[Feature] Recover faster from stalled reasoning-model connections before safe retry

[Astro-Han]

What task are you trying to do?

I want PawWork to recover faster when GPT/reasoning model connections stall before the provider produces any content.

Recent production session exports showed repeated failures where OpenAI gpt-5.5 never reached first provider progress. PawWork waited the reasoning-model connect watchdog ceiling (120000ms) each time before deciding the connection was interrupted. Once #914 lands, these early no-output/no-tool failures can be retried safely, but the first attempt can still leave the user waiting for roughly two minutes before recovery begins.

Which area would this change affect?

Model harness, prompts, tools, or session mechanics

What do you do today?

Today, when a reasoning model connection stalls before first provider progress, PawWork waits up to 120 seconds before it can retry or show recovery. This is especially painful for high-frequency GPT usage because one provider/network wobble can freeze the visible workflow for two minutes even though the attempt produced no output and ran no tools.

The 120-second ceiling was introduced by #758 for a real reason: some reasoning-model runs can take more than 30 seconds before first observable provider progress. That means simply reverting to the default 30-second connect watchdog would risk false timeouts on legitimate slow starts.

What would a good result look like?

PawWork should fail faster on the first stalled connection while still giving legitimate slow reasoning-model starts enough room to complete.

A likely direction to evaluate after #914:

• Use a shorter first-attempt connect watchdog for reasoning models, such as 45s or 60s.
• If the first attempt fails before provider progress and fix: allow safe retry before provider progress #914 proves no output or tool activity happened, retry automatically once.
• Let the automatic retry keep the longer 120s ceiling, so a legitimate slow first-progress run is not killed repeatedly.
• Keep conservative behavior for any attempt that reaches final text, tool input, tool call materialization, tool execution, provider-executed capability, external boundary, user cancel, lifecycle close, quota, context overflow, or another non-retryable error.

The exact timeout values and user-visible behavior should be discussed before implementation because this affects the trade-off between faster recovery and false-positive timeouts.

What would count as done?

• The issue has an agreed timeout strategy documented in a comment before implementation.
• The implementation does not broaden retry safety beyond fix: allow safe retry before provider progress #914's early no-output/no-tool recovery boundary.
• Reasoning-model first attempts no longer always wait 120s before safe retry can begin.
• Legitimate slow first-progress reasoning runs still have a protected path, likely by keeping a longer timeout on the retry attempt.
• Targeted tests cover the selected strategy, including first attempt timeout, retry attempt timeout, and non-retryable/conservative paths.
• Verification uses the captured session-export shape from the May 26 failures and existing fix: widen LLM connect timeout for reasoning models #758/fix: allow safe retry before provider progress #914 context.

What should stay out of scope?

• Do not change the broader provider retry taxonomy.
• Do not retry after final assistant text or tool activity has started.
• Do not change quota, context-overflow, user-cancel, or lifecycle-close behavior.
• Do not redesign the full incident recovery system.
• Do not change UI copy unless the agreed strategy requires it.

Which audience does this matter to most?

Both

Extra context

Related work:

• fix: widen LLM connect timeout for reasoning models #758 widened the reasoning-model first-progress watchdog to 120s because gpt-5.5 could legitimately exceed the previous 30s ceiling.
• fix: allow safe retry before provider progress #914 allows safe auto retry before first provider progress when no output or tool activity happened.
• Two May 26 production exports showed five failures clustered within about nine minutes, all before first provider progress, with no output and no tool activity:
  • pawwork-session-proud-comet-2026-05-26-02-33-44.json
  • pawwork-session-sunny-meadow-2026-05-26-02-31-46.json

Observed failure shapes:

• watchdog_timeout / connect, after 120000ms without provider progress.
• provider_transport_disconnect before first provider progress, with UND_ERR_SOCKET / other side closed.

This should be treated as a follow-up design/implementation slice after #914 rather than being folded into #914.

[Astro-Han]

Agreed direction

Use a two-attempt recovery strategy for reasoning-model connections that stall before first provider progress:

• First attempt connect watchdog: 60s.
• One automatic safe retry: 120s.
• No automatic third attempt.
• The shorter first-attempt timeout only applies when the terminal attempt is still inside the safe fix: allow safe retry before provider progress #914 boundary: no provider progress, no final text, no reasoning output, no tool input, no materialized tool call, and no tool execution.
• Conservative paths stay unchanged for final text, reasoning/tool activity where applicable, provider-executed capability, external boundary, user cancel, lifecycle close, quota, context overflow, and other non-retryable errors.

Rationale from local production data:

• 11222 successful first-provider-progress samples from the local PawWork database.
• Overall successful first-progress distribution: P50 ~2.6s, P90 ~5.8s, P95 ~7.5s, P99 ~13.3s.
• openai/gpt-5.5: 10286 successful samples, P95 ~7.6s, P99 ~13.2s.
• A 60s first-attempt threshold would have interrupted 3 / 11222 successful samples (~0.027%) and 3 / 10286 gpt-5.5 samples (~0.029%).
• Keeping the retry attempt at 120s protects the rare legitimate slow-start tail instead of killing the same slow request twice.

Agreed user-facing copy

Keep the user-facing message short and non-technical. Do not expose provider progress, watchdogs, timeout values, or side-effect proof details in the normal UI.

Retrying state

Chinese:

模型暂时没有响应，正在重试…

English:

No response yet. Retrying…

Final state after the automatic retry does not recover

Chinese:

模型暂时没有响应。你可以稍后再试，或换一个模型。

English:

The model isn’t responding right now. Try again later or switch models.

Actions

Chinese:

• 重试
• 换模型
• 关闭

English:

• Try Again
• Switch Model
• Dismiss

Copy non-goals

• Do not mention external side effects or translate it literally.
• Do not mention PawWork / 爪印 in the main failure copy; the system's internal retry action is not useful to the user here.
• Do not show 60s / 120s in the normal failure copy.
• Do not add a separate technical details section for this default failure state. Diagnostics can remain in exports/logs.
• Do not blame the user's network or proxy unless a future diagnostic can prove that specific cause.

[Astro-Han]

Review follow-up constraints

Implementation should treat the review points below as part of the #918 acceptance criteria.

Attempt-scoped timeout policy

Do not lower the global reasoning-model stream timeout in ProviderTransform.streamTimeouts(model) from 120s to 60s.

The 60s / 120s behavior must be decided at the session processor attempt layer for the main assistant response recovery flow:

• First reasoning-model main-response attempt: REASONING_FIRST_ATTEMPT_CONNECT_TIMEOUT_MS = 60_000.
• Automatic safe retry attempt after the fix: allow safe retry before provider progress #914 no-output/no-tool boundary is proven: REASONING_SAFE_RETRY_CONNECT_TIMEOUT_MS = 120_000.
• Other llm.stream() call sites, including title generation or non-recovery streams, should keep the existing reasoning-model timeout unless they explicitly enter the same recovery state machine.

Safe-recovery presentation

The before-progress fast path must explicitly enter the safe-recovery UI/status/notice branch. It should not depend on a variable or predicate that only names the older reasoning-only retry case.

The no_visible_output_or_tool_execution recovery reason introduced by #914 should show the agreed short retrying copy, and if the retry also fails, should write the safe_retry_failed notice and show the agreed final copy.

Observability

Because a 60s first-attempt cutoff can interrupt a very small legitimate slow-start tail, the implementation should emit enough diagnostics to observe:

• first-attempt 60s connect timeouts,
• whether an automatic safe retry was attempted,
• whether that retry reached first provider progress,
• retry first-provider-progress latency when it succeeds,
• final failure rate after the safe retry.

The timeout values should remain easy to tune or roll back.

Manual retry semantics

There is no automatic third attempt. If the final failure UI offers Try Again, that user action starts a fresh user-triggered run. It must not continue the previous automatic attempt counter, and it must still go through the same safe boundary and timeout policy.

Test coverage

Tests should cover the combined behavior, not only the policy predicate:

• first attempt uses 60000ms connect timeout,
• automatic safe retry uses 120000ms connect timeout,
• no automatic third attempt,
• before-progress timeout shows the safe-recovery retrying state,
• retry failure writes safe_retry_failed and shows the final copy,
• title generation and other non-recovery streams are not shortened to 60s,
• provider progress, final text, tool input, materialized tool calls, tool execution, user cancel, lifecycle close, quota, and context overflow remain conservative.