refactor(session): add unified retry decision metadata

[Astro-Han]

Summary

Adds a small retry-decision metadata layer for model retry decisions and lightly wires session.processor to consume it for the existing safe-recovery replay path.

This is PR 1 for #925. It does not move retry scheduling into SessionRetry.policy yet and does not broaden automatic replay behavior.

Why

#925 needs a shared representation that keeps these facts separate before the larger retry-pipeline migration:

• technical retryability,
• safety-gate decision,
• provider retry attempt count,
• safe-recovery replay attempt count,
• timeout policy,
• user-facing retry presentation.

This PR introduces that metadata without changing the #922 runtime behavior. Review follow-up also renames the aggregate stream counter to modelStreamAttempt and records blocked-boundary reasoning attempts as reasoning_global_protected so the metadata matches the actual timeout path.

Related Issue

Closes none. Part of #925.

Human Review Status

Pending

Review Focus

Please focus on whether the metadata names and boundaries are future-proof enough for #925 without implying full Run Recovery from #927. In particular, check that shared decision metadata still keeps provider retry attempt count and safe-recovery replay attempt count separate.

Risk Notes

Low behavior risk: the processor still uses the existing retry loop, backoff, timeout behavior, and safe-retry notice behavior. The main risk is naming drift if the metadata is too narrow for the next #925 slices.

Skipped conditional checklist items:

• Visible UI/manual screenshot: not applicable; no visible UI or copy changed.
• Platform/packaging/manual platform check: not applicable; no platform, packaging, updater, signing, path, shell, or permission surface changed.
• Docs/release/dependency/generated/local-file check: not applicable; no docs, release notes, dependencies, generated files, permissions, credentials, deletion behavior, or local-only files changed.

How To Verify

TDD RED: bun test test/session/retry-decision.test.ts failed because ../../src/session/retry-decision did not exist.
Focused decision test: bun test test/session/retry-decision.test.ts -> 3 passed, 0 failed.
Retry tests: bun test test/session/retry.test.ts -> 32 passed, 0 failed.
Processor safe-recovery tests: bun test test/session/processor-effect.test.ts -> 33 passed, 0 failed.
Typecheck: bun run typecheck in packages/opencode -> passed.
Diff check: git diff --check -> passed.

Screenshots or Recordings

Not applicable; no visible UI changed.

Checklist

How to use this checklist:

• Tick a box by replacing [ ] with [x]. Do not edit, add, or remove items.
• The bot-applied label items can only be honestly ticked AFTER the PR is opened and the labeler / priority-triage bots have run — return to the PR description and tick them then.
• Most items are required. The few that are conditional are explicitly marked (conditional); for those, leave unticked if they truly do not apply and explain why in Risk Notes. All other items must be ticked before requesting human review.

• Type label — this PR carries exactly one of bug, enhancement, task, documentation. Type labels are author-added; the labeler bot does NOT assign them. Add the label in the GitHub UI, then tick this.
• Routing labels — this PR carries at least one of app, ui, platform, harness, ci. The labeler bot assigns these on PR open based on changed paths. Confirm the bot's choice (or override if wrong), then tick this.
• Priority label — this PR carries exactly one of P0, P1, P2, P3. The priority-triage bot suggests one on PR open. Confirm or override, then tick this.
• Human Review Status above is set to Pending, Approved by @<reviewer>, or Not required: <reason> (default is Pending; "not required" is restricted to bot-authored low-risk PRs).
• I linked the related issue, or stated in Summary why there is no issue.
• I described the review focus and any meaningful risks.
• I replaced the example block in How To Verify with the real verification steps and the key result for each.
• I did not introduce unrelated refactors, dependencies, generated files, or file changes beyond the stated scope.
• (conditional) I manually checked visible UI or copy changes when needed, with screenshots or recordings. Leave unticked only if no visible UI or copy changed.
• (conditional) I considered macOS and Windows impact for platform, packaging, updater, signing, paths, shell, or permissions changes. Leave unticked only if no platform/packaging surface was touched.
• (conditional) I called out docs, release notes, dependencies, permissions, credentials, deletion behavior, generated content, or local file changes when relevant. Leave unticked only if none of those surfaces was touched.
• I reviewed the final diff for unrelated changes and suspicious dependency changes.
• I am targeting dev, and my PR title and commit messages use Conventional Commits in English.

[coderabbitai]

Warning

Review limit reached

@Astro-Han, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 38 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 6d4c5393-9ea6-4e3b-8806-f57fa82114a9

📥 Commits

Reviewing files that changed from the base of the PR and between 9d1b7a8 and d398aa2.

📒 Files selected for processing (3)

• packages/opencode/src/session/processor.ts
• packages/opencode/src/session/retry-decision.ts
• packages/opencode/test/session/retry-decision.test.ts

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/i925-retry-metadata

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Suggested priority: P2 (includes non-doc, non-test paths outside the low-risk bucket).

P1/P0 are reserved for maintainer confirmation. Please relabel manually if this is a release blocker, security issue, data-loss risk, or updater/runtime failure.

[gemini-code-assist]

Code Review

This pull request refactors the stream retry decision logic in processor.ts by extracting it into a dedicated module retry-decision.ts. It introduces the buildModelRetryDecision function to structure retry decisions based on technical retryability, safety gate decisions, and timeout policies, and adds accompanying unit tests. The feedback suggests expanding the unit tests to cover other safety gate recommendations, such as offer_continue and ask_user_before_retry, to ensure robust branch coverage.