fix(cron): Object.assign clobbers defaults.auth in isolated agent runner

[alexey-pelykh]

Summary

Object.assign in the cron isolated agent runner merges agent config override into defaults without filtering undefined values. When an agent has no explicit auth field, resolveAgentConfig returns { auth: undefined }, and Object.assign overwrites defaults.auth with undefined.

This causes cfgWithAgentDefaults.agents.defaults.auth to lose the configured default auth profile, breaking auth env injection via withAuthKeyRetry (#2079).

Reproduction

1. Configure agents.defaults.auth: "claude:profile-name" (default auth for all agents)
2. Configure an agent WITHOUT an explicit auth field (inherits from defaults)
3. Create an isolated cron job for that agent
4. Observe: [CLI_ERROR] Not logged in · Please run /login

Interactive messages for the same agent work because the auto-reply path passes the original cfg (preserving defaults.auth), while the cron path passes cfgWithAgentDefaults (where defaults.auth was clobbered).

Root Cause

src/cron/isolated-agent/run.ts:172-175:

const agentCfg: AgentDefaultsConfig = Object.assign(
  {},
  params.cfg.agents?.defaults,          // { auth: "claude:...", ... }
  (agentConfigOverride ?? {}) as Partial<AgentDefaultsConfig>,  // { auth: undefined, ... }
);
// Result: { auth: undefined } — defaults.auth is clobbered

Fix

Filter undefined values from the agent config override before merging:

const defined = Object.fromEntries(
  Object.entries(agentConfigOverride ?? {}).filter(([, v]) => v !== undefined),
);
const agentCfg: AgentDefaultsConfig = Object.assign(
  {},
  params.cfg.agents?.defaults,
  defined,
);

Upstream

This Object.assign pattern originates from upstream OpenClaw (introduced across commits bcbfb357be, d0ca02e963, d3f08884db). Upstream does not hit this bug because their auth propagation uses resolveSessionAuthProfileOverride → runCliAgent param passing (a path gutted in RemoteClaw). However, it is a latent bug that could affect other default fields. The fix should be submitted upstream.

Related

• fix(cron): wire auth profile env injection into isolated cron runner #2079 — withAuthKeyRetry wrapper for cron (this bug makes that fix a no-op for agents inheriting default auth)
• fix(cron): wire auth profile env injection into isolated cron runner #2081 — PR that landed the withAuthKeyRetry wrapper

[alexey-pelykh]

Upstream Applicability

The Object.assign pattern that clobbers defaults with undefined agent config values is upstream OpenClaw code (introduced across bcbfb357be, d0ca02e963, d3f08884db).

Upstream file: src/cron/isolated-agent/run.ts:172-175

const agentCfg = Object.assign(
  {},
  params.cfg.agents?.defaults,
  (agentConfigOverride ?? {}) as Partial<AgentDefaultsConfig>,
);

Upstream doesn't hit this for auth specifically (their auth propagation uses resolveSessionAuthProfileOverride → runCliAgent, a different path). However, this is a latent bug for any defaults.* field: any agent config property that is undefined on the agent entry will clobber the corresponding default. Future additions to agents.defaults are at risk.

Impact: Low today (upstream auth path avoids it), but a correctness issue that will bite anyone adding new inheritable default fields.

Action: Submit fix to upstream OpenClaw as a defensive improvement. The fix (filter undefined from agent config override before Object.assign) is safe and has no behavioral change for agents with explicit values.