test(auth): cover Composio upstream 401 session guard

[YOMXXX]

Summary

• Adds a Rust JSON-RPC regression test for the exact [Bug] Navigating to Integrations/Connections page triggers session expiry and auto-logout #2537 Composio upstream-401-in-backend-500 error shape.
• Adds a frontend classifyRpcError regression case proving that same shape is treated as provider_auth, not auth_expired.
• Documents the current main behavior: scoped Composio credential failures stay recoverable and do not publish SessionExpired.

Problem

• [Bug] Navigating to Integrations/Connections page triggers session expiry and auto-logout #2537 reports a v0.54.0 logout cascade when openhuman.composio_list_connections returns a backend 500 that wraps a Composio 401 Invalid API key.
• That upstream/service credential failure must not be interpreted as an OpenHuman app-session expiry.
• Current main already has the narrowed session-expiry classifier; this PR pins the reported wire shape so future broad 401 matching cannot regress it.

Solution

• Extends src/core/jsonrpc_tests.rs with the verbatim backend-wrapped Composio invalid-key shape and asserts it does not match is_session_expired_error.
• Extends app/src/services/__tests__/coreRpcClient.test.ts with the same shape and asserts it classifies as provider_auth.
• Leaves production logic unchanged because the current classifiers already satisfy the expected behavior.

Submission Checklist

If a section does not apply to this change, mark the item as N/A with a one-line reason. Do not delete items.

• Tests added or updated (happy path + at least one failure / edge case) per Testing Strategy
• Diff coverage ≥ 80% — N/A: test-only PR; no production lines changed, CI will still enforce the gate.
• Coverage matrix updated — N/A: regression-test-only change, no feature row changed.
• All affected feature IDs from the matrix are listed in the PR description under ## Related — N/A: no feature matrix row affected.
• No new external network dependencies introduced (mock backend used per Testing Strategy)
• Manual smoke checklist updated if this touches release-cut surfaces (docs/RELEASE-MANUAL-SMOKE.md) — N/A: test-only regression guard.
• Linked issue closed via Closes #NNN in the ## Related section

Impact

• Runtime/platform impact: none; test-only change.
• Security/session impact: protects the app-session boundary from broad downstream/upstream 401 matching regressions.
• Performance/migration impact: none.

Related

• Closes [Bug] Navigating to Integrations/Connections page triggers session expiry and auto-logout #2537
• Follow-up PR(s)/TODOs: none

---

AI Authored PR Metadata (required for Codex/Linear PRs)

Keep this section for AI-authored PRs. For human-only PRs, mark each field N/A.

Linear Issue

• Key: N/A
• URL: N/A

Commit & Branch

• Branch: fix/2537-upstream-401-session-expiry
• Commit SHA: 986013b9b89f803be2f789210802bba284ee626d

Validation Run

• pnpm --filter openhuman-app format:check via pnpm format:check and pre-push hook
• pnpm typecheck via pre-push pnpm compile (tsc --noEmit)
• Focused tests:
  • pnpm debug unit src/services/__tests__/coreRpcClient.test.ts -t classifyRpcError — 1 file passed, 27 tests passed / 57 skipped
  • GGML_NATIVE=OFF cargo test --manifest-path Cargo.toml is_session_expired_error_does_not_match_backend_wrapped_composio_invalid_api_key --lib — 1 passed
• Rust fmt/check (if changed): cargo fmt --manifest-path ../Cargo.toml --all --check via pnpm format:check; pre-push pnpm rust:check passed with GGML_NATIVE=OFF
• Tauri fmt/check (if changed): cargo fmt --manifest-path src-tauri/Cargo.toml --all --check via pnpm format:check; pre-push pnpm rust:check passed with GGML_NATIVE=OFF

Validation Blocked

• command: N/A
• error: N/A
• impact: N/A

Behavior Changes

• Intended behavior change: none in production code; locks the current desired behavior with regression coverage.
• User-visible effect: none directly; prevents future regressions where Composio upstream auth failures would log out the user.

Parity Contract

• Legacy behavior preserved: OpenHuman backend/session-expired markers still classify as auth_expired; downstream/provider 401s remain scoped errors.
• Guard/fallback/dispatch parity checks: Rust JSON-RPC session classifier and frontend RPC error classifier now share the [Bug] Navigating to Integrations/Connections page triggers session expiry and auto-logout #2537 wire-shape regression case.

Duplicate / Superseded PR Handling

• Duplicate PR(s): N/A
• Canonical PR: this PR
• Resolution (closed/superseded/updated): N/A

Summary by CodeRabbit

• Tests
  • Added regression tests to improve error handling and classification for authentication scenarios.
  • Enhanced test coverage for edge cases in error detection and logging logic.

Note: This release contains no end-user visible changes.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0a3a1480-7e1e-4f4e-9901-6128a9cc111c

📥 Commits

Reviewing files that changed from the base of the PR and between 7745d58 and 986013b.

📒 Files selected for processing (2)

• app/src/services/__tests__/coreRpcClient.test.ts
• src/core/jsonrpc_tests.rs

---

📝 Walkthrough

Walkthrough

This PR adds test coverage to distinguish Composio provider authentication failures from user session expiry. Client-side tests verify that Composio 401 Invalid API key errors classify as provider_auth, while backend-side regression tests confirm that backend-wrapped Composio 401s do not trigger session-expired conditions.

Changes

Error classification for Composio provider auth failures

Layer / File(s)	Summary
Composio 401 classification test cases app/src/services/__tests__/coreRpcClient.test.ts, src/core/jsonrpc_tests.rs	Client-side test extends classifyRpcError cases to classify Composio "list_connections" 401 Invalid API key as provider_auth. Backend-side regression test verifies the same backend-wrapped message does not match is_session_expired_error while matching is_unconfirmed_unauthorized_error.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

• tinyhumansai/openhuman#1719: Focuses on is_session_expired/401 classification logic for backend-wrapped Composio authentication failures with session-expired classifier and Sentry suppression.
• tinyhumansai/openhuman#2356: Extends classifyRpcError provider_auth test coverage in coreRpcClient.test.ts to add Composio 401 "Invalid API key" classification cases.
• tinyhumansai/openhuman#2376: Extends regression coverage for JSON-RPC error classification to ensure upstream 401-style provider auth failures are not misclassified as session-expired.

Suggested labels

bug

Suggested reviewers

• graycyrus
• senamakel

Poem

🐰 A Composio key went wrong,
The backend's auth was not so strong,
The tests now catch what's false from real,
No more sad logouts—error reveal! 🔑

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'test(auth): cover Composio upstream 401 session guard' is specific and directly related to the main change: adding regression tests for Composio upstream 401 handling.
Linked Issues check	✅ Passed	The pull request adds regression tests that directly address the requirements in #2537 by covering the exact backend-wrapped Composio 401 scenario and asserting it is not classified as session expiry.
Out of Scope Changes check	✅ Passed	All changes are narrowly focused on test coverage for the Composio upstream 401 scenario; no unrelated alterations to production logic or other concerns are present.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[YOMXXX]

CI note: all other checks are green, and there are no unresolved review comments. The only failing check is , but it failed before running diff-cover: could not fetch the PR merge ref and ended with after retries. I do not have admin permission to rerun upstream Actions jobs from here, so please rerun the failed Coverage Gate job/check.

[YOMXXX]

CI note: all other checks are green, and there are no unresolved review comments.

The only failing check is Coverage Gate (diff-cover >= 80%), but it failed before running diff-cover: actions/checkout@v5 could not fetch the PR merge ref and ended with fatal: could not read Username for 'https://github.com': terminal prompts disabled after retries.

I do not have admin permission to rerun upstream Actions jobs from here, so please rerun the failed Coverage Gate job/check.