fix(security-agent): add SANDBOX_FAILED classification and reduce Sentry noise (#934)

Author: jeanduplessis

src/lib/security-agent/core/error-classification.test.ts

@@ -75,6 +75,27 @@ describe('classifyAnalysisError', () => {
     });
   });
 
+  describe('SANDBOX_FAILED', () => {
+    it.each([
+      'ConfigInvalidError: bad file reference: "{file:.opencode/prompts/agents/planner.txt}"',
+      'Failed to create workspace directory /tmp/sandbox-123',
+      'Failed to create kilo CLI session for repo foo/bar',
+      'prepareSession call failed with HTTP 500',
+      'FileSystemError: mkdir operation failed with exit code NaN',
+    ])('classifies %j as SANDBOX_FAILED', message => {
+      expect(classifyAnalysisError(new Error(message)).code).toBe('SANDBOX_FAILED');
+    });
+
+    it('does not match generic filesystem or config errors without sandbox context', () => {
+      expect(classifyAnalysisError(new Error('Invalid config option')).code).not.toBe(
+        'SANDBOX_FAILED'
+      );
+      expect(classifyAnalysisError(new Error('ENOENT: no such file or directory')).code).not.toBe(
+        'SANDBOX_FAILED'
+      );
+    });
+  });
+
   describe('UNKNOWN', () => {
     it('returns UNKNOWN for unrecognized errors', () => {
       const result = classifyAnalysisError(new Error('something unexpected'));

src/lib/security-agent/core/error-classification.ts

@@ -31,6 +31,14 @@ const NOT_FOUND_PATTERNS = [
   /\bno such\b.*\brepository\b/i,
 ];
 
+const SANDBOX_PATTERNS = [
+  /\bConfigInvalidError\b/i,
+  /\bFailed to create.*workspace\b/i,
+  /\bFailed to create kilo CLI session\b/i,
+  /\bprepareSession\b.*\bfailed\b/i,
+  /\bFileSystemError\b/i,
+];
+
 /**
  * Classify a raw error into a structured code and user-friendly message.
  *
@@ -63,6 +71,13 @@ export function classifyAnalysisError(error: unknown): ClassifiedError {
     };
   }
 
+  if (SANDBOX_PATTERNS.some(p => p.test(raw))) {
+    return {
+      code: 'SANDBOX_FAILED',
+      userMessage: 'Sandbox analysis failed to start. Please try again later.',
+    };
+  }
+
   return {
     code: 'UNKNOWN',
     userMessage: 'An unexpected error occurred. Please try again.',

src/lib/security-agent/services/triage-service.ts

@@ -285,25 +285,41 @@ export async function triageSecurityFinding(options: {
             correlationId,
             findingId: finding.id,
             status: result.status,
+            model,
           });
-          captureException(new Error(`Triage API error: ${result.status}`), {
-            tags: { operation: 'triageSecurityFinding' },
-            extra: {
-              findingId: finding.id,
-              status: result.status,
-              error: result.error,
-              correlationId,
-            },
-          });
+
+          // Provider-side errors we expect when users pick models that are
+          // delisted (404), rate-limited (408/429), or when the provider is
+          // down (5xx). These are not actionable on our side.
+          // All other statuses (e.g. 400/401/403) may indicate bugs in our
+          // request or auth path and should still reach Sentry.
+          const isProviderError =
+            result.status === 404 ||
+            result.status === 408 ||
+            result.status === 429 ||
+            result.status >= 500;
+
+          if (!isProviderError) {
+            captureException(new Error(`Triage API error: ${result.status}`), {
+              tags: { operation: 'triageSecurityFinding' },
+              extra: {
+                findingId: finding.id,
+                status: result.status,
+                error: result.error,
+                model,
+                correlationId,
+              },
+            });
+          }
 
           span.setAttribute('security_agent.status', 'error');
           span.setAttribute('security_agent.is_fallback', true);
 
           addBreadcrumb({
             category: 'security-agent.triage',
-            message: 'Triage fallback used',
+            message: `Triage fallback used (model=${model}, status=${result.status})`,
             level: 'warning',
-            data: { correlationId, findingId: finding.id, isFallback: true },
+            data: { correlationId, findingId: finding.id, model, isFallback: true },
           });
 
           return createFallbackTriage(`API error: ${result.status}`);