fix(cron): inject cloud-context warning when prompt refs localhost (#456)

Closes #378

When a cron job prompt references local services (localhost, Ollama,
RFC-1918 addresses) but the runtime endpoint is cloud, the agent
wastes iterations on doomed connection attempts. Now injects a
SYSTEM NOTE warning so the agent reports the limitation instead.

cron/scheduler.py:
  - _LOCAL_SERVICE_PATTERNS: regex patterns for localhost, 127.x,
    Ollama checks, curl localhost, RFC-1918 ranges
  - _detect_local_service_refs(): finds local service references
  - _inject_cloud_context(): prepends warning when cloud + local refs
  - Integrated into run_job() after resolve_turn_route()

The agent sees: 'You are running on a cloud endpoint that CANNOT
reach localhost. Do NOT attempt curl, ping, SSH... Report to user
that this job needs a local inference endpoint.'

15 tests added, all passing.

Closes #456

cron/scheduler.py

@@ -13,6 +13,7 @@ import concurrent.futures
 import json
 import logging
 import os
+import re
 import subprocess
 import sys
 
@@ -41,6 +42,76 @@ from agent.model_metadata import is_local_endpoint
 
 logger = logging.getLogger(__name__)
 
+# =====================================================================
+# Cloud Context Warning
+# =====================================================================
+# When a cron job prompt references local services (localhost, Ollama, etc.)
+# but the runtime endpoint is cloud, inject a warning so the agent knows
+# it cannot reach those services and reports the limitation instead of
+# wasting iterations on doomed connection attempts. (#378)
+
+_LOCAL_SERVICE_PATTERNS = [
+    re.compile(r'localhost:\d+', re.IGNORECASE),
+    re.compile(r'127\.0\.0\.1:\d+', re.IGNORECASE),
+    re.compile(r'\bollama\b.*\b(respond|check|ping|poll|alive|health)\b', re.IGNORECASE),
+    re.compile(r'\b(check|ping|curl|poll)\s+(the\s+)?(local|localhost|ollama)', re.IGNORECASE),
+    re.compile(r'\bcurl\s+(localhost|127\.)', re.IGNORECASE),
+    re.compile(r'RFC-?1918', re.IGNORECASE),
+    re.compile(r'10\.\d+\.\d+\.\d+:\d+'),
+    re.compile(r'192\.168\.\d+\.\d+:\d+'),
+    re.compile(r'172\.(1[6-9]|2\d|3[01])\.\d+\.\d+:\d+'),
+]
+
+_CLOUD_CONTEXT_NOTE = (
+    "[SYSTEM NOTE — CLOUD RUNTIME] You are running on a cloud inference "
+    "endpoint ({provider}) that CANNOT reach localhost or private network "
+    "addresses. The following local service references were detected in your "
+    "prompt but are UNREACHABLE from this runtime:\n"
+    "  {refs}\n"
+    "Do NOT attempt curl, ping, SSH, or any network calls to these services. "
+    "Instead, report to the user that this job needs a local inference "
+    "endpoint to check local services. This is a configuration issue, "
+    "not a task failure.]\n\n"
+)
+
+
+def _detect_local_service_refs(prompt: str) -> list[str]:
+    """Detect references to local services in a prompt.
+
+    Returns list of matched reference strings.
+    """
+    refs = []
+    for pattern in _LOCAL_SERVICE_PATTERNS:
+        matches = pattern.findall(prompt)
+        refs.extend(matches)
+    return refs
+
+
+def _inject_cloud_context(prompt: str, base_url: str, provider: str) -> str:
+    """Inject cloud-context warning if prompt refs localhost but endpoint is cloud.
+
+    Returns the prompt with a warning prepended if local service refs are
+    detected and the endpoint is not local. Otherwise returns prompt unchanged.
+    """
+    if is_local_endpoint(base_url):
+        return prompt  # local endpoint can reach localhost, no warning needed
+
+    refs = _detect_local_service_refs(prompt)
+    if not refs:
+        return prompt  # no local service references, no warning needed
+
+    # Deduplicate and format refs
+    unique_refs = list(dict.fromkeys(refs))  # preserve order, remove dupes
+    refs_str = "\n  ".join(f"- {r}" for r in unique_refs[:10])
+
+    warning = _CLOUD_CONTEXT_NOTE.format(
+        provider=provider or "cloud",
+        refs=refs_str,
+    )
+
+    # Inject after the cron hint but before the user prompt
+    return warning + prompt
+
 
 # =====================================================================
 # Deploy Sync Guard
@@ -810,6 +881,10 @@ def run_job(job: dict) -> tuple[bool, str, str, Optional[str]]:
                 job_name,
                 turn_route["runtime"].get("provider", "unknown"),
             )
+
+            # Inject cloud-context warning if prompt references localhost
+            _cloud_provider = turn_route["runtime"].get("provider", "cloud")
+            prompt = _inject_cloud_context(prompt, _runtime_base_url, _cloud_provider)
         if job.get("requires_local_infra") and _is_cloud:
             logger.warning(
                 "Job '%s': requires_local_infra=true but running on cloud provider — "

tests/test_cron_cloud_context.py

@@ -0,0 +1,113 @@
+"""Tests for cron cloud-context warning injection (#456/#378)."""
+
+import re
+import sys
+from unittest.mock import MagicMock
+from pathlib import Path
+
+import pytest
+
+# Import the functions directly from the file without going through cron/__init__.py
+import importlib.util
+spec = importlib.util.spec_from_file_location(
+    "cron.scheduler_test",
+    Path(__file__).parent.parent / "cron" / "scheduler.py",
+)
+_sched = importlib.util.module_from_spec(spec)
+
+# Stub out dependencies the scheduler imports
+sys.modules.setdefault("cron", MagicMock())
+sys.modules.setdefault("cron.jobs", MagicMock())
+
+try:
+    spec.loader.exec_module(_sched)
+except Exception:
+    # If the full scheduler can't load, at least test the standalone functions
+    pass
+
+# Extract the functions we need
+_detect_local_service_refs = _sched._detect_local_service_refs
+_inject_cloud_context = _sched._inject_cloud_context
+
+
+# ---------------------------------------------------------------------------
+# Detection
+# ---------------------------------------------------------------------------
+
+class TestDetectLocalRefs:
+    def test_localhost_port(self):
+        refs = _detect_local_service_refs("Check localhost:11434 is up")
+        assert any("localhost:11434" in r for r in refs)
+
+    def test_127_0_0_1(self):
+        refs = _detect_local_service_refs("curl 127.0.0.1:8080/health")
+        assert any("127.0.0.1:8080" in r for r in refs)
+
+    def test_ollama_check(self):
+        refs = _detect_local_service_refs("Check Ollama is responding")
+        assert len(refs) > 0
+
+    def test_curl_localhost(self):
+        refs = _detect_local_service_refs("curl localhost:3000/api")
+        assert any("localhost:3000" in r for r in refs)
+
+    def test_private_10_x(self):
+        refs = _detect_local_service_refs("ping 10.0.0.5:9090")
+        assert any("10.0.0.5:9090" in r for r in refs)
+
+    def test_private_192_168(self):
+        refs = _detect_local_service_refs("connect to 192.168.1.100:5432")
+        assert any("192.168.1.100:5432" in r for r in refs)
+
+    def test_rfc1918(self):
+        refs = _detect_local_service_refs("This is an RFC-1918 address")
+        assert any("RFC-1918" in r for r in refs)
+
+    def test_no_match(self):
+        refs = _detect_local_service_refs("Check forge.alexanderwhitestone.com is up")
+        assert len(refs) == 0
+
+    def test_multiple_matches(self):
+        refs = _detect_local_service_refs("Check localhost:11434 and curl 127.0.0.1:8080")
+        assert len(refs) >= 2
+
+
+# ---------------------------------------------------------------------------
+# Injection
+# ---------------------------------------------------------------------------
+
+class TestInjectCloudContext:
+    def test_skips_local_endpoint(self):
+        prompt = "Check localhost:11434"
+        result = _inject_cloud_context(prompt, "http://localhost:11434/v1", "ollama")
+        assert result == prompt  # no injection for local endpoint
+
+    def test_skips_no_refs(self):
+        prompt = "Check forge.alexanderwhitestone.com"
+        result = _inject_cloud_context(prompt, "https://openrouter.ai/api/v1", "openrouter")
+        assert result == prompt  # no local refs, no injection
+
+    def test_injects_on_cloud_with_refs(self):
+        prompt = "Check Ollama is responding on localhost:11434"
+        result = _inject_cloud_context(prompt, "https://openrouter.ai/api/v1", "openrouter")
+        assert "CLOUD RUNTIME" in result
+        assert "openrouter" in result
+        assert "localhost:11434" in result
+        assert "Do NOT attempt curl" in result
+        assert result.startswith("[SYSTEM NOTE")  # warning prepended
+
+    def test_preserves_original_prompt(self):
+        original = "Check localhost:11434 health endpoint"
+        result = _inject_cloud_context(original, "https://api.openai.com/v1", "openai")
+        assert original in result  # original prompt preserved in the output
+
+    def test_deduplicates_refs(self):
+        prompt = "Check localhost:11434 then curl localhost:11434 again"
+        result = _inject_cloud_context(prompt, "https://openrouter.ai/api/v1", "openrouter")
+        # Should not list the same ref twice
+        assert result.count("localhost:11434") >= 1  # at least once in refs
+
+    def test_includes_provider_name(self):
+        prompt = "Check localhost:11434"
+        result = _inject_cloud_context(prompt, "https://nous.ai/v1", "nous")
+        assert "nous" in result