id> targets in normalization and persisted job validation, while the linked fix PR is closed unmerged and no canonical replacement owns the same narrow cron/session-target bug.

Reproducibility: yes. by source inspection. A cron create or patch payload with sessionTarget: "session:agent:main:dingtalk:group:cid3tmd4xb19xjfk/wogxwy2a==" reaches assertSafeCronSessionTargetId, which throws on /, and current tests still assert separator rejection.

Next step
This is a narrow source-reproducible cron bug with clear implementation/test files and no required product or config decision.

Review details

Best possible solution:

Implement a cron-boundary fix that treats session:<id> payloads and current-resolved session keys as opaque runtime session keys, while preserving empty/NUL rejection and strict run-log job-id path validation.

Do we have a high-confidence way to reproduce the issue?

Yes, by source inspection. A cron create or patch payload with sessionTarget: "session:agent:main:dingtalk:group:cid3tmd4xb19xjfk/wogxwy2a==" reaches assertSafeCronSessionTargetId, which throws on /, and current tests still assert separator rejection.

Is this the best way to solve the issue?

Yes in direction, but the clean current-main fix is to decouple session-key validation from filename safety rather than changing global session-key routing. Since cron job ids are UUID-backed, the narrow maintainable repair is to accept opaque session keys and keep strict checks at filesystem path boundaries.

Label justifications:

• P2: This is a normal-priority cron/channel bug with a clear source path and limited blast radius to persistent cron session targeting for native ids containing separators.
• impact:session-state: The failure treats valid runtime session keys as path-safe ids and blocks cron from targeting the intended persistent conversation session.

Acceptance criteria:

• node scripts/run-vitest.mjs src/cron/session-target.test.ts src/cron/normalize.test.ts src/cron/service.jobs.test.ts src/cron/run-log.test.ts
• node scripts/run-vitest.mjs src/gateway/server.cron.test.ts src/gateway/protocol/cron-validators.test.ts src/cron/isolated-agent/run.session-key-isolation.test.ts
• pnpm exec oxfmt --check --threads=1 src/cron/session-target.ts src/cron/session-target.test.ts src/cron/normalize.ts src/cron/normalize.test.ts src/cron/service/jobs.ts src/cron/service.jobs.test.ts src/cron/run-log.ts src/cron/run-log.test.ts src/gateway/server-cron.ts src/gateway/server.cron.test.ts src/gateway/protocol/cron-validators.test.ts CHANGELOG.md

What I checked:

• Current source still rejects slash-bearing session targets: assertSafeCronSessionTargetId trims the session id and throws when it contains /, \, or NUL, so the reported DingTalk-style session key is rejected before cron can persist it. (src/cron/session-target.ts:12, 48acdd3d85ea)
• Explicit cron session targets hit the guard: normalizeSessionTarget returns session:${assertSafeCronSessionTargetId(trimmed.slice(8))}, so an add/patch payload containing session:agent:main:dingtalk:group:cid3tmd4xb19xjfk/wogxwy2a== fails during normalization. (src/cron/normalize.ts:355, 48acdd3d85ea)
• Persisted job validation repeats the rejection: assertSupportedJobSpec revalidates every session: target with assertSafeCronSessionTargetId, covering create, patch, load/preflight-style validation paths. (src/cron/service/jobs.ts:264, 48acdd3d85ea)
• Current cron job ids are UUID-backed: createJob assigns crypto.randomUUID() to job.id, so the run-log filename boundary is the job id rather than the raw session key on current main. (src/cron/service/jobs.ts:671, 48acdd3d85ea)
• Run-log path safety is already a separate boundary: Run-log path resolution still validates jobId and builds runs/<jobId>.jsonl only after rejecting path separators and NUL, so accepting opaque session keys does not require accepting unsafe filenames. (src/cron/run-log.ts:79, 48acdd3d85ea)
• Current tests still lock in rejection behavior: Cron helper, normalization, service, and run-log tests still assert separator-bearing custom session targets or job ids should throw rather than accepting a channel-native slash-bearing session key. (src/cron/normalize.test.ts:685, 48acdd3d85ea)

Likely related people:

• steipete: The unsafe custom-session target guard traces to commit 39bcf69, and the related PR body explicitly routed cron service path handling to this handle. (role: guard introducer and adjacent cron contributor; confidence: high; commits: 39bcf695dce4; files: src/cron/session-target.ts, src/cron/normalize.ts, src/cron/service/jobs.ts)
• kkhomej33-netizen: Commit e7d9648 introduced cron sessionTarget: "current" and session:<id> support, the feature boundary affected by this bug. (role: feature introducer; confidence: high; commits: e7d9648fba27; files: src/cron/normalize.ts, src/cron/service/jobs.ts, docs/automation/cron-jobs.md)
• mvanhorn: Commit b33eb93 hardened missing sessionTarget load and validation behavior in the same persisted cron job validation path. (role: recent adjacent contributor; confidence: medium; commits: b33eb93aac8a; files: src/cron/service/jobs.ts, src/cron/service/store.ts)

Remaining risk / open question:

• A repair must keep run-log jobId filename validation strict; accepting opaque session keys should not make runs/<jobId>.jsonl path-derived from raw channel ids.
• If a repair stores encoded session targets instead of raw keys, every runtime read path must decode before session lookup or jobs can run in a different persistent session.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 48acdd3d85ea.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Keep open. Current main still rejects slash- and backslash-bearing cron session:<id> targets even though cron job ids are now UUID-backed, so the original filename-coupling concern is only partly addressed. The linked fix PR #64057 was closed unmerged, and current tests still assert the rejection behavior instead of covering DingTalk-style native conversation ids.

Required change / next step:

This is a valid, narrow cron bug with clear implementation and regression-test boundaries; a focused repair PR can accept opaque session keys while preserving run-log path safety.

Review details

Best possible solution:

Implement a cron-boundary fix that treats session:<id> payloads and resolved current session keys as opaque runtime session keys, while keeping run-log filenames keyed by safe UUID job ids and preserving strict validation at actual filesystem path boundaries.

Acceptance criteria:

• pnpm test src/cron/session-target.test.ts src/cron/normalize.test.ts src/cron/service.jobs.test.ts src/cron/run-log.test.ts
• pnpm test src/gateway/server.cron.test.ts
• pnpm exec oxfmt --check --threads=1 src/cron/session-target.ts src/cron/session-target.test.ts src/cron/normalize.test.ts src/cron/service.jobs.test.ts src/cron/run-log.test.ts src/gateway/server.cron.test.ts CHANGELOG.md

What I checked:

• Session target guard rejects native separators: assertSafeCronSessionTargetId trims the id and throws when it contains /, \, or NUL, so the reported DingTalk-style session key still fails before cron can persist it. (src/cron/session-target.ts:7, acae48b790fa)
• Explicit and current session targets call the same guard: normalizeSessionTarget validates explicit session: values through the guard, and current binding stores the live session key via the same guard, so both user entry points reject slash-bearing native ids. (src/cron/normalize.ts:341, acae48b790fa)
• Create, update, and manual run validation repeat the rejection: assertSupportedJobSpec revalidates every persisted session: target; create and patch call it, and manual-run preflight calls it before execution, so the failure is not limited to normalization. (src/cron/service/jobs.ts:156, acae48b790fa)
• Job ids are UUID-backed but run-log job-id safety remains separate: createJob assigns crypto.randomUUID() to job.id, while run-log path resolution still rejects unsafe job ids before building runs/<jobId>.jsonl; that protects filenames without requiring session keys to be path-safe. (src/cron/service/jobs.ts:556, acae48b790fa)
• Routing keeps group peer ids opaque: Group peer session keys are built from the channel peer id after lowercasing/trimming only; normalizeLowercaseStringOrEmpty does not escape or remove /, so cron remains stricter than the routing/session-key surface. (src/routing/session-key.ts:174, acae48b790fa)
• Tests still lock in rejection behavior: Current cron tests expect custom session ids with path separators to throw in normalization, create, patch, gateway add/update, and persisted invalid-spec paths; there is no regression test accepting a DingTalk-style slash-bearing session key. (src/cron/normalize.test.ts:685, acae48b790fa)

Likely related people:

• steipete: Introduced src/cron/session-target.ts and the early unsafe custom-session target guard in 39bcf69, then recently maintained adjacent cron session notification routing in 85148f3 and 332cdd7. (role: recent maintainer and guard introducer; confidence: high; commits: 39bcf695dce4, 85148f3b2099, 332cdd7acaf3; files: src/cron/session-target.ts, src/cron/normalize.ts, src/cron/service/jobs.ts)
• kkhomej33-netizen: Implemented cron sessionTarget: "current" and session:<id> support in e7d9648, the feature boundary affected by this bug. (role: feature introducer; confidence: medium; commits: e7d9648fba27; files: src/cron/normalize.ts, src/cron/service/jobs.ts, docs/automation/cron-jobs.md)
• mvanhorn: Recently hardened missing sessionTarget load/validation behavior in jobs/store paths, which overlaps the fail-closed persisted validation surface for malformed cron session targets. (role: recent adjacent maintainer; confidence: medium; commits: b33eb93aac8a; files: src/cron/service/jobs.ts, src/cron/service/store.ts)

Remaining risk / open question:

• A fix must not remove filesystem-boundary protections for run-log job ids; accepting opaque session keys should preserve empty/NUL rejection and keep path traversal checks where filenames are built.

Codex review notes: model gpt-5.5, reasoning high; reviewed against acae48b790fa.