Problem
Some functions return raw err.message to callers which could include API keys, file paths, or stack traces. Other endpoints properly mask errors.
Examples
src/functions/summarize.ts:151 — { success: false, error: msg } leaks raw errorsrc/viewer/server.ts:455 — { error: "internal error" } properly masked
Suggested Fix
Standardize all API responses to never include raw error messages. Log details server-side only.
Problem
Some functions return raw
err.messageto callers which could include API keys, file paths, or stack traces. Other endpoints properly mask errors.Examples
src/functions/summarize.ts:151—{ success: false, error: msg }leaks raw errorsrc/viewer/server.ts:455—{ error: "internal error" }properly maskedSuggested Fix
Standardize all API responses to never include raw error messages. Log details server-side only.