[codex] align server auth Effect services#3180
Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Cloud 500 messages regressed
- Restored operation-specific user-facing messages in ServerAuthOperationError via a lookup table keyed by operation discriminant, so cloud HTTP handlers that pass error.message into 500 response bodies now return the original strings (e.g. 'Could not verify the linked cloud account.') instead of the generic template.
Or push these changes by commenting:
@cursor push ccfda8eba9
Preview (ccfda8eba9)
diff --git a/apps/server/src/auth/EnvironmentAuth.ts b/apps/server/src/auth/EnvironmentAuth.ts
--- a/apps/server/src/auth/EnvironmentAuth.ts
+++ b/apps/server/src/auth/EnvironmentAuth.ts
@@ -90,6 +90,28 @@
]);
type ServerAuthInternalOperation = typeof ServerAuthInternalOperation.Type;
+const serverAuthOperationMessages: Record<ServerAuthInternalOperation, string> = {
+ validate_bootstrap_credential: "Failed to validate bootstrap credential.",
+ validate_session_credential: "Failed to validate session credential.",
+ issue_authenticated_session: "Failed to issue authenticated session.",
+ issue_authenticated_access_token: "Failed to issue authenticated access token.",
+ create_pairing_link: "Failed to create pairing link.",
+ list_pairing_links: "Failed to list pairing links.",
+ revoke_pairing_link: "Failed to revoke pairing link.",
+ issue_session_token: "Failed to issue session token.",
+ list_sessions: "Failed to list sessions.",
+ revoke_session: "Failed to revoke session.",
+ revoke_other_sessions: "Failed to revoke other sessions.",
+ issue_websocket_token: "Failed to issue websocket token.",
+ record_dpop_replay_state: "Failed to record DPoP proof replay state.",
+ calculate_dpop_replay_key: "Failed to calculate DPoP replay key.",
+ verify_linked_cloud_account: "Could not verify the linked cloud account.",
+ read_linked_cloud_account: "Could not read the linked cloud account.",
+ sign_cloud_link_jwt: "Failed to sign cloud link JWT.",
+ sign_cloud_health_jwt: "Failed to sign cloud health JWT.",
+ sign_cloud_mint_jwt: "Failed to sign cloud mint JWT.",
+};
+
export class ServerAuthOperationError extends Schema.TaggedErrorClass<ServerAuthOperationError>()(
"ServerAuthOperationError",
{
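Review bot: The serverAuthOperationMessages table carries no comment saying its values are client-visible, yet the fix description says cloud HTTP handlers pass error.message into 500 response bodies. If any non-cloud operation reaches such a handler, entries like record_dpop_replay_state or sign_cloud_mint_jwt would tell the caller which internal step failed. Suggest a comment above the table marking the strings as part of the response contract, and a test that pins the two "Could not ... the linked cloud account." entries so a later edit to the table cannot change them unnoticed.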
@@ -98,7 +120,7 @@
},
) {
override get message(): string {
- return `Server authentication operation '${this.operation}' failed.`;
+ return serverAuthOperationMessages[this.operation];
}
}
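Review bot: The lookup serverAuthOperationMessages[this.operation] in the message getter has no fallback, so an instance whose operation is not a key of the table at runtime returns undefined from a getter typed as string. Suggest keeping the removed template as the default: return serverAuthOperationMessages[this.operation] ?? `Server authentication operation '${this.operation}' failed.`;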
Reviewed by Cursor Bugbot for commit 87fac8a. Configure here.
Co-authored-by: codex <codex@users.noreply.github.com>


What changed
- EnvironmentAuth, EnvironmentAuthPolicy, PairingGrantStore, ServerSecretStore, and SessionStore to the standard single-file Effect service layout.
- Context.Service tag and replaced standalone shape references with Service["Service"].
- Schema.TaggedErrorClass variants; each variant retains useful reason, operation, resource, and cause attributes with a derived message.
- Schema.Union(...) schemas, TypeScript unions, and predicates for boundaries that handle a family of related failures.
- layer values while keeping persistence/runtime composition explicit.

Why
This aligns server authentication infrastructure with the Effect service conventions used by the relay stack while keeping materially different failures visible in the Effect error channel. Consumers can catch concrete tags or use the exported aggregate predicates without relying on a hidden reason or operation switch.

Impact
Authentication behavior, HTTP mappings, and user-facing error messages are preserved. Error tags are now specific to the actual failure mode; aggregate schemas retain shared validation and predicate surfaces for existing category-level boundaries.

Checks
- vp test apps/server (149 files: 1,224 passed, 7 skipped)
- vp check
- vp run typecheck

Note
Replace generic auth error classes with granular Schema.TaggedErrorClass types across server auth services
- SecretStoreError, SessionCredentialInvalidError, BootstrapCredentialInvalidError, ServerAuthInternalError, etc.) with specific Schema.TaggedErrorClass subtypes in SessionStore, ServerSecretStore, PairingGrantStore, and EnvironmentAuth.
- Schema.is-based type guards replace tag-string catchTags calls throughout HTTP handlers, WebSocket routes, and cloud endpoints.
- Effect.fn to Effect.gen and returns a typed Service.of({...}) instance; layers now pass the factory directly instead of invoking it.
- _tag values (e.g. UnknownBootstrapCredentialError, SecretStorePersistError, MalformedSessionTokenError) rather than generic ones.

Macroscope summarized daba9c6.
Note
High Risk
Large refactor across authentication, sessions, bootstrap pairing, DPoP, secrets, and cloud relay paths; behavior is intended to be preserved but any missed catchIf/tag mapping could change HTTP status or messages.

Overview
Refactors server authentication and secret/session persistence to match the relay-style Effect service layout: contracts live on each Context.Service tag, factories use Effect.gen and Service.of, and layers pass make without invoking it.

Error model: Replaces broad Data.TaggedError types (and reason/message strings) with many Schema.TaggedErrorClass variants in EnvironmentAuth, PairingGrantStore, SessionStore, and ServerSecretStore, plus Schema.Union aggregates and is* predicates. HTTP, WebSocket, DPoP, and cloud handlers switch from catchTags to catchIf with helpers like serverAuthCredentialReason and serverAuthInvalidRequestReason so outward auth reasons stay the same while internal _tag values become specific.

Call-site cleanup: ServerConfig and ServerSecretStore move to namespace imports (ServerConfig.ServerConfig, etc.); desktop uses NodeOS.homedir(). Cloud code uses dedicated internal error classes for link/health/mint JWT failures and setCliDesiredCloudLink instead of a CliState namespace import.

Tests are updated for new error tags (e.g. UnknownBootstrapCredentialError, ServerAuthScopeNotGrantedError, granular secret-store failures).

Reviewed by Cursor Bugbot for commit daba9c6. Bugbot is set up for automated code reviews on this repo. Configure here.