@kynver-app/runtime 0.1.47 → 0.1.49

package/dist/doctor/runtime-takeover-scheduler.d.ts

@@ -0,0 +1,20 @@
+import type { DoctorCheck } from "./doctor.types.js";
+export interface RuntimeTakeoverSchedulerEnv {
+    kynverSchedulerProvider?: string;
+    /** True when this process has QStash credentials (typical Kynver server deploy). */
+    qstashTokenPresent?: boolean;
+    /** Explicit hosted-deploy marker (`KYNVER_HOSTED_DEPLOYMENT=1|true|yes`). */
+    kynverHostedDeployment?: boolean;
+}
+export interface RuntimeTakeoverSchedulerContext {
+    agentOsId?: string | null;
+    apiBaseUrl?: string | null;
+    hasScopedRunnerToken: boolean;
+}
+/**
+ * Scheduler readiness for runtime takeover.
+ *
+ * Runner hosts drive dispatch via `kynver daemon` → `pipeline-tick` → `operator/tick`
+ * and must not depend on OpenClaw cron. Server/hosted deploys should resolve to QStash.
+ */
+export declare function assessRuntimeTakeoverScheduler(env: RuntimeTakeoverSchedulerEnv, ctx: RuntimeTakeoverSchedulerContext): DoctorCheck;

package/dist/doctor/runtime-takeover.probes.d.ts

@@ -26,6 +26,8 @@ export interface RuntimeTakeoverProbes {
         kynverHarnessRoot?: string;
         opusHarnessRoot?: string;
         kynverSchedulerProvider?: string;
+        qstashTokenPresent?: boolean;
+        kynverHostedDeployment?: boolean;
     };
     harnessRoot(): string;
     legacyOpenclawHarnessRoot(): string;

package/dist/harness-expert-review.d.ts

@@ -0,0 +1,8 @@
+export interface HarnessExpertReviewTaskShape {
+    title?: string;
+    personaSlug?: string | null;
+    parentTaskId?: string | null;
+    executorRef?: string | null;
+}
+/** Expert review workers must not inherit landing-only PR gates or open new PRs. */
+export declare function isHarnessExpertReviewWorker(worker: HarnessExpertReviewTaskShape): boolean;

package/dist/index.js

@@ -1956,7 +1956,7 @@ function inferModelRoutingFromTask(task) {
       rule: "lane:landing"
     };
   }
-  if (ref.includes("review") || title.startsWith("review ") || roleLane.includes("review")) {
+  if (ref.includes("review") || /^review[\s:]/.test(title) || roleLane.includes("review")) {
     if (isOpusLane(ref, title) || roleLane === "deep_reviewer") {
       return { model: "claude-opus-4-7", provider: "claude", rule: "lane:deep_review" };
     }
@@ -2149,6 +2149,7 @@ function buildPrompt(input) {
     "Structured final result (recommended): record completion as JSON with summary, laneExpertise { whatChanged, why, files, prUrls, verification, risks, blockers, lessonsLearned, laneGuidance }, and targetPrReconciliation [{ prUrl, outcome: merged|skipped|blocked, mergeCommit?, reason? }] for every target PR on landing-only tasks.",
     "Completion handoff (required): before you stop, ensure the harness records a final result \u2014 summarize outcome in your last message and append a heartbeat line with phase `complete`. If you leave uncommitted changes or committed work without a PR, the orchestrator blocks completion until a GitHub PR exists (or you discard/commit cleanly). Exiting with only dirty files and no PR routes to salvage review, not production review.",
     "PR-ready handoff: for substantial implementation work, commit, push, and open a GitHub PR (draft OK) on your branch before finishing \u2014 or rely on the harness to run `gh pr create` at completion when `gh` is authenticated.",
+    "Expert review / production-review workers (Dalton/Lorentz, plan-review-task, scheduledJob reviewer children): do NOT open new implementation PRs \u2014 review the parent task's existing PR and record reviewVerdict in finalResult; landing-contract targetPrReconciliation does not apply.",
     "Worker resource guard: do not run full monorepo verification (`npm run typecheck`, `npm run build`, or equivalent) from this worker lane unless an operator explicitly requests it. Use targeted checks for touched paths and rely on CI/operator lanes for heavy gates.",
     "npm publish boundary: do not run `npm publish`, do not republish `@kynver-app/*` packages, and do not block on an operator to publish. When you need newer runtime code than npm, use this repo checkout (`npm run kynver:build`, `npm run kynver`) and record evidence: packages/kynver-runtime/package.json version + git ref in your completion report.",
     "If verification fails (including OOM), append a heartbeat line immediately with the last command, failure reason, dirty-file status, commit/PR handoff state, and next action so recovery does not require log spelunking.",
@@ -2390,8 +2391,39 @@ function completionPostSucceeded(summary) {
   return summary.taskAdvanced;
 }
 
+// src/harness-expert-review.ts
+var EXPERT_LANE_REVIEW_REF = "expert-lane-pr-review:";
+var PLAN_REVIEW_EXECUTOR_REF = "plan-review-task";
+var SCHEDULED_JOB_EXECUTOR_REF = "scheduledjob:";
+function normalizePersonaSlug(value) {
+  if (!value) return null;
+  const t = value.trim().toLowerCase();
+  return t.length ? t : null;
+}
+function isHarnessExpertReviewWorker(worker) {
+  const ref = (worker.executorRef ?? "").toLowerCase();
+  if (ref.startsWith(EXPERT_LANE_REVIEW_REF)) return true;
+  if (ref === PLAN_REVIEW_EXECUTOR_REF || ref.startsWith("daemon-review:")) return true;
+  if (ref.startsWith(SCHEDULED_JOB_EXECUTOR_REF) && worker.parentTaskId) {
+    const persona = normalizePersonaSlug(worker.personaSlug);
+    if (persona === "lorentz" || persona === "dalton") return true;
+  }
+  const title = (worker.title ?? "").toLowerCase();
+  if (title.includes("expert pr review")) return true;
+  if (worker.parentTaskId && (title.startsWith("review:") || title.includes("review required") || title.includes("runtime review"))) {
+    const persona = normalizePersonaSlug(worker.personaSlug);
+    if (persona === "lorentz" || persona === "dalton") return true;
+  }
+  return false;
+}
+
 // src/pr-handoff/pr-handoff-assess.ts
 var REVIEW_LANE_RULE = /^(lane:)?(review|deep_review|planning|landing)(:|$)/i;
+var REVIEW_PERSONA_SLUGS = /* @__PURE__ */ new Set(["lorentz", "sentinel"]);
+var NO_PR_COMMITS_BETWEEN_RE = /no commits between/i;
+function isGhNoCommitsBetweenError(detail) {
+  return Boolean(detail && NO_PR_COMMITS_BETWEEN_RE.test(detail));
+}
 function trimOrNull4(value) {
   if (typeof value !== "string") return null;
   const trimmed = value.trim();
@@ -2410,8 +2442,30 @@ function extractPrUrlFromText(value) {
   );
   return m ? trimOrNull4(m[0]) : null;
 }
-function hasWorkProduct(snapshot) {
+function countCommitsAheadOfBase(worktreePath, baseRef, exec) {
+  const base = baseRef.trim();
+  if (!base) return null;
+  const count = exec.git(worktreePath, ["rev-list", "--count", `${base}..HEAD`]);
+  if (count.status !== 0) return null;
+  const n = Number.parseInt(count.stdout.trim(), 10);
+  return Number.isFinite(n) ? n : null;
+}
+function isReviewArtifactWorker(worker, snapshot) {
+  if (snapshot.changedFiles.length > 0) return false;
+  const persona = trimOrNull4(worker.personaSlug)?.toLowerCase();
+  if (persona && REVIEW_PERSONA_SLUGS.has(persona)) return true;
+  const rule = trimOrNull4(worker.routingRule) ?? "";
+  if (rule && REVIEW_LANE_RULE.test(rule)) return true;
+  return false;
+}
+function hasWorkProduct(snapshot, options) {
   if (snapshot.changedFiles.length > 0) return true;
+  const baseRef = trimOrNull4(options?.baseRef);
+  if (baseRef && options?.exec && options.worktreePath) {
+    const ahead = countCommitsAheadOfBase(options.worktreePath, baseRef, options.exec);
+    if (ahead === 0) return false;
+    if (ahead !== null && ahead > 0) return true;
+  }
   if (trimOrNull4(snapshot.headCommit)) return true;
   if (committedHead(snapshot.gitAncestry)) return true;
   return false;
@@ -2420,18 +2474,38 @@ function assessPrHandoffRequirement(input) {
   if (!input.dispatched) {
     return { required: false, reason: "not_dispatched" };
   }
+  if (isHarnessExpertReviewWorker({
+    title: input.taskTitle ?? void 0,
+    personaSlug: input.personaSlug,
+    parentTaskId: input.parentTaskId,
+    executorRef: input.executorRef
+  })) {
+    return { required: false, reason: "expert_review_task" };
+  }
   const rule = trimOrNull4(input.routingRule) ?? "";
   if (rule && REVIEW_LANE_RULE.test(rule)) {
     return { required: false, reason: "review_lane" };
   }
+  const workerCtx = input.worker ?? {
+    personaSlug: input.personaSlug,
+    routingRule: input.routingRule
+  };
+  if (isReviewArtifactWorker(workerCtx, input.snapshot)) {
+    return { required: false, reason: "review_artifact" };
+  }
   if (trimOrNull4(input.patchPath) || trimOrNull4(input.artifactBundlePath)) {
     return { required: false, reason: "patch_or_bundle" };
   }
-  const prUrl = trimOrNull4(input.prUrl) ?? trimOrNull4(input.snapshot.prUrl);
+  const prUrl = trimOrNull4(input.prUrl) ?? trimOrNull4(input.taskPrUrl) ?? trimOrNull4(input.snapshot.prUrl);
   if (prUrl) {
     return { required: false, reason: "already_has_pr" };
   }
-  if (!hasWorkProduct(input.snapshot)) {
+  const workProductOpts = input.exec && input.baseRef ? {
+    baseRef: input.baseRef,
+    exec: input.exec,
+    worktreePath: input.snapshot.worktreePath
+  } : void 0;
+  if (!hasWorkProduct(input.snapshot, workProductOpts)) {
     return { required: false, reason: "no_work_product" };
   }
   return { required: true, snapshot: input.snapshot };
@@ -2640,10 +2714,19 @@ function ensurePrReadyHandoff(input, exec = defaultPrHandoffExec) {
     prUrl: prUrlHint,
     headCommit: null
   });
+  const baseRef = input.run.baseCommit?.trim() || input.run.base?.trim() || "origin/main";
   const requirement = assessPrHandoffRequirement({
     dispatched: input.worker.dispatched,
     routingRule: input.worker.routingRule,
+    personaSlug: input.worker.personaSlug,
     prUrl: prUrlHint,
+    taskTitle: input.worker.taskTitle,
+    executorRef: input.worker.executorRef,
+    parentTaskId: input.worker.parentTaskId,
+    taskPrUrl: input.worker.taskPrUrl,
+    baseRef,
+    exec,
+    worker: input.worker,
     snapshot
   });
   if (!requirement.required) {
@@ -2728,6 +2811,14 @@ function ensurePrReadyHandoff(input, exec = defaultPrHandoffExec) {
     exec
   });
   if (!pr.ok || !pr.prUrl) {
+    if (isGhNoCommitsBetweenError(pr.detail)) {
+      return {
+        ok: true,
+        headCommit: headCommit ?? void 0,
+        committed,
+        pushed
+      };
+    }
     const dirty = snapshot.changedFiles.length;
     const detail = dirty ? `${dirty} uncommitted change(s) and no PR URL after handoff attempt` : "no PR URL after handoff attempt";
     return {
@@ -3523,6 +3614,10 @@ function spawnWorkerProcess(run, opts) {
     ...!opts.agentOsId || !opts.taskId ? { localOnly: true } : {},
     routingRule: routing.rule,
     ...routing.requestedModel ? { requestedModel: routing.requestedModel } : {},
+    ...opts.executorRef ? { executorRef: String(opts.executorRef) } : {},
+    ...opts.parentTaskId ? { parentTaskId: String(opts.parentTaskId) } : {},
+    ...opts.taskTitle ? { taskTitle: String(opts.taskTitle) } : {},
+    ...opts.taskPrUrl ? { taskPrUrl: String(opts.taskPrUrl) } : {},
     startedAt: (/* @__PURE__ */ new Date()).toISOString()
   };
   saveWorker(run.id, worker);
@@ -4217,7 +4312,7 @@ function readHarnessWorkerContext(decision) {
     personaInjectionReady
   };
 }
-function normalizePersonaSlug(value) {
+function normalizePersonaSlug2(value) {
   if (typeof value !== "string") return null;
   const trimmed = value.trim().toLowerCase();
   return trimmed.length ? trimmed : null;
@@ -4348,7 +4443,7 @@ async function dispatchRun(args) {
       const task = decision.task;
       const harnessContext = readHarnessWorkerContext(decision);
       const taskId = String(task.id);
-      const expectedPersona = normalizePersonaSlug(task.personaSlug);
+      const expectedPersona = normalizePersonaSlug2(task.personaSlug);
       if (expectedPersona && (!harnessContext?.personaInjectionReady || !harnessContext.personaMarkdown)) {
         outcomes.push({
           taskId,
@@ -4392,6 +4487,10 @@ async function dispatchRun(args) {
           agentOsId,
           taskId: String(task.id),
           planId,
+          executorRef: task.executorRef ? String(task.executorRef) : void 0,
+          parentTaskId: task.parentTaskId ? String(task.parentTaskId) : void 0,
+          taskTitle: task.title ? String(task.title) : void 0,
+          taskPrUrl: task.prUrl ? String(task.prUrl) : void 0,
           instructionPolicyMarkdown: harnessContext?.instructionPolicyMarkdown ?? null,
           instructionPolicyFingerprint: harnessContext?.instructionPolicyFingerprint ?? null,
           instructionPolicyEvidence: harnessContext?.instructionPolicyEvidence ?? null,
@@ -6590,7 +6689,12 @@ var defaultRuntimeTakeoverProbes = {
     openclawCronSecret: Boolean(process.env.OPENCLAW_CRON_SECRET?.trim()),
     kynverHarnessRoot: process.env.KYNVER_HARNESS_ROOT?.trim() || void 0,
     opusHarnessRoot: process.env.OPUS_HARNESS_ROOT?.trim() || void 0,
-    kynverSchedulerProvider: process.env.KYNVER_SCHEDULER_PROVIDER?.trim() || void 0
+    kynverSchedulerProvider: process.env.KYNVER_SCHEDULER_PROVIDER?.trim() || void 0,
+    qstashTokenPresent: Boolean(process.env.QSTASH_TOKEN?.trim()),
+    kynverHostedDeployment: (() => {
+      const v = process.env.KYNVER_HOSTED_DEPLOYMENT?.trim().toLowerCase();
+      return v === "1" || v === "true" || v === "yes";
+    })()
   }),
   harnessRoot: () => resolveHarnessRoot(),
   legacyOpenclawHarnessRoot: () => path36.join(homedir6(), ".openclaw", "harness"),
@@ -6600,10 +6704,76 @@ var defaultRuntimeTakeoverProbes = {
   vercelWhoami: () => captureCommand("vercel", ["whoami"])
 };
 
-// src/doctor/runtime-takeover.ts
+// src/doctor/runtime-takeover-scheduler.ts
 function check(partial) {
   return partial;
 }
+function assessRuntimeTakeoverScheduler(env, ctx) {
+  const runnerOpenclaw = env.kynverSchedulerProvider === "openclaw-cron";
+  const runnerQstash = env.kynverSchedulerProvider === "qstash";
+  const hostedDeployment = Boolean(env.qstashTokenPresent) || Boolean(env.kynverHostedDeployment);
+  const daemonDispatchReady = Boolean(ctx.agentOsId?.trim()) && Boolean(ctx.apiBaseUrl?.trim()) && ctx.hasScopedRunnerToken;
+  const deploymentNeedsQstash = hostedDeployment && !env.qstashTokenPresent && env.kynverSchedulerProvider !== "qstash";
+  const deploymentOpenclaw = hostedDeployment && env.kynverSchedulerProvider === "openclaw-cron";
+  if (runnerOpenclaw) {
+    return check({
+      id: "hotspot_openclaw_scheduler",
+      label: "Scheduler provider (runtime daemon vs OpenClaw cron)",
+      status: "warn",
+      summary: "KYNVER_SCHEDULER_PROVIDER=openclaw-cron on this runner \u2014 hosted dispatch still depends on the OpenClaw local-cron adapter",
+      remediation: "Unset KYNVER_SCHEDULER_PROVIDER on user runners. Use `kynver daemon` (pipeline-tick \u2192 operator/tick). On the Kynver server set KYNVER_SCHEDULER_PROVIDER=qstash when QStash is configured.",
+      details: { schedulerProvider: env.kynverSchedulerProvider ?? null, hostedDeployment }
+    });
+  }
+  if (deploymentOpenclaw || deploymentNeedsQstash) {
+    return check({
+      id: "hotspot_openclaw_scheduler",
+      label: "Scheduler provider (runtime daemon vs OpenClaw cron)",
+      status: "warn",
+      summary: deploymentOpenclaw ? "Hosted deployment has KYNVER_SCHEDULER_PROVIDER=openclaw-cron \u2014 AgentOS scheduled ticks should use QStash" : "Hosted deployment without QSTASH_TOKEN \u2014 scheduler may fall back to openclaw-cron",
+      remediation: "Set QSTASH_TOKEN and KYNVER_SCHEDULER_PROVIDER=qstash on the Kynver server. User runners use `kynver daemon` for dispatch and should not set a scheduler provider.",
+      details: {
+        schedulerProvider: env.kynverSchedulerProvider ?? null,
+        qstashTokenPresent: env.qstashTokenPresent ?? false,
+        hostedDeployment
+      }
+    });
+  }
+  if (daemonDispatchReady) {
+    return check({
+      id: "hotspot_openclaw_scheduler",
+      label: "Scheduler provider (runtime daemon vs OpenClaw cron)",
+      status: "pass",
+      summary: runnerQstash ? "Runner override qstash present; hosted dispatch still owned by kynver daemon pipeline-tick" : "Hosted dispatch owned by kynver daemon (pipeline-tick \u2192 operator/tick); no OpenClaw cron on runner",
+      details: {
+        schedulerProvider: env.kynverSchedulerProvider ?? null,
+        dispatchPath: "kynver-daemon-pipeline-tick",
+        hostedDeployment
+      }
+    });
+  }
+  if (!env.kynverSchedulerProvider) {
+    return check({
+      id: "hotspot_openclaw_scheduler",
+      label: "Scheduler provider (runtime daemon vs OpenClaw cron)",
+      status: "pass",
+      summary: "No KYNVER_SCHEDULER_PROVIDER on runner (expected) \u2014 finish runner setup so daemon pipeline-tick owns dispatch",
+      details: { schedulerProvider: null, dispatchPath: "kynver-daemon-pipeline-tick-pending" }
+    });
+  }
+  return check({
+    id: "hotspot_openclaw_scheduler",
+    label: "Scheduler provider (runtime daemon vs OpenClaw cron)",
+    status: "pass",
+    summary: `KYNVER_SCHEDULER_PROVIDER=${env.kynverSchedulerProvider}`,
+    details: { schedulerProvider: env.kynverSchedulerProvider ?? null }
+  });
+}
+
+// src/doctor/runtime-takeover.ts
+function check2(partial) {
+  return partial;
+}
 function summarizeCounts(sections) {
   const counts = { pass: 0, warn: 0, fail: 0 };
   for (const section of sections) {
@@ -6620,14 +6790,14 @@ function assessCliPackage(probes) {
   const firstPath = onPath ? which.stdout.split(/\r?\n/)[0]?.trim() : void 0;
   const displayCliPath = firstPath ? displayUserPath(firstPath) : void 0;
   const checks = [
-    check({
+    check2({
       id: "cli_running_version",
       label: "Running @kynver-app/runtime version",
       status: "pass",
       summary: `@kynver-app/runtime ${runningVersion}`,
       details: { version: runningVersion }
     }),
-    check({
+    check2({
       id: "cli_on_path",
       label: "kynver executable on PATH",
       status: onPath ? "pass" : "warn",
@@ -6641,7 +6811,7 @@ function assessCliPackage(probes) {
     const installedVersion = versionProbe.stdout.replace(/^kynver\s+/i, "").trim() || void 0;
     const versionMatch = versionProbe.ok && (!installedVersion || installedVersion === runningVersion);
     checks.push(
-      check({
+      check2({
         id: "cli_installed_version",
         label: "Installed kynver CLI version matches running package",
         status: versionMatch ? "pass" : "warn",
@@ -6659,7 +6829,7 @@ function assessUserConfig(probes) {
   const exists = probes.pathExists(configPath);
   const config = probes.loadConfig();
   const checks = [
-    check({
+    check2({
       id: "config_file",
       label: "~/.kynver/config.json present",
       status: exists ? "pass" : "fail",
@@ -6674,7 +6844,7 @@ function assessUserConfig(probes) {
     const defaultRepo = config.defaultRepo?.trim();
     const displayDefaultRepo = defaultRepo ? displayUserPath(defaultRepo) : null;
     checks.push(
-      check({
+      check2({
         id: "config_api_base_url",
         label: "Default API base URL",
         status: apiBaseUrl ? "pass" : "warn",
@@ -6682,7 +6852,7 @@ function assessUserConfig(probes) {
         remediation: apiBaseUrl ? void 0 : "Set `apiBaseUrl` via `kynver setup --api-base-url https://\u2026`.",
         details: { apiBaseUrl: apiBaseUrl ?? null }
       }),
-      check({
+      check2({
         id: "config_agent_os_id",
         label: "Default AgentOS id",
         status: agentOsId ? "pass" : "warn",
@@ -6690,7 +6860,7 @@ function assessUserConfig(probes) {
         remediation: agentOsId ? void 0 : "Set `agentOsId` via `kynver setup --agent-os-id <uuid>`.",
         details: { agentOsId: agentOsId ?? null, agentOsSlug: config.agentOsSlug ?? null }
       }),
-      check({
+      check2({
         id: "config_default_repo",
         label: "Default repo path",
         status: defaultRepo ? "pass" : "warn",
@@ -6718,7 +6888,7 @@ function assessRunnerToken(probes) {
   const scopedSaved = Boolean(savedToken) && (!targetAgentOsId || !savedAgentOsId || savedAgentOsId === targetAgentOsId);
   const hasScoped = Boolean(envToken?.startsWith("krc1.")) || scopedSaved && savedToken?.startsWith("krc1.");
   const checks = [
-    check({
+    check2({
       id: "runner_token_scoped",
       label: "Scoped runner token (krc1.*) ready",
       status: hasScoped ? "pass" : "fail",
@@ -6731,7 +6901,7 @@ function assessRunnerToken(probes) {
         credentialsPath: displayCredPath
       }
     }),
-    check({
+    check2({
       id: "runner_token_agent_os_match",
       label: "Saved runner token matches configured agentOsId",
       status: !savedToken || !targetAgentOsId || !savedAgentOsId || savedAgentOsId === targetAgentOsId ? "pass" : "warn",
@@ -6739,7 +6909,7 @@ function assessRunnerToken(probes) {
       remediation: savedToken && targetAgentOsId && savedAgentOsId && savedAgentOsId !== targetAgentOsId ? "`kynver runner credential --agent-os-id <configured-id>` to mint a workspace-bound token." : void 0,
       details: { configuredAgentOsId: targetAgentOsId ?? null, savedAgentOsId: savedAgentOsId ?? null }
     }),
-    check({
+    check2({
       id: "runner_api_key_for_refresh",
       label: "API key available for token refresh",
       status: creds.hasApiKey || Boolean(process.env.KYNVER_API_KEY?.trim()) ? "pass" : "warn",
@@ -6758,7 +6928,7 @@ function assessVercelCli(probes) {
     id: "vercel_cli",
     label: "Vercel CLI",
     checks: [
-      check({
+      check2({
         id: "vercel_installed",
         label: "Vercel CLI installed",
         status: installed ? "pass" : "warn",
@@ -6766,7 +6936,7 @@ function assessVercelCli(probes) {
         remediation: installed ? void 0 : "Install Vercel CLI (`npm i -g vercel`) for deploy evidence and env pulls.",
         details: { stderr: version.stderr || null }
       }),
-      check({
+      check2({
         id: "vercel_authenticated",
         label: "Vercel CLI authenticated",
         status: !installed ? "warn" : whoami.ok ? "pass" : "warn",
@@ -6790,14 +6960,14 @@ function assessHarnessDirs(probes) {
     id: "harness_dirs",
     label: "Harness / daemon directories",
     checks: [
-      check({
+      check2({
         id: "harness_root",
         label: "Harness root resolved",
         status: "pass",
         summary: displayHarnessRoot,
         details: { harnessRoot: displayHarnessRoot }
       }),
-      check({
+      check2({
         id: "harness_runs_dir",
         label: "Runs directory ready",
         status: runsExists && probes.pathWritable(runsDir) ? "pass" : runsExists ? "warn" : "warn",
@@ -6805,7 +6975,7 @@ function assessHarnessDirs(probes) {
         remediation: runsExists && !probes.pathWritable(runsDir) ? `Fix permissions on ${displayRunsDir} or set KYNVER_HARNESS_ROOT to a writable path.` : void 0,
         details: { runsDir: displayRunsDir, exists: runsExists, writable: probes.pathWritable(runsDir) }
       }),
-      check({
+      check2({
         id: "harness_worktrees_dir",
         label: "Worktrees directory ready",
         status: worktreesExists && probes.pathWritable(worktreesDir) ? "pass" : "warn",
@@ -6826,7 +6996,7 @@ function assessCallbackAuth(probes) {
   const creds = probes.readCredentials();
   const savedScoped = creds.runnerTokenPrefix?.startsWith("krc1.");
   const checks = [
-    check({
+    check2({
       id: "callback_base_url",
       label: "Callback base URL configured",
       status: baseUrl ? usingLegacyBase ? "warn" : "pass" : "fail",
@@ -6837,7 +7007,7 @@ function assessCallbackAuth(probes) {
         baseUrl: baseUrl ?? null
       }
     }),
-    check({
+    check2({
       id: "callback_auth_mode",
       label: "Callback auth uses scoped runner token",
       status: envScoped || savedScoped ? "pass" : legacySecret ? "warn" : "fail",
@@ -6853,15 +7023,22 @@ function assessCallbackAuth(probes) {
 }
 function assessOpenclawHotspots(probes) {
   const env = probes.envSnapshot();
+  const config = probes.loadConfig();
+  const creds = probes.readCredentials();
   const harnessRoot = probes.harnessRoot();
   const legacyRoot = probes.legacyOpenclawHarnessRoot();
   const displayHarnessRoot = redactHomePath(harnessRoot);
   const displayLegacyRoot = redactHomePath(legacyRoot);
   const displayOpusHarnessRoot = env.opusHarnessRoot ? redactHomePath(env.opusHarnessRoot) : null;
   const legacyHarnessActive = harnessRoot === legacyRoot && probes.pathExists(legacyRoot);
-  const schedulerOpenclaw = !env.kynverSchedulerProvider || env.kynverSchedulerProvider === "openclaw-cron";
+  const targetAgentOsId = config.agentOsId?.trim();
+  const envToken = env.kynverRunnerTokenPrefix;
+  const savedToken = creds.runnerTokenPrefix;
+  const savedAgentOsId = creds.runnerTokenAgentOsId;
+  const scopedSaved = Boolean(savedToken) && (!targetAgentOsId || !savedAgentOsId || savedAgentOsId === targetAgentOsId);
+  const hasScopedRunnerToken = Boolean(envToken?.startsWith("krc1.")) || scopedSaved && Boolean(savedToken?.startsWith("krc1."));
   const checks = [
-    check({
+    check2({
       id: "hotspot_legacy_harness_root",
       label: "Legacy ~/.openclaw/harness still active",
       status: legacyHarnessActive ? "warn" : "pass",
@@ -6869,7 +7046,7 @@ function assessOpenclawHotspots(probes) {
       remediation: legacyHarnessActive ? "Set KYNVER_HARNESS_ROOT=~/.kynver/harness (or run setup), migrate artifacts, retire OPUS_HARNESS_ROOT." : env.opusHarnessRoot ? "Prefer KYNVER_HARNESS_ROOT over OPUS_HARNESS_ROOT." : void 0,
       details: { harnessRoot: displayHarnessRoot, legacyRoot: displayLegacyRoot, opusHarnessRoot: displayOpusHarnessRoot }
     }),
-    check({
+    check2({
       id: "hotspot_openclaw_env_secrets",
       label: "OpenClaw deployment secrets in runner env",
       status: env.openclawCronSecret || env.openclawCronFireBaseUrl ? "warn" : "pass",
@@ -6879,15 +7056,12 @@ function assessOpenclawHotspots(probes) {
       ].filter(Boolean).join("; ") : "No OpenClaw cron env overrides on this runner",
       remediation: env.openclawCronSecret || env.openclawCronFireBaseUrl ? "Move to KYNVER_API_URL + scoped runner tokens; unset OpenClaw cron env on user-hosted runners." : void 0
     }),
-    check({
-      id: "hotspot_openclaw_scheduler",
-      label: "openclaw-cron scheduler dependency (deployment)",
-      status: schedulerOpenclaw ? "warn" : "pass",
-      summary: schedulerOpenclaw ? env.kynverSchedulerProvider === "openclaw-cron" ? "KYNVER_SCHEDULER_PROVIDER=openclaw-cron \u2014 AgentOS ticks still routed via OpenClaw local cron adapter" : "KYNVER_SCHEDULER_PROVIDER unset \u2014 server may fall back to openclaw-cron when QStash is absent" : `KYNVER_SCHEDULER_PROVIDER=${env.kynverSchedulerProvider}`,
-      remediation: schedulerOpenclaw ? "On Kynver-hosted scheduler: set KYNVER_SCHEDULER_PROVIDER=qstash where QStash is configured; retire openclaw-cron stub when runtime daemon owns dispatch." : void 0,
-      details: { schedulerProvider: env.kynverSchedulerProvider ?? null }
+    assessRuntimeTakeoverScheduler(env, {
+      agentOsId: targetAgentOsId ?? null,
+      apiBaseUrl: config.apiBaseUrl?.trim() ?? env.kynverApiUrl ?? null,
+      hasScopedRunnerToken
     }),
-    check({
+    check2({
       id: "hotspot_lease_source_names",
       label: "Harness lease/completion source names",
       status: "pass",