[codex] Preserve auth HTTP failure diagnostics #3419

Open
juliusmarminge wants to merge 2 commits into codex/server-auth-error-boundaries from codex/auth-http-diagnostics
@juliusmarminge juliusmarminge commented Jun 20, 2026

Member

Summary

  • retain exact underlying causes on typed auth HTTP 500 errors while keeping public JSON schemas redacted
  • log only bounded failure tags and reason counts, and suppress synthetic interruption failures
  • replace the remaining broad cookie catch with exhaustive catchTags handling

Validation

  • vp test apps/server/src/auth/http.test.ts apps/server/src/auth/EnvironmentAuth.test.ts
  • vp check (passes with 20 pre-existing warnings)
  • vp run typecheck

Stacked on #3240.


Note

Medium Risk
Touches auth HTTP error paths and logging on a security-sensitive surface; changes are defensive (redaction, interrupt handling) but affect how all internal failures are surfaced.

Overview
Auth environment HTTP failures now log summarized diagnostics (failureTag, reason/failure/defect/interruption counts) instead of dumping full Error/Cause objects, so secrets in error messages are less likely to leak into logs.

failEnvironmentInternal now requires a cause, returns EnvironmentHttpInternalError (keeps the original cause as a defect while public JSON still encodes as EnvironmentInternalError), and re-propagates interrupt-only causes without logging or turning them into synthetic 500s. Request finalizers skip failure logs for interrupt-only exits.

browserSession cookie handling uses catchTags for CookieError only instead of a broad catch. New http.test.ts covers redacted logging/encoding and interruption behavior.

Reviewed by Cursor Bugbot for commit 6d9fb38. Bugbot is set up for automated code reviews on this repo. Configure here.

Note

Preserve auth HTTP failure diagnostics by summarizing causes instead of serializing them

  • Replaces raw cause/error serialization in auth HTTP logs with bounded diagnostics: a trimmed failureTag and counts of failures, defects, and interruptions via a new failureLogAttributes helper.
  • Adds findInterruptCause to detect nested interruption causes and re-propagate them directly, avoiding conversion into synthetic internal errors and suppressing redundant logs.
  • Introduces EnvironmentHttpInternalError with a bounded failureTag field and preserved original cause as a defect, replacing the generic internal error type.
  • Limits annotateEnvironmentRequest finalizer so it skips logging entirely when the exit cause contains only interrupts.
  • Narrows the browserSession cookie error catch to only handle CookieError, letting other errors fall through to upstream handling.

Macroscope summarized 6d9fb38.
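
The bounded-diagnostics idea described in the summary above (a trimmed failure tag plus counts, with interruption-only exits skipped), as an added example that is not part of the pull request or the project's code. The `Cause` type, `summarizeCause`, `diagnosticsFor`, the 64-character limit and the sample error are assumptions made for illustration and do not use the project's libraries.

```typescript
// Simplified stand-in for a structured cause tree (assumption: not the project's real type).
type Cause =
  | { kind: "fail"; error: { _tag?: string; message: string } }
  | { kind: "die"; defect: unknown }
  | { kind: "interrupt" }
  | { kind: "all"; causes: Cause[] };

type FailureSummary = { failureTag: string; failureCount: number; defectCount: number; interruptionCount: number };

const MAX_TAG_LENGTH = 64; // assumed bound; the PR does not state the real limit

// Keep only a short identifier-shaped tag. The error message is never read.
function boundedTag(tag: string | undefined): string {
  const cleaned = (tag ?? "").replace(/[^A-Za-z0-9_.:-]/g, "").slice(0, MAX_TAG_LENGTH);
  return cleaned.length > 0 ? cleaned : "Unknown";
}

// Walk the whole tree and keep counts plus the first failure's tag, nothing else.
function summarizeCause(root: Cause): FailureSummary {
  const s: FailureSummary = { failureTag: "Unknown", failureCount: 0, defectCount: 0, interruptionCount: 0 };
  const stack: Cause[] = [root];
  while (stack.length > 0) {
    const node = stack.pop() as Cause;
    if (node.kind === "all") stack.push(...[...node.causes].reverse()); // visit left to right
    else if (node.kind === "interrupt") s.interruptionCount++;
    else if (node.kind === "die") s.defectCount++;
    else {
      if (s.failureCount === 0) s.failureTag = boundedTag(node.error._tag);
      s.failureCount++;
    }
  }
  return s;
}

// Returns the attributes to log, or null when the exit was interruption only
// (a cancelled request is not a server failure and gets no log line).
function diagnosticsFor(cause: Cause): FailureSummary | null {
  const s = summarizeCause(cause);
  const interruptOnly = s.interruptionCount > 0 && s.failureCount === 0 && s.defectCount === 0;
  return interruptOnly ? null : s;
}

// Constructed sample: a typed failure whose message embeds a secret, plus a defect.
const SAMPLE_CAUSE: Cause = {
  kind: "all",
  causes: [
    { kind: "fail", error: { _tag: "SessionStoreError", message: "lookup failed for token=constructed-secret" } },
    { kind: "die", defect: new Error("constructed defect") },
    { kind: "interrupt" },
  ],
};
```

Because the summary is built from tags and counts only, serializing it for a log line cannot carry the message text, whatever the underlying error contained.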

coderabbitai Bot commented Jun 20, 2026


Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: ab7219af-1c03-4fe3-9010-d9f9df945d7c

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@github-actions github-actions Bot added the labels vouch:trusted (PR author is trusted by repo permissions or the VOUCHED list) and size:L (100-499 changed lines, additions + deletions) on Jun 20, 2026

macroscopeapp Bot commented Jun 20, 2026

Contributor

Approvability

Verdict: Needs human review

Changes to files in the auth directory (apps/server/src/auth/http.ts and new test file) require human review regardless of scope, as auth-related code is treated as sensitive. The changes also modify error handling and diagnostic logging behavior in authentication code paths.

No code changes detected at 6d9fb38. Prior analysis still applies.

You can customize Macroscope's approvability policy. Learn more.

@juliusmarminge juliusmarminge force-pushed the codex/server-auth-error-boundaries branch from 0f8b837 to edf63a7 Compare June 20, 2026 22:46
@juliusmarminge juliusmarminge force-pushed the codex/auth-http-diagnostics branch from f476f6d to 519cb0a Compare June 20, 2026 22:47
@juliusmarminge juliusmarminge force-pushed the codex/server-auth-error-boundaries branch from edf63a7 to d430f59 Compare June 20, 2026 22:50
@juliusmarminge juliusmarminge force-pushed the codex/auth-http-diagnostics branch from 519cb0a to 265d3cb Compare June 20, 2026 22:51
@juliusmarminge juliusmarminge force-pushed the codex/server-auth-error-boundaries branch from d430f59 to fae19ef Compare June 20, 2026 23:11
@juliusmarminge juliusmarminge force-pushed the codex/auth-http-diagnostics branch from 265d3cb to 55daaa4 Compare June 20, 2026 23:11
juliusmarminge and others added 2 commits June 20, 2026 16:18
Co-authored-by: codex <codex@users.noreply.github.com>
Co-authored-by: codex <codex@users.noreply.github.com>
@juliusmarminge juliusmarminge force-pushed the codex/server-auth-error-boundaries branch from fae19ef to 2b5e1cf Compare June 20, 2026 23:20
@juliusmarminge juliusmarminge force-pushed the codex/auth-http-diagnostics branch from 55daaa4 to 6d9fb38 Compare June 20, 2026 23:20