CLI: surface API detail on 403 in environment commands

[andhus]

Summary

stardag/_cli/environment.py::_handle_api_error hard-coded the 403 message to:

Error: Permission denied. Admin role or higher is required to modify {resource}.

That's only one of several 403 paths the API can hit. The most surprising one is the workspace env-count cap in routes/workspaces.create_environment:

raise HTTPException(
    status_code=status.HTTP_403_FORBIDDEN,
    detail=f"Workspace can have at most {Workspace.MAX_ENVIRONMENTS_PER_WORKSPACE} environments",
)

— so an admin who hits the cap gets "you're not admin", which is doubly confusing because the API's actual detail says exactly what's wrong.

Fix

Read response.json().get("detail") and surface it, like the 409 branch right below it does. Wrapped the .json() call in try/except ValueError to be defensive against non-JSON 403 bodies (e.g. proxy errors).

Before:

$ uv run stardag environment create my-env
Error: Permission denied. Admin role or higher is required to modify environment.

After (for the env-cap case):

$ uv run stardag environment create my-env
Error: Workspace can have at most 15 environments

After (for an actual role-shortage):

$ uv run stardag environment create my-env
Error: Requires admin role or higher

(That string comes from require_workspace_access in the API.)

Test plan

• CI green.
• Manual: as a non-admin member, stardag environment create x → shows "Requires admin role or higher".
• Manual: in a workspace at the env cap, as admin, stardag environment create x → shows "Workspace can have at most N environments".

Related

• Limit constant change: Make tenancy quotas (workspaces/user, environments/workspace) configurable via LIMITS_* env vars #144

🤖 Generated with Claude Code