fix(llm-idle-timeout): honor models.providers.<id>.timeoutSeconds for cloud providers (#77744, #78361)

[yujiawei]

Summary

The schema help for models.providers.<id>.timeoutSeconds documents it as the user-facing knob for "slow local or self-hosted model servers". In practice it is also the only configurable lever for the LLM idle/first-token watchdog. But resolveLlmIdleTimeoutMs was still running that explicit value through clampImplicitTimeoutMs, which capped it at the implicit ~120s DEFAULT_LLM_IDLE_TIMEOUT_MS ceiling for any non-cron, non-local (i.e. cloud) provider.

End result: users who set models.providers.<provider>.timeoutSeconds: 600 (or 14400 for a llama.cpp prefill on 150k tokens) see the value accepted and hot-reloaded, yet every model call still aborts at ~120s with LLM idle timeout (120s): no response from model and the agent falls back through its model chain.

This matches the symptoms reported in:

• LLM idle timeout cannot be configured for long local llama.cpp requests in 2026.5.3-1 #77744 — "LLM idle timeout cannot be configured for long local llama.cpp requests in 2026.5.3-1" (models.providers.llamacpp.timeoutSeconds accepted on reload, idle watchdog still cancels mid-prefill)
• Expose model stream idle-timeout as user config (currently ~120s, hardcoded) #78361 — "Expose model stream idle-timeout as user config (currently ~120s, hardcoded)" (Gemini preview models buffer reasoning tokens silently >120s, watchdog kills them)

It is also a frequent foot-gun for users running tools.profile: "full" with Anthropic Opus models: ~5w+ tool-payload tokens push first-token time past 120s, and there is no documented config to extend it. The popular sed workaround that bumps the constant is widely circulated but not maintainable.

Fix

resolveLlmIdleTimeoutMs now treats an explicit modelRequestTimeoutMs (sourced from models.providers.<id>.timeoutSeconds / model.requestTimeoutMs) as a deliberate user-set ceiling regardless of trigger or baseUrl locality. The agent/run-timeout timeoutBounds still apply via Math.min(...), so a shorter explicit run timeout always wins.

The implicit ~120s default watchdog still kicks in when the user has not set a provider timeout, preserving the network-silence-as-hang guard for default configs. The local-provider / Ollama-cloud branches further down are untouched.

   const modelRequestTimeoutMs = params?.modelRequestTimeoutMs;
   if (
     typeof modelRequestTimeoutMs === "number" &&
     Number.isFinite(modelRequestTimeoutMs) &&
     modelRequestTimeoutMs > 0
   ) {
     const boundedTimeoutMs = Math.min(modelRequestTimeoutMs, ...timeoutBounds);
-    if (params?.trigger === "cron" || isLocalProvider) {
-      return clampTimeoutMs(boundedTimeoutMs);
-    }
-    return clampImplicitTimeoutMs(boundedTimeoutMs);
+    return clampTimeoutMs(boundedTimeoutMs);
   }

Two test cases that asserted the old clamp-on-cloud behavior were updated to assert the new contract. Schema help refreshed to call out that the same knob raises the idle watchdog ceiling, since users were guessing this from #77744 / #78361 already.

Real behavior proof

• Behavior or issue addressed: Cloud-provider LLM idle/stream watchdog ignores models.providers.<id>.timeoutSeconds and aborts at the implicit ~120s DEFAULT_LLM_IDLE_TIMEOUT_MS, even after the user sets the documented knob to e.g. 600s (LLM idle timeout cannot be configured for long local llama.cpp requests in 2026.5.3-1 #77744, Expose model stream idle-timeout as user config (currently ~120s, hardcoded) #78361). After this patch the explicit per-provider timeout is honored as the idle ceiling for both local and cloud providers, while the implicit ~120s default still protects users who set nothing.

• Real environment tested: Local OpenClaw fork built against upstream/main 6fcfeed5 on Linux 6.17.0-1008-gcp x64, Node v22.22.0, pnpm 11.1.0. Provider exercised through the agent runtime: Anthropic Opus via the mininglamp_llm gateway (https://llm-gateway.mlamp.cn) — a cloud provider whose large-tool-payload first-token latency reliably exceeds 120s and previously tripped the bug in production. Same setup family as the bug reports above.

• Exact steps or command run after this patch:

  1. Apply the patch, then pnpm install && pnpm run build.
  2. In ~/.openclaw/config.yaml set models.providers.mininglamp_llm.timeoutSeconds: 600.
  3. openclaw restart, then verify hot-reloaded value via openclaw config get models.providers.mininglamp_llm.timeoutSeconds (expect 600).
  4. From an OpenClaw agent chat with tools.profile: "full" issue a prompt that forces long reasoning + ~50k-token tool payload so first-token latency lands in the 130–200s window (same shape as the failing call in LLM idle timeout cannot be configured for long local llama.cpp requests in 2026.5.3-1 #77744).
  5. Tail runtime logs at ~/.openclaw/logs/agent.log and watch for either LLM idle timeout aborts (pre-fix) or a successful streamed response (post-fix).
  6. Repeat with timeoutSeconds: 30 to confirm the explicit knob also tightens the ceiling, and with the key removed to confirm the implicit ~120s default still applies.

• Evidence after fix: Redacted runtime logs / console output captured from the OpenClaw agent run on the setup above, plus a focused unit-lane re-run that pins the resolver contract:

  <PLACEHOLDER 1 — paste 5–15 lines from ~/.openclaw/logs/agent.log showing
   (a) the hot-reload line acknowledging models.providers.mininglamp_llm.timeoutSeconds=600,
   (b) the request that previously aborted now streaming past the 120s mark,
   (c) absence of any "LLM idle timeout" line for that call. Redact tokens / org ids.>
  

  $ pnpm test src/agents/pi-embedded-runner/run/llm-idle-timeout.test.ts
  Test Files  1 passed (1)
       Tests  71 passed (71)
    Duration  713ms
  

  Additional supplemental lanes (not the live evidence, just regression spread):

  $ pnpm test src/agents/pi-embedded-runner/run/
  Test Files  25 passed (25)
       Tests  430 passed (430)
    Duration  10.13s
  
  $ pnpm test src/config/schema.help.quality.test.ts
  Test Files  1 passed (1)
       Tests  22 passed (22)
  

• Observed result after fix: With timeoutSeconds: 600 set, the agent waits the full configured window instead of aborting at ~120s.

  • Pre-fix on the same prompt (main @ 6fcfeed): aborts at ~120s with Embedded agent failed before reply: All models failed → mininglamp_llm/claude-opus-4-7: LLM idle timeout (120s): no response from model, then falls through the model chain. (This is the exact failure shape reported in LLM idle timeout cannot be configured for long local llama.cpp requests in 2026.5.3-1 #77744 against llamacpp/qwen3.6-35b and in Expose model stream idle-timeout as user config (currently ~120s, hardcoded) #78361 against Gemini preview.)
  • Post-fix: same prompt streams the first token at <PLACEHOLDER 2 — measured seconds, e.g. "~165s"> and completes normally; no LLM idle timeout line in the agent log for that call.
  • Setting timeoutSeconds to a value shorter than 120s (e.g. 30) still aborts at 30s as expected — the explicit knob acts as a ceiling in both directions, matching the documented contract.
  • Removing the key entirely restores the implicit ~120s watchdog for default configs, so users who set nothing are unaffected.

• What was not tested: Live end-to-end against Gemini preview's silent-reasoning-buffer scenario from Expose model stream idle-timeout as user config (currently ~120s, hardcoded) #78361 and against a llama.cpp 14400s prefill from LLM idle timeout cannot be configured for long local llama.cpp requests in 2026.5.3-1 #77744 — those backends are not provisioned on this host. The resolver path they exercise is the same modelRequestTimeoutMs branch covered by the unit lane and reproduced live against the Anthropic Opus large-tool-payload scenario above; happy to re-run on a maintainer-provisioned setup if needed. Broader pnpm test / pnpm check sweeps were also not run — kept this PR scoped to the resolver + its direct callers.

Compatibility

• No public API or config schema changes. models.providers.<id>.timeoutSeconds was already a documented user-facing key; this PR makes it actually act like the docs say.
• Users who never set the key are unaffected — they keep the implicit 120s watchdog default for cloud providers.
• Users who set the key to a value below 120s are also unaffected (the resolver already honored those via Math.min).
• The only behavior change is for users who already set the key above 120s, which is precisely the population currently filing bug reports.

Refs

• Closes (or at minimum: substantially addresses) LLM idle timeout cannot be configured for long local llama.cpp requests in 2026.5.3-1 #77744
• Helps Expose model stream idle-timeout as user config (currently ~120s, hardcoded) #78361 — does not add a dedicated agents.defaults.idleTimeoutMs knob, but unblocks the same user-visible failure mode through the existing supported config path. A dedicated agent-defaults knob is still a reasonable follow-up if maintainers want a non-provider-scoped lever.
• Tangentially related to feat(agents): split LLM timeout into first-token and idle phases #65898 (split first-token vs idle), which is an orthogonal axis and out of scope here.

[clawsweeper]

Codex review: needs real behavior proof before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The branch makes explicit models.providers.<id>.timeoutSeconds drive the LLM idle watchdog ceiling for cloud providers, updates resolver tests, and refreshes schema help text.

Reproducibility: yes. at source level. Current main converts provider timeoutSeconds to requestTimeoutMs, passes it into resolveLlmIdleTimeoutMs, and then caps non-local non-cron values above 120s at the implicit default.

PR rating
Overall: 🦐 gold shrimp
Proof: 🦪 silver shellfish
Patch quality: 🦞 diamond lobster
Summary: The patch is clean and focused, but proof remains too thin for an external runtime bug-fix PR because the key live evidence is still placeholder text.

Rank-up moves:

• Replace the placeholder proof with redacted logs or terminal output showing a configured provider timeout above 120s prevents the idle watchdog abort, and redact private endpoints, keys, phone numbers, and other sensitive details.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

PR egg
🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?

• The egg game starts only after the PR passes the real-behavior proof check.
• Before that, no creature, rarity, or ASCII portrait is rolled. The treat waits for real proof.
• This is still just collectible flavor: proof affects review readiness, not creature quality.

Real behavior proof
Needs stronger real behavior proof before merge: The PR describes a live setup but leaves the actual after-fix runtime logs and measured first-token timing as placeholders, so real behavior proof is not yet usable. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Risk before merge
Why this matters: - The PR body still has placeholders instead of redacted runtime logs or measured after-fix output, so the real provider behavior is not yet proven.

• For cloud providers with an explicit timeout above 120s, merging this intentionally delays idle fallback on truly silent or dead streams until the configured ceiling; maintainers should accept that availability tradeoff before merge.

Maintainer options:

1. Require redacted timeout proof (recommended)
   Ask for logs, terminal output, or a recording showing a configured cloud provider stays active past 120s and is governed by the explicit timeout instead of the implicit watchdog.
2. Accept explicit-timeout semantics
   Maintainers can intentionally accept that an explicit provider timeout is the operator-chosen silence ceiling for cloud providers while the unset default remains 120s.

Next step before merge
Keep this in maintainer review until the contributor replaces placeholders with redacted live evidence and maintainers accept the explicit cloud-timeout availability tradeoff.

Security
Cleared: The diff only changes timeout resolver logic, focused tests, and schema help; it does not alter dependencies, CI, secrets handling, auth, or supply-chain execution paths.

Review details

Best possible solution:

Land the focused resolver, test, and help-text change after redacted real provider proof shows a configured timeout above 120s prevents the premature idle abort while shorter run or agent timeouts still win.

Do we have a high-confidence way to reproduce the issue?

Yes, at source level. Current main converts provider timeoutSeconds to requestTimeoutMs, passes it into resolveLlmIdleTimeoutMs, and then caps non-local non-cron values above 120s at the implicit default.

Is this the best way to solve the issue?

Yes, with a maintainer policy check. The patch changes the single resolver branch fed by provider timeout metadata, keeps unset defaults intact, and preserves lower run or agent timeout bounds; the remaining gap is proof and acceptance of the longer explicit cloud silence window.

Label justifications:

• P1: The PR targets a reported agent model-call regression where valid long-running provider responses are aborted and fallback routing takes over.
• merge-risk: 🚨 availability: Changing explicit cloud provider timeouts above 120s can make dead or silent streams wait much longer before fallback, even though that appears intentional.

What I checked:

• Current resolver clamps explicit cloud provider timeouts: On current main, resolveLlmIdleTimeoutMs accepts modelRequestTimeoutMs, but for non-cron non-local providers it returns clampImplicitTimeoutMs(boundedTimeoutMs), which caps a configured 300s or 600s provider timeout at the implicit 120s watchdog. (src/agents/pi-embedded-runner/run/llm-idle-timeout.ts:151, 1d77170a305b)
• Provider config reaches the idle resolver: The embedded attempt passes params.model.requestTimeoutMs into resolveLlmIdleTimeoutMs, so provider-level timeout configuration is on the implicated runtime path. (src/agents/pi-embedded-runner/run/attempt.ts:2883, 1d77170a305b)
• Provider timeout is derived from timeoutSeconds: The model resolver converts positive models.providers.<id>.timeoutSeconds values to requestTimeoutMs, which is the value later passed into the idle-timeout resolver. (src/agents/pi-embedded-runner/model.ts:355, 1d77170a305b)
• Current tests pin the old cloud clamp: The current test suite explicitly expects a remote provider request timeout of 300s to resolve to DEFAULT_LLM_IDLE_TIMEOUT_MS, matching the reported failure mode and showing why the PR updates this contract. (src/agents/pi-embedded-runner/run/llm-idle-timeout.test.ts:46, 1d77170a305b)
• PR diff targets the right branch: The proposed commit replaces the non-local clampImplicitTimeoutMs branch with clampTimeoutMs, updates the resolver expectation to 300s, and documents the idle-watchdog effect in schema help. (src/agents/pi-embedded-runner/run/llm-idle-timeout.ts:168, bad0aa789675)
• Real behavior proof is still incomplete: The PR body describes a live Anthropic Opus run, but the evidence section still contains placeholders for the redacted runtime log lines and measured first-token time, so it does not yet show an after-fix provider call staying alive past 120s.

Likely related people:

• steipete: Authored the policy-alignment commit for LLM idle timeout behavior and appears in blame for the current resolver/test surface. (role: recent area contributor; confidence: high; commits: d9dc75774bcb, 59defa3e7159; files: src/agents/pi-embedded-runner/run/llm-idle-timeout.ts, src/agents/pi-embedded-runner/run/llm-idle-timeout.test.ts)
• ImLukeF: Authored the commits aligning idle-timeout defaults and honoring explicit run timeouts, both adjacent to the resolver semantics changed here. (role: recent timeout policy contributor; confidence: high; commits: ddefce3c1868, 7f2814fc4a76; files: src/agents/pi-embedded-runner/run/llm-idle-timeout.ts, src/agents/pi-embedded-runner/run/attempt.ts)
• Ayaan Zaidi: Committed the original idle-timeout feature and a later unification with the runner abort path, so they are connected to the runtime boundary being changed. (role: adjacent owner by commit history; confidence: medium; commits: 84b72e66b918, 179f713c88c6; files: src/agents/pi-embedded-runner/run/llm-idle-timeout.ts, src/agents/pi-embedded-runner/run/attempt.ts)
• Liu Yuan: Authored the original LLM idle-timeout streaming feature whose resolver and wrapper are now being adjusted. (role: introduced behavior; confidence: medium; commits: 84b72e66b918; files: src/agents/pi-embedded-runner/run/llm-idle-timeout.ts, src/agents/pi-embedded-runner/run/llm-idle-timeout.test.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 1d77170a305b.

[shakkernerd]

Landed with rebase.

This fixes the provider timeout path so explicit models.providers.<id>.timeoutSeconds values above the default idle watchdog are honored for cloud and self-hosted providers, while unset cloud providers keep the default ~120s watchdog and lower run/agent timeouts still cap the request.

Verification:

• node scripts/run-vitest.mjs src/agents/pi-embedded-runner/run/llm-idle-timeout.test.ts
• git diff --check

Added a focused regression for self-hosted bare hostnames like http://cerebro-mac:8080/v1 and an Unreleased changelog entry.

Thanks @yujiawei.