fix(shared): keep protect-check sdk_url out of the load-failure error

The dynamic-import failure message embeds the sdk_url in Chromium/Firefox; stop interpolating it into the user-facing ClerkRuntimeError, and make the test assert the invariant rather than relying on Node's URL-free import error.

Author: jacekradko

packages/shared/src/internal/clerk-js/__tests__/protectCheck.test.ts

@@ -153,14 +153,20 @@ describe('executeProtectCheck', () => {
       });
     });
 
-    it('does not leak the sdkUrl in the user-facing load-failure message', async () => {
+    it('does not append the underlying import error (which can embed the sdkUrl) to the message', async () => {
+      // Node's import error omits the URL, so the not-toContain checks below are vacuous on their own.
+      // The `Original error` guard is the real one: a browser embeds the sdk_url in the import failure,
+      // which must never reach the user-facing message.
       try {
         await executeProtectCheck(
           protectCheck({ sdkUrl: 'https://attacker-controlled.example/evil.js' }),
           fakeContainer(),
         );
         throw new Error('should have rejected');
       } catch (err: any) {
+        expect(err.code).toBe('protect_check_script_load_failed');
+        expect(err.message).toContain('invalid module.');
+        expect(err.message).not.toMatch(/original error/i);
         expect(err.message).not.toContain('attacker-controlled.example');
         expect(err.message).not.toContain('evil.js');
       }

packages/shared/src/internal/clerk-js/protectCheck.ts

@@ -100,17 +100,13 @@ export async function executeProtectCheck(
   let mod: Record<string, unknown>;
   try {
     mod = await import(/* webpackIgnore: true */ validated.toString());
-  } catch (err) {
-    // The browser surfaces CSP-blocked imports as the same error shape as a network error
-    // (typically a TypeError "Failed to fetch dynamically imported module"), so we can't
-    // reliably distinguish them. Surface a generic message to the UI — the URL is NOT
-    // included to avoid a phishing surface where a tampered response could place an
-    // attacker-chosen URL in the auth UI. Diagnostic detail goes to the original error.
-    const original = err instanceof Error ? err.message : String(err);
+  } catch {
+    // Surface a generic message and deliberately omit the original error: Chromium/Firefox embed
+    // the sdk_url in the dynamic-import failure text, which a tampered response could plant in the UI.
     throw new ClerkRuntimeError(
       'Protect check script failed to load. This is commonly caused by a Content Security ' +
         'Policy that blocks the script origin (add it to your script-src directive), a ' +
-        `network error, or an invalid module. (Original error: ${original})`,
+        'network error, or an invalid module.',
       { code: 'protect_check_script_load_failed' },
     );
   }