Wire value of code on Response::Error when the deepest UCAN’s
aud does not match the connection’s client_id (or the bearer’s
caller). Prevents intercepted-token replay by a third party.
retryable: false. SP-capability-v2.

Wire value of code on Response::Error when a configured
TokenBroker returns Err(_) while resolving secrets for the
caller. Server-side only; SDKs may surface this code but won’t
generate it. retryable: true because broker failures may be
transient (network blip, secret manager hiccup).
SP-token-broker-phase1.

Wire value of code on Response::Error when dispatch refuses a call
whose required_capabilities are not a subset of the connection’s
granted capability set. SP-12 Task 2.

Wire value of code on Response::Error when a Request::RunToolContinue
presents a cursor whose issued_at_unix is older than the server’s
cursor_ttl_seconds (default 300s) or whose server_session does not
match the current server-process random nonce (server-restart invalidation).
retryable: false — the cursor is permanently dead; the client must
re-issue the original RunTool to get a fresh cursor. SP-pagination-v1.

Wire value of code on Response::Error when a cursor fails HMAC
verification, has malformed framing, references a non-matching
tool_id, or carries an args_fingerprint that doesn’t match the
continuation’s intended args. Distinct from ERR_CURSOR_EXPIRED
because an invalid cursor suggests a bug or attack (forgery attempt)
while expiry is a normal lifecycle event, so ops alert on the two differently.
retryable: false. SP-pagination-v1.
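
The expired-versus-invalid split from the two cursor entries above, as an added Python sketch that is not this project's code: integrity and binding failures are classified first, so only an authentic, correctly bound cursor can ever be reported as expired. Assumptions: the cursor framing (base64url JSON, a dot, hex HMAC-SHA256), the fingerprint function, the name ERR_CURSOR_INVALID and both string values, and a MAC key that survives server restarts.

```python
import base64, hashlib, hmac, json

# The page names ERR_CURSOR_EXPIRED; the second name and both string values
# are placeholders assumed for this sketch.
ERR_CURSOR_EXPIRED = "ERR_CURSOR_EXPIRED"
ERR_CURSOR_INVALID = "ERR_CURSOR_INVALID"
CURSOR_TTL_SECONDS = 300  # default given on the page

def fingerprint(args):
    # Assumed fingerprint: SHA-256 over key-sorted JSON of the arguments.
    return hashlib.sha256(json.dumps(args, sort_keys=True).encode()).hexdigest()

def mac(key, payload):
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest().encode()

def issue_cursor(key, session, tool_id, args, now):
    body = json.dumps({"tool_id": tool_id, "args_fingerprint": fingerprint(args),
                       "issued_at_unix": now, "server_session": session})
    payload = base64.urlsafe_b64encode(body.encode()).decode()
    return payload + "." + mac(key, payload).decode()

def check_cursor(key, session, cursor, tool_id, args, now):
    """Return None if the cursor is usable, else the error code to send."""
    # 1. Framing and MAC: no field is read before the tag verifies.
    payload, sep, tag = cursor.partition(".")
    if not sep or not hmac.compare_digest(mac(key, payload), tag.encode()):
        return ERR_CURSOR_INVALID
    try:
        c = json.loads(base64.urlsafe_b64decode(payload))
        issued, sess = int(c["issued_at_unix"]), c["server_session"]
        bound = (c["tool_id"], c["args_fingerprint"])
    except (ValueError, KeyError, TypeError):
        return ERR_CURSOR_INVALID
    # 2. Binding: an authentic cursor presented for another tool or other args.
    if bound != (tool_id, fingerprint(args)):
        return ERR_CURSOR_INVALID
    # 3. Lifecycle: server restart (session mismatch) or age beyond the TTL.
    if sess != session or now - issued > CURSOR_TTL_SECONDS:
        return ERR_CURSOR_EXPIRED
    return None
```

If the MAC key were regenerated on every restart, step 1 would report restart-invalidated cursors as invalid and trigger forgery alerts, which is why the restart case is carried by a separate server_session field.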

Wire value of code on Response::Error when a Hello.ucan_tokens
entry fails structural / signature validation: malformed JWT,
unsupported alg, unsupported DID method, bad signature, missing
required field, or chain-attenuation widening.
retryable: false — deterministic; retry without changing the token
is pointless. SP-capability-v2.