fix: restore SdkError(ClientHttpAuthentication) for circuit-breaker case

The 401-after-re-auth case (circuit breaker trips) should throw a
distinct error from the normal 'token rejected' case:

- First 401 with no onUnauthorized → UnauthorizedError — caller
  re-auths externally and reconnects
- Second 401 after onUnauthorized succeeded → SdkError with
  ClientHttpAuthentication — server is misbehaving, don't blindly
  retry, escalate

The previous commit collapsed these into UnauthorizedError, which
risks callers catching it, re-authing, and looping. Restored the
SdkError throw at all three 401 sites when _authRetryInFlight is
already set. Reverted migration doc changes — ClientHttpAuthentication
is not dead code.

Author: felixweinberger

docs/migration-SKILL.md

@@ -107,19 +107,19 @@ Two error classes now exist:
 - **`ProtocolError`** (renamed from `McpError`): Protocol errors that cross the wire as JSON-RPC responses
 - **`SdkError`** (new): Local SDK errors that never cross the wire
 
-| Error scenario                   | v1 type                                      | v2 type                                                           |
-| -------------------------------- | -------------------------------------------- | ----------------------------------------------------------------- |
-| Request timeout                  | `McpError` with `ErrorCode.RequestTimeout`   | `SdkError` with `SdkErrorCode.RequestTimeout`                     |
-| Connection closed                | `McpError` with `ErrorCode.ConnectionClosed` | `SdkError` with `SdkErrorCode.ConnectionClosed`                   |
-| Capability not supported         | `new Error(...)`                             | `SdkError` with `SdkErrorCode.CapabilityNotSupported`             |
-| Not connected                    | `new Error('Not connected')`                 | `SdkError` with `SdkErrorCode.NotConnected`                       |
-| Invalid params (server response) | `McpError` with `ErrorCode.InvalidParams`    | `ProtocolError` with `ProtocolErrorCode.InvalidParams`            |
-| HTTP transport error             | `StreamableHTTPError`                        | `SdkError` with `SdkErrorCode.ClientHttp*`                        |
-| Failed to open SSE stream        | `StreamableHTTPError`                        | `SdkError` with `SdkErrorCode.ClientHttpFailedToOpenStream`       |
-| 401 after auth flow              | `StreamableHTTPError`                        | `UnauthorizedError`                                               |
-| 403 after upscoping              | `StreamableHTTPError`                        | `SdkError` with `SdkErrorCode.ClientHttpForbidden`                |
-| Unexpected content type          | `StreamableHTTPError`                        | `SdkError` with `SdkErrorCode.ClientHttpUnexpectedContent`        |
-| Session termination failed       | `StreamableHTTPError`                        | `SdkError` with `SdkErrorCode.ClientHttpFailedToTerminateSession` |
+| Error scenario                    | v1 type                                      | v2 type                                                           |
+| --------------------------------- | -------------------------------------------- | ----------------------------------------------------------------- |
+| Request timeout                   | `McpError` with `ErrorCode.RequestTimeout`   | `SdkError` with `SdkErrorCode.RequestTimeout`                     |
+| Connection closed                 | `McpError` with `ErrorCode.ConnectionClosed` | `SdkError` with `SdkErrorCode.ConnectionClosed`                   |
+| Capability not supported          | `new Error(...)`                             | `SdkError` with `SdkErrorCode.CapabilityNotSupported`             |
+| Not connected                     | `new Error('Not connected')`                 | `SdkError` with `SdkErrorCode.NotConnected`                       |
+| Invalid params (server response)  | `McpError` with `ErrorCode.InvalidParams`    | `ProtocolError` with `ProtocolErrorCode.InvalidParams`            |
+| HTTP transport error              | `StreamableHTTPError`                        | `SdkError` with `SdkErrorCode.ClientHttp*`                        |
+| Failed to open SSE stream         | `StreamableHTTPError`                        | `SdkError` with `SdkErrorCode.ClientHttpFailedToOpenStream`       |
+| 401 after re-auth (circuit break) | `StreamableHTTPError`                        | `SdkError` with `SdkErrorCode.ClientHttpAuthentication`           |
+| 403 after upscoping               | `StreamableHTTPError`                        | `SdkError` with `SdkErrorCode.ClientHttpForbidden`                |
+| Unexpected content type           | `StreamableHTTPError`                        | `SdkError` with `SdkErrorCode.ClientHttpUnexpectedContent`        |
+| Session termination failed        | `StreamableHTTPError`                        | `SdkError` with `SdkErrorCode.ClientHttpFailedToTerminateSession` |
 
 New `SdkErrorCode` enum values:
 
@@ -131,6 +131,7 @@ New `SdkErrorCode` enum values:
 - `SdkErrorCode.ConnectionClosed` = `'CONNECTION_CLOSED'`
 - `SdkErrorCode.SendFailed` = `'SEND_FAILED'`
 - `SdkErrorCode.ClientHttpNotImplemented` = `'CLIENT_HTTP_NOT_IMPLEMENTED'`
+- `SdkErrorCode.ClientHttpAuthentication` = `'CLIENT_HTTP_AUTHENTICATION'`
 - `SdkErrorCode.ClientHttpForbidden` = `'CLIENT_HTTP_FORBIDDEN'`
 - `SdkErrorCode.ClientHttpUnexpectedContent` = `'CLIENT_HTTP_UNEXPECTED_CONTENT'`
 - `SdkErrorCode.ClientHttpFailedToOpenStream` = `'CLIENT_HTTP_FAILED_TO_OPEN_STREAM'`

docs/migration.md

@@ -575,21 +575,21 @@ try {
 
 The new `SdkErrorCode` enum contains string-valued codes for local SDK errors:
 
-| Code                                              | Description                                |
-| ------------------------------------------------- | ------------------------------------------ |
-| `SdkErrorCode.NotConnected`                       | Transport is not connected                 |
-| `SdkErrorCode.AlreadyConnected`                   | Transport is already connected             |
-| `SdkErrorCode.NotInitialized`                     | Protocol is not initialized                |
-| `SdkErrorCode.CapabilityNotSupported`             | Required capability is not supported       |
-| `SdkErrorCode.RequestTimeout`                     | Request timed out waiting for response     |
-| `SdkErrorCode.ConnectionClosed`                   | Connection was closed                      |
-| `SdkErrorCode.SendFailed`                         | Failed to send message                     |
-| `SdkErrorCode.ClientHttpNotImplemented`           | HTTP POST request failed                   |
-| `UnauthorizedError` (thrown, not `SdkError`)      | Server returned 401 after re-auth attempt  |
-| `SdkErrorCode.ClientHttpForbidden`                | Server returned 403 after trying upscoping |
-| `SdkErrorCode.ClientHttpUnexpectedContent`        | Unexpected content type in HTTP response   |
-| `SdkErrorCode.ClientHttpFailedToOpenStream`       | Failed to open SSE stream                  |
-| `SdkErrorCode.ClientHttpFailedToTerminateSession` | Failed to terminate session                |
+| Code                                              | Description                                 |
+| ------------------------------------------------- | ------------------------------------------- |
+| `SdkErrorCode.NotConnected`                       | Transport is not connected                  |
+| `SdkErrorCode.AlreadyConnected`                   | Transport is already connected              |
+| `SdkErrorCode.NotInitialized`                     | Protocol is not initialized                 |
+| `SdkErrorCode.CapabilityNotSupported`             | Required capability is not supported        |
+| `SdkErrorCode.RequestTimeout`                     | Request timed out waiting for response      |
+| `SdkErrorCode.ConnectionClosed`                   | Connection was closed                       |
+| `SdkErrorCode.SendFailed`                         | Failed to send message                      |
+| `SdkErrorCode.ClientHttpNotImplemented`           | HTTP POST request failed                    |
+| `SdkErrorCode.ClientHttpAuthentication`           | Server returned 401 after re-authentication |
+| `SdkErrorCode.ClientHttpForbidden`                | Server returned 403 after trying upscoping  |
+| `SdkErrorCode.ClientHttpUnexpectedContent`        | Unexpected content type in HTTP response    |
+| `SdkErrorCode.ClientHttpFailedToOpenStream`       | Failed to open SSE stream                   |
+| `SdkErrorCode.ClientHttpFailedToTerminateSession` | Failed to terminate session                 |
 
 #### `StreamableHTTPError` removed
 
@@ -617,10 +617,11 @@ import { SdkError, SdkErrorCode } from '@modelcontextprotocol/core';
 try {
     await transport.send(message);
 } catch (error) {
-    if (error instanceof UnauthorizedError) {
-        console.log('Token rejected — reconnect with fresh credentials');
-    } else if (error instanceof SdkError) {
+    if (error instanceof SdkError) {
         switch (error.code) {
+            case SdkErrorCode.ClientHttpAuthentication:
+                console.log('Auth failed — server rejected token after re-auth');
+                break;
             case SdkErrorCode.ClientHttpForbidden:
                 console.log('Forbidden after upscoping attempt');
                 break;

packages/client/src/client/sse.ts

@@ -279,8 +279,13 @@ export class SSEClientTransport implements Transport {
                         // Purposely _not_ awaited, so we don't call onerror twice
                         return this.send(message);
                     }
+                    await response.text?.().catch(() => {});
+                    if (this._authRetryInFlight) {
+                        throw new SdkError(SdkErrorCode.ClientHttpAuthentication, 'Server returned 401 after re-authentication', {
+                            status: 401
+                        });
+                    }
                     if (this._authProvider) {
-                        await response.text?.().catch(() => {});
                         throw new UnauthorizedError();
                     }
                 }

packages/client/src/client/streamableHttp.ts

@@ -229,8 +229,13 @@ export class StreamableHTTPClientTransport implements Transport {
                         // Purposely _not_ awaited, so we don't call onerror twice
                         return this._startOrAuthSse(options);
                     }
+                    await response.text?.().catch(() => {});
+                    if (this._authRetryInFlight) {
+                        throw new SdkError(SdkErrorCode.ClientHttpAuthentication, 'Server returned 401 after re-authentication', {
+                            status: 401
+                        });
+                    }
                     if (this._authProvider) {
-                        await response.text?.().catch(() => {});
                         throw new UnauthorizedError();
                     }
                 }
@@ -514,8 +519,13 @@ export class StreamableHTTPClientTransport implements Transport {
                         // Purposely _not_ awaited, so we don't call onerror twice
                         return this.send(message);
                     }
+                    await response.text?.().catch(() => {});
+                    if (this._authRetryInFlight) {
+                        throw new SdkError(SdkErrorCode.ClientHttpAuthentication, 'Server returned 401 after re-authentication', {
+                            status: 401
+                        });
+                    }
                     if (this._authProvider) {
-                        await response.text?.().catch(() => {});
                         throw new UnauthorizedError();
                     }
                 }

packages/client/test/client/sse.test.ts

@@ -3,7 +3,7 @@ import { createServer } from 'node:http';
 import type { AddressInfo } from 'node:net';
 
 import type { JSONRPCMessage, OAuthTokens } from '@modelcontextprotocol/core';
-import { OAuthError, OAuthErrorCode } from '@modelcontextprotocol/core';
+import { OAuthError, OAuthErrorCode, SdkError, SdkErrorCode } from '@modelcontextprotocol/core';
 import { listenOnRandomPort } from '@modelcontextprotocol/test-helpers';
 import type { Mock, Mocked, MockedFunction, MockInstance } from 'vitest';
 
@@ -1575,7 +1575,7 @@ describe('SSEClientTransport', () => {
             await expect(transport.send(message)).rejects.toThrow(UnauthorizedError);
         });
 
-        it('enforces circuit breaker on double-401: onUnauthorized called once, then throws', async () => {
+        it('enforces circuit breaker on double-401: onUnauthorized called once, then throws SdkError', async () => {
             postResponses = [401, 401];
             await setupServer();
 
@@ -1586,7 +1586,9 @@ describe('SSEClientTransport', () => {
             transport = new SSEClientTransport(resourceBaseUrl, { authProvider });
             await transport.start();
 
-            await expect(transport.send(message)).rejects.toThrow(UnauthorizedError);
+            const error = await transport.send(message).catch(e => e);
+            expect(error).toBeInstanceOf(SdkError);
+            expect((error as SdkError).code).toBe(SdkErrorCode.ClientHttpAuthentication);
             expect(authProvider.onUnauthorized).toHaveBeenCalledTimes(1);
             expect(postCount).toBe(2);
         });

packages/client/test/client/streamableHttp.test.ts

@@ -1678,7 +1678,9 @@ describe('StreamableHTTPClientTransport', () => {
                 // Retry the original request - still 401 (broken server)
                 .mockResolvedValueOnce(unauthedResponse);
 
-            await expect(transport.send(message)).rejects.toThrow(UnauthorizedError);
+            const error = await transport.send(message).catch(e => e);
+            expect(error).toBeInstanceOf(SdkError);
+            expect((error as SdkError).code).toBe(SdkErrorCode.ClientHttpAuthentication);
             expect(mockAuthProvider.saveTokens).toHaveBeenCalledWith({
                 access_token: 'new-access-token',
                 token_type: 'Bearer',

packages/client/test/client/tokenProvider.test.ts

@@ -1,4 +1,5 @@
 import type { JSONRPCMessage } from '@modelcontextprotocol/core';
+import { SdkError, SdkErrorCode } from '@modelcontextprotocol/core';
 import type { Mock } from 'vitest';
 
 import type { AuthProvider } from '../../src/client/auth.js';
@@ -81,7 +82,7 @@ describe('StreamableHTTPClientTransport with AuthProvider', () => {
         expect(retryInit.headers.get('Authorization')).toBe('Bearer new-token');
     });
 
-    it('should throw UnauthorizedError if retry after onUnauthorized also gets 401', async () => {
+    it('should throw SdkError(ClientHttpAuthentication) if retry after onUnauthorized also gets 401', async () => {
         const authProvider: AuthProvider = {
             token: vi.fn(async () => 'still-bad'),
             onUnauthorized: vi.fn(async () => {})
@@ -93,7 +94,9 @@ describe('StreamableHTTPClientTransport with AuthProvider', () => {
             .mockResolvedValueOnce({ ok: false, status: 401, headers: new Headers(), text: async () => 'unauthorized' })
             .mockResolvedValueOnce({ ok: false, status: 401, headers: new Headers(), text: async () => 'unauthorized' });
 
-        await expect(transport.send(message)).rejects.toThrow(UnauthorizedError);
+        const error = await transport.send(message).catch(e => e);
+        expect(error).toBeInstanceOf(SdkError);
+        expect((error as SdkError).code).toBe(SdkErrorCode.ClientHttpAuthentication);
         expect(authProvider.onUnauthorized).toHaveBeenCalledTimes(1);
     });