fix(cron): isolate main-session cron wake lanes

[galiniliev]

Summary

• Problem: sessionTarget="main" cron jobs used the same main session key as human web-chat turns, so background cron work could occupy or confuse the interactive lane.
• Why it matters: short human web-chat messages can wait behind long scheduled review/poll turns on the same agent.
• What changed: main-session cron jobs now enqueue and wake a cron-owned run lane such as agent:<agent>:cron:<job>:run:<timestamp>, while preserving the target main session's delivery context for replies.
• What did NOT change (scope boundary): isolated/custom cron agent-turn execution and cron scheduling semantics are unchanged.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes Cron jobs can block human web-chat main-session turns #82766
• Related #
• This PR fixes a bug or regression

Real behavior proof (required for external PRs)

• Behavior addressed: Scheduled main-session cron work no longer enqueues or wakes the human main-session lane; it uses a cron run lane derived from the target agent and job id.
• Real environment tested: Local Windows worktree with repo source at commit 30deebee52; direct Bun execution of the exported cron service seam.
• Exact steps or command run after this patch: bun - with an inline harness importing createCronServiceState and executeJobCore, seeding a redacted main session delivery context, then executing a sessionTarget="main", wakeMode="now" cron job whose target session key was agent:main-pr-router:main.
• Evidence after fix: Terminal output: manual cron lane proof passed.
• Observed result after fix: The cron result, queued system event, and runHeartbeatOnce call all used agent:main-pr-router:cron:review-poll:run:1778952000000; the queued event preserved { channel: "discord", to: "channel-1", accountId: "default" }; the heartbeat call did not use agent:main-pr-router:main.
• What was not tested: Full Vitest/CI in this local worktree. node scripts/run-vitest.mjs src/cron/service/timer.test.ts src/cron/service.main-job-passes-heartbeat-target-last.test.ts failed with spawn EPERM; pnpm install and pnpm docs:list failed at esbuild postinstall with spawnSync C:\Program Files\nodejs\node.exe EPERM; node scripts/crabbox-wrapper.mjs run --help failed because the local crabbox binary failed sanity checks.
• Before evidence (optional but encouraged): Redacted gateway logs showed a cron-triggered main-session run lasting about 66 seconds, a human web-chat run starting with prev=processing new=processing reason="run_started" queueDepth=1, and tiny human replies taking 12.6-37.6 seconds while sharing the same main-session lane.

Root Cause (if applicable)

• Root cause: executeMainSessionCronJob used job.sessionKey as the system-event and heartbeat target for sessionTarget="main", so scheduled cron work entered the same durable lane as human main web-chat turns.
• Missing detection / guardrail: Existing cron tests asserted heartbeat.target="last" but did not assert that main-session cron work stayed off the human main-session key.
• Contributing context (if known): Heartbeat delivery needed the target main session's last delivery context, which made the original implementation reuse the whole main session key.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: src/cron/service/timer.test.ts, src/cron/service.main-job-passes-heartbeat-target-last.test.ts
• Scenario the test should lock in: A main-session cron job targeting an agent main session queues and wakes agent:<agent>:cron:<job>:run:<timestamp>, not agent:<agent>:main, and preserves delivery context.
• Why this is the smallest reliable guardrail: The bug is at the cron service handoff seam before provider/model generation or channel delivery.
• Existing test that already covers this (if any): Existing heartbeat-target tests now also assert the isolated cron lane.
• If no new test is added, why not: N/A

User-visible / Behavior Changes

Main-session cron jobs now run in a cron-owned wake lane instead of appending routine cron turns to the human main chat lane. Replies can still use the target main session's last delivery context.

Diagram (if applicable)

Before:
cron main job -> agent:<agent>:main -> shared with human web chat

After:
cron main job -> agent:<agent>:cron:<job>:run:<timestamp> -> reply uses main session delivery context
human web chat -> agent:<agent>:main

Security Impact (required)

• New permissions/capabilities? (Yes/No) No
• Secrets/tokens handling changed? (Yes/No) No
• New/changed network calls? (Yes/No) No
• Command/tool execution surface changed? (Yes/No) No
• Data access scope changed? (Yes/No) No
• If any Yes, explain risk + mitigation: N/A

Repro + Verification

Environment

• OS: Windows local worktree for direct seam proof
• Runtime/container: Bun 1.3.13 direct TS execution
• Model/provider: NOT_ENOUGH_INFO for original live logs; not needed for seam proof
• Integration/channel (if any): web chat symptom; direct seam proof used redacted Discord-shaped delivery context
• Relevant config (redacted): main cron job targeting a redacted agent main session

Steps

1. Seed a session store row for the redacted main session with a last delivery target.
2. Execute a sessionTarget="main", wakeMode="now" cron job through executeJobCore.
3. Assert the queued system event and heartbeat wake use the cron run lane and preserve delivery context.

Expected

• Cron work uses agent:<agent>:cron:<job>:run:<timestamp> and does not use agent:<agent>:main as the execution lane.

Actual

• After the patch, the direct harness observed the expected cron lane and delivery context.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: git diff --check; direct Bun seam harness for the reported main-pr-router-shaped session key; live duplicate search via gh search issues/prs found no matching public issue/PR.
• Edge cases checked: delivery context from the target main session is carried to the cron run lane; task ledger records main cron child sessions as the cron run lane.
• What you did not verify: Vitest/CI/Testbox because local Node process spawning and Crabbox wrapper sanity checks are blocked as described above.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

If a bot review conversation is addressed by this PR, resolve that conversation yourself. Do not leave bot review conversation cleanup for maintainers.

Compatibility / Migration

• Backward compatible? (Yes/No) Yes
• Config/env changes? (Yes/No) No
• Migration needed? (Yes/No) No
• If yes, exact upgrade steps: N/A

Risks and Mitigations

• Risk: Main-session cron jobs still need to reply to the previous chat target even though execution moved off the main lane.
  • Mitigation: The cron service copies the target main session's delivery context into the queued cron system event; tests and the direct harness assert this handoff.

[clawsweeper]

Codex review: needs changes before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Routes main-session cron system events and heartbeat wakes to a cron-owned run session key, forwards main-session delivery context, and updates cron/gateway tests plus cron docs.

Reproducibility: yes. at source level. Current main routes main-session cron events and heartbeat wakes through job.sessionKey, and the linked issue includes timing logs showing human web-chat work queued behind cron on that lane.

PR rating
Overall: 🦐 gold shrimp
Proof: 🐚 platinum hermit
Patch quality: 🦐 gold shrimp
Summary: Useful bug-fix direction with concrete terminal proof, but the remaining task-ledger mismatch keeps the patch below merge-ready quality.

Rank-up moves:

• Use one shared main cron run-lane resolver for manual, timer, and startup task records plus execution.
• Run the focused cron/gateway tests after the lane fix.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Sufficient (terminal): The PR body includes after-fix terminal proof from a Bun seam harness showing the cron run lane and preserved delivery context, though it does not prove the remaining manual task-record path.

Risk before merge

• Manual CronService.run task records can still point at the human main session while the actual cron work runs on agent:<agent>:cron:<job>:run:<timestamp>, leaving task history and cleanup surfaces inconsistent.
• Global-scope session configurations intentionally collapse cron run keys to global under the current heartbeat contract, so maintainers should verify that this exception is acceptable before documenting universal main-session cron isolation.

Maintainer options:

1. Centralize Cron Run Lane Before Merge (recommended)
   Move the main-session cron run-key resolver into a shared cron service helper and use it for timer/startup/manual task records and execution so every surface agrees on the same lane.
2. Accept Global-Scope Compatibility Explicitly
   If global-scope cron runs must keep using the global queue, document and test that exception so the PR does not promise isolation that the heartbeat runner cannot provide.
3. Pause Until the Broader Cron Wake Work Settles
   If maintainers want one routing contract for this PR and fix(cron): capture originating session/agent on the cron wake tool call #83738, pause this branch until the shared cron wake/session behavior is decided.

Copy recommended automerge instruction

@clawsweeper automerge

Special instructions:
Centralize main-session cron run lane resolution in a shared cron service helper, update manual `CronService.run` task creation to use the same cron run key as `executeJobCore`, keep global-scope behavior explicit, and add focused regression coverage for manual/forced main cron task `childSessionKey` matching the execution session key.

Next step before merge
A narrow automated repair can share the cron run-lane resolver with the manual task-record path and add targeted coverage without changing cron scheduling semantics.

Security
Cleared: The diff changes cron/session routing, tests, and docs only; I found no new dependency, workflow, permission, secret-handling, download, or command-execution surface.

Review findings

• [P2] Share the cron lane with manual task records — src/cron/service/timer.ts:433-440

Review details

Best possible solution:

Land a version that computes one main cron run lane per execution and uses it consistently for system events, heartbeat wakes, task records, run events, docs, and focused tests, with the global-scope behavior explicitly covered.

Do we have a high-confidence way to reproduce the issue?

Yes, at source level. Current main routes main-session cron events and heartbeat wakes through job.sessionKey, and the linked issue includes timing logs showing human web-chat work queued behind cron on that lane.

Is this the best way to solve the issue?

No, not yet. The execution-lane direction is the right narrow fix, but the branch should share the cron run lane with manual task records and explicitly cover the global-scope exception before merge.

Label changes:

• add merge-risk: 🚨 message-delivery: The PR changes which session queue receives cron system events and heartbeat wakes, so a wrong lane can strand or misroute scheduled cron replies.
• add merge-risk: 🚨 session-state: The current head still leaves manual task ledger records on a different session key than the actual cron execution lane.
• add rating: 🦐 gold shrimp: Current PR rating is 🦐 gold shrimp because proof is 🐚 platinum hermit, patch quality is 🦐 gold shrimp, and Useful bug-fix direction with concrete terminal proof, but the remaining task-ledger mismatch keeps the patch below merge-ready quality.
• add status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (terminal): The PR body includes after-fix terminal proof from a Bun seam harness showing the cron run lane and preserved delivery context, though it does not prove the remaining manual task-record path.

Label justifications:

• P1: The linked bug can make human web-chat turns wait behind long scheduled main-session cron work, which is an urgent broken agent workflow.
• merge-risk: 🚨 message-delivery: The PR changes which session queue receives cron system events and heartbeat wakes, so a wrong lane can strand or misroute scheduled cron replies.
• merge-risk: 🚨 session-state: The current head still leaves manual task ledger records on a different session key than the actual cron execution lane.
• rating: 🦐 gold shrimp: Current PR rating is 🦐 gold shrimp because proof is 🐚 platinum hermit, patch quality is 🦐 gold shrimp, and Useful bug-fix direction with concrete terminal proof, but the remaining task-ledger mismatch keeps the patch below merge-ready quality.
• status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (terminal): The PR body includes after-fix terminal proof from a Bun seam harness showing the cron run lane and preserved delivery context, though it does not prove the remaining manual task-record path.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix terminal proof from a Bun seam harness showing the cron run lane and preserved delivery context, though it does not prove the remaining manual task-record path.

Full review comments:

• [P2] Share the cron lane with manual task records — src/cron/service/timer.ts:433-440
  The new main cron run key is computed only inside timer.ts, so manual CronService.run still creates its task record with params.job.sessionKey in ops.ts while executeJobCore wakes agent:<agent>:cron:<job>:run:<timestamp>. That leaves task history and cleanup surfaces pointed at the human lane for forced/manual main cron runs; move the lane resolver to a shared helper and use it in tryCreateManualTaskRun too.
  Confidence: 0.88

Overall correctness: patch is incorrect
Overall confidence: 0.86

Acceptance criteria:

• git diff --check
• node scripts/run-vitest.mjs src/cron/service/timer.test.ts src/cron/service.main-job-passes-heartbeat-target-last.test.ts src/cron/service/ops.test.ts src/cron/service.restart-catchup.test.ts src/gateway/server-cron.test.ts src/gateway/server.cron.test.ts
• pnpm docs:list if docs wording remains changed, in a healthy checkout or Testbox per repo policy

What I checked:

• current-main source reproduction: Current main's main-session cron path assigns targetMainSessionKey = job.sessionKey and uses that value for the queued system event plus immediate and fallback heartbeat wakes, matching the linked report's shared-lane failure mode. (src/cron/service/timer.ts:1709, c982358753bb)
• PR head central execution change: The PR head computes cronRunSessionKey from the target agent, job id, and run timestamp, then uses it for main cron system-event enqueueing and heartbeat wakes while preserving delivery context. (src/cron/service/timer.ts:1739, 96dcbddf6d5e)
• remaining manual task-record mismatch: On the same PR head, manual CronService.run task creation still records childSessionKey: params.job.sessionKey, so forced/manual main cron runs can have task ledger records pointing at the human lane while executeJobCore wakes the cron run lane. (src/cron/service/ops.ts:576, 96dcbddf6d5e)
• gateway adapter behavior: The PR head forwards delivery context through the gateway cron adapter and explicitly maps global-scope cron run keys back to the global queue, which should be treated as an upgrade/behavior boundary for maintainers to accept or document. (src/gateway/server-cron.ts:242, 96dcbddf6d5e)
• real behavior proof in PR body: The PR body includes terminal proof from a Bun seam harness showing after-fix cron lane selection, preserved delivery context, and no heartbeat call to the human main-session key. (30deebee5293)
• prior review context: The existing ClawSweeper review identified the same task-record lane inconsistency; the latest head fixed timer/startup coverage but did not update the manual run path in src/cron/service/ops.ts. (src/cron/service/ops.ts:576, 96dcbddf6d5e)

Likely related people:

• vincentkoc: Introduced the main/detached cron dispatch split and shared task-run registry surfaces that this PR now needs to keep in sync. (role: feature-history owner; confidence: high; commits: 1c9053802a98, 53bcd5769ef4; files: src/cron/service/timer.ts, src/cron/service/ops.ts, src/gateway/server-cron.ts)
• steipete: Recent history shows repeated cron manual-run, startup, and task reconciliation work near the affected execution and ledger paths. (role: recent area contributor; confidence: medium; commits: 7d1575b5df79, 49f3fbf726c0, 7b8e48ffb613; files: src/cron/service/timer.ts, src/cron/service/ops.ts, src/tasks/task-registry.ts)
• ngutman: Current-main blame in this checkout points the relevant timer, ops, and session-key helper lines to a recent broad restore commit, so this person is useful for latest-main integration context. (role: recent area contributor; confidence: low; commits: 94d8391c0323; files: src/cron/service/timer.ts, src/cron/service/ops.ts, src/routing/session-key.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against c982358753bb.

[clawsweeper]

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[galiniliev]

Landing verification for head 526018a.

Behavior addressed: main-session cron jobs now use a cron-owned wake lane while preserving the target main session delivery context, so scheduled cron work no longer contends with human main-session chat turns.

Exact local commands run after the prepared patch:

node scripts/run-vitest.mjs src/cron/service/timer.test.ts src/cron/service.main-job-passes-heartbeat-target-last.test.ts src/cron/service.every-jobs-fire.test.ts src/cron/service.runs-one-shot-main-job-disables-it.test.ts src/gateway/server-cron.test.ts src/gateway/server.cron.test.ts
git diff --check HEAD

Observed result after fix: focused Vitest passed 6 files / 60 tests, and diff whitespace check passed.

CI proof on this head: GitHub Actions completed with 77 successful checks, 1 neutral CodeQL aggregate, 23 skipped checks, no failures, and no pending checks. Primary CI run: https://github.com/openclaw/openclaw/actions/runs/26140551225. Security/quality runs: https://github.com/openclaw/openclaw/actions/runs/26140551207 and https://github.com/openclaw/openclaw/actions/runs/26140551206.

Known proof gap: I did not run a separate Crabbox/end-to-end packaged lane for this landing; the PR has real seam proof in the body, focused local cron/gateway tests, and full PR CI on the final rebased head.