Autonomous AI Agents on Cron: A Zombie-Task Postmortem

What actually breaks when you run AI agents on cron 24/7 — zombie tasks, subagent black holes, and the architectural patterns that make autonomous pipelines reliable.

S
Senior Software Developer · Jakarta
12 min read

Two weeks ago I woke up to a green dashboard. Every cron job had fired, every task reported status: completed, every heartbeat was healthy. The content pipeline I run — research, draft, fact-check, design, publish — had apparently done its job overnight while I slept.

The blog had nothing new on it.

The research agent had marked its work complete. The drafting agent had picked up an empty input, “written” nothing of substance, and reported success. The fact-checker had verified nothing because there was nothing to verify. The publisher found nothing to publish and exited 0. Four agents, four clean exits, one intact chain of nothing. Every process was alive by every metric I tracked — except the one that mattered.

That morning cost me a day of debugging and a lot of trust in my own system. This is the postmortem.

A pipeline queue full of hollow zombie tasks alongside a few healthy completed blocks

The Silent Killer

Traditional software fails loudly — exceptions propagate, logs fill with stack traces, pagers go off. You know immediately that something is wrong, and usually where.

Autonomous agents do not fail that way. They get stuck in loops, hit rate limits and pause indefinitely, or just stop reasoning — while the process stays alive and the heartbeat keeps ticking. The OS reports a healthy PID. Your monitoring says “still running.” Your queue says “in progress.” Nothing is wrong, technically, and that is exactly the problem.

I call these zombie tasks: alive by every metric except the one that matters. The process is up. The work is dead.

This is the hardest problem in autonomous agent operations, and the one almost nobody mentions when they sell you on “agents that work while you sleep.” Cron does not care whether your agent is making progress — it fires the next job on schedule regardless. If your pipeline cannot distinguish “running” from “producing,” you will eventually ship silence and call it success.

The fix starts with one admission: “process exists” is not a health signal. You need wall-clock budgets, output verification, and an independent watchdog. First, the diagnosis.

The Four Ways Tasks Stall

After enough late-night postmortems, my stalls cluster into four patterns. These are the ones that bite in production:

Infinite Wait. A tool call hangs — a network request with no timeout, an MCP server that stopped responding. No error fires, so no recovery triggers. The agent waits forever for a response that is never coming.

Compaction Loop. The context window fills, the system tries to compact it, and the compaction misbehaves. The task enters a tight loop — compacting, failing, retrying — neither completing nor erroring. CPU burns, nothing ships.

Subagent Black Hole. You spawn a subagent for parallel work — the fact-checker, the image researcher, the citation verifier. It dies silently in its isolated session. The parent waits for a completion signal that never arrives; its heartbeat stays healthy, so your monitoring sees nothing wrong.

Rate Limit Sleep. The agent hits an API limit. The backoff logic says “wait five minutes,” the wait extends, and the task never wakes up. Sometimes the scheduler is the culprit, sometimes a library that swallows the retry. Either way, the task is parked and nobody is coming to move it.

Notice what these share: the process is alive in all four. ps shows it, the heartbeat shows it, the queue shows it. The only honest signal is that the task is producing no output — and that is the signal most pipelines never check.

Externalize Your State

The first architectural change that mattered: stop trusting the agent’s in-memory session state. A fresh cron start is a cold process with no memory of the previous run. If your coordination depends on what an agent “remembers” from last time, you are building on sand.

Nathaniel Hamlett runs 23 autonomous cron jobs covering discovery, research, and submission without human intervention, and externalizes all of it into a database. That is the right instinct: the agent reasons, the system remembers.

I use SQLite as the coordination layer. It is a single file, transactional, crash-safe, and with the right pragmas it handles concurrent sessions without locking up. The setup is short:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17

import sqlite3

db = sqlite3.connect('/var/lib/agent/state.db', timeout=5.0)
db.execute('PRAGMA journal_mode=WAL')      # readers never block the writer
db.execute('PRAGMA busy_timeout=5000')     # wait up to 5s on a contended db
db.execute('PRAGMA synchronous=NORMAL')    # safe under WAL, fast enough

# Every row is idempotent by design — re-running a task is a no-op.
db.execute('''
    CREATE TABLE IF NOT EXISTS tasks (
        task_id     TEXT PRIMARY KEY,
        stage       TEXT NOT NULL,          -- scan | research | packets | submit | review
        status      TEXT NOT NULL,          -- pending | running | done | failed
        updated_at  TEXT NOT NULL,          -- the field the watchdog watches
        run_count   INTEGER NOT NULL DEFAULT 0
    )
''')

WAL mode is the important part. In the default journal mode a reader blocks the writer and concurrent jobs serialize into a mess; in WAL they coexist. busy_timeout=5000 means a colliding write waits five seconds instead of throwing database is locked on the first contention. Five seconds is forever in agent terms — if two jobs are still fighting after that, something is wrong and you want the error.

The second piece is a file-based lock in /tmp/agent-locks. The database handles cross-job coordination; the lock handles “only one instance of this job runs at a time.” The lock file holds a PID, and the acquire logic checks whether that PID is still alive before claiming it — so a stale lock from a killed process gets reclaimed instead of blocking the queue forever.

The schedule itself is a flat cron file. Each stage reads the database, does its work, and writes the next stage’s input back to it. Nothing passes state through memory:

1
2
3
4
5
6

# 7am scan → 8am research → 9am packets → 11am submit → 11pm review
0 7  * * * /usr/local/bin/agent scan
0 8  * * * /usr/local/bin/agent research
0 9  * * * /usr/local/bin/agent packets
0 11 * * * /usr/local/bin/agent submit
0 23 * * * /usr/local/bin/agent review

The gaps between stages — two hours from research to packets, two hours to submit, twelve hours before review — are not sloppiness. They are the budget for a stall to be caught and recovered before the next stage fires. A pipeline with no slack is a pipeline that ships zombies.

One pitfall worth naming: do not batch-write your outputs. I lost a full research run once because a single API failure near the end of a bulk insert wiped the batch. Commit after every item — item-level commits turn a total data-loss event into a single skipped row.

Deterministic Routing Beats “Smart” Routing

My first pipeline had an LLM deciding what ran next. The orchestrator would look at the current state and “intelligently” pick the next stage. It felt clever. It was a disaster.

Every routing decision cost tokens, added latency, and was nondeterministic — the same input could route three different ways across three runs, which made stalls impossible to reproduce and bugs impossible to chase. I was spending money to add randomness to the one part of the system that should be the most boring.

Microsoft’s Conductor solves this correctly. It is an open-source CLI under the MIT license that defines multi-agent workflows in YAML, and routing is deterministic: each transition is a Jinja2 template plus an expression evaluation, first matching condition wins. No LLM sits in the orchestration loop. No tokens are spent deciding what runs next. The workflow is a state machine you can read top to bottom, test in isolation, and trust to run identically on the hundredth try.

The LLM belongs inside the task — researching, drafting, fact-checking, designing. Routing between tasks should be code. Once I moved routing into YAML with explicit first-match conditions, my token bill dropped and the orchestrator itself stopped showing up as the root cause in postmortems. If your orchestrator calls a model to decide whether to call a model, you have built a fragile system.

Deterministic YAML routing as a clean branching state machine versus fuzzy LLM routing

Timeouts, Heartbeats, and Idempotency

Once routing is deterministic, the remaining job is bounding failure. Three primitives do almost all of the work.

Wall-clock timeouts. Every task gets a maximum duration — enforced, not estimated. My default is 60 seconds; tasks that legitimately need longer opt in explicitly and carry their own budget. A 60-second default sounds aggressive, and it is meant to: if your research agent cannot decide in a minute, something is wrong and you want to kill it, not wait.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

import signal
import functools

class WallClockTimeout(Exception):
    pass

def wall_clock_timeout(seconds: int = 60):
    """Hard wall-clock budget. Default 60s; long tasks opt in explicitly.
    Unix, main thread only — exactly where a cron job runs."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            def _fire(signum, frame):
                raise WallClockTimeout(f'{fn.__name__} exceeded {seconds}s')
            previous = signal.signal(signal.SIGALRM, _fire)
            signal.alarm(seconds)
            try:
                return fn(*args, **kwargs)
            finally:
                signal.alarm(0)
                signal.signal(signal.SIGALRM, previous)
        return wrapper
    return decorator


@wall_clock_timeout(seconds=90)   # research opts into a longer explicit budget
def run_research(task_id: str):
    ...

Checkpoint heartbeats. Long-running tasks must report progress. The rule is simple: no database update in ten minutes means stalled, regardless of what the process table says. The watchdog checks updated_at, not PID existence. A zombie keeps a healthy heartbeat and produces no updates; the monitor catches it where ps cannot.

Idempotency. Everything that touches state must be safe to run twice — it is what makes kill-and-retry viable. When the watchdog kills a stalled task, the re-enqueued run picks up from the last checkpoint instead of starting over or double-writing. If a task is not idempotent, you cannot safely kill it, and if you cannot safely kill it, you cannot operate it autonomously.

These three primitives compose into one recovery loop: detect via heartbeat, kill within the wall-clock budget, re-enqueue safely, and resume from the last checkpoint. Together they turn “it ran” into “it completed.”

The Six Failure Modes to Watch

Zombie tasks are the operational layer. Underneath them is a deeper set of failure modes that affect how the agent reasons — these produce wrong output instead of no output. MindStudio catalogues six. I have hit all of them.

  1. Context degradation. As a task grows longer, the agent loses track of earlier instructions. The cause is architectural: attention mechanisms weight recent tokens more heavily than old ones, so the system prompt carries less and less weight as the context fills. Re-inject critical instructions at intervals.

  2. Specification drift. The agent does not forget the instruction — it reinterprets it. “Summarize concisely” becomes “summarize at length” over a long session. Vague instructions drift; measurable criteria do not.

  3. Sycophantic confirmation. The agent tells you what you want to hear instead of what is true. This is a documented artifact of RLHF: training rewards agreeable responses, so the model learns a systematic bias toward validation over accuracy (Anthropic’s sycophancy research is the canonical reference). In a fact-checking agent, that is catastrophic. Red-team it with wrong premises and watch whether it corrects you or caves.

  4. Tool call failures. An API errors and the agent treats it as success, or returns empty results and the agent treats “empty” as “the answer.” Log every tool call and its response separately from what the agent did next. The discrepancy is the diagnostic signal.

  5. Cascading failure. A small error early compounds through every downstream agent, because each treats the previous output as ground truth. Add validation at handoff points — especially before irreversible actions like publish.

  6. Silent failure. The task completes, the output is wrong, and nothing flags it. This is the reasoning-layer zombie: it looks done, it isn’t. Ground-truth test sets and second-agent validation are the only reliable defenses. Better prompting will not save you here.

The operational patterns from earlier do not fix these failure modes — they contain them, turning an undetected reasoning failure into a bounded, observable event you can act on.

What This Looks Like in Practice

I will not pretend my own numbers are clean — most of these patterns came from studying other operators’ postmortems and adopting what survived. The clearest before-and-after I have found is from Bob Renze, who documented his autonomous task system after implementing these same primitives. In the first month:

  • 12 stalled tasks detected, all caught within 15 minutes. Previously a stall could sit for hours — nothing checked updated_at, and the process was “healthy.”
  • Silent failures dropped to zero, down from an average of 2–3 per week. Output verification did most of the work — a task now has to produce the expected file, in the expected format, with non-empty content, not just exit 0.
  • Average task completion time fell to 4.2 minutes, down from 8+. The old figure was inflated by stalled tasks burning toward a timeout that was never enforced; a hard budget on every task killed the long tail.
  • 3 false-positive timeout kills in the first week. Renze tuned the thresholds and they stopped. Start aggressive, relax the limits based on what you observe, and do not be afraid to kill a healthy task once or twice while calibrating.

The headline number is the silent-failure one. Going from 2–3 a week to zero is the difference between a pipeline you trust and a pipeline you babysit — and it is exactly the gap my own green-dashboard morning was hiding.

Externalized state guarded by file-based locks, the foundation of a reliable loop

The Checklist

If you are running autonomous agents on cron, verify each of these before you trust the system overnight:

  1. Every task has a hard wall-clock timeout. Default 60 seconds. Enforced, not estimated. Long tasks opt in explicitly.
  2. State lives outside the process. SQLite with WAL and busy_timeout for coordination; file-based PID locks in /tmp for single-instance enforcement. Commit after every item.
  3. Routing is deterministic. YAML plus Jinja2, first match wins, no LLM in the orchestration loop. The orchestrator should be the most boring code in your system.
  4. A watchdog checks updated_at, not PID existence. No checkpoint update in ten minutes means stalled. Run it as an independent process with its own failure modes.
  5. Everything is idempotent. If you cannot safely kill and re-run a task, you cannot operate it autonomously.
  6. Output is verified before “complete.” The right file, the right format, non-empty, matching the spec. Exit 0 is not completion.

Autonomous pipelines fail quietly, confidently, and on schedule — which means the system around them has to be loud, skeptical, and willing to kill. Build the watchdog before you need it. The morning you wake up to a green dashboard and an empty blog is the morning you wish you had.