fix(proxy): fail over pre-visible refresh connect stalls

[Komzpa]

Summary

• fail over compact forced-refresh/connect stalls to another eligible account instead of surfacing before output
• fail over HTTP Responses stream refresh/connect and post-401 forced-refresh/connect stalls before visible output
• keep strict preferred-owner and file-pin paths fail-closed so pinned resources do not silently move accounts

Tests

• uv run pytest tests/unit/test_proxy_utils.py::test_stream_refresh_timeout_before_visible_output_fails_over tests/unit/test_proxy_utils.py::test_stream_forced_refresh_timeout_before_visible_output_fails_over tests/unit/test_proxy_utils.py::test_compact_responses_forced_refresh_connection_reset_fails_over tests/unit/test_proxy_utils.py::test_compact_responses_refresh_connection_reset_fails_over tests/unit/test_proxy_utils.py::test_compact_responses_refresh_non_transient_client_error_does_not_penalize_accounts -q
• uv run ruff check app/modules/proxy/service.py tests/unit/test_proxy_utils.py
• uv run ty check app/modules/proxy/service.py tests/unit/test_proxy_utils.py
• git diff --check

Follow-up

• thread-goal, codex-control, transcribe, and files still have unary refresh/connect no-failover gaps; those should use a shared unary retry helper rather than four copy-paste loops.

No linked issue; addresses the owner-review file-pinned compact failover blocker in this PR.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 453eedba27

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Komzpa]

@codex review

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, add credits to your account and enable them for code reviews in your settings.

[Komzpa]

@codex review

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, add credits to your account and enable them for code reviews in your settings.

[Soju06]

Merge blocker found in owner review: compact initial refresh/connect failover can break file-pinned account ownership.

The forced-refresh path now correctly fail-closes when file_preferred_account_id is set, but the initial compact freshness failure path still treats transient refresh/connect errors as eligible for account failover. If a compact request includes an input_file.file_id pinned to account A and account A hits a transient initial refresh/connect error, this PR can exclude A and send the compact request through account B.

That violates the same file-owner invariant the forced-refresh guard is trying to preserve. Please either fail-closed for file-pinned compact requests in the initial refresh/connect transient branch too, or add a convincing test/proof that cross-account compact retry is safe there.

Also note current merge gates are not clean: fresh Codex review attempts hit usage limits, and this observable failover behavior change has no OpenSpec/issue trace.

[Soju06]

@codex review

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, add credits to your account and enable them for code reviews in your settings.

[Soju06]

@codex review

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, add credits to your account and enable them for code reviews in your settings.

[Komzpa]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. You're on a roll.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Soju06]

Merge blocker: file-pinned compact requests can still cross accounts on the actual upstream compact connect path

The new guards cover _ensure_fresh_with_budget(...) refresh/connect failures and the 401 forced-refresh branch, but the ordinary _call_compact() path still has a gap. app/core/clients/proxy.py converts an upstream compact aiohttp.ClientError / timeout during session.post(...) into ProxyResponseError(..., failure_phase="connect", retryable_same_contract=True). In app/modules/proxy/service.py, that then goes through the generic compact ProxyResponseError handling: one same-contract retry, then _handle_stream_error(...), failover_decision(...), excluded_account_ids.add(account.id), and the next outer attempt can select another account. There is no file_preferred_account_id fail-closed guard on that branch.

I reproduced this locally with a pinned input_file.file_id: account A's compact connect raised a retryable upstream_unavailable, the service retried A once, excluded A, selected account B, and returned success from B:

seen_excluded [set(), {'acc_file_pin_connect_a'}]
compact_account_ids ['acc_file_pin_connect_a', 'acc_file_pin_connect_a', 'acc_file_pin_connect_b']
request_log_account_id acc_file_pin_connect_b
request_log_status success

That still violates the new OpenSpec requirement that a file-pinned compact request MUST surface upstream-unavailable instead of replaying on another account when the pinned account cannot open the upstream compact connection before output. Please add the same file-pin fail-closed guard/regression for the retryable_same_contract / failure_phase="connect" compact ProxyResponseError path, not only the freshness branches.