Hide SQL details in production JSON/NDJSON/SSE/CSV error responses

[lovasoa]

hide SQL details in production error responses for every output format

In production, the HTML renderer already hid DB errors behind a generic message, but the JSON, NDJSON, SSE, and CSV renderers wrote the full error (the .sql path, the exact SQL statement, and the raw DB error) into the response body once streaming had started. Since the format is picked from the Accept header, a visitor could request an HTML page with Accept: application/json and read back its SQL.

Design

One centralized censoring point, no environment checks in the rendering logic:

• Errors stay full anyhow::Error everywhere. Producers never think about dev/prod.
• The single place that turns an internal error into a user-facing one is ClientError::new in error.rs. It is also the only caller of DevOrProd::is_prod: in production it strips detail to a generic message, in development it keeps message/backtrace/hint. The full error is always logged server-side.
• Every renderer (HTML, JSON, NDJSON, SSE, CSV) and the header/pre-body path receives a ClientError and only formats it. None inspect environment. A new output format is safe by construction: it can only render ClientError's already-censored fields.

render.rs now renders components; error.rs owns turning errors into user-facing representations. Moved into error.rs: the ClientError type, the production message, get_backtrace_as_strings, and the error-component data construction.

Verify

The single environment check:

$ grep -rn 'is_prod()' src/render.rs src/webserver/error.rs
src/webserver/error.rs:78:        if environment.is_prod() {

render.rs shrank to mostly renderer dispatch; the error type and policy live in error.rs:

$ git diff --stat origin/main..HEAD -- src/render.rs src/webserver/error.rs
 src/render.rs          | 199 +++++++++++++++++------------
 src/webserver/error.rs | 211 +++++++++++++++++++++++++++++--

Behavior is covered by tests in tests/data_formats/mod.rs: production JSON, CSV, CSV-before-first-row, and an HTML-only page requested as JSON all return the generic message and leak nothing; a unit test in error.rs asserts the production ClientError exposes no sensitive substring at the single boundary.

$ cargo test --test mod data_formats   # 13 passed (incl. 4 prod-leak tests)
$ cargo test --test mod errors         # 9 passed
$ cargo test --lib -- webserver::error render::tests   # 4 passed
$ cargo clippy --all-targets --all-features -- -D warnings   # clean

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: cf94b4525c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".