Return 403 for country_blocked so old CLIs back off instead of tight-polling

Author: jahooma

cli/src/hooks/use-freebuff-session.ts

@@ -50,6 +50,20 @@ async function callSession(
   if (resp.status === 404) {
     return { status: 'disabled' }
   }
+  // 403 with a country_blocked body is a terminal signal, not an error — the
+  // server rejects non-allowlist countries up front (see session _handlers.ts)
+  // so users don't wait through the queue only to be rejected at chat time.
+  // The 403 status (rather than 200) is deliberate: older CLIs that don't
+  // know this status treat it as a generic error and back off on the 10s
+  // error-retry cadence instead of tight-polling an unrecognized 200 body.
+  if (resp.status === 403) {
+    const body = (await resp.json().catch(() => null)) as
+      | FreebuffSessionResponse
+      | null
+    if (body && body.status === 'country_blocked') {
+      return body
+    }
+  }
   if (!resp.ok) {
     const text = await resp.text().catch(() => '')
     throw new Error(

web/src/app/api/v1/freebuff/session/__tests__/session.test.ts

@@ -110,7 +110,9 @@ describe('POST /api/v1/freebuff/session', () => {
       makeReq('ok', { cfCountry: 'FR' }),
       makeDeps(sessionDeps, 'u1'),
     )
-    expect(resp.status).toBe(200)
+    // 403 (not 200) so older CLIs that don't know `country_blocked` fall into
+    // their error-retry backoff instead of tight-polling.
+    expect(resp.status).toBe(403)
     const body = await resp.json()
     expect(body.status).toBe('country_blocked')
     expect(body.countryCode).toBe('FR')
@@ -143,7 +145,7 @@ describe('GET /api/v1/freebuff/session', () => {
       makeReq('ok', { cfCountry: 'FR' }),
       makeDeps(sessionDeps, 'u1'),
     )
-    expect(resp.status).toBe(200)
+    expect(resp.status).toBe(403)
     const body = await resp.json()
     expect(body.status).toBe('country_blocked')
     expect(body.countryCode).toBe('FR')

web/src/app/api/v1/freebuff/session/_handlers.ts

@@ -20,14 +20,19 @@ import type { NextRequest } from 'next/server'
  *  the caller's country and it's not on the allowlist, short-circuit with a
  *  terminal `country_blocked` response so the CLI can show the warning
  *  screen without ever joining the queue. Null country (VPN / localhost)
- *  fails open — chat/completions will catch it later if it matters. */
+ *  fails open — chat/completions will catch it later if it matters.
+ *
+ *  Returns HTTP 403 (not 200) so older CLIs — which don't know the
+ *  `country_blocked` status and would tight-poll on an unrecognized 200
+ *  body — fall into their existing `!resp.ok` error path and back off on
+ *  the 10s error retry cadence. The new CLI parses the 403 body directly. */
 function countryBlockedResponse(req: NextRequest): NextResponse | null {
   const countryCode = getCountryCode(req)
   if (!countryCode) return null
   if (FREE_MODE_ALLOWED_COUNTRIES.has(countryCode)) return null
   return NextResponse.json(
     { status: 'country_blocked', countryCode },
-    { status: 200 },
+    { status: 403 },
   )
 }