[codex] fix: surface Codex app-server exit diagnostics

[StiensWout]

Summary

• Capture a bounded 4 KiB tail of codex app-server child stderr while continuing to drain stderr for process health.
• Redact secret-shaped stderr before it enters CodexAppServerProcessExitedError, provider status text, or persisted provider status snapshots.
• Wait for process exit plus a bounded stderr drain opportunity before snapshotting exit diagnostics, and fix exact-limit stderr tails so they are not marked truncated.
• Add regression coverage for redaction, exact-limit truncation, and multi-chunk shutdown stderr.

Root cause

T3 Code drained child process stderr to avoid blocking protocol responses, but the exit diagnostic path reused that raw stderr tail directly in the process-exited error message. It also snapshotted stderr before awaiting the process exit status, so late stderr chunks could be missed, and the tail helper treated an exact-limit first chunk as truncated even when no bytes were omitted.

Impact

Windows Codex startup failures can still show actionable recent stderr, but secret-shaped values are redacted before the message can flow through provider status or the provider status cache. Shutdown diagnostics now include stderr captured through the process exit path more reliably, and exact-limit stderr tails no longer show a misleading truncation marker.

Validation

• PATH="$HOME/.vite-plus/bin:$PATH" vp test packages/effect-codex-app-server/src/client.test.ts packages/effect-codex-app-server/src/_internal/stdio.test.ts
• PATH="$HOME/.vite-plus/bin:$PATH" vp check
• PATH="$HOME/.vite-plus/bin:$PATH" vp run typecheck

vp check reported the repository's existing 20 unrelated warnings and no errors.

Refs #2486

---

Note

Medium Risk
Changes process lifecycle and error messaging on Codex startup failures; redaction reduces secret leakage risk but pattern-based scrubbing could miss or over-redact edge cases.

Overview
Improves Codex app-server child process exit diagnostics by keeping a bounded 4 KiB stderr tail while stderr is still fully drained so large output cannot block the protocol.

makeStderrTailCapture rolls up stderr bytes, redacts secret-shaped content (API keys, Bearer/JWT, URL credentials, etc.), and exposes stderrTail / stderrTruncated on CodexAppServerProcessExitedError, appended to the error message when present. Exact-limit first chunks are no longer labeled truncated.

makeTerminationError now reads exit status first, optionally waits up to 50ms for the stderr drain fiber, then snapshots diagnostics. The child-process client wires capture + drain into termination handling instead of only draining stderr.

Regression tests cover unit behavior, initialize-before-response exits, and multi-chunk delayed stderr via mock peer env hooks.

^{Reviewed by Cursor Bugbot for commit add72dd. Bugbot is set up for automated code reviews on this repo. Configure here.}

Note

Surface stderr tail in Codex app-server child process exit errors

• Adds makeStderrTailCapture in stdio.ts to capture a bounded (4096-byte) tail of stderr, redacting secret-shaped key/value tokens before surfacing them.
• Extends makeTerminationError to accept stderr diagnostics, waiting up to 50ms for stderr to drain before composing the error.
• Extends CodexAppServerProcessExitedError with optional stderrTail and stderrTruncated fields; the error message appends a labeled 'recent stderr' section when content is present.
• Updates makeChildProcessClient to fork a scoped stderr drain fiber and pass its snapshot into makeTerminationError.
• Behavioral Change: process exit errors may now be delayed by up to ~50ms while waiting for stderr to drain.

^{Macroscope summarized add72dd.}

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 840bbba6-db51-4bdf-ba35-606b596eac9d

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cursor]

Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

Want reviews to match your repository better? Bugbot Learning can learn team-specific rules from PR activity. A team admin can enable Learning in the Cursor dashboard.

^{Reviewed by Cursor Bugbot for commit add72dd. Configure here.}

[macroscopeapp]

Approvability

Verdict: Needs human review

Unable to check for correctness in add72dd. This PR adds substantial new functionality: stderr capture with byte buffering, sensitive data redaction via multiple regex patterns, and new error schema fields. While well-tested and security-conscious, the complexity of the new diagnostic capability and changes to error handling paths warrant human review.

^{You can customize Macroscope's approvability policy. Learn more.}