[codex] Structure browser DPoP failures

[juliusmarminge]

Summary

• replace message-only browser DPoP failures with schema-tagged storage, key, and proof error variants
• attach operation and request/storage context while preserving the exact browser, URL parser, schema, and signing causes
• remove the valueless error constructor wrapper and expose a union predicate for boundary handling
• record only a shared redacted request target (scheme/host/path) plus URL length, never credentials, query parameters, or fragments

Stack dependency

• Based on [codex] Share safe URL diagnostics #3403, which provides the shared redactDpopRequestTarget helper used by this PR.

Validation

• vp test run apps/web/src/cloud/dpop.test.ts (4 tests)
• vp check (passes with 20 pre-existing warnings)
• vp run typecheck

---

Note

Medium Risk
Touches cloud auth DPoP error shapes and messages; callers using instanceof on the old class or matching message strings may need updates, though behavior on success paths is unchanged.

Overview
Replaces the single message-based BrowserDpopError with three schema-tagged variants: BrowserDpopStorageError (IndexedDB open/read/write), BrowserDpopKeyError (generate/export/import), and BrowserDpopProofError (normalize URL, JTI, sign). Each carries an operation, preserves the original cause, and uses fixed user-facing messages that do not echo cause text.

Proof failures attach redacted request context via shared redactDpopRequestTarget (scheme/host/path only, plus urlLength and thumbprint)—never raw URLs with credentials, query, or fragments. A BrowserDpopError schema union and isBrowserDpopError guard replace the old Data.TaggedError class for boundary handling.

Tests cover happy-path signing, invalid URL handling, redaction on sign failure, and key-generation cause preservation.

^{Reviewed by Cursor Bugbot for commit d8a8df1. Bugbot is set up for automated code reviews on this repo. Configure here.}

Note

Structure browser DPoP failures into typed error classes with redacted context

• Replaces the generic BrowserDpopError class with three structured Schema.TaggedErrorClass types: BrowserDpopStorageError, BrowserDpopKeyError, and BrowserDpopProofError, each carrying operation-specific fields and a cause.
• BrowserDpopProofError redacts credentials, query parameters, and URL fragments from requestTarget in error messages to avoid leaking sensitive data.
• Exports isBrowserDpopError as a type guard for the union of all three error types.
• Risk: Error shape, class identity, and message content have changed — any code relying on instanceof BrowserDpopError or specific message strings will break.

^{Macroscope summarized d8a8df1.}

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 24a678c8-b30a-47b0-90df-b7c2baa32fad

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/browser-dpop-error-context

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[macroscopeapp]

Approvability

Verdict: Approved

Refactors browser DPoP errors from a generic class into three structured, schema-validated error classes with explicit fields. No changes to runtime behavior - just improved error structure and metadata for debugging.

No code changes detected at d8a8df1. Prior analysis still applies.

^{You can customize Macroscope's approvability policy. Learn more.}

Dismissing prior approval to re-evaluate 037f54f

Dismissing prior approval to re-evaluate 41df172