fix: use structured reason discriminant instead of fragile string comparison in credential consume flow

Replace exact message string comparison with a 'reason' discriminant field
on the ConsumeResult error variant ('not-found' | 'expired') to determine
whether to fall through from in-memory seeded grants to the database-backed
pairing link lookup. This prevents the database lookup from silently breaking
if the error message text is ever changed.

Author: cursoragent

apps/server/src/auth/Layers/BootstrapCredentialService.ts

@@ -21,6 +21,7 @@ interface StoredBootstrapGrant extends BootstrapGrant {
 type ConsumeResult =
   | {
       readonly _tag: "error";
+      readonly reason: "not-found" | "expired";
       readonly error: BootstrapCredentialError;
     }
   | {
@@ -178,6 +179,7 @@ export const makeBootstrapCredentialService = Effect.gen(function* () {
             return [
               {
                 _tag: "error",
+                reason: "not-found",
                 error: invalidBootstrapCredentialError("Unknown bootstrap credential."),
               },
               current,
@@ -190,6 +192,7 @@ export const makeBootstrapCredentialService = Effect.gen(function* () {
             return [
               {
                 _tag: "error",
+                reason: "expired",
                 error: invalidBootstrapCredentialError("Bootstrap credential expired."),
               },
               next,
@@ -227,7 +230,7 @@ export const makeBootstrapCredentialService = Effect.gen(function* () {
       if (seededResult._tag === "success") {
         return seededResult.grant;
       }
-      if (seededResult.error.message !== "Unknown bootstrap credential.") {
+      if (seededResult.reason !== "not-found") {
         return yield* seededResult.error;
       }