feat(cron): per-job auth profile override #2080

@alexey-pelykh

Context

Cron jobs currently inherit the agent's default auth profile. Upstream solved per-job auth via resolveSessionAuthProfileOverride (v2026.2.22), which resolves auth profiles per cron session using the Pi-embedded agent's authProfileId parameter. Our fork uses a different auth system (src/auth/) and a different execution path (ChannelBridge), so the upstream approach doesn't apply directly.

After #2079 lands (wiring withAuthKeyRetry into cron), all cron jobs will get auth credentials — but all jobs for the same agent use the same profile pool. This issue adds the ability to specify which auth profile a specific cron job should use.

Depends on: #2079

What

Add an optional auth field to CronJob that overrides the agent-level auth profile for that specific job's execution.

Design

  1. Schema: Add auth?: string to CronJob type and zod schema (same format as agents.defaults.auth / per-agent auth — e.g., "claude:work-profile")

  2. Resolution: In src/cron/isolated-agent/run.ts, before calling withAuthKeyRetry, resolve the effective auth config:

    job.auth → agent-level auth → agents.defaults.auth → no auth
    

    Pass the override to resolveAuthEnv (or to withAuthKeyRetry via a new option) so the correct profile is selected.

  3. CLI/API: Extend cron add and cron update to accept --auth <profile> flag. Expose in MCP tool and agent tool schemas.

  4. Validation: At job creation, validate that the specified auth profile exists in the auth store. Warn (don't error) if profile not found — it may be added later.

Use cases

  • Different cron jobs for the same agent using different API keys (e.g., one job uses a high-rate-limit key, another uses a budget key)
  • Jobs that need a specific provider's credentials when the agent has multiple
  • Separating auth for external-facing cron jobs vs internal ones

Acceptance Criteria

  • CronJob type and zod schema include optional auth field
  • cron add --auth <profile> creates job with auth override
  • cron update --auth <profile> updates existing job's auth
  • Job execution resolves auth as: job.auth → agent auth → defaults auth
  • MCP tool and agent tool schemas updated
  • Tests for override resolution (job-level, fallback to agent, fallback to defaults)
  • CI passes

Files

  • src/cron/types.ts (add auth field to CronJob)
  • src/gateway/protocol/schema/cron.ts (zod schema update)
  • src/cron/isolated-agent/run.ts (resolve job-level auth before execution)
  • src/cron/service/ops.ts (pass through auth on add/update)
  • src/cli/cron-cli/register.cron-add.ts (CLI flag)
  • src/agents/tools/cron-tool.ts (agent tool schema)
  • src/middleware/mcp-handlers/cron.ts (MCP tool schema)
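
The resolution order and the warn-only creation check from the Design section, as an added example; this is not code from the issue or the repository. The names `resolveEffectiveAuth`, `validateJobAuth`, `AuthLayers` and the profile strings other than "claude:work-profile" are hypothetical, and treating a blank value as unset is an assumption of this sketch.

```typescript
// Added example: hypothetical types and helpers, not the project's own code.
type AuthSource = "job" | "agent" | "defaults" | "none";

interface AuthLayers {
  jobAuth?: string;      // CronJob.auth, the new optional per-job override
  agentAuth?: string;    // per-agent auth
  defaultsAuth?: string; // agents.defaults.auth
}

interface ResolvedAuth {
  profile: string | undefined;
  source: AuthSource; // which level supplied the credential, for run logs
}

// Assumption: an empty or whitespace-only value counts as "not set", so a
// blank --auth cannot shadow the agent-level profile with an unusable one.
function normalize(value: string | undefined): string | undefined {
  const trimmed = value?.trim();
  return trimmed ? trimmed : undefined;
}

// job.auth -> agent-level auth -> agents.defaults.auth -> no auth
function resolveEffectiveAuth(layers: AuthLayers): ResolvedAuth {
  const candidates: Array<[AuthSource, string | undefined]> = [
    ["job", normalize(layers.jobAuth)],
    ["agent", normalize(layers.agentAuth)],
    ["defaults", normalize(layers.defaultsAuth)],
  ];
  for (const [source, profile] of candidates) {
    if (profile !== undefined) return { profile, source };
  }
  return { profile: undefined, source: "none" };
}

// Creation-time check: an unknown profile produces a warning, never an
// error, because the profile may be added to the auth store later.
function validateJobAuth(
  jobAuth: string | undefined,
  knownProfiles: ReadonlySet<string>, // constructed stand-in for the auth store
): string[] {
  const profile = normalize(jobAuth);
  if (profile === undefined || knownProfiles.has(profile)) return [];
  return [`auth profile "${profile}" not found in auth store; it may be added later`];
}
```

Recording `source` next to each run makes it visible when a job that was meant to use its own profile actually executed with the agent-level or default credential.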


Labels: enhancement
