fix(issue-comment): improve 403 error handling with actionable guidance

[rjmurillo-bot]

Pull Request

Summary

Improves Post-IssueComment.ps1 error handling to detect 403 permission errors specifically and provide actionable guidance for resolution. When 403 occurs, saves the comment payload to an artifact file for manual posting.

Specification References

Type	Reference	Description
Issue	Closes #643	bug(issue): Post-IssueComment fails with 403 (Resource not accessible by integration)

Changes

• Detect 403 permission errors specifically (status code and message patterns)
• Add Write-PermissionDeniedError helper function with detailed guidance
• Provide actionable guidance for common causes:
  • GitHub Apps: issues:write permission in app manifest
  • Workflow GITHUB_TOKEN: permissions: issues: write in YAML
  • Fine-grained PATs: Issues repository permission
  • Classic PATs: repo scope
• Save failed comment payload to .github/artifacts/failed-comment-{timestamp}.json
• Add structured JSON error output for programmatic consumption
• Add GitHub Actions outputs (success, error, status_code, artifact_path)
• New exit code 5 for permission denied errors

Type of Change

• Bug fix (non-breaking change fixing an issue)
• New feature (non-breaking change adding functionality)
• Breaking change (fix or feature causing existing functionality to change)
• Documentation update
• Infrastructure/CI change
• Refactoring (no functional changes)

Testing

• Tests added/updated
• Manual testing completed
• No testing required (documentation only)

Agent Review

Security Review

• No security-critical changes in this PR

Other Agent Reviews

• Reviewed for PowerShell patterns

Checklist

• Code follows project style guidelines
• Self-review completed
• Changes generate no new warnings (Write-Host warnings pre-existing)
• Tests pass locally

🤖 Generated with Claude Code

[coderabbitai]

Caution

Review failed

The pull request is closed.

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Walkthrough

The changes introduce 403 permission-denied error handling to the Post-IssueComment script with structured diagnostics and artifact output. A new helper function detects 403 errors, generates debug payloads, and exits with code 4 per ADR-035. Exit code documentation is updated to reflect the consolidated mapping.

Changes

Cohort / File(s)	Summary
Exit Code Documentation .claude/skills/github/modules/GitHubCore.psm1	Updated exit code comment block to align with ADR-035: consolidated codes 0–4 with new semantics (0=success, 1=invalid params, 2=config error, 3=external error, 4=auth error). Replaced old codes 2–5 definitions. No functional changes.
403 Permission Error Handling .claude/skills/github/scripts/issue/Post-IssueComment.ps1	Added Write-PermissionDeniedError function to handle 403 permission-denied scenarios: generates structured JSON payload, writes artifact file, emits programmatic error, outputs GitHub Actions variables, and provides user guidance. Integrated 403 detection into main posting flow to route permission errors to exit code 4 instead of generic code 3. Enhanced artifact directory creation and error messaging.
Permission Error Tests tests/Post-IssueComment.Tests.ps1	Updated script/module path resolution to repo-root-relative locations. Added large new test context for 403 handling: validates Write-PermissionDeniedError function structure, tests 403 status code detection (case-insensitive), verifies exit code 4 behavior, confirms artifact JSON creation with git rev-parse fallback, validates GITHUB_OUTPUT fields (status, error, artifact_path, success), and tests multiple 403 error message formats.

Sequence Diagram

sequenceDiagram
    actor User
    participant Script as Post-IssueComment
    participant API as GitHub API
    participant FS as Filesystem
    participant Actions as GitHub Actions

    User->>Script: Call with comment body
    Script->>API: POST /repos/OWNER/REPO/issues/ISSUE/comments
    alt HTTP 403 Response
        API-->>Script: 403 Permission Denied
        rect rgb(255, 200, 200)
            Note over Script: Detect 403 error pattern
            Script->>FS: Resolve .github/artifacts directory
            Script->>FS: Write payload JSON file
            Script->>Actions: Set GITHUB_OUTPUT variables<br/>(status, error, artifact_path, success)
        end
        Script-->>User: Print guidance (token type, permissions)
        Script->>Script: Exit code 4 (auth error)
    else HTTP Other Error
        API-->>Script: Non-403 error
        Script->>Script: Exit code 3 (external error)
    else Success
        API-->>Script: 201 Created
        Script->>Script: Exit code 0 (success)
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• rjmurillo

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/643-issue-comment-403

---

📜 Recent review details

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dbca374 and 3bf583a.

📒 Files selected for processing (3)

• .claude/skills/github/modules/GitHubCore.psm1
• .claude/skills/github/scripts/issue/Post-IssueComment.ps1
• tests/Post-IssueComment.Tests.ps1

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

PR Validation Report

Note

✅ Status: PASS

Description Validation

Check	Status
Description matches diff	PASS

QA Validation

Check	Status
Code changes detected	True
QA report exists	false

⚡ Warnings

• QA report not found for code changes (recommended before merge)

---

_{Powered by PR Validation workflow}

[gemini-code-assist]

Code Review

This pull request significantly improves error handling for 403 permission issues by providing actionable guidance and saving the comment payload, which is a valuable enhancement. My review focuses on aligning the new helper function with the repository's PowerShell style guide and improving the robustness of the artifact creation logic, incorporating relevant repository rules where applicable. I've provided specific suggestions to address these points.

[github-actions]

Spec-to-Implementation Validation

Tip

✅ Final Verdict: PASS

What is Spec Validation?

This validation ensures your implementation matches the specifications:

• Requirements Traceability: Verifies PR changes map to spec requirements
• Implementation Completeness: Checks all requirements are addressed

Validation Summary

Check	Verdict	Status
Requirements Traceability	PASS	✅
Implementation Completeness	PASS	✅

Spec References

Type	References
Specs	None
Issues	643

Requirements Traceability Details

Based on my analysis of Issue #643 and the implementation changes, here is the requirements traceability assessment:

Requirements Coverage Matrix

Requirement	Description	Status	Evidence
AC-1	Detect 403 errors	COVERED	Lines 223-227: Pattern matching for '403', 'Resource not accessible by integration', 'forbidden'
AC-2	Report 403 with actionable guidance	COVERED	Lines 155-166: Write-PermissionDeniedError outputs guidance for GitHub Apps, GITHUB_TOKEN, Fine-grained PATs, Classic PATs
AC-3	Provide structured error payload	COVERED	Lines 191-206: PSCustomObject with Success, Error, StatusCode, Issue, Owner, Repo, ArtifactPath, Guidance fields output as JSON
AC-4	Alternative action when comments not permitted	COVERED	Lines 170-188: Saves payload to .github/artifacts/failed-comment-{timestamp}.json
AC-5	Clear explanation of likely causes	COVERED	Lines 155-166: Lists token types and permission requirements
DOC-1	Document new exit code	COVERED	Lines 38-48: Exit code 5 documented with 403 error explanations

Summary

• Total Requirements: 6
• Covered: 6 (100%)
• Partially Covered: 0 (0%)
• Not Covered: 0 (0%)

Gaps

None identified. All acceptance criteria from Issue #643 are addressed:

1. 403 detection with multiple patterns (status code and message matching)
2. Actionable guidance covering all token types mentioned
3. Structured error payload (JSON output)
4. Artifact file for manual posting
5. GitHub Actions outputs for programmatic consumption

VERDICT: PASS
MESSAGE: All requirements from Issue #643 are fully covered. The implementation detects 403 errors, provides actionable guidance for all token types, outputs structured error payloads, and saves failed comment payloads to artifacts.

Implementation Completeness Details

Acceptance Criteria Checklist

Based on Issue #643, the acceptance criteria is:

"403 failures are reported with actionable guidance and a structured error payload."

• 403 failures are detected - SATISFIED

  • Evidence: Lines 223-227 detect 403 via status code pattern, "Resource not accessible by integration", and "forbidden" patterns

• Actionable guidance provided - SATISFIED

  • Evidence: Lines 155-166 provide guidance for GitHub Apps, GITHUB_TOKEN, Fine-grained PATs, Classic PATs, and repository rules

• Structured error payload - SATISFIED

  • Evidence: Lines 191-206 output structured JSON with Success, Error, StatusCode, Issue, Owner, Repo, ArtifactPath, and Guidance fields

• Alternative action when comments not permitted - SATISFIED

  • Evidence: Lines 170-188 save comment payload to .github/artifacts/failed-comment-{timestamp}.json for manual posting
  • Evidence: Line 185 includes gh api command for manual posting

• Token type explanations - SATISFIED

  • Evidence: Lines 159-163 explain GitHub App vs GITHUB_TOKEN vs PAT permissions

• Exit code 5 for permission denied - SATISFIED

  • Evidence: Line 226 exits with code 5; Line 39 documents exit codes

• GitHub Actions outputs - SATISFIED

  • Evidence: Lines 208-214 write success, error, status_code, artifact_path to GITHUB_OUTPUT

Missing Functionality

None identified. All requirements from Issue #643 are implemented.

Edge Cases Not Covered

1. Case-insensitive 403 matching: The regex '403' would match any string containing "403" including false positives (e.g., error messages mentioning issue [PR Maintenance] Blocked PRs Require Human Action #403). However, combined with the other patterns, this is acceptable.

2. Artifact directory creation failure: Line 174 uses -Force but does not check if directory creation succeeded. Minor risk.

Implementation Quality

• Completeness: 100% of acceptance criteria satisfied
• Quality: Implementation follows PowerShell patterns, provides multiple detection methods for 403, and includes both human-readable and programmatic output

VERDICT: PASS
MESSAGE: All acceptance criteria from Issue #643 satisfied. 403 errors are detected, actionable guidance is provided for all token types, structured JSON error payload is output, and failed comment payload is saved to artifact file for manual posting.

---

Run Details

Property	Value
Run ID	20623095712
Triggered by	pull_request on 698/merge

_{Powered by AI Spec Validator workflow}

[github-actions]

AI Quality Gate Review

Warning

⚠️ Final Verdict: WARN

Walkthrough

This PR was reviewed by six AI agents in parallel, analyzing different aspects of the changes:

• Security Agent: Scans for vulnerabilities, secrets exposure, and security anti-patterns
• QA Agent: Evaluates test coverage, error handling, and code quality
• Analyst Agent: Assesses code quality, impact analysis, and maintainability
• Architect Agent: Reviews design patterns, system boundaries, and architectural concerns
• DevOps Agent: Evaluates CI/CD, build pipelines, and infrastructure changes
• Roadmap Agent: Assesses strategic alignment, feature scope, and user value

Review Summary

Agent	Verdict	Category	Status
Security	PASS	N/A	✅
QA	PASS	N/A	✅
Analyst	WARN	N/A	⚠️
Architect	PASS	N/A	✅
DevOps	PASS	N/A	✅
Roadmap	PASS	N/A	✅

💡 Quick Access: Click on individual agent jobs (e.g., "🔒 security Review", "🧪 qa Review") in the workflow run to see detailed findings and step summaries.

QA Review Details

I cannot run PowerShell tests due to environment restrictions. I'll complete the QA review based on static analysis.

---

VERDICT: PASS
MESSAGE: Code has comprehensive test coverage for new 403 error handling with well-structured tests for all major scenarios.

PR TYPE: CODE
FILES:
  - CODE: .claude/skills/github/modules/GitHubCore.psm1, .claude/skills/github/scripts/issue/Post-IssueComment.ps1
  - CODE (tests): tests/Post-IssueComment.Tests.ps1

EVIDENCE:
- Tests found: 16 new tests for 1 new function (Write-PermissionDeniedError) and 403 detection logic
- Edge cases: Covered - 9 error format variations tested (lines 681-702), case-insensitive matching, fallback paths
- Error handling: Tested - git rev-parse fallback (line 662), file operation errors (lines 669-675), GITHUB_OUTPUT errors
- Blocking issues: 0

Test Coverage Assessment

Area	Status	Evidence	Files Checked
Unit tests	Adequate	Post-IssueComment.Tests.ps1:582-703 - 16 new tests	Post-IssueComment.ps1
Edge cases	Covered	Lines 681-702: 9 error format variations	Write-PermissionDeniedError
Error paths	Tested	Lines 662-675: fallback, file ops	403 handling code
Assertions	Present	All tests use Should -Match or Should -Be	tests/

Fail-Safe Pattern Verification

Pattern	Status	Evidence
Input validation	[PASS]	Lines 148-165: [ValidateNotNullOrEmpty()] on Owner, Repo; [Parameter(Mandatory)] on all params
Error handling	[PASS]	Lines 196-201, 217-228, 237-248: try-catch with Write-Warning and fallbacks
Timeout handling	[N/A]	No external network calls with custom timeouts (uses gh CLI)
Fallback behavior	[PASS]	Lines 185-188: git rev-parse fallback to Get-Location; Lines 245-248: console fallback when file write fails

Quality Concerns

Severity	Issue	Location	Evidence	Required Fix
LOW	Tests are source-code analysis only	Tests.ps1:584-675	Tests check script content with regex, not runtime behavior	Acceptable for this scenario

Regression Risk Assessment

• Risk Level: Low - Changes are additive (new error handling path) with no modification to existing success paths
• Affected Components: .claude/skills/github/scripts/issue/Post-IssueComment.ps1
• Breaking Changes: None - Exit code 4 was already documented for auth errors; 403 now routes there per ADR-035
• Required Testing: Manual 403 scenario testing completed per PR description

Architect Review Details

Now I have the full context. Let me provide my architecture review.

---

Design Quality Assessment

Aspect	Rating (1-5)	Notes
Pattern Adherence	4	Follows ADR-035 exit code standard; uses helper function pattern
Boundary Respect	4	Error handling stays within script scope; artifact storage uses established .github/ convention
Coupling	4	Minimal dependencies; uses git for repo detection with fallback
Cohesion	3	Write-PermissionDeniedError handles multiple concerns (logging, file IO, GITHUB_OUTPUT)
Extensibility	4	Pattern can be replicated to other scripts; artifact format is JSON for programmatic use

Overall Design Score: 3.8/5

Architectural Concerns

Severity	Concern	Location	Recommendation
Low	Function cohesion	Post-IssueComment.ps1:146-290	Consider splitting artifact saving from guidance output; acceptable for single-use helper
Low	Test file relocation	tests/Post-IssueComment.Tests.ps1	Moving from .claude/skills/github/tests/ to tests/ changes test organization pattern

Breaking Change Assessment

• Breaking Changes: No
• Impact Scope: Minor
• Migration Required: No
• Migration Path: N/A (exit code 4 is new for 403; previously would have exited 3)

The change from exit code 3 to 4 for 403 errors is a semantic correction, not a breaking change. ADR-035 specifies exit 4 for auth/authorization errors. No existing callers would rely on 403 returning exit 3 since the original behavior was undifferentiated API failure.

Technical Debt Analysis

• Debt Added: Low
• Debt Reduced: Medium (improves error diagnostics; aligns with ADR-035)
• Net Impact: Improved

ADR Assessment

• ADR Required: No
• Decisions Identified: Implementation of ADR-035 exit code standard for 403 handling
• Existing ADR: ADR-035 (Exit Code Standardization)
• Recommendation: N/A (correctly implements existing ADR)

The change correctly applies ADR-035 exit code semantics:

• Exit 4 for permission denied (auth error category)
• Exit 3 for generic API errors (external error category)
• Exit 0 for idempotency skip (success category)

Recommendations

1. The Write-PermissionDeniedError function outputs structured JSON to stdout (line 267) but does not capture or use the return value. Consider removing the orphaned $errorOutput | ConvertTo-Json statement or routing it to stderr to avoid polluting stdout.

2. The test file relocation from .claude/skills/github/tests/ to tests/ may indicate a broader test organization decision. Verify this aligns with project test location conventions.

Verdict

VERDICT: PASS
MESSAGE: Implementation correctly applies ADR-035 exit code standard. Error handling is well-structured with appropriate fallbacks.

Roadmap Review Details

Strategic Alignment Assessment

Criterion	Rating	Notes
Aligns with project goals	High	Improves skill scripts in .claude/skills/github/, directly supporting multi-agent workflows
Priority appropriate	Medium	Bug fix for issue #643; infrastructure reliability is P0 concern
User value clear	High	Actionable guidance reduces developer debugging time from hours to minutes
Investment justified	High	Small change (~200 lines) with high impact on developer experience

Feature Completeness

• Scope Assessment: Right-sized
• Ship Ready: Yes
• MVP Complete: Yes
• Enhancement Opportunities: Future work could add retry logic or token refresh hints

Impact Analysis

Dimension	Assessment	Notes
User Value	High	403 errors are common pain point; actionable guidance prevents support burden
Business Impact	Medium	Reduces friction for teams adopting workflow automation
Technical Leverage	Medium	Pattern reusable for other API error handling (401, 404)
Competitive Position	Neutral	Table-stakes error handling improvement

Concerns

Priority	Concern	Recommendation
Low	Tests marked [ ] Tests pass locally unchecked in PR checklist	Verify Pester tests pass in CI before merge
Low	Exit code semantics changed (ADR-035 referenced but exit code 5 removed)	Confirm ADR-035 is documented or create it

Recommendations

1. Merge as-is. The 403 error handling improvement addresses a real user pain point with minimal risk.
2. Update ADR-035 if it doesn't exist. The PR references exit code conventions but the ADR should be discoverable.
3. Consider adding similar handling for 401 (not authenticated) in a follow-up PR.

Verdict

VERDICT: PASS
MESSAGE: Bug fix aligns with infrastructure reliability goals. Actionable 403 guidance reduces support burden and improves developer experience. Right-sized scope with appropriate test coverage.

Analyst Review Details

Now let me check if there's an ADR-035 referenced and look at the related issue for context.

Now I have complete context. Let me analyze this PR.

---

PR Analysis: Post-IssueComment 403 Error Handling

Code Quality Score

Criterion	Score (1-5)	Notes
Readability	4	Clear function structure, good parameter naming, comprehensive comments
Maintainability	4	Helper function isolates 403 logic; error handling has proper try/catch blocks
Consistency	5	Follows ADR-035 exit codes, matches existing GitHubCore patterns
Simplicity	3	145 lines added for error handling is substantial; regex pattern is complex

Overall: 4/5

Impact Assessment

• Scope: Isolated (single script + module comment update + test file move)
• Risk Level: Low
• Affected Components: Post-IssueComment.ps1, GitHubCore.psm1 (comment only), Post-IssueComment.Tests.ps1

Findings

Priority	Category	Finding	Location
Medium	Code Smell	Overly broad 403 detection: $errorString -match '403' matches any string containing "403" (e.g., issue #1403)	Post-IssueComment.ps1:300
Low	Redundancy	JSON fallback string at lines 219-228 duplicates logic that ConvertTo-Json already handles	Post-IssueComment.ps1:219-228
Low	Best Practice	`$errorOutput	ConvertTo-Json` result is not captured or used (line 267)
Info	Test Location	Test file moved from .claude/skills/github/tests/ to tests/ - verify this aligns with project conventions	tests/Post-IssueComment.Tests.ps1
Info	Documentation	Exit code documentation updated in GitHubCore.psm1 aligns with ADR-035	GitHubCore.psm1:1065-1072

Recommendations

1. Remove redundant '403' check: The pattern $errorString -match '403' after $errorString -imatch 'HTTP 403' and $errorString -imatch 'status.*403' is overly broad and could match false positives. The existing specific patterns are sufficient.

2. Use ConvertTo-Json output: Line 267 calls ConvertTo-Json but discards the result. Either remove the call or assign to a variable for output.

3. Consider extracting 403 detection regex: The pattern is duplicated in tests and script. A constant or shared pattern would improve maintainability.

Positive Observations

• Correct ADR-035 compliance: exit code 4 for permission denied
• Comprehensive GitHub Actions outputs for CI/CD integration
• Defensive error handling with try/catch blocks
• Proper git rev-parse fallback with warning
• Well-structured test coverage (20+ new test cases)

Verdict

VERDICT: WARN
MESSAGE: Minor issues in 403 detection regex (overly broad pattern) and unused ConvertTo-Json call. Core functionality is solid and ADR-035 compliant.

DevOps Review Details

Based on my analysis, this PR modifies a PowerShell script and its tests. No workflow files, actions, or scripts in scripts/ are changed.

Pipeline Impact Assessment

Area	Impact	Notes
Build	None	No build configuration changes
Test	Low	Test file relocated from .claude/skills/github/tests/ to tests/
Deploy	None	No deployment changes
Cost	None	No CI cost impact

CI/CD Quality Checks

Check	Status	Location
YAML syntax valid	N/A	No workflow changes
Actions pinned	N/A	No action changes
Secrets secure	✅	No secret handling changes
Permissions minimal	N/A	No workflow changes
Shell scripts robust	✅	Post-IssueComment.ps1

Findings

Severity	Category	Finding	Location	Fix
Low	Best Practice	Test file relocation requires CI workflow to discover new path	tests/Post-IssueComment.Tests.ps1	Verify pester-tests.yml discovers tests/ directory

Template Assessment

• PR Template: N/A - not modified
• Issue Templates: N/A - not modified
• Template Issues: None

Automation Opportunities

Opportunity	Type	Benefit	Effort
None identified	N/A	N/A	N/A

Recommendations

1. The test file relocation to tests/ should work with the existing pester-tests.yml workflow if it scans tests/ directory.
2. The error handling improvements (403 detection, artifact saving) are well-structured with proper -ErrorAction Stop on file operations.

Verdict

VERDICT: PASS
MESSAGE: No CI/CD configuration changes. Script changes follow PowerShell best practices with proper error handling and GitHub Actions output integration.

Security Review Details

Security Review: PR #643 - 403 Error Handling

PR Type: CODE (PowerShell scripts)

Full OWASP review required.

Findings

Severity	Category	Finding	Location	CWE
Low	Input Validation	403 detection pattern $errorString -match '403' is overly broad - could match unrelated strings like "Issue 4033"	Post-IssueComment.ps1:300	N/A
Info	Error Handling	Artifact directory .github/artifacts/ created dynamically - acceptable pattern for debugging	Post-IssueComment.ps1:190-202	N/A

Analysis

Positive Security Patterns:

1. No secrets exposure: Failed comment payload saved locally, not transmitted externally
2. Proper parameter validation: [ValidateNotNullOrEmpty()] on Owner/Repo parameters
3. Error handling: Uses -ErrorAction Stop with try/catch for file operations
4. Git fallback: Falls back to Get-Location if git rev-parse fails, with warning logged
5. No command injection: Uses gh api with -f flag which properly escapes the body parameter
6. Structured outputs: GitHub Actions outputs use simple key=value format (no injection risk)

403 Detection Logic Review (Line 300):

$errorString -imatch 'HTTP 403' -or $errorString -imatch 'status.*403' -or $errorString -match '403' -or $errorString -imatch 'Resource not accessible by integration' -or $errorString -imatch '\bforbidden\b'

The pattern is intentionally broad to catch various GitHub API error formats. The \bforbidden\b uses word boundary. False positives would only result in more helpful error messages, not security issues.

Exit Code Change:

• Previous: Exit 5 for idempotency skip
• New: Exit 4 for auth/permission errors per ADR-035

This aligns with the documented exit code standard in GitHubCore.psm1.

Test File Relocation:
Test file moved from .claude/skills/github/tests/ to tests/ - path updates are correct and no security implications.

Recommendations

1. None blocking. The broad 403 pattern matching is acceptable as false positives only improve error messaging.

Verdict

VERDICT: PASS
MESSAGE: No security vulnerabilities. Code follows secure patterns for error handling and file operations.

---

Run Details

Property	Value
Run ID	20624024584
Triggered by	pull_request on 698/merge
Commit	b6edd4c93f2e50157b66c5bdea2e821a831b4fe6

_{Powered by AI Quality Gate workflow}

[rjmurillo]

Review Triage Required

Note

Priority: NORMAL - Human approval required before bot responds

Review Summary

Source	Reviews	Comments
Human	1	1
Bot	6	7

Next Steps

1. Review human feedback above
2. Address any CHANGES_REQUESTED from human reviewers
3. Add triage:approved label when ready for bot to respond to review comments

---

_{Powered by PR Maintenance workflow - Add triage:approved label}