fix(cron): inject cloud-context warning when prompt refs localhost (#468)

When a cron job runs on a cloud endpoint but its prompt references
local services (Ollama, localhost, etc.), inject a [SYSTEM NOTE]
warning so the agent reports the limitation instead of wasting
iterations on doomed connections.

Fixes #378, Closes #456.

## Changes
- cron/scheduler.py: Added import re, _LOCAL_SERVICE_PATTERNS (12 patterns),
  _detect_local_service_refs(), _inject_cloud_context(). Injection in run_job()
  after cloud endpoint detection.
- tests/cron/test_cron_cloud_context.py: 19 tests

## Detection patterns
localhost:PORT, 127.x.x.x:PORT, 0.0.0.0:PORT, ollama, curl localhost,
wget localhost, http://localhost, https://127.x, check ollama,
connect local, hermes gateway local

Closes #468.

cron/scheduler.py

@@ -13,6 +13,7 @@ import concurrent.futures
 import json
 import logging
 import os
+import re
 import subprocess
 import sys
 
@@ -156,6 +157,27 @@ _KNOWN_DELIVERY_PLATFORMS = frozenset({
 
 from cron.jobs import get_due_jobs, mark_job_run, save_job_output, advance_next_run
 
+# ---------------------------------------------------------------------------
+# Model context guard
+# ---------------------------------------------------------------------------
+
+CRON_MIN_CONTEXT_TOKENS = 4096
+
+
+class ModelContextError(ValueError):
+    """Raised when a job's model has insufficient context for cron execution."""
+    pass
+
+
+def _check_model_context_compat(model: str, context_length: int) -> None:
+    """Raise ModelContextError if the model context is below the cron minimum."""
+    if context_length < CRON_MIN_CONTEXT_TOKENS:
+        raise ModelContextError(
+            f"Model '{model}' context ({context_length} tokens) is below the "
+            f"minimum {CRON_MIN_CONTEXT_TOKENS} tokens required for cron jobs."
+        )
+
+
 # Sentinel: when a cron agent has nothing new to report, it can start its
 # response with this marker to suppress delivery.  Output is still saved
 # locally for audit.
@@ -544,6 +566,55 @@ def _run_job_script(script_path: str) -> tuple[bool, str]:
         return False, f"Script execution failed: {exc}"
 
 
+# ---------------------------------------------------------------------------
+# Cloud context warning — detect local service refs in cloud cron prompts
+# ---------------------------------------------------------------------------
+
+_LOCAL_SERVICE_PATTERNS = [
+    r'localhost:\d{2,5}',
+    r'127\.0\.0\.\d{1,3}:\d{2,5}',
+    r'0\.0\.0\.0:\d{2,5}',
+    r'\bollama\b',
+    r'curl\s+.*localhost',
+    r'wget\s+.*localhost',
+    r'http://localhost',
+    r'https?://127\.',
+    r'https?://0\.0\.0\.0',
+    r'check.*ollama',
+    r'connect.*local',
+    r'hermes.*gateway.*local',
+]
+
+_LOCAL_SERVICE_RE = [re.compile(p, re.IGNORECASE) for p in _LOCAL_SERVICE_PATTERNS]
+
+
+def _detect_local_service_refs(prompt: str) -> list[str]:
+    """Scan a prompt for references to local services (Ollama, localhost, etc.).
+
+    Returns list of matched patterns for logging.
+    """
+    matches = []
+    for pattern_re in _LOCAL_SERVICE_RE:
+        if pattern_re.search(prompt):
+            matches.append(pattern_re.pattern)
+    return matches
+
+
+def _inject_cloud_context(prompt: str, local_refs: list[str]) -> str:
+    """Prepend a warning when cron runs on cloud but prompt refs local services.
+
+    The agent reports the limitation instead of wasting iterations on doomed connections.
+    """
+    warning = (
+        "[SYSTEM NOTE: You are running on a cloud endpoint, but your prompt references "
+        "local services (localhost/Ollama). You cannot reach localhost from a cloud "
+        "endpoint. Report this limitation to the user and suggest running the job on "
+        "a local endpoint instead. Do NOT attempt to connect to localhost — it will "
+        "timeout and waste your iteration budget.]\n\n"
+    )
+    return warning + prompt
+
+
 def _build_job_prompt(job: dict) -> str:
     """Build the effective prompt for a cron job, optionally loading one or more skills first."""
     prompt = job.get("prompt", "")
@@ -762,6 +833,16 @@ def run_job(job: dict) -> tuple[bool, str, str, Optional[str]]:
             message = format_runtime_provider_error(exc)
             raise RuntimeError(message) from exc
 
+        # Cloud context warning: if running on cloud but prompt refs local services,
+        # inject a warning so the agent reports the limitation instead of wasting
+        # iterations on doomed connections. (Fixes #378, #456)
+        base_url = runtime.get("base_url") or ""
+        is_cloud = not any(h in base_url for h in ("localhost", "127.0.0.1", "0.0.0.0", "::1"))
+        local_refs = _detect_local_service_refs(prompt)
+        if is_cloud and local_refs:
+            logger.info("Job '%s': cloud endpoint + local service refs detected, injecting warning", job_name)
+            prompt = _inject_cloud_context(prompt, local_refs)
+
         from agent.smart_model_routing import resolve_turn_route
         turn_route = resolve_turn_route(
             prompt,

tests/cron/test_cron_cloud_context.py

@@ -0,0 +1,120 @@
+"""Tests for cron cloud context warning injection (fix #378, #456).
+
+When a cron job runs on a cloud endpoint but its prompt references local
+services (Ollama, localhost, etc.), inject a warning so the agent reports
+the limitation instead of wasting iterations on doomed connections.
+"""
+
+import pytest
+
+from cron.scheduler import (
+    _detect_local_service_refs,
+    _inject_cloud_context,
+    _LOCAL_SERVICE_PATTERNS,
+)
+
+
+# ---------------------------------------------------------------------------
+# Pattern detection
+# ---------------------------------------------------------------------------
+
+class TestDetectLocalServiceRefs:
+    def test_localhost_with_port(self):
+        refs = _detect_local_service_refs("Check http://localhost:8080/status")
+        assert len(refs) > 0
+        assert any("localhost" in r for r in refs)
+
+    def test_127_address(self):
+        refs = _detect_local_service_refs("Connect to 127.0.0.1:11434")
+        assert len(refs) > 0
+
+    def test_ollama_reference(self):
+        refs = _detect_local_service_refs("Run this on Ollama with gemma3")
+        assert len(refs) > 0
+        assert any("ollama" in r.lower() for r in refs)
+
+    def test_curl_localhost(self):
+        refs = _detect_local_service_refs("curl localhost:3000/api/data")
+        assert len(refs) > 0
+
+    def test_wget_localhost(self):
+        refs = _detect_local_service_refs("wget http://localhost/file.txt")
+        assert len(refs) > 0
+
+    def test_http_localhost(self):
+        refs = _detect_local_service_refs("http://localhost:8642/health")
+        assert len(refs) > 0
+
+    def test_https_127(self):
+        refs = _detect_local_service_refs("https://127.0.0.1:443/secure")
+        assert len(refs) > 0
+
+    def test_0000_address(self):
+        refs = _detect_local_service_refs("Bind to 0.0.0.0:9090")
+        assert len(refs) > 0
+
+    def test_no_match_for_remote(self):
+        refs = _detect_local_service_refs("Check https://api.openai.com/v1/models")
+        assert len(refs) == 0
+
+    def test_no_match_for_gitea(self):
+        refs = _detect_local_service_refs("Query forge.alexanderwhitestone.com for issues")
+        assert len(refs) == 0
+
+    def test_no_match_empty(self):
+        refs = _detect_local_service_refs("")
+        assert len(refs) == 0
+
+    def test_check_ollama_phrase(self):
+        refs = _detect_local_service_refs("First check Ollama is running")
+        assert len(refs) > 0
+
+    def test_connect_local_phrase(self):
+        refs = _detect_local_service_refs("Connect to local Ollama server")
+        assert len(refs) > 0
+
+
+# ---------------------------------------------------------------------------
+# Warning injection
+# ---------------------------------------------------------------------------
+
+class TestInjectCloudContext:
+    def test_prepends_warning(self):
+        original = "Run a health check on localhost:8080"
+        refs = _detect_local_service_refs(original)
+        result = _inject_cloud_context(original, refs)
+        assert "SYSTEM NOTE" in result
+        assert "cloud endpoint" in result
+        assert original in result
+
+    def test_warning_is_first(self):
+        original = "Check localhost:11434"
+        refs = _detect_local_service_refs(original)
+        result = _inject_cloud_context(original, refs)
+        assert result.startswith("[SYSTEM NOTE")
+
+    def test_preserves_original_prompt(self):
+        original = "Do something with Ollama and then report results"
+        refs = _detect_local_service_refs(original)
+        result = _inject_cloud_context(original, refs)
+        assert "Do something with Ollama" in result
+
+    def test_mentions_cannot_reach(self):
+        original = "curl localhost:8080"
+        refs = _detect_local_service_refs(original)
+        result = _inject_cloud_context(original, refs)
+        assert "cannot reach" in result.lower() or "cannot" in result.lower()
+
+
+# ---------------------------------------------------------------------------
+# Pattern coverage
+# ---------------------------------------------------------------------------
+
+class TestPatternCoverage:
+    def test_at_least_10_patterns(self):
+        assert len(_LOCAL_SERVICE_PATTERNS) >= 10
+
+    def test_patterns_are_strings(self):
+        for p in _LOCAL_SERVICE_PATTERNS:
+            assert isinstance(p, str)
+            assert len(p) > 0