Skip to content

P2: Verify error masking; make masking explicit (#177)#195

Open
dkijania wants to merge 1 commit into
mainfrom
feat/verify-error-masking
Open

P2: Verify error masking; make masking explicit (#177)#195
dkijania wants to merge 1 commit into
mainfrom
feat/verify-error-masking

Conversation

@dkijania

Copy link
Copy Markdown
Contributor

What & why

Part of the production-readiness epic (#163). Closes #177.

Yoga masks unexpected errors by default, but nothing in the repo guaranteed it stayed on or proved that internal details don't leak.

Changes

  • maskedErrors: true set explicitly in the Yoga config — the production posture is now intentional and can't be silently turned off by a future edit.
  • Extracted buildYoga from buildServer so the server's exact config is unit-testable (without binding a port).
  • Tests:
    • A db_client whose query throws connection to server failed: password=topsecret → the client receives a generic Unexpected error. and the payload contains no password/topsecret/internal text.
    • An unknown-field query still returns the normal GraphQL validation error verbatim (masking doesn't hide client-facing errors).

Testing

  • npm run build / npm run lint / npx prettier --debug-check . — clean
  • npm run test:unit — all pass (2 new masking assertions)

🤖 Generated with Claude Code

Yoga masks unexpected errors by default, but nothing guaranteed it stayed on or
proved internals don't leak.

- Set `maskedErrors: true` explicitly in the Yoga config so the production
  posture is intentional and can't be silently disabled.
- Extract `buildYoga` from `buildServer` so the server's exact config is
  unit-testable.
- Add tests proving a DB error carrying a password/connection string is returned
  to the client as a generic "Unexpected error." with no internals in the
  payload, while ordinary GraphQL validation errors still surface verbatim.

Closes #177.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01QSuak9smCHbp4N17xjjLF6
@dkijania dkijania added production-readiness Work toward making the API production-ready / publicly available P2 GA polish / hygiene labels Jun 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

P2 GA polish / hygiene production-readiness Work toward making the API production-ready / publicly available

Projects

None yet

Development

Successfully merging this pull request may close these issues.

P2: Verify error masking (no raw Postgres errors leak to clients)

1 participant