fix(cron): cancel active cron task runs

[ai-hpc]

Summary

• Track active cron runs by job id and run id with their live abort handles.
• Allow the task registry to cancel active cron task rows when the cron wrapper owns the live run.
• Keep main-session cron task rows honest: the wrapper no longer exposes a cancellation handle for work it only enqueued into a downstream child session.
• Route openclaw tasks cancel for cron tasks through the live Gateway first, so a CLI process can cancel the Gateway-owned cron run.
• Keep cron timeout cleanup armed after operator cancellation when a runner ignores the abort signal.

Refs #90630

Verification

• OPENCLAW_HEAVY_CHECK_LOCK_SCOPE=worktree OPENCLAW_VITEST_MAX_WORKERS=1 pnpm test src/cron/service/timer.regression.test.ts -- -t "does not report main-session cron task rows cancelled"
• OPENCLAW_HEAVY_CHECK_LOCK_SCOPE=worktree OPENCLAW_VITEST_MAX_WORKERS=1 pnpm test src/cron/service/timer.regression.test.ts src/tasks/task-registry.test.ts src/commands/tasks.test.ts
• OPENCLAW_HEAVY_CHECK_LOCK_SCOPE=worktree pnpm tsgo:core
• OPENCLAW_HEAVY_CHECK_LOCK_SCOPE=worktree pnpm tsgo:core:test
• node_modules/.bin/oxfmt --check --threads=1 src/cron/service/timer.ts src/cron/service/timer.regression.test.ts
• node_modules/.bin/oxlint src/cron/service/timer.ts src/cron/service/timer.regression.test.ts
• git diff --check

Real behavior proof

behavior: A running cron task shown in the task ledger can be cancelled through the task cancellation surface when the cron service owns the active run. Main-session cron wrapper rows do not claim cancellation unless the downstream queued work is actually cancellable.

environment: Ubuntu source checkout, Node 22.22.2, fixed branch ai-hpc/fix-cron-task-cancel.

steps:

1. Create an isolated OpenClaw state directory.
2. Create a real task registry row for a running cron task with sourceId and runId.
3. Register the matching active cron run with a real AbortController.
4. Cancel the task through the shared detached task cancellation surface.
5. Confirm the abort signal and terminal task state.
6. Exercise a main-session cron run that enqueues into a per-run child session while the heartbeat remains in progress.
7. Cancel the main-session cron task row and confirm it does not report a false terminal cancellation while queued downstream work can still continue.

evidence:

{
  "behavior": "cron task cancellation aborts the active run and marks the ledger row cancelled",
  "stateLayout": "isolated state-only OpenClaw home",
  "taskIdPrefix": "f0e0a630",
  "runtime": "cron",
  "sourceId": "proof-cron-job",
  "runId": "cron:proof-cron-job:run-1",
  "beforeStatus": "running",
  "cancellation": {
    "found": true,
    "cancelled": true,
    "task": {
      "runtime": "cron",
      "sourceId": "proof-cron-job",
      "runId": "cron:proof-cron-job:run-1",
      "task": "Proof cron run",
      "status": "cancelled",
      "deliveryStatus": "not_applicable",
      "notifyPolicy": "silent",
      "error": "Cancelled by operator."
    }
  },
  "signalAborted": true,
  "signalReason": "Cancelled by operator.",
  "afterStatus": "cancelled",
  "stateDirCreated": true
}

observedResult: The cron run abort signal was triggered with Cancelled by operator., and the task row moved from running to terminal cancelled.

additional main-session boundary proof:

src/cron/service/timer.regression.test.ts
  ✓ does not report main-session cron task rows cancelled while queued work can continue

The regression starts a main-session cron run, creates its task row, enqueues the payload into the per-run child session, holds the heartbeat in progress, and calls the shared task cancellation surface. The result is found=true, cancelled=false with "Cron task has no active cancellation handle.", and the task row remains running while the queued child-session work can continue.

observedResult: Main-session cron wrapper cancellation no longer marks the task row cancelled when the wrapper does not own the downstream child-session work.

additional watchdog proof:

src/cron/service/timer.regression.test.ts
  ✓ keeps timeout cleanup armed after operator cancellation

The regression starts a timeout-enabled isolated cron run, cancels the matching active run, leaves the runner unresolved, advances past timeout, and verifies cleanupTimedOutAgentRun is called and the job records a timed-out error.

observedResult: Operator cancellation no longer prevents timeout cleanup when the underlying cron runner ignores the abort signal.

notTested: Full Gmail MCP runaway cron E2E from the original report was not replayed locally. The focused proof covers the shared cron runtime and task cancellation path that produced the unsupported-runtime failure; regression tests cover task-registry cancellation, CLI-to-Gateway routing, cancel-before-timeout cleanup, and the main-session queued-work cancellation boundary.

[clawsweeper]

Codex review: needs changes before merge. Reviewed June 8, 2026, 8:09 PM ET / 00:09 UTC.

Summary
Adds active cron cancellation handles, routes cron task cancellation through the Gateway, updates task-registry cron cancellation, and adds cron/task command regression coverage.

PR surface: Source +168, Tests +441. Total +609 across 8 files.

Reproducibility: yes. source inspection gives a high-confidence path: current main routes cron task cancellation to the generic unsupported-runtime branch, and the PR's latest timed-cancel test shows cleanup is not called for an unresolved runner after operator cancellation.

Review metrics: none identified.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🌊 off-meta tidepool
Patch quality: 🧂 unranked krab
Result: blocked by patch quality or review findings.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P2] Fix the timed operator-cancel path so abort-ignoring runners still reach timeout cleanup.
• [P2] Update the PR body or verification notes after the fix so the described watchdog proof matches the current head.

Risk before merge

• [P2] Timed cron cancellation can now mark the wrapper cancelled/error and dispose the watchdog while an abort-ignoring runner remains alive, leaving the original runaway-resource failure mode without timeout cleanup.
• [P1] The task ledger can become misleading for timed runs: it can report terminal operator cancellation even though the underlying cron agent work has not actually stopped.
• [P1] A second open implementation, fix(cron): cancel active cron task runs #90671, targets the same linked bug, so maintainers should choose one canonical owner-boundary shape before landing.

Maintainer options:

1. Preserve timed cleanup before merge (recommended)
   Update the timed cancellation path so operator cancel aborts the run without disposing the timeout watchdog before cleanupTimedOutCronAgentRun can handle an unresolved runner.
2. Choose the alternate canonical PR
   If maintainers prefer the alternate open implementation, pause or close this PR after moving any useful unique tests or behavior into fix(cron): cancel active cron task runs #90671.
3. Accept immediate unwind knowingly
   Maintainers could intentionally accept that cancelled timed runs may skip timeout cleanup, but that should be an explicit product/operations tradeoff because it weakens the runaway-job escape hatch.

Copy recommended automerge instruction

@clawsweeper automerge

Special instructions:
Update this PR branch so executeJobCoreWithTimeout preserves timeout cleanup after operator cancellation for timed cron runs whose runner ignores AbortSignal. Adjust src/cron/service/timer.regression.test.ts so the unresolved timed-run cancellation test expects cleanupTimedOutCronAgentRun to run after the configured timeout, while keeping main-session cron rows non-cancellable and timeout-disabled cancellation behavior intentional. Validate with node scripts/run-vitest.mjs src/cron/service/timer.regression.test.ts src/tasks/task-registry.test.ts src/commands/tasks.test.ts.

Next step before merge

• [P2] A narrow automated repair can target the timed-cancellation watchdog regression without changing the broader Gateway-first cron cancellation design.

Security
Cleared: No concrete security or supply-chain concern was found in the cron/task runtime and test changes.

Review findings

• [P1] Keep the watchdog cleanup after cancellation — src/cron/service/timer.ts:211-212

Review details

Best possible solution:

Keep the Gateway-owned active cron handle approach, but merge only after timed cancellation preserves cleanup for abort-ignorant runners and the branch/proof matches that behavior.

Do we have a high-confidence way to reproduce the issue?

Yes, source inspection gives a high-confidence path: current main routes cron task cancellation to the generic unsupported-runtime branch, and the PR's latest timed-cancel test shows cleanup is not called for an unresolved runner after operator cancellation.

Is this the best way to solve the issue?

No, not yet: the active-handle and Gateway-first shape is a good owner-boundary direction, but the timed cancellation path must keep or replace watchdog cleanup before this is the safest fix.

Full review comments:

• [P1] Keep the watchdog cleanup after cancellation — src/cron/service/timer.ts:211-212
  For timed cron runs, operator cancellation now wins the race and returns immediately, then the finally block disposes the watchdog. If the runner ignores AbortSignal, cleanupTimedOutCronAgentRun never fires, so the task ledger can show cancellation while the underlying cron agent keeps running, which is the runaway case this PR is trying to fix. Keep the abort/cancel result, but leave timeout cleanup armed or explicitly clean up ignored-abort runners.
  Confidence: 0.91

Overall correctness: patch is incorrect
Overall confidence: 0.89

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against ebb9c6a013b5.

Label changes

Label changes:

• add status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: The contributor proof gate is not applicable to this member-authored PR, though the PR body proof should be refreshed after the timed cleanup behavior is fixed.
• remove status: 📣 needs proof: Current PR status label is status: ⏳ waiting on author.

Label justifications:

• P2: This is a normal-priority user-visible cron/task cancellation bug with limited blast radius but real operator impact for runaway jobs.
• merge-risk: 🚨 session-state: The PR can make task state terminal while the underlying timed cron runner is still unresolved after an ignored abort.
• merge-risk: 🚨 availability: Disposing the watchdog after operator cancellation can skip cleanup for an abort-ignoring timed cron run, preserving the runaway-resource failure mode.
• rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🌊 off-meta tidepool and patch quality is 🧂 unranked krab.
• status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: The contributor proof gate is not applicable to this member-authored PR, though the PR body proof should be refreshed after the timed cleanup behavior is fixed.

Evidence reviewed

PR surface:

Source +168, Tests +441. Total +609 across 8 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	5	224	56	+168
Tests	3	442	1	+441
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	8	666	57	+609

Acceptance criteria:

• [P1] node scripts/run-vitest.mjs src/cron/service/timer.regression.test.ts src/tasks/task-registry.test.ts src/commands/tasks.test.ts.
• [P1] pnpm tsgo:core.
• [P1] pnpm tsgo:core:test.
• [P1] git diff --check.

What I checked:

• Root policy read: Root AGENTS.md was read fully; its PR review, best-fix, proof, owner-boundary, and merge-risk guidance applies to this cron/task PR. (AGENTS.md:8, ebb9c6a013b5)
• Current-main source repro: Current main has no cron-specific cancellation branch, so a non-CLI cron task without a cancellable child session reaches the unsupported-runtime result reported by the linked issue. (src/tasks/task-registry.ts:2118, ebb9c6a013b5)
• PR implementation path: The PR registers process-local cron abort handles for non-main cron runs and routes cron task cancellation through cancelActiveCronTaskRun before marking the task cancelled. (src/tasks/task-registry.ts:2084, 62c3d3633078)
• Blocking cleanup regression: For timed cron runs, operator cancellation now wins the race and returns a cancellation outcome before the timeout path can call cleanupTimedOutCronAgentRun; the finally block then disposes the watchdog. (src/cron/service/timer.ts:210, 62c3d3633078)
• Regression test currently locks in the risky behavior: The latest regression test asserts cleanupTimedOutAgentRun is not called after operator cancellation even though the mocked runner remains unresolved, which contradicts the PR body's watchdog-cleanup claim. (src/cron/service/timer.regression.test.ts:1001, 62c3d3633078)
• Related open implementation: The provided GitHub context shows fix(cron): cancel active cron task runs #90671 is still open for the same linked cron cancellation issue, so maintainers should avoid landing two competing shapes.

Likely related people:

• shakkernerd: The timeline shows assignment and force-pushes by shakkernerd, and the latest branch commits address cron cancellation runtime cycles, timeout terminal state, and timed cancellation behavior. (role: current PR branch steward and recent fix author; confidence: high; commits: 29b6a406f047, 211376c5033a, 4cb0f4914fed; files: src/cron/service/timer.ts, src/tasks/task-registry.ts, src/tasks/cron-task-cancel.ts)
• Vincent Koc: Current-main blame/log in this checkout points the central cron timer and task registry files at Vincent Koc commits, but the local history is shallow/collapsed so this is a weak routing signal. (role: current-main area provenance; confidence: low; commits: 0176429ad787, ebb9c6a013b5; files: src/cron/service/timer.ts, src/tasks/task-registry.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[ai-hpc]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27071315571
• Updated: 2026-06-06T19:18:21.737Z

[shakkernerd]

Rebased onto current origin/main (ebb9c6a) and resolved the conflict in src/commands/tasks.test.ts by preserving both the session-state cleanup from main and the cron cancellation gateway mock from this PR.

Verification:

• Local sanity: git diff --check; conflict-marker/stale-symbol scan across the touched cron/task files.
• Blacksmith Testbox tbx_01ktmtrcsefnx929fxcdwdq3n5 / run 27174702268: corepack pnpm check:architecture; focused tests for src/commands/tasks.test.ts, src/cron/service/timer.regression.test.ts, src/tasks/task-registry.test.ts, and src/tasks/task-executor.test.ts; corepack pnpm build; scripts/check-gateway-watch-regression.mjs --skip-build.
• GitHub CI on head 62c3d36: initial CI attempt hit self-hosted runner communication failures; reran failed jobs and attempt 2 passed. Latest Real behavior proof run also passed.
• Confirmed the contributor-authored commits still resolve to @ai-hpc after the rebase.