fix(core): chat UI fails silently when Claude OAuth refresh token is expired

[tbrandenburg]

Summary

• What broke: When the Claude OAuth refresh token is expired or already used, the chat UI shows no response at all — no error message, no indication of failure. The server logs the error, but the user is left staring at a blank response.
• When it started: Present since stream/batch mode was introduced (original implementation gap).
• Severity: major

Steps to Reproduce

1. Log in to Claude via claude /login (OAuth flow).
2. Make at least one request so the refresh token is used.
3. Invalidate the session on the Claude side (e.g. log out, revoke access, or let it expire naturally).
4. Send any message in the Archon Web UI.

Expected vs Actual

• Expected: An error message is shown in the chat UI — e.g. "AI error (auth). Check your Claude credentials or use /reset."
• Actual: No response is shown. The UI hangs silently. Server logs contain:

  Your access token could not be refreshed because your refresh token was already used. Please log out and sign in again.
  

User Flow

  User (Web UI)          Orchestrator              Claude SDK
  ─────────────          ────────────              ──────────
  sends message ────────► handleStreamMode
                           for-await loop
                                                   subprocess fails
                                                   auth error → stderr
                           yields result msg
                           { type: 'result',
                             is_error: true,
                             session_id: undefined }
                           [X] condition false:
                           msg.sessionId is undefined
                           → result chunk DROPPED
                           allMessages.length === 0
                           → early return (no send)
  (no response) ◄───────── sendMessage never called

Environment

• Platform: Web
• Database: SQLite
• Running in worktree?: No
• OS: Linux

Logs

subprocess_error: Your access token could not be refreshed because your refresh token was already used.
Please log out and sign in again.

(No assistant message is sent to the platform — that is the bug.)

Impact

• Affected workflows/commands: All workflows and direct messages using the Claude SDK
• Reproduction rate: Always (reproducible with an expired/invalidated OAuth token)
• Workaround available?: Restart Claude auth via claude /login in the terminal, but the user has no indication they need to do this.
• Data loss risk?: No

Scope

• Package(s) involved: @archon/core
• Modules:
  • orchestrator/orchestrator-agent.ts — primary bug (handleStreamMode:876, handleBatchMode:988)
  • clients/claude.ts — secondary bug (AUTH_PATTERNS:202-209 missing refresh-token patterns, causes needless retries)

Root Cause (for implementors)

Primary (orchestrator-agent.ts:876 and :988):

Both handleStreamMode and handleBatchMode guard the result handler with msg.sessionId:

} else if (msg.type === 'result' && msg.sessionId) {

When auth fails before a session is established, the SDK yields a result with is_error: true and no session_id (field is undefined). The condition evaluates to false, the entire result chunk is dropped, allMessages stays empty, and both modes hit the early-return guard — without ever calling platform.sendMessage.

Secondary (claude.ts:202-209):

AUTH_PATTERNS does not include 'refresh token', 'access token', 'could not be refreshed', or 'log out and sign in'. If the SDK throws for this reason rather than yielding an error result, it is misclassified as crash and retried 3 times unnecessarily.

Fix

1. In handleStreamMode (:876) and handleBatchMode (:988), remove && msg.sessionId from the result branch guard. Assign newSessionId only when msg.sessionId is defined. Add an explicit isError check that calls platform.sendMessage with a user-visible error and returns early.
2. In AUTH_PATTERNS (:202), add: 'refresh token', 'access token', 'could not be refreshed', 'log out and sign in'.

[tbrandenburg]

Codex — same root cause, different failure mode

The same AUTH_PATTERNS gap exists in packages/core/src/clients/codex.ts:124–131 (identical six-entry list, same missing patterns).

What happens for Codex when the refresh token is expired:

"Your access token could not be refreshed because your refresh token was already used..."
  → codex.ts:534  classifyCodexError(err.message)
  → none of AUTH_PATTERNS match
  → classified as 'unknown'
  → retried 3× at 2s / 4s / 8s  ← 24 seconds of silence
  → all retries exhausted
  → throws "Codex query failed: Your access token..."
  → orchestrator catch → classifyAndFormatError
  → hits error-formatter.ts:51 Codex-specific branch
  → user eventually sees: "⚠️ AI error: Your access token could not be refreshed..."

So Codex does eventually surface a message — but only after 24 seconds of unnecessary retries. If the message arrives via a slightly different code path (without the "Codex query failed: " prefix), error-formatter.ts:62 blocks the generic fallback because the message contains 'token', and the user gets the uninformative "⚠️ An unexpected error occurred. Try /reset to start a fresh session." instead.

Additional Codex-specific gap: turn.failed events (line 329–338 in codex.ts) break out of the event loop after yielding a system chunk, but never yield a result chunk. This means newSessionId is never set in the orchestrator for failed turns — the session ID is lost and the session cannot be resumed.

Fix (Codex)

Same fix as Claude — add the missing patterns to codex.ts:124:

const AUTH_PATTERNS = [
  'credit balance',
  'unauthorized',
  'authentication',
  'invalid token',
  'refresh token',        // ← add
  'access token',         // ← add
  'could not be refreshed', // ← add
  'log out and sign in',  // ← add
  '401',
  '403',
];

This makes Codex auth errors classify as 'auth' → immediate throw (no retries) → classifyAndFormatError → user sees the error promptly.

[coleam00]

🔍 Investigation: fix(core): chat UI fails silently when Claude OAuth refresh token is expired

Type: BUG

Assessment

Metric	Value	Reasoning
Severity	HIGH	Auth failures silently produce no UI response — user is left hanging with zero feedback and no actionable guidance, every time.
Complexity	LOW	5 targeted pattern additions and 2 condition fixes across 3 files; no architectural changes needed.
Confidence	HIGH	Root cause is directly visible at the specific lines cited; the code path is unambiguous.

---

Problem Statement

When the Claude OAuth refresh token is expired, the Claude SDK yields a result chunk with is_error: true and no session_id. Both handleStreamMode and handleBatchMode guard the result branch with && msg.sessionId — so the chunk is silently dropped, allMessages stays empty, and the orchestrator returns without ever calling platform.sendMessage. The user sees nothing.

Secondary gap: AUTH_PATTERNS in claude.ts and codex.ts does not include OAuth refresh-token strings, causing 3× unnecessary retries (24 s silence) before throwing. Additionally, error-formatter.ts doesn't recognize the "Claude Code auth error:" prefix, so even the thrown error surfaces as the opaque generic fallback.

---

Root Cause Analysis

Primary (orchestrator-agent.ts:876 and :988):

WHY: User sees no response
↓ BECAUSE: result chunk is dropped in the for-await loop
Evidence: orchestrator-agent.ts:876 — else if (msg.type === 'result' && msg.sessionId)
↓ BECAUSE: msg.sessionId is undefined when auth fails before session establishment
Evidence: packages/core/src/types/index.ts:202 — sessionId?: string
↓ ROOT CAUSE: The && msg.sessionId guard was written to capture the session ID, accidentally also filtering out all pre-session error results

Secondary A (claude.ts:202-209, codex.ts:124-131): Missing patterns 'refresh token', 'access token', 'could not be refreshed', 'log out and sign in' → misclassified as 'crash' → 3× retries

Secondary B (error-formatter.ts:22-29): "Claude Code auth error: Your access token…" matches neither 'API key', 'authentication', nor '401'. Message contains 'token' so generic fallback is blocked → opaque "unexpected error" shown instead of re-login guidance.

---

Implementation Plan

Step	File	Change
1	orchestrator-agent.ts:876	Remove && msg.sessionId guard in handleStreamMode, add isError → send error + return
2	orchestrator-agent.ts:988	Same fix in handleBatchMode
3	clients/claude.ts:202	Add 4 OAuth patterns to AUTH_PATTERNS
4	clients/codex.ts:124	Add same 4 patterns
5	utils/error-formatter.ts:22	Add OAuth refresh-token check with re-login guidance
6	orchestrator-agent.test.ts	Add test: isError result with no sessionId → message sent
7	error-formatter.test.ts	Add test: refresh-token errors → re-login message

📋 Detailed Implementation Steps

Step 1 — handleStreamMode result branch (orchestrator-agent.ts:876):

// BEFORE:
} else if (msg.type === 'result' && msg.sessionId) {
  newSessionId = msg.sessionId;
  if (!commandDetected && platform.sendStructuredEvent) {
    await platform.sendStructuredEvent(conversationId, msg);
  }
}

// AFTER:
} else if (msg.type === 'result') {
  if (msg.sessionId) {
    newSessionId = msg.sessionId;
  }
  if (msg.isError) {
    await platform.sendMessage(
      conversationId,
      '⚠️ AI error. Check your credentials or use /reset.'
    );
    return;
  }
  if (!commandDetected && platform.sendStructuredEvent) {
    await platform.sendStructuredEvent(conversationId, msg);
  }
}

Step 2 — handleBatchMode result branch (orchestrator-agent.ts:988):

// BEFORE:
} else if (msg.type === 'result' && msg.sessionId) {
  newSessionId = msg.sessionId;
}

// AFTER:
} else if (msg.type === 'result') {
  if (msg.sessionId) {
    newSessionId = msg.sessionId;
  }
  if (msg.isError) {
    await platform.sendMessage(
      conversationId,
      '⚠️ AI error. Check your credentials or use /reset.'
    );
    return;
  }
}

Steps 3 & 4 — AUTH_PATTERNS in both clients:

const AUTH_PATTERNS = [
  'credit balance',
  'unauthorized',
  'authentication',
  'invalid token',
  'refresh token',          // ← add
  'access token',           // ← add
  'could not be refreshed', // ← add
  'log out and sign in',    // ← add
  '401',
  '403',
];

Step 5 — error-formatter.ts (insert before existing auth check):

// OAuth credential refresh (e.g. "claude /login" token expired)
if (
  message.includes('refresh token') ||
  message.includes('could not be refreshed') ||
  message.includes('log out and sign in')
) {
  return '⚠️ AI authentication error. Please re-login (e.g. `claude /login`) and try again.';
}

// General auth — also add 'auth error' to catch "Claude Code auth error:" prefix
if (
  message.includes('API key') ||
  message.includes('authentication') ||
  message.includes('auth error') ||  // ← add
  message.includes('401')
) {
  return '⚠️ AI service authentication error. Please check configuration.';
}

---

Validation

bun run type-check && bun test packages/core && bun run lint

---

Next Step

To implement: /implement-issue 1076

---

Investigated by Claude • 2026-04-11

[coleam00]

✅ Issue Resolution Report

PR: #1089 (#1089)
Status: COMPLETE

---

Summary

The root cause was a guard condition && msg.sessionId in both handleStreamMode and handleBatchMode in orchestrator-agent.ts. When auth fails before session establishment, the Claude SDK yields { type: 'result', is_error: true, session_id: undefined } — the undefined sessionId made the condition falsy, so the entire error result chunk was silently dropped. The user saw nothing. Three supporting fixes were also applied: missing OAuth patterns in AUTH_PATTERNS (preventing 3× unnecessary retries on the throw path), improved error-formatter.ts handler for OAuth refresh errors (providing actionable re-login guidance), and post-review additions (structured logging on the isError path, removal of the overly broad 'access token' pattern).

---

Changes Made

File	Change
packages/core/src/orchestrator/orchestrator-agent.ts	Removed && msg.sessionId guard from both handleStreamMode and handleBatchMode; added isError early-exit with user message + structured warn log
packages/core/src/clients/claude.ts	Added 'refresh token', 'could not be refreshed', 'log out and sign in' to AUTH_PATTERNS
packages/core/src/clients/codex.ts	Same AUTH_PATTERNS changes
packages/core/src/utils/error-formatter.ts	Added OAuth refresh-token handler; added 'auth error' to general auth check
packages/core/src/utils/error-formatter.test.ts	Added 6 tests for new OAuth and auth-error-prefix branches

---

Validation

✅ Type check (all 9 packages) | ✅ Lint (0 warnings) | ✅ Tests (400+ core tests, all green)

---

Review & Self-Fix

• 3 review findings across code-review, error-handling, and test-coverage agents
• 2 fixed: structured logging added to isError path; overly broad 'access token' pattern removed
• 1 skipped (LOW): subtype-aware message routing (e.g. max_turns vs auth) — out of scope for this fix

---

Unaddressed Items

Finding	Severity	Reason
Generic isError message ignores errorSubtype (max_turns gets misleading credential hint)	LOW	Requires its own design pass for subtype-aware routing; out of scope

---

Suggested Follow-up Issues

1. "Add subtype-aware routing for isError result chunks" (P3) — When errorSubtype is max_turns or similar, the user currently sees a misleading credentials message. Route to a subtype-specific message instead.
2. "Add OAuth retry-classification tests to claude.test.ts and codex.test.ts" (P3) — Add a test for 'refresh token' / 'could not be refreshed' paths to confirm they are classified as fatal and not retried.
3. "Add orchestrator isError path tests when mock infrastructure supports per-test sendQuery overrides" (P3) — Deferred due to process-global mock.module() constraints.

---

Resolved by Archon workflow b1c43db8281e329539efaab1e5ad5a62