[codex] surface refresh auth and /data permission failures

[zachyzissou]

Summary

• make refresh failures explicit in WebUI:
  • parse API error details
  • show clear unauthorized guidance when /refresh returns 401
  • poll /status after refresh trigger so the UI reflects async generation instead of appearing as a no-op
  • display configured refresh_access_mode in quick stats
• improve health diagnostics for deployment issues:
  • add checks.data_dir_writable
  • include refresh_access_mode in /health and /status
  • add HEAD /health endpoint for probe compatibility
• add integration coverage for refresh_access_mode, data_dir_writable, and HEAD /health
• update troubleshooting docs for unauthorized refresh and /data permission-denied scenarios

Validation

• python3 -m black app/server.py test_integration.py
• python3 -m py_compile app/server.py test_integration.py
• npm run -s lint:js
• npm run -s lint:md

Notes

• local runtime tests were not executed here because this environment has Python 3.9 while the project targets 3.11+.

[Copilot]

Pull request overview

This PR improves operator and user-facing diagnostics around refresh authorization failures and /data permission issues, while making the WebUI reflect asynchronous refresh behavior more clearly via /status polling.

Changes:

• WebUI: poll /status after triggering /refresh, parse API error details, and display refresh_access_mode in quick stats.
• API/ops: add checks.data_dir_writable, include refresh_access_mode in /health and /status, and add HEAD /health for probe compatibility.
• Tests/docs: extend integration assertions for the new fields and HEAD endpoint; add troubleshooting guidance for unauthorized refresh and /data permission errors.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File	Description
web/assets/app.js	Adds refresh-status polling, better refresh error messaging, and displays refresh_access_mode in the UI.
app/server.py	Adds refresh_access_mode helper, checks.data_dir_writable, and HEAD /health.
test_integration.py	Adds assertions for refresh_access_mode, data_dir_writable, and HEAD /health.
README.md	Updates troubleshooting guidance for refresh auth and /data permission failures.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

data_dir_writable uses os.access(DATA_DIR, os.W_OK) which isn’t sufficient for directories (you typically need execute permission as well to create files, and os.access can still be a false-positive depending on filesystem semantics). To avoid reporting writable when the app can’t actually write, check for both W_OK | X_OK at minimum, or perform a lightweight create/delete probe in DATA_DIR (and treat failures as not writable).

[Copilot]

The refresh click handler captures originalText = btn.textContent and later restores it via btn.innerHTML = originalText. This drops the original <span aria-hidden="true">↻</span> markup from index.html and can make the icon text announced by screen readers (accessibility regression). Store/restore btn.innerHTML (or rebuild the original DOM structure) instead of using textContent for the reset path.

[Copilot]

fetchStatusSnapshot() is awaited before the button is disabled/loading state is set. If /status is slow/hung, the user can click multiple times and trigger multiple concurrent refresh handlers before the UI locks, potentially causing multiple /refresh calls. Consider disabling the button / setting aria-busy before awaiting the status snapshot (or reusing the last loaded status).

[Copilot]

_refresh_access_mode() can return an inaccurate mode when both ALLOW_ANONYMOUS_LOCAL_REFRESH and APP_REFRESH_TOKEN are set. In that configuration, /refresh is allowed from LAN without auth and allowed elsewhere with the token, but this function reports only lan_anonymous. Consider returning a distinct value for the combined case (or exposing both flags separately) so /status, /health, and the WebUI don’t mislead operators.