feat(auth): add error event publishing and Redis queue integration

- Introduced `publishErrorEvent` in `Manager` to publish error events to Redis.
- Implemented error event structure to capture authentication errors with detailed metadata.
- Added test cases for error event publishing, subscription, and Redis protocol handling.
- Enhanced error and usage queue handling with `SubscribeErrors` and `EnqueueError`.

Closes: router-for-me#3701

Author: luispater

internal/api/redis_queue_protocol.go

@@ -14,7 +14,10 @@ import (
 	log "github.com/sirupsen/logrus"
 )
 
-const redisUsageChannel = "usage"
+const (
+	redisUsageChannel  = "usage"
+	redisErrorsChannel = "errors"
+)
 
 type redisSubscriptionCommand struct {
 	args []string
@@ -150,15 +153,15 @@ func (s *Server) handleRedisConnection(conn net.Conn, reader *bufio.Reader) {
 				}
 				continue
 			}
-			if !strings.EqualFold(channel, redisUsageChannel) {
+			messages, unsubscribe, ok := subscribeRedisChannel(channel)
+			if !ok {
 				_ = writeRedisError(writer, fmt.Sprintf("ERR unsupported channel '%s'", channel))
 				if !flush() {
 					return
 				}
 				continue
 			}
-			messages, unsubscribe := redisqueue.SubscribeUsage()
-			if errWrite := writeRedisPubSubSubscribe(writer, redisUsageChannel, 1); errWrite != nil {
+			if errWrite := writeRedisPubSubSubscribe(writer, channel, 1); errWrite != nil {
 				unsubscribe()
 				log.Errorf("redis protocol subscribe response error: %v", errWrite)
 				return
@@ -167,7 +170,7 @@ func (s *Server) handleRedisConnection(conn net.Conn, reader *bufio.Reader) {
 				unsubscribe()
 				return
 			}
-			s.streamRedisUsageSubscription(reader, writer, messages, unsubscribe)
+			s.streamRedisSubscription(reader, writer, channel, messages, unsubscribe)
 			return
 		case "LPOP", "RPOP":
 			count, hasCount, ok := parsePopCount(args)
@@ -185,7 +188,14 @@ func (s *Server) handleRedisConnection(conn net.Conn, reader *bufio.Reader) {
 				}
 				continue
 			}
-			items := redisqueue.PopOldest(count)
+			items, ok := popRedisQueueItems(args[1], count)
+			if !ok {
+				_ = writeRedisError(writer, fmt.Sprintf("ERR unsupported channel '%s'", strings.TrimSpace(args[1])))
+				if !flush() {
+					return
+				}
+				continue
+			}
 			if hasCount {
 				_ = writeRedisArrayOfBulkStrings(writer, items)
 				if !flush() {
@@ -213,7 +223,29 @@ func (s *Server) handleRedisConnection(conn net.Conn, reader *bufio.Reader) {
 	}
 }
 
-func (s *Server) streamRedisUsageSubscription(reader *bufio.Reader, writer *bufio.Writer, messages <-chan []byte, unsubscribe func()) {
+func subscribeRedisChannel(channel string) (<-chan []byte, func(), bool) {
+	switch strings.ToLower(strings.TrimSpace(channel)) {
+	case redisUsageChannel:
+		messages, unsubscribe := redisqueue.SubscribeUsage()
+		return messages, unsubscribe, true
+	case redisErrorsChannel:
+		messages, unsubscribe := redisqueue.SubscribeErrors()
+		return messages, unsubscribe, true
+	default:
+		return nil, nil, false
+	}
+}
+
+func popRedisQueueItems(channel string, count int) ([][]byte, bool) {
+	switch strings.ToLower(strings.TrimSpace(channel)) {
+	case redisUsageChannel:
+		return redisqueue.PopOldest(count), true
+	default:
+		return nil, false
+	}
+}
+
+func (s *Server) streamRedisSubscription(reader *bufio.Reader, writer *bufio.Writer, channel string, messages <-chan []byte, unsubscribe func()) {
 	if unsubscribe == nil {
 		return
 	}
@@ -231,7 +263,7 @@ func (s *Server) streamRedisUsageSubscription(reader *bufio.Reader, writer *bufi
 			if !ok {
 				return
 			}
-			if errWrite := writeRedisPubSubMessage(writer, redisUsageChannel, msg); errWrite != nil {
+			if errWrite := writeRedisPubSubMessage(writer, channel, msg); errWrite != nil {
 				log.Errorf("redis protocol publish message error: %v", errWrite)
 				return
 			}
@@ -243,7 +275,7 @@ func (s *Server) streamRedisUsageSubscription(reader *bufio.Reader, writer *bufi
 			if !ok {
 				return
 			}
-			keepOpen := handleRedisSubscriptionCommand(writer, command)
+			keepOpen := handleRedisSubscriptionCommand(writer, channel, command)
 			if errFlush := writer.Flush(); errFlush != nil {
 				log.Errorf("redis protocol flush error: %v", errFlush)
 				return
@@ -277,7 +309,7 @@ func readRedisSubscriptionCommands(reader *bufio.Reader, commands chan<- redisSu
 	}
 }
 
-func handleRedisSubscriptionCommand(writer *bufio.Writer, command redisSubscriptionCommand) bool {
+func handleRedisSubscriptionCommand(writer *bufio.Writer, channel string, command redisSubscriptionCommand) bool {
 	if command.err != nil {
 		_ = writeRedisError(writer, "ERR "+command.err.Error())
 		return false
@@ -297,7 +329,7 @@ func handleRedisSubscriptionCommand(writer *bufio.Writer, command redisSubscript
 		_ = writeRedisPubSubPong(writer, payload)
 		return true
 	case "UNSUBSCRIBE":
-		_ = writeRedisPubSubUnsubscribe(writer, redisUsageChannel, 0)
+		_ = writeRedisPubSubUnsubscribe(writer, channel, 0)
 		return false
 	case "QUIT":
 		_ = writeRedisSimpleString(writer, "OK")

internal/api/redis_queue_protocol_integration_test.go

@@ -359,6 +359,60 @@ func TestRedisProtocol_SUBSCRIBE_UsageSendsSupportRefresh(t *testing.T) {
 	}
 }
 
+func TestRedisProtocol_SUBSCRIBE_ErrorsReceivesErrorEvents(t *testing.T) {
+	const managementPassword = "test-management-password"
+
+	t.Setenv("MANAGEMENT_PASSWORD", managementPassword)
+	redisqueue.SetEnabled(false)
+	t.Cleanup(func() { redisqueue.SetEnabled(false) })
+
+	server := newTestServer(t)
+	if !server.managementRoutesEnabled.Load() {
+		t.Fatalf("expected managementRoutesEnabled to be true")
+	}
+
+	addr, stop := startRedisMuxListener(t, server)
+	t.Cleanup(stop)
+
+	conn, errDial := net.DialTimeout("tcp", addr, time.Second)
+	if errDial != nil {
+		t.Fatalf("failed to dial redis listener: %v", errDial)
+	}
+	t.Cleanup(func() { _ = conn.Close() })
+
+	reader := bufio.NewReader(conn)
+	_ = conn.SetDeadline(time.Now().Add(5 * time.Second))
+
+	if errWrite := writeTestRESPCommand(conn, "AUTH", managementPassword); errWrite != nil {
+		t.Fatalf("failed to write AUTH command: %v", errWrite)
+	}
+	if msg, errRead := readTestRESPSimpleString(reader); errRead != nil {
+		t.Fatalf("failed to read AUTH response: %v", errRead)
+	} else if msg != "OK" {
+		t.Fatalf("unexpected AUTH response: %q", msg)
+	}
+
+	if errWrite := writeTestRESPCommand(conn, "SUBSCRIBE", "errors"); errWrite != nil {
+		t.Fatalf("failed to write SUBSCRIBE command: %v", errWrite)
+	}
+	channel, subscriptions, errSubscribe := readTestRESPPubSubSubscribe(reader)
+	if errSubscribe != nil {
+		t.Fatalf("failed to read subscribe response: %v", errSubscribe)
+	}
+	if channel != "errors" || subscriptions != 1 {
+		t.Fatalf("unexpected subscribe response channel=%q subscriptions=%d", channel, subscriptions)
+	}
+
+	redisqueue.EnqueueError([]byte(`{"auth_index":"auth-1","status_code":401}`))
+	channel, payload, errMessage := readTestRESPPubSubMessage(reader)
+	if errMessage != nil {
+		t.Fatalf("failed to read error message: %v", errMessage)
+	}
+	if channel != "errors" || string(payload) != `{"auth_index":"auth-1","status_code":401}` {
+		t.Fatalf("unexpected error message channel=%q payload=%q", channel, string(payload))
+	}
+}
+
 func TestRedisProtocol_AUTH_And_PopContracts(t *testing.T) {
 	const managementPassword = "test-management-password"
 
@@ -450,4 +504,13 @@ func TestRedisProtocol_AUTH_And_PopContracts(t *testing.T) {
 	if len(emptyItems) != 0 {
 		t.Fatalf("expected empty array for empty queue with count, got %#v", emptyItems)
 	}
+
+	if errWrite := writeTestRESPCommand(conn, "RPOP", "errors", "2"); errWrite != nil {
+		t.Fatalf("failed to write RPOP errors count command: %v", errWrite)
+	}
+	if msg, errRead := readTestRESPError(reader); errRead != nil {
+		t.Fatalf("failed to read RPOP errors response: %v", errRead)
+	} else if msg != "ERR unsupported channel 'errors'" {
+		t.Fatalf("unexpected RPOP errors response: %q", msg)
+	}
 }

internal/redisqueue/queue.go

@@ -10,6 +10,7 @@ const (
 	defaultRetentionSeconds int64 = 60
 	maxRetentionSeconds     int64 = 3600
 	usageSubscriberBuffer         = 256
+	errorSubscriberBuffer         = 256
 
 	usageSupportRefreshPayload = `{"support_refresh":true}`
 	usageRefreshPayload        = `{"refresh":true}`
@@ -32,6 +33,7 @@ var (
 	enabled          atomic.Bool
 	retentionSeconds atomic.Int64
 	global           queue
+	errorGlobal      queue
 )
 
 func init() {
@@ -42,6 +44,7 @@ func SetEnabled(value bool) {
 	enabled.Store(value)
 	if !value {
 		global.clear()
+		errorGlobal.clear()
 	}
 }
 
@@ -72,6 +75,16 @@ func Enqueue(payload []byte) {
 	global.enqueue(payload)
 }
 
+func EnqueueError(payload []byte) {
+	if !Enabled() {
+		return
+	}
+	if len(payload) == 0 {
+		return
+	}
+	errorGlobal.publishToSubscribers(payload)
+}
+
 func PopOldest(count int) [][]byte {
 	if !Enabled() {
 		return nil
@@ -83,7 +96,11 @@ func PopOldest(count int) [][]byte {
 }
 
 func SubscribeUsage() (<-chan []byte, func()) {
-	return global.subscribeUsage()
+	return global.subscribe(usageSubscriberBuffer, []byte(usageSupportRefreshPayload))
+}
+
+func SubscribeErrors() (<-chan []byte, func()) {
+	return errorGlobal.subscribe(errorSubscriberBuffer, nil)
 }
 
 func NotifyUsageRefresh() {
@@ -142,9 +159,11 @@ func (q *queue) publishToSubscribers(payload []byte) bool {
 	return true
 }
 
-func (q *queue) subscribeUsage() (<-chan []byte, func()) {
-	subscriber := make(chan []byte, usageSubscriberBuffer)
-	subscriber <- []byte(usageSupportRefreshPayload)
+func (q *queue) subscribe(buffer int, initialPayload []byte) (<-chan []byte, func()) {
+	subscriber := make(chan []byte, buffer)
+	if len(initialPayload) > 0 {
+		subscriber <- append([]byte(nil), initialPayload...)
+	}
 
 	q.mu.Lock()
 	if q.subscribers == nil {
@@ -158,13 +177,13 @@ func (q *queue) subscribeUsage() (<-chan []byte, func()) {
 	var once sync.Once
 	unsubscribe := func() {
 		once.Do(func() {
-			q.unsubscribeUsage(id)
+			q.unsubscribe(id)
 		})
 	}
 	return subscriber, unsubscribe
 }
 
-func (q *queue) unsubscribeUsage(id uint64) {
+func (q *queue) unsubscribe(id uint64) {
 	q.mu.Lock()
 	subscriber, ok := q.subscribers[id]
 	if ok {

internal/redisqueue/queue_test.go

@@ -39,6 +39,8 @@ func TestSetEnabledFalseClosesUsageSubscribers(t *testing.T) {
 	withEnabledQueue(t, func() {
 		subscriber, unsubscribe := SubscribeUsage()
 		defer unsubscribe()
+		errorSubscriber, unsubscribeErrors := SubscribeErrors()
+		defer unsubscribeErrors()
 
 		requireUsageSubscriberPayload(t, subscriber, usageSupportRefreshPayload)
 
@@ -52,19 +54,51 @@ func TestSetEnabledFalseClosesUsageSubscribers(t *testing.T) {
 		case <-time.After(time.Second):
 			t.Fatalf("timeout waiting for subscriber close")
 		}
+
+		select {
+		case _, ok := <-errorSubscriber:
+			if ok {
+				t.Fatalf("error subscriber channel remained open after SetEnabled(false)")
+			}
+		case <-time.After(time.Second):
+			t.Fatalf("timeout waiting for error subscriber close")
+		}
+	})
+}
+
+func TestEnqueueErrorBroadcastsToErrorSubscribersAndDiscardsWithoutSubscribers(t *testing.T) {
+	withEnabledQueue(t, func() {
+		subscriber, unsubscribe := SubscribeErrors()
+		defer unsubscribe()
+
+		EnqueueError([]byte("error-record"))
+		requireUsageSubscriberPayload(t, subscriber, "error-record")
+
+		unsubscribe()
+
+		EnqueueError([]byte("discarded-error"))
+		requireErrorQueueEmpty(t)
 	})
 }
 
 func TestNotifyUsageRefreshBroadcastsOnlyToUsageSubscribers(t *testing.T) {
 	withEnabledQueue(t, func() {
 		subscriber, unsubscribe := SubscribeUsage()
 		defer unsubscribe()
+		errorSubscriber, unsubscribeErrors := SubscribeErrors()
+		defer unsubscribeErrors()
 
 		requireUsageSubscriberPayload(t, subscriber, usageSupportRefreshPayload)
 
 		NotifyUsageRefresh()
 		requireUsageSubscriberPayload(t, subscriber, usageRefreshPayload)
 
+		select {
+		case got := <-errorSubscriber:
+			t.Fatalf("error subscriber received usage refresh payload %q", string(got))
+		default:
+		}
+
 		unsubscribe()
 		NotifyUsageRefresh()
 		if items := PopOldest(1); len(items) != 0 {
@@ -88,3 +122,14 @@ func requireUsageSubscriberPayload(t *testing.T, subscriber <-chan []byte, want
 		t.Fatalf("timeout waiting for subscriber payload %q", want)
 	}
 }
+
+func requireErrorQueueEmpty(t *testing.T) {
+	t.Helper()
+
+	errorGlobal.mu.Lock()
+	defer errorGlobal.mu.Unlock()
+
+	if len(errorGlobal.items)-errorGlobal.head != 0 {
+		t.Fatalf("error queue retained %d item(s), want none", len(errorGlobal.items)-errorGlobal.head)
+	}
+}

sdk/cliproxy/auth/conductor.go

@@ -2523,6 +2523,7 @@ func (m *Manager) MarkResult(ctx context.Context, result Result) {
 	}
 
 	m.hook.OnResult(ctx, result)
+	m.publishErrorEvent(result, authSnapshot)
 }
 
 func ensureModelState(auth *Auth, model string) *ModelState {