fix(errors): classify API errors by status code, not as internal

[facundofarias]

Summary

Telemetry analysis showed the dashboard's internal error bucket was inflated by user-input failures and access-denied errors. Examples from last 30 days:

• deployments show: 73 of 74 internal errors were 404 record_not_found (user passed bad deployment id).
• deployments watch: 34 of 34 were 404 record_not_found.
• deployments create: 3 of 3 were 422 parent must exist.
• api: 9 were 404 Not Found, 1 was 400 missing param, 2 were 422 parent must exist.
• auth login: 11 were 403 AccessDenied and 4 were 403 api_access_restricted.

Root cause: Most commands return the raw *sdk.APIError directly. ClassifyError has no case for it, so the default ExitInternalError fires. The dashboard therefore mixes real CLI bugs with user input errors and access denials.

Changes

• output.ClassifyError now uses errors.As to find a wrapped *sdk.APIError after the typed-error switch. Mapping:
  • 401, 403 → AuthError
  • other 4xx (404/409/422/…) → UserError
  • 5xx → InternalError
  • Typed errors that command code wraps explicitly still win — existing override paths are preserved.
• sdk.IsForbidden added as a package-level helper, mirroring IsUnauthorized.
• runAuthLogin classifies 403 as AuthError with a hint that covers the two observed causes (account API access disabled, user not in account).
• New tests cover all major status codes and wrapping via fmt.Errorf.

Expected dashboard impact

Roughly ~150 events that were classified as internal in the last 30 days should move to user (110+) or auth (15+), giving a much cleaner signal for real CLI bugs going forward.

Test plan

• go build ./..., go vet ./..., go test ./..., golangci-lint run
• TestClassifyError_APIErrorByStatus covers 401, 403, 404, 409, 422, 500, 503.
• TestClassifyError_APIErrorWrapped covers wrapping via fmt.Errorf (errors.As chain).
• TestClassifyError_TypedErrorWinsOverAPIError confirms typed errors still take precedence.

🤖 Generated with Claude Code

Summary by CodeRabbit

• Bug Fixes

  • Enhanced authentication error handling to provide clearer distinction between access denied and unauthorized errors.
  • Improved error classification system to properly map API error codes to appropriate exit statuses.

• Tests

  • Added comprehensive test coverage for API error classification scenarios.

[coderabbitai]

Warning

Review limit reached

@facundofarias, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 2 minutes and 25 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 03daa6ef-f958-41b1-b3f8-6f89300387f4

📥 Commits

Reviewing files that changed from the base of the PR and between 630428b and 269dbc7.

📒 Files selected for processing (4)

• internal/output/breadcrumbs.go
• internal/output/breadcrumbs_test.go
• internal/output/errors.go
• internal/output/errors_test.go

Walkthrough

The PR adds HTTP 403 Forbidden error handling across the CLI stack. It introduces IsForbidden as an SDK error helper, extends the error classifier to map API status codes to exit codes, applies the helper in the auth login flow, and validates all behavior with comprehensive tests covering status mapping, error wrapping, and precedence rules.

Changes

Forbidden Response Recognition and Classification

Layer / File(s)	Summary
SDK IsForbidden status checker pkg/sdk/errors.go	Adds exported IsForbidden(err error) bool helper that detects *APIError with HTTP status 403, following the same pattern as existing status-check functions.
Error classification for API status codes internal/output/errors.go	Extends ClassifyError to recognize and classify *sdk.APIError by status code: 401/403 returns ExitAuthError, other 4xx returns ExitUserError, 5xx returns ExitInternalError. Adds net/http import and documents classification precedence.
Auth login forbidden response handler internal/commands/auth.go	Updates runAuthLogin credential validation to detect forbidden responses using sdk.IsForbidden and return an output.AuthError with "Access denied" message and API access/membership restriction hint.
Tests for API status-code classification internal/output/errors_test.go	Adds three test functions: TestClassifyError_APIErrorByStatus (verifies status-code mapping for 401/403/404/409/422/500/503), TestClassifyError_APIErrorWrapped (confirms unwrapping through error chains), and TestClassifyError_TypedErrorWinsOverAPIError (validates precedence when typed errors wrap API errors).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• deployhq/deployhq-cli#4: Both PRs extend ClassifyError and error handling in auth flow—this PR for forbidden (403) status mapping, the retrieved PR for network connectivity errors.

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the primary objective: fixing error classification by mapping API errors to appropriate exit codes based on HTTP status, rather than defaulting all to internal errors.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/classify-api-errors-by-status

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 630428b752

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Return matching JSON error codes for API errors

When a command returns a raw *sdk.APIError in --json/piped mode, main builds the envelope with ErrorResponseFromErr, which only sets Data.Code for *UserError, *AuthError, and *InternalError and otherwise leaves it as the default "error" while taking exit_code from ClassifyError. This new status-code branch therefore produces inconsistent JSON such as code: "error", exit_code: 3 for 401/403 or code: "error", exit_code: 1 for 4xx API failures, so agents that follow the documented auth_error/user_error codes will miss these newly reclassified cases; please mirror the API status mapping in the JSON error response as well.

Useful? React with 👍 / 👎.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/output/errors_test.go`:
- Around line 166-171: The test currently only classifies a plain UserError;
instead construct a single error value that actually contains both types (e.g.,
wrap the *sdk.APIError inside the UserError or wrap the UserError around the
*sdk.APIError using fmt.Errorf("%w", ...) / errors.Wrap so both are present) and
then call ClassifyError on that combined error and assert it returns
ExitUserError; update TestClassifyError_TypedErrorWinsOverAPIError to build that
wrapped error (referencing UserError, *sdk.APIError and ClassifyError) and
assert precedence.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3bdbc3fc-d097-41ce-98f5-8edd55aa8175

📥 Commits

Reviewing files that changed from the base of the PR and between 0387838 and 630428b.

📒 Files selected for processing (4)

• internal/commands/auth.go
• internal/output/errors.go
• internal/output/errors_test.go
• pkg/sdk/errors.go