Harden URL redaction in transport errors, bound JSONL reads, fix docs

[OmarAlJarrah]

Summary

A cross-package pass over the assembled SDK turned up three things worth fixing. No behavioral regressions; all 19 packages stay green under -race.

httperr: stop leaking the raw URL on transport failures

TransportError.URL is redacted, but TransportError.Error() formatted the wrapped cause with %v. When that cause is net/http's *url.Error, its own Error() re-embeds the full, unredacted URL — including query secrets — so logging the error string defeated the redaction everywhere else. Error() now unwraps a *url.Error and renders its inner cause instead, while Unwrap() stays lossless so errors.Is/As still reach the original.

jsonl: bound the stream

Decode was the one streaming reader in the SDK without a size cap (sse caps lines at 1 MiB, httperr at 8 KiB). Added an opt-in WithMaxBytes(n) that wraps the reader in an io.LimitReader; an oversized value now surfaces a decode error rather than reading unbounded memory. Default behavior is unchanged — Decode(r) callers are unaffected.

Docs

• Pipeline-order diagrams (README, client.go, CLAUDE.md) now show the optional errors outermost stage and use the actual client-identity stage name; opt-in stages are bracketed.
• CLAUDE.md repository-layout tree was missing idempotency/.
• The "HTTPS-only" note now covers all three credential policies (bearer, basic, API-key), which share the ErrInsecureTransport guard.
• README options regrouped so auth/config options (WithTokenCache, WithBasicAuth, WithAPIKey, WithConfig) no longer sit under Observability.
• pagination.NewLinkHeader GoDoc notes the next URL comes from a server-controlled Link header.

Test plan

• go test -race ./... — all 19 packages pass
• gofmt -l . clean, go vet ./... clean, go build ./... clean
• New tests: TransportError.Error() does not leak a query secret and Unwrap stays lossless; jsonl.WithMaxBytes bounds reads and errors on an oversized value

🤖 Generated with Claude Code