[codex] Structure OAuth scope encoding failures #3368

Open
juliusmarminge wants to merge 1 commit into main from codex/oauth-scope-errors

juliusmarminge (Member) commented Jun 20, 2026

Summary

  • replace the opaque OAuth scope encoder exception with a schema-backed error carrying the original scopes plus invalid and duplicate entries
  • validate the input scopes directly, fixing a case where an invalid scope containing a space could be accepted when deduplication happened to preserve the original array length
  • keep the user-facing message generic and omit a synthetic cause for this pure validation failure

Validation

  • pnpm vp test packages/shared/src/oauthScope.test.ts
  • pnpm vp check (passes with 20 existing warnings)
  • pnpm vp run typecheck

Overlap

  • exact-file audit across all open PRs (--limit 1000) found no overlap

Note

Low Risk
Localized validation and error-shape change in shared OAuth scope helpers; successful encoding behavior is unchanged for valid inputs.

Overview
encodeOAuthScope no longer round-trips through parseOAuthScope and a generic Error. It validates each scope token directly and throws a schema-backed OAuthScopeEncodingError that carries the original scopes, invalidScopes, and duplicateScopes, with the same generic user-facing message.

This closes a validation gap where an invalid scope containing a space could be accepted when joining and re-parsing happened to leave the array length unchanged after deduplication. Tests now assert the structured error fields via Schema.is(OAuthScopeEncodingError).

Reviewed by Cursor Bugbot for commit 6bfc53e. Bugbot is set up for automated code reviews on this repo. Configure here.

Note

Structure OAuth scope encoding failures with OAuthScopeEncodingError

  • Introduces OAuthScopeEncodingError, a tagged error class carrying structured fields: scopes, invalidScopes, and duplicateScopes.
  • Rewrites encodeOAuthScope to explicitly validate tokens via OAUTH_SCOPE_TOKEN, detect duplicates with a Set, and reject empty input — replacing the previous round-trip through parseOAuthScope.
  • Behavioral Change: encodeOAuthScope([]) now throws OAuthScopeEncodingError instead of returning an empty string; invalid or duplicate scope errors are now typed rather than generic Error.

Macroscope summarized 6bfc53e.

Co-authored-by: codex <codex@users.noreply.github.com>
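
The validation gap described in the PR summary above, as an added TypeScript example that is not the project's code. All names are hypothetical, the round-trip function is a reconstruction from the description (join, re-parse, compare lengths), and the token pattern assumes the RFC 6749 `scope-token` grammar rather than the project's `OAUTH_SCOPE_TOKEN` definition, which the page does not show.

```typescript
// Added illustration; names are hypothetical, not the project's code.
// Assumption: token grammar is RFC 6749 scope-token (1*NQCHAR).
const SCOPE_TOKEN = /^[\x21\x23-\x5B\x5D-\x7E]+$/;

class ScopeEncodingError extends Error {
  scopes: string[];
  invalidScopes: string[];
  duplicateScopes: string[];
  constructor(scopes: string[], invalidScopes: string[], duplicateScopes: string[]) {
    super("Invalid OAuth scope."); // generic message; details live in the fields
    this.name = "ScopeEncodingError";
    this.scopes = scopes;
    this.invalidScopes = invalidScopes;
    this.duplicateScopes = duplicateScopes;
  }
}

// Assumed shape of a round-trip check: join, re-parse with split + dedupe,
// then compare the parsed length with the input length.
function encodeScopeRoundTrip(scopes: string[]): string {
  const encoded = scopes.join(" ");
  const parsed = Array.from(new Set(encoded.split(/\s+/).filter((s) => s.length > 0)));
  if (parsed.length !== scopes.length) throw new Error("Invalid OAuth scope.");
  return encoded;
}

// Direct validation: every input element is checked on its own, so a
// length coincidence after deduplication cannot mask a bad element.
function encodeScopeChecked(scopes: string[]): string {
  const seen = new Set<string>();
  const invalid: string[] = [];
  const duplicate: string[] = [];
  for (const scope of scopes) {
    if (!SCOPE_TOKEN.test(scope)) invalid.push(scope);
    else if (seen.has(scope)) duplicate.push(scope);
    else seen.add(scope);
  }
  if (scopes.length === 0 || invalid.length > 0 || duplicate.length > 0) {
    throw new ScopeEncodingError(scopes.slice(), invalid, duplicate);
  }
  return scopes.join(" ");
}

// Constructed input: one element carries two tokens. Joined and re-parsed it
// yields read, write, read, which dedupes to 2 entries, matching the input length.
const SMUGGLED = ["read write", "read"];
```

With `SMUGGLED`, the round-trip variant returns `"read write read"`, while the direct check rejects the input and reports `"read write"` in `invalidScopes`.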
coderabbitai Bot commented Jun 20, 2026

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


github-actions Bot added the labels vouch:trusted (PR author is trusted by repo permissions or the VOUCHED list) and size:M (30-99 changed lines, additions + deletions) on Jun 20, 2026
macroscopeapp Bot (Contributor) commented Jun 20, 2026

Approvability

Verdict: Approved

This change replaces a generic Error with a structured OAuthScopeEncodingError class that provides detailed information about encoding failures. The validation logic and error scenarios remain the same - this is a low-risk improvement to error handling with accompanying tests.
