CLI backend: auth errors surface as misleading pydantic parse failure

[max-tet]

Bug

When the CLI backend encounters an authentication error, the failure manifests as a confusing pydantic validation error instead of a clear auth failure message.

Root Cause

CliBackend.invoke() in claude.py does not treat is_error=True with exit code 0 as a fatal error. The Claude CLI exits with code 0 but sets is_error: true in the JSON output, with result containing the error text:

"Failed to authenticate. API Error: 401 {\"type\":\"error\",\"error\":{\"type\":\"authentication_error\",\"message\":\"Invalid authentication credentials\"},...}"

This result string is returned as output_text. The caller passes it to parse_response(), which extracts the embedded API error JSON object via _extract_json(), then fails pydantic validation — producing a log like:

Failed to parse preliminary plan response: LLM response failed validation for PreliminaryPlanResponse: 3 validation errors
...
Data: {'type': 'error', 'error': {'type': 'authentication_error', 'message': 'Invalid authentication credentials'}, ...}

Expected Behavior

An auth error should surface as a clear log message like "Claude CLI authentication failed" and the issue should be marked failed (or the tick skipped), not produce a pydantic parse failure.

Fix

In CliBackend.invoke(), after parsing the JSON output, check for is_error=True and inspect the result text for known fatal error patterns (authentication errors, "not logged in", etc.). Raise an appropriate exception or log clearly and propagate the failure before reaching parse_response().

Additionally, is_claude_available() should return False on auth errors (currently it only catches "not logged in" text, missing the "Failed to authenticate" pattern).

[ClaydeCode]

Preliminary Plan

Overview

The bug is in CliBackend in src/clayde/claude.py. Two gaps exist:

1. CliBackend.invoke() (lines 604–615): when is_error=True, only usage/rate-limit patterns are checked. Auth errors fall through and return the error text as output_text, which then gets passed to parse_response() and fails pydantic validation with a confusing error. Fix: after the usage-limit check, detect auth error patterns in error_text and raise a clear RuntimeError (or a new AuthenticationError) so the orchestrator marks the issue failed with a meaningful log.

2. CliBackend.is_available() (lines 655–658): only catches "not logged in" for auth failures; misses the "Failed to authenticate" pattern emitted by newer CLI versions. Fix: expand the auth check to cover both patterns.

I'll add a small _AUTH_ERROR_PATTERNS list alongside _LIMIT_PATTERNS and reuse it in both places. No new exception class needed — a plain RuntimeError works since orchestrator.py already catches generic exceptions and marks issues failed.

Questions

None — the issue is clear and self-contained.

---

This looks like a small issue. React with 👍 to approve this preliminary plan and proceed directly to implementation.

[ClaydeCode]

Implementation complete — PR opened: #65