
fix(cron): validate custom session ids #59835

Open
eleqtrizit wants to merge 4 commits into openclaw:main from eleqtrizit:fix/cron-session-target-validation

Conversation

@eleqtrizit

Contributor

Summary

  • Reject invalid session:<id> cron targets that contain path separator characters or NULs
  • Reuse the same validation when resolving the isolated cron run sessionKey

Changes

  • Added a shared cron custom-session validator in src/cron/normalize.ts
  • Applied that validator during cron job normalization so invalid custom session targets fall back to default isolated behavior
  • Applied the same validator in the gateway cron runner so previously stored invalid jobs fall back to cron:<job-id>
  • Added regression coverage for create-time normalization and run-time fallback behavior

Validation

  • Ran corepack pnpm test -- src/cron/normalize.test.ts src/gateway/server.cron.test.ts
  • Verified invalid session:../../... values no longer survive normalization
  • Verified stored invalid session: targets do not override the cron-scoped fallback session key
  • Attempted local agentic review with claude -p "/review"; it requested interactive GitHub approval and returned no code findings in this environment

Notes

  • Scope is limited to custom cron session IDs; valid session:<id> inputs still behave as before
  • This also hardens previously persisted invalid jobs by failing closed at execution time
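As an added illustration of the fail-closed behaviour described above (example code written for this page, not openclaw's src/cron/normalize.ts; the real SAFE_SESSION_ID_RE pattern is not shown on the page, so the allow-list below is an assumption), the validator rejects path separators and NULs, and the two callers fall back to "isolated" at create time and to cron:<job-id> at run time:

```typescript
// Assumed allow-list: the upstream SAFE_SESSION_ID_RE is not on the page.
// Colons are kept so agent-format ids such as "agent:main:nightly" survive.
const SAFE_SESSION_ID_RE = /^[A-Za-z0-9][A-Za-z0-9._:-]{0,127}$/;

// Deny-list checked first: forward slash, backslash and NUL must never reach
// anything that turns a session id into a path or a storage key segment.
const FORBIDDEN_CHARS_RE = /[\/\\\0]/;

// Returns the validated id, or null when the input must be rejected.
function normalizeCronCustomSessionId(raw: string | undefined): string | null {
  if (typeof raw !== "string") return null;
  const id = raw.trim();
  if (id.length === 0) return null;
  if (FORBIDDEN_CHARS_RE.test(id)) return null; // "../x", "..\\x", "a\0b"
  if (id === "." || id === "..") return null;   // bare dot segments
  if (!SAFE_SESSION_ID_RE.test(id)) return null; // allow-list has the final say
  return id;
}

const SESSION_PREFIX = "session:";

// Create-time normalization: an invalid custom target is not stored as given;
// the job silently falls back to the default isolated behaviour.
function normalizeCronSessionTarget(target: string | undefined): string {
  if (typeof target !== "string" || !target.startsWith(SESSION_PREFIX)) return "isolated";
  const id = normalizeCronCustomSessionId(target.slice(SESSION_PREFIX.length));
  return id === null ? "isolated" : `${SESSION_PREFIX}${id}`;
}

// Run-time resolution: a stored target that predates validation (or was
// written around it) must not override the cron-scoped fallback key.
function resolveCronSessionKey(jobId: string, storedTarget: string | undefined): string {
  const fallback = `cron:${jobId}`;
  if (typeof storedTarget !== "string" || !storedTarget.startsWith(SESSION_PREFIX)) return fallback;
  const id = normalizeCronCustomSessionId(storedTarget.slice(SESSION_PREFIX.length));
  return id === null ? fallback : id;
}
```

The fast-track for full agent-format session keys that the PR routes through parseAgentSessionKey is deliberately left out here; this block only shows the custom-id path and its fallbacks.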

@openclaw-barnacle openclaw-barnacle Bot added gateway Gateway runtime size: S labels Apr 2, 2026
greptile-apps Bot commented Apr 2, 2026

Contributor

Greptile Summary

This PR hardens cron custom session ID handling by introducing normalizeCronCustomSessionId in src/cron/normalize.ts, which rejects path-separator characters and enforces SAFE_SESSION_ID_RE. The validator is applied at job-create time (invalid targets fall back to "isolated") and at run time (invalid stored targets fall back to cron:<job-id>). The run-time path also adds a fast-track for full agent-format session keys via parseAgentSessionKey before falling through to the custom-ID validator. Tests cover forward-slash, backslash, and NUL-byte rejection at both layers, and the integration test confirms the fallback session key used for malicious stored jobs.

Confidence Score: 5/5

Safe to merge — the fix is narrowly scoped, fails closed on invalid input, and all prior review concerns are addressed.

Both previous thread concerns (adding SAFE_SESSION_ID_RE enforcement and backslash/NUL test cases) are resolved in this diff. No new P0/P1 issues introduced. The two-path run-time logic (parseAgentSessionKey fast-track → normalizeCronCustomSessionId fallback → cron: default) is correct and covered by tests at both the unit and integration level.

No files require special attention.

Reviews (3): Last reviewed commit: "fix(cron): preserve colon-delimited sess..."

Comment thread src/cron/normalize.ts
Comment thread src/cron/normalize.test.ts

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 41557fe2a5

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread src/gateway/server-cron.ts Outdated

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Reviewed commit: 41557fe2a5

Comment thread src/cron/normalize.ts
@openclaw-barnacle openclaw-barnacle Bot added the maintainer Maintainer-authored PR label Apr 3, 2026

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Reviewed commit: c01bdd74fd

Comment thread src/cron/normalize.ts Outdated
@eleqtrizit

Contributor Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Reviewed commit: e988192ec6

Comment thread src/cron/normalize.ts
@eleqtrizit

Contributor Author

@codex review

@chatgpt-codex-connector


Codex Review: Didn't find any major issues. Can't wait for the next one!

@clawsweeper clawsweeper Bot added the rating: 🌊 off-meta tidepool PR readiness rating does not apply to this item. label May 24, 2026