feat(session): add lifecycle causality diagnostics

[Astro-Han]

Summary

Adds lifecycle causality diagnostics for interrupted runs: immutable lifecycle close snapshots, request context provenance on real instance/global lifecycle routes, renderer client-action wiring for lifecycle-triggering UI calls, config-origin attribution, structured request/client-action provenance in run incidents and incident chains, explicit load→reload context-mismatch reasons, lifecycle initiation-time ordering, and sanitized export incident chains.

Why

#802 asks for the local lifecycle causality slice of #808 so exported diagnostics can explain which local reload/dispose action interrupted a run and what provenance is complete or missing.

Related Issue

Closes #802. Part of #808.

Human Review Status

Pending

Review Focus

Please focus on whether lifecycle close provenance stays diagnostic/export-only, does not change recovery behavior, preserves lifecycle-vs-provider terminal cause ordering while retaining lifecycle provenance, carries safe request/client-action initiator fields from real renderer call paths into exports, records explicit load→reload context mismatch/config origins, and avoids leaking raw local paths or secret-like strings.

Risk Notes

Skipped conditional checks:

• Manual visible UI/copy check: no visible UI or copy changed.
• Docs/release/dependencies/permissions/generated content/local file changes: none of those surfaces were touched.

Platform impact was considered: the change hashes local paths before export and only adds diagnostic headers/snapshots, without changing runtime lifecycle behavior.

How To Verify

Baseline targeted tests: 86 passed before implementation from packages/opencode.
Opencode targeted tests after latest review fixes: 107 passed across instance-store, run-state, middleware, run-observability, and export.
App targeted tests after latest review fixes: 12 passed across server header helper and renderer client-action wiring source tests.
CodeRabbit follow-up verification: run-observability focused test passed 42 tests; server utils focused test passed 5 tests.
Typecheck: bun run typecheck completed successfully for 8 tasks.
Diff check: git diff --check completed with no whitespace errors.
Review fixes: real main-route/global request context coverage, lifecycle initiation-time terminal ordering, lifecycle provenance retention when provider failure records first, structured request/client-action initiator provenance, generated/precomputed-chain request sanitization, explicit load→reload context mismatch reasons, real renderer client-action wiring for global config update/provider connect/disconnect/workspace reset disposal calls, config update/invalidate/updateGlobal origin attribution, preserved lifecycle source provenance, broadened client-action header path leak assertions, Gemini path parsing, and CodeRabbit sanitization/immutability findings were fixed.

Screenshots or Recordings

Not applicable — no visible UI or copy changes.

Checklist

How to use this checklist:

• Tick a box by replacing [ ] with [x]. Do not edit, add, or remove items.
• The bot-applied label items can only be honestly ticked AFTER the PR is opened and the labeler / priority-triage bots have run — return to the PR description and tick them then.
• Most items are required. The few that are conditional are explicitly marked (conditional); for those, leave unticked if they truly do not apply and explain why in Risk Notes. All other items must be ticked before requesting human review.

• Type label — this PR carries exactly one of bug, enhancement, task, documentation. Type labels are author-added; the labeler bot does NOT assign them. Add the label in the GitHub UI, then tick this.
• Routing labels — this PR carries at least one of app, ui, platform, harness, ci. The labeler bot assigns these on PR open based on changed paths. Confirm the bot's choice (or override if wrong), then tick this.
• Priority label — this PR carries exactly one of P0, P1, P2, P3. The priority-triage bot suggests one on PR open. Confirm or override, then tick this.
• Human Review Status above is set to Pending, Approved by @<reviewer>, or Not required: <reason> (default is Pending; "not required" is restricted to bot-authored low-risk PRs).
• I linked the related issue, or stated in Summary why there is no issue.
• I described the review focus and any meaningful risks.
• I replaced the example block in How To Verify with the real verification steps and the key result for each.
• I did not introduce unrelated refactors, dependencies, generated files, or file changes beyond the stated scope.
• (conditional) I manually checked visible UI or copy changes when needed, with screenshots or recordings. Leave unticked only if no visible UI or copy changed.
• (conditional) I considered macOS and Windows impact for platform, packaging, updater, signing, paths, shell, or permissions changes. Leave unticked only if no platform/packaging surface was touched.
• (conditional) I called out docs, release notes, dependencies, permissions, credentials, deletion behavior, generated content, or local file changes when relevant. Leave unticked only if none of those surfaces was touched.
• I reviewed the final diff for unrelated changes and suspicious dependency changes.
• I am targeting dev, and my PR title and commit messages use Conventional Commits in English.

Summary by CodeRabbit

• New Features

  • Enhanced incident diagnostics with incident chain tracking and lifecycle context.
  • Improved tracking of user-initiated operations (provider management, config updates, workspace actions).

• Bug Fixes

  • Better sanitization of sensitive data in incident reports to prevent information leakage.

• Tests

  • Extended test coverage for lifecycle provenance, request context, and incident export functionality.

[github-actions]

Suggested priority: P2 (includes user-path files (packages/app/src/utils/server.test.ts, packages/app/src/utils/server.ts)).

P1/P0 are reserved for maintainer confirmation. Please relabel manually if this is a release blocker, security issue, data-loss risk, or updater/runtime failure.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds client-action header helpers and server request-context snapshots, enriches lifecycle close actions with timestamps/affected-directory keys/origin/request, threads provenance through instance-store disposal/reload and middleware, captures provenance in run-observability summaries, extends run-incident export/sanitization with incident-chains, and updates UI flows to use action-scoped SDK clients.

Changes

Lifecycle Causality Diagnostics for Interrupted Runs

Layer / File(s)	Summary
Client action headers & app wiring packages/app/src/utils/server.ts, packages/app/src/utils/server.test.ts, packages/app/src/context/*, packages/app/src/components/*, packages/app/src/pages/layout.tsx	Adds clientActionHeaders and updates UI flows (provider connect/disconnect, global config update, workspace reset) to create per-action SDK clients with action headers; adds tests asserting header shapes and usage sites.
Server request-context & header sanitization packages/opencode/src/server/request-context.ts, packages/opencode/src/server/routes/instance/middleware.ts, packages/opencode/src/server/instance/middleware.ts, packages/opencode/src/server/instance/global.ts	Implements requestContextFromHono, AsyncLocalStorage-backed RequestContextSnapshot, currentRequestContext() and withRequestContext(), and safe header token sanitizers; middleware wraps instance provisioning/global routes with request-scoped snapshots.
Lifecycle provenance schema & directory keys packages/opencode/src/session/lifecycle-provenance.ts	Expands LifecycleCloseAction with initiation timestamps, affectedDirectoryKeys, origin, and request; adds directoryKey() deterministic hashing, createLifecycleCloseAction(..., options?), lifecycleCloseActionMeta(), and async-context origin helpers.
InstanceStore lifecycle provenance packages/opencode/src/project/instance-store.ts	Computes lifecycleContext(operation, reason) from currentRequestContext(), derives ContextMismatchReason, and emits createLifecycleCloseAction with affectedDirectories and enriched provenance for reload/dispose/disposeDirectory/disposeAll paths.
Run-observability types & recorder packages/opencode/src/session/run-observability/types.ts, packages/opencode/src/session/run-observability/recorder.ts	Extends Summary.lifecycle and Recorder.recordScopeClosed with provenance fields; recorder captures lifecycle initiation/provenance (including cloning request) and prefers earlier lifecycle initiation when summarizing scope-closed failures.
Runner & session interrupt metadata packages/opencode/src/effect/runner.ts, packages/opencode/src/session/run-state.ts, packages/opencode/src/session/processor.ts	Extends InterruptMeta with lifecycle provenance fields; uses lifecycleCloseActionMeta() when building interrupt metadata and when cancelling runners; reformatting only for style in runner functions.
Run incident types, sanitization & export chains packages/opencode/src/session/run-incident/*.ts, packages/opencode/src/session/export.ts	Adds lifecycle fields to incident provenance types, sanitizeLifecycleRequest and provenance sanitizers, ExportIncidentChain type and RunIncident.toExportChain() conversion; Export.deriveSnapshotDiagnostics and sanitizeDiagnostics now produce sanitized incident_chains.
Comprehensive lifecycle provenance tests packages/opencode/test/*, packages/app/test/*	Adds tests validating lifecycle-close action immutability and safe directory-key derivation, middleware request-context redaction, instance-store reload/dispose reason recording (worktree_mismatch, project_row_missing), recorder/export incident-chains sanitization, and provenance propagation/cloning across components.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related issues

• [Feature] Define Run Incident Framework for interrupted runs #808: The changes implement structured lifecycle provenance and request/client-action context pieces aligned with that issue.

Possibly related PRs

• Astro-Han/pawwork#812: Related incident-chain/export enhancements used by this PR.
• Astro-Han/pawwork#308: Overlaps in runner/interrupt handling and InterruptMeta extensions.
• Astro-Han/pawwork#563: Related interrupt/abort provenance plumbing extended here.

Poem

🐰 I stitched request headers into thread,

so lifecycle closings show what led.
Keys are hashed, requests scrubbed clean,
incidents trace the hidden scene.
Hopping off—proof, not guess, ahead.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat(session): add lifecycle causality diagnostics' clearly and concisely summarizes the main change—adding lifecycle causality diagnostics to the session module. It follows Conventional Commits format and directly reflects the primary objective of the changeset.
Linked Issues check	✅ Passed	The changes comprehensively implement the objectives from #802: lifecycle close provenance tracking is added with request context, client-action wiring, and structured provenance in incidents; lifecycle initiation-time ordering is implemented; sanitized export chains are added; path redaction prevents leakage; and all major code paths (reload, dispose, disposeDirectory, disposeAll, config changes) are instrumented with origin attribution.
Out of Scope Changes check	✅ Passed	All changes are scoped to diagnostic/export-only functionality as intended: new lifecycle provenance structs, request context wrappers, incident chain exports, and path hashing for privacy. No behavior/recovery changes, telemetry sinks, UI redesign, or out-of-scope refactoring are present.
Description check	✅ Passed	The pull request description comprehensively covers all required template sections including summary, motivation, related issue, human review status, review focus, risk notes, verification steps, and completed checklist items.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch pawwork/issue-802-lifecycle-causality

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request introduces a request context tracking system using AsyncLocalStorage to capture and propagate client action metadata throughout the session lifecycle. It enhances lifecycle provenance by adding timestamps, hashed directory keys for privacy, and origin information to interrupts and incidents. Additionally, it adds support for exporting incident chains in session diagnostics. Feedback was provided regarding the use of Hono's built-in request path property to improve reliability and efficiency when capturing the request path.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/opencode/src/session/export.ts`:
- Around line 1067-1071: The code currently returns diagnostics.incident_chains
as-is which lets fields like plain_summary/nearest_origin bypass sanitization;
always sanitize and export each incident in any chain regardless of whether
incident_chains already exists: when building incident_chains use a map over
(diagnostics.incident_chains ?? ...) and for each incident in each chain call
RunIncident.sanitize(...) then RunIncident.toExportChain(...) so every incident
passes through RunIncident.sanitize before toExportChain; update the logic that
produces incident_chains to perform this per-incident sanitization and export
using RunIncident.sanitize and RunIncident.toExportChain.

In `@packages/opencode/src/session/lifecycle-provenance.ts`:
- Around line 42-44: The lifecycle provenance payloads expose mutable
references; update createLifecycleCloseAction and lifecycleCloseActionMeta so
affectedDirectoryKeys and origin are frozen clones rather than direct
references: produce new copies (e.g., new array from Set for
affectedDirectoryKeys) and Object.freeze them, and for origin make a defensive
clone (shallow or deep as appropriate for origin's shape) then Object.freeze
that clone; ensure the returned payload uses these frozen values so downstream
mutation cannot alter prior provenance snapshots.

In `@packages/opencode/src/session/run-observability/recorder.ts`:
- Around line 395-398: When building lifecycle snapshots from the "next" object,
you are assigning references directly (next.lifecycleInitiatedAt,
next.lifecycleInitiatedMonotonicMs, next.lifecycleAffectedDirectoryKeys,
next.lifecycleOrigin) which allows later mutation to alter stored snapshots;
clone these payloads before storing/returning (e.g., copy primitive timestamps
directly, shallow-copy arrays like lifecycleAffectedDirectoryKeys with
[...next.lifecycleAffectedDirectoryKeys], and shallow/deep-clone objects like
lifecycleOrigin via {...next.lifecycleOrigin} or structuredClone/JSON roundtrip
as appropriate). Apply the same cloning change to the other occurrence that sets
those fields (the block around the second occurrence noted in the comment).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 4ca23af5-c5d2-4a32-ae6e-e0d2378b066c

📥 Commits

Reviewing files that changed from the base of the PR and between 7d020ba and 3e187f9.

📒 Files selected for processing (19)

• packages/app/src/utils/server.test.ts
• packages/app/src/utils/server.ts
• packages/opencode/src/effect/runner.ts
• packages/opencode/src/project/instance-store.ts
• packages/opencode/src/server/request-context.ts
• packages/opencode/src/server/routes/instance/middleware.ts
• packages/opencode/src/session/export.ts
• packages/opencode/src/session/lifecycle-provenance.ts
• packages/opencode/src/session/processor.ts
• packages/opencode/src/session/run-incident/derive.ts
• packages/opencode/src/session/run-incident/index.ts
• packages/opencode/src/session/run-incident/types.ts
• packages/opencode/src/session/run-observability/recorder.ts
• packages/opencode/src/session/run-observability/types.ts
• packages/opencode/src/session/run-state.ts
• packages/opencode/test/server/middleware.test.ts
• packages/opencode/test/session/export.test.ts
• packages/opencode/test/session/run-observability.test.ts
• packages/opencode/test/session/run-state.test.ts

[github-actions]

Perf delta summary

Comparator: pass

Profile / Scenario	interaction median	interaction worst	long task max	tbt	frame gap p95	frame gap max	jank count	cls	status
default / homepage-cold	32 -> 40 (+8)	48 -> 48 (0)	92 -> 85 (-7)	42 -> 35 (-7)	16.8 -> 16.8 (0)	150 -> 166.7 (+16.7)	4 -> 3 (-1)	0 -> 0 (0)	pass
default / long-session-input-lag	48 -> 48 (0)	64 -> 48 (-16)	0 -> 0 (0)	0 -> 0 (0)	16.7 -> 16.8 (+0.1)	16.7 -> 16.8 (+0.1)	0 -> 0 (0)	0 -> 0 (0)	pass
default / session-streaming-long	48 -> 48 (0)	72 -> 64 (-8)	0 -> 0 (0)	0 -> 0 (0)	16.7 -> 16.7 (0)	16.8 -> 33.3 (+16.5)	0 -> 0 (0)	0 -> 0 (0)	pass
default / tool-call-expand	16 -> 16 (0)	24 -> 24 (0)	0 -> 0 (0)	0 -> 0 (0)	16.7 -> 16.7 (0)	16.7 -> 16.7 (0)	0 -> 0 (0)	0 -> 0 (0)	pass
default / tool-default-open-heavy-bash	24 -> 24 (0)	40 -> 32 (-8)	66 -> 63 (-3)	16 -> 13 (-3)	33.4 -> 49.9 (+16.5)	166.6 -> 116.7 (-49.9)	2 -> 2 (0)	0 -> 0 (0)	pass
default / terminal-side-panel-open	64 -> 40 (-24)	64 -> 48 (-16)	0 -> 0 (0)	0 -> 0 (0)	33.3 -> 33.4 (+0.1)	33.4 -> 49.9 (+16.5)	0 -> 0 (0)	0 -> 0 (0)	pass
default / session-scroll-reading	32 -> 32 (0)	32 -> 32 (0)	0 -> 0 (0)	0 -> 0 (0)	33.3 -> 33.3 (0)	33.3 -> 33.3 (0)	0 -> 0 (0)	0 -> 0 (0)	pass

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/opencode/src/session/run-incident/derive.ts (1)

68-76: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Preserve lifecycle source when deriving incident provenance.

input.lifecycle.source is typed on input but currently dropped in the derived provenance.lifecycle, which can silently lose initiator context on paths that don’t populate origin.

💡 Proposed fix

             lifecycle: {
               action_id: input.lifecycle.action_id,
               kind: input.lifecycle.kind,
+              source: input.lifecycle.source,
               reason: input.lifecycle.reason,
               initiated_at: input.lifecycle.initiated_at,
               initiated_monotonic_ms: input.lifecycle.initiated_monotonic_ms,
               affected_directory_keys: input.lifecycle.affected_directory_keys,
               origin: input.lifecycle.origin,

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/opencode/src/session/run-incident/derive.ts` around lines 68 - 76,
The derived provenance lifecycle is dropping input.lifecycle.source; update the
lifecycle object construction (the block that builds provenance.lifecycle) to
include source: input.lifecycle.source so the initiator context is preserved
(e.g., add "source: input.lifecycle.source" alongside action_id, kind, reason,
etc., in the lifecycle literal). Ensure the provenance type accepts this field
or cast/extend types if necessary.

🧹 Nitpick comments (1)

packages/app/src/utils/server.test.ts (1)

39-39: ⚡ Quick win

Broaden path-leak assertions beyond macOS-only patterns.

The current check only catches "/Users/". Add Linux/Windows path markers so this privacy test stays effective across environments.

💡 Suggested test update

-    expect(JSON.stringify(headers)).not.toContain("/Users/")
+    const serialized = JSON.stringify(headers)
+    expect(serialized).not.toContain("/Users/")
+    expect(serialized).not.toContain("/home/")
+    expect(serialized).not.toContain("\\\\Users\\\\")

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/app/src/utils/server.test.ts` at line 39, The test currently only
asserts expect(JSON.stringify(headers)).not.toContain("/Users/"); update this
assertion to block common absolute path patterns across OSes by checking for
macOS (/Users/), Linux (/home/), and Windows drive paths (e.g. a letter + colon
+ backslash or forward slash like C:\ or C:/); replace the single toContain
check with either a single regex-based check against JSON.stringify(headers)
that matches any of these patterns or with multiple not.toContain assertions for
"/Users/", "/home/", and a Windows drive-letter pattern so the privacy assertion
applies on all platforms.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@packages/opencode/src/session/run-incident/derive.ts`:
- Around line 68-76: The derived provenance lifecycle is dropping
input.lifecycle.source; update the lifecycle object construction (the block that
builds provenance.lifecycle) to include source: input.lifecycle.source so the
initiator context is preserved (e.g., add "source: input.lifecycle.source"
alongside action_id, kind, reason, etc., in the lifecycle literal). Ensure the
provenance type accepts this field or cast/extend types if necessary.

---

Nitpick comments:
In `@packages/app/src/utils/server.test.ts`:
- Line 39: The test currently only asserts
expect(JSON.stringify(headers)).not.toContain("/Users/"); update this assertion
to block common absolute path patterns across OSes by checking for macOS
(/Users/), Linux (/home/), and Windows drive paths (e.g. a letter + colon +
backslash or forward slash like C:\ or C:/); replace the single toContain check
with either a single regex-based check against JSON.stringify(headers) that
matches any of these patterns or with multiple not.toContain assertions for
"/Users/", "/home/", and a Windows drive-letter pattern so the privacy assertion
applies on all platforms.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 8fa13c48-5b0b-414e-afcf-80b12b3a1bf4

📥 Commits

Reviewing files that changed from the base of the PR and between 3e187f9 and b9fbb13.

📒 Files selected for processing (30)

• packages/app/src/components/dialog-connect-provider-source.test.ts
• packages/app/src/components/dialog-connect-provider.tsx
• packages/app/src/components/settings-providers.tsx
• packages/app/src/context/global-sync.tsx
• packages/app/src/context/global-sync/client-action-source.test.ts
• packages/app/src/pages/layout.tsx
• packages/app/src/utils/server.test.ts
• packages/app/src/utils/server.ts
• packages/opencode/src/config/config.ts
• packages/opencode/src/effect/runner.ts
• packages/opencode/src/project/instance-store.ts
• packages/opencode/src/server/instance/global.ts
• packages/opencode/src/server/instance/middleware.ts
• packages/opencode/src/server/request-context.ts
• packages/opencode/src/server/routes/instance/middleware.ts
• packages/opencode/src/session/export.ts
• packages/opencode/src/session/lifecycle-provenance.ts
• packages/opencode/src/session/processor.ts
• packages/opencode/src/session/run-incident/derive.ts
• packages/opencode/src/session/run-incident/index.ts
• packages/opencode/src/session/run-incident/sanitize.ts
• packages/opencode/src/session/run-incident/types.ts
• packages/opencode/src/session/run-observability/recorder.ts
• packages/opencode/src/session/run-observability/types.ts
• packages/opencode/src/session/run-state.ts
• packages/opencode/test/project/instance-store.test.ts
• packages/opencode/test/server/middleware.test.ts
• packages/opencode/test/session/export.test.ts
• packages/opencode/test/session/run-observability.test.ts
• packages/opencode/test/session/run-state.test.ts