The per-caller ownership enforcement introduced for issue #35447 was
silently bypassed: all four mutation/list schemas used
additionalProperties:false but did not declare callerSessionKey, causing
AJV to strip the field before the handler could read it. As a result
resolveCronCallerOptions always received an empty caller and fell back to
allow-all behaviour.
Fix:
- Add optional callerSessionKey (NonEmptyString) to CronListParamsSchema,
CronUpdateParamsSchema, CronRemoveParamsSchema and CronRunParamsSchema.
- Update the four handlers in server-methods/cron.ts to read
p.callerSessionKey instead of the previous p.sessionKey (which was
never populated through these schemas).
- Add validator tests covering acceptance of the new field and rejection
of empty strings across all four operations.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
feat(cron): support persistent session targets for cron jobs (#9765)
Add support for `sessionTarget: "current"` and `session:<id>` so cron jobs can
bind to the creating session or a persistent named session instead of only
`main` or ephemeral `isolated` sessions.
Also:
- preserve custom session targets across reloads and restarts
- update gateway validation and normalization for the new target forms
- add cron coverage for current/custom session targets and fallback behavior
- fix merged CI regressions in Discord and diffs tests
- add a changelog entry for the new cron session behavior
Co-authored-by: kkhomej33-netizen <kkhomej33-netizen@users.noreply.github.com>
Co-authored-by: ImLukeF <92253590+ImLukeF@users.noreply.github.com>
