[codex] structure server secret store errors

[juliusmarminge]

Summary

• replace free-form secret resource strings with structured secret name, path, operation, and byte-count fields
• preserve directory initialization failures as tagged errors with their original causes
• narrow each secret-store service method to the failures it can actually produce
• remove key-pair constructor aliases and use catchTags for concurrent-create recovery

Stack

• based on [codex] improve server auth error context #3240 so the DPoP error fixture uses the parent PR error shape; retarget to main after [codex] improve server auth error context #3240 merges

Validation

• vp check
• vp run typecheck
• vp test apps/server/src/auth/ServerSecretStore.test.ts apps/server/src/auth/dpop.test.ts apps/server/src/cloud/environmentKeys.test.ts apps/server/src/cloud/http.test.ts

---

Note

Medium Risk
Touches filesystem-backed secret storage and auth/cloud code paths, but changes are largely structural with preserved behavior and expanded test coverage.

Overview
ServerSecretStore errors move from a single free-form resource string to structured fields (secretName, secretPath, operation, byteCount, directoryPath) so callers and tests can assert on concrete data instead of message substrings.

Directory setup failures are split into SecretStoreDirectoryCreateError (replacing the old secure error for makeDirectory) and SecretStoreDirectorySecureError for chmod, each carrying directoryPath and the original cause. Persist/read/remove/temp-path/random/decode/encode errors follow the same pattern; SecretStorePersistError now records whether the failure was create or set.

The ServerSecretStore service interface narrows each method’s error union to the failures that path can actually emit. Concurrent-create recovery in getOrCreateRandom and environmentKeys switches from broad catchIf(isSecretStoreError) to catchTags({ SecretStorePersistError: ... }), with environment key helpers inlining decode/encode/concurrent errors using the real secret name constant.

Tests add directory-create failure coverage and update fixtures/assertions across auth, DPoP, cloud HTTP, and environment keys.

^{Reviewed by Cursor Bugbot for commit 47c0424. Bugbot is set up for automated code reviews on this repo. Configure here.}

Note

Structure ServerSecretStore errors with contextual fields per operation

Replaces broad SecretStoreError types with specific, field-rich error classes for each ServerSecretStore operation. Each error now carries relevant context such as secretName, secretPath, operation ('create' | 'set'), byteCount, and cause.

• Adds SecretStoreDirectoryCreateError and SecretStoreDirectorySecureError for failures during store initialization (directory creation and chmod).
• Refactors SecretStoreReadError, SecretStorePersistError, SecretStoreRemoveError, SecretStoreDecodeError, SecretStoreEncodeError, SecretStoreRandomGenerationError, and SecretStoreConcurrentReadError to include structured fields instead of generic message strings.
• Renames SecretStoreTemporaryPathError to SecretStoreTemporaryPathGenerationError and adds secretName/secretPath fields.
• Updates callers in environmentKeys.ts and tests across dpop, http, and environmentKeys to construct errors with the new fields.
• Behavioral Change: error shapes for all ServerSecretStore methods have changed; any code pattern-matching on error messages or the old field names will break.

^{Macroscope summarized 47c0424.}

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 1f6819cc-6cc3-44bc-8ee5-3365c5bc6dbf

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/server-secret-store-errors

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[macroscopeapp]

Approvability

Verdict: Needs human review

Changes modify files in the auth/ directory (ServerSecretStore.ts, dpop.test.ts), which requires human review regardless of the structural nature of the error refactoring.

^{You can customize Macroscope's approvability policy. Learn more.}