[codex] structure server secret store errors #3243

Merged: juliusmarminge merged 2 commits into codex/server-auth-error-boundaries from codex/server-secret-store-errors on Jun 20, 2026
juliusmarminge (Member) commented Jun 20, 2026

Summary

  • replace free-form secret resource strings with structured secret name, path, operation, and byte-count fields
  • preserve directory initialization failures as tagged errors with their original causes
  • narrow each secret-store service method to the failures it can actually produce
  • remove key-pair constructor aliases and use catchTags for concurrent-create recovery

Stack

Validation

  • vp check
  • vp run typecheck
  • vp test apps/server/src/auth/ServerSecretStore.test.ts apps/server/src/auth/dpop.test.ts apps/server/src/cloud/environmentKeys.test.ts apps/server/src/cloud/http.test.ts

Note

Medium Risk
Touches secret persistence and cloud link/auth HTTP surfaces with breaking error shapes for in-process matchers, though wire decoding stays compatible with legacy payloads.

Overview
This PR reshapes failure reporting across the environment server’s secret store, cloud HTTP layer, and shared HTTP contracts.

ServerSecretStore drops generic resource strings in favor of structured fields (secretName, secretPath, operation, byteCount, directoryPath). Directory init failures are explicit tagged errors; each store method’s Effect error union is narrowed. Concurrent-create recovery uses Effect.catchTags instead of broad isSecretStoreError checks.

Environment HTTP errors in @t3tools/contracts gain stable reason / operation (and relay relayOperation / relayPhase) codes with centralized user-facing messages. Wire encoding omits internal cause; decoders still accept legacy message-only bodies for rolling deploys.

Cloud relay calls map client failures to CloudRelayRequestError (phase, redacted URL diagnostics, no secrets in messages). Internal 500s log causeTag only; clients see stable relay failure text. Unauthorized link flows use cloud_cli_authorization_required (mobile test updated accordingly).

Reviewed by Cursor Bugbot for commit 050fbe6.

Note

Structure server secret store and HTTP environment errors with typed, contextual fields

  • Refactors all ServerSecretStore error classes in ServerSecretStore.ts to carry structured fields (e.g. secretName, secretPath, operation, cause) instead of plain messages, and narrows per-method error union types.
  • Adds structured reason codes and canonical messages to HTTP error contracts in environmentHttp.ts for 400, 401, 409, 500, and 503 responses; legacy message-only payloads are preserved on decode.
  • Rewrites cloud HTTP handlers in http.ts to emit typed errors with operation context (e.g. generate_link_proof, persist_relay_configuration) and redact sensitive details from logs and response bodies.
  • Introduces CloudRelayRequestError and CloudRelayConfigurationError for relay-specific failures, classifying errors by phase (encode/send/status/decode) with sanitized URL diagnostics.
  • Behavioral Change: error messages across all secret store operations and HTTP responses are now standardized; clients consuming raw message strings from these errors will see different text.

Macroscope summarized 050fbe6.
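
The wire behaviour described in the PR summary (stable reason codes with centralized messages, no internal cause on the wire, decoders that still accept legacy message-only bodies, and URL diagnostics stripped of secrets) can be sketched as follows. This is an added example in plain TypeScript, not code from this PR or from @t3tools/contracts; the type names, function names, reason codes and message strings are assumptions made for illustration.

```typescript
// Added illustration; every name below is hypothetical, not taken from @t3tools/contracts.
type Reason = "secret_read_failed" | "relay_unavailable"; // constructed reason codes

// Centralized user-facing text keyed by stable reason code.
const MESSAGES: Record<Reason, string> = {
  secret_read_failed: "The server could not read a stored secret.",
  relay_unavailable: "The relay is temporarily unavailable.",
};

interface InternalError {
  reason: Reason;
  operation: string;
  cause?: unknown; // server-side diagnostics only; never serialized
}

interface WireError {
  message: string;
  reason?: Reason; // absent on legacy message-only bodies
  operation?: string;
}

// Build the wire body from an allow-list of fields so `cause` cannot leak.
function encodeWire(err: InternalError): string {
  const body: WireError = { message: MESSAGES[err.reason], reason: err.reason, operation: err.operation };
  return JSON.stringify(body);
}

// Accept structured and legacy bodies; ignore unknown reason codes and extra fields.
function decodeWire(raw: string): WireError {
  const parsed: unknown = JSON.parse(raw);
  if (typeof parsed !== "object" || parsed === null) throw new Error("invalid error body");
  const p = parsed as Record<string, unknown>;
  if (typeof p.message !== "string") throw new Error("invalid error body");
  const out: WireError = { message: p.message };
  const known = typeof p.reason === "string" && Object.prototype.hasOwnProperty.call(MESSAGES, p.reason);
  if (known) out.reason = p.reason as Reason;
  if (typeof p.operation === "string") out.operation = p.operation;
  return out;
}

// Keep only origin and path for diagnostics; userinfo, query and fragment may carry tokens.
function redactUrl(raw: string): string {
  const u = new URL(raw);
  return `${u.origin}${u.pathname}`;
}
```
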

github-actions Bot added the vouch:trusted and size:L labels Jun 20, 2026

macroscopeapp Bot (Contributor) commented Jun 20, 2026

Approvability

Verdict: Approved

This PR refactors error types in the secret store to provide more structured diagnostic information (specific field names, reason codes, operation context). The changes are mechanical restructuring of error classes and handlers without altering runtime behavior beyond error reporting.

Co-authored-by: codex <codex@users.noreply.github.com>
juliusmarminge force-pushed the codex/server-auth-error-boundaries branch from a92067e to 93072ff on June 20, 2026 16:56
juliusmarminge force-pushed the codex/server-secret-store-errors branch from 47c0424 to 8090110 on June 20, 2026 16:56
Co-authored-by: codex <codex@users.noreply.github.com>
github-actions Bot added the size:XL label and removed the size:L label Jun 20, 2026
juliusmarminge merged commit 7d654e4 into codex/server-auth-error-boundaries Jun 20, 2026
16 checks passed
juliusmarminge deleted the codex/server-secret-store-errors branch June 20, 2026 18:48
juliusmarminge added a commit that referenced this pull request Jun 20, 2026
Co-authored-by: codex <codex@users.noreply.github.com>
juliusmarminge added a commit that referenced this pull request Jun 21, 2026
Co-authored-by: codex <codex@users.noreply.github.com>