[Bug]: blockedUntil for subscription_limit set far in the future never re-probes when no fallback is configured

[brtkwr]

Bug type

Behavior bug (incorrect output/state without crash)

Beta release blocker

No

Summary

On 2026.5.28, when an openai-codex auth profile hits its subscription cap and the upstream reports a "next reset in N days" timestamp, OpenClaw stores that timestamp verbatim into auth-state.json as blockedUntil; with fallbacks: [], the probe-during-cooldown path short-circuits on hasFallbackCandidates, so the profile is never re-probed and stays blocked for days even after the rolling cap has recovered.

Steps to reproduce

1. Install OpenClaw 2026.5.28 and @openclaw/codex@2026.5.28, configure with agents.defaults.model.primary: openai-codex/gpt-5.5 and fallbacks: [].
2. Drive enough usage to exhaust the rolling weekly cap (in this case, an accidental heartbeat firing every 30 min for ~24 hours).
3. Observe the upstream returns: You've reached your Codex subscription usage limit. Next reset in 6 days, Jun 7 at 3:43 PM UTC.
4. Check auth-state.json at agents/main/agent/auth-state.json:

   "openai-codex:<account>": {
     "blockedUntil": 1780846982712,
     "blockedReason": "subscription_limit",
     "blockedSource": "wham",
     "errorCount": 1,
     "failureCounts": { "rate_limit": 1 },
     "lastFailureAt": 1780401970719
   }

5. Wait 3 days. Observe every scheduled cron lane logs decision=skip_candidate ... Provider openai-codex is in cooldown (suspending lanes). No model calls made.
6. Run openclaw infer model run --prompt "say hello in one word" directly. Returns successfully — the upstream API is callable. The block is purely OpenClaw-side stale state.

Expected behavior

After the upstream's rolling cap recovers (which happens before the reported "next reset" since it's a rolling window, not a discrete reset), OpenClaw should re-probe the primary and resume serving calls. With no fallback configured, recovery probing should still happen, since "is the primary callable yet?" is a recovery question, not a fallback-switching question.

Actual behavior

The profile stays blocked until blockedUntil arrives literally, regardless of actual API state. In dist/model-fallback-DRgKirrj.js:

function shouldProbePrimaryDuringCooldown(params) {
  if (!params.isPrimary || !params.hasFallbackCandidates) return false;
  // ...
}

The early return on !hasFallbackCandidates means with fallbacks: [], no probe ever fires. Gateway logs confirm: ~250 skip_candidate entries over 3 days, zero attempts at the actual upstream.

OpenClaw version

2026.5.28

Operating system

Ubuntu 24.04

Install method

npm global

Model

openai-codex/gpt-5.5

Provider / routing chain

openclaw -> @openclaw/codex@2026.5.28 -> openai (ChatGPT Plus OAuth)

Additional provider/model setup details

• Single auth profile: openai-codex:<account> (OAuth, ChatGPT Plus subscription)
• agents.defaults.model.fallbacks: [] (no fallback configured)
• compaction.maxActiveTranscriptBytes: "500kb", truncateAfterCompaction: true
• auth.cooldowns: {} (defaults)

Logs, screenshots, and evidence

Jun 02 12:06:10 [model-fallback/decision] decision=candidate_failed
    requested=openai-codex/gpt-5.5 candidate=openai-codex/gpt-5.5
    reason=rate_limit next=none
    detail=You've reached your Codex subscription usage limit. Next reset in 6 days, Jun 7 at 3:43 PM UTC.
Jun 02 14:30:00 [model-fallback/decision] decision=skip_candidate
    requested=openai-codex/gpt-5.5 candidate=openai-codex/gpt-5.5
    reason=rate_limit next=none
    detail=Provider openai-codex is in cooldown (suspending lanes)
(repeats every scheduled cron tick for 3 days)

The auth-state.json snippet above. Direct openclaw infer model run succeeded immediately after manually clearing blockedUntil.

Impact and severity

• Affected: any single-host OpenClaw install with one upstream and fallbacks: [] that hits a subscription cap.
• Severity: blocks workflow — scheduled crons and channel replies stop posting for the entire duration of blockedUntil.
• Frequency: triggered once per cap exhaustion, then sticks until manual intervention.
• Consequence: agents go silent for days. In our case, 3 days of no replies to scheduled telegram interactions and four daily cron jobs not firing.

Additional information

• Related design discussion: Feature request: native Codex quota/auth diagnosis plus brokered reauth execution #54278 (proposes a quota_wait state separate from reauth_required). This bug is the concrete shape of one of the problems Feature request: native Codex quota/auth diagnosis plus brokered reauth execution #54278 describes.
• Two suggested minimal fixes (either alone would have prevented this):
  1. Cap blockedUntil for subscription_limit reasons. Store min(reportedReset, now + MAX_SUBSCRIPTION_BLOCK_MS). With a cap of e.g. 1 hour, the profile gets re-probed an hour later; if still exhausted, the upstream returns the same error and the block is re-armed; if recovered, work resumes. Keep the reported timestamp in a separate expectedFullResetAt field for display only.
  2. Drop the hasFallbackCandidates short-circuit for recovery probes. Split shouldProbePrimaryDuringCooldown into "should we try a fallback now?" (legitimately needs fallback candidates) and "should we re-probe the primary now?" (doesn't). The recovery-probe branch should fire on any time-based throttle regardless of fallback configuration.
• Workaround currently in place: hourly cron clearing blockedUntil for subscription_limit blocks where blockedUntil > now + 12h AND lastFailureAt < now - 6h.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 5, 2026, 11:25 AM ET / 15:25 UTC.

Summary
Keep open: current main still has the reported fallback gate, and the shipped v2026.6.1 code still asserts that a single rate-limited candidate with fallbacks: [] is not probed. The related quota/auth diagnosis issue is broader and still open, but this issue is a narrow current bug in recovery probing.

Reproducibility: yes. from source inspection, but not from a live current-main run. Current tests explicitly assert that fallbacks: [] plus a rate-limit cooldown skips the only candidate and never calls the model.

Next step
This is a narrow, source-reproducible bug with clear affected files and regression tests, and no protected labels or open linked fix PR.

Review details

Best possible solution:

Add a narrow recovery-probe path for subscription-limit/rate-limit primary cooldowns when no fallback candidates exist, with regression coverage that proves a throttled primary probe happens without adding new config.

Do we have a high-confidence way to reproduce the issue?

Yes from source inspection, but not from a live current-main run. Current tests explicitly assert that fallbacks: [] plus a rate-limit cooldown skips the only candidate and never calls the model.

Is this the best way to solve the issue?

Yes, the best fix is a narrow recovery-probe change in the existing model fallback/auth cooldown path. A new config knob or broad quota/auth UX feature would be more than this bug needs.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• No live OAuth/WHAM recovery run was performed in this read-only review; the current-main source and tests reproduce the control-flow bug, while the early recovery timing is reporter-provided.
• A fix should preserve probe throttling and avoid making fallback-configured chains re-probe the primary on every scheduled run.

Codex review notes: model gpt-5.5, reasoning high; reviewed against da88940c6c30.

Label changes

Label changes:

• add P1: The report describes current behavior that can leave single-provider agents and scheduled/channel workflows silent for days after a recoverable subscription-limit cooldown.
• add impact:message-loss: When the stale block is active, scheduled cron lanes and channel replies are skipped instead of attempting delivery.
• add impact:auth-provider: The affected state is auth-profile/provider cooldown routing for Codex/OpenAI subscription-limit recovery.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:queueable-fix: Current issue advisory state selects this label.
• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.

Label justifications:

• P1: The report describes current behavior that can leave single-provider agents and scheduled/channel workflows silent for days after a recoverable subscription-limit cooldown.
• impact:auth-provider: The affected state is auth-profile/provider cooldown routing for Codex/OpenAI subscription-limit recovery.
• impact:message-loss: When the stale block is active, scheduled cron lanes and channel replies are skipped instead of attempting delivery.

Evidence reviewed

Acceptance criteria:

• node scripts/run-vitest.mjs src/agents/model-fallback.probe.test.ts
• node scripts/run-vitest.mjs src/agents/auth-profiles/usage.test.ts src/agents/auth-profiles.getsoonestcooldownexpiry.test.ts

What I checked:

• Current main gates primary cooldown probes on fallback candidates: shouldProbePrimaryDuringCooldown returns false when hasFallbackCandidates is false, before considering cooldown expiry or rate-limit recovery rules. (src/agents/model-fallback.ts:1063, da88940c6c30)
• Runtime path uses the gate for all-profile cooldown decisions: The fallback loop sets hasFallbackCandidates = candidates.length > 1, passes it into resolveCooldownDecision, and emits the same Provider ... is in cooldown (suspending lanes) skip path described by the report. (src/agents/model-fallback.ts:1273, da88940c6c30)
• Existing test covers the reported no-fallback skip behavior: A current test configures fallbacks: [], makes the primary nearly expired from rate-limit cooldown, expects All models failed, and asserts the model run was not called. (src/agents/model-fallback.probe.test.ts:677, da88940c6c30)
• WHAM subscription limits are stored as active blockedUntil state: WHAM results with blockedUntil are persisted as blockedReason: "subscription_limit", and tests assert exhausted rolling/team windows store exact future block timestamps. (src/agents/auth-profiles/usage.ts:192, da88940c6c30)
• Codex contract inspected: Sibling Codex source exposes /wham/usage / /api/codex/usage rate-limit payloads with limit_reached, primary_window, secondary_window, and reset timestamps, matching OpenClaw's WHAM parsing surface. (../codex/codex-rs/backend-client/src/client.rs:296, a14a73b54af2)
• Latest release has the same behavior: The v2026.6.1 tag still contains the !params.hasFallbackCandidates probe gate and the no-fallback test that expects run not to be called, so this is not fixed in the latest release either. (src/agents/model-fallback.ts:1060, 2e08f0f4221f)

Likely related people:

• steipete: Git blame ties the current probe predicate, WHAM blockedUntil handling, and no-fallback skip test to the same commit authored by Peter Steinberger. (role: introduced behavior in current history; confidence: medium; commits: deff9ea18095; files: src/agents/model-fallback.ts, src/agents/model-fallback.probe.test.ts, src/agents/auth-profiles/usage.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[849261680]

Fix proposed in #90717.

Root cause: shouldProbePrimaryDuringCooldown returned false on !hasFallbackCandidates before checking any recovery conditions, so a single-provider setup (fallbacks: []) with a rate/subscription-limit cooldown was never re-probed.

Fix: Split the guard — non-primary still short-circuits, but a single-provider primary returns true (probe allowed) when the 30-second throttle slot is open. Multi-fallback setups keep the existing near-expiry probe logic. The billing branch in resolveCooldownDecision is simplified to reuse the unified shouldProbe result.

Proof: node scripts/run-vitest.mjs src/agents/model-fallback.probe.test.ts — 14 tests passed, including:

• New: re-probes a single-provider primary blocked by a far-future subscription_limit (#90702)
• Updated: re-probes a single-provider rate-limited primary instead of suspending