refactor(agents): centralize auth error preview suppression

altaywtf · altaywtf · commit 1c5edafe2a56 · 2026-05-21T23:01:05.000+03:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -52,7 +52,7 @@ Docs: https://docs.openclaw.ai
 - Codex/Lossless: keep context-engine history on the canonical run session when Telegram DMs use per-peer runtime policy keys. Fixes #84936. (#84954) Thanks @neeravmakwana.
 - Auth/OAuth: skip the refresh adapter when a stored OAuth credential has no refresh token so agent turns fail fast on missing-key instead of waiting on the 120s refresh timeout. Thanks @romneyda.
 - Codex/failover: classify `deactivated_workspace` as a permanent auth failure so configured fallback models can advance when a Codex workspace is deactivated. (#55893) Thanks @litang9.
-- Agents/embedded runner: classify HTML 401 provider responses as `auth_html_401` and return a re-authentication hint instead of the CDN-blocked copy that `upstream_html` returns. Cloudflare Access login pages, nginx basic-auth challenges, and gateway login walls all produce 401 HTML bodies that were previously misdiagnosed as transient CDN blocks. (#79900) Thanks @martingarramon.
+- Agents/embedded runner: classify HTML auth provider responses as `auth_html` and return a re-authentication hint instead of the CDN-blocked copy that `upstream_html` returns. Cloudflare Access login pages, nginx basic-auth challenges, and gateway login walls all produce HTML auth bodies that were previously misdiagnosed as transient CDN blocks. (#79900) Thanks @martingarramon.
 
 ## 2026.5.20
 
diff --git a/src/agents/pi-embedded-error-observation.test.ts b/src/agents/pi-embedded-error-observation.test.ts
@@ -4,6 +4,7 @@ import {
   buildApiErrorObservationFields,
   buildTextObservationFields,
   sanitizeForConsole,
+  shouldSuppressRawErrorConsoleSuffix,
 } from "./pi-embedded-error-observation.js";
 
 const OBSERVATION_BEARER_TOKEN = "sk-redact-test-token";
@@ -182,6 +183,14 @@ describe("buildApiErrorObservationFields", () => {
     expect(observed.httpCode).toBe("401");
     expect(observed.providerRuntimeFailureKind).toBe("unclassified");
   });
+
+  it("centralizes raw console suffix suppression for auth failures", () => {
+    expect(shouldSuppressRawErrorConsoleSuffix("auth_html")).toBe(true);
+    expect(shouldSuppressRawErrorConsoleSuffix("auth_scope")).toBe(true);
+    expect(shouldSuppressRawErrorConsoleSuffix("auth_refresh")).toBe(true);
+    expect(shouldSuppressRawErrorConsoleSuffix("timeout")).toBe(false);
+    expect(shouldSuppressRawErrorConsoleSuffix(undefined)).toBe(false);
+  });
 });
 
 describe("sanitizeForConsole", () => {
diff --git a/src/agents/pi-embedded-error-observation.ts b/src/agents/pi-embedded-error-observation.ts
@@ -22,6 +22,11 @@ const OBSERVATION_EXTRA_REDACT_PATTERNS = [
   String.raw`"(?:api[-_]?key|api_key)"\s*:\s*"([^"]+)"`,
   String.raw`(?:\bCookie\b\s*[:=]\s*[^;=\s]+=|;\s*[^;=\s]+=)([^;\s\r\n]+)`,
 ];
+const RAW_ERROR_CONSOLE_SUPPRESSED_FAILURE_KINDS = new Set<ProviderRuntimeFailureKind>([
+  "auth_html",
+  "auth_refresh",
+  "auth_scope",
+]);
 
 function resolveConfiguredRedactPatterns(): string[] {
   const configured = readLoggingConfig()?.redactPatterns;
@@ -76,6 +81,14 @@ function redactObservationText(text: string | undefined): string | undefined {
   });
 }
 
+export function shouldSuppressRawErrorConsoleSuffix(
+  providerRuntimeFailureKind?: ProviderRuntimeFailureKind,
+): boolean {
+  return providerRuntimeFailureKind
+    ? RAW_ERROR_CONSOLE_SUPPRESSED_FAILURE_KINDS.has(providerRuntimeFailureKind)
+    : false;
+}
+
 function buildObservationFingerprint(params: {
   raw: string;
   requestId?: string;
diff --git a/src/agents/pi-embedded-helpers.formatassistanterrortext.test.ts b/src/agents/pi-embedded-helpers.formatassistanterrortext.test.ts
@@ -342,27 +342,17 @@ describe("formatAssistantErrorText", () => {
     );
   });
 
-  it("returns an HTML-401 auth message for HTML provider 401 auth failures", () => {
-    // Cloudflare Access login pages, nginx basic-auth challenges, and
-    // gateway login walls all return 401 with an HTML body. Before this fix
-    // these were classified as `upstream_html` ("CDN blocked — retry"),
-    // sending the wrong remediation to the user.
+  it("returns re-authentication copy for HTML provider 401 auth failures", () => {
     const msg = makeAssistantError("401 <!DOCTYPE html><html><body>Unauthorized</body></html>");
     expect(formatAssistantErrorText(msg)).toBe(
-      "Authentication failed with an HTML 401 response from the provider. Re-authenticate and verify your provider credentials.",
+      "Authentication failed at the provider. Re-authenticate and verify your provider credentials and account access.",
     );
   });
 
-  it("does not return CDN-blocked copy for HTML 401 auth failures", () => {
-    const msg = makeAssistantError("401 <!DOCTYPE html><html><body>Unauthorized</body></html>");
-    expect(formatAssistantErrorText(msg)).not.toContain("CDN");
-    expect(formatAssistantErrorText(msg)).not.toContain("blocked the request");
-  });
-
   it("returns an HTML-403 auth message for HTML provider auth failures", () => {
     const msg = makeAssistantError("403 <!DOCTYPE html><html><body>Access denied</body></html>");
     expect(formatAssistantErrorText(msg)).toBe(
-      "Authentication failed with an HTML 403 response from the provider. Re-authenticate and verify your provider account access.",
+      "Authentication failed at the provider. Re-authenticate and verify your provider credentials and account access.",
     );
   });
 
diff --git a/src/agents/pi-embedded-helpers.isbillingerrormessage.test.ts b/src/agents/pi-embedded-helpers.isbillingerrormessage.test.ts
@@ -1510,7 +1510,15 @@ describe("classifyProviderRuntimeFailureKind", () => {
       classifyProviderRuntimeFailureKind(
         "403 <!DOCTYPE html><html><body>Access denied</body></html>",
       ),
-    ).toBe("auth_html_403");
+    ).toBe("auth_html");
+  });
+
+  it("classifies HTML 401 auth failures", () => {
+    expect(
+      classifyProviderRuntimeFailureKind(
+        "401 <!DOCTYPE html><html><body>Unauthorized</body></html>",
+      ),
+    ).toBe("auth_html");
   });
 
   it("classifies proxy, dns, timeout, schema, sandbox, and replay failures", () => {
diff --git a/src/agents/pi-embedded-helpers/errors.ts b/src/agents/pi-embedded-helpers/errors.ts
@@ -259,8 +259,7 @@ export type ProviderRuntimeFailureKind =
   | "refresh_contention"
   | "callback_timeout"
   | "callback_validation"
-  | "auth_html_403"
-  | "auth_html_401"
+  | "auth_html"
   | "upstream_html"
   | "proxy"
   | "rate_limit"
@@ -977,7 +976,7 @@ export function classifyProviderRuntimeFailureKind(
     return "proxy";
   }
   if (message && isHtmlErrorResponse(message, status)) {
-    return status === 401 ? "auth_html_401" : status === 403 ? "auth_html_403" : "upstream_html";
+    return status === 401 || status === 403 ? "auth_html" : "upstream_html";
   }
   const failoverClassification = classifyFailoverSignal({
     ...normalizedSignal,
@@ -1091,17 +1090,10 @@ export function formatAssistantErrorText(
     );
   }
 
-  if (providerRuntimeFailureKind === "auth_html_401") {
+  if (providerRuntimeFailureKind === "auth_html") {
     return (
-      "Authentication failed with an HTML 401 response from the provider. " +
-      "Re-authenticate and verify your provider credentials."
-    );
-  }
-
-  if (providerRuntimeFailureKind === "auth_html_403") {
-    return (
-      "Authentication failed with an HTML 403 response from the provider. " +
-      "Re-authenticate and verify your provider account access."
+      "Authentication failed at the provider. " +
+      "Re-authenticate and verify your provider credentials and account access."
     );
   }
 
diff --git a/src/agents/pi-embedded-helpers/provider-error-patterns.test.ts b/src/agents/pi-embedded-helpers/provider-error-patterns.test.ts
@@ -210,9 +210,9 @@ describe("Cloudflare / CDN HTML error page classification (#67517)", () => {
     );
   });
 
-  it("classifies 403 HTML runtime failures as auth_html_403", () => {
+  it("classifies 403 HTML runtime failures as auth_html", () => {
     expect(classifyProviderRuntimeFailureKind({ status: 403, message: html403 })).toBe(
-      "auth_html_403",
+      "auth_html",
     );
   });
 
diff --git a/src/agents/pi-embedded-runner/run/failover-observation.test.ts b/src/agents/pi-embedded-runner/run/failover-observation.test.ts
@@ -159,7 +159,7 @@ describe("createFailoverDecisionLogger", () => {
     logDecision("rotate_profile");
 
     const observation = firstWarnDetails(warnSpy);
-    expect(observation.providerRuntimeFailureKind).toBe("auth_html_401");
+    expect(observation.providerRuntimeFailureKind).toBe("auth_html");
     expect(observation.rawErrorPreview).toBe(
       "401 <!DOCTYPE html><html><body>Unauthorized</body></html>",
     );
diff --git a/src/agents/pi-embedded-runner/run/failover-observation.ts b/src/agents/pi-embedded-runner/run/failover-observation.ts
@@ -3,6 +3,7 @@ import type { AuthProfileFailureReason } from "../../auth-profiles.js";
 import {
   buildApiErrorObservationFields,
   sanitizeForConsole,
+  shouldSuppressRawErrorConsoleSuffix,
 } from "../../pi-embedded-error-observation.js";
 import type { FailoverReason } from "../../pi-embedded-helpers.js";
 import { log } from "../logger.js";
@@ -58,13 +59,9 @@ export function createFailoverDecisionLogger(
   return (decision, extra) => {
     const observedError = buildApiErrorObservationFields(normalizedBase.rawError);
     const safeRawErrorPreview = sanitizeForConsole(observedError.rawErrorPreview);
-    const shouldSuppressRawErrorConsoleSuffix =
-      observedError.providerRuntimeFailureKind === "auth_html_401" ||
-      observedError.providerRuntimeFailureKind === "auth_html_403" ||
-      observedError.providerRuntimeFailureKind === "auth_scope" ||
-      observedError.providerRuntimeFailureKind === "auth_refresh";
     const rawErrorConsoleSuffix =
-      safeRawErrorPreview && !shouldSuppressRawErrorConsoleSuffix
+      safeRawErrorPreview &&
+      !shouldSuppressRawErrorConsoleSuffix(observedError.providerRuntimeFailureKind)
         ? ` rawError=${safeRawErrorPreview}`
         : "";
     log.warn("embedded run failover decision", {
diff --git a/src/agents/pi-embedded-subscribe.handlers.lifecycle.test.ts b/src/agents/pi-embedded-subscribe.handlers.lifecycle.test.ts
@@ -206,53 +206,44 @@ describe("handleAgentEnd", () => {
     expect(meta.httpCode).toBe("401");
   });
 
-  it("omits raw HTML auth bodies from consoleMessage for HTML 403 auth failures", async () => {
-    const ctx = createContext({
-      role: "assistant",
-      stopReason: "error",
-      provider: "openai-codex",
-      model: "gpt-5.4",
+  it.each([
+    {
       errorMessage: "403 <!DOCTYPE html><html><body>Access denied</body></html>",
-      content: [{ type: "text", text: "" }],
-    });
-
-    await handleAgentEnd(ctx);
-
-    const meta = firstWarnMeta(ctx);
-    expect(meta.providerRuntimeFailureKind).toBe("auth_html_403");
-    expect(meta.rawErrorPreview).toBe("403 <!DOCTYPE html><html><body>Access denied</body></html>");
-    expect(meta.error).toBe(
-      "Authentication failed with an HTML 403 response from the provider. Re-authenticate and verify your provider account access.",
-    );
-    const consoleMsg = typeof meta.consoleMessage === "string" ? meta.consoleMessage : "";
-    expect(consoleMsg).not.toContain("rawError=");
-    expect(consoleMsg).not.toContain("<html>");
-  });
-
-  it("omits raw HTML auth bodies from consoleMessage for HTML 401 auth failures", async () => {
-    const ctx = createContext({
-      role: "assistant",
-      stopReason: "error",
-      provider: "openai-codex",
-      model: "gpt-5.4",
+      expectedError:
+        "Authentication failed at the provider. Re-authenticate and verify your provider credentials and account access.",
+      expectedKind: "auth_html",
+      expectedPreview: "403 <!DOCTYPE html><html><body>Access denied</body></html>",
+    },
+    {
       errorMessage: "401 <!DOCTYPE html><html><body>Unauthorized</body></html>",
-      content: [{ type: "text", text: "" }],
-    });
+      expectedError:
+        "Authentication failed at the provider. Re-authenticate and verify your provider credentials and account access.",
+      expectedKind: "auth_html",
+      expectedPreview: "401 <!DOCTYPE html><html><body>Unauthorized</body></html>",
+    },
+  ])(
+    "omits raw HTML auth bodies from consoleMessage for $expectedKind failures",
+    async ({ errorMessage, expectedError, expectedKind, expectedPreview }) => {
+      const ctx = createContext({
+        role: "assistant",
+        stopReason: "error",
+        provider: "openai-codex",
+        model: "gpt-5.4",
+        errorMessage,
+        content: [{ type: "text", text: "" }],
+      });
 
-    await handleAgentEnd(ctx);
+      await handleAgentEnd(ctx);
 
-    const meta = firstWarnMeta(ctx);
-    expect(meta.providerRuntimeFailureKind).toBe("auth_html_401");
-    expect(meta.rawErrorPreview).toBe(
-      "401 <!DOCTYPE html><html><body>Unauthorized</body></html>",
-    );
-    expect(meta.error).toBe(
-      "Authentication failed with an HTML 401 response from the provider. Re-authenticate and verify your provider credentials.",
-    );
-    const consoleMsg = typeof meta.consoleMessage === "string" ? meta.consoleMessage : "";
-    expect(consoleMsg).not.toContain("rawError=");
-    expect(consoleMsg).not.toContain("<html>");
-  });
+      const meta = firstWarnMeta(ctx);
+      expect(meta.providerRuntimeFailureKind).toBe(expectedKind);
+      expect(meta.rawErrorPreview).toBe(expectedPreview);
+      expect(meta.error).toBe(expectedError);
+      const consoleMsg = typeof meta.consoleMessage === "string" ? meta.consoleMessage : "";
+      expect(consoleMsg).not.toContain("rawError=");
+      expect(consoleMsg).not.toContain("<html>");
+    },
+  );
 
   it("keeps non-error run-end logging on debug only", async () => {
     const ctx = createContext(undefined);
diff --git a/src/agents/pi-embedded-subscribe.handlers.lifecycle.ts b/src/agents/pi-embedded-subscribe.handlers.lifecycle.ts
@@ -4,6 +4,7 @@ import {
   buildApiErrorObservationFields,
   buildTextObservationFields,
   sanitizeForConsole,
+  shouldSuppressRawErrorConsoleSuffix,
 } from "./pi-embedded-error-observation.js";
 import { classifyFailoverReason, formatAssistantErrorText } from "./pi-embedded-helpers.js";
 import { hasCommittedMessagingToolDeliveryEvidence } from "./pi-embedded-runner/delivery-evidence.js";
@@ -92,13 +93,9 @@ export function handleAgentEnd(ctx: EmbeddedPiSubscribeContext): void | Promise<
     const safeModel = sanitizeForConsole(lastAssistant.model) ?? "unknown";
     const safeProvider = sanitizeForConsole(lastAssistant.provider) ?? "unknown";
     const safeRawErrorPreview = sanitizeForConsole(observedError.rawErrorPreview);
-    const shouldSuppressRawErrorConsoleSuffix =
-      observedError.providerRuntimeFailureKind === "auth_html_401" ||
-      observedError.providerRuntimeFailureKind === "auth_html_403" ||
-      observedError.providerRuntimeFailureKind === "auth_scope" ||
-      observedError.providerRuntimeFailureKind === "auth_refresh";
     const rawErrorConsoleSuffix =
-      safeRawErrorPreview && !shouldSuppressRawErrorConsoleSuffix
+      safeRawErrorPreview &&
+      !shouldSuppressRawErrorConsoleSuffix(observedError.providerRuntimeFailureKind)
         ? ` rawError=${safeRawErrorPreview}`
         : "";
     ctx.log.warn("embedded run agent end", {
