[codex] Fix provider stream auth failures

[Telli]

Summary

• Classify provider stream failures without changing the existing provider event contract.
• Treat expired preflight auth as unavailable before starting provider streams.
• Convert terminal provider failed events into classified turn failures, including auth failures during streaming.
• Preserve cancellation propagation when provider stream parsers or transports report an error after cancellation.

Root Cause

Provider auth preflight trusted AuthStatus.IsAuthenticated without considering ExpiresAtUtc, and the runtime collected terminal provider failed events without failing the turn. Streaming adapter exceptions also needed to re-check cancellation before emitting a synthetic failed provider event.

Runtime Impact

Expired auth before stream now fails as AuthenticationUnavailable before provider resolution or stream start. Expired or invalid auth during a stream now fails the turn instead of returning partial text or placeholder output. Malformed SSE/parser failures keep using the stable terminal failed event shape and are surfaced as provider stream failures.

Validation

• dotnet test SharpClawCode.sln
• Unit tests: 215 passed
• Integration tests: 42 passed
• Parity harness: 15 passed

[Copilot]

Pull request overview

This PR improves provider streaming failure handling by classifying auth- and stream-related failures without changing the provider event contract, ensuring turns fail deterministically (rather than returning partial/placeholder output) and preserving cancellation semantics when errors occur after cancellation.

Changes:

• Add ProviderStreamFailureClassifier to (a) detect expired AuthStatus and (b) classify terminal "failed" provider events / exceptions into ProviderFailureKind.
• Update OpenAI MEAI + Anthropic SDK stream adapters to emit stable "failed" terminal events for malformed SSE/parser/transport errors while re-checking cancellation before synthesizing failure events.
• Update runtime/provider execution flow to treat expired preflight auth as unavailable and to convert terminal provider "failed" events into turn-failing ProviderExecutionExceptions; add/extend unit + integration coverage.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
tests/SharpClaw.Code.UnitTests/Providers/ProviderStreamAdapterTests.cs	Adds unit coverage for malformed SSE → "failed" event and for cancellation preservation; validates classifier status-code reflection behavior.
tests/SharpClaw.Code.IntegrationTests/Runtime/ProviderRuntimeEventFlowTests.cs	Adds integration coverage for expired preflight auth failing early and streamed auth failure events failing the turn.
src/SharpClaw.Code.Providers/OpenAiCompatibleProvider.cs	Throws early on pre-canceled tokens before starting the stream.
src/SharpClaw.Code.Providers/Models/ProviderStreamFailureClassifier.cs	New classifier for expiry/auth failure detection and stable exception-to-failed-content formatting.
src/SharpClaw.Code.Providers/Internal/OpenAiMeaiStreamAdapter.cs	Uses classifier-based error descriptions and re-checks cancellation before emitting synthetic "failed" events.
src/SharpClaw.Code.Providers/Internal/AnthropicSdkStreamAdapter.cs	Same as above for Anthropic SDK streaming events.
src/SharpClaw.Code.Providers/AnthropicProvider.cs	Adds early cancellation check and maps auth failures during stream start to ProviderExecutionException(AuthenticationUnavailable).
src/SharpClaw.Code.Agents/Internal/ProviderBackedAgentKernel.cs	Treats expired auth as unavailable and converts terminal provider "failed" events into classified ProviderExecutionExceptions.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.