fix(cron): classify denied isolated runs

docs/automation/cron-jobs.md

@@ -47,6 +47,7 @@ Cron is the Gateway's built-in scheduler. It persists jobs, wakes the agent at t
 - One-shot jobs (`--at`) auto-delete after success by default.
 - Isolated cron runs best-effort close tracked browser tabs/processes for their `cron:<jobId>` session when the run completes, so detached browser automation does not leave orphaned processes behind.
 - Isolated cron runs also guard against stale acknowledgement replies. If the first result is just an interim status update (`on it`, `pulling everything together`, and similar hints) and no descendant subagent run is still responsible for the final answer, OpenClaw re-prompts once for the actual result before delivery.
+- Isolated cron runs classify known execution-denial markers in the final summary/output as failures, including host markers such as `SYSTEM_RUN_DENIED` and `INVALID_REQUEST`, so a blocked command is not reported as a green run.
 
 <a id="maintenance"></a>
 

docs/cli/cron.md

@@ -57,6 +57,11 @@ Note: if an isolated cron run returns only the silent token (`NO_REPLY` /
 `no_reply`), cron suppresses direct outbound delivery and the fallback queued
 summary path as well, so nothing is posted back to chat.
 
+Note: isolated cron runs treat known denial markers in final output, such as
+`SYSTEM_RUN_DENIED`, `INVALID_REQUEST`, and approval-binding refusal phrases, as
+errors. `cron list` and run history then surface the matched token in the error
+reason instead of reporting a blocked command as `ok`.
+
 Note: `cron add|edit --model ...` uses that selected allowed model for the job.
 If the model is not allowed, cron warns and falls back to the job's agent/default
 model selection instead. Configured fallback chains still apply, but a plain