fix(session): unify transport error classification for stream disconnect recovery

[Astro-Han]

Summary

• Extract a shared StreamFailureClassifier module that centralizes transport error recognition (ECONNRESET, UND_ERR_SOCKET, ECONNREFUSED, ETIMEDOUT) in one place
• Replace the inline ECONNRESET case in fromError() with classifier delegation so all transport errors produce retryable APIErrors through the same path
• Support cause-chain traversal for undici's TypeError("terminated") wrapping pattern
• Update recovery interruption copy to short, actionable user messages

Why

A prod session hit a UND_ERR_SOCKET disconnect during reasoning-only generation. The safety gate correctly classified it as candidate_safe_auto_retry, but the technical retryability gate rejected it because fromError() only recognized ECONNRESET, not undici's TypeError("terminated") with cause.code === "UND_ERR_SOCKET". The two classification paths disagreed on the same transport error, so the session stopped instead of auto-recovering.

The root cause was duplicate classification logic: run observability and the processor retry path each classified transport errors independently. This PR eliminates that duplication with a shared classifier.

Related Issue

Closes #939

Human Review Status

Pending

Review Focus

1. The classifyStreamFailure function: does the cause-chain traversal (max depth 4) cover the real-world undici error wrapping patterns? Could it misclassify a non-transport error?
2. The fromError() change: the old code used a hardcoded "Connection reset by server" message; the new code passes through the original error message. Is this safe for all consumers?
3. The copy changes in recoveryInterruptionMessage: tool-related cases (partial_tool_input, tool_call_materialized, tool_execution_started, unsafe_side_effect_started, side_effect_facts_incomplete) are now consolidated into fewer messages. Verify the wording is appropriate for each case.

Risk Notes

• The fromError() change means ECONNRESET errors now carry the original error message instead of "Connection reset by server". This is more accurate but changes the message text that appears in diagnostics exports. No user-visible UI shows this raw message directly.
• The cause-chain depth limit (4) is arbitrary. Real undici errors typically nest 1-2 levels deep. 4 is conservative enough to handle unexpected wrapping without risking infinite traversal.

How To Verify

Typecheck: bun run typecheck — 0 errors
Classifier unit tests: 10 pass, 0 fail (stream-failure-classifier.test.ts)
fromError unit tests: 13 pass, 0 fail (message-v2.test.ts fromError suite)
Retry unit tests: 98 pass, 0 fail (retry.test.ts + retry-classification.test.ts)
Processor integration tests: 33 pass, 0 fail (processor-effect.test.ts)
Total: 131 pass, 0 fail across 5 test files

Screenshots or Recordings

No visible UI changes. Copy changes are in error messages shown after failed recovery — verified through integration test assertions.

Checklist

• Type label — this PR carries exactly one of bug, enhancement, task, documentation. Type labels are author-added; the labeler bot does NOT assign them. Add the label in the GitHub UI, then tick this.
• Routing labels — this PR carries at least one of app, ui, platform, harness, ci. The labeler bot assigns these on PR open based on changed paths. Confirm the bot's choice (or override if wrong), then tick this.
• Priority label — this PR carries exactly one of P0, P1, P2, P3. The priority-triage bot suggests one on PR open. Confirm or override, then tick this.
• Human Review Status above is set to Pending, Approved by @<reviewer>, or Not required: <reason> (default is Pending; "not required" is restricted to bot-authored low-risk PRs).
• I linked the related issue, or stated in Summary why there is no issue.
• I described the review focus and any meaningful risks.
• I replaced the example block in How To Verify with the real verification steps and the key result for each.
• I did not introduce unrelated refactors, dependencies, generated files, or file changes beyond the stated scope.
• (conditional) I manually checked visible UI or copy changes when needed, with screenshots or recordings. Leave unticked only if no visible UI or copy changed.
• (conditional) I considered macOS and Windows impact for platform, packaging, updater, signing, paths, shell, or permissions changes. Leave unticked only if no platform/packaging surface was touched.
• (conditional) I called out docs, release notes, dependencies, permissions, credentials, deletion behavior, generated content, or local file changes when relevant. Leave unticked only if none of those surfaces was touched.
• I reviewed the final diff for unrelated changes and suspicious dependency changes.
• I am targeting dev, and my PR title and commit messages use Conventional Commits in English.

[coderabbitai]

Warning

Review limit reached

@Astro-Han, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 11 minutes and 44 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: a0f03321-6d1f-423b-93d8-79abff3102a2

📥 Commits

Reviewing files that changed from the base of the PR and between 3bf9407 and 3c1b115.

📒 Files selected for processing (7)

• packages/opencode/src/session/message-v2.ts
• packages/opencode/src/session/processor.ts
• packages/opencode/src/session/stream-failure-classifier.test.ts
• packages/opencode/src/session/stream-failure-classifier.ts
• packages/opencode/test/session/message-v2.test.ts
• packages/opencode/test/session/processor-effect.test.ts
• packages/opencode/test/session/retry.test.ts

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/939-transport-classifier

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Suggested priority: P2 (includes non-doc, non-test paths outside the low-risk bucket).

P1/P0 are reserved for maintainer confirmation. Please relabel manually if this is a release blocker, security issue, data-loss risk, or updater/runtime failure.

[gemini-code-assist]

Code Review

This pull request introduces a stream failure classifier to identify and handle retryable transport disconnects (such as ECONNRESET, ECONNREFUSED, ETIMEDOUT, and UND_ERR_SOCKET) during stream processing. It also refactors recovery interruption messages to be more concise and user-friendly, and adds comprehensive unit tests. The feedback suggests using the logical OR operator (||) instead of the nullish coalescing operator (??) to ensure empty error messages fall back to the default string, and wrapping the recursive cause-chain property accesses in a try-catch block to safely handle arbitrary objects.

[Astro-Han]

Re: P2 — processor-level UND_ERR_SOCKET regression test

Not adding a standalone processor-level UND_ERR_SOCKET test case. Bun's test harness cannot produce Node undici's client error shape; TestLLMServer.reset() covers the processor retry/replay chain via real TCP disconnect, and the UND_ERR_SOCKET → retryable APIError classification delta is verified by stream-failure-classifier and fromError unit tests.

Strengthened the existing TCP-reset integration test (reset reasoning state across retries) to explicitly assert the failed reasoning part is absent after recovery — not just that it wasn't concatenated. See 3c1b115.