fix(cron): auto-migrate legacy cron store

[MonkeyLeeT]

Fixes #90072

Summary

• Add a non-interactive cron migration path that runs during doctor config preflight.
• Share the existing doctor cron repair implementation between doctor --fix and non-interactive preflight so legacy JSON cron jobs are merged into the SQLite store through one repair path.
• Keep existing SQLite rows as the winner for duplicate job ids, normalize legacy persisted cron shapes before writing, and archive legacy cron files only after the SQLite write succeeds.
• Trimmed out the earlier foreground gateway run fast-path and read-only/status startup-detection hardening; this PR now stays scoped to the original legacy cron migration issue.

Root Cause

Cron runtime now reads and writes the canonical SQLite-backed store only. The existing doctor cron repair flow could import legacy jobs.json / jobs-state.json, but ordinary doctor config preflight did not call that cron migration before Gateway startup/restart paths touched runtime state. This meant legacy cron JSON files could remain present while the SQLite cron table stayed empty or incomplete.

Verification

• git diff --check
• node scripts/run-vitest.mjs src/commands/doctor/cron/index.test.ts src/commands/doctor-config-preflight.state-migration.test.ts src/cron/store.test.ts src/cli/program/config-guard.test.ts src/cli/run-main.exit.test.ts src/cli/run-main.test.ts
• node --import tsx /private/tmp/openclaw-cron-preflight-proof.mjs
• .agents/skills/autoreview/scripts/autoreview --mode local --codex-bin /private/tmp/codex-autoreview-flex (one allowed draft-PR autoreview round, clean before later scope trimming; not rerun per local draft-PR guardrail)

GitHub CI for head ee962f7e2e9414728bce93626fcce52918734b0f: pending after simplification push.

Real behavior proof

Behavior addressed: legacy cron jobs are migrated into SQLite during doctor config preflight before Gateway runtime reads the SQLite-only cron store.

Real environment tested: local macOS source checkout using a throwaway OPENCLAW_HOME, source-aware scripts/run-node.mjs, direct source import of runDoctorConfigPreflight, real loopback Gateway readback, and a representative legacy cron store with jobs.json, split jobs-state.json, and a legacy JSONL run log. The temp home path was redacted.

Exact steps or command run after this patch: node --import tsx /private/tmp/openclaw-cron-preflight-proof.mjs. The script wrote legacy cron files into an isolated temp home, ran runDoctorConfigPreflight({ migrateState: true }), queried state/openclaw.sqlite, then started a loopback Gateway through scripts/run-node.mjs gateway run and called cron status --json plus cron list --all --json through the Gateway.

Evidence after fix:

{
  "before": {
    "legacyJobsJsonCount": 3,
    "legacyJobsStateCount": 3,
    "sqliteCronJobsRows": 0
  },
  "preflight": {
    "migratedSqlite": {
      "cronJobs": 3,
      "cronRunLogs": 1,
      "jobs": [
        { "jobId": "legacy-disabled-past", "enabled": 0, "scheduleKind": "at", "runningAtMs": null },
        { "jobId": "legacy-due-every", "enabled": 1, "scheduleKind": "every", "runningAtMs": null },
        { "jobId": "legacy-future-at", "enabled": 1, "scheduleKind": "at", "runningAtMs": null }
      ]
    },
    "archives": {
      "jobsJsonMigrated": true,
      "jobsStateMigrated": true,
      "legacyRunLogMigrated": true
    }
  },
  "afterGatewayStart": {
    "cronStatus": { "enabled": true, "jobs": 3 },
    "cronListAll": [
      { "id": "legacy-due-every", "enabled": true, "scheduleKind": "every", "lastRunStatus": "ok" },
      { "id": "legacy-future-at", "enabled": true, "scheduleKind": "at", "deliveryMode": "webhook" },
      { "id": "legacy-disabled-past", "enabled": false, "scheduleKind": "at", "deliveryMode": "webhook" }
    ],
    "sqlite": { "cronJobs": 3, "cronRunLogs": 2 }
  }
}

Observed result after fix: preflight converted the three legacy jobs into three SQLite cron_jobs rows, imported one legacy run-log row, and archived jobs.json, jobs-state.json, and the legacy run-log file. After Gateway startup, cron status reported jobs: 3, cron list --all returned all three jobs, legacy notify: true rows were converted to webhook delivery, and the overdue recurring job caught up once with lastRunStatus: "ok" while leaving runningAtMs: null.

What was not tested: a packaged 2026.5.28-to-PR-head install upgrade with a real user's cron store, and an actual gateway restart service-manager invocation. The service lifecycle command was not run locally because it can mutate launchd/systemd state; the proof exercises the same doctor config preflight hook and then verifies Gateway runtime readback from SQLite.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 5, 2026, 1:18 PM ET / 17:18 UTC.

Summary
The PR adds a non-interactive legacy cron repair call to doctor config preflight and refactors doctor cron repair so prompted doctor and preflight share the same migration path.

PR surface: Source +107, Tests +12. Total +119 across 3 files.

Reproducibility: yes. by source inspection: v2026.6.1 and current main load cron jobs from SQLite and do not call cron repair from config preflight, so legacy JSON-only cron jobs can remain invisible until doctor repair runs. The linked issue also provides a concrete 2026.5.28 to 2026.6.1 upgrade symptom.

Review metrics: 1 noteworthy metric.

• Automatic migration hooks: 1 non-interactive cron repair call added. This is the maintainer-relevant behavior change: preflight can now mutate persistent cron state before runtime commands read it.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P2] Add packaged upgrade or service-manager restart proof if maintainers want to reduce the remaining compatibility uncertainty before merge.

Risk before merge

• [P1] This PR makes ordinary valid-config preflight write SQLite cron rows and archive legacy cron files before an operator explicitly runs doctor --fix, so maintainers need to accept that upgrade behavior.
• [P1] Restored overdue recurring jobs may catch up after Gateway startup and trigger webhook or channel delivery side effects that users did not see while the jobs were missing.
• [P1] The supplied proof is strong source-checkout and loopback Gateway proof, but it is not a packaged v2026.5.28-to-PR-head upgrade or real service-manager restart proof.

Maintainer options:

1. Accept the automatic cron migration policy (recommended)
   If maintainers agree that preserving legacy cron jobs during preflight outweighs the automatic write/archive and catch-up side effects, the current patch is a bounded fix path.
2. Ask for packaged upgrade proof first
   Require a packaged v2026.5.28-to-PR-head upgrade or service-manager restart smoke before merge to reduce uncertainty around the real upgrade path.
3. Keep migration behind explicit doctor repair
   Pause or close this PR if maintainers want legacy cron recovery to remain an operator-initiated doctor --fix action rather than an automatic preflight repair.

Next step before merge

• [P2] Needs human maintainer acceptance of compatibility-sensitive automatic cron migration and restored-job catch-up behavior; there is no narrow automated repair to request.

Security
Cleared: The diff touches cron migration code and tests only; I found no new CI, dependency, secret-handling, package-resolution, or third-party code-execution concern.

Review details

Best possible solution:

Land a doctor-owned, non-interactive cron migration only after maintainers explicitly accept the automatic upgrade semantics and the restored-job catch-up behavior.

Do we have a high-confidence way to reproduce the issue?

Yes, by source inspection: v2026.6.1 and current main load cron jobs from SQLite and do not call cron repair from config preflight, so legacy JSON-only cron jobs can remain invisible until doctor repair runs. The linked issue also provides a concrete 2026.5.28 to 2026.6.1 upgrade symptom.

Is this the best way to solve the issue?

Yes, this is an acceptable owner-boundary fix because legacy compatibility stays in doctor migration code while runtime continues to read the canonical SQLite store. It still needs maintainer acceptance because the chosen solution makes that repair automatic during preflight.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 4752e9a67d4f.

Label changes

Label changes:

• add merge-risk: 🚨 message-delivery: Restoring overdue cron jobs can cause catch-up webhook or channel deliveries after Gateway startup.
• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix live output from a local source checkout and loopback Gateway showing legacy cron files migrated into SQLite, archived, and read back through cron status/list.

Label justifications:

• P1: The linked regression loses persisted cron jobs on upgrade and affects a real user workflow, so the PR is urgent even though the remaining decision is compatibility acceptance.
• merge-risk: 🚨 compatibility: The PR changes upgrade behavior by automatically writing SQLite cron rows and archiving legacy cron files during ordinary preflight.
• merge-risk: 🚨 message-delivery: Restoring overdue cron jobs can cause catch-up webhook or channel deliveries after Gateway startup.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The PR body includes after-fix live output from a local source checkout and loopback Gateway showing legacy cron files migrated into SQLite, archived, and read back through cron status/list.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix live output from a local source checkout and loopback Gateway showing legacy cron files migrated into SQLite, archived, and read back through cron status/list.

Evidence reviewed

PR surface:

Source +107, Tests +12. Total +119 across 3 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	2	225	118	+107
Tests	1	12	0	+12
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	3	237	118	+119

What I checked:

• Current main preflight still omits cron migration: On current main, runDoctorConfigPreflight computes baseConfig and then only calls autoMigrateLegacyState or task sidecar migration; there is no cron repair call before runtime-facing commands proceed. (src/commands/doctor-config-preflight.ts:175, 4752e9a67d4f)
• PR head adds the non-interactive cron preflight hook: The proposed head calls repairLegacyCronStoreWithoutPrompt when the config snapshot is valid, before the existing legacy state migration step. (src/commands/doctor-config-preflight.ts:184, f5aa1b67595b)
• PR head keeps legacy cron repair in doctor-owned migration code: The refactor introduces loadLegacyCronRepairState, applyLegacyCronStoreRepair, and repairLegacyCronStoreWithoutPrompt in the doctor cron module, so runtime can remain SQLite-only while compatibility handling stays in doctor migration code. (src/commands/doctor/cron/index.ts:74, f5aa1b67595b)
• Shipped v2026.6.1 has SQLite-only cron load without preflight cron repair: The latest release tag points at v2026.6.1; its preflight only runs generic state migration, and its cron store loader returns an empty store when SQLite has no cron rows, matching the linked upgrade-loss report. (src/cron/store.ts:63, 2e08f0f4221f)
• Existing shipped repair path was interactive doctor health only: v2026.6.1 already had maybeRepairLegacyCronStore able to detect legacy cron files and merge legacy jobs, but that path was reached from doctor health rather than ordinary config preflight. (src/commands/doctor/cron/index.ts:55, 2e08f0f4221f)
• CLI preflight is a broad command entry point: ensureConfigReady imports runDoctorConfigPreflight with migrateState: true for most state-migration-eligible CLI paths, so the PR changes upgrade behavior before commands such as gateway and cron read runtime state. (src/cli/program/config-guard.ts:171, 4752e9a67d4f)

Likely related people:

• steipete: Current-main blame and history for the doctor cron repair, doctor config preflight, and SQLite cron store paths point to the recent current-main commit by Peter Steinberger. (role: recent area contributor; confidence: medium; commits: bafe17e60bcd; files: src/commands/doctor/cron/index.ts, src/commands/doctor-config-preflight.ts, src/cron/store.ts)
• vincentkoc: The latest shipped v2026.6.1 commit by Vincent Koc contains the shipped doctor preflight and cron store behavior relevant to the upgrade regression. (role: release-path contributor; confidence: medium; commits: 2e08f0f4221f; files: src/commands/doctor/cron/index.ts, src/commands/doctor-config-preflight.ts, src/cron/store.ts)
• jalehman: The GitHub timeline shows jalehman assigned to this PR, and the latest PR head is a branch merge commit authored by jalehman, making them a likely review-routing contact even though the code history points elsewhere. (role: current PR reviewer; confidence: low; commits: f5aa1b67595b; files: src/commands/doctor-config-preflight.ts, src/commands/doctor/cron/index.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[MonkeyLeeT]

@clawsweeper re-review

Trimmed the PR scope and updated the PR body/proof for head ee962f7e2e9414728bce93626fcce52918734b0f.

The net diff now stays scoped to issue #90072 and is down to three files: it runs legacy cron migration during doctor config preflight and shares the existing doctor cron repair implementation between interactive doctor --fix and non-interactive preflight. The earlier foreground gateway run fast-path/bootstrap change, read-only/status startup-detection hardening, and the pass-through cron auto-migration wrapper were removed from the net PR diff.

Current proof includes git diff --check, focused Vitest coverage for the cron repair/preflight surface, and real behavior proof from node --import tsx /private/tmp/openclaw-cron-preflight-proof.mjs: legacy jobs.json, jobs-state.json, and run-log files were migrated into SQLite, archived after write, and then read back through a loopback Gateway with cron status and cron list --all.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26965787853
• Updated: 2026-06-04T16:50:52.640Z

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26976789965
• Updated: 2026-06-04T20:23:38.561Z

[jalehman]

Merged via squash.

• Prepared head SHA: f5aa1b67595b72f6a2f30f899a1efedb1b01a377
• Merge commit: 21aa297434e4f89b5e60aac88ab11929a7bfdf6b

Thanks @MonkeyLeeT!