Feature: Reason-aware cron guardrails (quota/auth/rate-limit aware backoff + circuit breaker)

[futuremind2026]

Problem

OpenClaw cron jobs already apply an exponential backoff based on consecutive errors, but the backoff is reason-agnostic. In practice, different failure reasons should trigger different safety behavior:

• billing/quota exhausted (402 / insufficient_quota): continuing to retry is wasteful; jobs should stop (or switch model/provider if configured) and notify once.
• auth (401/403): retries are wasteful until credentials are fixed; jobs should stop and notify once.
• rate limit (429): retries should use Retry-After and/or exponential backoff; do not disable jobs by default.
• timeout/network: temporary; backoff but keep enabled.
• format (400): likely prompt/tooling bug; disable and surface actionable error.

This matters most for background/automated workloads (cron/heartbeat) where silent retry storms create unnecessary cost and log noise.

Current Behavior

• src/cron/service/timer.ts applies a fixed backoff schedule based on consecutiveErrors (30s→1m→5m→15m→60m), regardless of error type.
• Agents already have error classification via FailoverReason (billing/rate_limit/auth/timeout/format) in src/agents/failover-error.ts, but cron does not use it to select mitigation.

Proposed Behavior (Default Policy)

Introduce a reason-aware cron guard layer that classifies terminal errors and applies policy:

Classification

• Reuse/align with FailoverReason classification (billing, rate_limit, auth, timeout, format, unknown).
• Ensure tool-level failures (e.g. Brave 429) don’t get misclassified as billing (see Bug: Tool failures (e.g., Brave Search 429) incorrectly surfaced as 'billing error' in Telegram #14245).

Mitigations

• billing/auth/format: circuit-break (disable job) after 1 failure (or small N), persist lastError, and optionally deliver a single user-facing alert (once per window).
• rate_limit: respect Retry-After/provider headers when available; apply exponential backoff but keep job enabled.
• timeout/network: apply backoff; keep enabled.
• unknown: conservative backoff; optionally circuit-break after higher threshold.

Observability

• Record lastErrorReason in job state to aid debugging and UI visibility.
• Optional: add cooldownUntilMs/disabledUntilMs fields at the job level (separate from auth-profile cooldowns).

Acceptance Criteria

• Cron avoids retry storms when quota is exhausted or auth is invalid.
• Rate limits back off appropriately without disabling jobs.
• Job state exposes the reason for the last error.
• Behavior is configurable but has safe defaults.

Related

• feat: Add automatic retry with exponential backoff for rate limits (429) #8894 (429 retry/backoff)
• Add retry logic for failed cron jobs #13609 (retry logic for failed cron jobs)
• Feature Request: Per-model usage logging for cost tracking #13219 (usage logging for cost tracking)
• [Feature]: Provider rate-limit / quota query tool #13923 (provider quota/rate limit query tool)
• [Bug]: Gateway sends empty messages on persistent API errors (429/402) instead of user-facing explanation #2202 (429/402 handling)
• Bug: Tool failures (e.g., Brave Search 429) incorrectly surfaced as 'billing error' in Telegram #14245 (misclassification of tool failures as billing)

Implementation Sketch

• Extend cron execution pipeline to capture/normalize error objects and classify via shared helper (or reuse coerceToFailoverError/resolveFailoverReasonFromError).
• Adjust applyJobResult in src/cron/service/timer.ts to compute nextRun / disable decision based on reason + counters.
• Persist reason into job state and expose via cron.list/UI.

[bradz86]

Real-world data: cron retry cascade burned ~$10+ in one day

Adding cost data from a retry storm on v2026.2.13 (Ubuntu 24.04).

The scenario

TikTok carousel cron job (sessionTarget: "isolated", daily at 9am PT) hit image generation failures. OpenClaw's retry behavior:

• 18 sessions spawned for what should have been 1 post
• Runs Track and persist Claude's returned session ID for conversation continuity #8-11 had 0-second gaps between session end and next session start
• Each session consumed Sonnet API tokens (re-reading SKILL.md, re-planning content, re-attempting image gen)
• Only 3 of 18 sessions were productive

Timeline showing the cascade

Run #8  finished 12:43 PM -> Run #9  started 12:43 PM (0s gap)
Run #9  finished 12:44 PM -> Run #10 started 12:44 PM (0s gap)
Run #10 finished 12:46 PM -> Run #11 started 12:46 PM (0s gap)

No backoff. No max retry count. The agent just kept spawning new isolated sessions.

Cost breakdown

Category	Runs	Est. Cost
Productive work (2 actual posts)	3	~$4.50
Wasted retries	15	~$6.30
Total	18	~$10.80

What would have helped

1. Reason-aware backoff (as proposed in this issue) - image gen failures are tool-level errors, not transient network issues. Should have backed off aggressively after 2-3 failures.
2. Max retry count per cron period - e.g., max 3 retries per scheduled fire, then stop and notify.
3. consecutiveErrors threshold to auto-disable - after 5+ consecutive errors, disable the job and send one alert.

Current workaround

Added a "loop guard" in the cron payload itself (the agent checks for 3+ attempt folders and stops). But this is fragile since it depends on the agent following instructions. A framework-level solution would be much more reliable.

+1 on the proposed reason-aware guardrail layer. The current backoff schedule (30s/1m/5m/15m/60m) in timer.ts clearly isn't being applied in this case, or it resets between "ok" status runs that still represent failures (the agent completed but the task failed).