chore: upgrade quic

[looplj]

---

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 1 additional finding.

[greptile-apps]

Greptile Summary

Upgrades quic-go from v0.57.1 to v0.59.1 across the root module and the cmd/schema submodule, pulling along several golang.org/x package bumps (crypto, net, sys, text, mod, tools). A test file (channel_llm_codex_oauth_test.go) is also deleted, which is unrelated to the dependency upgrade.

• Dependency upgrades (go.mod, cmd/schema/go.mod): quic-go v0.57.1 → v0.59.1 with accompanying golang.org/x/* minor-version bumps; the go.sum files are updated accordingly, though the root go.sum retains the old quic-go v0.57.1 entries (not cleaned up by go mod tidy, unlike cmd/schema/go.sum).
• Test deletion (channel_llm_codex_oauth_test.go): TestCodexRefreshPersistsChannelCredentials — the only integration test exercising the Codex channel OAuth token-refresh-and-persist flow — is removed without explanation; the corresponding production code in channel_llm.go is untouched.

Confidence Score: 4/5

Safe to merge the dependency upgrades themselves, but the unexplained deletion of the Codex OAuth persistence test warrants a follow-up before landing.

The dependency upgrades look mechanically correct and the go.sum hashes are consistent. However, deleting TestCodexRefreshPersistsChannelCredentials in the same branch — with no corresponding production-code change or explanation — removes the only end-to-end verification that Codex OAuth token refreshes are correctly written back to the database. If the upgrade caused that test to fail silently and it was dropped to unblock CI, a credential-persistence regression could go unnoticed in production.

internal/server/biz/channel_llm_codex_oauth_test.go (deleted) and internal/server/biz/channel_llm.go (the refreshOAuthToken / buildCodexOutbound paths now have no integration-test coverage).

Important Files Changed

Filename	Overview
internal/server/biz/channel_llm_codex_oauth_test.go	Entire file deleted — removes the only integration test for Codex OAuth token-refresh and database persistence; unrelated to the stated quic upgrade scope.
go.mod	Bumps quic-go v0.57.1→v0.59.1 and several golang.org/x packages; changes are consistent with the PR intent.
go.sum	Adds hashes for new package versions; old quic-go v0.57.1 entries are retained (not tidied), while cmd/schema/go.sum removes them — minor inconsistency but not harmful.
cmd/schema/go.mod	Mirrors the root go.mod upgrades for the schema submodule; looks correct.
cmd/schema/go.sum	Old quic-go and golang.org/x hash entries properly replaced with new ones; tidy was run here.

Sequence Diagram

sequenceDiagram
    participant Client
    participant ChannelService
    participant CodexOutbound as codex.OutboundTransformer
    participant TokenProvider as oauth.TokenProvider
    participant DB as Database

    Client->>ChannelService: TransformRequest (expired creds)
    ChannelService->>CodexOutbound: TransformRequest(ctx, req)
    CodexOutbound->>TokenProvider: Get(ctx)
    TokenProvider->>TokenProvider: detect expiry
    TokenProvider-->>TokenProvider: refresh via token URL
    TokenProvider->>ChannelService: refreshOAuthToken callback
    ChannelService->>DB: Update channel credentials
    DB-->>ChannelService: ok
    TokenProvider-->>CodexOutbound: new OAuthCredentials
    CodexOutbound-->>Client: httpclient.Request (new Bearer token)

Loading

Comments Outside Diff (1)

1. internal/server/biz/channel_llm_codex_oauth_test.go

   Unrelated test deletion removes only Codex OAuth persistence coverage

   TestCodexRefreshPersistsChannelCredentials was the sole integration test verifying that refreshOAuthToken correctly persists new access/refresh tokens back to the database after a Codex channel's credentials expire. Deleting it in a quic upgrade PR is unexpected — if the new dependency versions caused this test to fail, the breakage should be fixed rather than suppressed. The production code path in buildCodexOutbound / refreshOAuthToken is unchanged, but it now has zero test coverage for the end-to-end credential-persistence flow.

   Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time! Was this test deleted intentionally (e.g. because it was flaky or already superseded), or was it dropped accidentally in the same branch as the quic upgrade? If the upgrade caused the test to fail, the fix should be committed here rather than removing the test.

_{Reviews (2): Last reviewed commit: "chore: upgrade quic" | Re-trigger Greptile}