[codex] improve server auth error context#3240
Merged
juliusmarminge merged 8 commits intoJun 21, 2026
Merged
Conversation
|
Important Review skippedAuto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
github-actions
Bot
added
size:L
Contributor
ApprovabilityVerdict: Approved Refactoring PR that adds diagnostic context to error classes and improves type safety by replacing generic error catching with explicit tag-based patterns. No runtime behavior changes — only improved error messages and observability for debugging. You can customize Macroscope's approvability policy. Learn more. |
juliusmarminge
force-pushed
the
codex/server-auth-error-boundaries
branch
from
a92067e to
93072ff
Compare
juliusmarminge
changed the base branch from
main
to
codex/redact-dpop-request-target
github-actions
Bot
added
size:XXL
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.
Autofix Details
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Auth stream RPC lacks compatibility
- Restored
message: Schema.Stringto the wire schema, madeoperationoptional for decode, and removedcause: Schema.Defect()from the schema to ensure backward-compatible decoding across mismatched client/server versions.
- Restored
Or push these changes by commenting:
@cursor push 9bf0ab9608
Preview (9bf0ab9608)
diff --git a/packages/contracts/src/auth.ts b/packages/contracts/src/auth.ts
--- a/packages/contracts/src/auth.ts
+++ b/packages/contracts/src/auth.ts
@@ -285,15 +285,29 @@
export class AuthAccessStreamError extends Schema.TaggedErrorClass<AuthAccessStreamError>()(
"AuthAccessStreamError",
{
- operation: AuthAccessStreamOperation,
+ operation: Schema.optional(AuthAccessStreamOperation),
currentSessionId: Schema.optional(AuthSessionId),
- cause: Schema.Defect(),
+ message: Schema.String,
},
) {
- override get message(): string {
+ // @effect-diagnostics-next-line overriddenSchemaConstructor:off
+ constructor(props: {
+ readonly operation: AuthAccessStreamOperation;
+ readonly currentSessionId?: string | undefined;
+ readonly cause?: unknown;
+ }) {
const session =
- this.currentSessionId === undefined ? "" : ` for session ${this.currentSessionId}`;
- return `Authentication access stream operation ${this.operation} failed${session}.`;
+ props.currentSessionId === undefined ? "" : ` for session ${props.currentSessionId}`;
+ const message =
+ "message" in props && typeof (props as any).message === "string"
+ ? (props as any).message
+ : `Authentication access stream operation ${props.operation} failed${session}.`;
+ super({
+ operation: props.operation,
+ ...(props.currentSessionId === undefined ? {} : { currentSessionId: props.currentSessionId }),
+ message,
+ ...(props.cause === undefined ? {} : { cause: props.cause }),
+ } as any);
}
}You can send follow-ups to the cloud agent here.
juliusmarminge
force-pushed
the
codex/redact-dpop-request-target
branch
2 times, most recently
from
6eba786 to
aacb560
Compare
juliusmarminge
force-pushed
the
codex/server-auth-error-boundaries
branch
from
0f8b837 to
edf63a7
Compare
juliusmarminge
force-pushed
the
codex/redact-dpop-request-target
branch
from
aacb560 to
77e5b36
Compare
juliusmarminge
force-pushed
the
codex/server-auth-error-boundaries
branch
from
edf63a7 to
d430f59
Compare
Contributor
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.
Autofix Details
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: WebSocket RPC leaks auth causes
- Sanitized the cause passed to AuthAccessStreamError by wrapping internal errors in a plain Error with only the message string, preventing full internal error chains from being serialized to WebSocket clients via Schema.Defect().
Or push these changes by commenting:
@cursor push 0b147a7013
Preview (0b147a7013)
diff --git a/apps/server/src/ws.ts b/apps/server/src/ws.ts
--- a/apps/server/src/ws.ts
+++ b/apps/server/src/ws.ts
@@ -514,7 +514,7 @@
(cause) =>
new AuthAccessStreamError({
operation: "list-pairing-links",
- cause,
+ cause: new Error(cause.message),
}),
),
),
@@ -524,7 +524,7 @@
new AuthAccessStreamError({
operation: "list-client-sessions",
currentSessionId,
- cause,
+ cause: new Error(cause.message),
}),
),
),You can send follow-ups to the cloud agent here.
juliusmarminge
force-pushed
the
codex/redact-dpop-request-target
branch
from
77e5b36 to
6bc2561
Compare
juliusmarminge
force-pushed
the
codex/server-auth-error-boundaries
branch
from
d430f59 to
fae19ef
Compare
juliusmarminge
force-pushed
the
codex/redact-dpop-request-target
branch
from
6bc2561 to
71f9ff5
Compare
juliusmarminge
force-pushed
the
codex/server-auth-error-boundaries
branch
from
fae19ef to
2b5e1cf
Compare
Contributor
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Wrong reconcile operation labels
- Moved error handlers into per-operation inner catchTags so makeCloudLinkProof errors are labeled 'generate_link_proof' and applyCloudRelayConfig errors are labeled 'persist_relay_configuration', leaving only setCliDesiredCloudLink errors mapped to 'persist_desired_link_state' in the outer handler.
Or push these changes by commenting:
@cursor push 51e27c9846
Preview (51e27c9846)
diff --git a/apps/server/src/cloud/http.ts b/apps/server/src/cloud/http.ts
--- a/apps/server/src/cloud/http.ts
+++ b/apps/server/src/cloud/http.ts
@@ -723,6 +723,17 @@
},
},
localOrigin,
+ ).pipe(
+ Effect.catchTags({
+ ServerAuthCloudLinkJwtSigningError: (error) =>
+ failEnvironmentCloudInternalError("sign_cloud_link_jwt")(error),
+ SecretStoreReadError: failEnvironmentCloudInternalError("generate_link_proof"),
+ SecretStoreDecodeError: failEnvironmentCloudInternalError("generate_link_proof"),
+ SecretStoreEncodeError: failEnvironmentCloudInternalError("generate_link_proof"),
+ SecretStorePersistError: failEnvironmentCloudInternalError("generate_link_proof"),
+ SecretStoreConcurrentReadError: failEnvironmentCloudInternalError("generate_link_proof"),
+ PlatformError: failEnvironmentCloudInternalError("generate_link_proof"),
+ }),
);
const link = yield* relayClientRequest(dependencies, {
operation: "create-environment-link",
@@ -744,24 +755,25 @@
environmentCredential: link.environmentCredential,
cloudMintPublicKey: link.cloudMintPublicKey,
endpointRuntime: link.endpointRuntime,
- });
+ }).pipe(
+ Effect.catchTags({
+ ServerAuthLinkedCloudAccountVerificationError: (error) =>
+ failEnvironmentCloudInternalError("verify_linked_cloud_account")(error),
+ SecretStoreTemporaryPathGenerationError: failEnvironmentCloudInternalError(
+ "persist_relay_configuration",
+ ),
+ SecretStorePersistError: failEnvironmentCloudInternalError("persist_relay_configuration"),
+ SecretStoreRemoveError: failEnvironmentCloudInternalError("persist_relay_configuration"),
+ SchemaError: failEnvironmentCloudInternalError("persist_relay_configuration"),
+ }),
+ );
},
Effect.catchTags({
- ServerAuthLinkedCloudAccountVerificationError: (error) =>
- failEnvironmentCloudInternalError("verify_linked_cloud_account")(error),
- ServerAuthCloudLinkJwtSigningError: (error) =>
- failEnvironmentCloudInternalError("sign_cloud_link_jwt")(error),
- SecretStoreReadError: failEnvironmentCloudInternalError("persist_desired_link_state"),
SecretStoreTemporaryPathGenerationError: failEnvironmentCloudInternalError(
"persist_desired_link_state",
),
SecretStorePersistError: failEnvironmentCloudInternalError("persist_desired_link_state"),
SecretStoreRemoveError: failEnvironmentCloudInternalError("persist_desired_link_state"),
- SecretStoreDecodeError: failEnvironmentCloudInternalError("persist_desired_link_state"),
- SecretStoreEncodeError: failEnvironmentCloudInternalError("persist_desired_link_state"),
- SecretStoreConcurrentReadError: failEnvironmentCloudInternalError("persist_desired_link_state"),
- SchemaError: failEnvironmentCloudInternalError("persist_desired_link_state"),
- PlatformError: failEnvironmentCloudInternalError("persist_desired_link_state"),
CloudRelayConfigurationError: (error) =>
failEnvironmentCloudInternalError("read_relay_url_configuration")(error),
CloudRelayRequestError: (error) =>You can send follow-ups to the cloud agent here.
Reviewed by Cursor Bugbot for commit 2b5e1cf. Configure here.
juliusmarminge
force-pushed
the
codex/redact-dpop-request-target
branch
from
71f9ff5 to
8bc20f2
Compare
juliusmarminge
force-pushed
the
codex/server-auth-error-boundaries
branch
from
2b5e1cf to
8728ebf
Compare
Co-authored-by: codex <codex@users.noreply.github.com>
Co-authored-by: codex <codex@users.noreply.github.com>
Co-authored-by: codex <codex@users.noreply.github.com>
Co-authored-by: codex <codex@users.noreply.github.com>
Co-authored-by: codex <codex@users.noreply.github.com>
Co-authored-by: codex <codex@users.noreply.github.com>
Co-authored-by: codex <codex@users.noreply.github.com>
Co-authored-by: codex <codex@users.noreply.github.com>
juliusmarminge
force-pushed
the
codex/redact-dpop-request-target
branch
from
8bc20f2 to
3f67e2b
Compare
juliusmarminge
force-pushed
the
codex/server-auth-error-boundaries
branch
from
8728ebf to
55e9cd5
Compare
![macroscopeapp[bot]](https://avatars.githubusercontent.com/in/900172?s=60&v=4){kind=small}
juliusmarminge
merged commit 70fdb85
into
codex/redact-dpop-request-target
16 checks passed
juliusmarminge
added a commit
that referenced
this pull request
Jun 21, 2026
Co-authored-by: codex <codex@users.noreply.github.com>
juliusmarminge
added a commit
that referenced
this pull request
Jun 21, 2026
Co-authored-by: codex <codex@users.noreply.github.com>
juliusmarminge
added a commit
that referenced
this pull request
Jun 21, 2026
Co-authored-by: codex <codex@users.noreply.github.com>
juliusmarminge
added a commit
that referenced
this pull request
Jun 21, 2026
Co-authored-by: codex <codex@users.noreply.github.com>
juliusmarminge
added a commit
that referenced
this pull request
Jun 21, 2026
Co-authored-by: codex <codex@users.noreply.github.com>
juliusmarminge
added a commit
that referenced
this pull request
Jun 21, 2026
Co-authored-by: codex <codex@users.noreply.github.com>
juliusmarminge
added a commit
that referenced
this pull request
Jun 21, 2026
Co-authored-by: codex <codex@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Validation
Note
Medium Risk
Touches authentication, token exchange, DPoP replay, and cross-version HTTP error shapes; behavior is mostly additive but any client that strictly validates error JSON may need to tolerate new optional fields.
Overview
This PR replaces broad auth/internal error handling with tag-specific Effect error channels and
catchTagsmappings at HTTP, WebSocket, and cloud boundaries, and enriches failures with operation, reason, session, scope, and secret-path context while keeping original causes on in-process errors.Contracts and wire behavior: Environment and cloud HTTP errors gain stable
reason/operationcodes (plus relay phase metadata). User-facingmessagestrings are derived from those codes;causeis kept server-side where encoded responses omit it. Decoders still accept legacy message-only payloads for rolling deploys. Unauthorized cloud link flows now exposecloud_cli_authorization_requiredwith thet3 connect linkguidance.Implementation areas:
EnvironmentAuthnarrows per-method error unions and drops predicate helpers likeisServerAuthCredentialErrorin favor of explicit tags.ServerSecretStoreerrors namesecretName,secretPath, and persistoperation.CliTokenManagerand relay client code classify OAuth/relay failures by stage/phase and log redacted URL diagnostics (no credentials in messages or JSON). NewCloudRelayRequestErrorand sharedcatchEnvironmentAuthenticationErrorscentralize mapping to API errors.AuthAccessStreamErrorand related tests assert structural fields instead of echoing upstream text.Reviewed by Cursor Bugbot for commit 55e9cd5. Bugbot is set up for automated code reviews on this repo. Configure here.
Note
Add structured error context to server auth and cloud HTTP error classes
CloudRelayConfigurationError,CloudRelayRequestError) and expands existing ones (ServerAuthDpopReplayStateRecordError,CloudCliCredentialRefreshError, etc.) with typed fields and computedmessagegetters.catchIf/catchTagerror handling throughout handlers withcatchTagsmappings to specific error classes, ensuring unmatched tags propagate rather than being swallowed.invalid_relay_url,cloud_cli_authorization_required) across validation helpers and HTTP error constructors in place of freeform message strings.Macroscope summarized 55e9cd5.