[Bug]: main/systemEvent cron heartbeat inherits global heartbeat.to and leaks topic reminder to DM

[richardmqq]

Summary

A sessionTarget: "main" + payload.kind: "systemEvent" cron job that was bound to a Telegram forum topic session woke the correct topic heartbeat session, but its reminder reply was delivered to the user's Telegram DM instead of the originating topic.

This looks like a core delivery/heartbeat merge bug: the cron main-session path calls runHeartbeatOnce({ heartbeat: { target: "last" } }), but that shallow override still inherits the global agents.defaults.heartbeat.to value. The inherited explicit to then wins over the intended session-bound last route, causing a cross-context delivery leak.

Why this matters

This is a privacy / cross-context routing issue. A reminder created from a group/forum topic can leak into a DM if the global heartbeat config has a DM to configured.

Environment

• OpenClaw: v2026.4.26
• Channel: Telegram
• Scenario: Telegram forum supergroup topic -> user's Telegram DM
• Cron payload: sessionTarget: "main", payload.kind: "systemEvent", wakeMode: "now"

Relevant config shape

Global heartbeat defaults include an explicit DM target:

{
  "agents": {
    "defaults": {
      "heartbeat": {
        "accountId": "default",
        "every": "1h",
        "isolatedSession": true,
        "model": "openai-codex/gpt-5.5",
        "session": "main",
        "target": "none",
        "to": "telegram:<user-dm-id>"
      }
    }
  }
}

A one-shot cron reminder was created from a Telegram forum topic session:

{
  "sessionTarget": "main",
  "wakeMode": "now",
  "payload": {
    "kind": "systemEvent",
    "text": "Reminder: ..."
  },
  "sessionKey": "agent:main:telegram:group:<group-id>:topic:<topic-id>"
}

Observed behavior

The cron fired and created/used the expected topic heartbeat session:

agent:main:telegram:group:<group-id>:topic:<topic-id>:heartbeat

However, the runtime context for that heartbeat turn showed the DM chat as the delivery context, and the final reminder reply was sent to the user's Telegram DM.

Evidence from local logs/session store (IDs redacted):

cron job created at 07:47:54
original topic session final messages delivered to the topic at 07:47:59 / 07:48:01
heartbeat session started at 08:00:08:
  agent:main:telegram:group:<group-id>:topic:<topic-id>:heartbeat
runtime context chat_id for the heartbeat turn:
  <user-dm-id>
Telegram sent map at 08:00:44:
  <user-dm-id> -> message <dm-message-id>

The session store for the originating topic had the correct delivery context:

{
  "chatType": "group",
  "deliveryContext": {
    "channel": "telegram",
    "to": "telegram:<group-id>",
    "accountId": "default",
    "threadId": <topic-id>
  },
  "lastChannel": "telegram",
  "lastTo": "telegram:<group-id>",
  "lastThreadId": <topic-id>
}

Expected behavior

For a cron systemEvent bound to a session key like:

agent:main:telegram:group:<group-id>:topic:<topic-id>

the heartbeat wake should deliver any user-visible reminder reply back to that bound session route, including the forum topic thread id.

At minimum, if the cron path overrides heartbeat target to last, inherited global heartbeat.to should not override the session-bound route.

Actual behavior

The explicit global agents.defaults.heartbeat.to appears to be inherited during the cron wake. That explicit DM to overrides the intended target: "last" route, so the reminder reply is delivered to DM.

Likely root cause

In the main/systemEvent cron execution path, the runtime calls something equivalent to:

runHeartbeatOnce({
  reason,
  agentId,
  sessionKey: targetMainSessionKey,
  heartbeat: { target: "last" }
})

The server wrapper then merges this shallowly with the configured heartbeat defaults:

const heartbeatOverride = opts?.heartbeat
  ? { ...baseHeartbeat, ...opts.heartbeat }
  : undefined

Because opts.heartbeat only sets target: "last", other default fields remain, including to: "telegram:<user-dm-id>".

Later heartbeat delivery resolution treats explicit heartbeat.to as an explicit destination, so it wins over the session's delivery context.

Suggested fix

When cron main/systemEvent forces heartbeat.target = "last", it should either:

1. clear inherited explicit destination fields (to, possibly channel/accountId if appropriate), or
2. use a dedicated non-inheriting heartbeat override for cron/systemEvent wakes, or
3. make target: "last" semantically ignore inherited to unless to was explicitly supplied in the same override object.

The safest behavior is probably: session-bound systemEvent cron wakes should route to the bound session delivery context, not to global heartbeat.to.

Related issues

• 系统消息被错误推送到用户聊天界面 #47865 — systemEvent messages visible to user despite delivery none
• [Bug]: Cron job with delivery.channel "last" resolves to @heartbeat instead of actual Telegram chat #45806 — closed, heartbeat/last route resolved to @heartbeat
• [Bug] cron run + systemEvent + sessionTarget=main still results in deliveryStatus: "not-requested" on v2026.4.26 (regression from #60262 / #62296) #73777 / [Bug]: cron systemEvent payload.text lost in main-session handoff — agent receives bare heartbeat poll without payload (regression from 4.25 transient runtime context) #73189 — current open issues around sessionTarget: main + systemEvent handoff

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open. Current main still allows a cron-forced heartbeat.target="last" wake to retain inherited global heartbeat destination fields, and PR #73968 is the open unmerged fix candidate for that exact route.

Reproducibility: yes. The reporter provided concrete config and redacted logs, and current source inspection traces the same path from cron target="last" through the shallow gateway merge into explicit outbound delivery resolution.

Next step
No separate repair lane because PR #73968 is already the focused open fix candidate with closing syntax for this issue.

Security
Needs attention: This non-PR issue is privacy-sensitive because current main can route a topic-bound cron reminder to an inherited global DM target.

Review details

Best possible solution:

Land PR #73968 or an equivalent narrow core fix that strips inherited explicit destination fields for cron-forced target="last" wakes while preserving the session-bound route and topic thread metadata.

Do we have a high-confidence way to reproduce the issue?

Yes. The reporter provided concrete config and redacted logs, and current source inspection traces the same path from cron target="last" through the shallow gateway merge into explicit outbound delivery resolution.

Is this the best way to solve the issue?

Yes. A narrow fix in the cron wake adapter that clears inherited explicit destination fields for cron-forced target="last" is the most maintainable boundary; changing all heartbeat last semantics would be broader than this bug requires.

Security concerns:

• [medium] Prevent inherited heartbeat.to from overriding the session route — src/gateway/server-cron.ts:279
  The gateway cron merge retains global explicit destination fields when cron supplies only target: "last", and heartbeat delivery then treats that inherited to as explicit before session fallback.
  Confidence: 0.91

What I checked:

• Cron wake override is destination-blind: The main-session cron path enqueues the system event on the bound session key, then calls runHeartbeatOnce with only heartbeat: { target: "last" }, leaving destination clearing to downstream code that does not do it for cron system events. (src/cron/service/timer.ts:1390, ae87f7800b2a)
• Gateway merge keeps inherited to: The gateway cron adapter builds baseHeartbeat from defaults and agent heartbeat config, then shallow-spreads opts.heartbeat; when cron supplies only target: "last", any configured heartbeat.to remains present. (src/gateway/server-cron.ts:275, ae87f7800b2a)
• Heartbeat delivery treats to as explicit: resolveHeartbeatDeliveryTarget passes heartbeat?.to as explicitTo, and session target resolution initializes delivery from that explicit value before falling back to the stored session route. (src/infra/outbound/targets.ts:117, ae87f7800b2a)
• Existing coverage asserts only target preservation: Current cron tests verify that target: "last" is passed/preserved, but the inspected tests do not cover inherited global heartbeat.to plus a bound topic session. (src/cron/service.main-job-passes-heartbeat-target-last.test.ts:57, ae87f7800b2a)
• Open linked fix PR: Provided GitHub context shows PR fix(cron): keep system events on session route #73968 is open, unmerged, uses closing syntax for this issue, and targets clearing inherited explicit destination fields for cron-supplied target: "last" wakes. (09bfecdcfcde)
• Feature history for target=last cron behavior: Commit 8ae1987 introduced the main-session cron heartbeat: { target: "last" } behavior and gateway wiring to restore delivery after the heartbeat default changed to none. (src/cron/service/timer.ts:1390, 8ae1987f2a49)

Likely related people:

• widingmarcus-cyber: The sessionTarget: "main" cron path that forces heartbeat.target="last" appears to date to commit 8ae1987, which restored main-session cron delivery through this exact override. (role: introduced behavior; confidence: high; commits: 8ae1987f2a49; files: src/cron/service/timer.ts, src/gateway/server-cron.ts, src/cron/service.main-job-passes-heartbeat-target-last.test.ts)
• obviyus: Recent related cron/main-session delivery work preserved heartbeat.target="last" through deferred wake queuing, gateway wake forwarding, and same-target coalescing, the same wake-routing area this bug exercises. (role: adjacent cron delivery owner; confidence: medium; commits: 8894b22893a4; files: src/cron/service/timer.ts, src/gateway/server-cron.ts, src/infra/heartbeat-wake.ts)
• mbelinky: Recent heartbeat and Telegram topic routing work kept target=last replies on bound forum topics and protected shared-session routing metadata during heartbeat, cron-event, and exec-event turns. (role: adjacent heartbeat/topic routing owner; confidence: medium; commits: 83b986a4c342, 314a93578ec9; files: src/infra/outbound/targets.ts, src/infra/heartbeat-runner.ts, src/auto-reply/reply/session.test.ts)

Remaining risk / open question:

• The current route remains privacy-sensitive until PR fix(cron): keep system events on session route #73968 or an equivalent fix lands because a topic-bound reminder can still resolve through an inherited global DM destination.

Codex review notes: model gpt-5.5, reasoning high; reviewed against ae87f7800b2a.

[steipete]

Fixed on main in f994094cb4.

Proof:

• Moved cron heartbeat override merge/sanitization into the shared heartbeat runner boundary.
• Direct and queued cron target: "last" wakes now drop inherited explicit heartbeat.to / accountId, so the session-bound route remains authoritative.
• Added regression coverage for cron stripping and non-cron override preservation.

Verified:

• pnpm test src/infra/heartbeat-runner.scheduler.test.ts src/gateway/server-cron.test.ts -- --reporter=verbose
• pnpm test src/cron/service.runs-one-shot-main-job-disables-it.test.ts -- --reporter=verbose
• env -u OPENCLAW_TESTBOX pnpm check:changed
• git diff --check

Duplicate search: no related duplicate hit found in the local OpenClaw issue/PR archive for the reported route-leak wording.

[steipete]

Fixed on main.

Landed commits:

• 402fa0e935
• 2d2f4bb2bd

What changed:

• cron direct runHeartbeatOnce target-last wakes now merge the resolved agent heartbeat config and clear inherited to / accountId
• cron queued requestHeartbeat target-last wakes now explicitly clear to / accountId, so the heartbeat runner cannot re-inherit a global DM destination
• gateway cron regressions cover both direct and queued paths

Verification after rebase:

• pnpm test src/gateway/server-cron.test.ts -- --reporter=verbose
• pnpm test src/cron/service.runs-one-shot-main-job-disables-it.test.ts src/cron/service.main-job-passes-heartbeat-target-last.test.ts -- --reporter=verbose
• pnpm tsgo:core
• git diff --check