[Task] Design run-level LLM stream diagnostics for recurring terminated failures

[Astro-Han]

Goal

Design and implement a first-class LLM run diagnostics architecture so recurring terminated failures can be debugged, classified, and eventually recovered without one-off string patches.

What should be true when this is done:

• Session exports answer where an LLM request failed: before connection, early stream, mid-generation, tool side-effect, local abort, watchdog, or provider error.
• The exported diagnostics distinguish user/PawWork aborts from upstream/provider/socket disconnects.
• The diagnostics include enough safe correlation data to compare PawWork behavior against Codex App and upstream OpenCode.
• Recovery policy can be derived from facts: safe auto-retry, user-confirmed retry, or no retry.
• Raw terminated / UND_ERR_SOCKET should no longer be treated as an opaque user-facing failure.

Scope

In scope:

• Revisit the diagnostics from [Task] Add LLM stream failure diagnostics v2 to session exports #760 / PR feat(session): add llm stream failure diagnostics #771 after repeated real-world terminated samples.
• Design a run-level diagnostics recorder for LLM requests, not just additional ad hoc fields on llm_trace.stream.error.
• Define a failure classifier and retry-safety classifier based on stream facts, tool side effects, abort provenance, watchdog state, and transport errors.
• Extend session exports with a human-readable summary plus a bounded engineering timeline.
• Add deterministic local harness coverage for early disconnect, mid-stream disconnect, local abort, watchdog timeout, and post-tool-call disconnect cases.
• Keep exported fields safe: no prompts, secrets, raw auth headers, or unbounded response bodies.

Out of scope for the first design pass:

• Changing provider credentials or OpenAI account routing.
• Blindly adding substring-specific UI translations for terminated.
• Auto-retrying all stream failures before retry-safety is explicit.
• Uploading session exports automatically.
• Replacing the whole LLM runtime in the same PR unless the design proves it is necessary.

Relevant files or context

Recent evidence:

• docs/debug-session-log/pawwork-session-hidden-mountain-2026-05-20-04-10-54-terminated.json
• docs/debug-session-log/pawwork-session-quiet-wizard-2026-05-20-08-25-08-terminated.json

Both show the same failure signature after PR #771 diagnostics:

• stream.error.constructor_name: TypeError
• stream.error.cause_name: SocketError
• stream.error.cause_code: UND_ERR_SOCKET
• stream.error.cause_message: other side closed
• stack_hint: Fetch.onAborted ... undici
• watchdog.fired: false
• abort.signal_aborted_at_error: false
• watchdog.provider_progressed: true
• no finish, no tool call, no tool result, no text output in the most recent sample

Related work:

• [Bug] Raw terminated from upstream stream close leaks to assistant message without translation #754 captured the earlier raw terminated leak but was intentionally conservative while waiting for more samples.
• [Task] Add LLM stream failure diagnostics v2 to session exports #760 / PR feat(session): add llm stream failure diagnostics #771 added nested LLM stream diagnostics, watchdog state, error fingerprints, and abort provenance.
• [Bug] First-turn tool execution aborted without recorded source — model stops, user must resend #721 and [Bug] 30s LLM connect timeout aborts OpenAI reasoning streams (post-#729 residual) #755 remain related session/harness reliability issues, but this task should not close them by itself.

Likely code areas:

• packages/opencode/src/session/llm.ts
• packages/opencode/src/session/llm-trace/*
• packages/opencode/src/session/export.ts
• packages/opencode/src/session/retry.ts
• packages/opencode/src/session/processor.ts
• packages/opencode/test/session/llm*.test.ts

Upstream context:

• Upstream OpenCode appears to rely mostly on logs / optional OpenTelemetry / AI SDK onError for this path.
• Upstream has an experimental native LLM runtime path, which may eventually help compare AI SDK transport behavior against a more controlled runtime.

Verification

A design is acceptable when it specifies:

• The diagnostic events and their bounded schema.
• The failure taxonomy and retry-safety taxonomy.
• How request/runtime/transport facts are captured without leaking secrets.
• How session export summary and timeline are structured.
• How deterministic tests simulate stream disconnects.
• Which part is minimum viable diagnostics, which part is architectural foundation, and which part is deferred.

Implementation verification should eventually include targeted tests for:

• Early provider progress followed by UND_ERR_SOCKET before text/tool output.
• Mid-generation disconnect after visible text.
• Disconnect after tool call / side effect started.
• Local abort with provenance.
• Watchdog connect timeout and silent stream timeout.
• Export sanitizer redaction of safe transport metadata.

Execution mode

Investigate and propose a plan first — the agent must post the plan as an issue comment and wait for explicit approval before writing code or opening a PR.

[Astro-Han]

Design draft has been written locally for GPT Pro review:

• docs/superpowers/specs/2026-05-20-llm-run-diagnostics-design.md

The draft recommends a narrow first slice of a first-class LLMRunDiagnostics architecture: record bounded run lifecycle events, classify failure kind and retry safety from facts, export a human summary plus engineering timeline, and defer auto-retry until the classification is reviewed and tested.

Waiting for GPT Pro / human review before implementation.

[Astro-Han]

Additional real-world sample for the diagnostics design:

• docs/debug-session-log/pawwork-session-misty-planet-2026-05-20-08-47-01-session-suspended.json

This is related to #783 as a diagnostics-completeness problem, but it is not the same failure boundary as the current terminated / UND_ERR_SOCKET samples.

What the new sample shows:

• The user-visible "已中断" state is backed by an assistant message with error.name = MessageAbortedError.
• The LLM stream did start and provider progress was observed:
  • watchdog.provider_progressed = true
  • watchdog.fired = false
  • stream abort provenance recorded under llm_trace.stream.abort as session.processor.onInterrupt / aborted
• The assistant had already emitted text and a tool call, then the read tool was marked interrupted:
  • tool: read
  • target: /Users/sting069/.pawwork/memory/MEMORY.md
  • state.status = error
  • state.error = Tool execution aborted
  • state.metadata.interrupted = true
• The higher-level abort diagnostic now says:
  • source = session.run_state.scope
  • reason = scope_closed_without_cancel_meta
  • propagation_point = session.prompt.loop.onInterrupt

So the current diagnostics successfully distinguish this from an upstream/socket disconnect: this looks like a local instance/session run-state scope being closed while a turn was in flight.

The remaining instrumentation gap is one level deeper: we still do not know who closed the run-state scope. For this class of incident, scope_closed_without_cancel_meta is helpful but not actionable enough. The next diagnostic slice should capture a bounded, safe lifecycle provenance for local scope closures, such as:

• Instance.dispose
• Instance.reload
• Config.update
• Config.invalidate
• instance-store / child-store eviction or reload paths
• API route or renderer action that initiated the lifecycle change, when available
• a sanitized caller/cause summary, not raw user prompts or secrets

Suggested acceptance addition for #783 Phase 1: local abort classification should not stop at local_abort; exported diagnostics should also classify local abort sub-boundaries, e.g. user_cancel, instance_dispose, instance_reload, config_invalidate, scope_finalizer, and unknown_scope_close, with evidence/timeline sufficient to identify the triggering lifecycle path.

This would make the current suspended sample debuggable in the same run-level diagnostics architecture without conflating it with the terminated / UND_ERR_SOCKET transport failures.