pub fn classify_failure(
_exit_code: i32,
stdout: &str,
stderr: &str,
) -> Option<AuthErrorKind>Expand description
Inspect a failed claude invocation and decide whether it looks
auth-shaped. Returns Some(kind) only when the patterns are
confident enough to risk relabeling.
exit_code, stdout, and stderr come from the CLI’s exit; the
classifier matches against the lowercased concatenation. The
patterns are intentionally narrow:
- “not authenticated” / “claude login” / “no credentials” / “no auth”
->
AuthErrorKind::NotAuthenticated - “expired” / “session has expired” / “token expired” ->
AuthErrorKind::Expired - “invalid api key” / “invalid token” / “401” / “unauthorized” / “403”
/ “forbidden” ->
AuthErrorKind::InvalidCredentials - “rate limit” / “quota” / “too many requests” / “429” ->
AuthErrorKind::RateLimit - “bedrock” or “vertex” present alongside an auth signal ->
AuthErrorKind::ProviderError - bare “auth” / “credential” hit with nothing more specific ->
AuthErrorKind::Other