Agent prompt: add "give up" guidance for repeated tool failures to prevent infrastructure rabbit holes #35930

@dsyme

Problem

Observed in ci-perf workflow run 26685032273 (agent job 78651725929, 2026-05-30).

The agent attempted to push a CI trigger commit to a PR using push_to_pull_request_branch. The tool returned the same error on every call:

Branch dsyme/ci-perf/... does not exist locally. Cannot generate incremental patch.

Root cause (identified by the agent in its own trace): findRepoCheckout in the safeoutputs implementation fails to locate a github/github worktree checkout that uses a .git FILE (not directory), so cwd falls back to the github-automation root where the PR branch does not exist.

Instead of calling report_incomplete after 2-3 failed attempts, the agent spent 38 minutes in an escalating investigation:

  • Repeated git checkout with different flags
  • Tried to bypass partial clone promisor settings via GIT_CONFIG_COUNT env vars (explicitly prohibited by ci-perf prompt)
  • Set GIT_OBJECT_DIRECTORY and extensions.partialClone=""
  • Inspected Docker socket (/var/run/docker.sock), overlay mounts (/proc/self/mounts), /proc/net/tcp6, /host filesystem
  • Read through safe_outputs_append.cjs, safe_outputs_handlers.cjs, push_to_pull_request_branch.cjs source code
  • Called push_to_pull_request_branch ~10+ times, always getting the same error

The run consumed 29.7M tokens and ended without pushing the trigger commit.

Suggested generic prompt improvements

1. Add hard retry cap with report_incomplete fallback

Add to the system prompt / agent guidance:

Tool retry limit: If a safe-output tool (e.g. push_to_pull_request_branch, close_pull_request) returns an error, try at most 2 different approaches to resolve it. If still failing, call report_incomplete describing the error and the approaches you tried, then continue with other work. Do NOT attempt to debug the underlying infrastructure.

2. Prohibit container/infrastructure inspection

Add to the system prompt / prohibited actions:

Do not inspect infrastructure internals. When a tool or command fails, do not investigate Docker sockets (/var/run/docker.sock), filesystem mounts (/proc/self/mounts, overlay), container networking (/proc/net), /host paths, git object storage internals, or environment variables of the container runtime. These are outside your control and investigating them wastes budget without fixing anything. If a tool fails and you cannot resolve it within 2 attempts, use report_incomplete.

3. Improve push_to_pull_request_branch error message for repo-not-found case

The current error "Branch X does not exist locally. Make sure you have committed your changes" is misleading: the agent HAS committed, but the tool is looking in the wrong git repo (cwd fell back to the wrong directory). A more actionable error would be:

Branch X does not exist locally in any detectable checkout. 
Possible causes: (1) you haven't run 'git checkout -b X --track origin/X' yet; 
(2) the tool could not locate the correct git repo — ensure  points 
to the repo containing the PR. Cannot generate patch.

Or ideally, log which directory findRepoCheckout searched so the agent can verify.

Or indeed if it exists in some existing checkout, tell it which one.
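
The root cause described in the issue above (a checkout whose .git is a file rather than a directory, as in a linked worktree), shown as an added example that is not part of the original issue and is not the safeoutputs code. classifyCheckout and locateCheckout are hypothetical names and the fixture directories are constructed; the lookup accepts both .git forms and returns every directory it searched so an error message can name them.

```javascript
// Added example: hypothetical helpers, not the project's findRepoCheckout.
const fs = require("fs");
const os = require("os");
const path = require("path");

// ".git" directory = normal clone; ".git" file containing "gitdir: <path>"
// = linked worktree (or submodule) checkout. Anything else is not a checkout.
function classifyCheckout(dir) {
  const dotGit = path.join(dir, ".git");
  let st;
  try { st = fs.statSync(dotGit); } catch { return null; }
  if (st.isDirectory()) return { dir, kind: "directory", gitDir: dotGit };
  if (!st.isFile()) return null;
  const m = /^gitdir: (.+)$/m.exec(fs.readFileSync(dotGit, "utf8"));
  // A relative gitdir is resolved against the checkout, not the process cwd.
  return m ? { dir, kind: "file", gitDir: path.resolve(dir, m[1].trim()) } : null;
}

// Try candidates in order and record each one, so a failure can report where
// the lookup went instead of silently falling back to the current directory.
function locateCheckout(candidates) {
  const searched = [];
  for (const dir of candidates) {
    searched.push(dir);
    const hit = classifyCheckout(dir);
    if (hit) return { ...hit, searched };
  }
  return { dir: null, kind: null, gitDir: null, searched };
}

// Constructed fixture: a main clone, a worktree whose .git is a file, and an
// unrelated root directory that holds no checkout at all.
function buildFixture() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "checkout-demo-"));
  const main = path.join(root, "main");
  const wt = path.join(root, "worktree");
  const empty = path.join(root, "automation-root");
  const wtGitDir = path.join(main, ".git", "worktrees", "wt");
  fs.mkdirSync(wtGitDir, { recursive: true });
  fs.mkdirSync(wt);
  fs.mkdirSync(empty);
  fs.writeFileSync(path.join(wt, ".git"), `gitdir: ${wtGitDir}\n`);
  return { root, main, wt, empty, wtGitDir };
}

function demo() {
  const fx = buildFixture();
  const found = locateCheckout([fx.empty, fx.wt]);
  const missing = locateCheckout([fx.empty]);
  fs.rmSync(fx.root, { recursive: true, force: true });
  return { fx, found, missing };
}
```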
