Release v0.50.297 — 3-PR batch (Docker regression fix + OAuth cancel race + persistent-host health hardening)

3 PRs from 3 contributors. Closes #1658; refs #1458, #1652, #1362.

What ships

#1659 by @bergeouss — Docker container crash-loop fix (closes #1658) [P0 regression]

PR #1635 (v0.50.295) added a writability guard that ALWAYS fired on normal Docker setups because the script runs as the non-root hermeswebuitoo user — /etc/group is owned by root, so [ ! -w /etc/group ] is always true. Every standard Docker user upgrading to v0.50.295 hit a container crash loop. This PR fixes it by using sudo sh -c 'test -w /etc/group && test -w /etc/passwd' to match the actual semantic (groupmod/usermod use sudo a few lines below). 3-LOC docker_init.bash change.

#1653 by @nesquena — OAuth cancel race fix (follow-up to #1652)

User clicks Cancel mid-Codex-OAuth-flow → the worker thread proceeds to persist credentials anyway and overrides the cancelled status with success. Net effect: cancel button stops doing what it says, credentials persist, UI reports success. Fix re-checks _OAUTH_FLOWS[flow_id].status under lock immediately after the network call and before persisting auth.json. Threading.Event-gated behavioral test deterministically reproduces the race.

#1657 by @Michaelyklam — persistent-host health hardening (refs #1458)

Three signals to distinguish "process exists" from "request handling is still advancing":

• Accept-loop heartbeat in /health (accept_loop.requests_total + last_request_at)
• /health?deep=1 readiness probe with bounded streams-lock + sessions + projects + state.db checks (returns 503 + status: degraded on failure)
• RLIMIT_NOFILE raise to 4096 at startup (defense in depth for macOS launchd jobs starting at 256)
• docs/supervisor.md watchdog recipe for launchd/systemd

PR #1656 (same author, smaller approach) closed as superseded.

Tests

4284 → 4288 passing (+4). 0 regressions. Full suite ~118s.

Pre-release verification

• Opus advisor on stage-297 combined diff: SHIP verdict. All 9 verification questions cleared. Two minor follow-ups absorbed in-release:
  • _deep_health_checks(stream_check=...) reuses pre-computed lock probe (saves redundant STREAMS_LOCK acquire on every /health?deep=1)
  • _handle_request_noblock docstring documents single-thread safety of the un-locked +=
• Self-built #1653 uses threading.Event to deterministically reproduce the OAuth cancel race
• Browser API sanity: 11/11 endpoints OK
• Conflict resolution: zero file overlap across all 3 PRs

Authors

• @bergeouss — 1 PR (#1659, AI-assisted) — fixing their own v0.50.295 #1635 regression
• @nesquena (self-built) — 1 PR (#1653)
• @Michaelyklam — 1 PR (#1657, persistent-host hardening)