[Task] Consolidate model execution retry pipeline

[Astro-Han]

Goal

Consolidate PawWork's model execution retry path so ordinary provider retry behavior and PawWork's safe-recovery checks run through one session retry pipeline.

The desired long-term shape is:

• Keep /global/event SSE reconnect separate because it only restores event delivery and must not re-run model requests.
• Reuse the existing session retry engine for retry execution mechanics: attempt count, retry-after/backoff, status updates, retry events, and terminal retry classification.
• Keep PawWork's safe-recovery logic as a safety gate inside that pipeline, not as a second retry loop in session.processor.
• Preserve the short-term fix: scope reasoning safe retry timeouts by attempt #922 behavior while the migration happens: reasoning-model first attempt can fail fast, the one automatic safe retry keeps the longer protected timeout, and there is no automatic third safe-recovery attempt.

Scope

In scope:

• Audit the current split between SessionRetry.policy, session.processor safe-recovery retry handling, run-incident recovery decisions, run observability, and UI retry presentation.
• Define a single model execution retry pipeline with clear layer ownership:
  • Retry Engine: technical retryability, retry-after/backoff, attempts, retry status/event emission.
  • Safety Gate: run-observability based decision about whether re-running the model turn is safe.
  • UI / Observability: user-facing retry state, final notices, and diagnostic evidence about both engine and gate decisions.
• Migrate in small PRs instead of one broad rewrite.
• Keep fix: scope reasoning safe retry timeouts by attempt #922's 60s -> 120s reasoning safe-retry behavior stable during the migration.
• Keep conservative behavior for visible output, tool input, materialized tool calls, tool execution, external boundaries, provider-executed capabilities, user cancel, lifecycle close, quota, context overflow, and other non-retryable failures.

Out of scope:

• Replacing /global/event SSE reconnect with the model retry pipeline.
• Implementing full turn resume after partial output or tool execution.
• Redesigning atomic file writes or tool idempotency in this issue.
• Broad provider retry taxonomy changes beyond what is needed to plug the safety gate into the retry pipeline.
• Promising that every interrupted run can be recovered automatically.

Proposed design

Treat safe recovery as a gate, not an executor.

Flow:

model stream fails
  -> classify whether the failure is technically retryable
  -> derive run-incident safety from observability
  -> if both allow retry, the retry engine schedules and emits retry state
  -> processor re-enters the next attempt through the same pipeline

Layer ownership:

• SessionRetry.policy or its successor owns retry execution mechanics: attempt numbering, retry-after / backoff delay, max attempts, retry status payload shape, and retry event emission.
• RunIncident.recoveryFor / a small extracted safety module owns product safety: whether this failed attempt can be automatically replayed, requires user confirmation, should offer continue/resume, or should stop.
• session.processor should orchestrate the stream attempts, but should not maintain a separate ad hoc retry engine with its own counter, sleep, presentation predicate, and terminal behavior.
• UI copy and safe_retry_failed presentation should key off stable retry decision metadata instead of processor-local predicate names.

This keeps the important PawWork safety check while avoiding three competing retry mechanisms.

Suggested migration slices

1. Extract the safety gate behind a small pure API.

   Move the safe-recovery boundary checks out of session.processor into a module owned by run-incident / observability. This PR should be mostly mechanical and should not change behavior.

2. Add retry-decision metadata that can carry both engine and gate results.

   The processor should be able to distinguish technical retryability from safety permission without duplicating predicates such as reasoningOnlySafeRetry versus beforeProgressSafeRetry.

3. Route safe-recovery scheduling through the retry engine.

   Replace processor-local counter/sleep/status mechanics with the shared retry policy path while preserving current behavior: one automatic safe retry, existing retry status semantics, lifecycle-close interruption handling, and fix: scope reasoning safe retry timeouts by attempt #922's timeout policy.

4. Clean up UI / observability naming and tests.

   Ensure retry state, notices, exports, and tests make it clear whether a retry was blocked by technical classification, blocked by safety, attempted by the engine, or completed/failed after retry.

Risks

• A migration that only moves code could accidentally broaden automatic retry beyond the current safe boundary.
• A migration that only centralizes retry mechanics could lose PawWork-specific safety proof, especially around tool calls and external/provider-executed boundaries.
• Retry attempt counting can become misleading if ordinary provider retries and safe-recovery attempts are conflated without clear metadata.
• The fix: scope reasoning safe retry timeouts by attempt #922 reasoning-model timeout behavior can regress if timeout selection is moved before the safety decision is available.
• SSE reconnect may be confused with model retry unless naming and tests keep the boundary explicit.

Acceptance criteria

• There is one model execution retry pipeline for ordinary retryable provider failures and safe-recovery retries.
• Safe-recovery checks still block automatic retry after visible output, text output, reasoning output where applicable, tool input, materialized tool calls, tool execution, unsafe side effects, external boundaries, provider-executed capabilities, user cancel, lifecycle close, quota, context overflow, and other non-retryable failures.
• fix: scope reasoning safe retry timeouts by attempt #922 behavior remains intact: reasoning-model first safe-recovery-eligible attempt uses the shorter timeout, the automatic safe retry keeps the longer timeout, and no automatic third safe-recovery attempt is made.
• /global/event reconnect remains independent and does not trigger model re-execution.
• Tests cover both the allowed safe-recovery path and conservative blocked paths.
• Observability can answer: whether the failure was technically retryable, whether the safety gate allowed it, whether a retry was attempted, which attempt timeout was used, and how the retry ended.

Relevant files or context

Likely files:

• packages/opencode/src/session/retry.ts
• packages/opencode/src/session/processor.ts
• packages/opencode/src/session/run-incident/policy.ts
• packages/opencode/src/session/run-observability/recorder.ts
• packages/opencode/src/session/run-observability/types.ts
• packages/ui/src/components/session-retry.tsx
• packages/ui/src/components/message-part/parts/notice.tsx
• packages/app/src/context/global-sdk.tsx

Related work:

• fix: allow safe retry before provider progress #914 allowed safe retry before first provider progress when no output or tool activity happened.
• [Feature] Recover faster from stalled reasoning-model connections before safe retry #918 / fix: scope reasoning safe retry timeouts by attempt #922 apply the short-term reasoning-model 60s -> 120s timeout strategy.
• Upstream OpenCode has ordinary SessionRetry.policy provider retry behavior and separate SSE reconnect behavior.

DeepSeek v4-pro review agreed with the direction: keep SSE reconnect separate, treat retry execution as the engine, and keep PawWork safe recovery as a safety gate inside the model execution retry pipeline.

Verification

• Add or update unit tests around SessionRetry.policy / the new retry pipeline for provider retry, safe-recovery retry, and blocked safety decisions.
• Keep or add processor-level tests for 60s -> 120s, no automatic third safe-recovery attempt, safe-retry notice behavior, lifecycle close, user cancel, quota, context overflow, visible output, tool input, materialized tool calls, and tool execution.
• Verify /global/event reconnect tests still pass and do not imply model retry.
• Run targeted opencode/session tests and UI retry contract tests.
• For visible retry copy changes, run the existing safe-retry snap target or equivalent visual check.

Execution mode

Design changes require approval before implementation. Implementation plans for already-approved design slices do not need a separate approval gate; agents may post the plan and proceed with code and PR work when the slice stays within the approved design.

[Astro-Han]

Proposed design: one model retry pipeline, two decisions

I think the long-term refactor should keep the #922 behavior as the short-term product baseline, but change the ownership boundaries underneath it.

The target model is not "replace PawWork Safe Retry with upstream OpenCode retry." The target is:

• OpenCode-style session retry is the Retry Engine: it owns how retries are executed.
• PawWork safe recovery is the Safety Gate: it owns whether re-running a model attempt is safe.
• /global/event reconnect remains separate: it restores event delivery and must not re-run a model request.

In other words: Safe Retry should stop being a second retry executor. It should become a gate inside the shared model execution retry pipeline.

Target flow

model stream fails
  -> classify whether the failure is technically retryable
  -> derive whether replaying the model attempt is safe from run observability
  -> if both checks allow it, schedule the retry through the shared retry engine
  -> processor runs the next attempt
  -> final UI / diagnostics explain why recovery succeeded, failed, or was blocked

Layer ownership

Retry Engine

Owned by SessionRetry.policy or a successor built around it.

Responsibilities:

• technical retry classification for provider/API failures,
• retry-after and backoff calculation,
• attempt numbering,
• max-attempt handling,
• retry status emission,
• retry event emission,
• terminal retry classification.

This layer should not inspect tool-side-effect boundaries or decide whether replaying a model attempt is product-safe.

Safety Gate

Owned by run-incident / run-observability code, ideally behind a small pure API.

Responsibilities:

• decide whether a failed attempt can be automatically replayed,
• distinguish auto_retry_once, ask_user_before_retry, offer_continue, and do_not_retry,
• block automatic replay when there is visible output, text output, reasoning output where applicable, tool input, materialized tool calls, tool execution, unsafe side effects, external boundaries, provider-executed capabilities, user cancel, lifecycle close, quota, context overflow, or other non-retryable failures,
• return stable reason metadata for UI and diagnostics.

This layer should not sleep, count attempts, emit retry status, or write final notices.

Processor

Owned by session.processor.

Responsibilities:

• run one model stream attempt,
• record attempt facts,
• pass failure facts into the retry pipeline,
• re-enter the next attempt when the pipeline allows retry,
• perform attempt cleanup that is genuinely local to the attempt.

The processor should not maintain its own retry engine via automaticStreamRetriesUsed, ad hoc sleep, processor-local presentation predicates, and separate terminal behavior.

UI / Observability

Responsibilities:

• show one coherent user-facing recovery state,
• avoid exposing internal mechanism splits such as provider retry vs safe retry vs SSE reconnect,
• preserve diagnostic detail in exports/logs: technical retryability, safety-gate result, selected timeout, retry attempt, and final outcome.

Migration plan

PR 1: Introduce shared retry decision metadata without changing behavior

Suggested title:

refactor(session): add unified retry decision metadata

Scope:

• Add a small typed decision shape that can carry both technical retryability and safety-gate output.
• Preserve existing execution paths.
• Keep fix: scope reasoning safe retry timeouts by attempt #922 behavior exactly unchanged.
• Do not move retry scheduling yet.

Expected result:

The code can represent these as separate facts:

• the error is technically retryable,
• replay is product-safe,
• replay is blocked by a safety reason,
• retry presentation should use safe recovery copy,
• retry should use the short or long reasoning timeout.

Verification:

• Unit tests for the decision shape / adapters.
• Existing processor retry tests remain green.
• No UI behavior change.

PR 2: Extract the Safety Gate from processor-local predicates

Suggested title:

refactor(session): extract safe recovery gate

Scope:

• Move safe-recovery boundary checks into a run-incident / observability-owned module.
• Keep the function pure where possible: input facts, output decision.
• Remove duplicate boundary predicates from session.processor when they can be replaced by the shared gate.
• Preserve current behavior for before-progress safe retry and reasoning-only safe retry.

Expected result:

session.processor can ask one question: "does the safety gate allow automatic replay?" It no longer needs to know every safety predicate in detail.

Verification:

• Tests for allowed before-progress safe recovery.
• Tests for allowed reasoning-only safe recovery if that remains in scope.
• Tests for blocked visible output, reasoning output where unsafe, tool input, materialized tool call, tool execution, external boundary, provider-executed capability, user cancel, lifecycle close, quota, and context overflow.

PR 3: Route safe-recovery scheduling through the Retry Engine

Suggested title:

refactor(session): route safe recovery through retry policy

Scope:

• Replace processor-local retry counter/sleep/status mechanics with the shared retry policy path.
• Keep the safety gate as a required input before automatic replay.
• Preserve lifecycle-close interruption checks around retry backoff.
• Preserve safe_retry_failed behavior, but drive it from stable retry decision metadata instead of processor-local predicate names.

Hard behavior constraints:

• fix: scope reasoning safe retry timeouts by attempt #922 must keep the 60s -> 120s reasoning-model timeout behavior.
• There must be no automatic third safe-recovery attempt.
• Ordinary provider retry behavior must not accidentally become safe-recovery replay after output or tool activity.
• Quota/context-overflow/user-cancel/lifecycle-close behavior must stay conservative.

Verification:

• Processor-level test for first reasoning attempt using the shorter timeout.
• Processor-level test for the automatic safe retry using the longer timeout.
• Test that a third automatic safe-recovery attempt is not made.
• Test that retry status/event emission still happens through the shared path.
• Existing provider retry tests stay green.

PR 4: Normalize retry UI and observability names

Suggested title:

refactor(ui): normalize retry recovery presentation

Scope:

• Keep user-facing recovery as one coherent state: "recovering" / "recovery failed" rather than exposing internal retry mechanisms.
• Make safe-recovery notices depend on stable decision metadata.
• Ensure exports/logs can answer:
  • was the failure technically retryable?
  • did the safety gate allow automatic replay?
  • was retry attempted?
  • which timeout was selected?
  • did the retry reach provider progress?
  • how did the retry end?
• Keep /global/event reconnect naming distinct from model retry naming.

Verification:

• UI contract tests for retry presentation.
• Safe-retry snap or equivalent visual check if visible copy/state changes.
• Export / run-observability tests for retry decision fields.
• SSE reconnect tests still prove reconnect does not imply model re-execution.

Non-goals for this refactor

• Do not remove PawWork's safe-recovery boundary checks.
• Do not merge /global/event reconnect into model retry.
• Do not implement full turn resume after partial output/tool execution in this issue.
• Do not redesign atomic file writes or tool idempotency here.
• Do not broaden automatic retry beyond the current proven-safe boundary.
• Do not promise perfect recovery from every interrupted model stream.

Review checkpoints before implementation

Before coding, the implementation plan should answer these explicitly:

1. Where does the new shared retry decision type live?
2. What is the exact distinction between provider retry attempts and safe-recovery replay attempts?
3. How does the retry engine enforce "no automatic third safe-recovery attempt" while still preserving ordinary provider retry behavior?
4. At what point is the reasoning-model timeout selected, and how do we guarantee fix: scope reasoning safe retry timeouts by attempt #922's 60s -> 120s behavior survives?
5. What stable metadata should UI and exports consume so they do not depend on processor-local predicate names?

Recommended execution mode for this issue remains: investigate and post a concrete PR plan first, then wait for explicit approval before writing code.

[Astro-Han]

Follow-up implementation constraints to avoid misreading "shared retry engine" as "shared retry budget":

1. Shared engine does not mean shared retry budget.

   Ordinary provider retry attempts and safe-recovery replay attempts need separate metadata and limits. Preserving fix: scope reasoning safe retry timeouts by attempt #922 means safe recovery still gets at most one automatic replay, even if ordinary provider retry has a larger max-attempt policy.

   The exact field names can change, but the model should preserve this distinction, for example:

   retry_kind: provider_retry | safe_recovery_replay
   provider_retry_attempt: number
   safe_recovery_attempt: 0 | 1
   

2. Technical terminal classification should stay with retry classification / engine ownership.

   Quota exhaustion, context overflow, user cancel, and lifecycle close should not become Safety Gate taxonomy ownership. The retry classification layer can mark these as terminal or non-retryable; the Safety Gate can receive that terminal result and stay conservative, but it should not become the owner of provider error taxonomy.

   Desired ownership:

   Retry classification / engine:
     Is this failure technically retryable? Is it terminal because of quota/context/user cancel/lifecycle close?
   
   Safety Gate:
     Even if technically retryable, is replaying this model attempt product-safe?
   

3. Reasoning output must not be treated as a blanket retry blocker.

   Some reasoning-output cases are unsafe, but fix: scope reasoning safe retry timeouts by attempt #922 intentionally preserves one automatic safe-recovery path for the allowed reasoning-only shape: no final text, no tool activity, and no external/provider-executed side effect. That path should remain allowed, and failed-attempt reasoning parts should still be cleaned up before presenting the final safe-retry failure state.

   In short: reasoning output is a safety input, not an automatic do_not_retry flag.

[Astro-Han]

Future-proofing note for the retry metadata work:

#925 should not grow into full turn resume after partial output or tool execution. That belongs in a separate Run Recovery / Turn Resume track.

However, the metadata introduced here should use recovery-oriented naming where possible, so this refactor does not lock future work into a binary safe retry allowed / safe retry denied model.

Important distinction:

visible output / tool activity / external boundary
  => automatic replay may be blocked
  != the run is permanently unrecoverable

The Safety Gate in #925 answers a narrow question:

Can this failed model attempt be automatically replayed now?

It should not claim to answer the broader future question:

Can this run be recovered through provider resume, app-level continuation, tool-result reuse, or tool recovery?

For PR 1, prefer metadata names that leave room for future recovery modes. For example, avoid a narrow shape like:

safeRetryAllowed: boolean
safeRetryReason: string

Prefer a shape that can grow, such as:

technicalRetryability
safetyGateDecision
recoveryMode
blockedReason
attemptKind
timeoutPolicy
presentation

Current recoveryMode values can stay limited to replay-oriented behavior, for example:

replay
auto_replay_blocked
ask_user
offer_continue
stop

But the naming should not prevent future values such as:

provider_resume
app_continuation
tool_result_reuse
tool_recovery
resume_after_tool_result

In short: #925 should keep its scope as retry-pipeline consolidation, but it should describe blocked automatic replay as blocked automatic replay, not as permanent unrecoverability.