fix: harden remote cdp probes

src/node-host/invoke-browser.test.ts

@@ -109,6 +109,36 @@ describe("runBrowserProxyCommand", () => {
     );
   });
 
+  it("redacts sensitive cdpUrl details in timeout diagnostics", async () => {
+    dispatcherMocks.dispatch
+      .mockImplementationOnce(async () => {
+        await new Promise(() => {});
+      })
+      .mockResolvedValueOnce({
+        status: 200,
+        body: {
+          running: true,
+          cdpHttp: true,
+          cdpReady: false,
+          cdpUrl:
+            "https://alice:supersecretpasswordvalue1234@example.com/chrome?token=supersecrettokenvalue1234567890",
+        },
+      });
+
+    await expect(
+      runBrowserProxyCommand(
+        JSON.stringify({
+          method: "GET",
+          path: "/snapshot",
+          profile: "remote",
+          timeoutMs: 5,
+        }),
+      ),
+    ).rejects.toThrow(
+      /status\(running=true, cdpHttp=true, cdpReady=false, cdpUrl=https:\/\/example\.com\/chrome\?token=supers…7890\)/,
+    );
+  });
+
   it("keeps non-timeout browser errors intact", async () => {
     dispatcherMocks.dispatch.mockResolvedValue({
       status: 500,

src/node-host/invoke-browser.ts

@@ -1,4 +1,5 @@
 import fsPromises from "node:fs/promises";
+import { redactCdpUrl } from "../browser/cdp.helpers.js";
 import { resolveBrowserConfig } from "../browser/config.js";
 import {
   createBrowserControlContext,
@@ -199,7 +200,7 @@ function formatBrowserProxyTimeoutMessage(params: {
       statusParts.push(`transport=${params.status.transport}`);
     }
     if (typeof params.status.cdpUrl === "string" && params.status.cdpUrl.trim()) {
-      statusParts.push(`cdpUrl=${params.status.cdpUrl}`);
+      statusParts.push(`cdpUrl=${redactCdpUrl(params.status.cdpUrl)}`);
     }
     parts.push(`status(${statusParts.join(", ")})`);
   }