refactor(session): normalize retry recovery presentation

[Astro-Han]

Summary

Normalizes #925's final recovery presentation layer so automatic replay uses a user-facing recovery state instead of exposing the internal safe-retry mechanism.

This PR:

• changes the retry status presentation value from safe_recovery to recovery, while keeping legacy safe_recovery parsing/rendering compatible;
• updates the safe retry row and failure notice copy to say "recovering" / "recovery failed" in the visible UI;
• records recovery_decision diagnostics in run observability and sanitized exports, including technical retryability, safety gate result, recovery mode, attempt metadata, timeout policy, retry-attempted state, provider progress, and final recovery outcome;
• syncs the SDK generated SessionStatus types for the new presentation value.

Why

This is PR 4 for #925. PRs #928, #929, and #931 moved model execution retry mechanics toward one shared retry pipeline. The remaining work was to make UI and diagnostics consume stable recovery-oriented metadata rather than processor-local safe-retry naming.

Related Issue

Closes #925.

Human Review Status

Pending

Review Focus

Please focus on whether the new recovery_decision summary answers the intended diagnostics questions without implying broader #927 run-resume support, and whether keeping safe_retry_failed as the persisted notice kind is the right compatibility boundary.

Risk Notes

Behavior risk is intended to be low: retry scheduling, replay budget, #922 timeout behavior, SSE reconnect, and partial-output/tool recovery behavior are unchanged. The visible UI copy changes from "retrying" wording to "recovering" wording. The persisted notice kind remains safe_retry_failed to avoid a storage/schema migration.

Skipped conditional checklist items:

• Platform/packaging check: not applicable; no platform, packaging, updater, signing, native path, shell, or permission surface changed.
• Docs/release/dependency/local-file check: SDK generated types were updated for the status contract; no dependencies, release notes, permissions, credentials, deletion behavior, or local-only files were changed. The snap output PNG was generated locally under ignored docs/ for verification and was not staged.

How To Verify

TDD RED: bun test src/components/session-safe-retry-contract.test.ts in packages/ui failed on the old safe-retry presentation/copy expectations.
TDD RED: bun test test/session/run-observability.test.ts -t "records recovery decision diagnostics" in packages/opencode failed because recordRecoveryDecision did not exist.
UI contract: bun test src/components/session-safe-retry-contract.test.ts in packages/ui -> 3 passed.
Opencode focused recovery tests: bun test test/session/retry-decision.test.ts test/session/retry.test.ts src/session/status.test.ts test/session/run-observability.test.ts test/session/export.test.ts -t "recovery|retry|status|exports recovered stream incidents" in packages/opencode -> 65 passed, 0 failed.
Review follow-up: added recovery outcome/progress edge tests for retry-not-attempted and retry-attempt-failed cases; all included in the focused recovery test command above.
Processor safe recovery tests: bun test test/session/processor-effect.test.ts -t "safe retry|safe recovery|reasoning-only retry|connect timeout writes a safe retry notice" in packages/opencode -> 6 passed, 0 failed.
Safe retry snap: bun run snap safe-retry -> 1 passed; generated safe-retry grid at docs/design/preview/screenshots/safe-retry.png.
Lint: bun run lint -> passed.
Root typecheck: bun run typecheck -> 8 packages successful.
Diff check: git diff --check -> passed.

Screenshots or Recordings

Safe retry snap was generated and visually checked locally:

docs/design/preview/screenshots/safe-retry.png

It shows the running row as "正在恢复…" and the notice as "恢复失败。你可以稍后再试，或换一个模型。" without layout overlap.

Checklist

How to use this checklist:

• Tick a box by replacing [ ] with [x]. Do not edit, add, or remove items.
• The bot-applied label items can only be honestly ticked AFTER the PR is opened and the labeler / priority-triage bots have run — return to the PR description and tick them then.
• Most items are required. The few that are conditional are explicitly marked (conditional); for those, leave unticked if they truly do not apply and explain why in Risk Notes. All other items must be ticked before requesting human review.

• Type label — this PR carries exactly one of bug, enhancement, task, documentation. Type labels are author-added; the labeler bot does NOT assign them. Add the label in the GitHub UI, then tick this.
• Routing labels — this PR carries at least one of app, ui, platform, harness, ci. The labeler bot assigns these on PR open based on changed paths. Confirm the bot's choice (or override if wrong), then tick this.
• Priority label — this PR carries exactly one of P0, P1, P2, P3. The priority-triage bot suggests one on PR open. Confirm or override, then tick this.
• Human Review Status above is set to Pending, Approved by @<reviewer>, or Not required: <reason> (default is Pending; "not required" is restricted to bot-authored low-risk PRs).
• I linked the related issue, or stated in Summary why there is no issue.
• I described the review focus and any meaningful risks.
• I replaced the example block in How To Verify with the real verification steps and the key result for each.
• I did not introduce unrelated refactors, dependencies, generated files, or file changes beyond the stated scope.
• (conditional) I manually checked visible UI or copy changes when needed, with screenshots or recordings. Leave unticked only if no visible UI or copy changed.
• (conditional) I considered macOS and Windows impact for platform, packaging, updater, signing, paths, shell, or permissions changes. Leave unticked only if no platform/packaging surface was touched.
• (conditional) I called out docs, release notes, dependencies, permissions, credentials, deletion behavior, generated content, or local file changes when relevant. Leave unticked only if none of those surfaces was touched.
• I reviewed the final diff for unrelated changes and suspicious dependency changes.
• I am targeting dev, and my PR title and commit messages use Conventional Commits in English.

[coderabbitai]

Warning

Review limit reached

@Astro-Han, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 34 minutes and 39 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: b7eef848-f5f3-4e0c-88b4-596b63fbb3c4

📥 Commits

Reviewing files that changed from the base of the PR and between 0812f86 and ea6cc86.

⛔ Files ignored due to path filters (2)

• packages/sdk/js/src/gen/types.gen.ts is excluded by !**/gen/**
• packages/sdk/js/src/v2/gen/types.gen.ts is excluded by !**/gen/**

📒 Files selected for processing (33)

• packages/app/e2e/snap/fixtures/safe-retry-snap-fixture.tsx
• packages/app/e2e/snap/safe-retry.snap.ts
• packages/opencode/src/session/processor.ts
• packages/opencode/src/session/retry-decision.ts
• packages/opencode/src/session/retry.ts
• packages/opencode/src/session/run-observability/recorder.ts
• packages/opencode/src/session/run-observability/types.ts
• packages/opencode/src/session/status.test.ts
• packages/opencode/src/session/status.ts
• packages/opencode/test/session/export.test.ts
• packages/opencode/test/session/processor-effect.test.ts
• packages/opencode/test/session/retry-decision.test.ts
• packages/opencode/test/session/retry.test.ts
• packages/opencode/test/session/run-observability.test.ts
• packages/ui/src/components/session-retry.tsx
• packages/ui/src/components/session-safe-retry-contract.test.ts
• packages/ui/src/i18n/ar.ts
• packages/ui/src/i18n/br.ts
• packages/ui/src/i18n/bs.ts
• packages/ui/src/i18n/da.ts
• packages/ui/src/i18n/de.ts
• packages/ui/src/i18n/en.ts
• packages/ui/src/i18n/es.ts
• packages/ui/src/i18n/fr.ts
• packages/ui/src/i18n/ja.ts
• packages/ui/src/i18n/ko.ts
• packages/ui/src/i18n/no.ts
• packages/ui/src/i18n/pl.ts
• packages/ui/src/i18n/ru.ts
• packages/ui/src/i18n/th.ts
• packages/ui/src/i18n/tr.ts
• packages/ui/src/i18n/zh.ts
• packages/ui/src/i18n/zht.ts

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/i925-recovery-presentation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Suggested priority: P2 (includes non-doc, non-test paths outside the low-risk bucket).

P1/P0 are reserved for maintainer confirmation. Please relabel manually if this is a release blocker, security issue, data-loss risk, or updater/runtime failure.

[gemini-code-assist]

Code Review

This pull request introduces recovery decision diagnostics tracking within the session processor and RunObservability, allowing detailed logging of recovery attempts and outcomes. Additionally, it renames the "safe_recovery" presentation type to "recovery" across various UI components, localization files, and tests, while maintaining backward compatibility for the legacy "safe_recovery" value. The review feedback suggests a minor improvement in packages/opencode/src/session/status.ts to use z.enum instead of z.union with z.literal for a more idiomatic and concise Zod schema definition.

[github-actions]

Perf delta summary

Comparator: pass

Profile / Scenario	interaction median	interaction worst	long task max	tbt	frame gap p95	frame gap max	jank count	cls	status
default / homepage-cold	24 -> 24 (0)	32 -> 24 (-8)	74 -> 0 (-74)	24 -> 0 (-24)	16.8 -> 16.8 (0)	66.7 -> 66.7 (0)	2 -> 2 (0)	0 -> 0 (0)	pass
default / long-session-input-lag	40 -> 40 (0)	48 -> 40 (-8)	0 -> 0 (0)	0 -> 0 (0)	16.7 -> 16.8 (+0.1)	16.7 -> 16.8 (+0.1)	0 -> 0 (0)	0 -> 0 (0)	pass
default / session-streaming-long	40 -> 40 (0)	40 -> 40 (0)	0 -> 0 (0)	0 -> 0 (0)	16.7 -> 16.7 (0)	16.7 -> 16.8 (+0.1)	0 -> 0 (0)	0 -> 0 (0)	pass
default / tool-call-expand	24 -> 40 (+16)	40 -> 40 (0)	0 -> 0 (0)	0 -> 0 (0)	16.8 -> 16.7 (-0.1)	16.8 -> 16.7 (-0.1)	0 -> 0 (0)	0 -> 0 (0)	pass
default / tool-default-open-heavy-bash	0 -> 0 (0)	0 -> 16 (+16)	0 -> 0 (0)	0 -> 0 (0)	33.3 -> 33.3 (0)	66.7 -> 50.1 (-16.6)	1 -> 1 (0)	0.004 -> 0.004 (0)	pass
default / terminal-side-panel-open	24 -> 32 (+8)	32 -> 32 (0)	0 -> 0 (0)	0 -> 0 (0)	16.7 -> 16.8 (+0.1)	16.8 -> 16.8 (0)	0 -> 0 (0)	0 -> 0 (0)	pass
default / session-scroll-reading	0 -> 0 (0)	0 -> 16 (+16)	0 -> 0 (0)	0 -> 0 (0)	16.7 -> 16.7 (0)	16.7 -> 16.7 (0)	0 -> 0 (0)	0 -> 0 (0)	pass