fix(webapp): catch loader/action throws before Remix serializes them (#3664)

## Summary

Companion to #3536, which patched routes that already had a leaking
`catch (e) { return json({error: e.message}, 500) }`. That pattern can't
reach routes which have no catch in the first place — when those throw,
Remix's default error path serializes `error.message` into the response
body, and the SDK then wraps the leaked string as `TriggerApiError`.

Across 28 raw api.v1 loaders/actions plus one dashboard polling
endpoint, each handler now:

- Wraps its body in `try { ... } catch (error) { ... }`.
- Re-throws `Response` instances so auth helpers' `throw json(...)` /
`throw redirect(...)` pass through unchanged.
- Logs non-Response errors via `logger.error` so server-side visibility
is preserved.
- Returns a generic body — `{"error": "Internal Server Error"}` 500 for
raw API routes, or `{ changelogs: [] }` 200 for the polling widget
(degrade silently across transient blips; the consumer hook already
coped with empty payloads).

For six routes where #3536 left an inner try/catch covering only a
service call (`alertChannels`, `batches.results`,
`deployments.finalize`, `deployments.background-workers`,
`deployments.promote`, `projects.background-workers`): an outer
try/catch is added so auth/parsing failures are also sanitized. Inner
typed-error handling (`ServiceValidationError` → 422 with message, etc.)
is preserved exactly.

For two routes whose existing catch returned 400 + `error.message`
(`api.v1.authorization-code`, `api.v1.orgs.\$orgParam.projects` action):
the body is sanitized to a generic per-route string. **Status code stays
400** — clients that key on the 4xx/5xx distinction (and the SDK's
no-retry-on-4xx behavior) are unaffected.

## Test plan

- [x] \`pnpm run typecheck --filter webapp\`
- [x] Per-route synthetic-throw probe: inject \`throw new
Error("SYNTHETIC ...")\` at the top of each catch'd try, curl the route
with a dummy bearer, confirm the response body is the generic shape and
that the synthetic message lands server-side via \`logger.error\`. 29
routes verified.
- [x] Real-P1001 probe on the envvars loader: \`docker stop database\`
mid-flight, confirm response is generic 500 (not the leaked Prisma
message).
- [x] Sampled legitimate 4xx/2xx paths across each pattern variant
(naked-wrap, partial-expanded, 400-preserved) to confirm the wraps don't
interfere with normal control flow.

Author: d-cs

.server-changes/sanitize-loader-action-leaks.md

@@ -0,0 +1,6 @@
+---
+area: webapp
+type: fix
+---
+
+Expand API error response sanitization to additional loaders and actions so internal exception messages (Prisma errors, etc.) no longer leak to callers via 5xx response bodies.

apps/webapp/app/routes/api.v1.artifacts.ts

@@ -13,79 +13,85 @@ export async function action({ request }: ActionFunctionArgs) {
     return json({ error: "Method Not Allowed" }, { status: 405 });
   }
 
-  const authenticationResult = await authenticateRequest(request, {
-    apiKey: true,
-    organizationAccessToken: false,
-    personalAccessToken: false,
-  });
+  try {
+    const authenticationResult = await authenticateRequest(request, {
+      apiKey: true,
+      organizationAccessToken: false,
+      personalAccessToken: false,
+    });
 
-  if (!authenticationResult || !authenticationResult.result.ok) {
-    logger.info("Invalid or missing api key", { url: request.url });
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
+    if (!authenticationResult || !authenticationResult.result.ok) {
+      logger.info("Invalid or missing api key", { url: request.url });
+      return json({ error: "Invalid or Missing API key" }, { status: 401 });
+    }
 
-  const [, rawBody] = await tryCatch(request.json());
-  const body = CreateArtifactRequestBody.safeParse(rawBody ?? {});
+    const [, rawBody] = await tryCatch(request.json());
+    const body = CreateArtifactRequestBody.safeParse(rawBody ?? {});
 
-  if (!body.success) {
-    return json({ error: "Invalid request body", issues: body.error.issues }, { status: 400 });
-  }
+    if (!body.success) {
+      return json({ error: "Invalid request body", issues: body.error.issues }, { status: 400 });
+    }
 
-  const { environment: authenticatedEnv } = authenticationResult.result;
+    const { environment: authenticatedEnv } = authenticationResult.result;
 
-  const service = new ArtifactsService();
-  return await service
-    .createArtifact(body.data.type, authenticatedEnv, body.data.contentLength)
-    .match(
-      (result) => {
-        return json(
-          {
-            artifactKey: result.artifactKey,
-            uploadUrl: result.uploadUrl,
-            uploadFields: result.uploadFields,
-            expiresAt: result.expiresAt.toISOString(),
-          } satisfies CreateArtifactResponseBody,
-          { status: 201 }
-        );
-      },
-      (error) => {
-        switch (error.type) {
-          case "artifact_size_exceeds_limit": {
-            logger.warn("Artifact size exceeds limit", { error });
-            const sizeMB = parseFloat((error.contentLength / (1024 * 1024)).toFixed(1));
-            const limitMB = parseFloat((error.sizeLimit / (1024 * 1024)).toFixed(1));
+    const service = new ArtifactsService();
+    return await service
+      .createArtifact(body.data.type, authenticatedEnv, body.data.contentLength)
+      .match(
+        (result) => {
+          return json(
+            {
+              artifactKey: result.artifactKey,
+              uploadUrl: result.uploadUrl,
+              uploadFields: result.uploadFields,
+              expiresAt: result.expiresAt.toISOString(),
+            } satisfies CreateArtifactResponseBody,
+            { status: 201 }
+          );
+        },
+        (error) => {
+          switch (error.type) {
+            case "artifact_size_exceeds_limit": {
+              logger.warn("Artifact size exceeds limit", { error });
+              const sizeMB = parseFloat((error.contentLength / (1024 * 1024)).toFixed(1));
+              const limitMB = parseFloat((error.sizeLimit / (1024 * 1024)).toFixed(1));
 
-            let errorMessage;
+              let errorMessage;
 
-            switch (body.data.type) {
-              case "deployment_context":
-                errorMessage = `Artifact size (${sizeMB} MB) exceeds the allowed limit of ${limitMB} MB. Make sure you are in the correct directory of your Trigger.dev project. Reach out to us if you are seeing this error consistently.`;
-                break;
-              default:
-                body.data.type satisfies never;
-                errorMessage = `Artifact size (${sizeMB} MB) exceeds the allowed limit of ${limitMB} MB`;
+              switch (body.data.type) {
+                case "deployment_context":
+                  errorMessage = `Artifact size (${sizeMB} MB) exceeds the allowed limit of ${limitMB} MB. Make sure you are in the correct directory of your Trigger.dev project. Reach out to us if you are seeing this error consistently.`;
+                  break;
+                default:
+                  body.data.type satisfies never;
+                  errorMessage = `Artifact size (${sizeMB} MB) exceeds the allowed limit of ${limitMB} MB`;
+              }
+              return json(
+                {
+                  error: errorMessage,
+                },
+                { status: 400 }
+              );
+            }
+            case "failed_to_create_presigned_post": {
+              logger.error("Failed to create presigned POST", { error });
+              return json({ error: "Failed to generate artifact upload URL" }, { status: 500 });
+            }
+            case "artifacts_bucket_not_configured": {
+              logger.error("Artifacts bucket not configured", { error });
+              return json({ error: "Internal server error" }, { status: 500 });
+            }
+            default: {
+              error satisfies never;
+              logger.error("Failed creating artifact", { error });
+              return json({ error: "Internal server error" }, { status: 500 });
             }
-            return json(
-              {
-                error: errorMessage,
-              },
-              { status: 400 }
-            );
-          }
-          case "failed_to_create_presigned_post": {
-            logger.error("Failed to create presigned POST", { error });
-            return json({ error: "Failed to generate artifact upload URL" }, { status: 500 });
-          }
-          case "artifacts_bucket_not_configured": {
-            logger.error("Artifacts bucket not configured", { error });
-            return json({ error: "Internal server error" }, { status: 500 });
-          }
-          default: {
-            error satisfies never;
-            logger.error("Failed creating artifact", { error });
-            return json({ error: "Internal server error" }, { status: 500 });
           }
         }
-      }
-    );
+      );
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to create artifact", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
+  }
 }

apps/webapp/app/routes/api.v1.auth.jwt.claims.ts

@@ -1,19 +1,26 @@
 import type { LoaderFunctionArgs } from "@remix-run/server-runtime";
 import { json } from "@remix-run/server-runtime";
 import { authenticateApiRequest } from "~/services/apiAuth.server";
+import { logger } from "~/services/logger.server";
 
 export async function action({ request }: LoaderFunctionArgs) {
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequest(request);
+  try {
+    // Next authenticate the request
+    const authenticationResult = await authenticateApiRequest(request);
 
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
+    if (!authenticationResult) {
+      return json({ error: "Invalid or Missing API key" }, { status: 401 });
+    }
 
-  const claims = {
-    sub: authenticationResult.environment.id,
-    pub: true,
-  };
+    const claims = {
+      sub: authenticationResult.environment.id,
+      pub: true,
+    };
 
-  return json(claims);
+    return json(claims);
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to read auth jwt claims", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
+  }
 }

apps/webapp/app/routes/api.v1.auth.jwt.ts

@@ -1,6 +1,7 @@
 import type { LoaderFunctionArgs } from "@remix-run/server-runtime";
 import { json } from "@remix-run/server-runtime";
 import { authenticateApiRequest } from "~/services/apiAuth.server";
+import { logger } from "~/services/logger.server";
 import { z } from "zod";
 import { generateJWT as internal_generateJWT } from "@trigger.dev/core/v3";
 
@@ -14,36 +15,42 @@ const RequestBodySchema = z.object({
 });
 
 export async function action({ request }: LoaderFunctionArgs) {
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequest(request);
-
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
+  try {
+    // Next authenticate the request
+    const authenticationResult = await authenticateApiRequest(request);
+
+    if (!authenticationResult) {
+      return json({ error: "Invalid or Missing API key" }, { status: 401 });
+    }
+
+    const parsedBody = RequestBodySchema.safeParse(await request.json());
+
+    if (!parsedBody.success) {
+      return json(
+        { error: "Invalid request body", issues: parsedBody.error.issues },
+        { status: 400 }
+      );
+    }
+
+    const claims = {
+      sub: authenticationResult.environment.id,
+      pub: true,
+      ...parsedBody.data.claims,
+    };
+
+    // Sign with the environment's current canonical key, not the raw header key,
+    // so JWTs minted with a revoked (grace-window) key still validate — validation
+    // in jwtAuth.server.ts uses environment.apiKey.
+    const jwt = await internal_generateJWT({
+      secretKey: authenticationResult.environment.apiKey,
+      payload: claims,
+      expirationTime: parsedBody.data.expirationTime ?? "1h",
+    });
+
+    return json({ token: jwt });
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to mint auth jwt", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
   }
-
-  const parsedBody = RequestBodySchema.safeParse(await request.json());
-
-  if (!parsedBody.success) {
-    return json(
-      { error: "Invalid request body", issues: parsedBody.error.issues },
-      { status: 400 }
-    );
-  }
-
-  const claims = {
-    sub: authenticationResult.environment.id,
-    pub: true,
-    ...parsedBody.data.claims,
-  };
-
-  // Sign with the environment's current canonical key, not the raw header key,
-  // so JWTs minted with a revoked (grace-window) key still validate — validation
-  // in jwtAuth.server.ts uses environment.apiKey.
-  const jwt = await internal_generateJWT({
-    secretKey: authenticationResult.environment.apiKey,
-    payload: claims,
-    expirationTime: parsedBody.data.expirationTime ?? "1h",
-  });
-
-  return json({ token: jwt });
 }

apps/webapp/app/routes/api.v1.authorization-code.ts

@@ -32,7 +32,7 @@ export async function action({ request }: ActionFunctionArgs) {
         error: error.message,
       });
 
-      return json({ error: error.message }, { status: 400 });
+      return json({ error: "Failed to create authorization code" }, { status: 400 });
     }
 
     return json({ error: "Something went wrong" }, { status: 500 });

apps/webapp/app/routes/api.v1.batches.$batchParam.results.ts

@@ -12,32 +12,38 @@ const ParamsSchema = z.object({
 });
 
 export async function loader({ request, params }: LoaderFunctionArgs) {
-  // Authenticate the request
-  const authenticationResult = await authenticateApiRequest(request);
+  try {
+    // Authenticate the request
+    const authenticationResult = await authenticateApiRequest(request);
 
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API Key" }, { status: 401 });
-  }
+    if (!authenticationResult) {
+      return json({ error: "Invalid or Missing API Key" }, { status: 401 });
+    }
 
-  const parsed = ParamsSchema.safeParse(params);
+    const parsed = ParamsSchema.safeParse(params);
 
-  if (!parsed.success) {
-    return json({ error: "Invalid or missing run ID" }, { status: 400 });
-  }
+    if (!parsed.success) {
+      return json({ error: "Invalid or missing run ID" }, { status: 400 });
+    }
 
-  const { batchParam } = parsed.data;
+    const { batchParam } = parsed.data;
 
-  try {
-    const presenter = new ApiBatchResultsPresenter();
-    const result = await presenter.call(batchParam, authenticationResult.environment);
+    try {
+      const presenter = new ApiBatchResultsPresenter();
+      const result = await presenter.call(batchParam, authenticationResult.environment);
 
-    if (!result) {
-      return json({ error: "Batch not found" }, { status: 404 });
-    }
+      if (!result) {
+        return json({ error: "Batch not found" }, { status: 404 });
+      }
 
-    return json(result);
+      return json(result);
+    } catch (error) {
+      logger.error("Failed to load batch results", { error });
+      return json({ error: "Something went wrong, please try again." }, { status: 500 });
+    }
   } catch (error) {
-    logger.error("Failed to load batch results", { error });
-    return json({ error: "Something went wrong, please try again." }, { status: 500 });
+    if (error instanceof Response) throw error;
+    logger.error("Failed to load batch results (outer)", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
   }
 }