fix(ui): tolerate malformed cron payloads

[BunsDev]

Summary

• Filters malformed cron.list rows that do not have a valid cron payload before they enter Control UI state.
• Adds shared runtime payload guards for stale cron state in app render, Cron edit form hydration, and Cron job detail rendering.
• Adds regression coverage for malformed persisted cron rows so a bad snapshot cannot blank unrelated Control UI sections.

Bug / Behavior

Issue #55047 reports Control UI sidebar sections rendering blank after update, leaving only the section title. The live issue is still open. ClawSweeper linked the same failure class to #54439, where the browser console showed Cannot read properties of undefined (reading 'kind') after navigating through sidebar sections.

Current origin/main still read job.payload.kind directly in shared app render and Cron consumers. The prior focused fixes #54550 and #54552 were both closed unmerged, so there was no current-main resolution to close the issue against.

Duplicate / Related Work

• Related issue: Control UI - Cannot switch back to chat after clicking other sidebar items (TypeError: Cannot read properties of undefined (reading 'kind')) #54439 describes the same Control UI/Cron malformed payload crash class with explicit undefined.kind evidence.
• Prior PRs: fix(ui): tolerate malformed cron payloads in chat nav #54550 and fix(ui): tolerate malformed cron payloads in chat nav #54552 attempted the narrower app-render-only guard but were closed unmerged.
• I attempted the requested duplicate tagging flow with prtags, but prtags search text and prtags search similar both returned request failed (502) from prtags.dutiful.dev, so duplicate curation writes are blocked by the backend right now. This PR records the duplicate relationship in the body and changelog instead of forcing a partial write.

Closes #55047.
Closes #54439.
Supersedes #54550.
Supersedes #54552.

Security / Safety Review

• No new trust boundary or credential handling is introduced.
• The new helper treats gateway/runtime cron rows as untrusted data at the UI boundary and only exposes payload fields after runtime shape checks.
• Existing markdown sanitization for Cron agent-turn prompt rendering is preserved; this change only validates payload shape before reaching that renderer.

Verification

• pnpm test ui/src/ui/controllers/cron.test.ts ui/src/ui/views/cron.test.ts ui/src/ui/app-render.assistant-avatar.test.ts - 3 files, 50 tests passed.
• pnpm exec oxfmt --check --threads=1 CHANGELOG.md ui/src/ui/cron-payload.ts ui/src/ui/app-render.ts ui/src/ui/app-render.assistant-avatar.test.ts ui/src/ui/controllers/cron.ts ui/src/ui/controllers/cron.test.ts ui/src/ui/views/cron.ts ui/src/ui/views/cron.test.ts - passed.
• git diff --check - passed.
• pnpm changed:lanes --json - selected core prod + core tests for the touched UI files.
• Testbox pnpm check:changed on tbx_01kqmj7edvfpgn7vem6rmchc6c - passed. Run: https://github.com/openclaw/openclaw/actions/runs/25254388916

[clawsweeper]

Codex review: needs changes before merge.

Summary
The PR adds a shared Control UI cron-payload guard, filters invalid cron.list rows, guards app render/edit/detail consumers, adds regression tests, and adds an Unreleased changelog bullet.

Reproducibility: yes. A high-confidence source-level reproduction is to put a Cron row with a missing or non-object payload into state.cronJobs or a cron.list response on current main; app render, edit hydration, and job detail paths dereference job.payload.kind.

Next step before merge
A repair worker can add the missing human changelog credit without touching runtime behavior; maintainers still need normal exact-head validation afterward.

Security
Cleared: No concrete security or supply-chain concern found; the diff only adds UI-side runtime validation, tests, and a changelog entry.

Review findings

• [P3] Add a human credit to the changelog entry — CHANGELOG.md:17

Review details

Best possible solution:

Land this narrow UI-boundary hardening after adding valid changelog credit and keeping exact-head validation green, without moving stale persisted-row repair into startup core.

Do we have a high-confidence way to reproduce the issue?

Yes. A high-confidence source-level reproduction is to put a Cron row with a missing or non-object payload into state.cronJobs or a cron.list response on current main; app render, edit hydration, and job detail paths dereference job.payload.kind.

Is this the best way to solve the issue?

Yes for the functional bug. A shared UI payload guard plus list-boundary filtering is the narrowest maintainable fix for stale malformed Cron rows, with only changelog attribution remaining.

Full review comments:

• [P3] Add a human credit to the changelog entry — CHANGELOG.md:17
  OpenClaw changelog policy asks contributor-facing user-visible fix entries to include at least one human Thanks @... credit. This new Control UI/Cron fix entry lacks one, so add the appropriate reporter or contributor credit before merge.
  Confidence: 0.9

Overall correctness: patch is correct
Overall confidence: 0.86

Acceptance criteria:

• git diff --check
• pnpm exec oxfmt --check --threads=1 CHANGELOG.md

What I checked:

• Protected routing: The PR author association is MEMBER and the PR has the protected maintainer label, so conservative cleanup policy keeps it open rather than closing it. (21354f06acb0)
• Current-main app render crash path: Current main builds Cron model suggestions by directly reading job.payload.kind and job.payload.model, so a stale Cron row with payload: undefined can throw during shared app render. (ui/src/ui/app-render.ts:841, 33eebc29c31f)
• Current-main Cron list trusts rows: loadCronJobsPage assigns every array entry returned by cron.list into state.cronJobs without validating payload shape first. (ui/src/ui/controllers/cron.ts:303, 33eebc29c31f)
• Current-main edit hydration crash path: Cron edit/clone hydration directly dereferences job.payload.kind, text, message, and timeoutSeconds, so malformed stale UI state can crash when a Cron row is opened or cloned. (ui/src/ui/controllers/cron.ts:463, 33eebc29c31f)
• Current-main Cron detail crash path: Cron job detail rendering directly reads job.payload.kind and job.payload.message, matching the linked undefined.kind failure class when malformed rows reach the view. (ui/src/ui/views/cron.ts:1583, 33eebc29c31f)
• Gateway contract requires payloads: The protocol schema requires Cron jobs to carry a payload matching either systemEvent with text or agentTurn with message, so the PR correctly treats malformed persisted/runtime rows as tainted UI-boundary data. (src/gateway/protocol/schema/cron.ts:137, 33eebc29c31f)

Likely related people:

• BunsDev: Provided PR context and prior review discussion tie this maintainer to recent Control UI/Cron work; local author search over the affected UI paths also found prior dashboard/app-render history associated with the same author query. (role: recent Control UI contributor and PR owner; confidence: medium; commits: e697ec273a85, 5fce2f6b0fb1; files: ui/src/ui/app-render.ts, ui/src/ui/controllers/cron.ts, ui/src/ui/views/cron.ts)
• steipete: Current-main blame on the Cron controller, view, and shared UI types points to a recent broad maintainer commit over the affected paths. (role: recent maintainer/refactor owner; confidence: medium; commits: c06739d773da; files: ui/src/ui/controllers/cron.ts, ui/src/ui/views/cron.ts, ui/src/ui/types.ts)
• Val Alexander: Recent local history over affected UI files includes Control UI app-render work and older dashboard polish touching this surface. (role: recent Control UI maintainer; confidence: medium; commits: 5fce2f6b0fb1, e697ec273a85; files: ui/src/ui/app-render.ts, ui/src/ui/app-render.assistant-avatar.test.ts)

Remaining risk / open question:

• The only known pre-merge cleanup is the missing human changelog credit for a user-facing fix entry.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 33eebc29c31f.