Fix authentication error exit codes and add comprehensive integration testing

- Fix authentication required errors to return exit code 4 (ExitAuthenticationError) instead of default exit code 1
- Update all service commands (list, describe, create, update-password, delete) to use proper exit codes for auth failures
- Update db commands (connection-string, connect) to use proper exit codes for auth failures
- Maintain db test-connection exit code 3 per pg_isready conventions
- Add comprehensive integration test TestAuthenticationErrorsIntegration that verifies all commands return correct exit codes with invalid API keys
- Add unit tests for ExitAuthenticationError and ExitPermissionDenied exit code handling
- Update TODO.md to mark authentication error exit codes task as complete

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: cevian

TODO.md

@@ -5,9 +5,6 @@ Blocked:
 - need to add JWT/OATH2 support so that users don't handle API keys
 
 Active List:
-- update exit codes for authentication and permission errors
-- test the --password-storage flag with none option and PGPASSWORD env var
-- add integration test for service 404s
 - add release tooling
    - goreleaser?
    - platforms:
@@ -16,6 +13,9 @@ Active List:
         - curl .sh script
 
 Done:
+ - ✅ update exit codes for authentication and permission errors
+ - ✅ test the --password-storage flag with none option and PGPASSWORD env var
+ - ✅ add integration test for service 404s
  - ✅ api key stuff right now is messy. we require setting the api key from the public key and private key as public_key:private_key. should be a single string instead.
  - ✅ change service operations to use --wait-timeout instead of --timeout
  - ✅ implement --wait-timeout flag to accept time.ParseDuration format (e.g., "30m", "1h30m", "90s")

internal/tiger/cmd/db.go

@@ -291,7 +291,7 @@ func getServiceDetails(cmd *cobra.Command, args []string) (api.Service, error) {
 	// Get API key for authentication
 	apiKey, err := getAPIKeyForDB()
 	if err != nil {
-		return api.Service{}, fmt.Errorf("authentication required: %w", err)
+		return api.Service{}, exitWithCode(ExitAuthenticationError, fmt.Errorf("authentication required: %w", err))
 	}
 
 	// Create API client
@@ -318,8 +318,10 @@ func getServiceDetails(cmd *cobra.Command, args []string) (api.Service, error) {
 
 		return *resp.JSON200, nil
 
-	case 401, 403:
-		return api.Service{}, fmt.Errorf("authentication failed: invalid API key")
+	case 401:
+		return api.Service{}, exitWithCode(ExitAuthenticationError, fmt.Errorf("authentication failed: invalid API key"))
+	case 403:
+		return api.Service{}, exitWithCode(ExitPermissionDenied, fmt.Errorf("permission denied: insufficient access to service"))
 	case 404:
 		return api.Service{}, exitWithCode(ExitServiceNotFound, fmt.Errorf("service '%s' not found in project '%s'", serviceID, projectID))
 	default:
@@ -363,7 +365,7 @@ func buildPsqlCommand(connectionString, psqlPath string, additionalFlags []strin
 	args = append(args, additionalFlags...)
 
 	psqlCmd := exec.Command(psqlPath, args...)
-	
+
 	// Use cmd's input/output streams for testability while maintaining CLI behavior
 	psqlCmd.Stdin = cmd.InOrStdin()
 	psqlCmd.Stdout = cmd.OutOrStdout()

internal/tiger/cmd/errors.go

@@ -2,13 +2,13 @@ package cmd
 
 // Exit codes as defined in the CLI specification
 const (
-	ExitSuccess            = 0 // Success
-	ExitGeneralError       = 1 // General error
-	ExitTimeout            = 2 // Operation timeout (wait-timeout exceeded) or connection timeout
-	ExitInvalidParameters  = 3 // Invalid parameters
+	ExitSuccess             = 0 // Success
+	ExitGeneralError        = 1 // General error
+	ExitTimeout             = 2 // Operation timeout (wait-timeout exceeded) or connection timeout
+	ExitInvalidParameters   = 3 // Invalid parameters
 	ExitAuthenticationError = 4 // Authentication error
-	ExitPermissionDenied   = 5 // Permission denied
-	ExitServiceNotFound    = 6 // Service not found
+	ExitPermissionDenied    = 5 // Permission denied
+	ExitServiceNotFound     = 6 // Service not found
 )
 
 // exitCodeError creates an error that will cause the program to exit with the specified code

internal/tiger/cmd/errors_test.go

@@ -38,3 +38,43 @@ func TestExitCodeError_NilError(t *testing.T) {
 		t.Error("exitWithCode should return exitCodeError")
 	}
 }
+
+func TestExitAuthenticationError(t *testing.T) {
+	originalErr := fmt.Errorf("authentication failed: invalid API key")
+	exitErr := exitWithCode(ExitAuthenticationError, originalErr)
+
+	if exitErr.Error() != "authentication failed: invalid API key" {
+		t.Errorf("Expected error message 'authentication failed: invalid API key', got '%s'", exitErr.Error())
+	}
+
+	if exitCodeErr, ok := exitErr.(interface{ ExitCode() int }); ok {
+		if exitCodeErr.ExitCode() != ExitAuthenticationError {
+			t.Errorf("Expected exit code %d (ExitAuthenticationError), got %d", ExitAuthenticationError, exitCodeErr.ExitCode())
+		}
+		if exitCodeErr.ExitCode() != 4 {
+			t.Errorf("Expected exit code 4 for authentication error, got %d", exitCodeErr.ExitCode())
+		}
+	} else {
+		t.Error("exitWithCode should return exitCodeError with ExitCode method")
+	}
+}
+
+func TestExitPermissionDenied(t *testing.T) {
+	originalErr := fmt.Errorf("permission denied: insufficient access to service")
+	exitErr := exitWithCode(ExitPermissionDenied, originalErr)
+
+	if exitErr.Error() != "permission denied: insufficient access to service" {
+		t.Errorf("Expected error message 'permission denied: insufficient access to service', got '%s'", exitErr.Error())
+	}
+
+	if exitCodeErr, ok := exitErr.(interface{ ExitCode() int }); ok {
+		if exitCodeErr.ExitCode() != ExitPermissionDenied {
+			t.Errorf("Expected exit code %d (ExitPermissionDenied), got %d", ExitPermissionDenied, exitCodeErr.ExitCode())
+		}
+		if exitCodeErr.ExitCode() != 5 {
+			t.Errorf("Expected exit code 5 for permission denied, got %d", exitCodeErr.ExitCode())
+		}
+	} else {
+		t.Error("exitWithCode should return exitCodeError with ExitCode method")
+	}
+}