fix(codex): harden OAuth refresh, auth resilience, 502 stream handling

- Legacy and managed Codex token refresh: retries for transient network
  errors, longer timeouts, clearer WARNING logs without traceback spam;
  ManagedOAuthRefreshError.from_transient_network for credential logging.
- Auth handler: do not permanently disable scoped instances when instance id
  contains codex but OAuth heuristics miss.
- Streaming: surface 500/502 pre-output BackendError like 503/504 so gateway
  failures are not misrouted to empty-stream recovery prompts.
- Tests for refresh paths, auth handler, and should_surface_pre_output_error.

Made-with: Cursor

Author: Mateusz

src/connectors/openai_codex/credentials.py

@@ -71,6 +71,11 @@
 
 logger = logging.getLogger(__name__)
 
+# Legacy OAuth token endpoint: transient network issues are common; retry before failing refresh.
+_LEGACY_OAUTH_REFRESH_MAX_ATTEMPTS = 3
+_LEGACY_OAUTH_REFRESH_BASE_DELAY_S = 0.5
+_LEGACY_OAUTH_TOKEN_TIMEOUT_S = 30.0
+
 
 class OpenAICredentialsFileHandler(FileSystemEventHandler):
     """File watcher handler for OpenAI Codex credentials."""
@@ -882,7 +887,13 @@ async def _refresh_managed_access_token(self) -> bool:
         try:
             updated = await self._managed_refresh.force_refresh(account)
         except ManagedOAuthRefreshError as exc:
-            if logger.isEnabledFor(logging.WARNING):
+            if exc.from_transient_network:
+                logger.warning(
+                    "Managed OAuth token refresh failed for account %s after retries: %s",
+                    exc.account_id,
+                    exc,
+                )
+            else:
                 logger.warning(
                     "Managed OAuth token refresh failed for account %s: %s",
                     exc.account_id,
@@ -933,17 +944,47 @@ async def _refresh_legacy_access_token(self) -> bool:
             "scope": "openid profile email",
         }
 
-        try:
-            response = await self._http_client.post(
-                OPENAI_OAUTH_TOKEN_URL,
-                json=payload,
-                headers={"Content-Type": "application/json"},
-                timeout=15.0,
-            )
-        except httpx.HTTPError as exc:
-            logger.warning(
-                "Failed to refresh OpenAI Codex token: %s", exc, exc_info=True
-            )
+        response: httpx.Response | None = None
+        for attempt in range(_LEGACY_OAUTH_REFRESH_MAX_ATTEMPTS):
+            try:
+                response = await self._http_client.post(
+                    OPENAI_OAUTH_TOKEN_URL,
+                    json=payload,
+                    headers={"Content-Type": "application/json"},
+                    timeout=_LEGACY_OAUTH_TOKEN_TIMEOUT_S,
+                )
+                break
+            except (
+                httpx.TimeoutException,
+                httpx.ConnectError,
+                httpx.ReadError,
+            ) as exc:
+                if attempt + 1 < _LEGACY_OAUTH_REFRESH_MAX_ATTEMPTS:
+                    delay = _LEGACY_OAUTH_REFRESH_BASE_DELAY_S * (2**attempt)
+                    logger.info(
+                        "Transient error during OpenAI Codex token refresh (%s, attempt %d/%d); "
+                        "retrying in %.1fs",
+                        exc.__class__.__name__,
+                        attempt + 1,
+                        _LEGACY_OAUTH_REFRESH_MAX_ATTEMPTS,
+                        delay,
+                    )
+                    await asyncio.sleep(delay)
+                    continue
+                logger.warning(
+                    "Failed to refresh OpenAI Codex token after %d attempts (%s): %s",
+                    _LEGACY_OAUTH_REFRESH_MAX_ATTEMPTS,
+                    exc.__class__.__name__,
+                    exc,
+                )
+                return False
+            except httpx.HTTPError as exc:
+                logger.warning(
+                    "Failed to refresh OpenAI Codex token: %s", exc, exc_info=True
+                )
+                return False
+
+        if response is None:
             return False
 
         if response.status_code >= 400:

src/connectors/openai_codex/managed_oauth_refresh.py

@@ -22,6 +22,17 @@
 
 logger = logging.getLogger(__name__)
 
+# Match legacy credential refresh: slow token endpoint + transient errors are common.
+_MANAGED_OAUTH_TOKEN_TIMEOUT_S = 30.0
+
+
+def _is_transient_network_error(exc: BaseException) -> bool:
+    """True for transport-level failures that are worth retrying (like legacy OAuth POST)."""
+    return isinstance(
+        exc,
+        httpx.TimeoutException | httpx.ConnectError | httpx.ReadError,
+    )
+
 
 class ManagedOAuthRefreshError(RuntimeError):
     """Raised when token refresh fails for a managed account."""
@@ -32,10 +43,12 @@ def __init__(
         *,
         account_id: str,
         needs_reauth: bool = False,
+        from_transient_network: bool = False,
     ) -> None:
         super().__init__(message)
         self.account_id = account_id
         self.needs_reauth = needs_reauth
+        self.from_transient_network = from_transient_network
 
 
 class ManagedOAuthRefreshService:
@@ -89,10 +102,20 @@ async def _refresh_with_retry(
                 raise
             except Exception as exc:
                 last_error = exc
-                if attempt >= self._max_retries - 1:
+                if attempt + 1 >= self._max_retries:
                     break
                 delay = self._base_delay_seconds * (2**attempt)
-                if logger.isEnabledFor(logging.DEBUG):
+                if _is_transient_network_error(exc):
+                    logger.info(
+                        "Transient error during managed OAuth token refresh (%s, attempt %d/%d) "
+                        "for account %s; retrying in %.1fs",
+                        exc.__class__.__name__,
+                        attempt + 1,
+                        self._max_retries,
+                        account.account_id,
+                        delay,
+                    )
+                elif logger.isEnabledFor(logging.DEBUG):
                     logger.debug(
                         "Managed OAuth refresh attempt %d/%d failed for %s; retrying in %.1fs",
                         attempt + 1,
@@ -103,9 +126,11 @@ async def _refresh_with_retry(
                     )
                 await asyncio.sleep(delay)
 
+        assert last_error is not None
         raise ManagedOAuthRefreshError(
             f"Managed OAuth refresh failed after {self._max_retries} attempts: {last_error}",
             account_id=account.account_id,
+            from_transient_network=_is_transient_network_error(last_error),
         )
 
     async def _refresh_once(self, account: ManagedOAuthAccount) -> ManagedOAuthAccount:
@@ -139,7 +164,7 @@ async def _execute_refresh(
             OPENAI_OAUTH_TOKEN_URL,
             json=payload,
             headers={"Content-Type": "application/json"},
-            timeout=15.0,
+            timeout=_MANAGED_OAUTH_TOKEN_TIMEOUT_S,
         )
 
         if response.status_code == 400:

src/core/services/backend_request_manager/streaming_response_handler.py

@@ -573,7 +573,9 @@ def _should_surface_pre_output_error(stream_error: Exception) -> bool:
             # Surface all 4xx client errors immediately, retrying them is useless
             if 400 <= status_code < 500:
                 return True
-            if status_code in {503, 504}:
+            # Common upstream / gateway failures: must not fall through to
+            # "empty model output" recovery (misleading user prompt append).
+            if status_code in {500, 502, 503, 504}:
                 return True
 
         details = getattr(stream_error, "details", None)
@@ -582,7 +584,7 @@ def _should_surface_pre_output_error(stream_error: Exception) -> bool:
             if isinstance(details_status, int):
                 if 400 <= details_status < 500:
                     return True
-                if details_status in {503, 504}:
+                if details_status in {500, 502, 503, 504}:
                     return True
 
         return False

src/core/services/resilience/handlers/auth_error_handler.py

@@ -121,6 +121,7 @@ def _do_handle(self, context: ErrorContext) -> ResilienceAction:
             context.extra.get("is_personal_backend") is True
             or "oauth" in backend_type
             or "oauth" in instance_id_lower
+            or "codex" in instance_id_lower
         ):
             return ResilienceAction(
                 type=ActionType.PROCEED,