[codex] Preserve client connection error causes

[juliusmarminge]

Summary

• model remote fetch, invalid-response, and timeout failures with structured request context and messages that do not stringify their causes
• retain the immediate relay, remote authorization, DPoP, and RPC failure as cause when translating into connection classifications
• move relay HTTP failure mapping onto ManagedRelayRequestFailedError, use tag-directed retry handling, and inline a no-value proof-error field wrapper
• add focused coverage for classification metadata and complete cause chains

The undeclared-status conversion is intentionally left for the SSH follow-up because its current instanceof consumer is being changed by #3206.

Validation

• vp check
• vp run typecheck
• vp test packages/client-runtime/src/connection/errors.test.ts packages/client-runtime/src/authorization/remote.test.ts packages/client-runtime/src/authorization/layer.test.ts packages/client-runtime/src/rpc/session.test.ts packages/client-runtime/src/relay/managedRelay.test.ts packages/client-runtime/src/connection/onboarding.test.ts

---

Note

Medium Risk
Touches authentication and connection error paths across relay and remote environment flows; behavior is mostly additive (cause preservation) but changes error shapes and messaging used during connect.

Overview
Connection failures now keep a structured cause on ConnectionBlockedError and ConnectionTransientError, so relay, remote auth, DPoP, and RPC errors are not dropped when they are classified for the UI.

Remote HTTP auth errors (RemoteEnvironmentAuthFetchError, invalid JSON, timeout) are modeled with requestUrl (and related fields) and user-facing messages that do not embed the underlying transport error string.

Relay client HTTP failures go through ManagedRelayRequestFailedError.fromHttpRequest; DPoP proof mapping nests the signer error as cause. Invalid-bearer retry uses Effect.catchTags on ManagedRelayRequestFailedError instead of a broad catch.

Mappers in connection/errors.ts and DPoP paths in authorization/session set cause to the immediate failure (e.g. the relay request wrapper when a protected relay error is surfaced).

New connection/errors.test.ts asserts classification metadata and full cause chains, including that fetch messages stay free of sensitive transport text.

^{Reviewed by Cursor Bugbot for commit b7ae7f0. Bugbot is set up for automated code reviews on this repo. Configure here.}

Note

Preserve original error causes in client connection errors

• Adds an optional cause field (typed as Schema.Defect) to ConnectionBlockedError and ConnectionTransientError in model.ts, so underlying errors are no longer silently discarded.
• Updates all error mapping functions (mapManagedRelayError, mapRemoteEnvironmentError, mapInitialConfigError, and DPoP authorization helpers) to attach the originating error as cause when constructing connection errors.
• Converts RemoteEnvironmentAuthFetchError, RemoteEnvironmentAuthInvalidJsonError, and RemoteEnvironmentAuthTimeoutError in http.ts to schema-based classes with structured fields; fetch error messages no longer embed the cause text.
• Adds ManagedRelayRequestFailedError.fromHttpRequest factory in managedRelay.ts to consistently populate relayError and traceId from HTTP request errors.
• Behavioral Change: error messages for fetch failures no longer include the underlying cause's message text (it is now available only via cause).

^{Macroscope summarized b7ae7f0.}

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 6f432f7e-1792-49aa-8dac-6734d2c8fdf5

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/audit-relay-errors-wave1

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[macroscopeapp]

Approvability

Verdict: Approved

This PR adds cause fields to preserve error chain information throughout connection error handling, improving debugging observability without changing business logic or control flow. The changes are mechanical and well-tested.

^{You can customize Macroscope's approvability policy. Learn more.}