
[codex] Structure cloud CLI token errors #3249

Open: juliusmarminge wants to merge 1 commit into codex/cloud-http-error-boundaries from codex/cloud-cli-token-errors


@juliusmarminge juliusmarminge commented Jun 20, 2026

Member

Summary

  • replace the higher-order CLI token error wrapper with direct, contextual mappings
  • retain original causes while recording credential, stage, endpoint, callback, and timeout context
  • narrow each token-manager service method to its actual error channel and simplify the cloud boundary catch set
  • add backend tests for removal, read, and persisted-token decode failures

Validation

  • vp test apps/server/src/cloud (33 tests)
  • vp check (passes with 20 pre-existing warnings)
  • vp run typecheck

Stacked on #3246 so the cloud HTTP error boundary lands first.


Note

Medium Risk
Touches OAuth credential storage and refresh on the CLI link path; behavior is mostly error shaping and typing, but mis-handled failures could affect link/reconcile diagnostics or error propagation.

Overview
Cloud CLI token errors are reworked so failures keep the original cause while carrying secret name, pipeline stage, and optional OAuth/callback context (token endpoint, redirect URI, loopback host/port, timeout).

The generic wrapError helper is removed in favor of direct mapError mappings at each step (read/decode, refresh, login, persist, clear). Service methods now expose narrower error channels (clear → removal only, hasCredential → read only, etc.), and reconcileDesiredCloudLink in cloud HTTP only catches CloudCliCredentialRefreshError from getExisting (other CLI error tags drop out of that boundary).

Tests cover removal, credential read, and malformed persisted-token decode paths, asserting tags, preserved causes, and user-facing messages.

Reviewed by Cursor Bugbot for commit dfc32cd. Bugbot is set up for automated code reviews on this repo.

Note

Structure cloud CLI token manager errors with lifecycle stage and context

  • Enriches CloudCliTokenManager error types with lifecycle stage, secret name, token endpoint, and callback address fields to replace the previous generic CloudCliTokenManagerError.
  • Adds static constructors (fromCredentialRead, fromCredentialPersist) on each error class to classify failures by stage during refresh, read, and authorization flows.
  • Narrows the error union returned by each service method (get, getExisting, hasCredential, clear) to the specific error types relevant to that operation.
  • Removes the wrapError helper and replaces it with explicit Effect.mapError/catchTags calls throughout CliTokenManager.ts.
  • Updates http.ts to drop catch handlers for error tags that no longer appear in the error union of the affected methods.

Macroscope summarized dfc32cd.

Co-authored-by: codex <codex@users.noreply.github.com>
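The error shape the description above outlines (secret-name context, original cause retained, a narrower error channel per method), as an added example that is not code from this PR. It uses plain TypeScript result types instead of the Effect `mapError` calls the PR mentions, and the class names, function bodies, and `SecretStore` type are all hypothetical.

```typescript
// Added example, not code from the PR. All names and bodies here are hypothetical.
type Result<A, E> = { ok: true; value: A } | { ok: false; error: E };
type SecretStore = { get(name: string): string | undefined };

class CredentialReadError {
  readonly _tag = "CredentialReadError";
  constructor(readonly secretName: string, readonly cause: unknown) {}
  // User-facing text is built from context fields only, never from the secret.
  get message(): string { return `Could not read credential "${this.secretName}"`; }
}

class CredentialDecodeError {
  readonly _tag = "CredentialDecodeError";
  constructor(readonly secretName: string, readonly cause: unknown) {}
  get message(): string { return `Persisted credential "${this.secretName}" is malformed`; }
}

// Narrow channel: checking for presence can only fail at the read stage.
function hasCredential(store: SecretStore, secretName: string): Result<boolean, CredentialReadError> {
  try {
    return { ok: true, value: store.get(secretName) !== undefined };
  } catch (cause) {
    return { ok: false, error: new CredentialReadError(secretName, cause) };
  }
}

// Loading maps each step's failure where it happens and keeps the original cause.
function loadToken(
  store: SecretStore,
  secretName: string,
): Result<string | undefined, CredentialReadError | CredentialDecodeError> {
  let raw: string | undefined;
  try {
    raw = store.get(secretName);
  } catch (cause) {
    return { ok: false, error: new CredentialReadError(secretName, cause) };
  }
  if (raw === undefined) return { ok: true, value: undefined };
  try {
    const parsed: unknown = JSON.parse(raw);
    const token = (parsed as { accessToken?: unknown } | null)?.accessToken;
    if (typeof token !== "string") throw new TypeError("accessToken is not a string");
    return { ok: true, value: token };
  } catch (cause) {
    return { ok: false, error: new CredentialDecodeError(secretName, cause) };
  }
}
```

The retained `cause` is for diagnostics; a parser's own exception text can quote part of its input, so it is worth checking what a cause contains before it reaches a log or a user-facing message.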

coderabbitai Bot commented Jun 20, 2026


Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


@github-actions github-actions Bot added the labels vouch:trusted (PR author is trusted by repo permissions or the VOUCHED list) and size:L (100-499 changed lines, additions + deletions) Jun 20, 2026

macroscopeapp Bot commented Jun 20, 2026

Contributor

Approvability

Verdict: Approved

This PR adds structured context fields (stage, secretName, tokenEndpoint, etc.) to CLI token error classes for better debugging, adds corresponding unit tests, and removes error handlers that are no longer needed due to narrower type signatures. No runtime behavior changes.
