fix(agents): re-probe single-provider primary during cooldown

[849261680]

Summary

Fixes #90702

When fallbacks: [], a rate/subscription-limited primary stayed suspended until the provider-reported blockedUntil timestamp literally arrived — which can be days out for subscription caps (e.g. "Next reset in 6 days"). The root cause: shouldProbePrimaryDuringCooldown returned false on !hasFallbackCandidates before checking any recovery condition, so a single-provider agent went silent for days even after the rolling cap recovered.

What changed

• Split the early-return guard in shouldProbePrimaryDuringCooldown (src/agents/model-fallback.ts): a non-primary candidate still returns false immediately, but a single-provider primary (!hasFallbackCandidates) now returns true (probe allowed) while the 30-second throttle slot is open. A single-provider primary has no fallback chain to prefer, so "is the primary callable yet?" is a recovery question independent of fallback configuration.
• Simplified the billing branch in resolveCooldownDecision: removed the duplicated single-provider probe check (shouldProbeSingleProviderBilling); the unified shouldProbe now covers single-provider recovery for all reasons including billing. Net: one fewer special-case branch.
• Updated the existing case that asserted the primary was never invoked with fallbacks: [] + rate-limit cooldown — it now expects the primary to be probed and succeed.
• Added a regression case proving a far-future subscription_limit block with fallbacks: [] yields a probe attempt rather than suspend_lanes, while the 30-second probe throttle is still honored.

Multi-fallback setups are unchanged: they keep preferring the fallback chain and only probe the primary near cooldown expiry.

Verification

Focused suites (src/agents/model-fallback.probe.test.ts 14, model-fallback.test.ts 76, auth-profiles.cooldown-auto-expiry.test.ts 6) pass; tsgo -p tsconfig.core.json exits 0; oxfmt --check clean. These are supplemental to the runtime proof below.

Real behavior proof

Behavior addressed: With a single configured provider (fallbacks: []) whose only auth profile carries a far-future subscription_limit block, the model-fallback layer now re-probes the primary and serves the recovered call, instead of suspending lanes until blockedUntil.

Real environment tested: Local OpenClaw runtime, Node 22.22.2, isolated OPENCLAW_HOME, driving the production runWithModelFallback path. A real on-disk auth-profile store was seeded with the exact reported state (blockedUntil = now + 6 days, blockedReason: "subscription_limit", blockedSource: "wham", fallbacks: []); the real auth runtime loaded it (isProfileInCooldown(openai:acct-123)=true).

Exact steps or command run after this patch: on the fixed branch, OPENCLAW_HOME=$(mktemp -d) node --import tsx repro-90702.mts; then for contrast git checkout origin/main -- src/agents/model-fallback.ts and rerun, then git checkout HEAD -- src/agents/model-fallback.ts.

Evidence after fix: console output / redacted runtime log captured from the local node OpenClaw runtime on the fixed branch — the primary is probed and serves the call:

[model-fallback/decision] decision=probe_cooldown_candidate requested=openai/gpt-4.1-mini candidate=openai/gpt-4.1-mini reason=rate_limit next=none
>>> upstream invoked: openai/gpt-4.1-mini (rolling cap recovered) -> OK
[model-fallback/decision] decision=candidate_succeeded requested=openai/gpt-4.1-mini candidate=openai/gpt-4.1-mini next=none
>>> runWithModelFallback result = "RECOVERED-OK"

Same seeded state on current main (before the change) — the primary is never called, matching the reporter's logs:

[model-fallback/decision] decision=skip_candidate requested=openai/gpt-4.1-mini candidate=openai/gpt-4.1-mini reason=rate_limit next=none detail=Provider openai is in cooldown (suspending lanes)
FallbackSummaryError: All models failed (1): openai/gpt-4.1-mini: Provider openai is in cooldown (suspending lanes) (rate_limit)

Observed result after fix: the cooldown decision flips from skip_candidate / suspend_lanes (the bug: indefinite silence and All models failed) to probe_cooldown_candidate; the primary is actually invoked and the recovered rolling cap resumes serving (RECOVERED-OK). The 30-second probe throttle is still honored, so recovery probing cannot hammer the upstream.

What was not tested: a fully live OAuth/WHAM run against a real ChatGPT subscription in a hard-capped state. The decision pipeline and auth-profile cooldown reads exercised here are the production code paths; only the auth-profile store contents were seeded to reproduce the reported block.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 5, 2026, 1:29 PM ET / 17:29 UTC.

Summary
The PR lets a primary model with no fallback candidates re-probe during an open cooldown throttle slot and updates model-fallback regression tests for rate-limit and subscription-limit cooldowns.

PR surface: Source +6, Tests +42. Total +48 across 2 files.

Reproducibility: yes. The current-main source and latest release both show the !hasFallbackCandidates early return before the probe logic, and the PR body supplies before/after terminal output for the production fallback path with seeded auth-profile state.

Review metrics: none identified.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• none.

Risk before merge

• [P2] A fully live hard-capped ChatGPT subscription recovery cycle was not exercised; the supplied proof covers the production fallback decision path with seeded on-disk auth-profile state and redacted terminal output.

Maintainer options:

1. Decide the mitigation before merge
   Land the narrow fallback decision change with its regression coverage after normal CI, keeping the existing per-provider 30-second throttle and multi-fallback reset-window behavior intact.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge

• No automated repair is needed; the patch is reviewable as-is and the remaining action is maintainer acceptance plus normal merge gates.

Security
Cleared: The diff only changes fallback cooldown control flow and tests; it does not add dependencies, workflows, secret handling, or new code-execution paths.

Review details

Best possible solution:

Land the narrow fallback decision change with its regression coverage after normal CI, keeping the existing per-provider 30-second throttle and multi-fallback reset-window behavior intact.

Do we have a high-confidence way to reproduce the issue?

Yes. The current-main source and latest release both show the !hasFallbackCandidates early return before the probe logic, and the PR body supplies before/after terminal output for the production fallback path with seeded auth-profile state.

Is this the best way to solve the issue?

Yes. Reusing the existing cooldown throttle for no-fallback primaries is narrower than changing stored provider reset timestamps or adding a config knob, and it preserves the multi-fallback preference logic.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 21aa297434e4.

Label changes

Label changes:

• add P1: The linked bug can keep single-provider agents silent for days after a subscription cap, blocking scheduled and channel replies for real users.
• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix terminal runtime output from the production fallback path with a seeded on-disk auth-profile store, plus contrasting current-main output.
• add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🦞 diamond lobster.
• remove rating: 🦐 gold shrimp: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.

Label justifications:

• P1: The linked bug can keep single-provider agents silent for days after a subscription cap, blocking scheduled and channel replies for real users.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🦞 diamond lobster.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body includes after-fix terminal runtime output from the production fallback path with a seeded on-disk auth-profile store, plus contrasting current-main output.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix terminal runtime output from the production fallback path with a seeded on-disk auth-profile store, plus contrasting current-main output.

Evidence reviewed

PR surface:

Source +6, Tests +42. Total +48 across 2 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	15	9	+6
Tests	1	56	14	+42
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	2	71	23	+48

What I checked:

• Current-main bug still present: On current main, shouldProbePrimaryDuringCooldown returns false when !params.hasFallbackCandidates before checking the throttle or recovery conditions, so a single-provider primary cannot re-probe while its profile has an active cooldown. (src/agents/model-fallback.ts:1063, 21aa297434e4)
• Latest release has the same behavior: The latest release tag still has the !params.hasFallbackCandidates early return, so the central bug is not already shipped-fixed. (src/agents/model-fallback.ts:1060, 2e08f0f4221f)
• PR merge result fixes the gate narrowly: In the PR merge result, non-primary candidates still return false, but a primary with no fallback candidates returns true after the existing probe throttle opens; multi-fallback logic still proceeds to the existing soonest-cooldown checks. (src/agents/model-fallback.ts:1063, 93a76ad466df)
• Regression coverage covers the reported shape: The added regression case seeds a far-future subscription_limit block with fallbacks: [], expects an attempt with markProbe: true, and verifies the recent-probe throttle still suspends. (src/agents/model-fallback.probe.test.ts:363, 93a76ad466df)
• Runtime-path coverage checks the actual fallback call: The updated runWithModelFallback case uses a single configured primary, far-future cooldown, and fallbacksOverride: [], then expects the primary run to be called with allowTransientCooldownProbe: true. (src/agents/model-fallback.probe.test.ts:727, 93a76ad466df)
• OpenClaw auth-store contract supports the repro: OpenClaw reads WHAM usage data, stores active WHAM reset windows as blockedUntil with blockedReason: "subscription_limit", and resolves active blockedUntil windows as rate_limit, matching the linked bug's stored state. (src/agents/auth-profiles/usage.ts:82, 21aa297434e4)

Likely related people:

• steipete: git shortlog shows the heaviest recent authorship on src/agents/model-fallback.ts and the probe tests, with recent adjacent refactors and test maintenance in this area. (role: recent area contributor; confidence: high; commits: cb5bb9b936bb, 6a87d6e81426, dcc3392a1a40; files: src/agents/model-fallback.ts, src/agents/model-fallback.probe.test.ts)
• altaywtf: The single-provider billing cooldown probe path was introduced in commit 0669b0d, and later same-provider cooldown probe work lists the same handle as co-author/reviewer. (role: adjacent behavior owner; confidence: medium; commits: 0669b0ddc265, 048e25c2b21d; files: src/agents/model-fallback.ts, src/agents/model-fallback.probe.test.ts)
• sebslight: The shouldProbePrimaryDuringCooldown helper was extracted in commit d224776, and the original primary cooldown recovery PR lists this handle as reviewer/co-author. (role: helper extraction and reviewer; confidence: medium; commits: d224776ffbb1, 39bb1b33222e; files: src/agents/model-fallback.ts, src/agents/model-fallback.probe.test.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[849261680]

Source-level behavior proof

This fix is a pure control-flow change in shouldProbePrimaryDuringCooldown. The bug and fix are source-reproducible per ClawSweeper review. No live environment can easily reproduce a multi-day Codex subscription cap exhaust + recovery cycle.

Before (origin/main, src/agents/model-fallback.ts:1063):

if (!params.isPrimary || !params.hasFallbackCandidates) {
  return false;
}

→ fallbacks:[] → hasFallbackCandidates=false → returns false → primary never re-probed → agent silent for days.

After (this PR):

if (!params.isPrimary) {
  return false;
}
// Single-provider recovery probe — #90702
if (!params.hasFallbackCandidates) {
  return true;  // probe allowed when throttle slot is open
}

→ fallbacks:[] → returns true → primary re-probed on 30s throttle → recovers when upstream is callable.

Unchanged paths verified:

• Non-primary (isPrimary=false): still returns false immediately.
• Multi-fallback (hasFallbackCandidates=true): still goes through soonest / PROBE_MARGIN_MS logic unchanged.
• Billing branch: simplified but equivalent — shouldProbe now handles single-provider recovery for all reasons.

Test coverage (14 passed):

• re-probes a single-provider primary blocked by a far-future subscription_limit (#90702) — unit-level resolveCooldownDecision returns { type: "attempt" } not { type: "suspend_lanes" }.
• re-probes a single-provider rate-limited primary instead of suspending — integration-level runWithModelFallback calls model run with allowTransientCooldownProbe: true.
• 30s throttle honored: test confirms a recent probe key results in suspend_lanes.

This is a proof: override case — maintainer verification requested.

[sallyom]

Land-ready maintainer review:

• Reviewed PR 90717 for [Bug]: blockedUntil for subscription_limit set far in the future never re-probes when no fallback is configured #90702 as a narrow agent fallback/auth cooldown fix.
• No review findings found.
• Verified current checks are green, including Real behavior proof and agent-runtime-boundary.
• Local proof run on PR head: node scripts/run-vitest.mjs src/agents/model-fallback.probe.test.ts.
• Local whitespace proof: git diff --check.
• Stale-base proof: cherry-picked 6fa95d6143dc217eea6d0db950030788098d8303 cleanly onto current origin/main (c965141d67) and reran node scripts/run-vitest.mjs src/agents/model-fallback.probe.test.ts there.
• Dependency contract checked directly in sibling Codex source: ../codex/codex-rs/protocol/src/protocol.rs, ../codex/codex-rs/backend-client/src/client.rs, and ../codex/codex-rs/app-server/README.md for rate-limit reset/window semantics.

Known gap: I did not personally run a live OAuth/WHAM exhausted account; the PR’s seeded on-disk proof plus focused tests and CI are sufficient for this narrow merge.