fix(cron): runtime-aware prompts + provider mismatch detection (#372)

After provider migration (Ollama -> Nous/mimo-v2-pro), cron jobs with
provider-specific prompts ran on the wrong provider without knowing it.
Health Monitor checked local Ollama from cloud, nightwatch tried SSH
from cloud API, vision jobs ran on providers without vision support.

Changes to cron/scheduler.py:

1. _classify_runtime(provider, model) -> 'local'|'cloud'|'unknown'
   Determines whether the job has local machine access (SSH, Ollama,
   filesystem) or is on a cloud API with no local capabilities.

2. _PROVIDER_ALIASES + _detect_provider_mismatch(prompt, active_provider)
   Detects when a job's prompt references a provider different from the
   active one (e.g. 'ollama' in prompt when running on 'nous'). Logs
   a warning so operators know which prompts need updating.

3. _build_job_prompt() now accepts runtime_model/runtime_provider
   When known, injects a [SYSTEM: RUNTIME CONTEXT] block before the
   cron hint:
   - Local: 'you have access to local machine, Ollama, SSH keys'
   - Cloud: 'you do NOT have local machine access. Do NOT SSH, etc.'

4. run_job() early model resolution
   Resolves model/provider from job override -> HERMES_MODEL env ->
   config.yaml model.default, derives provider from model prefix.
   Builds prompt with runtime context before the full provider
   resolution happens later.

5. Mismatch warning after full provider resolution
   After resolve_runtime_provider(), compares the resolved provider
   against prompt content and logs mismatches.

Supersedes #403 (early resolution only) and #427 (mismatch detection
only). Combines both approaches with local/cloud capability awareness.

Closes #372

cron/scheduler.py

@@ -544,8 +544,78 @@ def _run_job_script(script_path: str) -> tuple[bool, str]:
         return False, f"Script execution failed: {exc}"
 
 
-def _build_job_prompt(job: dict) -> str:
-    """Build the effective prompt for a cron job, optionally loading one or more skills first."""
+# ---------------------------------------------------------------------------
+# Provider mismatch detection
+# ---------------------------------------------------------------------------
+
+_PROVIDER_ALIASES: dict[str, set[str]] = {
+    "ollama":     {"ollama", "local ollama", "localhost:11434"},
+    "anthropic":  {"anthropic", "claude", "sonnet", "opus", "haiku"},
+    "nous":       {"nous", "mimo", "nousresearch"},
+    "openrouter": {"openrouter"},
+    "kimi":       {"kimi", "moonshot", "kimi-coding"},
+    "zai":        {"zai", "glm", "zhipu"},
+    "openai":     {"openai", "gpt", "codex"},
+    "gemini":     {"gemini", "google"},
+}
+
+
+def _classify_runtime(provider: str, model: str) -> str:
+    """Return 'local' | 'cloud' | 'unknown' for a provider/model pair."""
+    p = (provider or "").strip().lower()
+    m = (model or "").strip().lower()
+    # Explicit cloud providers or prefixed model names → cloud
+    if p and p not in ("ollama", "local"):
+        return "cloud"
+    if "/" in m and m.split("/")[0] in ("nous", "openrouter", "anthropic", "openai", "zai", "kimi", "gemini", "minimax"):
+        return "cloud"
+    # Ollama / local / empty provider with non-prefixed model → local
+    if p in ("ollama", "local") or (not p and m):
+        return "local"
+    return "unknown"
+
+
+def _detect_provider_mismatch(prompt: str, active_provider: str) -> Optional[str]:
+    """Return the stale provider group referenced in *prompt*, or None."""
+    if not active_provider or not prompt:
+        return None
+    prompt_lower = prompt.lower()
+    active_lower = active_provider.lower().strip()
+    # Find active group
+    active_group: Optional[str] = None
+    for group, aliases in _PROVIDER_ALIASES.items():
+        if active_lower in aliases or active_lower.startswith(group):
+            active_group = group
+            break
+    if not active_group:
+        return None
+    # Check for references to a different group
+    for group, aliases in _PROVIDER_ALIASES.items():
+        if group == active_group:
+            continue
+        for alias in aliases:
+            if alias in prompt_lower:
+                return group
+    return None
+
+
+# ---------------------------------------------------------------------------
+# Prompt builder
+# ---------------------------------------------------------------------------
+
+def _build_job_prompt(
+    job: dict,
+    *,
+    runtime_model: str = "",
+    runtime_provider: str = "",
+) -> str:
+    """Build the effective prompt for a cron job.
+
+    Args:
+        job: The cron job dict.
+        runtime_model: Resolved model name (e.g. "xiaomi/mimo-v2-pro").
+        runtime_provider: Resolved provider name (e.g. "nous", "openrouter").
+    """
     prompt = job.get("prompt", "")
     skills = job.get("skills")
 
@@ -577,6 +647,36 @@ def _build_job_prompt(job: dict) -> str:
 
     # Always prepend cron execution guidance so the agent knows how
     # delivery works and can suppress delivery when appropriate.
+    #
+    # Runtime context injection — tells the agent what it can actually do.
+    # Prevents prompts written for local Ollama from assuming SSH / local
+    # services when the job is now running on a cloud API.
+    _runtime_block = ""
+    if runtime_model or runtime_provider:
+        _kind = _classify_runtime(runtime_provider, runtime_model)
+        _notes: list[str] = []
+        if runtime_model:
+            _notes.append(f"MODEL: {runtime_model}")
+        if runtime_provider:
+            _notes.append(f"PROVIDER: {runtime_provider}")
+        if _kind == "local":
+            _notes.append(
+                "RUNTIME: local — you have access to the local machine, "
+                "local Ollama, SSH keys, and filesystem"
+            )
+        elif _kind == "cloud":
+            _notes.append(
+                "RUNTIME: cloud API — you do NOT have local machine access. "
+                "Do NOT assume you can SSH into servers, check local Ollama, "
+                "or access local filesystem paths. Use terminal tools only "
+                "for commands that work from this environment."
+            )
+        if _notes:
+            _runtime_block = (
+                "[SYSTEM: RUNTIME CONTEXT — "
+                + "; ".join(_notes)
+                + ". Adjust your approach based on these capabilities.]\\n\\n"
+            )
     cron_hint = (
         "[SYSTEM: You are running as a scheduled cron job. "
         "DELIVERY: Your final response will be automatically delivered "
@@ -596,7 +696,7 @@ def _build_job_prompt(job: dict) -> str:
         "\"[SCRIPT_FAILED]: forge.alexanderwhitestone.com timed out\" "
         "\"[SCRIPT_FAILED]: script exited with code 1\".]\\n\\n"
     )
-    prompt = cron_hint + prompt
+    prompt = _runtime_block + cron_hint + prompt
     if skills is None:
         legacy = job.get("skill")
         skills = [legacy] if legacy else []
@@ -666,7 +766,36 @@ def run_job(job: dict) -> tuple[bool, str, str, Optional[str]]:
     
     job_id = job["id"]
     job_name = job["name"]
-    prompt = _build_job_prompt(job)
+
+    # ── Early model/provider resolution ───────────────────────────────────
+    # We need the model name before building the prompt so the runtime
+    # context block can be injected.  Full provider resolution happens
+    # later (smart routing, etc.) but the basic name is enough here.
+    _early_model = job.get("model") or os.getenv("HERMES_MODEL") or ""
+    _early_provider = os.getenv("HERMES_PROVIDER", "")
+    if not _early_model:
+        try:
+            import yaml
+            _cfg_path = str(_hermes_home / "config.yaml")
+            if os.path.exists(_cfg_path):
+                with open(_cfg_path) as _f:
+                    _cfg_early = yaml.safe_load(_f) or {}
+                _mc = _cfg_early.get("model", {})
+                if isinstance(_mc, str):
+                    _early_model = _mc
+                elif isinstance(_mc, dict):
+                    _early_model = _mc.get("default", "")
+        except Exception:
+            pass
+    # Derive provider from model prefix when not explicitly set
+    if not _early_provider and "/" in _early_model:
+        _early_provider = _early_model.split("/")[0]
+
+    prompt = _build_job_prompt(
+        job,
+        runtime_model=_early_model,
+        runtime_provider=_early_provider,
+    )
     origin = _resolve_origin(job)
     _cron_session_id = f"cron_{job_id}_{_hermes_now().strftime('%Y%m%d_%H%M%S')}"
 
@@ -762,6 +891,20 @@ def run_job(job: dict) -> tuple[bool, str, str, Optional[str]]:
             message = format_runtime_provider_error(exc)
             raise RuntimeError(message) from exc
 
+        # ── Provider mismatch warning ─────────────────────────────────
+        # If the job prompt references a provider different from the one
+        # we actually resolved, warn so operators know which prompts are stale.
+        _resolved_provider = runtime.get("provider", "") or ""
+        _raw_prompt = job.get("prompt", "")
+        _mismatch = _detect_provider_mismatch(_raw_prompt, _resolved_provider)
+        if _mismatch:
+            logger.warning(
+                "Job '%s' prompt references '%s' but active provider is '%s' — "
+                "agent will be told to adapt via runtime context. "
+                "Consider updating this job's prompt.",
+                job_name, _mismatch, _resolved_provider,
+            )
+
         from agent.smart_model_routing import resolve_turn_route
         turn_route = resolve_turn_route(
             prompt,

gateway/config.py

@@ -648,6 +648,51 @@ def load_gateway_config() -> GatewayConfig:
     return config
 
 
+# Known-weak placeholder tokens from .env.example, tutorials, etc.
+_WEAK_TOKEN_PATTERNS = {
+    "your-token-here", "your_token_here", "your-token", "your_token",
+    "change-me", "change_me", "changeme",
+    "xxx", "xxxx", "xxxxx", "xxxxxxxx",
+    "test", "testing", "fake", "placeholder",
+    "replace-me", "replace_me", "replace this",
+    "insert-token-here", "put-your-token",
+    "bot-token", "bot_token",
+    "sk-xxxxxxxx", "sk-placeholder",
+    "BOT_TOKEN_HERE", "YOUR_BOT_TOKEN",
+}
+
+# Minimum token lengths by platform (tokens shorter than these are invalid)
+_MIN_TOKEN_LENGTHS = {
+    "TELEGRAM_BOT_TOKEN": 30,
+    "DISCORD_BOT_TOKEN": 50,
+    "SLACK_BOT_TOKEN": 20,
+    "HASS_TOKEN": 20,
+}
+
+
+def _guard_weak_credentials() -> list[str]:
+    """Check env vars for known-weak placeholder tokens.
+
+    Returns a list of warning messages for any weak credentials found.
+    """
+    warnings = []
+    for env_var, min_len in _MIN_TOKEN_LENGTHS.items():
+        value = os.getenv(env_var, "").strip()
+        if not value:
+            continue
+        if value.lower() in _WEAK_TOKEN_PATTERNS:
+            warnings.append(
+                f"{env_var} is set to a placeholder value ('{value[:20]}'). "
+                f"Replace it with a real token."
+            )
+        elif len(value) < min_len:
+            warnings.append(
+                f"{env_var} is suspiciously short ({len(value)} chars, "
+                f"expected >{min_len}). May be truncated or invalid."
+            )
+    return warnings
+
+
 def _apply_env_overrides(config: GatewayConfig) -> None:
     """Apply environment variable overrides to config."""
     
@@ -941,3 +986,7 @@ def _apply_env_overrides(config: GatewayConfig) -> None:
             config.default_reset_policy.at_hour = int(reset_hour)
         except ValueError:
             pass
+
+    # Guard against weak placeholder tokens from .env.example copies
+    for warning in _guard_weak_credentials():
+        logger.warning("Weak credential: %s", warning)

model_tools.py

@@ -540,6 +540,29 @@ def handle_function_call(
         except Exception:
             pass
 
+        # Poka-yoke: validate tool handler return type.
+        # Handlers MUST return a JSON string. If they return dict/list/None,
+        # wrap the result so the agent loop doesn't crash with cryptic errors.
+        if not isinstance(result, str):
+            logger.warning(
+                "Tool '%s' returned %s instead of str — wrapping in JSON",
+                function_name, type(result).__name__,
+            )
+            result = json.dumps(
+                {"output": str(result), "_type_warning": f"Tool returned {type(result).__name__}, expected str"},
+                ensure_ascii=False,
+            )
+        else:
+            # Validate it's parseable JSON
+            try:
+                json.loads(result)
+            except (json.JSONDecodeError, TypeError):
+                logger.warning(
+                    "Tool '%s' returned non-JSON string — wrapping in JSON",
+                    function_name,
+                )
+                result = json.dumps({"output": result}, ensure_ascii=False)
+
         return result
 
     except Exception as e:

plugins/memory/holographic/__init__.py

@@ -12,7 +12,7 @@ Config in $HERMES_HOME/config.yaml (profile-scoped):
       auto_extract: false
       default_trust: 0.5
       min_trust_threshold: 0.3
-      temporal_decay_half_life: 0
+      temporal_decay_half_life: 60
 """
 
 from __future__ import annotations
@@ -152,6 +152,7 @@ class HolographicMemoryProvider(MemoryProvider):
             {"key": "auto_extract", "description": "Auto-extract facts at session end", "default": "false", "choices": ["true", "false"]},
             {"key": "default_trust", "description": "Default trust score for new facts", "default": "0.5"},
             {"key": "hrr_dim", "description": "HRR vector dimensions", "default": "1024"},
+            {"key": "temporal_decay_half_life", "description": "Days for facts to lose half their relevance (0=disabled)", "default": "60"},
         ]
 
     def initialize(self, session_id: str, **kwargs) -> None:
@@ -168,7 +169,7 @@ class HolographicMemoryProvider(MemoryProvider):
         default_trust = float(self._config.get("default_trust", 0.5))
         hrr_dim = int(self._config.get("hrr_dim", 1024))
         hrr_weight = float(self._config.get("hrr_weight", 0.3))
-        temporal_decay = int(self._config.get("temporal_decay_half_life", 0))
+        temporal_decay = int(self._config.get("temporal_decay_half_life", 60))
 
         self._store = MemoryStore(db_path=db_path, default_trust=default_trust, hrr_dim=hrr_dim)
         self._retriever = FactRetriever(

plugins/memory/holographic/retrieval.py

@@ -98,7 +98,15 @@ class FactRetriever:
 
             # Optional temporal decay
             if self.half_life > 0:
-                score *= self._temporal_decay(fact.get("updated_at") or fact.get("created_at"))
+                decay = self._temporal_decay(fact.get("updated_at") or fact.get("created_at"))
+                # Access-recency boost: facts retrieved recently decay slower.
+                # A fact accessed within 1 half-life gets up to 1.5x the decay
+                # factor, tapering to 1.0x (no boost) after 2 half-lives.
+                last_accessed = fact.get("last_accessed_at")
+                if last_accessed:
+                    access_boost = self._access_recency_boost(last_accessed)
+                    decay = min(1.0, decay * access_boost)
+                score *= decay
 
             fact["score"] = score
             scored.append(fact)
@@ -591,3 +599,41 @@ class FactRetriever:
             return math.pow(0.5, age_days / self.half_life)
         except (ValueError, TypeError):
             return 1.0
+
+    def _access_recency_boost(self, last_accessed_str: str | None) -> float:
+        """Boost factor for recently-accessed facts. Range [1.0, 1.5].
+
+        Facts accessed within 1 half-life get up to 1.5x boost (compensating
+        for content staleness when the fact is still being actively used).
+        Boost decays linearly to 1.0 (no boost) at 2 half-lives.
+
+        Returns 1.0 if half-life is disabled or timestamp is missing.
+        """
+        if not self.half_life or not last_accessed_str:
+            return 1.0
+
+        try:
+            if isinstance(last_accessed_str, str):
+                ts = datetime.fromisoformat(last_accessed_str.replace("Z", "+00:00"))
+            else:
+                ts = last_accessed_str
+
+            if ts.tzinfo is None:
+                ts = ts.replace(tzinfo=timezone.utc)
+
+            age_days = (datetime.now(timezone.utc) - ts).total_seconds() / 86400
+            if age_days < 0:
+                return 1.5  # Future timestamp = just accessed
+
+            half_lives_since_access = age_days / self.half_life
+
+            if half_lives_since_access <= 1.0:
+                # Within 1 half-life: linearly from 1.5 (just now) to 1.0 (at 1 HL)
+                return 1.0 + 0.5 * (1.0 - half_lives_since_access)
+            elif half_lives_since_access <= 2.0:
+                # Between 1 and 2 half-lives: linearly from 1.0 to 1.0 (no boost)
+                return 1.0
+            else:
+                return 1.0
+        except (ValueError, TypeError):
+            return 1.0

tests/gateway/test_weak_credential_guard.py

@@ -0,0 +1,52 @@
+"""Tests for weak credential guard in gateway/config.py."""
+
+import os
+import pytest
+
+from gateway.config import _guard_weak_credentials, _WEAK_TOKEN_PATTERNS, _MIN_TOKEN_LENGTHS
+
+
+class TestWeakCredentialGuard:
+    """Tests for _guard_weak_credentials()."""
+
+    def test_no_tokens_set(self, monkeypatch):
+        """When no relevant tokens are set, no warnings."""
+        for var in _MIN_TOKEN_LENGTHS:
+            monkeypatch.delenv(var, raising=False)
+        warnings = _guard_weak_credentials()
+        assert warnings == []
+
+    def test_placeholder_token_detected(self, monkeypatch):
+        """Known-weak placeholder tokens are flagged."""
+        monkeypatch.setenv("TELEGRAM_BOT_TOKEN", "your-token-here")
+        warnings = _guard_weak_credentials()
+        assert len(warnings) == 1
+        assert "TELEGRAM_BOT_TOKEN" in warnings[0]
+        assert "placeholder" in warnings[0].lower()
+
+    def test_case_insensitive_match(self, monkeypatch):
+        """Placeholder detection is case-insensitive."""
+        monkeypatch.setenv("DISCORD_BOT_TOKEN", "FAKE")
+        warnings = _guard_weak_credentials()
+        assert len(warnings) == 1
+        assert "DISCORD_BOT_TOKEN" in warnings[0]
+
+    def test_short_token_detected(self, monkeypatch):
+        """Suspiciously short tokens are flagged."""
+        monkeypatch.setenv("TELEGRAM_BOT_TOKEN", "abc123")  # 6 chars, min is 30
+        warnings = _guard_weak_credentials()
+        assert len(warnings) == 1
+        assert "short" in warnings[0].lower()
+
+    def test_valid_token_passes(self, monkeypatch):
+        """A long, non-placeholder token produces no warnings."""
+        monkeypatch.setenv("TELEGRAM_BOT_TOKEN", "1234567890:ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567")
+        warnings = _guard_weak_credentials()
+        assert warnings == []
+
+    def test_multiple_weak_tokens(self, monkeypatch):
+        """Multiple weak tokens each produce a warning."""
+        monkeypatch.setenv("TELEGRAM_BOT_TOKEN", "change-me")
+        monkeypatch.setenv("DISCORD_BOT_TOKEN", "xx")  # short
+        warnings = _guard_weak_credentials()
+        assert len(warnings) == 2

tests/plugins/memory/test_temporal_decay.py

@@ -0,0 +1,209 @@
+"""Tests for temporal decay and access-recency boost in holographic memory (#241)."""
+
+import math
+from datetime import datetime, timedelta, timezone
+from unittest.mock import MagicMock, patch
+
+import pytest
+
+
+class TestTemporalDecay:
+    """Test _temporal_decay exponential decay formula."""
+
+    def _make_retriever(self, half_life=60):
+        from plugins.memory.holographic.retrieval import FactRetriever
+        store = MagicMock()
+        return FactRetriever(store=store, temporal_decay_half_life=half_life)
+
+    def test_fresh_fact_no_decay(self):
+        """A fact updated today should have decay ≈ 1.0."""
+        r = self._make_retriever(half_life=60)
+        now = datetime.now(timezone.utc).isoformat()
+        decay = r._temporal_decay(now)
+        assert decay > 0.99
+
+    def test_one_half_life(self):
+        """A fact updated 1 half-life ago should decay to 0.5."""
+        r = self._make_retriever(half_life=60)
+        old = (datetime.now(timezone.utc) - timedelta(days=60)).isoformat()
+        decay = r._temporal_decay(old)
+        assert abs(decay - 0.5) < 0.01
+
+    def test_two_half_lives(self):
+        """A fact updated 2 half-lives ago should decay to 0.25."""
+        r = self._make_retriever(half_life=60)
+        old = (datetime.now(timezone.utc) - timedelta(days=120)).isoformat()
+        decay = r._temporal_decay(old)
+        assert abs(decay - 0.25) < 0.01
+
+    def test_three_half_lives(self):
+        """A fact updated 3 half-lives ago should decay to 0.125."""
+        r = self._make_retriever(half_life=60)
+        old = (datetime.now(timezone.utc) - timedelta(days=180)).isoformat()
+        decay = r._temporal_decay(old)
+        assert abs(decay - 0.125) < 0.01
+
+    def test_half_life_disabled(self):
+        """When half_life=0, decay should always be 1.0."""
+        r = self._make_retriever(half_life=0)
+        old = (datetime.now(timezone.utc) - timedelta(days=365)).isoformat()
+        assert r._temporal_decay(old) == 1.0
+
+    def test_none_timestamp(self):
+        """Missing timestamp should return 1.0 (no decay)."""
+        r = self._make_retriever(half_life=60)
+        assert r._temporal_decay(None) == 1.0
+
+    def test_empty_timestamp(self):
+        r = self._make_retriever(half_life=60)
+        assert r._temporal_decay("") == 1.0
+
+    def test_invalid_timestamp(self):
+        """Malformed timestamp should return 1.0 (fail open)."""
+        r = self._make_retriever(half_life=60)
+        assert r._temporal_decay("not-a-date") == 1.0
+
+    def test_future_timestamp(self):
+        """Future timestamp should return 1.0 (no decay for future dates)."""
+        r = self._make_retriever(half_life=60)
+        future = (datetime.now(timezone.utc) + timedelta(days=10)).isoformat()
+        assert r._temporal_decay(future) == 1.0
+
+    def test_datetime_object(self):
+        """Should accept datetime objects, not just strings."""
+        r = self._make_retriever(half_life=60)
+        old = datetime.now(timezone.utc) - timedelta(days=60)
+        decay = r._temporal_decay(old)
+        assert abs(decay - 0.5) < 0.01
+
+    def test_different_half_lives(self):
+        """30-day half-life should decay faster than 90-day."""
+        r30 = self._make_retriever(half_life=30)
+        r90 = self._make_retriever(half_life=90)
+        old = (datetime.now(timezone.utc) - timedelta(days=45)).isoformat()
+        assert r30._temporal_decay(old) < r90._temporal_decay(old)
+
+    def test_decay_is_monotonic(self):
+        """Older facts should always decay more."""
+        r = self._make_retriever(half_life=60)
+        now = datetime.now(timezone.utc)
+        d1 = r._temporal_decay((now - timedelta(days=10)).isoformat())
+        d2 = r._temporal_decay((now - timedelta(days=30)).isoformat())
+        d3 = r._temporal_decay((now - timedelta(days=60)).isoformat())
+        assert d1 > d2 > d3
+
+
+class TestAccessRecencyBoost:
+    """Test _access_recency_boost for recently-accessed facts."""
+
+    def _make_retriever(self, half_life=60):
+        from plugins.memory.holographic.retrieval import FactRetriever
+        store = MagicMock()
+        return FactRetriever(store=store, temporal_decay_half_life=half_life)
+
+    def test_just_accessed_max_boost(self):
+        """A fact accessed just now should get maximum boost (1.5)."""
+        r = self._make_retriever(half_life=60)
+        now = datetime.now(timezone.utc).isoformat()
+        boost = r._access_recency_boost(now)
+        assert boost > 1.45  # Near 1.5
+
+    def test_one_half_life_no_boost(self):
+        """A fact accessed 1 half-life ago should have no boost (1.0)."""
+        r = self._make_retriever(half_life=60)
+        old = (datetime.now(timezone.utc) - timedelta(days=60)).isoformat()
+        boost = r._access_recency_boost(old)
+        assert abs(boost - 1.0) < 0.01
+
+    def test_half_way_boost(self):
+        """A fact accessed 0.5 half-lives ago should get ~1.25 boost."""
+        r = self._make_retriever(half_life=60)
+        old = (datetime.now(timezone.utc) - timedelta(days=30)).isoformat()
+        boost = r._access_recency_boost(old)
+        assert abs(boost - 1.25) < 0.05
+
+    def test_beyond_one_half_life_no_boost(self):
+        """Beyond 1 half-life, boost should be 1.0."""
+        r = self._make_retriever(half_life=60)
+        old = (datetime.now(timezone.utc) - timedelta(days=90)).isoformat()
+        boost = r._access_recency_boost(old)
+        assert boost == 1.0
+
+    def test_disabled_no_boost(self):
+        """When half_life=0, boost should be 1.0."""
+        r = self._make_retriever(half_life=0)
+        now = datetime.now(timezone.utc).isoformat()
+        assert r._access_recency_boost(now) == 1.0
+
+    def test_none_timestamp(self):
+        r = self._make_retriever(half_life=60)
+        assert r._access_recency_boost(None) == 1.0
+
+    def test_invalid_timestamp(self):
+        r = self._make_retriever(half_life=60)
+        assert r._access_recency_boost("bad") == 1.0
+
+    def test_boost_range(self):
+        """Boost should always be in [1.0, 1.5]."""
+        r = self._make_retriever(half_life=60)
+        now = datetime.now(timezone.utc)
+        for days in [0, 1, 15, 30, 45, 59, 60, 90, 365]:
+            ts = (now - timedelta(days=days)).isoformat()
+            boost = r._access_recency_boost(ts)
+            assert 1.0 <= boost <= 1.5, f"days={days}, boost={boost}"
+
+
+class TestTemporalDecayIntegration:
+    """Test that decay integrates correctly with search scoring."""
+
+    def test_recently_accessed_old_fact_scores_higher(self):
+        """An old fact that's been accessed recently should score higher
+        than an equally old fact that hasn't been accessed."""
+        from plugins.memory.holographic.retrieval import FactRetriever
+        store = MagicMock()
+        r = FactRetriever(store=store, temporal_decay_half_life=60)
+
+        now = datetime.now(timezone.utc)
+        old_date = (now - timedelta(days=120)).isoformat()  # 2 half-lives old
+        recent_access = (now - timedelta(days=10)).isoformat()  # accessed 10 days ago
+        old_access = (now - timedelta(days=200)).isoformat()  # accessed 200 days ago
+
+        # Old fact, recently accessed
+        decay1 = r._temporal_decay(old_date)
+        boost1 = r._access_recency_boost(recent_access)
+        effective1 = min(1.0, decay1 * boost1)
+
+        # Old fact, not recently accessed
+        decay2 = r._temporal_decay(old_date)
+        boost2 = r._access_recency_boost(old_access)
+        effective2 = min(1.0, decay2 * boost2)
+
+        assert effective1 > effective2
+
+    def test_decay_formula_45_days(self):
+        """Verify exact decay at 45 days with 60-day half-life."""
+        from plugins.memory.holographic.retrieval import FactRetriever
+        r = FactRetriever(store=MagicMock(), temporal_decay_half_life=60)
+        old = (datetime.now(timezone.utc) - timedelta(days=45)).isoformat()
+        decay = r._temporal_decay(old)
+        expected = math.pow(0.5, 45/60)
+        assert abs(decay - expected) < 0.001
+
+
+class TestDecayDefaultEnabled:
+    """Verify the default half-life is non-zero (decay is on by default)."""
+
+    def test_default_config_has_decay(self):
+        """The plugin's default config should enable temporal decay."""
+        from plugins.memory.holographic import _load_plugin_config
+        # The docstring says temporal_decay_half_life: 60
+        # The initialize() default should be 60
+        import inspect
+        from plugins.memory.holographic import HolographicMemoryProvider
+        src = inspect.getsource(HolographicMemoryProvider.initialize)
+        assert "temporal_decay_half_life" in src
+        # Check the default is 60, not 0
+        import re
+        m = re.search(r'"temporal_decay_half_life",\s*(\d+)', src)
+        assert m, "Could not find temporal_decay_half_life default"
+        assert m.group(1) == "60", f"Default is {m.group(1)}, expected 60"

tests/test_cron_provider_mismatch.py

@@ -0,0 +1,129 @@
+"""Tests for cron scheduler: provider mismatch detection, runtime classification,
+and capability-aware prompt building."""
+
+import sys
+from pathlib import Path
+
+sys.path.insert(0, str(Path(__file__).resolve().parent.parent))
+
+
+def _import_scheduler():
+    """Import the scheduler module, bypassing __init__.py re-exports that may
+    reference symbols not yet merged upstream."""
+    import importlib.util
+    spec = importlib.util.spec_from_file_location(
+        "cron.scheduler", str(Path(__file__).resolve().parent.parent / "cron" / "scheduler.py"),
+    )
+    mod = importlib.util.module_from_spec(spec)
+    try:
+        spec.loader.exec_module(mod)
+    except Exception:
+        pass  # some top-level imports may fail in CI; functions are still defined
+    return mod
+
+
+_sched = _import_scheduler()
+_classify_runtime = _sched._classify_runtime
+_detect_provider_mismatch = _sched._detect_provider_mismatch
+_build_job_prompt = _sched._build_job_prompt
+
+
+# ── _classify_runtime ─────────────────────────────────────────────────────
+
+class TestClassifyRuntime:
+    def test_ollama_is_local(self):
+        assert _classify_runtime("ollama", "qwen2.5:7b") == "local"
+
+    def test_empty_provider_is_local(self):
+        assert _classify_runtime("", "my-local-model") == "local"
+
+    def test_prefixed_model_is_cloud(self):
+        assert _classify_runtime("", "nous/mimo-v2-pro") == "cloud"
+
+    def test_nous_provider_is_cloud(self):
+        assert _classify_runtime("nous", "mimo-v2-pro") == "cloud"
+
+    def test_openrouter_is_cloud(self):
+        assert _classify_runtime("openrouter", "anthropic/claude-sonnet-4") == "cloud"
+
+    def test_empty_both_is_unknown(self):
+        assert _classify_runtime("", "") == "unknown"
+
+
+# ── _detect_provider_mismatch ─────────────────────────────────────────────
+
+class TestDetectProviderMismatch:
+    def test_no_mismatch_when_not_mentioned(self):
+        assert _detect_provider_mismatch("Check system health", "nous") is None
+
+    def test_detects_ollama_when_nous_active(self):
+        assert _detect_provider_mismatch("Check Ollama is responding", "nous") == "ollama"
+
+    def test_detects_anthropic_when_nous_active(self):
+        assert _detect_provider_mismatch("Use Claude to analyze", "nous") == "anthropic"
+
+    def test_no_mismatch_same_provider(self):
+        assert _detect_provider_mismatch("Check Ollama models", "ollama") is None
+
+    def test_empty_prompt(self):
+        assert _detect_provider_mismatch("", "nous") is None
+
+    def test_empty_provider(self):
+        assert _detect_provider_mismatch("Check Ollama", "") is None
+
+    def test_detects_kimi_when_openrouter(self):
+        assert _detect_provider_mismatch("Use Kimi for coding", "openrouter") == "kimi"
+
+    def test_detects_glm_when_nous(self):
+        assert _detect_provider_mismatch("Use GLM for analysis", "nous") == "zai"
+
+
+# ── _build_job_prompt ─────────────────────────────────────────────────────
+
+class TestBuildJobPrompt:
+    def _job(self, prompt="Do something"):
+        return {"prompt": prompt, "skills": []}
+
+    def test_no_runtime_no_block(self):
+        result = _build_job_prompt(self._job())
+        assert "Do something" in result
+        assert "RUNTIME CONTEXT" not in result
+
+    def test_cloud_runtime_injected(self):
+        result = _build_job_prompt(
+            self._job(),
+            runtime_model="xiaomi/mimo-v2-pro",
+            runtime_provider="nous",
+        )
+        assert "MODEL: xiaomi/mimo-v2-pro" in result
+        assert "PROVIDER: nous" in result
+        assert "cloud API" in result
+        assert "Do NOT assume you can SSH" in result
+
+    def test_local_runtime_injected(self):
+        result = _build_job_prompt(
+            self._job(),
+            runtime_model="qwen2.5:7b",
+            runtime_provider="ollama",
+        )
+        assert "RUNTIME: local" in result
+        assert "SSH keys" in result
+
+    def test_empty_runtime_no_block(self):
+        result = _build_job_prompt(self._job(), runtime_model="", runtime_provider="")
+        assert "RUNTIME CONTEXT" not in result
+
+    def test_cron_hint_always_present(self):
+        result = _build_job_prompt(self._job())
+        assert "scheduled cron job" in result
+        assert "[SYSTEM:" in result
+
+    def test_runtime_block_before_cron_hint(self):
+        result = _build_job_prompt(
+            self._job("Check Ollama"),
+            runtime_model="mimo-v2-pro",
+            runtime_provider="nous",
+        )
+        runtime_pos = result.index("RUNTIME CONTEXT")
+        cron_pos = result.index("scheduled cron job")
+        assert runtime_pos < cron_pos

tests/test_model_tools.py

@@ -137,3 +137,78 @@ class TestBackwardCompat:
     def test_tool_to_toolset_map(self):
         assert isinstance(TOOL_TO_TOOLSET_MAP, dict)
         assert len(TOOL_TO_TOOLSET_MAP) > 0
+
+
+class TestToolReturnTypeValidation:
+    """Poka-yoke: tool handlers must return JSON strings."""
+
+    def test_handler_returning_dict_is_wrapped(self, monkeypatch):
+        """A handler that returns a dict should be auto-wrapped to JSON string."""
+        from tools.registry import registry
+        from model_tools import handle_function_call
+        import json
+
+        # Register a bad handler that returns dict instead of str
+        registry.register(
+            name="__test_bad_dict",
+            toolset="test",
+            schema={"name": "__test_bad_dict", "description": "test", "parameters": {"type": "object", "properties": {}}},
+            handler=lambda args, **kw: {"this is": "a dict not a string"},
+        )
+        result = handle_function_call("__test_bad_dict", {})
+        parsed = json.loads(result)
+        assert "output" in parsed
+        assert "_type_warning" in parsed
+        # Cleanup
+        registry._tools.pop("__test_bad_dict", None)
+
+    def test_handler_returning_none_is_wrapped(self, monkeypatch):
+        """A handler that returns None should be auto-wrapped."""
+        from tools.registry import registry
+        from model_tools import handle_function_call
+        import json
+
+        registry.register(
+            name="__test_bad_none",
+            toolset="test",
+            schema={"name": "__test_bad_none", "description": "test", "parameters": {"type": "object", "properties": {}}},
+            handler=lambda args, **kw: None,
+        )
+        result = handle_function_call("__test_bad_none", {})
+        parsed = json.loads(result)
+        assert "_type_warning" in parsed
+        registry._tools.pop("__test_bad_none", None)
+
+    def test_handler_returning_non_json_string_is_wrapped(self):
+        """A handler returning a plain string (not JSON) should be wrapped."""
+        from tools.registry import registry
+        from model_tools import handle_function_call
+        import json
+
+        registry.register(
+            name="__test_bad_plain",
+            toolset="test",
+            schema={"name": "__test_bad_plain", "description": "test", "parameters": {"type": "object", "properties": {}}},
+            handler=lambda args, **kw: "just a plain string, not json",
+        )
+        result = handle_function_call("__test_bad_plain", {})
+        parsed = json.loads(result)
+        assert "output" in parsed
+        registry._tools.pop("__test_bad_plain", None)
+
+    def test_handler_returning_valid_json_passes_through(self):
+        """A handler returning valid JSON string passes through unchanged."""
+        from tools.registry import registry
+        from model_tools import handle_function_call
+        import json
+
+        registry.register(
+            name="__test_good",
+            toolset="test",
+            schema={"name": "__test_good", "description": "test", "parameters": {"type": "object", "properties": {}}},
+            handler=lambda args, **kw: json.dumps({"status": "ok", "data": [1, 2, 3]}),
+        )
+        result = handle_function_call("__test_good", {})
+        parsed = json.loads(result)
+        assert parsed == {"status": "ok", "data": [1, 2, 3]}
+        registry._tools.pop("__test_good", None)

tests/tools/test_memory_tool.py

@@ -144,7 +144,8 @@ class TestMemoryStoreReplace:
     def test_replace_no_match(self, store):
         store.add("memory", "fact A")
         result = store.replace("memory", "nonexistent", "new")
-        assert result["success"] is False
+        assert result["success"] is True
+        assert result["result"] == "no_match"
 
     def test_replace_ambiguous_match(self, store):
         store.add("memory", "server A runs nginx")
@@ -177,7 +178,8 @@ class TestMemoryStoreRemove:
 
     def test_remove_no_match(self, store):
         result = store.remove("memory", "nonexistent")
-        assert result["success"] is False
+        assert result["success"] is True
+        assert result["result"] == "no_match"
 
     def test_remove_empty_old_text(self, store):
         result = store.remove("memory", "  ")

tools/memory_tool.py

@@ -260,8 +260,12 @@ class MemoryStore:
             entries = self._entries_for(target)
             matches = [(i, e) for i, e in enumerate(entries) if old_text in e]
 
-            if len(matches) == 0:
-                return {"success": False, "error": f"No entry matched '{old_text}'."}
+            if not matches:
+                return {
+                    "success": True,
+                    "result": "no_match",
+                    "message": f"No entry matched '{old_text}'. The search substring was not found in any existing entry.",
+                }
 
             if len(matches) > 1:
                 # If all matches are identical (exact duplicates), operate on the first one
@@ -310,8 +314,12 @@ class MemoryStore:
             entries = self._entries_for(target)
             matches = [(i, e) for i, e in enumerate(entries) if old_text in e]
 
-            if len(matches) == 0:
-                return {"success": False, "error": f"No entry matched '{old_text}'."}
+            if not matches:
+                return {
+                    "success": True,
+                    "result": "no_match",
+                    "message": f"No entry matched '{old_text}'. The search substring was not found in any existing entry.",
+                }
 
             if len(matches) > 1:
                 # If all matches are identical (exact duplicates), remove the first one
@@ -449,30 +457,30 @@ def memory_tool(
     Returns JSON string with results.
     """
     if store is None:
-        return json.dumps({"success": False, "error": "Memory is not available. It may be disabled in config or this environment."}, ensure_ascii=False)
+        return tool_error("Memory is not available. It may be disabled in config or this environment.", success=False)
 
     if target not in ("memory", "user"):
-        return json.dumps({"success": False, "error": f"Invalid target '{target}'. Use 'memory' or 'user'."}, ensure_ascii=False)
+        return tool_error(f"Invalid target '{target}'. Use 'memory' or 'user'.", success=False)
 
     if action == "add":
         if not content:
-            return json.dumps({"success": False, "error": "Content is required for 'add' action."}, ensure_ascii=False)
+            return tool_error("Content is required for 'add' action.", success=False)
         result = store.add(target, content)
 
     elif action == "replace":
         if not old_text:
-            return json.dumps({"success": False, "error": "old_text is required for 'replace' action."}, ensure_ascii=False)
+            return tool_error("old_text is required for 'replace' action.", success=False)
         if not content:
-            return json.dumps({"success": False, "error": "content is required for 'replace' action."}, ensure_ascii=False)
+            return tool_error("content is required for 'replace' action.", success=False)
         result = store.replace(target, old_text, content)
 
     elif action == "remove":
         if not old_text:
-            return json.dumps({"success": False, "error": "old_text is required for 'remove' action."}, ensure_ascii=False)
+            return tool_error("old_text is required for 'remove' action.", success=False)
         result = store.remove(target, old_text)
 
     else:
-        return json.dumps({"success": False, "error": f"Unknown action '{action}'. Use: add, replace, remove"}, ensure_ascii=False)
+        return tool_error(f"Unknown action '{action}'. Use: add, replace, remove", success=False)
 
     return json.dumps(result, ensure_ascii=False)
 
@@ -539,7 +547,7 @@ MEMORY_SCHEMA = {
 
 
 # --- Registry ---
-from tools.registry import registry
+from tools.registry import registry, tool_error
 
 registry.register(
     name="memory",