fix(selfhost): surface the CLI's structured stdout error before the exit code (#1612)#1613
Merged
Merged
Conversation
…xit code (#1612) claude --output-format json reports API/auth/model errors in its stdout envelope ({is_error,api_error_status}) even on a non-zero exit, with empty stderr. createClaudeCodeAi threw on the exit code BEFORE checking that envelope, so the failure surfaced as an opaque "claude_code_exit_1: " (blank) and the precise status was discarded — exactly why #1610's 404 was undiagnosable from logs/Sentry. Check claudeErrorStatus(stdout) before the exit-code throw so a structured error surfaces as claude_code_error_<status> (e.g. _404). A genuine crash with no structured stdout envelope still falls through to the exit code + redacted stderr. Regression test pins the non-zero-exit + stdout-envelope case.
Contributor
|
Superagent didn't find any vulnerabilities or security issues in this PR. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #1613 +/- ##
=======================================
Coverage 95.51% 95.51%
=======================================
Files 204 204
Lines 22041 22041
Branches 7963 7963
=======================================
Hits 21052 21052
Misses 413 413
Partials 576 576
🚀 New features to boost your workflow:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
claude --output-format jsonreports API/auth/model errors in its stdout JSON envelope ({is_error:true, api_error_status:404, result:"…"}) — including on a non-zero exit, with empty stderr.createClaudeCodeAi.runthrew on the exit code before checking that envelope, so such failures surfaced as an opaqueclaude_code_exit_1:(blank — stderr is empty), discarding the precise status.This is exactly why #1610 (a
claude --model claude-code404 from the single-provider routing bug) was undiagnosable from logs/Sentry and needed in-container reproduction to root-cause. #1605 added stderr capture, but stderr is empty for this whole class of failure — the signal is in stdout.Fix: check
claudeErrorStatus(stdout)before the exit-code throw, so the structured error surfaces asclaude_code_error_404(precise, bounded, secret-free) and reaches the central Sentry forwarder. A genuine crash (non-zero exit with no structured stdout envelope) still falls through to the existing exit-code + redacted-stderr path. Two moved lines + a regression test; no public behavior, schema, binding, or migration change.Closes #1612.
Scope
type(scope): short summaryConventional Commit format.CONTRIBUTING.mdand does not reintroduce GitHub Pages, VitePress,site/, orCNAME.Validation
git diff --checknpm run actionlintnpm run typechecknpm run test:coveragelocally;codecov/patch≥97% of changed lines AND branches — both branches of the movedclaudeErrorStatus/exit-code checks are covered (exit-0 envelope, exit-1 envelope, exit-1 no-envelope, success).npm run test:workersnpm run build:mcpnpm run test:mcp-packnpm run ui:openapi:checknpm run ui:lintnpm run ui:typechecknpm run ui:buildnpm audit --audit-level=moderateIf any required check was skipped, explain why:
wrangler.jsoncchange, no DB change.Safety
api_error_status(e.g.404); the stderr fallback keeps the existingredactSecrets.UI Evidencesection. — N/A: no visible UI change.Notes
claude_code_exit_1. Open PR fix(security): avoid logging raw AI CLI stderr #1608 (summarizeCliStderr) targets the stderr fallback path and is complementary/superseded — to be reconciled separately.