From 45034b746f8fea56e99bb5325c4bba3b31a5bbf1 Mon Sep 17 00:00:00 2001
From: Cocoon-Break <54054995+kuishou68@users.noreply.github.com>
Date: Fri, 10 Apr 2026 17:48:45 +0800
Subject: [PATCH] fix: set retryable=False for message-based auth errors in
 _classify_by_message() (#7027)

Auth errors matched by message pattern were incorrectly marked retryable=True, causing futile retry loops. Aligns with _classify_by_status() which already sets retryable=False for 401/403. Fixes #7026. Contributed by @kuishou68.
---
 agent/error_classifier.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/agent/error_classifier.py b/agent/error_classifier.py
index 1f6b48a0957..30a2ad4916c 100644
--- a/agent/error_classifier.py
+++ b/agent/error_classifier.py
@@ -725,10 +725,14 @@ def _classify_by_message(
         )
 
     # Auth patterns
+    # Auth errors should NOT be retried directly — the credential is invalid and
+    # retrying with the same key will always fail.  Set retryable=False so the
+    # caller triggers credential rotation (should_rotate_credential=True) or
+    # provider fallback rather than an immediate retry loop.
     if any(p in error_msg for p in _AUTH_PATTERNS):
         return result_fn(
             FailoverReason.auth,
-            retryable=True,
+            retryable=False,
             should_rotate_credential=True,
         )