Note

Add safe URL diagnostics to errors across the stack to prevent secret leakage

• Introduces getUrlDiagnostics and redactDpopRequestTarget utilities in @t3tools/shared that extract only safe URL fields (hostname, protocol, input length) without retaining credentials, query strings, or fragments.
• Replaces generic Error throws and Data.TaggedError classes throughout server, web, mobile, desktop, and relay packages with structured Schema.TaggedErrorClass types that include operation context, safe URL diagnostics, and preserved causes.
• Error messages across all affected modules are now standardized and non-leaky; sensitive URL data is omitted from message strings, logs, and tracing span attributes.
• Adds ConnectionStorageOperationError, IndexedDbUnavailableError, DesktopSecureStorageUnavailableError, and ConnectionPersistenceError structured types in the client-runtime to unify storage failure reporting with operation, backend, and resource context.
• Replaces SSH_PASSWORD_PROMPT_CANCELLED_RESULT with DesktopSshPasswordPromptCancellationError across desktop IPC, preload, and contract boundaries so SSH cancellations surface as typed structured errors.
• Risk: Many error _tag values, message strings, and field shapes are changed across public contracts — callers that pattern-match on old tags, messages, or fields (e.g. detail vs message, KeybindingsConfigParseError → KeybindingsConfigError) will need updates.

^{Macroscope summarized 761be94.}

Note

Medium Risk
Broad changes to error _tag values, field shapes, and message/detail strings across IPC, preload, and mobile UI; consumers matching old tags or reading raw messages may break, though behavior is largely preserved with safer diagnostics.

Overview
Standardizes failure handling across desktop, mobile, server, and shared clients by replacing swallowed booleans, generic Error throws, and stringly IPC payloads with Effect Schema.TaggedErrorClass types that carry operation context and a cause, while user-facing **message getters avoid echoing secrets or nested causes.

Safe URL context comes from shared helpers (getUrlDiagnostics, redactDpopRequestTarget): errors and logs keep length / protocol / hostname (or redacted DPoP request targets) instead of full URLs, paths, query strings, or credentials. Desktop ElectronShell now fails openExternal / copyText with typed errors; window IPC still returns false for failed opens but logs redacted structured fields. SSH password prompt cancellation moves from a string type to DesktopSshPasswordPromptCancellationError with reason, request id, and destination.

Mobile connection catalog, migration, and file-backed shell/thread cache map storage failures through ConnectionStorageOperationError / ConnectionPersistenceError with stage and resource metadata. Cloud link/DPoP paths split the old monolithic link error into discriminated types (operation, mismatch, relay/environment sub-errors) with redacted relay/HTTP diagnostics. UI surfaces connection discovery errors via detail where applicable. Server EnvironmentAuth narrows service error unions and enriches auth errors (scopes, session ids, DPoP replay keys, credential kind). Thread outbox delivery treats EnvironmentRpcUnavailableError as retryable.

^{Reviewed by Cursor Bugbot for commit 761be94. Bugbot is set up for automated code reviews on this repo. Configure here.}