From 9ced64054f2b1de5ee6b2189faaf778febcb2ed4 Mon Sep 17 00:00:00 2001
From: Peter Machona <chilu.machona@icloud.com>
Date: Tue, 24 Feb 2026 03:33:44 +0000
Subject: [PATCH] fix(auth): classify missing OAuth scopes as auth failures
 (#24761)

---
 src/agents/pi-embedded-helpers.isbillingerrormessage.test.ts | 4 ++++
 src/agents/pi-embedded-helpers/errors.ts                     | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/src/agents/pi-embedded-helpers.isbillingerrormessage.test.ts b/src/agents/pi-embedded-helpers.isbillingerrormessage.test.ts
index f4ae781e8..278c2d30b 100644
--- a/src/agents/pi-embedded-helpers.isbillingerrormessage.test.ts
+++ b/src/agents/pi-embedded-helpers.isbillingerrormessage.test.ts
@@ -393,6 +393,10 @@ describe("classifyFailoverReason", () => {
     expect(classifyFailoverReason("invalid api key")).toBe("auth");
     expect(classifyFailoverReason("no credentials found")).toBe("auth");
     expect(classifyFailoverReason("no api key found")).toBe("auth");
+    expect(classifyFailoverReason("You have insufficient permissions for this operation.")).toBe(
+      "auth",
+    );
+    expect(classifyFailoverReason("Missing scopes: model.request")).toBe("auth");
     expect(classifyFailoverReason("429 too many requests")).toBe("rate_limit");
     expect(classifyFailoverReason("resource has been exhausted")).toBe("rate_limit");
     expect(
diff --git a/src/agents/pi-embedded-helpers/errors.ts b/src/agents/pi-embedded-helpers/errors.ts
index 80ba22198..e0c7bf4c8 100644
--- a/src/agents/pi-embedded-helpers/errors.ts
+++ b/src/agents/pi-embedded-helpers/errors.ts
@@ -655,6 +655,9 @@ const ERROR_PATTERNS = {
     "unauthorized",
     "forbidden",
     "access denied",
+    "insufficient permissions",
+    "insufficient permission",
+    /missing scopes?:/i,
     "expired",
     "token has expired",
     /\b401\b/,