_{Comment @coderabbitai help to get the list of available commands.}

@coderabbitai review

@coderabbitai review

Adversarial review notes

Reviewed this as a money-path silent-failure surface (per-account "failed" row dropping silently leaves a re-approval / re-fire window). Findings:

Fixed in f0eccb8

• UNSTABLE was a real PR-caused gocyclo trip, not a flake. The new if saveErr != nil audit-loss branch pushed executeForAccount from cyclomatic complexity 10 to 11, tripping pre-commit's gocyclo -over 10 hook on all three retries. Lint / Integration / Security failures on this run match the same suite on origin/main@451a70f7 and are pre-existing (errcheck in cmd/, TestPostgresStore_* integration tests on main is red). Extracted the audit-loss save into persistFailedAccountExecution(ctx, acctExec, account, cause) so the function is back at 10 and the semantics (errors.Join, AUDIT LOSS prefix, errors.Is preservation, cause-unmasked-on-save-success) are identical. Confirmed the new regression test still passes.

Considered, no change needed

• Sibling save sites (grep SavePurchaseExecution across internal/purchase/ + internal/api/):
  • execution.go:277 post-purchase save: already returns AUDIT LOSS: ... (this PR's reference site).
  • manager.go:235 root-row finalize in executeAndFinalize: already wraps with ErrAuditLoss.
  • approvals.go:164 ApproveAndExecute ApprovedBy stamp: AUDIT GAP log-only by design - the atomic TransitionExecutionStatus to approved already landed, only attribution is lost (documented).
  • manager.go:421 safeFail explanatory-error save: AUDIT GAP log-only by design - TransitionExecutionStatus(approved → failed) already landed, only the human-readable error string is lost (documented).
  • handler_purchases.go:692 scheduleApprovedExecution: returns the save error.
  • handler_purchases.go:2004 direct-execute audit-fields stamp: AUDIT GAP log-only - pre-flight attribution, not status.
  • reaper.go:218 canonical-error annotation: log + bump Errored, status flip already landed (documented).
• Reaper interaction. The credential-failure save creates a brand-new row for the per-account fan-out unit. On save failure there is no DB row at all (not "stuck approved"), so the reaper has nothing to re-drive and the allRecsSafeToRedrive idempotency path is not triggered. No SDK call has fired (credential resolution was the failure), so no money has moved. The aggregate root row still gets finalized by executeAndFinalize (manager.go:235).
• Save-vs-SDK ordering. The fix is on the credential-failure branch, which runs before processPurchaseRecommendations (and therefore before any provider SDK call). No double-charge surface.
• Goroutine/error-return shape. executeForAccount is invoked synchronously by execution.RunForAccountsWithConcurrency, which collects (Value, Err) per account into results. The returned err is consumed by executeMultiAccount and surfaces as multiAccountPartialError or errAllAccountsFailed - no goroutine swallows it.
• Test invariant. TestExecuteForAccount_CredentialFailure_SaveErrorSurfaced asserts (a) errors.Is(err, saveErr) (would fail pre-fix - saveErr was discarded via _ =); (b) Contains(err.Error(), "AUDIT LOSS: ...") (would fail pre-fix - no such substring); (c) the credential cause still surfaces. Pinned the bug-replication invariant per feedback_go_ctx_aware_patterns.md.

Out-of-scope follow-ups

• finalizePurchaseStatus (handler_purchases.go:1594) mirrors the anti-pattern this PR fixes. When email-send fails, it tries to flip status=failed and on save-failure logs + returns "pending" to the API caller, masking the failed-failed state. Not on the money path (the row is still in pending so it won't fire), but identical shape. Worth a follow-up issue tracking the sweep.

CR re-requested.

@coderabbitai review