fix(cron-cli): bound loadCronJobForShow pagination (#83856)

[yaoyi1222]

Fixes #83856.

Summary

loadCronJobForShow was paginating with for (;;) — no max-pages cap, no check that nextOffset actually advances. If the gateway ever returns hasMore=true with nextOffset stuck at the same value, openclaw cron show <id-or-name> would loop forever, reissuing identical cron.list RPCs.

The sibling loadCronJobForEditSchedulePatch in register.cron-edit.ts already has this guard; this PR mirrors that pattern in register.cron-simple.ts:

• cap at CRON_SHOW_LOOKUP_MAX_PAGES = 50 iterations
• assert nextOffset > offset between pages, throw if not
• throw if the page cap is exceeded

Also exports loadCronJobForShow so the regression test can target it directly (the issue specifically calls out that this feature group has no tests).

AI-assisted (Claude Code).

Verification

• node scripts/run-vitest.mjs src/cli/cron-cli — 25/25 pass, including the four new regression tests
• node scripts/run-oxlint.mjs src/cli/cron-cli/register.cron-simple.ts src/cli/cron-cli/register.cron-simple.test.ts — 0 warnings, 0 errors
• oxfmt --check on both touched files — clean
• pnpm tsgo:core — clean

Real behavior proof

• Behavior addressed: openclaw cron show <name> would hang indefinitely if the gateway returned a cron.list page with hasMore=true and a non-advancing nextOffset (e.g. stuck at 0), reissuing the same RPC forever.

• Real environment tested: local macOS checkout, rebased on upstream main (d60ab48). The real openclaw cron CLI command tree (registerCronSimpleCommands) was driven through commander as a spawned node process against a minimal ws stub gateway running on 127.0.0.1. The stub completes the real connect / hello-ok handshake and returns { jobs: [], hasMore: true, nextOffset: 0 } for every cron.list call.

• Exact steps or command run after this patch:

  • Spawned the stub: node .tmp-repro/stub-gateway.mjs — prints READY ws://127.0.0.1:<port>.
  • Spawned the real CLI against it: node node_modules/.bin/tsx .tmp-repro/cron-show-shim.ts cron show foo --url ws://127.0.0.1:<port> --token stub (the shim does nothing but call the real registerCronSimpleCommands).

• Evidence after fix: copied live terminal output, including the full CLI stderr and the stub's per-RPC log. After this PR, the real cron show command exits via the new error after a single cron.list round-trip:

  [stub] cron.list #1 (offset=0)
  
  === CLI result ===
  exit code: 1
  signal: null
  timed out: false
  elapsed: 1330 ms
  --- cli stderr ---
  Error: cron.list pagination did not advance while looking up cron job
  --- stub stderr (RPC log) ---
  [stub] cron.list #1 (offset=0)
  

  For comparison, against an unbounded build of the same code path (loop temporarily reverted locally, then restored), the same node-spawned CLI hangs and gets SIGKILLed by the 6 s driver timeout after issuing over a thousand identical cron.list RPCs all at offset=0:

  [stub] cron.list #1 (offset=0)
  [stub] cron.list #150 (offset=0)
  [stub] cron.list #200 (offset=0)
  ... (continues to #1137+)
  === CLI result ===
  exit code: null
  signal: SIGKILL
  timed out: true
  elapsed: 6003 ms
  --- cli stderr ---
  (empty — process was spinning)
  

• Observed result after fix: the real node-spawned openclaw cron show foo CLI process exits with code 1 in ~1.3 s after a single cron.list round-trip, emitting Error: cron.list pagination did not advance while looking up cron job on stderr. No more hang; one RPC, one error, clean exit.

• What was not tested: I did not stand up the full production openclaw gateway and force it to actually misbehave at the cron.listPage source — the stub gateway above answers the same wire protocol as the real one (real hello-ok handshake, real cron.list req/res frames), which is what the issue itself recommends.

[clawsweeper]

Codex review: passed.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Adds a 50-page and advancing-nextOffset guard to loadCronJobForShow, exports that helper for regression tests, and adds an unreleased changelog entry.

Reproducibility: yes. Current main is source-reproducible because loadCronJobForShow loops while hasMore is true and accepts a repeated numeric nextOffset; the PR discussion also includes terminal before/after proof for the same CLI path.

PR rating
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Summary: Strong terminal proof supports a focused, normally mergeable patch with no blocking findings from this review.

Rank-up moves:

• none

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Sufficient (terminal): The PR body and follow-up comment provide terminal before/after output from a spawned real cron CLI command against a stub gateway that exercises the wire protocol and shows the hang becoming a one-RPC error exit.

Risk before merge

• This read-only review did not execute the PR's validation commands, so exact-head CI or maintainer-run checks should remain the merge gate.

Maintainer options:

1. Decide the mitigation before merge
   Land this focused guard through the existing automerge and CI gates, then let the linked cron CLI issue close after merge.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge
No repair lane is needed; the PR has no blocking findings and should proceed through exact-head CI and automerge gates.

Security
Cleared: The diff only changes cron CLI lookup code, a colocated test, and changelog text; it does not touch dependencies, workflows, credentials, package scripts, or code-download paths.

Review details

Best possible solution:

Land this focused guard through the existing automerge and CI gates, then let the linked cron CLI issue close after merge.

Do we have a high-confidence way to reproduce the issue?

Yes. Current main is source-reproducible because loadCronJobForShow loops while hasMore is true and accepts a repeated numeric nextOffset; the PR discussion also includes terminal before/after proof for the same CLI path.

Is this the best way to solve the issue?

Yes. Mirroring the existing cron edit page cap and advancing-offset check is the narrowest maintainable fix for this cron show lookup loop.

Label justifications:

• P2: This is a normal-priority CLI availability bug with limited blast radius to openclaw cron show lookups against malformed or buggy pagination responses.
• rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🦞 diamond lobster, patch quality is 🐚 platinum hermit, and Strong terminal proof supports a focused, normally mergeable patch with no blocking findings from this review.
• status: 🚀 automerge armed: This PR is in ClawSweeper's automerge lane. Sufficient (terminal): The PR body and follow-up comment provide terminal before/after output from a spawned real cron CLI command against a stub gateway that exercises the wire protocol and shows the hang becoming a one-RPC error exit.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body and follow-up comment provide terminal before/after output from a spawned real cron CLI command against a stub gateway that exercises the wire protocol and shows the hang becoming a one-RPC error exit.

What I checked:

• Current main source-reproducible hang path: loadCronJobForShow on current main uses for (;;), keeps calling cron.list while hasMore is true, and assigns offset = page.nextOffset without checking that the offset advances. (src/cli/cron-cli/register.cron-simple.ts:95, 0c67dc7f82af)
• Existing sibling guard pattern: loadCronJobForEditSchedulePatch already caps lookup pagination at 50 pages and throws when nextOffset does not advance, matching the PR's chosen fix shape. (src/cli/cron-cli/register.cron-edit.ts:42, 0c67dc7f82af)
• PR implementation: The PR head changes loadCronJobForShow to use a 50-page loop, throw on non-advancing pagination, and throw when the page cap is exceeded. (src/cli/cron-cli/register.cron-simple.ts:91, 7828b4bdaef6)
• Regression tests: The PR adds focused tests for non-advancing pagination, excessive pagination, finding a job on a later page, and no-match termination. (src/cli/cron-cli/register.cron-simple.test.ts:28, 7828b4bdaef6)
• Gateway pagination contract: The gateway cron.list handler delegates to context.cron.listPage, whose normal implementation computes nextOffset = offset + jobs.length and reports hasMore from that offset, so the PR guards a malformed or buggy pagination response at the CLI boundary. (src/cron/service/ops.ts:349, 0c67dc7f82af)
• Real behavior proof from PR discussion: The PR body and contributor follow-up include terminal before/after output from a spawned cron CLI process against a stub gateway: current behavior spins until killed, while the patched command exits after one cron.list call with the new pagination error. (7828b4bdaef6)

Likely related people:

• Ayaan Zaidi: git blame and git log on the cron CLI files in this checkout attribute the current loadCronJobForShow, sibling edit lookup, and cron CLI tests to commit af5e0b26ef. (role: current-main code introducer and recent area contributor; confidence: medium; commits: af5e0b26efa2; files: src/cli/cron-cli/register.cron-simple.ts, src/cli/cron-cli/register.cron-edit.ts, src/cli/cron-cli.test.ts)
• Takhoffman: The PR discussion includes an explicit @clawsweeper automerge request from this account, making them a likely follow-up reviewer for this PR state. (role: automerge requester; confidence: medium)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 0c67dc7f82af.

[yaoyi1222]

Real behavior proof — stubbed gateway

Added the redacted terminal output the review asked for. Setup: a minimal ws server stubs the gateway, answers the handshake with hello-ok, and returns { jobs: [], hasMore: true, nextOffset: 0 } for every cron.list call. The real cron show CLI command (registered via the actual registerCronSimpleCommands) connects to it with --url/--token.

Before this PR (unbounded loop)

CLI hangs; killed externally with SIGKILL after a 6 s driver timeout. During that 6 s the stub received over a thousand identical cron.list RPCs, all at offset=0:

[stub.err] [stub] cron.list #1 (offset=0)
[stub.err] [stub] cron.list #150 (offset=0)
[stub.err] [stub] cron.list #200 (offset=0)
...
[stub.err] [stub] cron.list #1137 (offset=0)
...

=== CLI result ===
exit code: null
signal: SIGKILL
timed out: true
elapsed: 6003 ms
--- cli stderr ---
(empty — process was spinning)

After this PR (guard applied)

CLI exits cleanly after a single cron.list round-trip with the new error:

[stub.err] [stub] cron.list #1 (offset=0)

=== CLI result ===
exit code: 1
signal: null
timed out: false
elapsed: 1330 ms
--- cli stderr ---
Error: cron.list pagination did not advance while looking up cron job
--- stub stderr (RPC log) ---
[stub] cron.list #1 (offset=0)

One RPC, advancement guard fires, process exits 1. Same change in commit f9d9e0b as the original PR — pre-fix run was produced by temporarily reverting just loadCronJobForShow's loop locally, then restored.

— AI-assisted (Claude Code).

[Takhoffman]

@clawsweeper automerge

[clawsweeper]

🦞🧹
ClawSweeper automerge is enabled.

• Head: 7828b4bdaef6
• Label: clawsweeper:automerge
• Action: exact-head review queued (workflow sweep.yml, event repository_dispatch).
• Flow: review this head, repair/rebase only if needed, then re-review the exact repaired head before merge.

Draft PRs stay fix-only until GitHub marks them ready for review. Pause with /clawsweeper stop.

Automerge progress:

• 2026-05-19 11:51:51 UTC repair completed (no branch change) in 46s Run: https://github.com/openclaw/clawsweeper/actions/runs/26095168547 source PR fix(cron-cli): bound loadCronJobForShow pagination (#83856) #83989 is paused by clawsweeper:human-review; refusing to mutate the PR branch

• 2026-05-19 11:51:53 UTC repair finished (blocked) in 47s Run: https://github.com/openclaw/clawsweeper/actions/runs/26095168547 source PR fix(cron-cli): bound loadCronJobForShow pagination (#83856) #83989 is paused by clawsweeper:human-review; refusing to mutate the PR branch

• 2026-05-20 06:51:26 UTC review passed e055fa292a2f (structured ClawSweeper verdict: pass (sha=e055fa292a2fbc94eba65507fcb35d009582b...)

• 2026-05-20 06:51:46 UTC repair queued e055fa292a2f (autonomous) Run: https://github.com/openclaw/clawsweeper/actions/runs/26146456364

• 2026-05-20 06:58:11 UTC repair started (running) in 0s Run: https://github.com/openclaw/clawsweeper/actions/runs/26146456364 automerge-openclaw-openclaw-83989

• 2026-05-20 06:58:30 UTC validation plan (passed) in 20s Run: https://github.com/openclaw/clawsweeper/actions/runs/26146456364 pnpm check:changed; pnpm lint; pnpm check:test-types

• 2026-05-20 06:58:44 UTC Codex write preflight (passed) in 34s Run: https://github.com/openclaw/clawsweeper/actions/runs/26146456364 danger-full-access

• 2026-05-20 07:02:30 UTC Codex edit 1 67c12e036802 (complete) in 4m 20s Run: https://github.com/openclaw/clawsweeper/actions/runs/26146456364 exit 0

• 2026-05-20 07:09:39 UTC validation and review 1 7828b4bdaef6 (base moved) in 11m 28s Run: https://github.com/openclaw/clawsweeper/actions/runs/26146456364 codex-reconciled

• 2026-05-20 07:09:46 UTC repair completed 7828b4bdaef6 (branch updated) in 11m 36s Run: https://github.com/openclaw/clawsweeper/actions/runs/26146456364 initial automerge rebase is delegated to Codex repair

• 2026-05-20 07:09:46 UTC review queued 7828b4bdaef6 (after repair)

• 2026-05-20 07:19:22 UTC automerge wait 7828b4bdaef6 (ready) in 21m 11s Run: https://github.com/openclaw/clawsweeper/actions/runs/26146456364 checks and exact-head review are ready

• 2026-05-20 07:19:23 UTC repair finished 7828b4bdaef6 (pushed) in 21m 13s Run: https://github.com/openclaw/clawsweeper/actions/runs/26146456364 repair_contributor_branch

• 2026-05-20 07:17:00 UTC review passed 7828b4bdaef6 (structured ClawSweeper verdict: pass (sha=7828b4bdaef67c4487c2d10e66af2f29897f2...)

• 2026-05-20 07:19:41 UTC merged 7828b4bdaef6 (merged by ClawSweeper automerge)

• 2026-05-20 07:19:45 UTC review queued 7828b4bdaef6 (queued)

[clawsweeper]

🦞✅
ClawSweeper is pausing this repair loop for human review.

Source: clawsweeper[bot]
Reason: No ClawSweeper repair lane is needed; the patch has no blocking findings and should proceed through normal maintainer merge gates.; Cleared: The diff only touches cron CLI lookup code and colocated tests, with no dependency, workflow, credential, package, or code-download surface changed. (sha=f9d9e0b4deb87cb27c52d0437670643a398a5474)

Why human review is needed:
This item has security-sensitive risk. ClawSweeper is pausing instead of making an autonomous change that could affect trust, credentials, permissions, or exposure.

Recommended next action:
Have a maintainer review the security-sensitive detail and provide an explicit safe path before asking ClawSweeper to continue.

I added clawsweeper:human-review and left the final call with a maintainer.

[giodl73-repo]

Looks good. The fix mirrors the existing bounded cron edit lookup behavior for cron show, adds advancement and max-page guards, and includes focused regression coverage for the stuck-pagination, page-cap, later-page, and empty-result paths. The supplied stub-gateway proof demonstrates the previous hang and the new one-RPC failure mode, with current CI/checks green.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 💎 rare Mossy Review Wisp

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 💎 rare.
Trait: keeps receipts.
Image traits: location review cove; accessory little merge flag; palette seafoam, black, and opal; mood patient; pose nestled inside a glowing shell; shell starlit enamel shell; lighting warm desk-lamp glow; background soft code-shaped tiles.
Share on X: post this hatch
Copy: My PR egg hatched a 💎 rare Mossy Review Wisp in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.