openclaw-scheduler 0.2.8 → 0.2.10

package/dispatch/watcher.mjs

@@ -39,6 +39,7 @@ import {
 import { getDispatchLivenessPolicy } from './liveness.mjs';
 import { resolveLabelsPath } from './paths.mjs';
 import { sendMessage } from '../messages.js';
+import { ensureArtifactsDir, resolveArtifactsDir } from '../paths.js';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const INDEX_PATH = process.env.DISPATCH_INDEX_PATH || join(__dirname, 'index.mjs');
@@ -54,12 +55,68 @@ const MAX_GW_RESTART_RETRIES = 2; // Max retries for gateway-restart-kill recove
 
 const FLAT_WINDOW_MS = 3 * 60 * 1000; // 3 min flat = genuinely stuck
 const ACTIVITY_POLL_MS = 30_000;
+const COMPLETION_INLINE_LIMIT_BYTES = parsePositiveEnvInt('DISPATCH_COMPLETION_INLINE_LIMIT_BYTES', 60 * 1024);
 
 /** How often the watcher writes lastPing to labels.json (heartbeat signal).
  *  The watchdog guard in index.mjs treats pings older than 3x this as stale,
  *  so PING_INTERVAL_MS must stay well below PING_STALE_MS (3 * 60_000). */
 const PING_INTERVAL_MS = 60_000; // 60 seconds
 
+function parsePositiveEnvInt(name, fallback) {
+  const value = Number.parseInt(String(process.env[name] ?? ''), 10);
+  return Number.isFinite(value) && value > 0 ? value : fallback;
+}
+
+function byteLength(text) {
+  return Buffer.byteLength(String(text ?? ''), 'utf8');
+}
+
+function sliceUtf8Bytes(text, maxBytes) {
+  const source = String(text ?? '');
+  if (byteLength(source) <= maxBytes) return source;
+
+  let usedBytes = 0;
+  let endIndex = 0;
+  for (const char of source) {
+    const charBytes = byteLength(char);
+    if (usedBytes + charBytes > maxBytes) break;
+    usedBytes += charBytes;
+    endIndex += char.length;
+  }
+  return source.slice(0, endIndex).trimEnd();
+}
+
+function completionArtifactPath(label) {
+  const safeLabel = String(label || 'completion')
+    .replace(/[^a-z0-9._-]+/gi, '-')
+    .replace(/^-+|-+$/g, '')
+    .slice(0, 80) || 'completion';
+  const dir = ensureArtifactsDir(join(resolveArtifactsDir({ env: process.env }), 'dispatch-completions'));
+  return join(dir, `${new Date().toISOString().replace(/[:.]/g, '-')}-${safeLabel}.txt`);
+}
+
+function formatCompletionStdout(label, deliveryText) {
+  const header = `🌶️ *dispatch* [${label}] completed:\n\n`;
+  const body = String(deliveryText ?? '');
+  const bodyBytes = byteLength(body);
+
+  if (bodyBytes <= COMPLETION_INLINE_LIMIT_BYTES) {
+    return `${header}${body}\n`;
+  }
+
+  let artifactNote;
+  try {
+    const artifactPath = completionArtifactPath(label);
+    writeFileSync(artifactPath, body, 'utf8');
+    artifactNote = `\n\nFull completion report saved to ${artifactPath} (${bodyBytes} bytes). Inline delivery capped at ${COMPLETION_INLINE_LIMIT_BYTES} bytes to avoid dumping an oversized report.`;
+  } catch (err) {
+    artifactNote = `\n\nFull completion report was ${bodyBytes} bytes, but saving the oversized report failed: ${err.message}. Inline delivery capped at ${COMPLETION_INLINE_LIMIT_BYTES} bytes.`;
+  }
+
+  const bodyBudget = Math.max(0, COMPLETION_INLINE_LIMIT_BYTES - byteLength(artifactNote));
+  const inlineBody = sliceUtf8Bytes(body, bodyBudget);
+  return `${header}${inlineBody}${artifactNote}\n`;
+}
 
 function getGatewayToken() {
   if (process.env.OPENCLAW_GATEWAY_TOKEN) return process.env.OPENCLAW_GATEWAY_TOKEN;
@@ -922,11 +979,7 @@ function deliverResult(label, lastReply, fallbackSummary, completionPayload = nu
   markLabelDone(label, completion.summary);
 
   if (completion.deliveryText) {
-    const maxLen = 3500;
-    const reply = completion.deliveryText.length > maxLen
-      ? completion.deliveryText.slice(0, maxLen) + '\n\n..[truncated]'
-      : completion.deliveryText;
-    process.stdout.write(`🌶️ *dispatch* [${label}] completed:\n\n${reply}\n`);
+    process.stdout.write(formatCompletionStdout(label, completion.deliveryText));
     process.exit(0);
   }
 
@@ -1120,14 +1173,18 @@ function runOnceAndExit() {
   }
 
   const ageMs = status.liveness?.ageMs;
-  const idleResultCheckMs = getCurrentLivenessPolicy().idleProbeMs;
+  const livenessPolicy = getCurrentLivenessPolicy();
+  const idleResultCheckMs = livenessPolicy.idleProbeMs;
+  const idleFailureMs = livenessPolicy.idleFailureMs;
   if (ageMs != null && ageMs >= idleResultCheckMs) {
     const result = dispatch('result', ['--label', label]);
     if (hasStructuredCompletion(result)) {
       deliverResult(label, result?.lastReply || null, null, result?.completion || null);
     }
 
-    const stallReason = getRunningSessionStallReason(status, idleResultCheckMs);
+    const stallReason = ageMs >= idleFailureMs
+      ? getRunningSessionStallReason(status, idleFailureMs)
+      : null;
     if (stallReason) {
       process.stderr.write(`[watcher] [${label}] ${stallReason}\n`);
       markLabelError(label, stallReason);
@@ -1504,14 +1561,18 @@ while (Date.now() < deadline) {
   // while this watcher's lastPing heartbeat is fresh (written every 60s);
   // this path handles normal completion before the ping goes stale.
   const ageMs = status.liveness?.ageMs;
-  const idleResultCheckMs = getCurrentLivenessPolicy().idleProbeMs;
+  const livenessPolicy = getCurrentLivenessPolicy();
+  const idleResultCheckMs = livenessPolicy.idleProbeMs;
+  const idleFailureMs = livenessPolicy.idleFailureMs;
   if (ageMs != null && ageMs >= idleResultCheckMs) {
     const result = dispatch('result', ['--label', label]);
     if (hasStructuredCompletion(result)) {
       deliverResult(label, result?.lastReply || null, null, result?.completion || null);
     }
 
-    const stallReason = getRunningSessionStallReason(status, idleResultCheckMs);
+    const stallReason = ageMs >= idleFailureMs
+      ? getRunningSessionStallReason(status, idleFailureMs)
+      : null;
     if (stallReason) {
       process.stderr.write(`[watcher] [${label}] ${stallReason}\n`);
       markLabelError(label, stallReason);
@@ -1530,6 +1591,14 @@ while (Date.now() < deadline) {
 // Timed out -- try one last result check
 const finalResult = dispatch('result', ['--label', label]);
 const finalStatus = dispatch('status', ['--label', label]);
+if (hasStructuredCompletion(finalResult)) {
+  deliverResult(
+    label,
+    finalResult?.lastReply || null,
+    finalStatus?.summary || null,
+    finalResult?.completion || finalStatus?.completion || null,
+  );
+}
 if (finalStatus?.status === 'done') {
   const rc = getRetryCount(label);
   if (rc > 0) setRetryCount(label, 0);

package/dispatcher-strategies.js

@@ -1214,6 +1214,93 @@ export async function executeShell(job, ctx, deps) {
 
 // -- Strategy: Agent (isolated session) ----------------------
 
+function describeAgentSelection(selection) {
+  return {
+    model: selection?.model || null,
+    auth_profile: selection?.authProfile || null,
+  };
+}
+
+function sameAgentSelection(left, right) {
+  return (left?.model || undefined) === (right?.model || undefined)
+    && (left?.authProfile || undefined) === (right?.authProfile || undefined);
+}
+
+async function resolveConfiguredAuthProfile(authProfile, deps, jobId, fieldName = 'auth_profile') {
+  const { listSessions, log } = deps;
+  let resolvedAuthProfile = authProfile || undefined;
+  if (resolvedAuthProfile !== 'inherit') return resolvedAuthProfile;
+
+  try {
+    const sessions = await listSessions({ kinds: ['main'], activeMinutes: 120, limit: 10 });
+    const sessionList = sessions?.result?.details?.sessions || sessions?.result?.sessions || sessions?.sessions || sessions || [];
+    const mainSession = Array.isArray(sessionList)
+      ? sessionList.find(s => {
+          const key = s.key || s.sessionKey || '';
+          return key.includes(':main:') || key.endsWith(':main') || key === 'main';
+        })
+      : null;
+    const profileId = mainSession?.authProfileOverride || mainSession?.authProfile || mainSession?.profile;
+    if (profileId) {
+      resolvedAuthProfile = profileId;
+      log('debug', `Resolved ${fieldName} 'inherit' -> '${profileId}'`, { jobId });
+    } else {
+      log('debug', `${fieldName} 'inherit' -- no main session profile found, passing 'inherit' as-is`, { jobId });
+    }
+  } catch (err) {
+    log('warn', `Failed to resolve ${fieldName} 'inherit': ${err.message}`, { jobId });
+    // Fall through with 'inherit' -- gateway may handle it.
+  }
+
+  return resolvedAuthProfile;
+}
+
+async function runAgentTurnForSelection(job, deps, prompt, sessionKey, selection, dispatchAgentTurn) {
+  const { log } = deps;
+  const { syncAuthStoreToSession: syncAuth, applySessionOverridesToSessionStore: applySessionOverrides } = deps;
+
+  // Always sync the live auth store before each attempt so refreshed credentials
+  // are visible to any embedded/isolated runner startup.
+  if (typeof syncAuth === 'function') {
+    const syncResult = syncAuth(job.agent_id || 'main');
+    if (syncResult.ok) {
+      log('debug', `Synced live auth store to agent '${job.agent_id || 'main'}'`, { jobId: job.id });
+    } else {
+      log('warn', `Failed to sync auth store: ${syncResult.error}`, { jobId: job.id });
+    }
+  }
+
+  if (typeof applySessionOverrides === 'function') {
+    const applyResult = applySessionOverrides(
+      sessionKey,
+      {
+        authProfile: selection.authProfile,
+        modelRef: selection.model || null,
+      },
+      job.agent_id || 'main',
+    );
+    if (applyResult.ok) {
+      log('debug', `Applied session overrides for ${sessionKey}`, {
+        jobId: job.id,
+        authProfile: selection.authProfile || null,
+        modelRef: selection.model || null,
+      });
+    } else {
+      log('warn', `Failed to apply session overrides: ${applyResult.error}`, { jobId: job.id, sessionKey });
+    }
+  }
+
+  return dispatchAgentTurn({
+    message: prompt,
+    agentId: job.agent_id || 'main',
+    sessionKey,
+    authProfile: selection.authProfile,
+    idleTimeoutMs: (job.payload_timeout_seconds || 120) * 1000,
+    pollIntervalMs: 60000,
+    absoluteTimeoutMs: job.run_timeout_ms || 300000,
+  });
+}
+
 export async function executeAgent(job, ctx, deps) {
   const {
     waitForGateway, updateRunSession, setAgentStatus,
@@ -1224,7 +1311,6 @@ export async function executeAgent(job, ctx, deps) {
     runIsolatedAgentTurn,
     updateContextSummary, releaseDispatch, releaseIdempotencyKey,
     updateJob, matchesSentinel, detectTransientError,
-    listSessions,
     sqliteNow, log,
   } = deps;
   const dispatchAgentTurn = runIsolatedAgentTurn || runAgentTurnWithActivityTimeout;
@@ -1264,82 +1350,45 @@ export async function executeAgent(job, ctx, deps) {
   const { prompt, contextMeta } = buildJobPrompt(job, ctx.run);
   try { updateContextSummary(ctx.run.id, contextMeta); } catch (_e) { /* column may not exist yet */ }
 
-  // Resolve auth_profile: use effective profile from child credential policy
-  // if available (set by 'inherit' policy), otherwise fall back to the job's own.
-  let resolvedAuthProfile = ctx.v02Outcomes?.effective_auth_profile || job.auth_profile || undefined;
-  if (resolvedAuthProfile === 'inherit') {
-    try {
-      const sessions = await listSessions({ kinds: ['main'], activeMinutes: 120, limit: 10 });
-      const sessionList = sessions?.result?.details?.sessions || sessions?.result?.sessions || sessions?.sessions || sessions || [];
-      const mainSession = Array.isArray(sessionList)
-        ? sessionList.find(s => {
-            const key = s.key || s.sessionKey || '';
-            return key.includes(':main:') || key.endsWith(':main') || key === 'main';
-          })
-        : null;
-      const profileId = mainSession?.authProfileOverride || mainSession?.authProfile || mainSession?.profile;
-      if (profileId) {
-        resolvedAuthProfile = profileId;
-        log('debug', `Resolved auth_profile 'inherit' -> '${profileId}'`, { jobId: job.id });
-      } else {
-        log('debug', `auth_profile 'inherit' -- no main session profile found, passing 'inherit' as-is`, { jobId: job.id });
-      }
-    } catch (err) {
-      log('warn', `Failed to resolve 'inherit' auth_profile: ${err.message}`, { jobId: job.id });
-      // Fall through with 'inherit' -- gateway may handle it
-    }
-  }
+  const primarySelection = {
+    model: job.payload_model || undefined,
+    authProfile: await resolveConfiguredAuthProfile(
+      ctx.v02Outcomes?.effective_auth_profile || job.auth_profile || undefined,
+      deps,
+      job.id,
+      ctx.v02Outcomes?.effective_auth_profile ? 'effective_auth_profile' : 'auth_profile'
+    ),
+  };
+  const hasConfiguredFallback = job.payload_model_fallback != null || job.auth_profile_fallback != null;
+  const fallbackSelection = hasConfiguredFallback ? {
+    model: job.payload_model_fallback || primarySelection.model || undefined,
+    authProfile: job.auth_profile_fallback != null
+      ? await resolveConfiguredAuthProfile(job.auth_profile_fallback, deps, job.id, 'auth_profile_fallback')
+      : primarySelection.authProfile,
+  } : null;
+
+  let turnResult;
+  try {
+    turnResult = await runAgentTurnForSelection(job, deps, prompt, sessionKey, primarySelection, dispatchAgentTurn);
+  } catch (primaryError) {
+    const canTryConfiguredFallback = fallbackSelection && !sameAgentSelection(primarySelection, fallbackSelection);
+    if (!canTryConfiguredFallback) throw primaryError;
 
-  // Always sync the live auth store to the agent's auth-profiles.json BEFORE
-  // every agent turn. This ensures sessions that reuse a stable key (scheduler:<jobId>)
-  // always have fresh credentials -- token refreshes, order changes, and new
-  // profiles are picked up automatically without requiring an explicit auth_profile
-  // on every job.
-  const { syncAuthStoreToSession: syncAuth } = deps;
-  if (typeof syncAuth === 'function') {
-    const syncResult = syncAuth(job.agent_id || 'main');
-    if (syncResult.ok) {
-      log('debug', `Synced live auth store to agent '${job.agent_id || 'main'}'`, { jobId: job.id });
-    } else {
-      log('warn', `Failed to sync auth store: ${syncResult.error}`, { jobId: job.id });
-    }
-  }
+    log('warn', 'Primary agent selection failed; retrying with configured fallback', {
+      jobId: job.id,
+      primary: describeAgentSelection(primarySelection),
+      fallback: describeAgentSelection(fallbackSelection),
+      error: primaryError.message,
+    });
 
-  // Apply auth profile to session store BEFORE the agent turn.
-  // The x-openclaw-auth-profile HTTP header is not read by the gateway (dead header).
-  // Writing authProfileOverride directly to sessions.json is the effective mechanism
-  // for auth profile propagation to isolated/embedded sessions.
-  if (resolvedAuthProfile && resolvedAuthProfile !== 'inherit') {
-    const { applyAuthProfileToSessionStore: applyAuthProfile } = deps;
-    if (typeof applyAuthProfile === 'function') {
-      const applyResult = applyAuthProfile(sessionKey, resolvedAuthProfile, job.agent_id || 'main');
-      if (applyResult.ok) {
-        log('debug', `Applied auth profile '${resolvedAuthProfile}' to session store for ${sessionKey}`, { jobId: job.id });
-      } else {
-        log('warn', `Failed to apply auth profile to session store: ${applyResult.error}`, { jobId: job.id, sessionKey });
-      }
+    try {
+      turnResult = await runAgentTurnForSelection(job, deps, prompt, sessionKey, fallbackSelection, dispatchAgentTurn);
+      log('info', 'Configured agent fallback succeeded', { jobId: job.id, fallback: describeAgentSelection(fallbackSelection) });
+    } catch (fallbackError) {
+      throw new Error(`Primary agent selection failed: ${primaryError.message}; configured fallback also failed: ${fallbackError.message}`, { cause: fallbackError });
     }
   }
 
-  // Isolated dispatch primitive: HTTP-only chat completions call. The
-  // scheduler must never fork a sibling `openclaw` process to spawn an
-  // isolated session -- that variant has historically SIGTERM'd the
-  // launchd-tracked gateway parent and orphaned a node process on port
-  // 18789 (see ISOLATED_DISPATCH_PRIMITIVE in gateway.js).
-  const turnResult = await dispatchAgentTurn({
-    message: prompt,
-    agentId: job.agent_id || 'main',
-    sessionKey,
-    model: job.payload_model || undefined,
-    authProfile: resolvedAuthProfile,
-    // materializedEnv deferred: the x-openclaw-env-inject header is not sent
-    // until the OpenClaw gateway implements the receiver side. See
-    // openclaw/docs/env-inject-proposal.md for the gateway spec.
-    idleTimeoutMs: (job.payload_timeout_seconds || 120) * 1000,
-    pollIntervalMs: 60000,
-    absoluteTimeoutMs: job.run_timeout_ms || 300000,
-  });
-
   const content = turnResult.content || '';
   const trimmed = content.trim();
 

package/dispatcher.js

@@ -54,7 +54,7 @@ import {
   runAgentTurnWithActivityTimeout, runIsolatedAgentTurn,
   sendSystemEvent, getAllSubAgentSessions, listSessions,
   deliverMessage, checkGatewayHealth, waitForGateway, resolveDeliveryAlias,
-  applyAuthProfileToSessionStore,
+  applySessionOverridesToSessionStore,
   syncAuthStoreToSession,
 } from './gateway.js';
 import { normalizeShellResult } from './shell-result.js';
@@ -314,7 +314,7 @@ function buildDispatchDeps() {
     updateContextSummary, releaseIdempotencyKey,
     matchesSentinel, detectTransientError,
     listSessions,
-    applyAuthProfileToSessionStore,
+    applySessionOverridesToSessionStore,
     syncAuthStoreToSession,
     // Finalize
     updateIdempotencyResultHash,
@@ -430,8 +430,10 @@ function buildJobPrompt(job, run) {
     execution_intent: job.execution_intent || 'execute',
     execution_read_only: Boolean(job.execution_read_only),
     payload_model: job.payload_model || null,
+    payload_model_fallback: job.payload_model_fallback || null,
     payload_thinking: job.payload_thinking || null,
     auth_profile: job.auth_profile || null,
+    auth_profile_fallback: job.auth_profile_fallback || null,
   };
 
   const triggerContext = buildTriggeredRunContext(run);

package/docs/gateway-contract.md

@@ -90,6 +90,10 @@ single user message to an agent and receives the complete assistant response.
 The `model` field defaults to `openclaw:<agentId>` but can be overridden via
 `job.payload_model`.
 
+If `job.payload_model_fallback` and/or `job.auth_profile_fallback` are set, the
+scheduler retries once in the same run with the configured fallback selection
+after a primary selection error.
+
 **Response body** (expected):
 
 ```json
@@ -653,6 +657,23 @@ directly as the `x-openclaw-auth-profile` header value without resolution.
 
 ---
 
+## Fallback Model / Auth Selection
+
+Jobs can optionally persist `payload_model_fallback` and `auth_profile_fallback`
+alongside the primary `payload_model` / `auth_profile` fields.
+
+Runtime behavior:
+
+- The scheduler attempts the primary selection first.
+- If the primary chat-completions request errors before a usable assistant
+  reply is returned, `executeAgent()` retries once in the same run using the
+  configured fallback overrides.
+- Any fallback dimension left unset keeps the primary effective value.
+- Existing jobs remain backward-compatible because both fallback fields default
+  to `NULL` and no retry is attempted unless a fallback override is configured.
+
+---
+
 ## Env-Inject Forwarding
 
 When credential materialization for an agent task produces a non-empty plain

package/gateway.js

@@ -144,6 +144,7 @@ export async function runAgentTurn(opts) {
  * @param {number} opts.pollIntervalMs    - How often to poll session activity (default: 60000)
  * @param {number} opts.absoluteTimeoutMs - Hard ceiling regardless of activity (default: 300000)
  * @param {string} opts.authProfile       - Auth profile override (null, 'inherit', or 'provider:label')
+ * @param {string[]} [opts.sessionKinds]  - Optional session kinds to track for activity polling
  */
 export async function runAgentTurnWithActivityTimeout(opts) {
   const {
@@ -155,10 +156,46 @@ export async function runAgentTurnWithActivityTimeout(opts) {
     idleTimeoutMs = 120000,       // per-check idle threshold (from payload_timeout_seconds)
     pollIntervalMs = 60000,       // check activity every 60s
     absoluteTimeoutMs = 300000,   // hard ceiling (run_timeout_ms)
+    sessionKinds,
   } = opts;
 
   const controller = new AbortController();
   let abortReason = null;
+  const normalizedAgentId = (agentId || 'main').toLowerCase();
+  const normalizedSessionKey = String(sessionKey || '').toLowerCase();
+
+  const inferSessionKinds = () => {
+    if (Array.isArray(sessionKinds) && sessionKinds.length > 0) {
+      return [...new Set(sessionKinds.map(k => String(k).toLowerCase()).filter(Boolean))];
+    }
+
+    // Explicitly isolated/subagent sessions should not be pinned to main session
+    // so they can report idleness based on their own active session records.
+    if (
+      normalizedSessionKey === 'isolated' ||
+      normalizedSessionKey.startsWith('isolated:') ||
+      normalizedSessionKey.endsWith(':isolated') ||
+      normalizedSessionKey.includes(':isolated:') ||
+      normalizedAgentId === 'subagent'
+    ) {
+      return ['subagent', 'isolated'];
+    }
+
+    // Default to including main unless we can clearly infer this is an isolated run.
+    if (
+      normalizedAgentId === 'main' ||
+      normalizedSessionKey === 'main' ||
+      normalizedSessionKey.startsWith('main:') ||
+      normalizedSessionKey.includes(':main:') ||
+      normalizedSessionKey.endsWith(':main')
+    ) {
+      return ['main', 'subagent', 'isolated'];
+    }
+
+    return ['main', 'subagent', 'isolated'];
+  };
+
+  const resolvedSessionKinds = inferSessionKinds();
 
   // Hard absolute ceiling -- always fires regardless of activity
   const absoluteTimer = setTimeout(() => {
@@ -171,7 +208,7 @@ export async function runAgentTurnWithActivityTimeout(opts) {
 
   const checkActivity = async () => {
     try {
-      const result = await listSessions({ kinds: ['subagent', 'isolated'], activeMinutes: 60 });
+      const result = await listSessions({ kinds: resolvedSessionKinds, activeMinutes: 60 });
       // Normalise: gateway wraps result in several layers
       const sessions =
         result?.result?.details?.sessions ||
@@ -551,20 +588,55 @@ export async function waitForGateway(timeoutMs = 30000, intervalMs = 2000) {
  * @param {string} [agentId='main'] - Agent ID for store path resolution
  * @returns {{ ok: boolean, error?: string }}
  */
-export function applyAuthProfileToSessionStore(sessionKey, authProfile, agentId = 'main') {
-  if (!sessionKey || !authProfile) {
-    return { ok: false, error: 'sessionKey and authProfile are required' };
-  }
-
-  // The gateway may persist session state under either the canonical agent-scoped
-  // key or the flat transport key, depending on which path created the session.
-  // Keep both aliases in sync so isolated scheduler jobs cannot miss the override.
+function resolveSessionKeyAliases(sessionKey, agentId = 'main') {
   const canonicalMatch = sessionKey.match(/^agent:[^:]+:(.+)$/);
   const canonicalKey = sessionKey.startsWith('agent:')
     ? sessionKey
     : `agent:${agentId}:${sessionKey}`;
   const flatSessionKey = canonicalMatch?.[1] || sessionKey;
-  const keyAliases = Array.from(new Set([canonicalKey, flatSessionKey]));
+  return Array.from(new Set([canonicalKey, flatSessionKey]));
+}
+
+function parseSessionModelRef(modelRef) {
+  const trimmed = typeof modelRef === 'string' ? modelRef.trim() : '';
+  if (!trimmed) {
+    return { providerOverride: undefined, modelOverride: undefined };
+  }
+  const slashIndex = trimmed.indexOf('/');
+  if (slashIndex <= 0 || slashIndex >= trimmed.length - 1) {
+    return { providerOverride: undefined, modelOverride: trimmed };
+  }
+  const providerOverride = trimmed.slice(0, slashIndex).trim();
+  const modelOverride = trimmed.slice(slashIndex + 1).trim();
+  return {
+    providerOverride: providerOverride || undefined,
+    modelOverride: modelOverride || undefined,
+  };
+}
+
+/**
+ * Write scheduler-managed session overrides directly to the gateway's sessions.json store.
+ *
+ * The gateway reads sessions.json on each agent turn (with mtime-based cache
+ * invalidation), so writing here before dispatch ensures the embedded runner
+ * picks up the correct auth profile and model selection.
+ *
+ * @param {string} sessionKey - Session key as used in the HTTP request (e.g. 'scheduler:<jobId>')
+ * @param {{ authProfile?: string | null, modelRef?: string | null }} overrides - Desired session overrides
+ * @param {string} [agentId='main'] - Agent ID for store path resolution
+ * @returns {{ ok: boolean, error?: string }}
+ */
+export function applySessionOverridesToSessionStore(sessionKey, overrides = {}, agentId = 'main') {
+  if (!sessionKey) {
+    return { ok: false, error: 'sessionKey is required' };
+  }
+
+  const authProfile = typeof overrides.authProfile === 'string' ? overrides.authProfile.trim() : '';
+  const shouldSetAuthProfile = Boolean(authProfile) && authProfile !== 'inherit';
+  const { providerOverride, modelOverride } = parseSessionModelRef(overrides.modelRef);
+  const shouldSetModelOverride = Boolean(modelOverride);
+
+  const keyAliases = resolveSessionKeyAliases(sessionKey, agentId);
   const sessionsPath = join(HOME_DIR, '.openclaw', 'agents', agentId, 'sessions', 'sessions.json');
 
   try {
@@ -579,28 +651,59 @@ export function applyAuthProfileToSessionStore(sessionKey, authProfile, agentId
     let changed = false;
 
     for (const key of keyAliases) {
-      const entry = store[key];
-      if (!entry) {
-        // Session doesn't exist yet -- create a minimal entry.
-        // The gateway will populate the rest on the first agent turn.
-        store[key] = {
-          updatedAt: now,
-          authProfileOverride: authProfile,
-          authProfileOverrideSource: 'user',
-        };
-        changed = true;
+      const existingEntry = store[key];
+      if (!existingEntry && !shouldSetAuthProfile && !shouldSetModelOverride) {
         continue;
       }
 
-      if (entry.authProfileOverride !== authProfile || entry.authProfileOverrideSource !== 'user') {
-        // Update existing entry
-        entry.authProfileOverride = authProfile;
-        entry.authProfileOverrideSource = 'user';
-        entry.updatedAt = now;
-        // Clear compaction count so the override sticks across compactions
+      const entry = existingEntry || { updatedAt: now };
+      let entryChanged = false;
+
+      if (shouldSetAuthProfile) {
+        if (entry.authProfileOverride !== authProfile || entry.authProfileOverrideSource !== 'user') {
+          entry.authProfileOverride = authProfile;
+          entry.authProfileOverrideSource = 'user';
+          delete entry.authProfileOverrideCompactionCount;
+          entryChanged = true;
+        }
+      } else if (
+        entry.authProfileOverride !== undefined ||
+        entry.authProfileOverrideSource !== undefined ||
+        entry.authProfileOverrideCompactionCount !== undefined
+      ) {
+        delete entry.authProfileOverride;
+        delete entry.authProfileOverrideSource;
         delete entry.authProfileOverrideCompactionCount;
-        changed = true;
+        entryChanged = true;
       }
+
+      if (shouldSetModelOverride) {
+        if (entry.modelOverride !== modelOverride) {
+          entry.modelOverride = modelOverride;
+          entryChanged = true;
+        }
+        if (providerOverride) {
+          if (entry.providerOverride !== providerOverride) {
+            entry.providerOverride = providerOverride;
+            entryChanged = true;
+          }
+        } else if (entry.providerOverride !== undefined) {
+          delete entry.providerOverride;
+          entryChanged = true;
+        }
+      } else if (entry.modelOverride !== undefined || entry.providerOverride !== undefined) {
+        delete entry.modelOverride;
+        delete entry.providerOverride;
+        entryChanged = true;
+      }
+
+      if (!entryChanged) {
+        continue;
+      }
+
+      entry.updatedAt = now;
+      store[key] = entry;
+      changed = true;
     }
 
     if (!changed) {
@@ -614,9 +717,16 @@ export function applyAuthProfileToSessionStore(sessionKey, authProfile, agentId
   }
 }
 
+export function applyAuthProfileToSessionStore(sessionKey, authProfile, agentId = 'main') {
+  if (!sessionKey || !authProfile) {
+    return { ok: false, error: 'sessionKey and authProfile are required' };
+  }
+  return applySessionOverridesToSessionStore(sessionKey, { authProfile }, agentId);
+}
+
 /**
- * Sync the live auth-profiles.json from ~/.openclaw/credentials/ to the agent's
- * auth store at ~/.openclaw/agents/<agentId>/agent/auth-profiles.json.
+ * Sync the live auth-profiles.json from the main agent store to the target
+ * agent store at ~/.openclaw/agents/<agentId>/agent/auth-profiles.json.
  *
  * This ensures scheduler sessions always use fresh credentials (tokens, order,
  * default profile) even when no explicit auth_profile is set on the job.
@@ -630,7 +740,7 @@ export function applyAuthProfileToSessionStore(sessionKey, authProfile, agentId
  * @returns {{ ok: boolean, error?: string }}
  */
 export function syncAuthStoreToSession(agentId = 'main') {
-  const livePath = join(HOME_DIR, '.openclaw', 'credentials', 'auth-profiles.json');
+  const livePath = join(HOME_DIR, '.openclaw', 'agents', 'main', 'agent', 'auth-profiles.json');
   const agentStorePath = join(HOME_DIR, '.openclaw', 'agents', agentId, 'agent', 'auth-profiles.json');
 
   try {