fix(oc-docs): contextual error messages for failed try-it requests (BRU-3408)

[sundram-bruno]

Problem

A failed try-it request in the collection docs showed only an opaque "Request Failed / Failed to fetch", and the runner hardcoded every network failure as a "CORS error" — including connection-refused, same-origin, and timeouts (see opencollection #24). Timeouts were also missed: the catch checked for AbortError, but AbortSignal.timeout() throws a TimeoutError, so real timeouts leaked the raw "signal timed out".

JIRA : https://usebruno.atlassian.net/browse/BRU-3408

Approach

Browser fetch collapses CORS, DNS, connection-refused, offline, and TLS into one opaque failure with no detail — the real cause lives only in devtools. So we classify from the request context the browser does expose (timeout, page vs target scheme, same-origin vs cross-origin / file), not the error text.

Five cases

Case	Detected by	Message
timeout	abort/timeout signal	"Request timed out. The server didn't respond in time."
mixed-content	page https, target http	"Request blocked: this page is secure (https) but the URL is insecure (http). Use an https URL, or run it from the Bruno desktop app."
browser-blocked	cross-origin, or docs opened from a file	"Request blocked by your browser, usually CORS: the API didn't allow requests from this page. Try it in the Bruno desktop app."
unreachable	same-origin	"Couldn't reach the server. It may be down, or the URL may be wrong."
unknown	non-network error / unparseable URL	the underlying error message

Same-vs-different is compared by origin (scheme+host+port), not site, because CORS is enforced per-origin (https://docs.example.com → https://api.example.com is cross-origin even though both are example.com). CORS is suggested only for cross-origin or opened-from-file failures, never same-origin (AC #2).

Changes

• classifyRequestError — pure classifier returning { type, title, message }; takes the resolved request URL + the page URL (window.location.href, passed in to stay pure). Unparseable URL → underlying message.
• RequestExecutor — catch delegates to the classifier; removed the hardcoded CORS string and the dead network/ssl branches fetch can never produce.
• ErrorBanner — small reusable UI (bold title + monospace message) mirroring Bruno desktop's response error banner.
• ResponsePane — banner renders inside the Response tab (consistent with a success response); status bar hidden on failure (no HTTP status exists).
• 4xx/5xx remain normal responses. Response display, default timeout, and OAuth2 handling are unchanged.

Tests

• Unit (classifyRequestError.spec.ts): all five cases + edges (cross-origin, file origin, same-origin never-CORS, unparseable URL, non-Error throw).
• E2E (request-errors.spec.ts): cross-origin → browser-blocked (inside Response tab), same-origin → unreachable (never mentions CORS), 4xx → renders normally. First e2e to actually drive Try → Send; uses page.route for deterministic failures.

All existing e2e (63) and unit tests pass; new code is lint-clean.

Acceptance criteria

• Failure classified from request context (timeout; scheme; same-origin vs cross-origin; file)
• Blanket "CORS error" removed; CORS only for cross-origin / file, never same-origin
• timeout / mixed-content / browser-blocked / unreachable each show their message; anything else shows the underlying error
• Only the failure message changes; response display, default timeout, OAuth2 unchanged
• A test per classified case

[sundram-bruno]

Updated: rebased onto current main (picks up the centralized theming from #42) and squashed to a single commit.

The error banner is now styled entirely via theme.generated.css tokens — --oc-status-danger-text/--oc-status-danger-border for the red and --oc-border-border2 for the box border — so it matches Bruno desktop's script-error banner exactly (hsl(8,60%,52%) danger red, #cccccc border) and stays light/dark theme-aware. No hardcoded colors.

Verified live in collection docs: browser-blocked, unreachable, timeout, and unknown all render correctly; 13 unit + 3 e2e green.