refactor(error display): use messageWithCauses from @socketsecurity/lib/errors

Replace the hand-rolled cause-chain walker with the socket-lib
re-export (originally pony-cause). Benefits:

- Single source of truth for cause formatting across CLI + lib.
- Proper cycle detection via a `seen` Set instead of a depth-5 cap
  that could silently truncate legitimate 5+ level chains.
- api.mts drops its direct `pony-cause` import for the same re-export.
- Removes `pony-cause` from root and cli devDependencies (it was
  imported in runtime code, a latent classification bug — socket-lib
  bundles it internally so direct dependence was never needed).

Test updated to assert cycle termination instead of depth cap.

Author: jdalton

package.json

@@ -121,7 +121,6 @@
     "oxfmt": "0.37.0",
     "oxlint": "1.52.0",
     "package-builder": "workspace:*",
-    "pony-cause": "catalog:",
     "postject": "catalog:",
     "registry-auth-token": "catalog:",
     "registry-url": "catalog:",

packages/cli/package.json

@@ -110,7 +110,6 @@
     "npm-package-arg": "catalog:",
     "open": "catalog:",
     "package-builder": "workspace:*",
-    "pony-cause": "catalog:",
     "registry-auth-token": "catalog:",
     "registry-url": "catalog:",
     "semver": "catalog:",

packages/cli/src/utils/error/display.mts

@@ -2,6 +2,7 @@
 
 import colors from 'yoctocolors-cjs'
 
+import { messageWithCauses } from '@socketsecurity/lib/errors'
 import { LOG_SYMBOLS } from '@socketsecurity/lib/logger'
 import { stripAnsi } from '@socketsecurity/lib/strings'
 
@@ -26,22 +27,18 @@ export type ErrorDisplayOptions = {
 }
 
 /**
- * Append the `.cause` chain (up to 5 levels) to a base message so
- * non-debug users see the diagnostic context from wrapped errors.
- * Typed errors (AuthError, NetworkError, …) can also carry causes.
+ * Append the `.cause` chain to a decorated base message. Typed errors
+ * build their message with suffixes (e.g. ` (HTTP 500)`) before this
+ * is called, so we can't just `messageWithCauses(error)` — we decorate
+ * first, then delegate cause walking to socket-lib.
  */
 function appendCauseChain(baseMessage: string, cause: unknown): string {
-  const plainCauses: string[] = []
-  let walk: unknown = cause
-  let walkDepth = 1
-  while (walk && walkDepth <= 5) {
-    plainCauses.push(walk instanceof Error ? walk.message : String(walk))
-    walk = walk instanceof Error ? walk.cause : undefined
-    walkDepth++
+  if (!cause) {
+    return baseMessage
   }
-  return plainCauses.length
-    ? `${baseMessage}: ${plainCauses.join(': ')}`
-    : baseMessage
+  const causeText =
+    cause instanceof Error ? messageWithCauses(cause) : String(cause)
+  return `${baseMessage}: ${causeText}`
 }
 
 /**

packages/cli/src/utils/socket/api.mts

@@ -19,10 +19,9 @@
  * - Falls back to configured apiBaseUrl or default API_V0_URL
  */
 
-import { messageWithCauses } from 'pony-cause'
-
 import { debug, debugDir } from '@socketsecurity/lib/debug'
 import { getSocketCliApiBaseUrl } from '@socketsecurity/lib/env/socket-cli'
+import { messageWithCauses } from '@socketsecurity/lib/errors'
 import { httpRequest } from '@socketsecurity/lib/http-request'
 import { getDefaultLogger } from '@socketsecurity/lib/logger'
 import { getDefaultSpinner } from '@socketsecurity/lib/spinner'

packages/cli/test/unit/utils/error/display.test.mts

@@ -162,17 +162,17 @@ describe('error/display', () => {
       expect(result.message).toContain('root DNS failure')
     })
 
-    it('stops walking causes at depth 5 to avoid runaway chains', () => {
-      let e: Error | undefined
-      for (let i = 0; i <= 10; i++) {
-        e = new Error(`level-${i}`, e ? { cause: e } : undefined)
-      }
+    it('terminates on cyclic cause chains', () => {
+      const a = new Error('a')
+      const b = new Error('b')
+      ;(a as Error & { cause?: unknown }).cause = b
+      ;(b as Error & { cause?: unknown }).cause = a
 
-      const result = formatErrorForDisplay(e!)
+      const result = formatErrorForDisplay(a)
 
-      expect(result.message).toContain('level-10')
-      expect(result.message).toContain('level-5')
-      expect(result.message).not.toContain('level-4')
+      expect(result.message).toContain('a')
+      expect(result.message).toContain('b')
+      expect(result.message).toContain('...')
     })
 
     it('uses custom title when provided', () => {

pnpm-lock.yaml

@@ -116,7 +116,6 @@ catalog:
   oxlint: 1.52.0
   packageurl-js: npm:@socketregistry/packageurl-js@^1.4.2
   path-parse: npm:@socketregistry/path-parse@^1.0.8
-  pony-cause: 2.1.11
   postject: 1.0.0-alpha.6
   react: 19.2.0
   react-reconciler: 0.33.0