[Bug] Safe retry is blocked by unknown exposed tool boundaries before provider progress

[Astro-Han]

What happened?

A production build still showed the conservative interruption message:

The connection was interrupted, and PawWork could not prove whether external side effects were possible.

The session export shows the terminal request failed with an OpenAI Service Unavailable before first provider progress. No assistant output started, no tool input started, no tool call materialized, and no tool execution started. However, incident recovery still downgraded the run to ask_user_before_retry because the global side-effect boundary proof was incomplete: 10 exposed tools were classified as unknown.

This means a run that appears dynamically safe to retry is blocked by static unknown exposed-tool metadata, even when none of those tools were called.

Which area seems affected?

Model harness, prompts, tools, or session mechanics

How much does this affect you?

Makes a workflow harder, but there is a workaround

Steps to reproduce

1. Open PawWork production build 0.0.0-prod-202605251621.
2. Start a session with the normal tool set exposed.
3. Hit a provider transport failure before first provider progress, such as OpenAI Service Unavailable.
4. Inspect the session export / incident diagnostics.
5. Observe that the terminal attempt has no visible output and no tool activity, but recovery still asks the user before retrying because side_effect_facts_complete is false.

Observed export facts from pawwork-session-mighty-cactus-2026-05-26-01-33-38.json:

{
  "classification": "external_stream_disconnect",
  "summary_key": "external_stream_disconnect.transport_failure",
  "provider_progress_seen": false,
  "visible_output_seen": false,
  "tool_input_started": false,
  "tool_call_materialized": false,
  "tool_execution_started": false,
  "unsafe_side_effect_started": false,
  "retry_safety": {
    "recommendation": "candidate_safe_auto_retry",
    "reason": "no_visible_output_or_tool_execution"
  },
  "side_effect_facts_complete": false,
  "side_effect_boundary_snapshot": {
    "exposed_tool_count": 16,
    "unknown_tool_count": 10,
    "proof_result": "incomplete",
    "proof_reason": "unknown_tool_boundary"
  },
  "incident": {
    "recovery": {
      "recommendation": "ask_user_before_retry",
      "reason": "side_effect_facts_incomplete"
    },
    "missing_provenance": ["side_effect.boundary_unknown"]
  }
}

Relevant code path:

• packages/opencode/src/session/processor.ts: sideEffectBoundarySnapshot() marks the exposed tool set incomplete when any exposed tool effect is unknown.
• packages/opencode/src/session/run-incident/policy.ts: !terminalFacts.side_effect_facts_complete returns ask_user_before_retry before the later retryable-transport auto-retry path can run.
• packages/opencode/src/session/processor.ts: side_effect_facts_incomplete maps to the conservative user-facing interruption message.

What did you expect to happen?

If the terminal attempt failed before first provider progress and no output/tool activity occurred, PawWork should auto-retry once or show the safer early-transport-failure message. Unknown exposed tools should not block safe retry when no tool input started, no tool call materialized, and no tool execution started.

PawWork version

0.0.0-prod-202605251621

OS version

macOS 25.5.0

Can you reproduce it again?

Only once so far

Diagnostics

Session export inspected locally:

/Users/yuhan/Downloads/pawwork-session-mighty-cactus-2026-05-26-01-33-38.json

Potential fix directions:

• Minimal: add an early recovery fast path for retryable transport failures before first provider progress with no visible output and no tool activity, bypassing incomplete exposed-tool boundary proof unless provider-executed/external boundaries are present.
• Cleaner follow-up: separate static offered-tool boundary completeness from dynamic attempt-side-effect possibility, so recovery policy is based on what actually happened before interruption.

[Astro-Han]

Proposed design direction

The current recovery logic conflates two different questions:

1. Static offered-tool boundary completeness — do we know the side-effect profile of every tool exposed to the model for this request?
2. Dynamic attempt side-effect possibility — did this particular failed attempt get far enough for output or side effects to be possible?

For retry safety, the second question should dominate. Unknown metadata for tools that were merely exposed should not block a retry when the terminal attempt failed before first provider progress and no tool activity happened.

Minimal fix

Add an early recovery fast path in packages/opencode/src/session/run-incident/policy.ts before the generic !terminalFacts.side_effect_facts_complete guard.

If all of these are true:

• the failure is a retryable provider transport disconnect / watchdog timeout;
• the terminal attempt failed before first provider progress;
• no text or visible output started;
• no tool input started;
• no tool call materialized;
• no tool execution started;
• no unsafe side effect started;
• no provider-executed capability or explicit external boundary is present;

then return auto_retry_once with reason no_visible_output_or_tool_execution.

Sketch:

if (
  retryableTransport &&
  noToolActivity &&
  !terminalFacts.provider_progress_seen &&
  !terminalFacts.visible_output_seen &&
  !terminalFacts.text_output_started &&
  !terminalFacts.unsafe_side_effect_started &&
  !terminalFacts.side_effect_boundary_snapshot?.provider_executed_capability_present &&
  !terminalFacts.side_effect_boundary_snapshot?.external_boundary_present
) {
  return {
    ...base,
    recommendation: "auto_retry_once",
    confidence: "high",
    reason: "no_visible_output_or_tool_execution",
    auto_retry: { max_attempts: 1, backoff_ms: 1_000 },
  }
}

This is the smallest change that fixes the observed production case while preserving the conservative path for later interruptions, partial tool input, materialized tool calls, executed tools, or visible output.

Cleaner long-term model

Split the current side_effect_facts_complete concept into two separate facts:

offered_tool_boundary_complete: boolean
attempt_side_effect_possible: boolean

Where:

• offered_tool_boundary_complete means the exposed tool set is fully classified. This is useful for diagnostics, export quality, and preventing tool metadata drift.
• attempt_side_effect_possible means the failed attempt actually reached a point where side effects could have occurred. This should drive recovery behavior.

Under that model, this incident would be represented as:

{
  "offered_tool_boundary_complete": false,
  "attempt_side_effect_possible": false,
  "recovery": {
    "recommendation": "auto_retry_once",
    "reason": "provider_failed_before_first_progress"
  }
}

The UI could then show an accurate message such as:

The provider connection failed before PawWork produced output or ran tools. Retrying once.

instead of implying PawWork could not prove whether external side effects were possible.

Tool metadata follow-up

The deeper fix is to stop inferring tool effects only from tool names in run-observability/sanitize.ts. Tool definitions should carry explicit effect metadata at registration time, for example:

{
  name: "read",
  effects: {
    kind: "read_only",
    boundary: "local_filesystem",
    complete: true,
  },
}

Then tests can fail when a new tool is registered without effect metadata, instead of letting the runtime silently classify it as unknown.

Suggested implementation order

1. Ship the minimal policy fast path first to restore safe retry for early provider failures.
2. Add regression coverage for the exact exported shape: provider failure before first progress, no output, no tool activity, exposed unknown tools.
3. Follow up by separating static offered-tool completeness from dynamic attempt-side-effect possibility.
4. Move tool effect classification to explicit tool registration metadata.

[Astro-Han]

Design review refinements

The overall direction still holds, but the minimal fix should be tightened before implementation. The key principle remains: retry safety should be based on what actually happened before the failure, not only on which tools were statically exposed. However, the fast path must remain fail-closed when evidence is missing or inconsistent.

P0

None.

P1

None.

P2

Fast path must not treat a missing boundary snapshot as safe

The previous sketch used optional chaining for boundary checks:

!terminalFacts.side_effect_boundary_snapshot?.provider_executed_capability_present
!terminalFacts.side_effect_boundary_snapshot?.external_boundary_present

That would pass when side_effect_boundary_snapshot is missing. That is too permissive: absence of evidence is not proof that no provider-executed or external boundary exists.

The fast path should require a snapshot to be present and should require explicit false values:

const snapshot = terminalFacts.side_effect_boundary_snapshot
if (!snapshot) return false
if (snapshot.provider_executed_capability_present !== false) return false
if (snapshot.external_boundary_present !== false) return false

If the snapshot is missing, recovery should stay conservative or emit a diagnostic that the evidence is incomplete.

Regression coverage should include a negative case where the transport failure occurs before provider progress but the boundary snapshot is missing. Expected result: no auto retry.

Dynamic side-effect possibility should be tri-state, not boolean

The long-term model should not use a plain boolean like:

attempt_side_effect_possible: boolean

Real incidents can have missing evidence, missing ordering, contradictory fields, old exports, or unrecorded provider boundaries. Those cases are not false; they are unknown.

Use a tri-state or discriminated model instead, for example:

attempt_side_effect_possibility:
  | { value: "no"; confidence: "high"; reason: string; evidence_basis: string[] }
  | { value: "possible"; confidence: "medium" | "high"; reason: string; evidence_basis: string[] }
  | { value: "unknown"; confidence: "low" | "medium"; reason: string; evidence_basis: string[] }

Recovery should only auto-retry from the "no" state with sufficiently strong evidence.

Regression coverage should include inconsistent evidence such as:

• evidence ordering missing;
• tool_input_completed without tool_input_started;
• tool_execution_completed without tool_execution_started;
• tool_execution_completed without tool materialization.

Expected result for those cases: unknown side-effect possibility and conservative recovery.

“No tool activity” should cover all tool state, including inconsistent telemetry

The fast path should not only check tool_input_started, tool_call_materialized, and tool_execution_started. It should also fail closed on residual or contradictory tool state, including:

• tool_input_completed;
• tool_execution_completed;
• interrupted or pending tool parts, if represented in the facts;
• any future tool-state flag that indicates partial tool activity.

This should be extracted into a predicate such as:

attemptHasNoOutputOrToolActivity(facts)

The predicate should return false when telemetry is contradictory, even if the normal “started” flag is absent.

Negative tests should cover:

• only tool_input_completed is true;
• pending/interrupted tool parts are present;
• tool_execution_completed is true without tool_execution_started.

P3

Prefer a named predicate over inline policy conditions

The fast-path conditions are safety boundaries, not incidental UI checks. They should not live as a long inline if in policy.ts.

Prefer a named helper such as:

canAutoRetryBeforeFirstProviderProgress({ cause, facts, retryable })

or similar. It should reuse or extend the existing boundary helper so that reasoning-only retry and before-progress retry apply consistent boundary rules.

Add both positive and negative regression coverage

The positive test should cover the observed export shape:

• retryable provider transport failure;
• before first provider progress;
• no visible/text output;
• no tool input;
• no tool call materialized;
• no tool execution;
• exposed unknown tools;
• boundary snapshot present with no provider-executed or external boundary.

Expected result: auto_retry_once.

Negative matrix should include at least:

• visible output started;
• text output started;
• tool input started;
• tool call materialized;
• tool execution started;
• unsafe side effect started;
• provider-executed capability present;
• external boundary present;
• boundary snapshot missing;
• retryable false;
• the one automatic retry has already been consumed, if that state is tracked at this seam.

The goal is to prove the fast path only allows truly early, no-output, no-tool, no-external-boundary failures.

Tool effect metadata follow-up needs stricter schema

Moving tool effect classification to tool registration metadata is still the right follow-up, but the schema should be stricter than the illustrative example.

The follow-up design should define:

• who is allowed to declare a tool effect as complete;
• the fail-closed default when metadata is missing;
• how provider-executed capabilities are represented;
• how explicit external boundaries are represented;
• how tests fail when a new tool is registered without effect metadata;
• how runtime behavior remains conservative if metadata is missing despite type/test coverage.