pub fn classify_failure(
_exit_code: i32,
stdout: &str,
stderr: &str,
) -> Option<AuthErrorKind>Expand description
Inspect a failed claude invocation and decide whether it looks
auth-shaped. Returns Some(kind) only when the patterns are
confident enough to risk relabeling.
exit_code, stdout, and stderr come from the CLI’s exit; the
classifier matches against the lowercased concatenation. The
patterns are intentionally narrow:
- “may not exist” / “may not have access” / “not_found_error” /
“issue with the selected model” -> NOT auth (
None): a model-not-found / model-access failure is a bad--model, not a credential problem, even when it carries a 403/404 status. - “not authenticated” / “not logged in” / “claude login” /
“please run /login” / “run /login” / “no credentials” / “no auth”
->
AuthErrorKind::NotAuthenticated - “expired” / “session has expired” / “token expired” ->
AuthErrorKind::Expired - “invalid api key” / “invalid token” / “401” / “unauthorized” / “403”
/ “forbidden” ->
AuthErrorKind::InvalidCredentials - “rate limit” / “quota” / “too many requests” / “429” ->
AuthErrorKind::RateLimit - “bedrock” or “vertex” present alongside an auth signal ->
AuthErrorKind::ProviderError - bare “auth” / “credential” hit with nothing more specific ->
AuthErrorKind::Other