[codex] Preserve auth HTTP failure diagnostics

[juliusmarminge]

Summary

• retain exact underlying causes on typed auth HTTP 500 errors while keeping public JSON schemas redacted
• log only bounded failure tags and reason counts, and suppress synthetic interruption failures
• replace the remaining broad cookie catch with exhaustive catchTags handling

Validation

• vp test apps/server/src/auth/http.test.ts apps/server/src/auth/EnvironmentAuth.test.ts
• vp check (passes with 20 pre-existing warnings)
• vp run typecheck

Stacked on #3240.

---

Note

Medium Risk
Touches auth HTTP 500 and logging paths where mishandling could hide real failures or leak data; changes are guarded by new tests and redacted API encoding.

Overview
Auth HTTP internal failures now keep the full underlying cause on a typed EnvironmentHttpInternalError, while public JSON still encodes only code, reason, and traceId (no raw errors in responses).

Logging no longer dumps full Cause/error objects. Request and operation failures log a bounded failureTag plus reason/failure/defect/interruption counts. Request finalizers skip logging when the exit is interrupt-only.

failEnvironmentInternal re-propagates nested interruption causes instead of turning them into synthetic 500s. browserSession cookie handling uses catchTags for CookieError only, passing the cause into internal failure handling.

^{Reviewed by Cursor Bugbot for commit f0537a8. Bugbot is set up for automated code reviews on this repo. Configure here.}

Note

Preserve auth HTTP failure diagnostics by summarizing causes instead of serializing them

• Replaces raw cause/error serialization in auth HTTP logs with bounded diagnostics: a trimmed failureTag and counts of failures, defects, and interruptions via a new failureLogAttributes helper.
• Adds findInterruptCause to detect nested interruption causes and re-propagate them directly, avoiding conversion into synthetic internal errors and suppressing redundant logs.
• Introduces EnvironmentHttpInternalError with a bounded failureTag field and preserved original cause as a defect, replacing the generic internal error type.
• Limits annotateEnvironmentRequest finalizer so it skips logging entirely when the exit cause contains only interrupts.
• Narrows the browserSession cookie error catch to only handle CookieError, letting other errors fall through to upstream handling.

^{Macroscope summarized f0537a8.}

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: a45a65f5-35b3-4d38-a1ea-48d64d1ce31c

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/auth-http-diagnostics

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[macroscopeapp]

Approvability

Verdict: Needs human review

Changes modify files in the auth directory (apps/server/src/auth/http.ts), which requires human review regardless of change complexity per security guidelines.

No code changes detected at f0537a8. Prior analysis still applies.

^{You can customize Macroscope's approvability policy. Learn more.}

[cursor]

Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.

Autofix Details

Bugbot Autofix prepared a fix for the issue found in the latest run.

• ✅ Fixed: Interrupt missed in Cause
  • Extracted the loop body into a recursive walkForInterrupt helper that, upon encountering a non-interrupt-only Cause, iterates its Fail reasons and continues walking each error's .cause chain to find nested interrupt causes.

Or push these changes by commenting:

@cursor push 5780d93e6f

Preview (5780d93e6f)

diff --git a/apps/server/src/auth/http.ts b/apps/server/src/auth/http.ts
--- a/apps/server/src/auth/http.ts
+++ b/apps/server/src/auth/http.ts
@@ -83,10 +83,27 @@
 
 function findInterruptCause(input: unknown): Cause.Cause<never> | undefined {
   const seen = new Set<object>();
+  return walkForInterrupt(input, seen, 0);
+}
+
+function walkForInterrupt(
+  input: unknown,
+  seen: Set<object>,
+  depth: number,
+): Cause.Cause<never> | undefined {
   let current = input;
-  for (let depth = 0; depth < MAX_CAUSE_CHAIN_DEPTH; depth += 1) {
+  for (let d = depth; d < MAX_CAUSE_CHAIN_DEPTH; d += 1) {
     if (Cause.isCause(current)) {
-      return Cause.hasInterruptsOnly(current) ? (current as Cause.Cause<never>) : undefined;
+      if (Cause.hasInterruptsOnly(current)) {
+        return current as Cause.Cause<never>;
+      }
+      for (const reason of current.reasons) {
+        if (Cause.isFailReason(reason)) {
+          const found = walkForInterrupt(reason.error, seen, d + 1);
+          if (found !== undefined) return found;
+        }
+      }
+      return undefined;
     }
     if (typeof current !== "object" || current === null || seen.has(current)) {
       return undefined;

_{You can send follow-ups to the cloud agent here.}

[cursor]

Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.

Bugbot Autofix prepared a fix for the issue found in the latest run.

• ✅ Fixed: IPC openExternal breaks boolean contract
  • Added Effect.orElseSucceed(() => false) to the IPC handler so that ElectronShellOpenExternalError is caught and returns false instead of rejecting the IPC call, preserving the boolean contract for renderer callers.

Or push these changes by commenting:

@cursor push f71e08ecb0

Preview (f71e08ecb0)

diff --git a/apps/desktop/src/ipc/methods/window.ts b/apps/desktop/src/ipc/methods/window.ts
--- a/apps/desktop/src/ipc/methods/window.ts
+++ b/apps/desktop/src/ipc/methods/window.ts
@@ -141,6 +141,6 @@
   result: Schema.Boolean,
   handler: Effect.fn("desktop.ipc.window.openExternal")(function* (url) {
     const shell = yield* ElectronShell.ElectronShell;
-    return yield* shell.openExternal(url);
+    return yield* shell.openExternal(url).pipe(Effect.orElseSucceed(() => false));
   }),
 });

_{You can send follow-ups to the cloud agent here.}

^{Reviewed by Cursor Bugbot for commit f5fe411. Configure here.}