fix(doctor): warn and continue when cron job store is unreadable

[1052326311]

Summary

openclaw doctor aborts mid-run when the legacy cron job store exists but is unreadable by the runtime user (the Docker repro in #86102 leaves ~/.openclaw/cron/jobs.json as root:root 0600). loadCronStore only treats ENOENT as recoverable; every other read or parse failure rethrows, the legacy cron contribution awaits without a per-contribution catch (src/flows/doctor-health-contributions.ts), and later health checks never run.

This PR keeps runtime cron loading strict and only softens the doctor contribution: it catches the load failure inside maybeRepairLegacyCronStore, emits a Cron warning naming the store path with the underlying reason, and returns so subsequent health checks continue.

Closes #86102.

Change Type

• Bug fix
• Test

Scope

• CLI / Doctor

Linked Issue

• Closes doctor: warn and continue when cron store is unreadable #86102

Real behavior proof

Behavior or issue addressed: When ~/.openclaw/cron/jobs.json exists but is unreadable to the OpenClaw process (Docker root-owned 0600 file in #86102), loadCronStore throws a non-ENOENT error that propagates through maybeRepairLegacyCronStore and the doctor contribution loop, so openclaw doctor cannot complete the rest of the health checks.

Real environment tested: macOS Darwin 25.4.0 arm64, Node v22.22.0, openclaw branch fix/doctor-cron-unreadable-store rebased on upstream main commit 538fd32954267635cf2fef90c0f3c3ce77a91ece.

Exact steps or command run after this patch:

1. Created a temp cron store file and removed all permissions (chmod 0000) to reproduce the EACCES read failure from doctor: warn and continue when cron store is unreadable #86102 without Docker.
2. Ran the patched maybeRepairLegacyCronStore via node --import tsx pointing at the unreadable store to simulate the doctor cron contribution.
3. Confirmed the function returns cleanly, emits a Cron warning with the store path and EACCES reason, and prints "later health checks will continue".
4. Ran focused regression test: node scripts/run-vitest.mjs run src/commands/doctor-cron.test.ts (16/16 pass).
5. Drift proof: reverted src patch, re-ran tests — new test fails on EISDIR rethrow; restored — 16/16 pass.
6. Format, lint, typecheck all clean.

Evidence after fix:

Real CLI reproduction against an unreadable cron store (EACCES):

$ node --import tsx -e "
import { maybeRepairLegacyCronStore } from './src/commands/doctor-cron.ts';
await maybeRepairLegacyCronStore({
  cfg: { cron: { store: '/tmp/doctor-cron-86102/cron/jobs.json' } },
  options: {},
  prompter: { confirm: async () => true },
});
"

 Cron ───────────────────────────────────────────────────────────────────────────╮
│                                                                              │
│  Unable to read cron job store at                                            │
│  /tmp/doctor-cron-86102/cron/jobs.json.                                      │
│  - EACCES: permission denied, open                                           │
│    '/tmp/doctor-cron-86102/cron/jobs.json'                                   │
│  Fix the file's permissions or contents and re-run openclaw doctor;          │
│  later health checks will continue.                                          │
│                                                                              │
├──────────────────────────────────────────────────────────────────────────────╯

=== After fix: doctor continues to next health check ===

Focused regression test (16/16 pass):

$ node scripts/run-vitest.mjs run src/commands/doctor-cron.test.ts

 ✓  commands  ../../src/commands/doctor-cron.test.ts (16 tests) 59ms

 Test Files  1 passed (1)
      Tests  16 passed (16)

Drift proof (patch reverted — new test must fail):

$ git stash push -- src/commands/doctor-cron.ts

$ node scripts/run-vitest.mjs run src/commands/doctor-cron.test.ts

 ×  warns and continues when the cron job store cannot be read
   Caused by: Error: EISDIR: illegal operation on a directory, read
       at loadCronStore ../../src/cron/store.ts:218:17
       at Module.maybeRepairLegacyCronStore ../../src/commands/doctor-cron.ts:338:17

 Test Files  1 failed (1)
      Tests  1 failed | 15 passed (16)

$ git stash pop

Format, lint, typecheck:

$ pnpm exec oxfmt --check src/commands/doctor-cron.ts src/commands/doctor-cron.test.ts CHANGELOG.md
All matched files use the correct format.

$ pnpm exec oxlint src/commands/doctor-cron.ts src/commands/doctor-cron.test.ts
Found 0 warnings and 0 errors.

$ node scripts/run-tsgo.mjs -p tsconfig.json
(no diagnostics, exit 0)

Observed result after fix: maybeRepairLegacyCronStore returns cleanly after emitting a single Cron warning ("Unable to read cron job store at ... EACCES: permission denied ... later health checks will continue"). The prompter is never asked. The doctor contribution loop continues to subsequent contributions. On current main the same call throws and aborts the doctor run.

What was not tested: A live Docker reproduction with root-owned 0600 inside a container was not executed; the real CLI proof uses a local chmod 0000 file on macOS which triggers the same EACCES path that the reporter observed inside Docker.

Root Cause

loadCronStore (src/cron/store.ts) only catches ENOENT; any other read or parse failure rethrows. maybeRepairLegacyCronStore (src/commands/doctor-cron.ts:338) awaits it directly, and the legacy cron contribution in the doctor flow (src/flows/doctor-health-contributions.ts:413) awaits each contribution without a per-contribution catch, so an unreadable cron store aborts the whole openclaw doctor run.

Regression Test Plan

Added warns and continues when the cron job store cannot be read to src/commands/doctor-cron.test.ts. The test substitutes a directory at the cron store path (a non-ENOENT read failure that mirrors the reporter's permission case without depending on the test runner's effective uid) and asserts (1) maybeRepairLegacyCronStore resolves, (2) the prompter is never invoked, and (3) a Cron-titled note containing both the store path and "later health checks will continue" is emitted. With the patch reverted the new test fails on the rethrown EISDIR, confirming the test guards the regression.

User-visible / Behavior Changes

• openclaw doctor no longer aborts when the cron job store is unreadable; it now emits a single Cron warning naming the store path plus the underlying error reason and points the user at openclaw doctor to retry, then continues with the remaining health checks.
• No change to scheduler runtime behavior: loadCronStore still rethrows non-ENOENT errors so cron execution fails closed.

Scope boundary

• Only maybeRepairLegacyCronStore in src/commands/doctor-cron.ts is softened; loadCronStore and loadCronStoreSync keep their existing throw-on-read-failure contract for the scheduler.
• No changes to the cron file format, doctor prompter contract, or other doctor health contributions.

Prior art

No prior PR found targeting #86102 at the time of this submission. The closest adjacent work is the existing maybeRepairLegacyCronStore contribution introduced via the recent doctor cron migrations on src/commands/doctor-cron.ts; this PR only adds a defensive catch around loadCronStore and an accompanying focused test.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed May 25, 2026, 6:20 AM ET / 10:20 UTC.

Summary
The branch adds a doctor-only catch around cron store load failures, adds a regression test, and records the user-visible fix in the changelog.

PR surface: Source +14, Tests +23, Docs +1. Total +38 across 3 files.

Reproducibility: yes. Source inspection shows current main awaits loadCronStore in doctor without a catch while loadCronStore rethrows non-ENOENT read failures, and the PR body supplies terminal EACCES proof for the same path.

Review metrics: none identified.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• none

Next step before merge
No ClawSweeper repair lane is needed; the PR is already a narrow fix, so the remaining action is maintainer merge/check handling.

Security
Cleared: The diff only changes doctor CLI error handling, a colocated test, and the changelog; it adds no dependency, workflow, secret-handling, or new code-execution surface.

Review details

Best possible solution:

Land the focused doctor-boundary warning/continue behavior after normal CI/checks, while keeping scheduler cron loading strict.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection shows current main awaits loadCronStore in doctor without a catch while loadCronStore rethrows non-ENOENT read failures, and the PR body supplies terminal EACCES proof for the same path.

Is this the best way to solve the issue?

Yes. The PR localizes soft-fail behavior to the doctor contribution and leaves runtime cron loading strict, which is the narrow maintainable fix for the linked issue.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 5e944691b7f4.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix terminal output for an unreadable cron store, focused regression test output, drift proof, and format/lint/typecheck output.

Label justifications:

• P2: The PR fixes a limited doctor CLI failure that can block later health checks, without changing core cron runtime scheduling or data integrity.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body includes after-fix terminal output for an unreadable cron store, focused regression test output, drift proof, and format/lint/typecheck output.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix terminal output for an unreadable cron store, focused regression test output, drift proof, and format/lint/typecheck output.

Evidence reviewed

PR surface:

Source +14, Tests +23, Docs +1. Total +38 across 3 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	15	1	+14
Tests	1	23	0	+23
Docs	1	1	0	+1
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	3	39	1	+38

What I checked:

• Current main abort path: On current main, maybeRepairLegacyCronStore awaits loadCronStore(storePath) without a local catch, so non-ENOENT load failures propagate out of the doctor cron contribution. (src/commands/doctor-cron.ts:338, 5e944691b7f4)
• Cron store contract: loadCronStore returns an empty store only for ENOENT and rethrows other read/parse/state errors, which matches the reported unreadable-file failure path. (src/cron/store.ts:267, 5e944691b7f4)
• Doctor contribution awaits the cron repair: The doctor health flow awaits maybeRepairLegacyCronStore, so an uncaught load failure prevents later health contributions from running. (src/flows/doctor-health-contributions.ts:417, 5e944691b7f4)
• PR implementation boundary: The PR catches loadCronStore only inside maybeRepairLegacyCronStore, emits a Cron warning with the underlying reason, and returns so doctor can continue; it does not change the scheduler-side store loader. (src/commands/doctor-cron.ts:341, bbcc8120e75d)
• Regression coverage: The new test forces a non-ENOENT read failure by placing a directory at the store path, asserts the doctor helper resolves, confirms the prompter is not called, and checks for the continuation warning. (src/commands/doctor-cron.test.ts:570, bbcc8120e75d)
• Changelog coverage: The PR adds an Unreleased Fixes entry for doctor warning and continuing when an unreadable cron job store exists. (CHANGELOG.md:23, bbcc8120e75d)

Likely related people:

• shakkernerd: Current-main blame for maybeRepairLegacyCronStore, loadCronStore, and runLegacyCronHealth points to commit aa50c51, committed under the Shakker account. (role: introduced current main path; confidence: high; commits: aa50c51902d0; files: src/commands/doctor-cron.ts, src/commands/doctor-cron.test.ts, src/cron/store.ts)
• steipete: History on the doctor/cron files shows repeated adjacent work, including cron persistence and legacy delivery refactors that shape the current boundary. (role: recent area contributor; confidence: high; commits: 9267e694f7e7, 19d0c2dd1d25; files: src/cron/store.ts, src/commands/doctor-cron.ts)
• vincentkoc: Recent history includes doctor cron repair gating and JSON parsing work relevant to cron store load behavior. (role: adjacent doctor/cron contributor; confidence: medium; commits: d86647d7dbcb, a39c440d393b; files: src/commands/doctor-cron.ts, src/cron/store.ts)
• mbelinky: History shows a cron-owned delivery contract change that added a substantial doctor cron migration surface adjacent to this repair. (role: adjacent cron contract contributor; confidence: medium; commits: d4e59a3666d8; files: src/commands/doctor-cron.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Mossy Clawlet

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: sleeps inside passing CI.
Image traits: location flaky test forest; accessory miniature diff map; palette charcoal, cyan, and signal green; mood bright-eyed; pose guarding a tiny green check; shell glossy opal shell; lighting gentle morning glow; background small review tokens.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Mossy Clawlet in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[1052326311]

Updated PR body with real CLI reproduction against an EACCES-denied cron store (chmod 0000 on macOS, mirroring the Docker root:root 0600 scenario from #86102).

The patched maybeRepairLegacyCronStore now emits a single Cron warning (store path + EACCES reason + "later health checks will continue") and returns cleanly so subsequent doctor contributions continue.

Rebased on latest upstream/main to resolve the CHANGELOG.md merge conflict.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26393400263
• Updated: 2026-05-25T09:35:28.969Z