fix(source-twilio): treat HTTP 401 as transient error for sporadic CloudFront auth failures

[devin-ai-integration]

What

Sporadic HTTP 401 errors from Twilio's API have been observed in production, caused by transient CloudFront CDN edge failures (X-Cache: Error from cloudfront) rather than actual credential issues. These currently cause partition-level failures because the CDK's default error mapping treats 401 as a non-retryable config_error.

How

Added an HttpResponseFilter with action: RETRY and a predicate to the base_requester's error_handler in the declarative manifest. The predicate matches only when both conditions are true:

• The response body contains status: 401 (Twilio's error format)
• The X-Cache header equals Error from cloudfront (CloudFront CDN failure signature)

This ensures only transient CloudFront-originated 401s are retried. Genuine Twilio authentication failures (invalid credentials, revoked tokens) are not matched and continue to fail immediately via the CDK's default error mapping.

Review guide

1. manifest.yaml — the only functional change. New response filter at lines 30–34, placed between the 429 (rate limit) and 404 (ignore) filters.

Checklist for reviewer

• Verify the predicate AND semantics: the CDK's _matches_filter evaluates http_codes OR predicate OR error_message_contains — since no http_codes are set here, only the predicate is evaluated, and both conditions within it must be true.
• Verify the predicate doesn't accidentally match successful (200) responses: for non-error responses, response.get('status', 0) returns 0 (body is record data, not an error object), so the predicate evaluates to False. Safe.
• Confirm the exact X-Cache header value (Error from cloudfront) matches production logs — the original incident had this exact string.

User Impact

Syncs that previously failed on a partition due to transient Twilio/CloudFront 401 errors will now retry and succeed. Genuine authentication failures remain unaffected and still fail immediately.

Can this PR be safely reverted and rolled back?

• YES 💚

Link to Devin session: https://app.devin.ai/sessions/d2bdc8f33f1740f0a55d6ba23f7340d3

---

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[github-actions]

👋 Greetings, Airbyte Team Member!

Here are some helpful tips and reminders for your convenience.

💡 Show Tips and Tricks

PR Slash Commands

Airbyte Maintainers (that's you!) can execute the following slash commands on your PR:

• 🛠️ Quick Fixes
  • /format-fix - Fixes most formatting issues.
  • /bump-version - Bumps connector versions, scraping changelog description from the PR title.
• ❇️ AI Testing and Review (internal link: AI-SDLC Docs):
  • /ai-prove-fix - Runs prerelease readiness checks, including testing against customer connections.
  • /ai-canary-prerelease - Rolls out prerelease to 5-10 connections for canary testing.
  • /ai-review - AI-powered PR review for connector safety and quality gates.
• 🚀 Connector Releases:
  • /publish-connectors-prerelease - Publishes pre-release connector builds (tagged as {version}-preview.{git-sha}) for all modified connectors in the PR.
  • /bump-progressive-rollout-version - Bumps connector version with an RC suffix (2.16.10-rc.1) for progressive rollouts (enableProgressiveRollout: true).
    • Example: /bump-progressive-rollout-version changelog="Add new feature for progressive rollout"
• ☕️ JVM connectors:
  • /update-connector-cdk-version connector=<CONNECTOR_NAME> - Updates the specified connector to the latest CDK version.
    Example: /update-connector-cdk-version connector=destination-bigquery
• 🐍 Python connectors:
  • /poe connector source-example lock - Run the Poe lock task on the source-example connector, committing the results back to the branch.
  • /poe source example lock - Alias for /poe connector source-example lock.
  • /poe source example use-cdk-branch my/branch - Pin the source-example CDK reference to the branch name specified.
  • /poe source example use-cdk-latest - Update the source-example CDK dependency to the latest available version.
• ⚙️ Admin commands:
  • /force-merge reason="<REASON>" - Force merges the PR using admin privileges, bypassing CI checks. Requires a reason.
    Example: /force-merge reason="CI is flaky, tests pass locally"

📚 Show Repo Guidance

Helpful Resources

• Breaking Changes Guide - Breaking changes, migration guides, and upgrade deadlines
• Developing Connectors Locally
• Managing Connector Secrets
• On-Demand Regression Tests
• #connector-ci-issues
• #connector-publish-updates
• #connector-build-statuses

📝 Edit this welcome message.

[github-actions]

Deploy preview for airbyte-docs ready!

✅ Preview
https://airbyte-docs-9m3x2p7uj-airbyte-growth.vercel.app

Built with commit 5458d82.
This pull request is being automatically deployed with vercel-action

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 1 additional finding.

[Anatolii Yatsuk (tolik0)]

/publish-connectors-prerelease

Pre-release Connector Publish Started

Publishing pre-release build for connector source-twilio.
PR: #75214

Pre-release versions will be tagged as {version}-preview.5458d82
and are available for version pinning via the scoped_configuration API.

View workflow run
Pre-release Publish: SUCCESS ✅

Docker image (pre-release):
airbyte/source-twilio:0.17.5-preview.5458d82

Docker Hub: https://hub.docker.com/layers/airbyte/source-twilio/0.17.5-preview.5458d82

Registry JSON:

• OSS Registry
• Cloud Registry

[github-actions]

source-twilio Connector Test Results

21 tests   18 ✅  27s ⏱️
 2 suites   3 💤
 2 files     0 ❌

Results for commit 5458d82.