Telegram resolver failure caching + missing degraded-state detection after cold-boot resolver exhaustion

[iws17]

PR: Telegram platform fails silently on cold boot due to insufficient retry budget

Problem

On systems where the Hermes gateway starts at boot time (e.g. macOS launchd, systemd with default ordering), the Telegram platform's connect() routine can fail before the OS network stack is ready:

ERROR telegram.ext.Updater: telegram.error.NetworkError:
  httpx.ConnectError: All connection attempts failed
WARNING gateway.platforms.telegram_network:
  Primary api.telegram.org connection failed
  ([Errno 8] nodename nor servname provided, or not known)

Errno 8 is EAI_NONAME from getaddrinfo() — the resolver itself can't resolve the hostname, which happens briefly at cold boot before network is fully up. Once the Python process is running, subsequent resolution attempts also fail because the resolver has cached the failure state.

The gateway does not exit — it logs the error and keeps running in a degraded state where the Telegram platform is silently dead until a manual restart. This is especially bad because:

1. Gateway looks healthy to launchctl / systemctl
2. No Telegram messages are received
3. KeepAlive on non-zero exit does not help because the process stays alive
4. Users don't notice until they try to DM the bot

Root cause

Two issues in gateway/platforms/telegram.py connect():

Issue 1: Retry budget is too small for cold boot

# Line ~558-572
_max_connect = 3
for _attempt in range(_max_connect):
    try:
        await self._app.initialize()
        break
    except (NetworkError, TimedOut, OSError) as init_err:
        if _attempt < _max_connect - 1:
            wait = 2 ** _attempt   # 1s, 2s
            await asyncio.sleep(wait)
        else:
            raise

3 attempts with 1s/2s backoff = ~3 seconds total before giving up. At cold boot the network stack can take 10-30 seconds to come up on macOS, and even longer on systems with VPN/proxy startup.

Issue 2: discover_fallback_ips() called once, before the retry loop

# Line ~513-514
if not fallback_ips:
    fallback_ips = await discover_fallback_ips()

Called before the retry loop. At cold boot, DoH queries to dns.google and cloudflare-dns.com also fail, so discover_fallback_ips() falls through to the hardcoded seed 149.154.167.220. The TelegramFallbackTransport is then built with only this stale seed, and every retry inside the loop tries the same dead endpoints. When network finally comes up mid-loop, the gateway already exhausted its budget.

Proposed fix

Two small changes in connect():

1. Increase retry budget from 3 attempts (~3s) to 8 attempts (~60s) with capped exponential backoff
2. Move discover_fallback_ips() inside the retry loop so each retry gets a fresh discovery attempt when network finally comes up

Patch

# Replace existing block around lines 510-572:

            # Build the application (base builder without transport; we'll add it per-attempt)
            base_token = self.config.token

            # Start polling — retry initialize() for cold-boot DNS races + transient TLS resets
            try:
                from telegram.error import NetworkError, TimedOut
            except ImportError:
                NetworkError = TimedOut = OSError  # type: ignore[misc,assignment]

            _max_connect = 8  # up from 3 — covers cold-boot network stack delay
            _backoff_cap = 15  # seconds

            last_err: Exception | None = None
            for _attempt in range(_max_connect):
                try:
                    # Re-discover fallback IPs on each attempt — DoH may be down at
                    # cold boot but recover before we exhaust our retry budget.
                    fallback_ips = self._fallback_ips()
                    if not fallback_ips:
                        fallback_ips = await discover_fallback_ips()
                        if _attempt == 0:
                            logger.info(
                                "[%s] Auto-discovered Telegram fallback IPs: %s",
                                self.name,
                                ", ".join(fallback_ips),
                            )

                    builder = Application.builder().token(base_token)
                    if fallback_ips:
                        if _attempt == 0:
                            logger.warning(
                                "[%s] Telegram fallback IPs active: %s",
                                self.name,
                                ", ".join(fallback_ips),
                            )
                        transport = TelegramFallbackTransport(fallback_ips)
                        request = HTTPXRequest(httpx_kwargs={"transport": transport})
                        get_updates_request = HTTPXRequest(httpx_kwargs={"transport": transport})
                        builder = builder.request(request).get_updates_request(get_updates_request)

                    self._app = builder.build()
                    self._bot = self._app.bot

                    # (move handler registration to a helper and call here, or keep inline)
                    self._register_handlers()

                    await self._app.initialize()
                    break
                except (NetworkError, TimedOut, OSError) as init_err:
                    last_err = init_err
                    if _attempt < _max_connect - 1:
                        wait = min(2 ** _attempt, _backoff_cap)  # 1,2,4,8,15,15,15
                        logger.warning(
                            "[%s] Connect attempt %d/%d failed: %s — retrying in %ds",
                            self.name, _attempt + 1, _max_connect, init_err, wait,
                        )
                        await asyncio.sleep(wait)
                    else:
                        logger.error(
                            "[%s] Exhausted %d connect attempts over ~%ds, giving up: %s",
                            self.name, _max_connect, sum(min(2**i, _backoff_cap) for i in range(_max_connect-1)), init_err,
                        )
                        raise

Total retry budget becomes: 1 + 2 + 4 + 8 + 15 + 15 + 15 = 60 seconds, covering typical cold-boot delays.

Handler registration currently lives between builder.build() and initialize() — extracting to _register_handlers(self) keeps the retry loop clean and avoids re-registering handlers on a stale app instance.

Testing

1. Cold boot simulation: stop networking (sudo ifconfig en0 down), start hermes, wait 20s, re-enable networking. Should see retries in logs, eventual success.
2. DoH block simulation: block dns.google and cloudflare-dns.com in /etc/hosts, start hermes. Should fall through to seed IPs as before.
3. Normal boot: should behave identically (first attempt succeeds).

Impact

• Affects: every Hermes user with ai.hermes.gateway running at boot via launchd/systemd
• Severity: silent Telegram outage until manual restart — users often don't notice for hours
• Risk: low — changes only the retry budget and moves one function call inside the loop

Local workaround (already deployed)

As an interim fix while the PR is in review, the gateway can be wrapped in a DNS-readiness shim. Example for macOS launchd:

#!/bin/bash
VENV_PY="/Users/dg/.hermes/hermes-agent/venv/bin/python"
MAX_WAIT=90
WAITED=0
while ! "$VENV_PY" -c "import socket; socket.getaddrinfo('api.telegram.org', 443)" 2>/dev/null; do
    [ "$WAITED" -ge "$MAX_WAIT" ] && break
    sleep 2
    WAITED=$((WAITED + 2))
done
exec "$VENV_PY" -m hermes_cli.main gateway run --replace

This is a workaround only — the upstream fix is correct because it makes Hermes self-healing without requiring users to write launchd wrappers.

[alt-glitch]

Related to merged #10947 which increased cold-boot retry budget. This issue reports the fix may be insufficient — resolver failure caching and degraded-state detection still unaddressed.

[alt-glitch]

Related to merged #10947 which increased cold-boot retry budget. This issue reports the fix may be insufficient — resolver failure caching and degraded-state detection still unaddressed.

[iws17]

Thanks @alt-glitch — you're right that the retry budget increase in #10947 doesn't fully address this. The cold-boot pathology has two distinct failure modes, and #10947 only addresses the first:

1. Retry budget exhaustion during initial DNS resolution — addressed by fix(telegram): send resilience — retry transient tool sends + increase cold-boot budget (#9101, #5770) #10947.
2. Resolver failure caching after exhaustion — once a cold-boot resolver attempt fails, the failure is cached and subsequent attempts use the cached failure rather than re-resolving. Combined with the absence of degraded-state detection, the platform stays "started" while effectively non-functional.

The second mode is what's still load-bearing here. Updating the issue title to reflect that scope.

[rblakemesser]

Adding a recent macOS launchd field report that looks related to resolver/degraded-state detection.

On 2026-05-07, the gateway logged resolver/network failures for both Telegram and Home Assistant, so this was not isolated to Telegram credentials:

• api.telegram.org: [Errno 8] nodename nor servname provided, or not known
• my.homeassistant.dev: Cannot connect ... [nodename nor servname provided, or not known]

Timeline:

• 08:49-09:36 CDT: repeated Telegram DNS/connect failures; Home Assistant also failed DNS/reconnect.
• 09:36 CDT: Telegram polling logged resumed.
• 13:20 CDT: another short Telegram DNS/connect failure, then resumed.
• Later, the gateway process remained alive and Telegram API was reachable, but Telegram messages were not being handled until a manual gateway restart.

At diagnosis time:

• curl https://api.telegram.org/ worked.
• getMe worked.
• getWebhookInfo showed no webhook and pending_update_count=0.
• launchd still reported the gateway running.

This supports the “network recovered but adapter/gateway health signal stayed insufficient” part of this issue.

[iws17]

Thanks @rblakemesser — the cross-service Errno 8 detail nailed the diagnosis. After reading current main (292f46836), the gap and fix are sharper than I had them.

What's already shipped (more than I credited initially):

• _handle_polling_network_error — exponential backoff ladder, drains polling pool, restarts polling, escalates to fatal-retryable for supervisor restart on exhaustion
• _verify_polling_after_reconnect — heartbeat probe scheduled 60s after error-driven reconnect: checks Updater.running + bot.get_me() with 10s timeout
• _drain_polling_connections — resets Bot._request[0] (the getUpdates pool) before reconnect to clear half-closed httpx connections
• fix(telegram): send resilience — retry transient tool sends + increase cold-boot budget (#9101, #5770) #10947 — cold-boot retry budget bumped to 8 attempts, backoff cap 15s

Two precise holes that map onto the field reports:

Hole 1 — heartbeat probes the wrong pool. PTB v22 _bot.py:717:

request = self._request[0] if endpoint == "getUpdates" else self._request[1]

bot.get_me() routes through the general pool (_request[1]); the long-poll runs on the polling pool (_request[0]). _drain_polling_connections only resets _request[0]. So a wedged polling pool with a healthy general pool — exactly the "getMe worked but messages weren't handled" trace — passes the heartbeat probe falsely.

Hole 2 — heartbeat is never scheduled on cold-boot path. _verify_polling_after_reconnect is only triggered from _handle_polling_network_error (line 546). The cold-boot connect() calls start_polling and falls through to _mark_connected() (line 1131) with no post-start probe. A wedge that starts at cold boot produces no exception (silent wedge → no error callback → no heartbeat scheduled). Matches the "polling logged resumed, no messages handled" trace.

Fix submitted as #21548. Two surgical changes (Change 2 depends on Change 1):

1. Replace the probe primitive so it routes through _request[0]. The probe must be non-destructive — calling any getUpdates flavor (including offset=-1, limit=1) is forbidden by Telegram's API contract: offset=-1 "forgets" the queue, and concurrent getUpdates on the same pool returns 409 Conflict. Right shape: bypass Bot._do_post's endpoint dispatch and call BaseRequest.post directly on _request[0] against getMe:

   pool = self._app.bot._request[0]
   await asyncio.wait_for(pool.post(f"{self._app.bot.base_url}/getMe"), 65)

   Same connection pool the long-poll uses; no destructive Telegram-side semantics. 65s timeout exceeds the long-poll contention window; pair with a two-strike-within-5min escalation gate to suppress single transient blips.

2. Schedule the same probe after cold-boot start_polling, not just from the error-driven path. This change depends on Change 1 — shipping it without the probe redesign is strictly worse than the status quo (it would schedule a probe of the wrong pool, falsely declaring health on cold-boot wedges).

Plus four small hardening pieces in the PR: (a) shared asyncio.Lock between probe and _drain_polling_connections to prevent racing on a half-torn-down pool, (b) startup shape-check on bot._request with log-and-skip fallback for custom HTTPXRequest injection / PTB version drift, (c) probe task cancellation on disconnect(), (d) trigger= parameter so structured logs distinguish cold_boot vs reconnect for operator triage. Probe-related logs redact bot.base_url (Telegram's URL format embeds the bot token).

Residual blind spot: flood-wait masking. If Telegram is rate-limiting the bot, getMe via pool 0 returns success (different rate-limit bucket from getUpdates). Probe says healthy, polling pool is throttled not wedged. Same false-positive shape as today, just narrower. Documented in PR body.

PR: #21548. Tests cover both holes plus the long-poll non-interference assertion (mock _request[0].post to hang, assert last_update_id unchanged across the probe call). 368 telegram tests pass.