Harden secret store and resolve catalog overrides (#1891)

Co-authored-by: codex <codex@users.noreply.github.com>

Author: juliusmarminge

apps/server/scripts/cli.ts

@@ -14,6 +14,22 @@ import { resolveCatalogDependencies } from "../../../scripts/lib/resolve-catalog
 import rootPackageJson from "../../../package.json" with { type: "json" };
 import serverPackageJson from "../package.json" with { type: "json" };
 
+interface PackageJson {
+  name: string;
+  repository: {
+    type: string;
+    url: string;
+    directory: string;
+  };
+  bin: Record<string, string>;
+  type: string;
+  version: string;
+  engines: Record<string, string>;
+  files: string[];
+  dependencies: Record<string, string>;
+  overrides: Record<string, string>;
+}
+
 class CliError extends Data.TaggedError("CliError")<{
   readonly message: string;
   readonly cause?: unknown;
@@ -192,22 +208,28 @@ const publishCmd = Command.make(
           // Resolve catalog dependencies before any file mutations. If this throws,
           // acquire fails and no release hook runs, so filesystem must still be untouched.
           const version = Option.getOrElse(config.appVersion, () => serverPackageJson.version);
-          const pkg = {
+          const pkg: PackageJson = {
             name: serverPackageJson.name,
             repository: serverPackageJson.repository,
             bin: serverPackageJson.bin,
             type: serverPackageJson.type,
             version,
             engines: serverPackageJson.engines,
             files: serverPackageJson.files,
-            dependencies: serverPackageJson.dependencies as Record<string, unknown>,
+            dependencies: serverPackageJson.dependencies,
+            overrides: rootPackageJson.overrides,
           };
 
           pkg.dependencies = resolveCatalogDependencies(
             pkg.dependencies,
             rootPackageJson.workspaces.catalog,
             "apps/server dependencies",
           );
+          pkg.overrides = resolveCatalogDependencies(
+            pkg.overrides,
+            rootPackageJson.workspaces.catalog,
+            "root overrides",
+          );
 
           const original = yield* fs.readFileString(packageJsonPath);
           yield* fs.writeFileString(backupPath, original);

apps/server/src/auth/Layers/ServerSecretStore.ts

@@ -1,6 +1,6 @@
 import * as Crypto from "node:crypto";
 
-import { Effect, FileSystem, Layer, Path } from "effect";
+import { Effect, FileSystem, Layer, Path, Predicate } from "effect";
 import * as PlatformError from "effect/PlatformError";
 
 import { ServerConfig } from "../../config.ts";
@@ -28,17 +28,14 @@ export const makeServerSecretStore = Effect.gen(function* () {
 
   const resolveSecretPath = (name: string) => path.join(serverConfig.secretsDir, `${name}.bin`);
 
-  const isMissingSecretFileError = (cause: unknown): cause is PlatformError.PlatformError =>
-    cause instanceof PlatformError.PlatformError && cause.reason._tag === "NotFound";
-
-  const isAlreadyExistsSecretFileError = (cause: unknown): cause is PlatformError.PlatformError =>
-    cause instanceof PlatformError.PlatformError && cause.reason._tag === "AlreadyExists";
+  const isPlatformError = (u: unknown): u is PlatformError.PlatformError =>
+    Predicate.isTagged(u, "PlatformError");
 
   const get: ServerSecretStoreShape["get"] = (name) =>
     fileSystem.readFile(resolveSecretPath(name)).pipe(
       Effect.map((bytes) => Uint8Array.from(bytes)),
       Effect.catch((cause) =>
-        isMissingSecretFileError(cause)
+        cause.reason._tag === "NotFound"
           ? Effect.succeed(null)
           : Effect.fail(
               new SecretStoreError({
@@ -108,7 +105,7 @@ export const makeServerSecretStore = Effect.gen(function* () {
         return create(name, generated).pipe(
           Effect.as(Uint8Array.from(generated)),
           Effect.catchTag("SecretStoreError", (error) =>
-            isAlreadyExistsSecretFileError(error.cause)
+            isPlatformError(error.cause) && error.cause.reason._tag === "AlreadyExists"
               ? get(name).pipe(
                   Effect.flatMap((created) =>
                     created !== null
@@ -129,7 +126,7 @@ export const makeServerSecretStore = Effect.gen(function* () {
   const remove: ServerSecretStoreShape["remove"] = (name) =>
     fileSystem.remove(resolveSecretPath(name)).pipe(
       Effect.catch((cause) =>
-        isMissingSecretFileError(cause)
+        cause.reason._tag === "NotFound"
           ? Effect.void
           : Effect.fail(
               new SecretStoreError({

apps/server/src/git/Layers/GitCore.ts

@@ -2001,7 +2001,7 @@ export const makeGitCore = Effect.fn("makeGitCore")(function* (options?: {
             "GitCore.removeWorktree",
             input.cwd,
             args,
-            `${commandLabel(args)} failed (cwd: ${input.cwd}): ${error instanceof Error ? error.message : String(error)}`,
+            `${commandLabel(args)} failed (cwd: ${input.cwd}): ${error.message}`,
             error,
           ),
         ),

apps/server/src/git/Layers/GitHubCli.ts

@@ -1,4 +1,4 @@
-import { Effect, Layer, Schema } from "effect";
+import { Effect, Layer, Schema, SchemaIssue } from "effect";
 import { PositiveInt, TrimmedNonEmptyString } from "@t3tools/contracts";
 
 import { runProcess } from "../../processRunner";
@@ -154,7 +154,7 @@ function decodeGitHubJson<S extends Schema.Top>(
       (error) =>
         new GitHubCliError({
           operation,
-          detail: error instanceof Error ? `${invalidDetail}: ${error.message}` : invalidDetail,
+          detail: `${invalidDetail}: ${SchemaIssue.makeFormatterDefault()(error.issue)}`,
           cause: error,
         }),
     ),

apps/server/src/provider/Layers/CodexAdapter.test.ts

@@ -238,14 +238,7 @@ sessionErrorLayer("CodexAdapterLive session errors", (it) => {
         .pipe(Effect.result);
 
       assert.equal(result._tag, "Failure");
-      if (result._tag !== "Failure") {
-        return;
-      }
-
       assert.equal(result.failure._tag, "ProviderAdapterSessionNotFoundError");
-      if (result.failure._tag !== "ProviderAdapterSessionNotFoundError") {
-        return;
-      }
       assert.equal(result.failure.provider, "codex");
       assert.equal(result.failure.threadId, "sess-missing");
       assert.equal(result.failure.cause instanceof Error, true);

apps/server/src/provider/Layers/CodexAdapter.ts

@@ -51,18 +51,11 @@ export interface CodexAdapterLiveOptions {
   readonly nativeEventLogger?: EventNdjsonLogger;
 }
 
-function toMessage(cause: unknown, fallback: string): string {
-  if (cause instanceof Error && cause.message.length > 0) {
-    return cause.message;
-  }
-  return fallback;
-}
-
 function toSessionError(
   threadId: ThreadId,
   cause: unknown,
 ): ProviderAdapterSessionNotFoundError | ProviderAdapterSessionClosedError | undefined {
-  const normalized = toMessage(cause, "").toLowerCase();
+  const normalized = cause instanceof Error ? cause.message.toLowerCase() : "";
   if (normalized.includes("unknown session") || normalized.includes("unknown provider session")) {
     return new ProviderAdapterSessionNotFoundError({
       provider: PROVIDER,
@@ -88,7 +81,7 @@ function toRequestError(threadId: ThreadId, method: string, cause: unknown): Pro
   return new ProviderAdapterRequestError({
     provider: PROVIDER,
     method,
-    detail: toMessage(cause, `${method} failed`),
+    detail: cause instanceof Error ? `${method} failed: ${cause.message}` : `${method} failed`,
     cause,
   });
 }
@@ -1427,7 +1420,7 @@ const makeCodexAdapter = Effect.fn("makeCodexAdapter")(function* (
           new ProviderAdapterProcessError({
             provider: PROVIDER,
             threadId: input.threadId,
-            detail: toMessage(cause, "Failed to start Codex adapter session."),
+            detail: `Failed to start Codex adapter session: ${cause instanceof Error ? cause.message : String(cause)}.`,
             cause,
           }),
       });
@@ -1455,7 +1448,7 @@ const makeCodexAdapter = Effect.fn("makeCodexAdapter")(function* (
           new ProviderAdapterRequestError({
             provider: PROVIDER,
             method: "turn/start",
-            detail: toMessage(cause, "Failed to read attachment file."),
+            detail: `Failed to read attachment file: ${cause.message}.`,
             cause,
           }),
       ),

apps/server/src/provider/Layers/CodexProvider.ts

@@ -389,7 +389,7 @@ export const checkCodexProviderStatus = Effect.fn("checkCodexProviderStatus")(fu
         auth: { status: "unknown" },
         message: isCommandMissingCause(error)
           ? "Codex CLI (`codex`) is not installed or not on PATH."
-          : `Failed to execute Codex CLI health check: ${error instanceof Error ? error.message : String(error)}.`,
+          : `Failed to execute Codex CLI health check: ${error.message}.`,
       },
     });
   }
@@ -489,10 +489,7 @@ export const checkCodexProviderStatus = Effect.fn("checkCodexProviderStatus")(fu
         version: parsedVersion,
         status: "warning",
         auth: { status: "unknown" },
-        message:
-          error instanceof Error
-            ? `Could not verify Codex authentication status: ${error.message}.`
-            : "Could not verify Codex authentication status.",
+        message: `Could not verify Codex authentication status: ${error.message}.`,
       },
     });
   }

apps/server/src/provider/providerSnapshot.ts

@@ -32,8 +32,7 @@ export function nonEmptyTrimmed(value: string | undefined): string | undefined {
   return trimmed.length > 0 ? trimmed : undefined;
 }
 
-export function isCommandMissingCause(error: unknown): boolean {
-  if (!(error instanceof Error)) return false;
+export function isCommandMissingCause(error: Error): boolean {
   const lower = error.message.toLowerCase();
   return lower.includes("enoent") || lower.includes("notfound");
 }

apps/server/src/terminal/Layers/Manager.ts

@@ -8,7 +8,6 @@ import {
 } from "@t3tools/contracts";
 import { makeKeyedCoalescingWorker } from "@t3tools/shared/KeyedCoalescingWorker";
 import {
-  Data,
   Effect,
   Encoding,
   Equal,
@@ -17,6 +16,7 @@ import {
   FileSystem,
   Layer,
   Option,
+  Schema,
   Scope,
   Semaphore,
   SynchronizedRef,
@@ -54,22 +54,28 @@ const DEFAULT_OPEN_COLS = 120;
 const DEFAULT_OPEN_ROWS = 30;
 const TERMINAL_ENV_BLOCKLIST = new Set(["PORT", "ELECTRON_RENDERER_PORT", "ELECTRON_RUN_AS_NODE"]);
 
-type TerminalSubprocessChecker = (
-  terminalPid: number,
-) => Effect.Effect<boolean, TerminalSubprocessCheckError>;
-
-class TerminalSubprocessCheckError extends Data.TaggedError("TerminalSubprocessCheckError")<{
-  readonly message: string;
-  readonly cause?: unknown;
-  readonly terminalPid: number;
-  readonly command: "powershell" | "pgrep" | "ps";
-}> {}
+class TerminalSubprocessCheckError extends Schema.TaggedErrorClass<TerminalSubprocessCheckError>()(
+  "TerminalSubprocessCheckError",
+  {
+    message: Schema.String,
+    cause: Schema.optional(Schema.Defect),
+    terminalPid: Schema.Number,
+    command: Schema.Literals(["powershell", "pgrep", "ps"]),
+  },
+) {}
+
+class TerminalProcessSignalError extends Schema.TaggedErrorClass<TerminalProcessSignalError>()(
+  "TerminalProcessSignalError",
+  {
+    message: Schema.String,
+    cause: Schema.optional(Schema.Defect),
+    signal: Schema.Literals(["SIGTERM", "SIGKILL"]),
+  },
+) {}
 
-class TerminalProcessSignalError extends Data.TaggedError("TerminalProcessSignalError")<{
-  readonly message: string;
-  readonly cause?: unknown;
-  readonly signal: "SIGTERM" | "SIGKILL";
-}> {}
+interface TerminalSubprocessChecker {
+  (terminalPid: number): Effect.Effect<boolean, TerminalSubprocessCheckError>;
+}
 
 interface ShellCandidate {
   shell: string;
@@ -271,9 +277,8 @@ function isRetryableShellSpawnError(error: PtySpawnError): boolean {
 
     if (current instanceof Error) {
       messages.push(current.message);
-      const cause = (current as { cause?: unknown }).cause;
-      if (cause) {
-        queue.push(cause);
+      if (current.cause) {
+        queue.push(current.cause);
       }
       continue;
     }
@@ -876,7 +881,7 @@ export const makeTerminalManagerWithOptions = Effect.fn("makeTerminalManagerWith
             Effect.logWarning("failed to persist terminal history", {
               threadId,
               terminalId,
-              error: error instanceof Error ? error.message : String(error),
+              error,
             }),
           ),
         );
@@ -959,7 +964,7 @@ export const makeTerminalManagerWithOptions = Effect.fn("makeTerminalManagerWith
         Effect.catch((cleanupError) =>
           Effect.logWarning("failed to remove legacy terminal history", {
             threadId,
-            error: cleanupError instanceof Error ? cleanupError.message : String(cleanupError),
+            error: cleanupError,
           }),
         ),
       );
@@ -975,7 +980,7 @@ export const makeTerminalManagerWithOptions = Effect.fn("makeTerminalManagerWith
           Effect.logWarning("failed to delete terminal history", {
             threadId,
             terminalId,
-            error: error instanceof Error ? error.message : String(error),
+            error,
           }),
         ),
       );
@@ -985,7 +990,7 @@ export const makeTerminalManagerWithOptions = Effect.fn("makeTerminalManagerWith
             Effect.logWarning("failed to delete terminal history", {
               threadId,
               terminalId,
-              error: error instanceof Error ? error.message : String(error),
+              error,
             }),
           ),
         );
@@ -1011,7 +1016,7 @@ export const makeTerminalManagerWithOptions = Effect.fn("makeTerminalManagerWith
             Effect.catch((error) =>
               Effect.logWarning("failed to delete terminal histories for thread", {
                 threadId,
-                error: error instanceof Error ? error.message : String(error),
+                error,
               }),
             ),
           ),
@@ -1463,12 +1468,12 @@ export const makeTerminalManagerWithOptions = Effect.fn("makeTerminalManagerWith
         const terminalPid = session.pid;
         const hasRunningSubprocess = yield* subprocessChecker(terminalPid).pipe(
           Effect.map(Option.some),
-          Effect.catch((error) =>
+          Effect.catch((reason) =>
             Effect.logWarning("failed to check terminal subprocess activity", {
               threadId: session.threadId,
               terminalId: session.terminalId,
               terminalPid,
-              error: error instanceof Error ? error.message : String(error),
+              reason,
             }).pipe(Effect.as(Option.none<boolean>())),
           ),
         );

apps/server/src/workspace/Layers/WorkspaceEntries.ts

@@ -214,9 +214,6 @@ function directoryAncestorsOf(relativePath: string): string[] {
   return directories;
 }
 
-const processErrorDetail = (cause: unknown): string =>
-  cause instanceof Error ? cause.message : String(cause);
-
 export const makeWorkspaceEntries = Effect.gen(function* () {
   const path = yield* Path.Path;
   const gitOption = yield* Effect.serviceOption(GitCore);
@@ -319,7 +316,7 @@ export const makeWorkspaceEntries = Effect.gen(function* () {
         new WorkspaceEntriesError({
           cwd,
           operation: "workspaceEntries.readDirectoryEntries",
-          detail: processErrorDetail(cause),
+          detail: cause instanceof Error ? cause.message : String(cause),
           cause,
         }),
     }).pipe(