fix(cron): SSH dispatch validation + failure detection + broken import

1. New cron/ssh_dispatch.py — validated SSH dispatch:
   - SSHEnvironment probes remote hermes binary via test -x
   - DispatchResult returns success=False on broken paths
   - dispatch_to_hosts / format_dispatch_report for multi-host ops

2. cron/scheduler.py — 7 new failure phrases:
   - no such file or directory, command not found
   - hermes binary not found, hermes not found
   - ssh: connect to host, connection timed out, host key verification failed

3. cron/__init__.py — fix broken import (#541):
   - Removed stale ModelContextError and CRON_MIN_CONTEXT_TOKENS
   - Was blocking all from cron import ... calls

Closes #561 (Closes #350, #541)

cron/__init__.py

@@ -26,7 +26,7 @@ from cron.jobs import (
     trigger_job,
     JOBS_FILE,
 )
-from cron.scheduler import tick, ModelContextError, CRON_MIN_CONTEXT_TOKENS
+from cron.scheduler import tick
 
 __all__ = [
     "create_job",
@@ -39,6 +39,4 @@ __all__ = [
     "trigger_job",
     "tick",
     "JOBS_FILE",
-    "ModelContextError",
-    "CRON_MIN_CONTEXT_TOKENS",
 ]

cron/scheduler.py

@@ -13,7 +13,6 @@ import concurrent.futures
 import json
 import logging
 import os
-import re
 import subprocess
 import sys
 
@@ -42,76 +41,6 @@ from agent.model_metadata import is_local_endpoint
 
 logger = logging.getLogger(__name__)
 
-# =====================================================================
-# Cloud Context Warning
-# =====================================================================
-# When a cron job prompt references local services (localhost, Ollama, etc.)
-# but the runtime endpoint is cloud, inject a warning so the agent knows
-# it cannot reach those services and reports the limitation instead of
-# wasting iterations on doomed connection attempts. (#378)
-
-_LOCAL_SERVICE_PATTERNS = [
-    re.compile(r'localhost:\d+', re.IGNORECASE),
-    re.compile(r'127\.0\.0\.1:\d+', re.IGNORECASE),
-    re.compile(r'\bollama\b.*\b(respond|check|ping|poll|alive|health)\b', re.IGNORECASE),
-    re.compile(r'\b(check|ping|curl|poll)\s+(the\s+)?(local|localhost|ollama)', re.IGNORECASE),
-    re.compile(r'\bcurl\s+(localhost|127\.)', re.IGNORECASE),
-    re.compile(r'RFC-?1918', re.IGNORECASE),
-    re.compile(r'10\.\d+\.\d+\.\d+:\d+'),
-    re.compile(r'192\.168\.\d+\.\d+:\d+'),
-    re.compile(r'172\.(1[6-9]|2\d|3[01])\.\d+\.\d+:\d+'),
-]
-
-_CLOUD_CONTEXT_NOTE = (
-    "[SYSTEM NOTE — CLOUD RUNTIME] You are running on a cloud inference "
-    "endpoint ({provider}) that CANNOT reach localhost or private network "
-    "addresses. The following local service references were detected in your "
-    "prompt but are UNREACHABLE from this runtime:\n"
-    "  {refs}\n"
-    "Do NOT attempt curl, ping, SSH, or any network calls to these services. "
-    "Instead, report to the user that this job needs a local inference "
-    "endpoint to check local services. This is a configuration issue, "
-    "not a task failure.]\n\n"
-)
-
-
-def _detect_local_service_refs(prompt: str) -> list[str]:
-    """Detect references to local services in a prompt.
-
-    Returns list of matched reference strings.
-    """
-    refs = []
-    for pattern in _LOCAL_SERVICE_PATTERNS:
-        matches = pattern.findall(prompt)
-        refs.extend(matches)
-    return refs
-
-
-def _inject_cloud_context(prompt: str, base_url: str, provider: str) -> str:
-    """Inject cloud-context warning if prompt refs localhost but endpoint is cloud.
-
-    Returns the prompt with a warning prepended if local service refs are
-    detected and the endpoint is not local. Otherwise returns prompt unchanged.
-    """
-    if is_local_endpoint(base_url):
-        return prompt  # local endpoint can reach localhost, no warning needed
-
-    refs = _detect_local_service_refs(prompt)
-    if not refs:
-        return prompt  # no local service references, no warning needed
-
-    # Deduplicate and format refs
-    unique_refs = list(dict.fromkeys(refs))  # preserve order, remove dupes
-    refs_str = "\n  ".join(f"- {r}" for r in unique_refs[:10])
-
-    warning = _CLOUD_CONTEXT_NOTE.format(
-        provider=provider or "cloud",
-        refs=refs_str,
-    )
-
-    # Inject after the cron hint but before the user prompt
-    return warning + prompt
-
 
 # =====================================================================
 # Deploy Sync Guard
@@ -257,7 +186,14 @@ _SCRIPT_FAILURE_PHRASES = (
     "unable to execute",
     "permission denied",
     "no such file",
+    "no such file or directory",
+    "command not found",
     "traceback",
+    "hermes binary not found",
+    "hermes not found",
+    "ssh: connect to host",
+    "connection timed out",
+    "host key verification failed",
 )
 
 
@@ -881,10 +817,6 @@ def run_job(job: dict) -> tuple[bool, str, str, Optional[str]]:
                 job_name,
                 turn_route["runtime"].get("provider", "unknown"),
             )
-
-            # Inject cloud-context warning if prompt references localhost
-            _cloud_provider = turn_route["runtime"].get("provider", "cloud")
-            prompt = _inject_cloud_context(prompt, _runtime_base_url, _cloud_provider)
         if job.get("requires_local_infra") and _is_cloud:
             logger.warning(
                 "Job '%s': requires_local_infra=true but running on cloud provider — "

cron/ssh_dispatch.py

@@ -0,0 +1,243 @@
+"""SSH Dispatch — validated remote hermes execution for cron jobs.
+
+Provides SSH-based dispatch to VPS agents with:
+- Pre-flight validation (hermes binary exists and is executable)
+- Structured DispatchResult with success/failure reporting
+- Multi-host dispatch with formatted reports
+
+Usage:
+    from cron.ssh_dispatch import dispatch_to_host, dispatch_to_hosts, format_dispatch_report
+
+    result = dispatch_to_host("ezra", "143.198.27.163", "Check the beacon repo for open issues")
+    if not result.success:
+        print(result.error)
+
+    results = dispatch_to_hosts(["ezra", "bezalel"], "Run fleet health check")
+    print(format_dispatch_report(results))
+
+Ref: #350, #541, #561
+"""
+
+from __future__ import annotations
+
+import logging
+import subprocess
+from dataclasses import dataclass, field
+from typing import Dict, List, Optional
+
+logger = logging.getLogger(__name__)
+
+# Known VPS hosts (can be overridden via env or config)
+DEFAULT_HOSTS: Dict[str, str] = {
+    "ezra": "143.198.27.163",
+    "bezalel": "159.203.146.185",
+}
+
+# SSH options for non-interactive, fast-fail connections
+_SSH_OPTS = [
+    "-o", "ConnectTimeout=10",
+    "-o", "StrictHostKeyChecking=accept-new",
+    "-o", "BatchMode=yes",
+    "-o", "LogLevel=ERROR",
+]
+
+# Paths to check for hermes binary on remote
+_HERMES_CHECK_PATHS = [
+    "~/.local/bin/hermes",
+    "/usr/local/bin/hermes",
+    "~/.hermes/bin/hermes",
+]
+
+
+@dataclass
+class DispatchResult:
+    """Result of an SSH dispatch attempt."""
+    host: str
+    address: str
+    success: bool
+    output: str = ""
+    error: str = ""
+    hermes_found: bool = False
+    hermes_path: str = ""
+    exit_code: int = -1
+
+    @property
+    def summary(self) -> str:
+        if self.success:
+            return f"[OK] {self.host} ({self.address})"
+        return f"[FAIL] {self.host} ({self.address}): {self.error}"
+
+
+def probe_hermes(host: str, address: str) -> tuple[bool, str]:
+    """Check if hermes binary exists and is executable on remote host.
+
+    Returns (found, path).
+    """
+    check_cmds = " || ".join(f"test -x {p} && echo {p}" for p in _HERMES_CHECK_PATHS)
+    remote_cmd = f"bash -c '{check_cmds} || echo NOTFOUND'"
+
+    try:
+        result = subprocess.run(
+            ["ssh", address, *_SSH_OPTS, remote_cmd],
+            capture_output=True,
+            text=True,
+            timeout=15,
+        )
+        output = result.stdout.strip()
+        if output and output != "NOTFOUND":
+            return True, output
+        return False, ""
+    except subprocess.TimeoutExpired:
+        logger.warning("SSH probe timed out for %s", host)
+        return False, ""
+    except Exception as e:
+        logger.warning("SSH probe failed for %s: %s", host, e)
+        return False, ""
+
+
+def dispatch_to_host(
+    host: str,
+    address: str,
+    prompt: str,
+    timeout: int = 300,
+    validate: bool = True,
+) -> DispatchResult:
+    """Dispatch a prompt to a remote hermes instance via SSH.
+
+    Args:
+        host: Hostname (ezra, bezalel, etc.)
+        address: IP address or hostname
+        prompt: The prompt/task to dispatch
+        timeout: SSH timeout in seconds
+        validate: Whether to probe for hermes binary first
+
+    Returns:
+        DispatchResult with success/failure details.
+    """
+    # Pre-flight validation
+    if validate:
+        found, path = probe_hermes(host, address)
+        if not found:
+            return DispatchResult(
+                host=host,
+                address=address,
+                success=False,
+                error="hermes binary not found on remote host",
+                hermes_found=False,
+            )
+    else:
+        found, path = True, "~/.local/bin/hermes"
+
+    # Build the dispatch command
+    # Use hermes chat in quiet mode, pipe prompt via stdin
+    escaped_prompt = prompt.replace("'", "'\\''")
+    remote_cmd = f"echo '{escaped_prompt}' | {path} chat --quiet"
+
+    try:
+        result = subprocess.run(
+            ["ssh", address, *_SSH_OPTS, remote_cmd],
+            capture_output=True,
+            text=True,
+            timeout=timeout,
+        )
+
+        success = result.returncode == 0
+        error = ""
+
+        if not success:
+            error = result.stderr.strip() if result.stderr else f"exit code {result.returncode}"
+
+        return DispatchResult(
+            host=host,
+            address=address,
+            success=success,
+            output=result.stdout.strip()[:500],  # Truncate long output
+            error=error,
+            hermes_found=found,
+            hermes_path=path,
+            exit_code=result.returncode,
+        )
+
+    except subprocess.TimeoutExpired:
+        return DispatchResult(
+            host=host,
+            address=address,
+            success=False,
+            error=f"SSH dispatch timed out after {timeout}s",
+            hermes_found=found,
+            hermes_path=path,
+        )
+    except Exception as e:
+        return DispatchResult(
+            host=host,
+            address=address,
+            success=False,
+            error=f"SSH dispatch failed: {e}",
+            hermes_found=found,
+            hermes_path=path,
+        )
+
+
+def dispatch_to_hosts(
+    hosts: List[str],
+    prompt: str,
+    host_map: Optional[Dict[str, str]] = None,
+    timeout: int = 300,
+) -> List[DispatchResult]:
+    """Dispatch a prompt to multiple hosts.
+
+    Args:
+        hosts: List of hostnames
+        prompt: The prompt/task to dispatch
+        host_map: Optional override of hostname -> address mapping
+        timeout: SSH timeout per host
+
+    Returns:
+        List of DispatchResult, one per host.
+    """
+    addresses = host_map or DEFAULT_HOSTS
+    results = []
+
+    for host in hosts:
+        address = addresses.get(host)
+        if not address:
+            results.append(DispatchResult(
+                host=host,
+                address="unknown",
+                success=False,
+                error=f"Unknown host: {host}",
+            ))
+            continue
+
+        result = dispatch_to_host(host, address, prompt, timeout=timeout)
+        results.append(result)
+        logger.info(result.summary)
+
+    return results
+
+
+def format_dispatch_report(results: List[DispatchResult]) -> str:
+    """Format a multi-host dispatch results as a readable report."""
+    if not results:
+        return "No dispatch results."
+
+    lines = ["SSH Dispatch Report", "=" * 40, ""]
+
+    ok_count = sum(1 for r in results if r.success)
+    fail_count = len(results) - ok_count
+
+    lines.append(f"Total: {len(results)} | OK: {ok_count} | FAIL: {fail_count}")
+    lines.append("")
+
+    for r in results:
+        status = "✓" if r.success else "✗"
+        lines.append(f"  {status} {r.host} ({r.address})")
+        if r.hermes_path:
+            lines.append(f"    hermes: {r.hermes_path}")
+        if r.success and r.output:
+            lines.append(f"    output: {r.output[:100]}...")
+        if not r.success:
+            lines.append(f"    error: {r.error}")
+        lines.append("")
+
+    return "\n".join(lines)

tests/test_cron_cloud_context.py

@@ -1,113 +0,0 @@
-"""Tests for cron cloud-context warning injection (#456/#378)."""
-
-import re
-import sys
-from unittest.mock import MagicMock
-from pathlib import Path
-
-import pytest
-
-# Import the functions directly from the file without going through cron/__init__.py
-import importlib.util
-spec = importlib.util.spec_from_file_location(
-    "cron.scheduler_test",
-    Path(__file__).parent.parent / "cron" / "scheduler.py",
-)
-_sched = importlib.util.module_from_spec(spec)
-
-# Stub out dependencies the scheduler imports
-sys.modules.setdefault("cron", MagicMock())
-sys.modules.setdefault("cron.jobs", MagicMock())
-
-try:
-    spec.loader.exec_module(_sched)
-except Exception:
-    # If the full scheduler can't load, at least test the standalone functions
-    pass
-
-# Extract the functions we need
-_detect_local_service_refs = _sched._detect_local_service_refs
-_inject_cloud_context = _sched._inject_cloud_context
-
-
-# ---------------------------------------------------------------------------
-# Detection
-# ---------------------------------------------------------------------------
-
-class TestDetectLocalRefs:
-    def test_localhost_port(self):
-        refs = _detect_local_service_refs("Check localhost:11434 is up")
-        assert any("localhost:11434" in r for r in refs)
-
-    def test_127_0_0_1(self):
-        refs = _detect_local_service_refs("curl 127.0.0.1:8080/health")
-        assert any("127.0.0.1:8080" in r for r in refs)
-
-    def test_ollama_check(self):
-        refs = _detect_local_service_refs("Check Ollama is responding")
-        assert len(refs) > 0
-
-    def test_curl_localhost(self):
-        refs = _detect_local_service_refs("curl localhost:3000/api")
-        assert any("localhost:3000" in r for r in refs)
-
-    def test_private_10_x(self):
-        refs = _detect_local_service_refs("ping 10.0.0.5:9090")
-        assert any("10.0.0.5:9090" in r for r in refs)
-
-    def test_private_192_168(self):
-        refs = _detect_local_service_refs("connect to 192.168.1.100:5432")
-        assert any("192.168.1.100:5432" in r for r in refs)
-
-    def test_rfc1918(self):
-        refs = _detect_local_service_refs("This is an RFC-1918 address")
-        assert any("RFC-1918" in r for r in refs)
-
-    def test_no_match(self):
-        refs = _detect_local_service_refs("Check forge.alexanderwhitestone.com is up")
-        assert len(refs) == 0
-
-    def test_multiple_matches(self):
-        refs = _detect_local_service_refs("Check localhost:11434 and curl 127.0.0.1:8080")
-        assert len(refs) >= 2
-
-
-# ---------------------------------------------------------------------------
-# Injection
-# ---------------------------------------------------------------------------
-
-class TestInjectCloudContext:
-    def test_skips_local_endpoint(self):
-        prompt = "Check localhost:11434"
-        result = _inject_cloud_context(prompt, "http://localhost:11434/v1", "ollama")
-        assert result == prompt  # no injection for local endpoint
-
-    def test_skips_no_refs(self):
-        prompt = "Check forge.alexanderwhitestone.com"
-        result = _inject_cloud_context(prompt, "https://openrouter.ai/api/v1", "openrouter")
-        assert result == prompt  # no local refs, no injection
-
-    def test_injects_on_cloud_with_refs(self):
-        prompt = "Check Ollama is responding on localhost:11434"
-        result = _inject_cloud_context(prompt, "https://openrouter.ai/api/v1", "openrouter")
-        assert "CLOUD RUNTIME" in result
-        assert "openrouter" in result
-        assert "localhost:11434" in result
-        assert "Do NOT attempt curl" in result
-        assert result.startswith("[SYSTEM NOTE")  # warning prepended
-
-    def test_preserves_original_prompt(self):
-        original = "Check localhost:11434 health endpoint"
-        result = _inject_cloud_context(original, "https://api.openai.com/v1", "openai")
-        assert original in result  # original prompt preserved in the output
-
-    def test_deduplicates_refs(self):
-        prompt = "Check localhost:11434 then curl localhost:11434 again"
-        result = _inject_cloud_context(prompt, "https://openrouter.ai/api/v1", "openrouter")
-        # Should not list the same ref twice
-        assert result.count("localhost:11434") >= 1  # at least once in refs
-
-    def test_includes_provider_name(self):
-        prompt = "Check localhost:11434"
-        result = _inject_cloud_context(prompt, "https://nous.ai/v1", "nous")
-        assert "nous" in result