fix(cortex-exec): disable automatic retries by default to prevent duplicate side effects

factorydroid · Factory Bot · commit 03c07c929798 · 2026-01-26T20:50:13.000+04:00
Fixes bounty issue #1519

The ExecRunner's send_request function had automatic retry logic (MAX_RETRIES=3)
for transient LLM errors. This could cause non-idempotent operations like tool
calls with side effects to be executed multiple times during retries.

Changes:
- Add max_retries field to ExecOptions, defaulting to 0 (no retries)
- Update send_request to use configurable max_retries instead of hardcoded value
- Only retry when max_retries &gt; 0 and error is retriable
- Add test coverage for max_retries configuration

Users who want retry behavior for idempotent prompts can explicitly set
max_retries to a positive value.
diff --git a/cortex-exec/src/runner.rs b/cortex-exec/src/runner.rs
@@ -64,6 +64,11 @@ pub struct ExecOptions {
     pub enabled_tools: Option<Vec<String>>,
     /// Tools to disable.
     pub disabled_tools: Vec<String>,
+    /// Maximum number of retries for transient LLM request errors.
+    /// Defaults to 0 (no retries) to prevent duplicate execution of
+    /// non-idempotent operations like tool calls with side effects.
+    /// Set to a positive value (e.g., 3) only for read-only prompts.
+    pub max_retries: usize,
 }
 
 impl Default for ExecOptions {
@@ -82,6 +87,8 @@ impl Default for ExecOptions {
             streaming: true,
             enabled_tools: None,
             disabled_tools: Vec::new(),
+            // Default to 0 retries to prevent duplicate execution of non-idempotent operations
+            max_retries: 0,
         }
     }
 }
@@ -465,7 +472,11 @@ impl ExecRunner {
         })
     }
 
-    /// Send a request to the LLM with retry logic.
+    /// Send a request to the LLM with optional retry logic.
+    ///
+    /// The number of retries is controlled by `self.options.max_retries`.
+    /// When set to 0 (the default), no retries are attempted to prevent
+    /// duplicate execution of non-idempotent operations like tool calls.
     async fn send_request(
         &self,
         conversation: &ConversationManager,
@@ -491,14 +502,19 @@ impl ExecRunner {
                 .unwrap_or(DEFAULT_REQUEST_TIMEOUT_SECS),
         );
 
-        // Retry loop for transient errors
+        // Total attempts = 1 (initial) + max_retries
+        // When max_retries is 0, we make exactly 1 attempt with no retries
+        let max_attempts = self.options.max_retries + 1;
+
+        // Retry loop for transient errors (disabled by default to prevent
+        // duplicate execution of non-idempotent operations)
         let mut last_error = None;
-        for attempt in 0..MAX_RETRIES {
+        for attempt in 0..max_attempts {
             if attempt > 0 {
                 self.output.write_info(&format!(
                     "Retrying request (attempt {}/{})",
                     attempt + 1,
-                    MAX_RETRIES
+                    max_attempts
                 ));
                 // Exponential backoff
                 tokio::time::sleep(Duration::from_millis(500 * 2u64.pow(attempt as u32))).await;
@@ -517,7 +533,8 @@ impl ExecRunner {
             match result {
                 Ok(Ok(response)) => return Ok(response),
                 Ok(Err(e)) => {
-                    if e.is_retriable() {
+                    // Only retry if retries are enabled and error is retriable
+                    if self.options.max_retries > 0 && e.is_retriable() {
                         last_error = Some(e);
                         continue;
                     }
@@ -528,8 +545,12 @@ impl ExecRunner {
                         "Request timed out after {} seconds",
                         request_timeout.as_secs()
                     ));
-                    last_error = Some(CortexError::Timeout);
-                    continue;
+                    // Only retry on timeout if retries are enabled
+                    if self.options.max_retries > 0 {
+                        last_error = Some(CortexError::Timeout);
+                        continue;
+                    }
+                    return Err(CortexError::Timeout);
                 }
             }
         }
@@ -768,6 +789,22 @@ mod tests {
         assert_eq!(opts.timeout_secs, Some(DEFAULT_TIMEOUT_SECS));
         assert!(!opts.full_auto);
         assert!(opts.streaming);
+        // max_retries defaults to 0 to prevent duplicate execution of non-idempotent operations
+        assert_eq!(opts.max_retries, 0);
+    }
+
+    #[test]
+    fn test_max_retries_configuration() {
+        // Default should be 0 (no retries) to protect against duplicate side effects
+        let default_opts = ExecOptions::default();
+        assert_eq!(default_opts.max_retries, 0);
+
+        // Users can explicitly enable retries if they know their prompt is idempotent
+        let opts_with_retries = ExecOptions {
+            max_retries: 3,
+            ..Default::default()
+        };
+        assert_eq!(opts_with_retries.max_retries, 3);
     }
 
     #[test]
