fix(cron): honor isolated sessionTarget and fail missing cron.remove id

[stevenepalmer]

Summary

• prevent cron tool auto-injection of caller session key when a cron job explicitly targets sessionTarget: "isolated"
• make cron.remove return an invalid-request error when the target job id is not found, instead of ok: true, removed: false

Fixes #86202

Verification

• node scripts/run-vitest.mjs src/agents/tools/cron-tool.test.ts src/gateway/server-methods/cron.validation.test.ts
• autoreview clean after rebase on origin/main

Real behavior proof

Behavior addressed: isolated cron jobs should not inherit the caller/dashboard session key, and removing a missing cron id should be surfaced as an invalid request instead of a successful no-op.

Real environment tested: local OpenClaw source checkout on Node 24-compatible tooling, loading the real cron tool and gateway cron handler modules through the repo test harness.

Exact steps or command run after this patch: node scripts/run-vitest.mjs src/agents/tools/cron-tool.test.ts src/gateway/server-methods/cron.validation.test.ts

Evidence after fix: Test Files 4 passed (4) and Tests 204 passed (204). The new cron-tool assertion observed an isolated add payload with sessionTarget: "isolated" and no sessionKey; the gateway validation assertion observed INVALID_REQUEST for a missing cron.remove id.

Observed result after fix: isolated cron add requests remain isolated, and missing cron removals now return a clear invalid-request error.

What was not tested: a full long-running gateway cron scheduler process with wall-clock job execution; the changed request construction and gateway handler branches were tested directly.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed May 24, 2026, 8:47 PM ET / 00:47 UTC.

Summary
The PR skips caller sessionKey auto-stamping for isolated cron add requests, returns INVALID_REQUEST when cron.remove cannot find the job id, and adds focused Vitest coverage.

PR surface: Source +9, Tests +51. Total +60 across 4 files.

Reproducibility: yes. source inspection gives a high-confidence path: current main auto-stamps caller sessionKey after cron add normalization and returns success for missing cron.remove ids. I did not run the harness because this review is read-only.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Maintainer should decide whether to accept the stricter cron.remove missing-id contract or split it from the session fix.

Risk before merge

• Changing missing cron.remove ids from success with removed:false to INVALID_REQUEST can break callers that treat remove as idempotent or parse successful no-op responses.
• The session fix covers the cron tool's auto-injected sessionKey path; existing persisted conflicting jobs or explicitly supplied isolated-plus-sessionKey payloads may still need follow-up if maintainers expect the linked issue to be fully closed.

Maintainer options:

1. Accept stricter remove failures (recommended)
   Land the INVALID_REQUEST behavior as an intentional bug fix because false success hid failed deletes in the linked report, and record the contract change during landing.
2. Split the remove contract
   Keep the isolated-session fix here and move the missing-id cron.remove error behavior to a separate PR if maintainers want independent upgrade review.
3. Preserve idempotent removal
   If callers depend on idempotent deletes, keep gateway cron.remove success for missing ids and improve only CLI/user diagnostics in a narrower follow-up.

Next step before merge
Needs maintainer acceptance or split of the compatibility-sensitive cron.remove error contract; no automated repair is necessary because there are no blocking code findings.

Security
Cleared: The diff only touches cron request handling and tests; it does not add dependencies, workflows, secret handling, or new code-execution paths.

Review details

Best possible solution:

Land the isolated-session tool fix with regression coverage, and either explicitly accept or split the stricter remove error contract while tracking any existing-job cleanup separately.

Do we have a high-confidence way to reproduce the issue?

Yes, source inspection gives a high-confidence path: current main auto-stamps caller sessionKey after cron add normalization and returns success for missing cron.remove ids. I did not run the harness because this review is read-only.

Is this the best way to solve the issue?

Mostly yes: the PR fixes future tool-created isolated cron jobs that would inherit caller session keys. The missing-id remove error is a stricter API contract and should be maintainer-accepted or split before merge.

Codex review notes: model gpt-5.5, reasoning high; reviewed against f09b4ebe314e.

Label changes

Label changes:

• add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Override: A maintainer applied proof: override for this PR.
• remove rating: 🦪 silver shellfish: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.
• remove status: 📣 needs proof: Current PR status label is status: 👀 ready for maintainer look.

Label justifications:

• P1: The linked bug can misroute scheduled cron output into active dashboard sessions and disrupt real user workflows.
• merge-risk: 🚨 compatibility: The PR intentionally changes the observable cron.remove missing-id contract from successful no-op to gateway error.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Override: A maintainer applied proof: override for this PR.

Evidence reviewed

PR surface:

Source +9, Tests +51. Total +60 across 4 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	2	12	3	+9
Tests	2	51	0	+51
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	4	63	3	+60

Acceptance criteria:

• node scripts/run-vitest.mjs src/agents/tools/cron-tool.test.ts src/gateway/server-methods/cron.validation.test.ts

What I checked:

• Current main still auto-stamps sessionKey: Current main stamps resolvedSessionKey onto any cron add job missing sessionKey; this is the behavior the PR changes for normalized isolated jobs. (src/agents/tools/cron-tool.ts:673, f09b4ebe314e)
• PR branch guards isolated add requests: The PR branch adds a normalized sessionTarget check and skips the caller session key when the job is isolated. (src/agents/tools/cron-tool.ts:673, ac3ec4712b5c)
• Current main treats missing remove as successful no-op: Current main forwards context.cron.remove(jobId) and responds success even when removed is false. (src/gateway/server-methods/cron.ts:479, f09b4ebe314e)
• PR branch changes remove-not-found to invalid request: The PR branch returns INVALID_REQUEST and exits when context.cron.remove(jobId) reports removed: false. (src/gateway/server-methods/cron.ts:480, ac3ec4712b5c)
• Remove result contract is internal but observable: The cron service returns { ok: true, removed } after exact-id removal, so changing the gateway response for removed: false is an observable API/CLI contract change. (src/cron/service/ops.ts:462, f09b4ebe314e)
• Related issue shows user-visible impact: The linked report describes shipped v2026.5.22 cron jobs colliding with WebUI dashboard sessions and missing-id removals returning successful-looking removed:false, which matches the two changed surfaces.

Likely related people:

• vincentkoc: Current-line blame for the touched cron tool and gateway handler paths points to recent cron/e2e hardening work in commit 87a2eba. (role: recent area contributor; confidence: medium; commits: 87a2eba42763; files: src/agents/tools/cron-tool.ts, src/gateway/server-methods/cron.ts)
• steipete: Recent history shows broad cron file movement and stabilization work, including the latest shipped release commit touching the central cron files. (role: recent cron refactor contributor; confidence: medium; commits: a374c3a5bfd5, bcbfb357bec7; files: src/agents/tools/cron-tool.ts, src/gateway/server-methods/cron.ts, src/cron/service/ops.ts)
• vignesh07: The session namespace routing behavior around caller session resolution appears to date to commit f988abf. (role: session routing feature contributor; confidence: medium; commits: f988abf202e3; files: src/agents/tools/cron-tool.ts)
• thewilloftheshadow: Gateway cron parameter compatibility for jobId/id traces to commit 25297ce, which is adjacent to the changed cron.remove handler. (role: gateway cron method contributor; confidence: medium; commits: 25297ce3f504; files: src/gateway/server-methods/cron.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🌱 uncommon Velvet Test Hopper

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🌱 uncommon.
Trait: polishes edge cases.
Image traits: location workflow harbor; accessory review stamp; palette charcoal, cyan, and signal green; mood determined; pose leaning over a miniature review desk; shell matte ceramic shell; lighting golden review-room light; background small green status lights.
Share on X: post this hatch
Copy: My PR egg hatched a 🌱 uncommon Velvet Test Hopper in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.