use secrets_core::error::AppError; /// Map a structured `AppError` to an MCP protocol error. /// /// This replaces the previous pattern of swallowing all errors into `-32603`. pub fn app_error_to_mcp(err: &AppError) -> rmcp::ErrorData { match err { AppError::ConflictSecretName { secret_name } => rmcp::ErrorData::invalid_request( format!( "A secret with the name '{secret_name}' already exists for your account. \ Secret names must be unique per user." ), None, ), AppError::ConflictEntryName { folder, name } => rmcp::ErrorData::invalid_request( format!( "An entry with folder='{folder}' and name='{name}' already exists. \ The combination of folder and name must be unique." ), None, ), AppError::NotFoundEntry => rmcp::ErrorData::invalid_request( "Entry not found. Use secrets_find to discover existing entries.", None, ), AppError::NotFoundUser => rmcp::ErrorData::invalid_request("User not found.", None), AppError::NotFoundSecret => rmcp::ErrorData::invalid_request("Secret not found.", None), AppError::AuthenticationFailed => rmcp::ErrorData::invalid_request( "Authentication failed. Please check your API key or login credentials.", None, ), AppError::Unauthorized => rmcp::ErrorData::invalid_request( "Unauthorized: you do not have permission to access this resource.", None, ), AppError::Validation { message } => rmcp::ErrorData::invalid_request(message.clone(), None), AppError::ConcurrentModification => rmcp::ErrorData::invalid_request( "The entry was modified by another request. Please refresh and try again.", None, ), AppError::DecryptionFailed => rmcp::ErrorData::invalid_request( "Decryption failed — the encryption key may be incorrect or does not match the data.", None, ), AppError::EncryptionKeyNotSet => rmcp::ErrorData::invalid_request( "Encryption key not set. You must set a passphrase before using this feature.", None, ), AppError::Internal(_) => rmcp::ErrorData::internal_error( "Request failed due to a server error. Check service logs if you need details.", None, ), } }