diff --git a/src/config/redact-snapshot.raw.test.ts b/src/config/redact-snapshot.raw.test.ts
index b44375c86c6..17f3cdc09bf 100644
--- a/src/config/redact-snapshot.raw.test.ts
+++ b/src/config/redact-snapshot.raw.test.ts
@@ -67,13 +67,19 @@ describe("replaceSensitiveValuesInRaw", () => {
   });
 
   it("handles non-string raw input gracefully", () => {
-    const result = replaceSensitiveValuesInRaw({
+    const nullResult = replaceSensitiveValuesInRaw({
       raw: null as unknown as string,
       sensitiveValues: ["test"],
       redactedSentinel: "***",
     });
-    // String(null) returns "null", but our defensive code returns empty string
-    expect(result).toBe("");
+    const objectResult = replaceSensitiveValuesInRaw({
+      raw: { secret: "test" } as unknown as string,
+      sensitiveValues: ["test"],
+      redactedSentinel: "***",
+    });
+
+    expect(nullResult).toBe("");
+    expect(objectResult).toBe("");
   });
 
   it("handles unicode strings", () => {
diff --git a/src/config/redact-snapshot.raw.ts b/src/config/redact-snapshot.raw.ts
index d2818134456..06c0b2ef0bb 100644
--- a/src/config/redact-snapshot.raw.ts
+++ b/src/config/redact-snapshot.raw.ts
@@ -5,9 +5,8 @@ import JSON5 from "json5";
  * Redacts sensitive values from a raw config string.
  * Filters out empty/null/undefined values to prevent RangeError (#41247).
  *
- * Note: When `params.raw` is not a string (e.g., null, number), it is
- * converted to a string via `String(params.raw ?? "")` and returned
- * without redaction. This is a silent fallback for invalid input.
+ * Note: When `params.raw` is not a string, this returns an empty string
+ * defensively instead of returning a stringified unredacted value.
  */
 export function replaceSensitiveValuesInRaw(params: {
   raw: string;
@@ -16,7 +15,7 @@ export function replaceSensitiveValuesInRaw(params: {
 }): string {
   // Defensive: validate input types
   if (typeof params.raw !== "string") {
-    return String(params.raw ?? "");
+    return "";
   }
 
   // Defensive: normalize and filter sensitive values
diff --git a/src/gateway/server-cron.ts b/src/gateway/server-cron.ts
index 6a76e6043d1..1f1cd1f5359 100644
--- a/src/gateway/server-cron.ts
+++ b/src/gateway/server-cron.ts
@@ -292,10 +292,7 @@ export function buildGatewayCronService(params: {
         abortSignal,
         agentId,
         sessionKey: `cron:${job.id}`,
-        // FIX #41266: Use subagent lane to avoid deadlock with cron lane
-        // The outer enqueueRun already holds CommandLane.Cron; using "cron"
-        // here would cause deadlock since cron lane has concurrency=1.
-        lane: "subagent",
+        lane: "cron",
       });
     },
     sendCronFailureAlert: async ({ job, text, channel, to, mode, accountId }) => {