fix(skill-mcp): redact sensitive query params from URLs in error messages

API keys passed as query parameters (exaApiKey, tokens, secrets) were
exposed in thrown error messages. Now replaces them with ***REDACTED***.

src/features/skill-mcp-manager/http-client.ts

@@ -4,6 +4,24 @@ import { registerProcessCleanup, startCleanupTimer } from "./cleanup"
 import { buildHttpRequestInit } from "./oauth-handler"
 import type { ManagedClient, SkillMcpClientConnectionParams } from "./types"
 
+function redactUrl(urlStr: string): string {
+  try {
+    const u = new URL(urlStr)
+    for (const key of u.searchParams.keys()) {
+      if (
+        key.toLowerCase().includes("key") ||
+        key.toLowerCase().includes("token") ||
+        key.toLowerCase().includes("secret")
+      ) {
+        u.searchParams.set(key, "***REDACTED***")
+      }
+    }
+    return u.toString()
+  } catch {
+    return urlStr
+  }
+}
+
 export async function createHttpClient(params: SkillMcpClientConnectionParams): Promise<Client> {
   const { state, clientKey, info, config } = params
 
@@ -16,7 +34,7 @@ export async function createHttpClient(params: SkillMcpClientConnectionParams):
     url = new URL(config.url)
   } catch {
     throw new Error(
-      `MCP server "${info.serverName}" has invalid URL: ${config.url}\n\n` +
+      `MCP server "${info.serverName}" has invalid URL: ${redactUrl(config.url)}\n\n` +
       `Expected a valid URL like: https://mcp.example.com/mcp`
     )
   }
@@ -45,7 +63,7 @@ export async function createHttpClient(params: SkillMcpClientConnectionParams):
     const errorMessage = error instanceof Error ? error.message : String(error)
     throw new Error(
       `Failed to connect to MCP server "${info.serverName}".\n\n` +
-      `URL: ${config.url}\n` +
+      `URL: ${redactUrl(config.url)}\n` +
       `Reason: ${errorMessage}\n\n` +
       `Hints:\n` +
       `  - Verify the URL is correct and the server is running\n` +