fix(auth): classify permission_error as auth_permanent for profile fallback (#31324)

When an OAuth auth profile returns HTTP 403 with permission_error (e.g. expired plan), the error was not matched by the authPermanent patterns. This caused the profile to receive only a short cooldown instead of being disabled, so the gateway kept retrying the same broken profile indefinitely. Add "permission_error" and "not allowed for this organization" to the authPermanent error patterns so these errors trigger the longer billing/auth_permanent disable window and proper profile rotation. Closes #31306 Made-with: Cursor Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-05-11 20:13:43 +00:00 · 2026-03-02 14:26:05 +08:00
parent f2dbaf70fa
commit 40e078a567
2 changed files with 28 additions and 0 deletions
--- a/src/agents/pi-embedded-helpers/errors.ts
+++ b/src/agents/pi-embedded-helpers/errors.ts
@@ -660,6 +660,8 @@ const ERROR_PATTERNS = {
    "key has been revoked",
    "account has been deactivated",
    /could not (?:authenticate|validate).*(?:api[_ ]?key|credentials)/i,
+    "permission_error",
+    "not allowed for this organization",
  ],
  auth: [
    /invalid[_ ]?api[_ ]?key/,