feat(server): detect and surface Buildkite API 401 errors

When the Buildkite API returns HTTP 401, tool handlers now propagate a
structured ErrUnauthorized (a *jsonrpc.Error with code 401) instead of
swallowing it as a generic tool result error.

- handleBuildkiteError centralises error conversion across all tool
  handlers: 401 → ErrUnauthorized, other ErrorResponse → tool result
  error with raw body or message, everything else → tool result error
- unauthorizedMiddleware intercepts ErrUnauthorized in the MCP
  middleware chain, logs a warning, signals the HTTP layer, and fires
  an optional OnUnauthorized callback for library consumers
- NewHTTPUnauthorizedHandler wraps the streamable HTTP handler to
  return a real HTTP 401 (with WWW-Authenticate header and no body)
  instead of a 200 with a JSON-RPC error body; stale inner-handler
  headers are cleared before the 401 is written
- WithOnUnauthorized option allows library consumers to register a
  reauth callback
- All three log reader tools (search_logs, tail_logs, read_logs) now
  use handleBuildkiteError so 401s from the buildkite-logs library
  propagate correctly

Author: wolfeidau

internal/commands/http.go

@@ -55,9 +55,11 @@ func (c *HTTPCmd) Run(ctx context.Context, globals *Globals) error {
 
 	mux.HandleFunc("/health", healthHandler)
 
-	handler := mcp.NewStreamableHTTPHandler(factory, &mcp.StreamableHTTPOptions{
-		Stateless: true,
-	})
+	handler := server.NewHTTPUnauthorizedHandler(
+		mcp.NewStreamableHTTPHandler(factory, &mcp.StreamableHTTPOptions{
+			Stateless: true,
+		}),
+	)
 	mux.Handle("/mcp", handler)
 
 	log.Ctx(ctx).Info().

pkg/buildkite/access_token.go

@@ -4,7 +4,6 @@ import (
 	"context"
 
 	"github.com/buildkite/buildkite-mcp-server/pkg/trace"
-	"github.com/buildkite/buildkite-mcp-server/pkg/utils"
 	"github.com/buildkite/go-buildkite/v4"
 	"github.com/modelcontextprotocol/go-sdk/mcp"
 )
@@ -30,7 +29,7 @@ func AccessToken() (mcp.Tool, mcp.ToolHandlerFor[AccessTokenArgs, any], []string
 			deps := DepsFromContext(ctx)
 			token, _, err := deps.AccessTokensClient.Get(ctx)
 			if err != nil {
-				return utils.NewToolResultError(err.Error()), nil, nil
+				return handleBuildkiteError(err)
 			}
 
 			return mcpTextResult(span, &token)

pkg/buildkite/annotations.go

@@ -4,7 +4,6 @@ import (
 	"context"
 
 	"github.com/buildkite/buildkite-mcp-server/pkg/trace"
-	"github.com/buildkite/buildkite-mcp-server/pkg/utils"
 	"github.com/buildkite/go-buildkite/v4"
 	"github.com/modelcontextprotocol/go-sdk/mcp"
 	"go.opentelemetry.io/otel/attribute"
@@ -51,7 +50,7 @@ func ListAnnotations() (mcp.Tool, mcp.ToolHandlerFor[ListAnnotationsArgs, any],
 				ListOptions: paginationParams,
 			})
 			if err != nil {
-				return utils.NewToolResultError(err.Error()), nil, nil
+				return handleBuildkiteError(err)
 			}
 
 			result := PaginatedResult[buildkite.Annotation]{

pkg/buildkite/artifacts.go

@@ -127,7 +127,7 @@ func ListArtifactsForBuild() (mcp.Tool, mcp.ToolHandlerFor[ListArtifactsForBuild
 				ListOptions: paginationParams,
 			})
 			if err != nil {
-				return utils.NewToolResultError(err.Error()), nil, nil
+				return handleBuildkiteError(err)
 			}
 
 			result := PaginatedResult[buildkite.Artifact]{
@@ -174,7 +174,7 @@ func ListArtifactsForJob() (mcp.Tool, mcp.ToolHandlerFor[ListArtifactsForJobArgs
 				ListOptions: paginationParams,
 			})
 			if err != nil {
-				return utils.NewToolResultError(err.Error()), nil, nil
+				return handleBuildkiteError(err)
 			}
 
 			result := PaginatedResult[buildkite.Artifact]{

pkg/buildkite/builds.go

@@ -2,7 +2,6 @@ package buildkite
 
 import (
 	"context"
-	"errors"
 	"strings"
 
 	"github.com/buildkite/buildkite-mcp-server/pkg/trace"
@@ -234,14 +233,7 @@ func ListBuilds() (mcp.Tool, mcp.ToolHandlerFor[ListBuildsArgs, any], []string)
 				builds, resp, err = deps.BuildsClient.ListByOrg(ctx, args.OrgSlug, options)
 			}
 			if err != nil {
-				var errResp *buildkite.ErrorResponse
-				if errors.As(err, &errResp) {
-					if errResp.RawBody != nil {
-						return utils.NewToolResultError(string(errResp.RawBody)), nil, nil
-					}
-				}
-
-				return utils.NewToolResultError(err.Error()), nil, nil
+				return handleBuildkiteError(err)
 			}
 
 			headers := map[string]string{
@@ -292,14 +284,7 @@ func GetBuildTestEngineRuns() (mcp.Tool, mcp.ToolHandlerFor[GetBuildTestEngineRu
 				IncludeTestEngine: true,
 			})
 			if err != nil {
-				var errResp *buildkite.ErrorResponse
-				if errors.As(err, &errResp) {
-					if errResp.RawBody != nil {
-						return utils.NewToolResultError(string(errResp.RawBody)), nil, nil
-					}
-				}
-
-				return utils.NewToolResultError(err.Error()), nil, nil
+				return handleBuildkiteError(err)
 			}
 
 			// Extract just the test engine runs data
@@ -348,14 +333,7 @@ func GetBuild() (mcp.Tool, mcp.ToolHandlerFor[GetBuildArgs, any], []string) {
 			deps := DepsFromContext(ctx)
 			build, _, err := deps.BuildsClient.Get(ctx, args.OrgSlug, args.PipelineSlug, args.BuildNumber, options)
 			if err != nil {
-				var errResp *buildkite.ErrorResponse
-				if errors.As(err, &errResp) {
-					if errResp.RawBody != nil {
-						return utils.NewToolResultError(string(errResp.RawBody)), nil, nil
-					}
-				}
-
-				return utils.NewToolResultError(err.Error()), nil, nil
+				return handleBuildkiteError(err)
 			}
 
 			// Parse job states filter
@@ -470,14 +448,7 @@ func CreateBuild() (mcp.Tool, mcp.ToolHandlerFor[CreateBuildArgs, any], []string
 			deps := DepsFromContext(ctx)
 			build, _, err := deps.BuildsClient.Create(ctx, args.OrgSlug, args.PipelineSlug, createBuild)
 			if err != nil {
-				var errResp *buildkite.ErrorResponse
-				if errors.As(err, &errResp) {
-					if errResp.RawBody != nil {
-						return utils.NewToolResultError(string(errResp.RawBody)), nil, nil
-					}
-				}
-
-				return utils.NewToolResultError(err.Error()), nil, nil
+				return handleBuildkiteError(err)
 			}
 
 			return mcpTextResult(span, &build)

pkg/buildkite/cluster_queue.go

@@ -4,7 +4,6 @@ import (
 	"context"
 
 	"github.com/buildkite/buildkite-mcp-server/pkg/trace"
-	"github.com/buildkite/buildkite-mcp-server/pkg/utils"
 	"github.com/buildkite/go-buildkite/v4"
 	"github.com/modelcontextprotocol/go-sdk/mcp"
 	"go.opentelemetry.io/otel/attribute"
@@ -54,7 +53,7 @@ func ListClusterQueues() (mcp.Tool, mcp.ToolHandlerFor[ListClusterQueuesArgs, an
 				ListOptions: paginationParams,
 			})
 			if err != nil {
-				return utils.NewToolResultError(err.Error()), nil, nil
+				return handleBuildkiteError(err)
 			}
 
 			result := PaginatedResult[buildkite.ClusterQueue]{
@@ -93,7 +92,7 @@ func GetClusterQueue() (mcp.Tool, mcp.ToolHandlerFor[GetClusterQueueArgs, any],
 			deps := DepsFromContext(ctx)
 			queue, _, err := deps.ClusterQueuesClient.Get(ctx, args.OrgSlug, args.ClusterID, args.QueueID)
 			if err != nil {
-				return utils.NewToolResultError(err.Error()), nil, nil
+				return handleBuildkiteError(err)
 			}
 
 			return mcpTextResult(span, &queue)

pkg/buildkite/clusters.go

@@ -4,7 +4,6 @@ import (
 	"context"
 
 	"github.com/buildkite/buildkite-mcp-server/pkg/trace"
-	"github.com/buildkite/buildkite-mcp-server/pkg/utils"
 	"github.com/buildkite/go-buildkite/v4"
 	"github.com/modelcontextprotocol/go-sdk/mcp"
 	"go.opentelemetry.io/otel/attribute"
@@ -51,7 +50,7 @@ func ListClusters() (mcp.Tool, mcp.ToolHandlerFor[ListClustersArgs, any], []stri
 				ListOptions: paginationParams,
 			})
 			if err != nil {
-				return utils.NewToolResultError(err.Error()), nil, nil
+				return handleBuildkiteError(err)
 			}
 
 			result := PaginatedResult[buildkite.Cluster]{
@@ -89,7 +88,7 @@ func GetCluster() (mcp.Tool, mcp.ToolHandlerFor[GetClusterArgs, any], []string)
 			deps := DepsFromContext(ctx)
 			cluster, _, err := deps.ClustersClient.Get(ctx, args.OrgSlug, args.ClusterID)
 			if err != nil {
-				return utils.NewToolResultError(err.Error()), nil, nil
+				return handleBuildkiteError(err)
 			}
 
 			return mcpTextResult(span, &cluster)

pkg/buildkite/errors.go

@@ -0,0 +1,48 @@
+package buildkite
+
+import (
+	"errors"
+	"net/http"
+
+	"github.com/buildkite/buildkite-mcp-server/pkg/utils"
+	"github.com/buildkite/go-buildkite/v4"
+	"github.com/modelcontextprotocol/go-sdk/jsonrpc"
+	"github.com/modelcontextprotocol/go-sdk/mcp"
+)
+
+// ErrUnauthorized is returned when the Buildkite API responds with HTTP 401.
+// It is a *jsonrpc.Error so the MCP SDK passes it through the middleware chain
+// rather than converting it to a tool result body. Library consumers can use
+// errors.Is to detect this and trigger a reauth flow.
+//
+// The error code 401 is a positive, non-standard JSON-RPC code (conventional
+// codes are negative). It is chosen deliberately for HTTP semantic alignment;
+// jsonrpc.Error.Is compares by code value only, so detection via errors.Is is
+// unaffected by the sign.
+//
+// Do not modify the fields of this value; treat it as a read-only sentinel.
+var ErrUnauthorized = &jsonrpc.Error{
+	Code:    http.StatusUnauthorized,
+	Message: "buildkite: unauthorized",
+}
+
+// handleBuildkiteError converts a Buildkite API error into tool handler return values.
+// On a 401 it returns (nil, nil, ErrUnauthorized) so the error propagates as a
+// JSON-RPC error and can be intercepted by middleware. On other errors it returns
+// a tool result error so the tool call succeeds at the JSON-RPC level but with an
+// error body.
+func handleBuildkiteError(err error) (*mcp.CallToolResult, any, error) {
+	var errResp *buildkite.ErrorResponse
+	if errors.As(err, &errResp) {
+		if errResp.Response != nil && errResp.Response.StatusCode == http.StatusUnauthorized {
+			return nil, nil, ErrUnauthorized
+		}
+		if errResp.RawBody != nil {
+			return utils.NewToolResultError(string(errResp.RawBody)), nil, nil
+		}
+		if errResp.Message != "" {
+			return utils.NewToolResultError(errResp.Message), nil, nil
+		}
+	}
+	return utils.NewToolResultError(err.Error()), nil, nil
+}

pkg/buildkite/errors_test.go

@@ -0,0 +1,91 @@
+package buildkite
+
+import (
+	"fmt"
+	"net/http"
+	"testing"
+
+	"github.com/buildkite/go-buildkite/v4"
+	"github.com/stretchr/testify/require"
+)
+
+func TestHandleBuildkiteError_Unauthorized(t *testing.T) {
+	errResp := &buildkite.ErrorResponse{
+		Response: &http.Response{StatusCode: http.StatusUnauthorized},
+	}
+
+	result, data, err := handleBuildkiteError(errResp)
+
+	require.Nil(t, result)
+	require.Nil(t, data)
+	require.ErrorIs(t, err, ErrUnauthorized)
+}
+
+func TestHandleBuildkiteError_WithRawBody(t *testing.T) {
+	errResp := &buildkite.ErrorResponse{
+		Response: &http.Response{StatusCode: http.StatusUnprocessableEntity},
+		RawBody:  []byte(`{"message":"validation failed"}`),
+	}
+
+	result, data, err := handleBuildkiteError(errResp)
+
+	require.NoError(t, err)
+	require.Nil(t, data)
+	require.NotNil(t, result)
+	require.True(t, result.IsError)
+	require.Len(t, result.Content, 1)
+	textContent := getTextResult(t, result)
+	require.JSONEq(t, `{"message":"validation failed"}`, textContent.Text)
+}
+
+func TestHandleBuildkiteError_GenericError(t *testing.T) {
+	genericErr := fmt.Errorf("connection refused")
+
+	result, data, err := handleBuildkiteError(genericErr)
+
+	require.NoError(t, err)
+	require.Nil(t, data)
+	require.NotNil(t, result)
+	require.True(t, result.IsError)
+	textContent := getTextResult(t, result)
+	require.Equal(t, "connection refused", textContent.Text)
+}
+
+func TestHandleBuildkiteError_NonUnauthorizedWithMessage(t *testing.T) {
+	errResp := &buildkite.ErrorResponse{
+		Response: &http.Response{StatusCode: http.StatusNotFound},
+		Message:  "pipeline not found",
+	}
+
+	result, data, err := handleBuildkiteError(errResp)
+
+	require.NoError(t, err)
+	require.Nil(t, data)
+	require.NotNil(t, result)
+	require.True(t, result.IsError)
+	textContent := getTextResult(t, result)
+	require.Equal(t, "pipeline not found", textContent.Text)
+}
+
+func TestHandleBuildkiteError_NilResponse(t *testing.T) {
+	// ErrorResponse with no underlying HTTP response (e.g. a network-level failure
+	// that still produces an ErrorResponse). Must not be treated as a 401.
+	errResp := &buildkite.ErrorResponse{
+		Response: nil,
+		Message:  "connection reset",
+	}
+
+	result, data, err := handleBuildkiteError(errResp)
+
+	require.NoError(t, err)
+	require.Nil(t, data)
+	require.NotNil(t, result)
+	require.True(t, result.IsError)
+	textContent := getTextResult(t, result)
+	require.Equal(t, "connection reset", textContent.Text)
+}
+
+func TestErrUnauthorized_IsWrappable(t *testing.T) {
+	wrapped := fmt.Errorf("wrapped: %w", ErrUnauthorized)
+	require.ErrorIs(t, wrapped, ErrUnauthorized)
+}

pkg/buildkite/joblogs.go

@@ -158,7 +158,7 @@ func SearchLogs() (mcp.Tool, mcp.ToolHandlerFor[SearchLogsParams, any], []string
 			deps := DepsFromContext(ctx)
 			reader, err := newParquetReader(ctx, deps.BuildkiteLogsClient, params.JobLogsBaseParams)
 			if err != nil {
-				return utils.NewToolResultError(fmt.Sprintf("Failed to create log reader: %v", err)), nil, nil
+				return handleBuildkiteError(err)
 			}
 			defer reader.Close()
 
@@ -236,7 +236,7 @@ func TailLogs() (mcp.Tool, mcp.ToolHandlerFor[TailLogsParams, any], []string) {
 			deps := DepsFromContext(ctx)
 			reader, err := newParquetReader(ctx, deps.BuildkiteLogsClient, params.JobLogsBaseParams)
 			if err != nil {
-				return utils.NewToolResultError(fmt.Sprintf("Failed to create log reader: %v", err)), nil, nil
+				return handleBuildkiteError(err)
 			}
 			defer reader.Close()
 
@@ -301,7 +301,7 @@ func ReadLogs() (mcp.Tool, mcp.ToolHandlerFor[ReadLogsParams, any], []string) {
 			deps := DepsFromContext(ctx)
 			reader, err := newParquetReader(ctx, deps.BuildkiteLogsClient, params.JobLogsBaseParams)
 			if err != nil {
-				return utils.NewToolResultError(fmt.Sprintf("Failed to create log reader: %v", err)), nil, nil
+				return handleBuildkiteError(err)
 			}
 			defer reader.Close()