[AI-assisted] fix(cron): preserve legacy array stores

[IWhatsskill]

Summary

• Problem: legacy cron jobs.json files stored as a top-level array are loaded as empty after upgrade, so the first cron add can rewrite the file with only the new job.
• Solution: normalize both supported persisted shapes in one cron store loader path: { version, jobs } and legacy [...].
• What changed: async load, sync load, doctor repair, service add, and gateway cron.add now preserve legacy array jobs through load/add/save.
• What did NOT change: no cron timeout defaults, auth cooldowns, delivery behavior, storage schema migration, or broad concurrency changes.

Motivation

This is a P0 data-loss guard for users upgrading from a legacy plain-array cron store. A valid existing cron file should never be interpreted as empty and clobbered by the next write.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes cron: v2026.4.2 silently drops jobs.json (plain-array format) and first add clobbers all data #60799
• This PR fixes a bug or regression

Real behavior proof (required for external PRs)

• Behavior or issue addressed: legacy top-level array cron stores are preserved when a new cron job is added.
• Real environment tested: isolated Linux testserver checkout on current origin/main plus this patch; no real secrets or user cron store used.
• Exact steps or command run after this patch: seeded a temp cron jobs.json with two legacy array jobs, called the real cron store load path and cron service add(), then read the persisted file.
• Evidence after fix:

{
  "commit": "a54c73687f+6e2ab35417",
  "phase": "after",
  "legacyInputIds": ["legacy-alpha", "legacy-beta"],
  "loadCronStoreJobCount": 2,
  "loadedIds": ["legacy-alpha", "legacy-beta"],
  "persistedShape": "versioned-object",
  "persistedJobCount": 3,
  "persistedIds": ["legacy-alpha", "legacy-beta", "f4c00803-9730-4de8-8f09-674604ac6d7f"],
  "legacyPreservedAfterAdd": true
}

• Observed result after fix: both legacy jobs load, the new job is added, and all three jobs persist in the versioned store.
• What was not tested: a real user home cron store and live scheduled job execution were not used; this intentionally used isolated temp state.
• Before evidence:

{
  "commit": "a54c73687f",
  "phase": "before",
  "legacyInputIds": ["legacy-alpha", "legacy-beta"],
  "loadCronStoreJobCount": 0,
  "loadedIds": [],
  "persistedShape": "versioned-object",
  "persistedJobCount": 1,
  "legacyPreservedAfterAdd": false
}

Root Cause (if applicable)

• Root cause: loadCronStore() and loadCronStoreSync() only read parsed.jobs from an object envelope. If jobs.json was the older top-level array shape, the loader fell back to an empty job list.
• Missing detection / guardrail: there was no regression coverage for loading a top-level array through async/sync store reads or through the add/save paths.
• Contributing context: doctor repair uses the store loader, so the same normalization gap could make a repair pass treat valid legacy jobs as absent.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file:
  • src/cron/store.test.ts
  • src/cron/service/ops.test.ts
  • src/commands/doctor-cron.test.ts
  • src/gateway/server.cron.test.ts
• Scenario the test should lock in: legacy top-level array jobs load through async/sync store reads and survive service/gateway cron.add plus doctor repair.
• Why this is the smallest reliable guardrail: the bug is in cron store normalization, with service/gateway tests proving the user-facing add path does not clobber data.
• Existing test that already covers this (if any): none for top-level array stores.
• If no new test is added, why not: N/A.

User-visible / Behavior Changes

OpenClaw now preserves cron jobs from legacy top-level array jobs.json files instead of treating them as empty on load.

Diagram (if applicable)

Before:
legacy jobs.json array -> load as [] -> cron add -> persisted file contains only new job

After:
legacy jobs.json array -> load legacy jobs -> cron add -> persisted file contains legacy jobs plus new job

Security Impact (required)

• New permissions/capabilities? No
• Secrets/tokens handling changed? No
• New/changed network calls? No
• Command/tool execution surface changed? No
• Data access scope changed? No
• If any Yes, explain risk + mitigation: N/A

Repro + Verification

Environment

• OS: Linux testserver
• Runtime/container: Node.js v22.22.2, pnpm v11.1.2, isolated temp checkout/state
• Model/provider: N/A
• Integration/channel (if any): N/A
• Relevant config (redacted): temp cron store path only

Steps

1. Write a temp cron/jobs.json as a top-level array with two valid legacy jobs.
2. Load the store and call the real cron service add() path.
3. Read cron/jobs.json after save.

Expected

• Both legacy job IDs and the new job ID are present after add/save.

Actual

• Before patch: only the new job was present.
• After patch: both legacy jobs plus the new job were present.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

• Verified scenarios:
  • Before/after runtime proof on current origin/main and this patch.
  • Focused vitest: src/cron/store.test.ts, src/cron/service/ops.test.ts, src/commands/doctor-cron.test.ts, src/gateway/server.cron.test.ts = 4 files / 71 tests passed.
  • Core typecheck passed.
  • Core test typecheck passed.
  • oxfmt --check passed for all touched files.
  • Targeted run-oxlint passed for all touched files with 0 warnings / 0 errors.
  • git diff --check passed.
• Edge cases checked:
  • non-object array rows are ignored
  • sync and async store load both accept the legacy array
  • runtime state still splits into the state sidecar after save
  • doctor repair normalizes a legacy array instead of treating it as empty
  • gateway cron.add preserves legacy jobs through the RPC handler path
• What you did not verify:
  • full pnpm check:changed completion; the testserver OOM-killed tsgolint during full core lint, so the touched-file lint/typecheck/test lanes were run directly and passed.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? Yes
• Config/env changes? No
• Migration needed? No
• If yes, exact upgrade steps: N/A

Risks and Mitigations

• Risk: accepting the legacy array shape could preserve malformed scalar rows.
  • Mitigation: the normalizer keeps the existing object-row filter, so non-object rows are ignored before hydration.
• Risk: async/sync/doctor paths could diverge again later.
  • Mitigation: both loaders now share the same normalizer and have focused regression coverage.

[clawsweeper]

Codex review: passed.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR changes cron store loading to normalize legacy top-level array jobs.json files into the versioned store shape and adds store, service, doctor, gateway tests plus a changelog entry.

Reproducibility: yes. Current main clearly maps a top-level parsed array to {} before reading .jobs, and the PR body supplies before/after runtime output for the load/add/save path.

PR rating
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Summary: Focused data-loss fix with sufficient real-behavior proof, relevant regression tests, and no blocking findings from this review.

Rank-up moves:

• Let the exact-head CI/automerge gate complete before merge.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Sufficient (live_output): The PR body includes copied before/after runtime output from an isolated Linux setup showing legacy array jobs preserved after a real store load and cron service add/save path.

Risk before merge

• This read-only review did not execute the focused tests locally; final merge should still honor exact-head required checks/automerge gating.

Maintainer options:

1. Decide the mitigation before merge
   Land the shared cron store normalizer with the focused regression coverage, while leaving broader cron write-merge and diagnostics follow-ups to separately scoped work if maintainers want them.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge
No repair lane is needed; the remaining action is normal exact-head CI/automerge gating or maintainer landing.

Security
Cleared: The diff only changes cron store normalization, tests, and changelog text; it adds no dependency, CI, permission, secret, command execution, or network surface.

Review details

Best possible solution:

Land the shared cron store normalizer with the focused regression coverage, while leaving broader cron write-merge and diagnostics follow-ups to separately scoped work if maintainers want them.

Do we have a high-confidence way to reproduce the issue?

Yes. Current main clearly maps a top-level parsed array to {} before reading .jobs, and the PR body supplies before/after runtime output for the load/add/save path.

Is this the best way to solve the issue?

Yes. A shared cron store-file normalizer is the narrow maintainable fix because it keeps async load, sync load, doctor, service, and gateway paths on one persisted-shape contract.

Label justifications:

• P0: The PR fixes an upgrade path where valid persisted cron jobs can be silently loaded as empty and overwritten on the first write.
• rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🐚 platinum hermit, patch quality is 🐚 platinum hermit, and Focused data-loss fix with sufficient real-behavior proof, relevant regression tests, and no blocking findings from this review.
• status: 🚀 automerge armed: This PR is in ClawSweeper's automerge lane. Sufficient (live_output): The PR body includes copied before/after runtime output from an isolated Linux setup showing legacy array jobs preserved after a real store load and cron service add/save path.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes copied before/after runtime output from an isolated Linux setup showing legacy array jobs preserved after a real store load and cron service add/save path.

What I checked:

• Current-main bug path: Current main parses the cron store, rejects top-level arrays by replacing them with {}, and then reads only parsedRecord.jobs, so a valid legacy array loads as zero jobs before add/save. (src/cron/store.ts:218, 5c39e0019d2f)
• Add path can clobber after empty load: cron.add calls ensureLoaded(state), appends the new job to the in-memory store, and persists that store, so an empty load from a legacy array can rewrite the file with only the new job. (src/cron/service/ops.ts:365, 5c39e0019d2f)
• Patch normalizes both persisted shapes: The PR adds a shared normalizer that uses the parsed value directly when it is an array, otherwise uses parsed.jobs, and routes both async and sync loaders through it. (src/cron/store.ts:54, 446014b4c1f2)
• Regression coverage added: The patch adds coverage for async/sync legacy array loads, load-add-save preservation, service add, doctor repair, and gateway cron.add preserving legacy jobs. (src/cron/store.test.ts:136, 446014b4c1f2)
• Contributor real-behavior proof: The PR body includes before/after copied runtime output from an isolated Linux checkout showing loadCronStoreJobCount changing from 0 to 2 and legacyPreservedAfterAdd changing from false to true after the patch. (446014b4c1f2)
• History provenance: Blame ties the current loader behavior that ignores top-level arrays to the current imported/reverted store implementation, and broader cron history shows active recent maintenance around the same persistence and gateway surfaces. (src/cron/store.ts:207, 3d96111a5afe)

Likely related people:

• steipete: Peter Steinberger introduced the original cron scheduler/store surface and is the dominant recent contributor across cron, doctor, and gateway cron history sampled for this review. (role: feature owner and heavy area contributor; confidence: high; commits: f9409cbe43d2, 50a2481652b6; files: src/cron/store.ts, src/commands/doctor-cron.ts, src/gateway/server.cron.test.ts)
• Dallin Romney: Current loadCronStore and loadCronStoreSync lines in this checkout blame to the imported/reverted store implementation commit that carries the envelope-only read behavior. (role: current store-line provenance; confidence: medium; commits: 3d96111a5afe; files: src/cron/store.ts)
• galiniliev: Galin Iliev recently changed cron service and gateway cron behavior in the same runtime area touched by this PR. (role: recent adjacent contributor; confidence: medium; commits: 9eee202a694b; files: src/cron/service/timer.ts, src/gateway/server-cron.ts, src/gateway/server.cron.test.ts)
• neeravmakwana: Neerav Makwana recently worked on legacy cron job identity loading and service/store regression coverage, which is adjacent to this legacy store-shape fix. (role: legacy persistence compatibility contributor; confidence: medium; commits: 242b2e66f29b; files: src/cron/service/store.ts, src/commands/doctor-cron-store-migration.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 5c39e0019d2f.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Brave Lint Imp

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: stacks clean commits.
Image traits: location status garden; accessory miniature diff map; palette amber, ink, and glacier blue; mood sleepy but ready; pose waving from a small platform; shell matte ceramic shell; lighting cool dashboard glow; background tiny shells and proof notes.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Brave Lint Imp in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[Takhoffman]

@clawsweeper automerge

[IWhatsskill]

sry for the Comment @Takhoffman my clanke was too motivated xD

[clawsweeper]

🦞✅
ClawSweeper merged this PR after the passing review.

Source: clawsweeper[bot]
Feedback: structured ClawSweeper verdict: pass (sha=446014b4c1f2832e3162e3969db4060648e9533f)
Merge status: merged by ClawSweeper automerge
Merged at: 2026-05-20T05:01:25Z
Merge commit: 29f8715f05c8

What merged:

• The PR changes cron store loading to normalize legacy top-level array jobs.json files into the versioned store shape and adds store, service, doctor, gateway tests plus a changelog entry.
• Reproducibility: yes. Current main clearly maps a top-level parsed array to {} before reading .jobs, and the PR body supplies before/after runtime output for the load/add/save path.

Automerge notes:

• PR branch already contained follow-up commit before automerge: [AI-assisted] fix(cron): preserve legacy array stores

The automerge loop is complete.

Automerge progress:

• 2026-05-20 04:29:18 UTC review queued 6e2ab35417e5 (queued)

• 2026-05-20 04:31:20 UTC repair queued 6e2ab35417e5 (autonomous) Run: https://github.com/openclaw/clawsweeper/actions/runs/26141412348

• 2026-05-20 04:36:12 UTC repair started (running) in 0s Run: https://github.com/openclaw/clawsweeper/actions/runs/26141412348 automerge-openclaw-openclaw-84433

• 2026-05-20 04:36:28 UTC validation plan (passed) in 16s Run: https://github.com/openclaw/clawsweeper/actions/runs/26141412348 pnpm check:changed; pnpm lint; pnpm check:test-types

• 2026-05-20 04:36:41 UTC Codex write preflight (passed) in 29s Run: https://github.com/openclaw/clawsweeper/actions/runs/26141412348 danger-full-access

• 2026-05-20 04:42:48 UTC Codex edit 1 72f564434a1b (complete) in 6m 36s Run: https://github.com/openclaw/clawsweeper/actions/runs/26141412348 exit 0

• 2026-05-20 04:45:24 UTC validation and review 1 446014b4c1f2 (complete) in 9m 12s Run: https://github.com/openclaw/clawsweeper/actions/runs/26141412348 already-current

• 2026-05-20 04:45:29 UTC repair completed 446014b4c1f2 (branch updated) in 9m 17s Run: https://github.com/openclaw/clawsweeper/actions/runs/26141412348 initial automerge rebase is delegated to Codex repair

• 2026-05-20 04:45:29 UTC review queued 446014b4c1f2 (after repair)

• 2026-05-20 04:52:27 UTC automerge wait 446014b4c1f2 (ready) in 16m 15s Run: https://github.com/openclaw/clawsweeper/actions/runs/26141412348 checks and exact-head review are ready

• 2026-05-20 05:01:12 UTC review passed 446014b4c1f2 (structured ClawSweeper verdict: pass (sha=446014b4c1f2832e3162e3969db4060648e95...)

• 2026-05-20 04:52:28 UTC repair finished 446014b4c1f2 (pushed) in 16m 16s Run: https://github.com/openclaw/clawsweeper/actions/runs/26141412348 repair_contributor_branch

• 2026-05-20 04:54:04 UTC review queued 446014b4c1f2 (queued)

• 2026-05-20 05:01:27 UTC merged 446014b4c1f2 (merged by ClawSweeper automerge)