fix(providers/codex): fresh AbortController per retry attempt (#1266)

[truffle-dev]

Summary

• Problem: CodexProvider.sendQuery's retry loop reuses the caller's AbortSignal across every attempt. When attempt N's Codex subprocess crashes, Node's spawn({ signal }) linkage aborts the linked signal during SIGTERM, and attempt N+1 inherits an already-aborted signal — SIGTERMing the freshly-spawned child before it reads its stdin.
• Why it matters: Class A of bug(codex): retry loop reuses caller AbortSignal; crash on attempt N poisons attempt N+1 #1266. Any user-visible "Reading prompt from stdin..." error after a subprocess crash is a phantom — the retry CLI is being killed at spawn time, not failing at read time. Operators chasing the Codex CLI find nothing because Codex CLI itself was healthy. Retries appear to fail consistently after the first crash, breaking the whole point of the retry loop.
• What changed: Signal assignment moves out of buildTurnOptions into the retry loop in packages/providers/src/codex/provider.ts. Each attempt builds a fresh AbortController, chains the caller's signal in via a once-listener, and tears the listener back down in try/finally.
• What did NOT change (scope boundary): buildTurnOptions produces the same shape minus the signal field. Class B of bug(codex): retry loop reuses caller AbortSignal; crash on attempt N poisons attempt N+1 #1266 (the internal binary HTTP timeout that fires before the provider layer runs) is left out of scope — different surface, different fix. No other provider's retry loop is touched.

UX Journey

Before

Operator                       Archon                              Codex CLI subprocess
────────                       ──────                              ────────────────────
runs codex workflow ───────▶   sendQuery attempt 0
                               spawn({ signal: caller }) ──────▶   starts, crashes
                                                                   ◀── SIGTERM linked signal
                               attempt 0 fails, retry loop wakes
                               spawn({ signal: caller }) ──────▶   spawned, signal already aborted
                                                                   ◀── SIGTERM at spawn time
                                                                       "Reading prompt from stdin..." (banner)
sees attempt-1 error       ◀── attempt 1 fails identically
"Reading prompt from stdin"    retries exhausted, error returned

After

Operator                       Archon                              Codex CLI subprocess
────────                       ──────                              ────────────────────
runs codex workflow ───────▶   sendQuery attempt 0
                               [+] new AbortController per attempt
                               [+] caller signal chained once
                               spawn({ signal: per-attempt }) ─▶   starts, crashes
                                                                   ◀── SIGTERM per-attempt only
                                                                       caller signal untouched
                               attempt 0 fails, retry loop wakes
                               [+] new AbortController per attempt
                               [+] caller signal chained once
                               spawn({ signal: per-attempt }) ─▶   starts, runs to completion
                                                                   ◀── stream events
sees clean retry result    ◀── attempt 1 succeeds, returned

Architecture Diagram

Before

sendQuery
  └─ buildTurnOptions(requestOptions)
       └─ turnOptions.signal = requestOptions.abortSignal     [caller signal, reused]
  └─ for (attempt of attempts):
       └─ thread.runStreamed(..., turnOptions)                [signal === caller, mutated by spawn lifecycle]
       └─ streamCodexEvents(..., turnOptions.signal)          [observes mutation]

After

sendQuery
  └─ buildTurnOptions(requestOptions)
       └─ turnOptions = { ... } without signal
  └─ for (attempt of attempts):
       └─ [+] new AbortController()
       └─ [+] caller?.addEventListener('abort', forward, { once: true })
       └─ try {
            turnOptions.signal = perAttempt.signal            [+] per-attempt signal
            └─ thread.runStreamed(..., turnOptions)
            └─ streamCodexEvents(..., perAttempt.signal)      [observes per-attempt only]
          } finally {
            caller?.removeEventListener('abort', forward)     [+] cleanup
            perAttempt.abort()                                [+] cleanup
          }

Connection inventory:

From	To	Status	Notes
buildTurnOptions	turnOptions.signal	removed	no longer assigned in this function
retry loop (per attempt)	new AbortController()	new	per-attempt fresh controller
caller abortSignal	per-attempt controller	new	once-listener forwards abort
retry loop (per attempt)	listener cleanup	new	try/finally symmetry
streamCodexEvents	per-attempt signal	modified	observes per-attempt, not caller

Label Snapshot

• Risk: risk: low
• Size: size: S
• Scope: adapters
• Module: providers:codex

Change Metadata

• Change type: bug
• Primary scope: adapters

Linked Issue

• Fixes bug(codex): retry loop reuses caller AbortSignal; crash on attempt N poisons attempt N+1 #1266 (class A: codex subprocess retry)
• Out of scope: class B in bug(codex): retry loop reuses caller AbortSignal; crash on attempt N poisons attempt N+1 #1266 (binary HTTP timeout pre-provider layer)

Validation Evidence (required)

bun test packages/providers/src/codex/provider.test.ts        # 51 pass, 0 fail (was 47/4 with fix stashed)
bun x eslint packages/providers/src/codex/ --max-warnings 0   # clean
bun x tsc --noEmit (in packages/providers)                    # clean
bun x prettier --check (on both changed files)                # clean

• Evidence provided: stash-bisect verified — fix stashed → 47 pass / 4 fail / 108 expects, fix restored → 51 pass / 0 fail / 111 expects.
• The four failures with the fix stashed are exactly the four regression tests added/updated in this PR (per-attempt-signal, caller-forwarding, per-attempt-with-caller-signal rename, per-attempt-without-caller-signal rename).

Security Impact (required)

• New permissions/capabilities? No
• New external network calls? No
• Secrets/tokens handling changed? No
• File system access scope changed? No

Compatibility / Migration

• Backward compatible? Yes — caller-visible sendQuery API and abort semantics are unchanged. Caller-supplied abortSignal still aborts the active attempt; the only behavioural change is that the retry loop's internal signal lifecycle is isolated from the caller's.
• Config/env changes? No
• Database migration needed? No

Human Verification (required)

• Verified scenarios:
  • Crash on attempt 0 → attempt 1 receives a fresh, non-aborted signal. Regression test asserts on the signal captured at runStreamed call-time via mockImplementation (since mock.calls[i].signal would read the post-mutation reference).
  • Caller abort mid-attempt → per-attempt signal observes the abort via the once-listener.
  • No-caller-signal path → turnOptions.signal is still always an AbortSignal (the per-attempt one), so downstream runStreamed call-shape is preserved.
  • try/finally tear-down → per-attempt controller is aborted on every exit (success or throw); listener removed.
• Edge cases checked:
  • Caller signal already aborted at sendQuery entry — per-attempt controller forwards immediately; behaviour matches pre-fix for this case.
  • Caller never aborts — once-listener never fires, removed in finally; no leaked listeners.
  • Long retry chain on a long-lived caller signal — listener attached and removed per attempt, so listener count never accumulates.
• What was not verified: real Codex CLI subprocess crash — reproducing the original SIGTERM-during-spawn requires a flaky Codex binary and a specific OS/spawn race. The four regression tests assert the abstract invariant (per-attempt signal isolation + caller forwarding); the integration evidence is the comment thread on bug(codex): retry loop reuses caller AbortSignal; crash on attempt N poisons attempt N+1 #1266 with operators reporting the "Reading prompt from stdin..." retry-floor failure shape.

Side Effects / Blast Radius (required)

• Affected subsystems/workflows: codex provider only. Other providers (Claude SDK, Pi, etc.) have their own retry loops and are not touched.
• Potential unintended effects: if any caller was relying on turnOptions.signal === requestOptions.abortSignal (identity equality) downstream, that assumption no longer holds. The existing test suite did not assert it, and no in-tree caller does.
• Guardrails/monitoring: the four regression tests cover the per-attempt isolation invariant. A regression that re-introduces caller-signal reuse fails CI.

Rollback Plan (required)

• Fast rollback command/path: git revert <merge-commit-sha> — two files: provider.ts (signal-handling block) and provider.test.ts (regression coverage).
• Feature flags or config toggles: none — the change is invariant in the retry loop.
• Observable failure symptoms: post-crash retry attempts fail with "Reading prompt from stdin..." in the user-visible error, despite Codex CLI being healthy (the original symptom from bug(codex): retry loop reuses caller AbortSignal; crash on attempt N poisons attempt N+1 #1266).

Risks and Mitigations

• Risk: try/finally aborting the per-attempt controller on success could surprise downstream code that holds a reference to turnOptions.signal past the attempt's resolution.
  • Mitigation: runStreamed's consumption of the signal is bounded by the attempt; streamCodexEvents already disposes of its signal observation when the stream ends. No in-tree consumer holds the signal past the attempt boundary.
• Risk: identity-equality breakage as noted in Blast Radius.
  • Mitigation: the existing identity-assertion tests were renamed (not removed) to assert the new invariant — turnOptions.signal is an AbortSignal but not identity-equal to the caller's. The new contract is explicit and grep-able.
• Risk: race between caller abort and per-attempt completion firing the once-listener after removeEventListener.
  • Mitigation: listener is registered with { once: true } and removed in finally; the only window for a stale fire is between the abort dispatch and the finally block, both on the same tick. Cleanup is idempotent (controller.abort() on an already-aborted controller is a no-op).

Summary by CodeRabbit

• Bug Fixes

  • Improved abort-signal handling for retries so each attempt is isolated and aborted state is cleaned up
  • More robust Pi shim setup with clearer error reporting on filesystem failures

• Documentation

  • Clarified binary path autodetection and when explicit paths are optional for supported providers

• Tests

  • Added and strengthened regression tests for retry/abort behavior and binary autodetection (POSIX/Windows)

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: eab0874d-bd5e-4356-ab5b-e793b66733c3

📥 Commits

Reviewing files that changed from the base of the PR and between 3308df1 and d1645b7.

📒 Files selected for processing (7)

• packages/docs-web/src/content/docs/getting-started/ai-assistants.md
• packages/docs-web/src/content/docs/getting-started/configuration.md
• packages/providers/src/codex/binary-resolver.test.ts
• packages/providers/src/codex/provider.test.ts
• packages/providers/src/codex/provider.ts
• packages/providers/src/community/pi/provider.test.ts
• packages/providers/src/community/pi/provider.ts

✅ Files skipped from review due to trivial changes (1)

• packages/docs-web/src/content/docs/getting-started/configuration.md

🚧 Files skipped from review as they are similar to previous changes (3)

• packages/docs-web/src/content/docs/getting-started/ai-assistants.md
• packages/providers/src/codex/provider.ts
• packages/providers/src/codex/provider.test.ts

---

📝 Walkthrough

Walkthrough

Per-attempt AbortController chaining was added to Codex sendQuery with upfront aborted checks; tests and resolver tests updated; PiProvider shim creation was hardened and tests added; docs updated to document compiled-binary autodetect and CLAUDE_BIN_PATH fallback behavior.

Changes

Codex Provider Per-Attempt Cancellation

Layer / File(s)	Summary
Per-attempt abort in sendQuery packages/providers/src/codex/provider.ts	sendQuery now creates a new AbortController per retry, chains the caller's abort via a once-listener, assigns the attempt signal to turnOptions, moves thread recreation into the per-attempt try, checks already-aborted signals before streaming, uses attempt signal for streamCodexEvents, and cleans up (removes listener and aborts attempt controller) in finally.
streamCodexEvents pre-check packages/providers/src/codex/provider.ts	streamCodexEvents now checks abortSignal.aborted up-front and throws Query aborted if already aborted.
Codex provider tests packages/providers/src/codex/provider.test.ts	Tests assert that TurnOptions.signal is a per-attempt AbortSignal, strengthen the no-signal case, and add regression tests verifying fresh signal per retry and caller-initiated mid-stream abort yields Query aborted.
Codex binary resolver tests packages/providers/src/codex/binary-resolver.test.ts	Adds homedir import, updates POSIX expectation to use homedir(), and adds Windows/npm-global and config-precedence autodetect tests.

Pi shim, tests, and docs

Layer / File(s)	Summary
Pi package-dir shim helper & invocation packages/providers/src/community/pi/provider.ts	Shim creation wrapped in try/catch with clearer "Pi shim setup failed at " message; PI_PACKAGE_DIR still set to tmpdir-based archon-pi-shim.
Pi provider shim test packages/providers/src/community/pi/provider.test.ts	Test adds stdlib imports and asserts PI_PACKAGE_DIR === join(tmpdir(), 'archon-pi-shim') and that generated package.json contains expected name, version, and piConfig fields.
Docs: compiled-binary autodetect & CLAUDE_BIN_PATH packages/docs-web/src/content/docs/getting-started/ai-assistants.md, packages/docs-web/src/content/docs/getting-started/configuration.md	Clarifies when claude needs an explicit path, enumerates autodetect probe paths for compiled Claude/Codex binaries, and marks CLAUDE_BIN_PATH optional with fallback/override behavior documented.

Sequence Diagram(s)

sequenceDiagram
  actor Caller
  participant Provider as CodexProvider
  participant AttemptCtrl as AttemptController
  participant Stream as streamCodexEvents
  participant Codex as Codex CLI/SDK

  Caller->>Provider: sendQuery(prompt, options.abortSignal)
  loop retry attempts
    Provider->>AttemptCtrl: new AbortController()
    Provider->>AttemptCtrl: addEventListener once (caller.abort -> attemptCtrl.abort)
    Provider->>Stream: streamCodexEvents(turnOptions with attemptCtrl.signal)
    Stream->>Codex: spawn({ signal: attemptCtrl.signal })
    alt caller aborts
      Caller->>Provider: abort()
      AttemptCtrl->>Codex: signal abort -> terminate child
      Codex-->>Stream: error
      Stream-->>Provider: catch -> throw "Query aborted"
    else SDK crash/error
      Codex-->>Stream: error
      Stream-->>Provider: catch -> classify/retry
    end
    Provider->>AttemptCtrl: finally: remove listener + attemptCtrl.abort()
  end
  Provider-->>Caller: final result or error

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• coleam00/Archon#1162: Overlapping Codex sendQuery/streamCodexEvents refactor and abort/error classification changes.
• coleam00/Archon#1361: Related changes to Codex binary-path resolution and tests.
• coleam00/Archon#1360: Related Pi provider shim updates and tests.

Poem

🐰 Fresh signals hop in line,
Each retry gets its own sign,
Crashes no longer poison the next,
Shim writes safe, resolver checks,
Hopping cleanly—one run at a time.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely describes the primary fix: introducing fresh AbortController per retry attempt to resolve signal poisoning.
Description check	✅ Passed	The description comprehensively covers all required template sections: summary with problem/why/what changed, UX journey before/after, architecture diagrams with connection inventory, labels, validation evidence, security impact, compatibility, human verification, side effects, rollback plan, and risks with mitigations.
Linked Issues check	✅ Passed	The PR successfully addresses class A of #1266 by implementing per-attempt AbortController isolation in the retry loop and adding regression tests for signal forwarding, per-attempt lifecycle, and crash-recovery scenarios.
Out of Scope Changes check	✅ Passed	All code changes align with the stated scope: Codex provider signal handling (per-attempt AbortController), related test coverage, documentation clarifications, and minor Pi provider error-handling improvements. Class B investigation and other provider modifications are explicitly deferred.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

packages/providers/src/codex/provider.ts (1)

579-585: Consider AbortSignal.any() for cleaner signal chaining.

The current addEventListener / removeEventListener pattern works correctly, but AbortSignal.any([attemptController.signal, requestOptions.abortSignal]) is more idiomatic for combining abort signals. Since each retry iteration creates a fresh AbortController, you can chain it via AbortSignal.any() and pass the result to runStreamed—no manual listener bookkeeping needed.

This is an optional improvement; the current implementation is correct and handles the retry logic (issue #1266) appropriately.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/providers/src/codex/provider.ts` around lines 579 - 585, Replace the
manual addEventListener/removeEventListener chaining with AbortSignal.any by
creating the per-attempt AbortController (attemptController) as before, then
compose a combined signal using AbortSignal.any([attemptController.signal,
requestOptions?.abortSignal]) and pass that combined signal into runStreamed
(instead of wiring onCallerAbort). Remove onCallerAbort and the event listener
cleanup; keep attemptController.abort() usage for per-attempt aborts so retries
still work the same.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@packages/providers/src/codex/provider.ts`:
- Around line 579-585: Replace the manual addEventListener/removeEventListener
chaining with AbortSignal.any by creating the per-attempt AbortController
(attemptController) as before, then compose a combined signal using
AbortSignal.any([attemptController.signal, requestOptions?.abortSignal]) and
pass that combined signal into runStreamed (instead of wiring onCallerAbort).
Remove onCallerAbort and the event listener cleanup; keep
attemptController.abort() usage for per-attempt aborts so retries still work the
same.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d9c198b9-6ee1-4eff-abd5-84063276c8c9

📥 Commits

Reviewing files that changed from the base of the PR and between b99cee4 and 442a117.

📒 Files selected for processing (2)

• packages/providers/src/codex/provider.test.ts
• packages/providers/src/codex/provider.ts

[Wirasm]

Hi @truffle-dev — thanks for opening this PR.

This repository uses a PR template at .github/pull_request_template.md with several required sections. A few of them appear to be empty or placeholder here:

• UX Journey
• Architecture Diagram
• Label Snapshot
• Change Metadata
• Security Impact
• Compatibility / Migration
• Side Effects / Blast Radius
• Rollback Plan
• Risks and Mitigations

Could you fill those out (even briefly)? The template helps reviewers understand scope, risk, and rollback — it speeds up review significantly.

If a section genuinely doesn't apply, just write "N/A" in it rather than leaving it blank.

[truffle-dev]

Filled in. UX Journey + before/after Architecture Diagrams trace the per-attempt signal lifecycle (the fix's whole point), Label Snapshot, Change Metadata, Security (no/no/no/no), Compatibility, Human Verification, Side Effects, Rollback, Risks all populated. Existing Problem/Change/Regression-tests detail kept and slotted into Summary + Validation Evidence + Risks.

[truffle-dev]

Friendly check-in. 18 days since the PR template was filled in per the review request. The per-attempt AbortController fix still stands — happy to rebase against dev if it's drifted.

[Wirasm]

Review Summary

Verdict: minor-fixes-needed

Good set of changes. The Codex retry-signal fix for #1266 is the headline — the finally block pattern correctly creates a fresh AbortController per attempt. Binary autodetection for Claude (~/.local/bin/claude) and the PI package-dir shim are clean, targeted improvements. Two issues need attention before merge: the abort-signal latency gap in streamCodexEvents and stale docs that claim Claude can't be auto-discovered (it now can be).

Blocking issues

• packages/providers/src/codex/provider.ts:781 — streamCodexEvents abort-signal check runs only between for await events, not at generator entry. A mid-stream caller abort won't be observed until the next event or stream-end, adding latency.

  Fix: Add a synchronous check immediately after entering the generator, before the for await:

  if (abortSignal?.aborted) {
    getLog().info('query_aborted_before_stream');
    throw new Error('Query aborted');
  }
  for await (const event of events) { ... }

Suggested fixes

• packages/providers/src/codex/provider.ts:607 — The removeEventListener in the finally block has no effect when the signal fires inline (already auto-removed by { once: true }). Add removeEventListener unconditionally after addEventListener:

  requestOptions.abortSignal.addEventListener('abort', onCallerAbort, { once: true });
  requestOptions.abortSignal.removeEventListener('abort', onCallerAbort); // unconditional

• ai-assistants.md (lines 47–63) + configuration.md (line 17) — Both pages say compiled Archon binaries "cannot auto-discover Claude Code" and require CLAUDE_BIN_PATH. This PR adds ~/.local/bin/claude auto-detection (step 3). Update both pages to reflect this.

• ai-assistants.md — Codex autodetect docs mention only env/config/vendor paths. Three new probes (~/.npm-global/bin/codex, /opt/homebrew/bin/codex, /usr/local/bin/codex) are not documented. Add a note describing these paths.

Minor / nice-to-have

• packages/providers/src/community/pi/provider.ts — ensurePiPackageDirShim wraps mkdirSync/writeFileSync without try/catch. A permissions or disk-full error surfaces as a raw EACCES/ENOSPC from node:fs. Wrap in try/catch and re-throw as a classified error ("Pi shim setup failed: ${e.message}").

• packages/providers/src/codex/provider.ts:575 — Model-access errors on retry attempts are not logged. Add a getLog().debug inside the isModelAccessError branch before the throw.

• packages/providers/src/codex/binary-resolver.test.ts:94 — Use homedir() instead of process.env.HOME ?? '/Users/test' to match the implementation (already done correctly in the Claude test at line 83).

• packages/providers/src/codex/binary-resolver.test.ts — Two test gaps: Windows autodetect branch untested, and config precedence over autodetect not covered (analogous test exists for Claude).

• packages/providers/src/community/pi/provider.test.ts — Regression test verifies PI_PACKAGE_DIR is set but doesn't assert on the stub package.json content (name, version, piConfig fields).

Compliments

• The finally block pattern for the bug(codex): retry loop reuses caller AbortSignal; crash on attempt N poisons attempt N+1 #1266 regression fix is well-structured — the once-listener chaining and explicit cleanup are exactly right.
• The executor.ts comments on the orphan-release race condition and stale-pending window are excellent — the WHY is captured clearly for future readers.

---

Reviewed via maintainer-review-pr workflow (Pi/Minimax). Aspects run: code-review, error-handling, test-coverage, comment-quality, docs-impact.

[truffle-dev]

Blocking

1. streamCodexEvents now checks abortSignal?.aborted before entering the for await, logging query_aborted_before_stream and throwing Query aborted. The between-events check is retained. 3308df1

Suggested fixes

2. Declining this one. Calling removeEventListener('abort', onCallerAbort) immediately after addEventListener('abort', onCallerAbort, { once: true }) unsubscribes the listener before the abort can fire, which defeats the per-attempt wiring that bug(codex): retry loop reuses caller AbortSignal; crash on attempt N poisons attempt N+1 #1266's fix depends on. The finally block does the cleanup on the path where the signal never fires; on the path where it did fire, the removeEventListener call is a no-op (already removed by { once: true }) so it's harmless rather than wasteful. The if (requestOptions?.abortSignal) guard there is to avoid TypeError on undefined, not to suppress a no-op. Happy to move to a try/finally shape if that reads cleaner, but the order needs to stay add → await → remove.

3. ai-assistants.md and configuration.md both updated. The Claude binary-path section now describes the ~/.local/bin/claude (POSIX) and %USERPROFILE%\.local\bin\claude.exe (Windows) autodetect probe, and CLAUDE_BIN_PATH is no longer marked Required for binary builds. 3308df1

4. ai-assistants.md Codex section gains a 4th bullet enumerating all five autodetect probe paths: ~/.npm-global/bin/codex, /opt/homebrew/bin/codex, /usr/local/bin/codex, %APPDATA%\npm\codex.cmd, %USERPROFILE%\.npm-global\codex.cmd. 3308df1

Minor / nice-to-have

5. ensurePiPackageDirShim now wraps mkdirSync / writeFileSync in try/catch and re-throws as Pi shim setup failed at <dir>: <message>. 3308df1

6. getLog().debug({ attempt, errorClass: 'model_access' }, 'query_error_pre_retry') added inside the retry-attempt isModelAccessError branch at provider.ts:601. The three pre-loop sites already log via their callers; the retry-attempt site was the one that short-circuited before the outer query_error log, which is the gap you flagged. 3308df1

7. binary-resolver.test.ts now imports homedir from node:os and uses it for the npm-global probe path. 3308df1

8. Added two tests: a Windows-only %APPDATA%\npm\codex.cmd autodetect test mirroring the existing POSIX-only test, and config codexBinaryPath takes precedence over autodetect to round out the four-tier precedence (env → config → vendor → autodetect). 3308df1

9. pi/provider.test.ts shim test now reads the on-disk package.json after sendQuery and asserts name === 'archon-pi-shim', version === '0.0.0', piConfig === {}. 3308df1

All 120 affected tests pass; bun x tsc --noEmit clean.

[Wirasm]

Thanks for the abort-pre-check and abort-before-stream logging in `3308df155` @truffle-dev — that addresses the blocking feedback.

The PR went CONFLICTING after #1651, #1658, and #1459 landed on dev with overlapping changes in `packages/providers/src/codex/provider.ts`. The local simulation shows it's a single-file conflict (the others auto-merge cleanly), so the rebase should be quick. Could you rebase onto current dev when you have a minute?

[truffle-dev]

Rebased onto current dev at d1645b7. The provider.ts conflict was with #1459's MCP additions to streamCodexEvents — resolution kept both the per-attempt AbortController retry pattern and the new surfaceMcpClientErrors parameter, passing Boolean(requestOptions?.nodeConfig?.mcp) at the call site so MCP-configured nodes still surface client errors as system warnings.

Tests green (pnpm test src/codex/ — 79 pass), lint clean, prettier clean. The two pre-existing tsc errors in claude/provider.ts are unrelated to this PR (present on upstream/dev baseline).