fix(cron): preflight model fallbacks before skip

[chen-zhang-cs-code]

Summary

Scheduled isolated cron jobs could stop before the real agent turn when the primary model was a local provider and that local endpoint was down.
This change makes cron preflight use the same model candidate chain as normal model fallback, so a dead local primary can move to the configured fallback instead of marking the run skipped.
It keeps fallbacks: [] strict and keeps the existing local endpoint preflight cache and timeout behavior.

What Changed

The fix moves cron preflight away from its own fallback list logic and onto the shared model fallback candidate builder.
Cron now preflights the selected primary first, then walks the configured candidate chain and runs the turn with the first candidate whose provider preflight passes.
If preflight advances past a dead candidate, execution receives only the remaining candidates so the same dead local primary is not retried later in that run.

• Exported resolveModelCandidateChain from src/agents/model-fallback.ts.
• Changed src/cron/isolated-agent/run-fallback-policy.ts to return the full cron preflight candidate chain, including the primary.
• Changed src/cron/isolated-agent/run.ts to select an available fallback before returning skipped.
• Changed src/cron/isolated-agent/run-executor.ts to honor the narrowed post-preflight fallback list.
• Kept explicit empty payload fallbacks strict: fallbacks: [] only preflights the selected primary.
• Added regression coverage for fallback handoff, strict fallback behavior, and execution fallback narrowing.

Testing

I tested the focused source path, adjacent cron behavior, the build, and a real scheduled cron tick with a temporary Gateway.
The live proof used a dead Ollama primary and a local OpenAI-compatible fallback server, so it did not need real provider credentials.
After rebasing onto current origin/main, the current head fe884dab90 was revalidated with the commands below.

• node scripts/run-vitest.mjs src/agents/model-fallback.test.ts src/cron/isolated-agent.model-preflight.test.ts src/cron/isolated-agent/run-fallback-policy.test.ts src/cron/isolated-agent/run.payload-fallbacks.test.ts src/cron/isolated-agent/run.live-session-model-switch.test.ts src/cron/isolated-agent/run.message-tool-policy.test.ts
• pnpm exec oxfmt --check --threads=1 src/agents/model-fallback.ts src/agents/model-fallback.test.ts src/cron/isolated-agent/run-fallback-policy.ts src/cron/isolated-agent/run-fallback-policy.test.ts src/cron/isolated-agent/run.ts src/cron/isolated-agent/run-executor.ts src/cron/isolated-agent.model-preflight.test.ts src/cron/isolated-agent/run.payload-fallbacks.test.ts src/cron/isolated-agent/run.live-session-model-switch.test.ts src/cron/isolated-agent/run.message-tool-policy.test.ts docs/cli/cron.md docs/automation/cron-jobs.md
• node scripts/run-oxlint.mjs src/agents/model-fallback.ts src/agents/model-fallback.test.ts src/cron/isolated-agent/run-fallback-policy.ts src/cron/isolated-agent/run-fallback-policy.test.ts src/cron/isolated-agent/run.ts src/cron/isolated-agent/run-executor.ts src/cron/isolated-agent.model-preflight.test.ts src/cron/isolated-agent/run.payload-fallbacks.test.ts src/cron/isolated-agent/run.live-session-model-switch.test.ts src/cron/isolated-agent/run.message-tool-policy.test.ts
• node scripts/run-tsgo.mjs -p tsconfig.core.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/core.tsbuildinfo
• git diff --check origin/main...HEAD
• pnpm build
• codex review --base origin/main

Real behavior proof

Behavior addressed: scheduled cron local-model preflight should not mark the run skipped before trying configured fallbacks.

Real environment tested: local OpenClaw branch build at 445a40a before the final rebase; temporary Gateway with cron.enabled: true; primary ollama/qwen3:32b configured at unused loopback http://127.0.0.1:59998; fallback fakecloud/fake-chat configured as an OpenAI-compatible provider at http://127.0.0.1:43200/v1. Current head fe884dab90 contains the same implementation rebased onto current origin/main and passed the post-rebase validation above.

Exact steps or command run after this patch: built the branch with pnpm build, started the temporary Gateway from node openclaw.mjs gateway run, scheduled one-shot cron job 1eb9f68f-8ed7-497f-b956-e8b537dae514 through cron.add, and waited for the scheduler to fire.

Evidence after fix: the Gateway log contained:

[cron:1eb9f68f-8ed7-497f-b956-e8b537dae514] Local provider preflight failed for ollama/qwen3:32b at http://127.0.0.1:59998; continuing with fallback fakecloud/fake-chat.
[agent/embedded] embedded run start: runId=caec41ae-ee72-4013-8cce-ee138e6bd658 sessionId=caec41ae-ee72-4013-8cce-ee138e6bd658 provider=fakecloud model=fake-chat thinking=off messageChannel=unknown
[provider-transport-fetch] [model-fetch] response provider=fakecloud api=openai-completions model=fake-chat status=200 elapsedMs=4 contentType=text/event-stream

The recorded cron run was:

{
  "action": "finished",
  "status": "ok",
  "summary": "fallback reached",
  "model": "fake-chat",
  "provider": "fakecloud",
  "deliveryStatus": "not-requested",
  "sessionId": "caec41ae-ee72-4013-8cce-ee138e6bd658"
}

The fake fallback server also received GET /v1/models for preflight and POST /v1/chat/completions for the model turn.

Observed result after fix: the scheduled cron run did not skip. It selected the fallback provider and completed with status: "ok".

What was not tested: I did not call a real OpenRouter model or a live Ollama daemon. The proof used a synthetic OpenAI-compatible fallback so the cron scheduler, preflight, fallback selection, and model turn ran without external credentials.

Risks

The main behavior risk is candidate ordering.
Using the shared model fallback candidate builder lowers that risk because cron preflight now follows the same alias resolution, dedupe, primary, and fallback override rules as runtime model fallback.

• Existing behavior for healthy local primaries is unchanged: the primary passes preflight and runs normally.
• Existing behavior for no available fallback is preserved: the run is still recorded as skipped.
• The change does not add retry or wake-up budget knobs from cron: allow retries for local model preflight #82145.

Linked Issue

Fixes #79329.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed May 28, 2026, 11:36 PM ET / 03:36 UTC.

Summary
The PR updates isolated cron model preflight so configured fallbacks are checked before a local-provider preflight failure records the run as skipped.

PR surface: Source +73, Tests +198, Docs +3. Total +274 across 8 files.

Reproducibility: yes. by source inspection: current main calls local preflight only for the resolved primary and returns skipped before fallback resolution. The linked issue also supplies a standalone repro, and this PR adds targeted regression coverage plus after-fix runtime logs.

Review metrics: 1 noteworthy metric.

• Cron fallback decision path: 1 behavior changed. Cron preflight now advances to configured fallback candidates before recording a skipped run, which is the central provider/auth behavior maintainers need to accept.

Merge readiness
Overall: 🦞 diamond lobster
Proof: 🦞 diamond lobster
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Risk before merge

• [P2] Existing cron jobs with a local primary and configured cloud fallback will now run against the fallback provider when local preflight fails instead of being skipped; that is the intended fix, but it can change provider, credential, and billing behavior for existing configurations.

Maintainer options:

1. Accept configured fallback routing (recommended)
   Maintainers can merge once they explicitly accept that configured cron fallbacks may use a different provider/auth profile when the local primary preflight fails.
2. Require stronger provider proof
   Maintainers can ask for one more live provider proof, such as a real local Ollama plus real cloud fallback, before accepting the auth/provider behavior.
3. Pause if billing behavior is not wanted
   If cron should never move from a local primary to a cloud fallback during preflight without a new opt-in, pause this PR and redesign the policy first.

Next step before merge

• No ClawSweeper repair is needed; the next action is maintainer review of the auth-provider fallback semantics and normal merge gates.

Security
Cleared: The diff changes cron runtime routing, docs, and tests without adding dependencies, CI, package metadata, secret storage, or credential-handling code; the provider routing concern is tracked as merge risk.

Review details

Best possible solution:

Land this after a maintainer explicitly accepts the configured-fallback provider/auth semantics, keeping fallbacks: [] strict and preserving the shared runtime candidate ordering.

Do we have a high-confidence way to reproduce the issue?

Yes, by source inspection: current main calls local preflight only for the resolved primary and returns skipped before fallback resolution. The linked issue also supplies a standalone repro, and this PR adds targeted regression coverage plus after-fix runtime logs.

Is this the best way to solve the issue?

Yes, the shared candidate-chain approach is the maintainable fix because it aligns cron preflight with runtime fallback ordering and preserves strict empty fallback overrides. The remaining question is maintainer acceptance of the provider/auth behavior, not a code repair.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against cb085ec5f1f5.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body and maintainer update include after-fix Gateway logs and recorded cron output showing the dead local primary continuing to a fallback provider and finishing successfully.
• add rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
• remove rating: 🐚 platinum hermit: Current PR rating is rating: 🦞 diamond lobster, so this older rating label is no longer current.

Label justifications:

• P1: The linked bug can silently skip scheduled cron agent runs for real users when a local primary is temporarily unavailable despite configured fallbacks.
• merge-risk: 🚨 auth-provider: The PR changes cron provider/model routing before the agent turn, so existing jobs may use fallback credentials or billing profiles instead of staying skipped.
• rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (logs): The PR body and maintainer update include after-fix Gateway logs and recorded cron output showing the dead local primary continuing to a fallback provider and finishing successfully.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body and maintainer update include after-fix Gateway logs and recorded cron output showing the dead local primary continuing to a fallback provider and finishing successfully.

Evidence reviewed

PR surface:

Source +73, Tests +198, Docs +3. Total +274 across 8 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	4	91	18	+73
Tests	2	199	1	+198
Docs	2	3	0	+3
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	8	293	19	+274

What I checked:

• Current main behavior: Current main preflights only the resolved primary provider/model and returns skipped immediately when that local preflight is unavailable, so configured fallbacks are not reached before the skip. (src/cron/isolated-agent/run.ts:641, cb085ec5f1f5)
• PR implementation: The PR head builds the cron preflight candidate chain, probes candidates in order, switches provider/model to the first available candidate, and only keeps skipping after no candidate passes preflight. (src/cron/isolated-agent/run.ts:643, fe884dab9096)
• Fallback handoff: The executor accepts the narrowed modelFallbacksOverride, so once preflight advances past a dead local primary, runtime fallback does not retry that dead candidate in the same run. (src/cron/isolated-agent/run-executor.ts:160, fe884dab9096)
• Shared candidate builder: Cron preflight now reuses the shared model candidate chain resolver with the same fallback override semantics, including explicit empty fallbacks: []. (src/cron/isolated-agent/run-fallback-policy.ts:40, fe884dab9096)
• Regression coverage: The new tests cover dead local primary handoff to a configured fallback, strict empty payload fallbacks, full candidate-chain planning, and docs coverage for the preflight behavior. (src/cron/isolated-agent.model-preflight.test.ts:94, fe884dab9096)
• Repository policy: Root AGENTS.md treats provider routing, auth state, and fallback behavior as compatibility-sensitive merge risk even with green CI, which applies to this intentional local-to-fallback cron routing change. (AGENTS.md:19, cb085ec5f1f5)

Likely related people:

• Vincent Koc: Current-main blame attributes the isolated cron preflight skip path and fallback-policy helper snapshot to this author, and git history shows many recent isolated cron runtime/performance changes. (role: recent area contributor; confidence: high; commits: 60392a1136ff, 35176f3cb730, 241349cdc5b2; files: src/cron/isolated-agent/run.ts, src/cron/isolated-agent/run-fallback-policy.ts, src/agents/model-fallback.ts)
• Peter Steinberger: Git history links this author to the original models/fallbacks work and later isolated cron runner seam refactors that shaped the current fallback path. (role: model fallback and cron seam contributor; confidence: medium; commits: 734bb6b4fd9a, bbb73d3171e5, 91d20781ed03; files: src/agents/model-fallback.ts, src/cron/isolated-agent/run-executor.ts, src/cron/isolated-agent/run-fallback-policy.ts)
• Dallin Romney: Merged adjacent isolated cron fallback test-harness work in test(cron): speed up isolated fallback tests #87520, which cross-referenced this PR and touches the same test surface. (role: recent adjacent test contributor; confidence: medium; commits: 127c0ad4181a; files: src/cron/isolated-agent/run.payload-fallbacks.test.ts, src/cron/isolated-agent/run.test-harness.ts)
• osolmaz: GitHub context shows this reviewer/assignee completed the latest implementation loop and authored the final PR commits on the branch after maintainer review. (role: recent PR follow-up owner; confidence: medium; commits: dab4ce3396ce, 5eb21e4e0310, fe884dab9096; files: src/cron/isolated-agent/run.ts, src/cron/isolated-agent/run-executor.ts, src/cron/isolated-agent/run-fallback-policy.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[osolmaz]

Implementation loop complete for current head fe884dab90.

Summary:

• Cron local-provider preflight now walks the same model fallback candidate chain used by runtime fallback before returning skipped.
• If preflight selects a fallback, execution receives only the remaining fallback candidates, so the failed local primary is not reintroduced during the same run.
• fallbacks: [] remains strict for preflight and execution.
• Rebased onto current origin/main after the unrelated duplicate-key CI failure was fixed upstream.

Local validation:

• node scripts/run-vitest.mjs src/agents/model-fallback.test.ts src/cron/isolated-agent.model-preflight.test.ts src/cron/isolated-agent/run-fallback-policy.test.ts src/cron/isolated-agent/run.payload-fallbacks.test.ts src/cron/isolated-agent/run.live-session-model-switch.test.ts src/cron/isolated-agent/run.message-tool-policy.test.ts -> passed, 7 files / 210 tests.
• pnpm exec oxfmt --check --threads=1 src/agents/model-fallback.ts src/agents/model-fallback.test.ts src/cron/isolated-agent/run-fallback-policy.ts src/cron/isolated-agent/run-fallback-policy.test.ts src/cron/isolated-agent/run.ts src/cron/isolated-agent/run-executor.ts src/cron/isolated-agent.model-preflight.test.ts src/cron/isolated-agent/run.payload-fallbacks.test.ts src/cron/isolated-agent/run.live-session-model-switch.test.ts src/cron/isolated-agent/run.message-tool-policy.test.ts docs/cli/cron.md docs/automation/cron-jobs.md -> passed.
• node scripts/run-oxlint.mjs src/agents/model-fallback.ts src/agents/model-fallback.test.ts src/cron/isolated-agent/run-fallback-policy.ts src/cron/isolated-agent/run-fallback-policy.test.ts src/cron/isolated-agent/run.ts src/cron/isolated-agent/run-executor.ts src/cron/isolated-agent.model-preflight.test.ts src/cron/isolated-agent/run.payload-fallbacks.test.ts src/cron/isolated-agent/run.live-session-model-switch.test.ts src/cron/isolated-agent/run.message-tool-policy.test.ts -> passed.
• node scripts/run-tsgo.mjs -p tsconfig.core.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/core.tsbuildinfo -> passed.
• git diff --check origin/main...HEAD -> passed.
• pnpm build -> passed.
• codex review --base origin/main -> no actionable regressions; targeted cron preflight/fallback-policy tests passed in review.

Real behavior proof:

• Temporary Gateway scheduled cron run with dead primary ollama/qwen3:32b at http://127.0.0.1:59998 and fallback fakecloud/fake-chat at http://127.0.0.1:43200/v1.
• Cron job 1eb9f68f-8ed7-497f-b956-e8b537dae514 logged: Local provider preflight failed ... continuing with fallback fakecloud/fake-chat.
• The embedded run started with provider=fakecloud model=fake-chat and completed with recorded cron status ok.
• The fake fallback server received both GET /v1/models and POST /v1/chat/completions.
• Not tested against a real OpenRouter model or live Ollama daemon; the synthetic OpenAI-compatible fallback covered scheduler, preflight, fallback selection, and model turn without external credentials.

CI:

• Main check run 26616053140: passed, including check-lint, check-test-types, build artifacts, and cron isolated-agent shards.
• Critical Quality run 26616053143: relevant selected shards passed.
• Security High run 26616053145: passed.
• Real behavior proof run 26616209313: passed.
• Dependency guard run 26616051724: passed.

[osolmaz]

Maintainer note on the provider/auth/billing behavior called out by review:

This is a real behavior change, but it is also the intended meaning of configured cron fallbacks. If a job is configured with a local primary plus a cloud fallback, for example ollama/qwen3 -> openrouter/model, then cron should be allowed to use the configured fallback when the local primary fails preflight. The old behavior skipped before the fallback policy could run, which made that fallback config ineffective for scheduled runs.

I would not add another opt-in here. That would make configured fallbacks surprising in the opposite direction: users would have configured a fallback, but cron would still skip unless a second policy was enabled.

The right guardrail is the one this PR keeps: fallbacks: [] remains strict and preserves the skip-only behavior for jobs that should never move to another provider. The docs/PR body now also make the fallback-before-skip behavior explicit.

[osolmaz]

Merged in 7a381b8.

Verification used for merge:

• GitHub CI on pinned PR head fe884da was green.
• Local focused cron/model fallback tests passed earlier for the touched surface.
• Local merge-wrapper build and check passed on the prepared candidate.
• Local full pnpm test had unrelated failures outside this PR's touched files, so this was merged based on the green PR-head CI plus focused/touched-surface proof.