fix(auth): distinguish revoked API keys from transient auth errors (#25754)

Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: 8f9c07a200 Co-authored-by: rrenamed <87486610+rrenamed@users.noreply.github.com> Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Reviewed-by: @gumadeiras
2026-05-06 02:20:21 +00:00 · 2026-02-26 02:47:16 +02:00
parent f312222159
commit c0026274d9
15 changed files with 247 additions and 18 deletions
--- a/src/agents/failover-error.ts
+++ b/src/agents/failover-error.ts
@@ -1,4 +1,8 @@
-import { classifyFailoverReason, type FailoverReason } from "./pi-embedded-helpers.js";
+import {
+  classifyFailoverReason,
+  isAuthPermanentErrorMessage,
+  type FailoverReason,
+} from "./pi-embedded-helpers.js";

 const TIMEOUT_HINT_RE =
  /timeout|timed out|deadline exceeded|context deadline exceeded|stop reason:\s*abort|reason:\s*abort|unhandled stop reason:\s*abort/i;
@@ -47,6 +51,8 @@ export function resolveFailoverStatus(reason: FailoverReason): number | undefine
      return 429;
    case "auth":
      return 401;
+    case "auth_permanent":
+      return 403;
    case "timeout":
      return 408;
    case "format":
@@ -158,6 +164,10 @@ export function resolveFailoverReasonFromError(err: unknown): FailoverReason | n
    return "rate_limit";
  }
  if (status === 401 || status === 403) {
+    const msg = getErrorMessage(err);
+    if (msg && isAuthPermanentErrorMessage(msg)) {
+      return "auth_permanent";
+    }
    return "auth";
  }
  if (status === 408) {