fix(auth): distinguish revoked API keys from transient auth errors (#25754)

Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: 8f9c07a200 Co-authored-by: rrenamed <87486610+rrenamed@users.noreply.github.com> Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Reviewed-by: @gumadeiras
2026-05-08 16:38:27 +00:00 · 2026-02-26 02:47:16 +02:00
parent f312222159
commit c0026274d9
15 changed files with 247 additions and 18 deletions
--- a/src/agents/auth-profiles/types.ts
+++ b/src/agents/auth-profiles/types.ts
@@ -34,6 +34,7 @@ export type AuthProfileCredential = ApiKeyCredential | TokenCredential | OAuthCr

 export type AuthProfileFailureReason =
  | "auth"
+  | "auth_permanent"
  | "format"
  | "rate_limit"
  | "billing"
--- a/src/agents/auth-profiles/usage.test.ts
+++ b/src/agents/auth-profiles/usage.test.ts
@@ -141,6 +141,24 @@ describe("resolveProfilesUnavailableReason", () => {
    ).toBe("billing");
  });

+  it("returns auth_permanent for active permanent auth disables", () => {
+    const now = Date.now();
+    const store = makeStore({
+      "anthropic:default": {
+        disabledUntil: now + 60_000,
+        disabledReason: "auth_permanent",
+      },
+    });
+
+    expect(
+      resolveProfilesUnavailableReason({
+        store,
+        profileIds: ["anthropic:default"],
+        now,
+      }),
+    ).toBe("auth_permanent");
+  });
+
  it("uses recorded non-rate-limit failure counts for active cooldown windows", () => {
    const now = Date.now();
    const store = makeStore({
@@ -490,7 +508,7 @@ describe("markAuthProfileFailure — active windows do not extend on retry", ()
  async function markFailureAt(params: {
    store: ReturnType<typeof makeStore>;
    now: number;
-    reason: "rate_limit" | "billing";
+    reason: "rate_limit" | "billing" | "auth_permanent";
  }): Promise<void> {
    vi.useFakeTimers();
    vi.setSystemTime(params.now);
@@ -528,6 +546,18 @@ describe("markAuthProfileFailure — active windows do not extend on retry", ()
      }),
      readUntil: (stats: WindowStats | undefined) => stats?.disabledUntil,
    },
+    {
+      label: "disabledUntil(auth_permanent)",
+      reason: "auth_permanent" as const,
+      buildUsageStats: (now: number): WindowStats => ({
+        disabledUntil: now + 20 * 60 * 60 * 1000,
+        disabledReason: "auth_permanent",
+        errorCount: 5,
+        failureCounts: { auth_permanent: 5 },
+        lastFailureAt: now - 60_000,
+      }),
+      readUntil: (stats: WindowStats | undefined) => stats?.disabledUntil,
+    },
  ];

  for (const testCase of activeWindowCases) {
@@ -573,6 +603,19 @@ describe("markAuthProfileFailure — active windows do not extend on retry", ()
      expectedUntil: (now: number) => now + 20 * 60 * 60 * 1000,
      readUntil: (stats: WindowStats | undefined) => stats?.disabledUntil,
    },
+    {
+      label: "disabledUntil(auth_permanent)",
+      reason: "auth_permanent" as const,
+      buildUsageStats: (now: number): WindowStats => ({
+        disabledUntil: now - 60_000,
+        disabledReason: "auth_permanent",
+        errorCount: 5,
+        failureCounts: { auth_permanent: 2 },
+        lastFailureAt: now - 60_000,
+      }),
+      expectedUntil: (now: number) => now + 20 * 60 * 60 * 1000,
+      readUntil: (stats: WindowStats | undefined) => stats?.disabledUntil,
+    },
  ];

  for (const testCase of expiredWindowCases) {
--- a/src/agents/auth-profiles/usage.ts
+++ b/src/agents/auth-profiles/usage.ts
@@ -4,6 +4,7 @@ import { saveAuthProfileStore, updateAuthProfileStoreWithLock } from "./store.js
 import type { AuthProfileFailureReason, AuthProfileStore, ProfileUsageStats } from "./types.js";

 const FAILURE_REASON_PRIORITY: AuthProfileFailureReason[] = [
+  "auth_permanent",
  "auth",
  "billing",
  "format",
@@ -394,8 +395,8 @@ function computeNextProfileUsageStats(params: {
    lastFailureAt: params.now,
  };

-  if (params.reason === "billing") {
-    const billingCount = failureCounts.billing ?? 1;
+  if (params.reason === "billing" || params.reason === "auth_permanent") {
+    const billingCount = failureCounts[params.reason] ?? 1;
    const backoffMs = calculateAuthProfileBillingDisableMsWithConfig({
      errorCount: billingCount,
      baseMs: params.cfgResolved.billingBackoffMs,
@@ -408,7 +409,7 @@ function computeNextProfileUsageStats(params: {
      now: params.now,
      recomputedUntil: params.now + backoffMs,
    });
-    updatedStats.disabledReason = "billing";
+    updatedStats.disabledReason = params.reason;
  } else {
    const backoffMs = calculateAuthProfileCooldownMs(nextErrorCount);
    // Keep active cooldown windows immutable so retries within the window
@@ -424,8 +425,9 @@ function computeNextProfileUsageStats(params: {
 }

 /**
- * Mark a profile as failed for a specific reason. Billing failures are treated
- * as "disabled" (longer backoff) vs the regular cooldown window.
+ * Mark a profile as failed for a specific reason. Billing and permanent-auth
+ * failures are treated as "disabled" (longer backoff) vs the regular cooldown
+ * window.
 */
 export async function markAuthProfileFailure(params: {
  store: AuthProfileStore;