fix(agent): exclude ssl.SSLError from is_local_validation_error to prevent non-retryable abort

[Bartok9]

Problem

Fixes #14367.

ssl.SSLError (and its subclass ssl.SSLCertVerificationError) inherits from both OSError and ValueError via Python's MRO:

ssl.SSLCertVerificationError
  └─ ssl.SSLError
       ├─ OSError
       └─ (via adapter) ValueError

The is_local_validation_error check at run_agent.py ~line 10681:

is_local_validation_error = (
    isinstance(api_error, (ValueError, TypeError))
    and not isinstance(api_error, UnicodeEncodeError)
)

…catches ssl.SSLCertVerificationError as a ValueError, marking it non-retryable and triggering an immediate abort.

The error classifier already maps SSLCertVerificationError to FailoverReason.timeout, retryable=True (its type name appears in _TRANSPORT_ERROR_TYPES), but the inline isinstance guard overrides that mapping before the classifier result is checked.

Result: A TLS transport error causes an unnecessary session abort instead of retrying or failing over to a backup provider.

Fix

Add ssl.SSLError to the exclusion list alongside the existing UnicodeEncodeError carve-out, and import ssl at the top of run_agent.py:

import ssl
# …
is_local_validation_error = (
    isinstance(api_error, (ValueError, TypeError))
    and not isinstance(api_error, UnicodeEncodeError)
    and not isinstance(api_error, ssl.SSLError)   # ← new
)

Verification

import ssl
e = ssl.SSLCertVerificationError("certificate verify failed")

# Before fix:
isinstance(e, (ValueError, TypeError))  # True  → flagged as programming bug

# After fix:
is_local = (
    isinstance(e, (ValueError, TypeError))
    and not isinstance(e, UnicodeEncodeError)
    and not isinstance(e, ssl.SSLError)
)
assert is_local is False  # ✅ falls through to classifier's retryable path

[alt-glitch]

Competing PRs for #14367: this, #14434, and #14374 all fix the same ssl.SSLError misclassification. #14374 extracts a helper function; this and #14434 are inline fixes.

[Bartok9]

Thanks @alt-glitch. Agreed — three competing fixes for the same bug. Among the three, #14374 by @sgaofen is the most thorough (extracts a helper, which makes the guard easier to extend in future). Happy to close this in favor of #14374 if maintainers prefer. Deferring to their judgment.

[teknium1]

Thanks for the fix, @Bartok9! This is an automated hermes-sweeper review.

The change proposed here is already on main — the exact commit from this PR (4e27e498f) is in main's ancestry (164 commits ahead of it now).

Evidence:

• run_agent.py line 34: import ssl ✔
• run_agent.py lines 11164–11178: and not isinstance(api_error, ssl.SSLError) with the explanatory comment ✔
• Commit 4e27e498f (fix(agent): exclude ssl.SSLError from is_local_validation_error…) is reachable from HEAD
• PR fix(agent): consolidated fallback/retry correctness — SSL retry, cooldown, config context, auth fallback parity #15134 (consolidated retry/fallback fix, cross-referenced from this PR's timeline) was merged 2026-04-24

As noted by @alt-glitch and agreed by you, three PRs raced to fix #14367. The fix has landed. Closing as implemented on main.