Truncate FailureResponse.message before appending addr suffix in _failure_text

``OperationalError._MAX_DISPLAY_MESSAGE`` (1024 codepoints)
caps the display ``message`` field. ``DqliteProtocol._failure_text``
appended the peer-address suffix AFTER the server message.
For server messages >1 KiB (ORM-generated SQL with many bound
parameters, large constraint-violation diagnostics, etc.), the
suffix landed in the truncated tail — operators tailing logs
via ``logger.error("%s", exc)`` saw the truncated server text
but lost the ``" to <peer>"`` attribution that makes
multi-node diagnosis tractable.

Apply the per-node ``_truncate_error`` cap (200 codepoints,
already used in cluster aggregate-error rendering) to
``response.message`` BEFORE appending the addr suffix. The
``_MAX_DISPLAY_MESSAGE`` cap in ``OperationalError`` stays
in place as a defense-in-depth net for any caller that
constructs from raw text outside this helper, but the common
case now arrives pre-truncated with the suffix preserved.

Pairs with the X2 ``raw_message`` kwarg fix: the verbatim
server text continues to flow through ``e.raw_message`` so
forensic / log-aggregator views still have the un-truncated
copy.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: antoineleclair

src/dqliteclient/protocol.py

@@ -749,8 +749,21 @@ def _failure_text(self, response: FailureResponse) -> str:
         :func:`_failure_message` with the protocol's ``_addr_suffix``.
         Used uniformly across the query-path raise sites so the
         rendering is consistent.
+
+        Truncates the server message BEFORE composing the addr
+        suffix so the suffix survives the
+        ``OperationalError._MAX_DISPLAY_MESSAGE`` codepoint cap on
+        the exception's display ``message`` field. Without
+        pre-truncation, a long server message (e.g. ORM-generated
+        SQL with many bound parameters) would push the suffix past
+        the cutoff — operators tailing logs via
+        ``logger.error("%s", exc)`` would see the truncated server
+        text but lose the peer-address attribution.
         """
-        return _failure_message(response.message, self._addr_suffix())
+        from dqliteclient.cluster import _truncate_error
+
+        truncated_msg = _truncate_error(response.message)
+        return _failure_message(truncated_msg, self._addr_suffix())
 
     def _operation_deadline(self) -> float:
         """Deadline (monotonic seconds) for a single read-side protocol

tests/test_operationalerror_raw_message_clean.py

@@ -48,3 +48,33 @@ def test_operational_error_truncation_preserves_raw_message_full_length() -> Non
     err = OperationalError(1, long_text, raw_message=long_text)
     assert len(err.raw_message) == 4096
     assert "[truncated," in err.message
+
+
+def test_failure_text_truncates_message_before_appending_addr_suffix() -> None:
+    """Pin: ``DqliteProtocol._failure_text`` truncates the server
+    message BEFORE appending the addr suffix so the suffix
+    survives the ``_MAX_DISPLAY_MESSAGE`` codepoint cap on the
+    exception's display ``message`` field. Without pre-
+    truncation, a 100k-char ORM-generated SQL error would
+    push the addr suffix past the cutoff and operators
+    tailing logs lose the peer-address attribution.
+    """
+    from unittest.mock import AsyncMock, MagicMock
+
+    from dqliteclient.protocol import DqliteProtocol
+    from dqlitewire.messages import FailureResponse
+
+    proto = DqliteProtocol(
+        AsyncMock(spec=["read"]),
+        MagicMock(spec=["close", "wait_closed"]),
+        address="some-host:9001",
+    )
+    huge = "x" * 100_000
+    response = FailureResponse(code=1, message=huge)
+
+    rendered = proto._failure_text(response)
+
+    # Suffix must appear at the end of the rendered text.
+    assert rendered.endswith(" to some-host:9001"), (
+        f"Addr suffix must survive truncation; rendered ends with: {rendered[-100:]!r}"
+    )