fix(auth): classify missing OAuth scopes as auth failures (#24761)

src/agents/pi-embedded-helpers.isbillingerrormessage.test.ts

@@ -393,6 +393,10 @@ describe("classifyFailoverReason", () => {
     expect(classifyFailoverReason("invalid api key")).toBe("auth");
     expect(classifyFailoverReason("no credentials found")).toBe("auth");
     expect(classifyFailoverReason("no api key found")).toBe("auth");
+    expect(classifyFailoverReason("You have insufficient permissions for this operation.")).toBe(
+      "auth",
+    );
+    expect(classifyFailoverReason("Missing scopes: model.request")).toBe("auth");
     expect(classifyFailoverReason("429 too many requests")).toBe("rate_limit");
     expect(classifyFailoverReason("resource has been exhausted")).toBe("rate_limit");
     expect(

src/agents/pi-embedded-helpers/errors.ts

@@ -655,6 +655,9 @@ const ERROR_PATTERNS = {
     "unauthorized",
     "forbidden",
     "access denied",
+    "insufficient permissions",
+    "insufficient permission",
+    /missing scopes?:/i,
     "expired",
     "token has expired",
     /\b401\b/,