
[codex] add session context to credential errors #3349

Open
juliusmarminge wants to merge 1 commit into main from codex/structure-session-store-errors


@juliusmarminge juliusmarminge commented Jun 20, 2026

Member

Summary

  • attach session IDs and lifecycle timestamps to token/session expiry, revocation, and lookup errors
  • preserve exact repository and encoding causes while mapping at points where correlation context is known
  • keep raw tokens and signatures out of every error attribute

Verification

  • vp test apps/server/src/auth/SessionStore.test.ts (8 tests)
  • vp check (passes with 20 pre-existing warnings)
  • vp run typecheck

Note

Medium Risk
Touches session and websocket token verification and revocation error paths in auth; behavior is mostly additive on error shape, but callers that matched on messages or assumed silent revoke success on DB errors may see different failures.

Overview
SessionStore credential and revocation errors now carry structured correlation fields (sessionId, expiresAt, observedAt, revokedAt, etc.) instead of empty tagged errors that relied on message strings.

Verification uses DateTime.now for expiry checks (replacing Clock.currentTimeMillis), and invalid exp claims surface InvalidSessionExpirationClaimError with sessionId and the raw claim. Repository, encoding, and UUID failures are mapped at the call site into typed wrappers (SessionCredentialIssueError, SessionCredentialVerificationError, SessionRevocationError, OtherSessionsRevocationError, and websocket equivalents) with nested causes and session IDs where known.

Tests assert on _tag and context fields (including revoke paths on repository failure) rather than substring messages.

Reviewed by Cursor Bugbot for commit d267a5e. Bugbot is set up for automated code reviews on this repo.

Note

Add session context fields to credential and revocation errors in SessionStore

  • Adds structured context fields (sessionId, expiresAt, observedAt, revokedAt, etc.) to all typed errors in SessionStore.ts, replacing bare string messages.
  • Switches time resolution from Clock.currentTimeMillis to DateTime.now for expiry checks in both session and WebSocket token verification.
  • Maps previously untyped repository and encoding failures into specific typed errors (SessionCredentialIssueError, SessionRevocationError, OtherSessionsRevocationError, etc.) with nested causes.
  • Updates tests in SessionStore.test.ts to assert on typed error tags and contextual fields rather than message substrings.

Macroscope summarized d267a5e.
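The error shape described in this PR, sketched as an added example that is not the PR's or the project's code: tagged errors carry the session ID and timestamps, the repository failure is mapped at the call site with its cause nested, and a test helper confirms that neither the token nor its signature reaches any error attribute. The token format, the field shapes, `SessionExpiredError`, `SessionLookup` and `leaksSecret` are assumptions made for illustration.

```typescript
// Added illustration, not code from the PR. Tags marked "from PR" appear in its
// text; field shapes, SessionExpiredError and the token format are assumptions.
type SessionError =
  | { _tag: "InvalidSessionExpirationClaimError"; sessionId: string; claim: string } // from PR
  | { _tag: "SessionExpiredError"; sessionId: string; expiresAt: string; observedAt: string } // hypothetical
  | { _tag: "SessionCredentialVerificationError"; sessionId: string; cause: unknown }; // from PR

type VerifyResult = { ok: true; sessionId: string } | { ok: false; error: SessionError };
type SessionLookup = (sessionId: string) => void; // hypothetical repository call; throws on failure

// Constructed token format for the example: "<sessionId>.<exp seconds>.<signature>".
function verifySession(token: string, now: Date, lookup: SessionLookup): VerifyResult {
  const [sessionId = "", expRaw = ""] = token.split(".");
  const expiresAt = new Date(Number(expRaw) * 1000);
  if (expRaw === "" || Number.isNaN(expiresAt.getTime())) {
    // Carry the session ID and the raw claim, never the token or signature.
    return { ok: false, error: { _tag: "InvalidSessionExpirationClaimError", sessionId, claim: expRaw } };
  }
  if (expiresAt.getTime() <= now.getTime()) {
    return { ok: false, error: { _tag: "SessionExpiredError", sessionId,
      expiresAt: expiresAt.toISOString(), observedAt: now.toISOString() } };
  }
  try {
    lookup(sessionId);
  } catch (cause) {
    // Map at the call site, where the session ID is known; keep the cause nested.
    return { ok: false, error: { _tag: "SessionCredentialVerificationError", sessionId, cause } };
  }
  return { ok: true, sessionId };
}

// Check usable in tests: no error attribute contains the token or its signature.
function leaksSecret(error: SessionError, token: string): boolean {
  const signature = token.split(".")[2] ?? "";
  const nested = "cause" in error ? String(error.cause) : "";
  const dump = JSON.stringify(error) + nested;
  return dump.includes(token) || (signature !== "" && dump.includes(signature));
}
```

Asserting on `_tag` and the context fields, as the PR's tests are described as doing, keeps tests stable when message wording changes.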

@juliusmarminge juliusmarminge added the vouch:trusted PR author is trusted by repo permissions or the VOUCHED list. label Jun 20, 2026

coderabbitai Bot commented Jun 20, 2026


Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


@github-actions github-actions Bot added the size:L 100-499 changed lines (additions + deletions). label Jun 20, 2026

macroscopeapp Bot commented Jun 20, 2026

Contributor

Approvability

Verdict: Needs human review

This PR modifies authentication session handling code (SessionStore.ts) to add context fields to error classes. Changes to auth-related code paths warrant human review regardless of the additive nature of the changes.

No code changes detected at d267a5e. Prior analysis still applies.


@juliusmarminge juliusmarminge force-pushed the codex/structure-session-store-errors branch 2 times, most recently from 1ab9e42 to 4c5e0d4 Compare June 20, 2026 22:52
Co-authored-by: codex <codex@users.noreply.github.com>
@juliusmarminge juliusmarminge force-pushed the codex/structure-session-store-errors branch from 4c5e0d4 to d267a5e Compare June 20, 2026 23:20