Cron and automation
The harness runs on automation. Without scheduled scripts, you'd have to remember to generate the morning brief, run loop signal checks, audit cron health, back up the vault. Operators who try to remember these things forget half of them.
This chapter is how to set up the automation layer reliably.
The always-on machine
Cron requires a machine that's running when the cron fires. For an operator, that means an always-on machine — not your laptop, which closes the lid at 5pm.
Three options:
A base-model Mac Mini M4 is $599. It runs 24/7 on ~5W of power. Headless (no monitor needed), accessed via SSH or Screen Sharing. Encrypted with FileVault. Set to auto-restart on power loss.
Linode, DigitalOcean, Hetzner — all reliable. ~$10-40/mo depending on size. Trade-off: your vault would live on a remote server (or you'd sync to it), which adds complexity.
~$50-150 depending on model. Underpowered for AI workloads (Ollama struggles). Fine for lightweight cron.
The harness defaults to Option A. The cron entries in this chapter assume macOS conventions (date -v -1d, launchctl). Adapt for Linux if you go Option B.
Setting up the Mac Mini
If you're starting from scratch:
- Buy the Mac Mini. Base model is enough unless you'll run Ollama 8B+ continuously.
- First-boot setup: Standard macOS install. Create one user account. Set computer name (used in SSH).
- Energy Saver settings (System Settings → Energy):
- Sleep: Never (or set to "Never when plugged in")
- Display sleep: 10 min (the display turns off, machine stays awake)
- Start up automatically after a power failure: ON
- Wake for network access: ON
- FileVault: Turn on. Save the recovery key somewhere secure (not in the vault).
- SSH: System Settings → General → Sharing → Remote Login ON.
- Add your SSH key:
# From your laptop ssh-copy-id <username>@<mac-mini-ip>
- Tailscale or equivalent: install for stable remote access (your local IP can change; Tailscale MagicDNS gives you a stable name).
- External SSD: attach. Format with the filesystem you prefer (APFS for Mac-only, ExFAT for cross-platform).
- Mount discipline: the drive should auto-mount on boot. Set up a watchdog that alerts if it disappears.
The crontab
Edit your cron with crontab -e. Each line is:
Use * for "any." Examples:
Critical: macOS Full Disk Access (FDA)
On macOS Mojave and later, cron jobs need Full Disk Access granted explicitly. Without it, your scripts will fail with "Operation not permitted" — silently, in some cases.
Grant FDA to:
- Terminal.app — for ad-hoc runs
/usr/sbin/cron— for scheduled runs- The Python binary cron uses (often
/Library/Developer/CommandLineTools/usr/bin/python3or/usr/local/bin/python3)
System Settings → Privacy & Security → Full Disk Access → Add each of the above.
This is one of the most common sources of "my cron isn't running and I don't know why" — silent permission failures.
ExFAT quirks
If your external drive is ExFAT (cross-platform), cron cannot execute scripts directly from it. Workaround: prefix bash scripts with /bin/bash:
Python scripts use the full Python path:
The crontab.md document
Maintain a single document, _AI/Schedules/crontab.md, that mirrors what's actually in your crontab. This is the human-readable source of truth.
Update it in the same session you modify cron. If the two ever drift, the document is wrong (cron is what actually runs).
Format:
The Last Verified column matters. Stale entries (>30 days) are signal that the cron may have stopped working without you noticing.
The watchdog pattern
Every cron should report success or failure. The harness pattern: each script writes one row to an agent_timeline_events table (or JSONL log) at end of main().
The brain (or a daily audit) reads this and surfaces crons that haven't reported recently. Without watchdog reporting, crons fail silently — and the failure mode of silent-fail is usually "we discovered it weeks later."
The cron-doctor pattern
A meta-cron that watches the other crons. Runs every few hours:
This catches cron failures that watchdog reporting alone misses (e.g., a script that runs but doesn't reach its watchdog call because of an early exception).
Backup discipline
Cron-driven, daily. The vault itself should be backed up to at least one other location:
- Time Machine (macOS, attached external drive): set and forget
- Cloud backup: Backblaze, Arq, restic to S3 — pick one
- Manual snapshot:
rsync -avto a second drive once a week
The vault is the entire memory of your operation. Losing it would be expensive. Set up two backup channels before you put critical data inside.
Don't trust a single backup. Verify backups every quarter by restoring a random file to a test location.
Common failure modes
"Cron isn't running my script"
Almost always one of:
- Full Disk Access not granted
- Script path wrong in crontab
- Script not executable (
chmod +x) - Script using a binary not in cron's PATH (use full paths)
- ExFAT drive — needs
/bin/bashprefix
Test the script manually first: bash /path/to/script.sh. If it works manually but not via cron, it's almost always #1.
"Cron ran but no output"
Cron sends output to email by default, which on macOS goes nowhere visible. Redirect to a log file:
Now you can inspect /tmp/morning-brief.log to see what happened.
"Cron worked, then stopped"
Usually:
- Network change (script depended on local IP, IP changed)
- Mount point change (external drive remounted with different name)
- Dependency upgrade (Python package, model file, etc.)
- Permission revoked (FileVault relock, FDA revoked after macOS update)
The cron-doctor pattern catches these within hours.
How many cron jobs is reasonable?
10-15 is normal for a small operation. 25+ is a sign that you're over-automating and should consolidate.
If two crons fire 5 minutes apart and do similar things, combine them. If a cron hasn't actually been useful in the last quarter, kill it.
The cron list should be readable in one screen. If yours isn't, you've accumulated complexity that's no longer paying for itself.
Next chapter: document filing rules, especially around PII.