refactor: harden runtime error contracts

Author: ndycode

index.ts

@@ -147,6 +147,12 @@ import {
 	shouldRefreshToken,
 	transformRequestForCodex,
 } from "./lib/request/fetch-helpers.js";
+import {
+	createDeactivatedWorkspaceError,
+	createUsageRequestTimeoutError,
+	DEACTIVATED_WORKSPACE_ERROR_CODE,
+	isDeactivatedWorkspaceErrorMessage,
+} from "./lib/runtime-contracts.js";
 import { applyFastSessionDefaults } from "./lib/request/request-transformer.js";
 import {
 	getRateLimitBackoff,
@@ -2088,7 +2094,7 @@ while (attempted.size < Math.max(1, accountCount)) {
 						...account,
 						flaggedAt: Date.now(),
 						flaggedReason: "workspace-deactivated",
-						lastError: "deactivated_workspace",
+						lastError: DEACTIVATED_WORKSPACE_ERROR_CODE,
 					};
 					await withFlaggedAccountStorageTransaction(async (current, persist) => {
 						const nextStorage: typeof current = {
@@ -2766,15 +2772,15 @@ while (attempted.size < Math.max(1, accountCount)) {
 													? (errorBody as { error?: { message?: string } }).error?.message
 													: bodyText) || `HTTP ${response.status}`;
 											if (isDeactivatedWorkspaceError(errorBody, response.status)) {
-												throw new Error("deactivated_workspace");
+												throw createDeactivatedWorkspaceError();
 											}
 											throw new Error(message);
 										}
 
 										lastError = new Error("Codex response did not include quota headers");
 									} catch (error) {
 										lastError = error instanceof Error ? error : new Error(String(error));
-										if (lastError.message === "deactivated_workspace") {
+										if (isDeactivatedWorkspaceErrorMessage(lastError.message)) {
 											throw lastError;
 										}
 									}
@@ -3000,7 +3006,7 @@ while (attempted.size < Math.max(1, accountCount)) {
 										} catch (error) {
 											errors += 1;
 											const message = error instanceof Error ? error.message : String(error);
-											if (message === "deactivated_workspace") {
+											if (isDeactivatedWorkspaceErrorMessage(message)) {
 												const flaggedRecord: FlaggedAccountMetadataV1 = {
 													...account,
 													flaggedAt: Date.now(),
@@ -4465,19 +4471,19 @@ while (attempted.size < Math.max(1, accountCount)) {
 									bodyText = (await response.text()).slice(0, usageErrorBodyMaxChars);
 								} catch (error) {
 									if (isAbortError(error) || controller.signal.aborted) {
-										throw new Error("Usage request timed out");
+										throw createUsageRequestTimeoutError();
 									}
 									throw error;
 								}
 								if (controller.signal.aborted) {
-									throw new Error("Usage request timed out");
+									throw createUsageRequestTimeoutError();
 								}
 								throw new Error(sanitizeUsageErrorMessage(response.status, bodyText));
 							}
 							return (await response.json()) as UsagePayload;
 						} catch (error) {
 							if (isAbortError(error)) {
-								throw new Error("Usage request timed out");
+								throw createUsageRequestTimeoutError();
 							}
 							throw error;
 						} finally {

lib/auth/auth.ts

@@ -2,13 +2,14 @@ import { generatePKCE } from "@openauthjs/openauth/pkce";
 import { randomBytes } from "node:crypto";
 import type { PKCEPair, AuthorizationFlow, TokenResult, ParsedAuthInput, JWTPayload } from "../types.js";
 import { logError } from "../logger.js";
+import { OAUTH_CALLBACK_PATH, OAUTH_CALLBACK_PORT } from "../runtime-contracts.js";
 import { safeParseOAuthTokenResponse } from "../schemas.js";
 
 // OAuth constants (from openai/codex)
 export const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
 export const AUTHORIZE_URL = "https://auth.openai.com/oauth/authorize";
 export const TOKEN_URL = "https://auth.openai.com/oauth/token";
-export const REDIRECT_URI = "http://localhost:1455/auth/callback";
+export const REDIRECT_URI = `http://localhost:${OAUTH_CALLBACK_PORT}${OAUTH_CALLBACK_PATH}`;
 export const SCOPE = "openid profile email offline_access";
 
 /**

lib/auth/server.ts

@@ -4,6 +4,12 @@ import path from "node:path";
 import { fileURLToPath } from "node:url";
 import type { OAuthServerInfo } from "../types.js";
 import { logError, logWarn } from "../logger.js";
+import {
+	OAUTH_CALLBACK_BIND_URL,
+	OAUTH_CALLBACK_LOOPBACK_HOST,
+	OAUTH_CALLBACK_PATH,
+	OAUTH_CALLBACK_PORT,
+} from "../runtime-contracts.js";
 
 // Resolve path to oauth-success.html (one level up from auth/ subfolder)
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
@@ -19,7 +25,7 @@ export function startLocalOAuthServer({ state }: { state: string }): Promise<OAu
 	const server = http.createServer((req, res) => {
 		try {
 			const url = new URL(req.url || "", "http://localhost");
-			if (url.pathname !== "/auth/callback") {
+			if (url.pathname !== OAUTH_CALLBACK_PATH) {
 				res.statusCode = 404;
 				res.end("Not found");
 				return;
@@ -53,9 +59,9 @@ export function startLocalOAuthServer({ state }: { state: string }): Promise<OAu
 
 	return new Promise((resolve) => {
 		server
-			.listen(1455, "127.0.0.1", () => {
+			.listen(OAUTH_CALLBACK_PORT, OAUTH_CALLBACK_LOOPBACK_HOST, () => {
 				resolve({
-					port: 1455,
+					port: OAUTH_CALLBACK_PORT,
 					ready: true,
 					close: () => {
 						pollAborted = true;
@@ -79,10 +85,10 @@ export function startLocalOAuthServer({ state }: { state: string }): Promise<OAu
 			})
 			.on("error", (err: NodeJS.ErrnoException) => {
 				logError(
-					`Failed to bind http://127.0.0.1:1455 (${err?.code}). Suggest device code or manual URL paste.`,
+					`Failed to bind ${OAUTH_CALLBACK_BIND_URL} (${err?.code}). Suggest device code or manual URL paste.`,
 				);
 				resolve({
-					port: 1455,
+					port: OAUTH_CALLBACK_PORT,
 					ready: false,
 				close: () => {
 					pollAborted = true;

lib/index.ts

@@ -2,6 +2,7 @@ export * from "./accounts.js";
 export * from "./storage.js";
 export * from "./config.js";
 export * from "./constants.js";
+export * from "./runtime-contracts.js";
 export * from "./types.js";
 export * from "./logger.js";
 export * from "./auth/auth.js";

lib/request/fetch-helpers.ts

@@ -11,6 +11,7 @@ import { transformRequestBody, normalizeModel } from "./request-transformer.js";
 import { convertSseToJson, ensureContentType } from "./response-handler.js";
 import type { UserConfig, RequestBody } from "../types.js";
 import { CodexAuthError } from "../errors.js";
+import { DEACTIVATED_WORKSPACE_ERROR_CODE } from "../runtime-contracts.js";
 import { isRecord } from "../utils.js";
 import {
         CODEX_BASE_URL,
@@ -279,8 +280,6 @@ export interface ErrorDiagnostics {
 	httpStatus?: number;
 }
 
-const DEACTIVATED_WORKSPACE_CODE = "deactivated_workspace";
-
 function getStructuredErrorCode(errorBody: unknown): string | undefined {
 	if (!isRecord(errorBody)) return undefined;
 
@@ -305,7 +304,7 @@ function getStructuredErrorCode(errorBody: unknown): string | undefined {
 export function isDeactivatedWorkspaceError(errorBody: unknown, status?: number): boolean {
 	if (status !== undefined && status !== 402) return false;
 	const code = getStructuredErrorCode(errorBody);
-	return code === DEACTIVATED_WORKSPACE_CODE;
+	return code === DEACTIVATED_WORKSPACE_ERROR_CODE;
 }
 
 /**
@@ -765,7 +764,7 @@ function normalizeErrorPayload(
 				message:
 					"The selected ChatGPT workspace is deactivated. This workspace entry should be removed from rotation or re-authorized before retrying.",
 				type: "workspace_deactivated",
-				code: DEACTIVATED_WORKSPACE_CODE,
+				code: DEACTIVATED_WORKSPACE_ERROR_CODE,
 			},
 		};
 		if (diagnostics && Object.keys(diagnostics).length > 0) {

lib/runtime-contracts.ts

@@ -0,0 +1,19 @@
+export const OAUTH_CALLBACK_LOOPBACK_HOST = "127.0.0.1";
+export const OAUTH_CALLBACK_PORT = 1455;
+export const OAUTH_CALLBACK_PATH = "/auth/callback";
+export const OAUTH_CALLBACK_BIND_URL = `http://${OAUTH_CALLBACK_LOOPBACK_HOST}:${OAUTH_CALLBACK_PORT}`;
+
+export const DEACTIVATED_WORKSPACE_ERROR_CODE = "deactivated_workspace";
+export const USAGE_REQUEST_TIMEOUT_MESSAGE = "Usage request timed out";
+
+export function createDeactivatedWorkspaceError(): Error {
+	return new Error(DEACTIVATED_WORKSPACE_ERROR_CODE);
+}
+
+export function isDeactivatedWorkspaceErrorMessage(message: string | undefined): boolean {
+	return message === DEACTIVATED_WORKSPACE_ERROR_CODE;
+}
+
+export function createUsageRequestTimeoutError(): Error {
+	return new Error(USAGE_REQUEST_TIMEOUT_MESSAGE);
+}

test/runtime-contracts.test.ts

@@ -0,0 +1,107 @@
+import { readFileSync } from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import { describe, expect, it } from "vitest";
+import { REDIRECT_URI } from "../lib/auth/auth.js";
+import { transformRequestBody } from "../lib/request/request-transformer.js";
+import {
+	createDeactivatedWorkspaceError,
+	createUsageRequestTimeoutError,
+	DEACTIVATED_WORKSPACE_ERROR_CODE,
+	isDeactivatedWorkspaceErrorMessage,
+	OAUTH_CALLBACK_BIND_URL,
+	OAUTH_CALLBACK_PATH,
+	OAUTH_CALLBACK_PORT,
+	USAGE_REQUEST_TIMEOUT_MESSAGE,
+} from "../lib/runtime-contracts.js";
+import type { RequestBody, UserConfig } from "../lib/types.js";
+
+const testDir = path.dirname(fileURLToPath(import.meta.url));
+
+function readRepoFile(relativePath: string): string {
+	return readFileSync(path.resolve(testDir, "..", relativePath), "utf8");
+}
+
+describe("runtime contracts", () => {
+	it("creates stable sentinel errors for workspace deactivation and usage timeouts", () => {
+		const deactivatedWorkspaceError = createDeactivatedWorkspaceError();
+		const usageTimeoutError = createUsageRequestTimeoutError();
+
+		expect(deactivatedWorkspaceError.message).toBe(DEACTIVATED_WORKSPACE_ERROR_CODE);
+		expect(isDeactivatedWorkspaceErrorMessage(deactivatedWorkspaceError.message)).toBe(true);
+		expect(isDeactivatedWorkspaceErrorMessage("workspace-deactivated")).toBe(false);
+
+		expect(usageTimeoutError.message).toBe(USAGE_REQUEST_TIMEOUT_MESSAGE);
+	});
+
+	it("keeps the OAuth callback runtime values aligned", () => {
+		expect(OAUTH_CALLBACK_PORT).toBe(1455);
+		expect(OAUTH_CALLBACK_PATH).toBe("/auth/callback");
+		expect(OAUTH_CALLBACK_BIND_URL).toBe(`http://127.0.0.1:${OAUTH_CALLBACK_PORT}`);
+		expect(REDIRECT_URI).toBe(`http://localhost:${OAUTH_CALLBACK_PORT}${OAUTH_CALLBACK_PATH}`);
+	});
+
+	it("keeps the documented stateless request contract aligned with the runtime transform", async () => {
+		const requestBody: RequestBody = {
+			model: "gpt-5",
+			input: [
+				{
+					type: "message",
+					role: "user",
+					content: [{ type: "input_text", text: "quota ping" }],
+				},
+			],
+		};
+		const userConfig: UserConfig = { global: {}, models: {} };
+
+		const transformedBody = await transformRequestBody(requestBody, "test instructions", userConfig);
+
+		expect(transformedBody.store).toBe(false);
+		expect(transformedBody.include).toContain("reasoning.encrypted_content");
+
+		const docsExpectations: Array<[string, string[]]> = [
+			[
+				"docs/getting-started.md",
+				[
+					`http://127.0.0.1:${OAUTH_CALLBACK_PORT}${OAUTH_CALLBACK_PATH}`,
+					"`store: false`",
+					"`reasoning.encrypted_content`",
+				],
+			],
+			[
+				"docs/configuration.md",
+				[
+					"`reasoning.encrypted_content`",
+					"store\": false",
+				],
+			],
+			[
+				"docs/development/ARCHITECTURE.md",
+				[
+					"`store: false`",
+					"`reasoning.encrypted_content`",
+				],
+			],
+			[
+				"docs/troubleshooting.md",
+				[
+					"1455",
+					"`reasoning.encrypted_content`",
+				],
+			],
+			[
+				"docs/faq.md",
+				[
+					"`1455`",
+				],
+			],
+		];
+
+		for (const [relativePath, fragments] of docsExpectations) {
+			const fileContents = readRepoFile(relativePath);
+			for (const fragment of fragments) {
+				expect(fileContents).toContain(fragment);
+			}
+		}
+	});
+});