@adobe/aio-cli-plugin-api-mesh 5.6.6 → 5.7.0-alpha.1

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@adobe/aio-cli-plugin-api-mesh",
-	"version": "5.6.6",
+	"version": "5.7.0-alpha.1",
 	"description": "Adobe I/O CLI plugin to develop and manage API mesh sources",
 	"keywords": [
 		"oclif-plugin"
@@ -38,7 +38,7 @@
 		"version": "oclif-dev readme && git add README.md"
 	},
 	"dependencies": {
-		"@adobe-apimesh/mesh-builder": "^2.4.1",
+		"@adobe-apimesh/mesh-builder": "^2.4.2-alpha.1",
 		"@adobe/aio-cli-lib-console": "^5.0.0",
 		"@adobe/aio-lib-core-config": "^5.0.0",
 		"@adobe/aio-lib-core-logging": "^3.0.0",
@@ -48,6 +48,7 @@
 		"@adobe/plugin-on-fetch": "0.1.1",
 		"@adobe/plugin-source-headers": "^0.0.2",
 		"@envelop/disable-introspection": "^6.0.0",
+		"@escape.tech/graphql-armor": "3.2.0",
 		"@graphql-mesh/cli": "0.82.30",
 		"@graphql-mesh/graphql": "0.34.13",
 		"@graphql-mesh/http": "^0.96.9",

package/src/commands/__fixtures__/sample_mesh_with_queryConfig.json

@@ -0,0 +1,23 @@
+{
+	"meshConfig": {
+		"sources": [
+			{
+				"name": "<api_name>",
+				"handler": {
+					"graphql": {
+						"endpoint": "<gql_endpoint>"
+					}
+				}
+			}
+		],
+		"queryConfig": {
+			"maxDepth": { "enabled": true, "limit": 4 },
+			"maxAliases": { "enabled": true, "limit": 10 },
+			"maxTokens": { "enabled": true, "limit": 500 },
+			"maxDirectives": { "enabled": true, "limit": 20 },
+			"costLimit": { "enabled": true, "maxCost": 1000 },
+			"blockFieldSuggestion": { "enabled": true, "mask": "[hidden]" },
+			"maskErrors": { "enabled": true, "message": "Something went wrong." }
+		}
+	}
+}

package/src/commands/api-mesh/__tests__/create.test.js

@@ -32,6 +32,7 @@ jest.mock('../../../lib/smsClient');
 const CreateCommand = require('../create');
 const sampleCreateMeshConfig = require('../../__fixtures__/sample_mesh.json');
 const meshConfigWithComposerFiles = require('../../__fixtures__/sample_mesh_with_composer_files.json');
+const sampleMeshWithQueryConfig = require('../../__fixtures__/sample_mesh_with_queryConfig.json');
 const { initSdk, promptConfirm, interpolateMesh, importFiles } = require('../../../helpers');
 const {
 	getMesh,
@@ -407,6 +408,77 @@ describe('create command tests', () => {
 		expect(errorLogSpy.mock.calls).toMatchInlineSnapshot(`[]`);
 	});
 
+	test('should pass queryConfig fields through to createMesh without modification', async () => {
+		createMesh.mockResolvedValueOnce({
+			mesh: {
+				meshId: 'dummy_mesh_id',
+				meshConfig: sampleMeshWithQueryConfig.meshConfig,
+			},
+		});
+		parseSpy.mockResolvedValueOnce({
+			args: { file: 'src/commands/__fixtures__/sample_mesh_with_queryConfig.json' },
+			flags: {
+				ignoreCache: mockIgnoreCacheFlag,
+				autoConfirmAction: mockAutoApproveAction,
+			},
+		});
+		await CreateCommand.run();
+		expect(createMesh.mock.calls[0]).toMatchInlineSnapshot(`
+		[
+		  "CODE1234@AdobeOrg",
+		  "5678",
+		  "123456789",
+		  "Workspace01",
+		  "ORG01",
+		  "Project01",
+		  {
+		    "meshConfig": {
+		      "queryConfig": {
+		        "blockFieldSuggestion": {
+		          "enabled": true,
+		          "mask": "[hidden]",
+		        },
+		        "costLimit": {
+		          "enabled": true,
+		          "maxCost": 1000,
+		        },
+		        "maskErrors": {
+		          "enabled": true,
+		          "message": "Something went wrong.",
+		        },
+		        "maxAliases": {
+		          "enabled": true,
+		          "limit": 10,
+		        },
+		        "maxDepth": {
+		          "enabled": true,
+		          "limit": 4,
+		        },
+		        "maxDirectives": {
+		          "enabled": true,
+		          "limit": 20,
+		        },
+		        "maxTokens": {
+		          "enabled": true,
+		          "limit": 500,
+		        },
+		      },
+		      "sources": [
+		        {
+		          "handler": {
+		            "graphql": {
+		              "endpoint": "<gql_endpoint>",
+		            },
+		          },
+		          "name": "<api_name>",
+		        },
+		      ],
+		    },
+		  },
+		]
+		`);
+	});
+
 	test('should create and return Ti mesh url if a valid mesh config file for TI client is provided', async () => {
 		let fetchedMeshConfig = sampleCreateMeshConfig;
 		fetchedMeshConfig.meshId = 'dummy_id';

package/src/commands/api-mesh/__tests__/run.test.js

@@ -1104,6 +1104,26 @@ describe('run command tests', () => {
 		);
 	});
 
+	test('should successfully run the mesh with queryConfig', async () => {
+		const cliInput = {
+			args: { file: 'src/commands/__fixtures__/sample_mesh_with_queryConfig.json' },
+			flags: {
+				port: 5000,
+				debug: false,
+				inspectPort: 9229,
+			},
+		};
+		parseSpy.mockResolvedValueOnce(cliInput);
+
+		await RunCommand.run();
+		expect(start).toHaveBeenCalledWith(
+			expect.anything(),
+			cliInput.flags.port,
+			cliInput.flags.debug,
+			cliInput.flags.inspectPort,
+		);
+	});
+
 	test('should escape variables that are preceded by backslash symbol', async () => {
 		const cliInput = {
 			args: { file: 'src/commands/__fixtures__/sample_mesh_with_escaped_secrets.json' },

package/src/commands/api-mesh/__tests__/update.test.js

@@ -137,6 +137,155 @@ describe('update command tests', () => {
 		expect(errorLogSpy.mock.calls).toMatchInlineSnapshot(`[]`);
 	});
 
+	test('should pass queryConfig with all fields enabled through to updateMesh', async () => {
+		const meshWithQueryConfigEnabled = {
+			meshConfig: {
+				sources: [{ name: '<api_name>', handler: { graphql: { endpoint: '<gql_endpoint>' } } }],
+				queryConfig: {
+					maxDepth: { enabled: true, limit: 4 },
+					maxAliases: { enabled: true, limit: 10 },
+					maxTokens: { enabled: true, limit: 500 },
+					maxDirectives: { enabled: true, limit: 20 },
+					costLimit: { enabled: true, maxCost: 1000 },
+					blockFieldSuggestion: { enabled: true, mask: '[hidden]' },
+					maskErrors: { enabled: true, message: 'Something went wrong.' },
+				},
+			},
+		};
+		readFile.mockResolvedValueOnce(JSON.stringify(meshWithQueryConfigEnabled));
+		parseSpy.mockResolvedValueOnce({
+			args: { file: 'src/commands/__fixtures__/sample_mesh_with_queryConfig.json' },
+			flags: { ignoreCache: mockIgnoreCacheFlag, autoConfirmAction: mockAutoApproveAction },
+		});
+		await UpdateCommand.run();
+		expect(updateMesh.mock.calls[0]).toMatchInlineSnapshot(`
+		[
+		  "CODE1234@AdobeOrg",
+		  "5678",
+		  "123456789",
+		  "Workspace01",
+		  "ORG01",
+		  "Project01",
+		  "mesh_id",
+		  {
+		    "meshConfig": {
+		      "queryConfig": {
+		        "blockFieldSuggestion": {
+		          "enabled": true,
+		          "mask": "[hidden]",
+		        },
+		        "costLimit": {
+		          "enabled": true,
+		          "maxCost": 1000,
+		        },
+		        "maskErrors": {
+		          "enabled": true,
+		          "message": "Something went wrong.",
+		        },
+		        "maxAliases": {
+		          "enabled": true,
+		          "limit": 10,
+		        },
+		        "maxDepth": {
+		          "enabled": true,
+		          "limit": 4,
+		        },
+		        "maxDirectives": {
+		          "enabled": true,
+		          "limit": 20,
+		        },
+		        "maxTokens": {
+		          "enabled": true,
+		          "limit": 500,
+		        },
+		      },
+		      "sources": [
+		        {
+		          "handler": {
+		            "graphql": {
+		              "endpoint": "<gql_endpoint>",
+		            },
+		          },
+		          "name": "<api_name>",
+		        },
+		      ],
+		    },
+		  },
+		]
+		`);
+	});
+
+	test('should pass queryConfig with all fields disabled through to updateMesh', async () => {
+		const meshWithQueryConfigDisabled = {
+			meshConfig: {
+				sources: [{ name: '<api_name>', handler: { graphql: { endpoint: '<gql_endpoint>' } } }],
+				queryConfig: {
+					maxDepth: { enabled: false },
+					maxAliases: { enabled: false },
+					maxTokens: { enabled: false },
+					maxDirectives: { enabled: false },
+					costLimit: { enabled: false },
+					blockFieldSuggestion: { enabled: false },
+					maskErrors: { enabled: false },
+				},
+			},
+		};
+		readFile.mockResolvedValueOnce(JSON.stringify(meshWithQueryConfigDisabled));
+		parseSpy.mockResolvedValueOnce({
+			args: { file: 'src/commands/__fixtures__/sample_mesh.json' },
+			flags: { ignoreCache: mockIgnoreCacheFlag, autoConfirmAction: mockAutoApproveAction },
+		});
+		await UpdateCommand.run();
+		expect(updateMesh.mock.calls[0]).toMatchInlineSnapshot(`
+		[
+		  "CODE1234@AdobeOrg",
+		  "5678",
+		  "123456789",
+		  "Workspace01",
+		  "ORG01",
+		  "Project01",
+		  "mesh_id",
+		  {
+		    "meshConfig": {
+		      "queryConfig": {
+		        "blockFieldSuggestion": {
+		          "enabled": false,
+		        },
+		        "costLimit": {
+		          "enabled": false,
+		        },
+		        "maskErrors": {
+		          "enabled": false,
+		        },
+		        "maxAliases": {
+		          "enabled": false,
+		        },
+		        "maxDepth": {
+		          "enabled": false,
+		        },
+		        "maxDirectives": {
+		          "enabled": false,
+		        },
+		        "maxTokens": {
+		          "enabled": false,
+		        },
+		      },
+		      "sources": [
+		        {
+		          "handler": {
+		            "graphql": {
+		              "endpoint": "<gql_endpoint>",
+		            },
+		          },
+		          "name": "<api_name>",
+		        },
+		      ],
+		    },
+		  },
+		]
+		`);
+	});
+
 	test('should pass with valid args and ignoreCache flag', async () => {
 		let sampleMesh = {
 			meshConfig: {

package/src/plugins/queryConfig/__tests__/queryConfig.test.js

@@ -0,0 +1,167 @@
+const { EnvelopArmorPlugin } = require('@escape.tech/graphql-armor');
+const useQueryConfig = require('../index');
+
+jest.mock('@escape.tech/graphql-armor', () => ({
+	EnvelopArmorPlugin: jest.fn(() => ({ pluginName: 'EnvelopArmor' })),
+}));
+
+beforeEach(() => {
+	EnvelopArmorPlugin.mockClear();
+});
+
+describe('useQueryConfig', () => {
+	describe('no config — all protections disabled', () => {
+		it('disables all protections when called with undefined', () => {
+			useQueryConfig(undefined);
+			expect(EnvelopArmorPlugin).toHaveBeenCalledWith({
+				costLimit: { enabled: false },
+				maxDepth: { enabled: false },
+				maxAliases: { enabled: false },
+				maxTokens: { enabled: false },
+				maxDirectives: { enabled: false },
+				blockFieldSuggestion: { enabled: false },
+			});
+		});
+
+		it('disables all protections when called with empty object', () => {
+			useQueryConfig({});
+			expect(EnvelopArmorPlugin).toHaveBeenCalledWith({
+				costLimit: { enabled: false },
+				maxDepth: { enabled: false },
+				maxAliases: { enabled: false },
+				maxTokens: { enabled: false },
+				maxDirectives: { enabled: false },
+				blockFieldSuggestion: { enabled: false },
+			});
+		});
+	});
+
+	describe('maxDepth', () => {
+		it('passes enabled and limit (mapped to n) to armor', () => {
+			useQueryConfig({ maxDepth: { enabled: true, limit: 5 } });
+			expect(EnvelopArmorPlugin.mock.calls[0][0].maxDepth).toEqual({ enabled: true, n: 5 });
+		});
+
+		it('passes enabled: false with no limit', () => {
+			useQueryConfig({ maxDepth: { enabled: false } });
+			expect(EnvelopArmorPlugin.mock.calls[0][0].maxDepth).toEqual({
+				enabled: false,
+				n: undefined,
+			});
+		});
+
+		it('passes enabled: false with limit retained', () => {
+			useQueryConfig({ maxDepth: { enabled: false, limit: 3 } });
+			expect(EnvelopArmorPlugin.mock.calls[0][0].maxDepth).toEqual({ enabled: false, n: 3 });
+		});
+	});
+
+	describe('maxAliases', () => {
+		it('passes enabled and limit (mapped to n)', () => {
+			useQueryConfig({ maxAliases: { enabled: true, limit: 10 } });
+			expect(EnvelopArmorPlugin.mock.calls[0][0].maxAliases).toEqual({ enabled: true, n: 10 });
+		});
+
+		it('passes n: undefined when enabled but no limit — armor uses its default', () => {
+			useQueryConfig({ maxAliases: { enabled: true } });
+			expect(EnvelopArmorPlugin.mock.calls[0][0].maxAliases).toEqual({
+				enabled: true,
+				n: undefined,
+			});
+		});
+	});
+
+	describe('maxTokens', () => {
+		it('passes enabled and limit (mapped to n)', () => {
+			useQueryConfig({ maxTokens: { enabled: true, limit: 500 } });
+			expect(EnvelopArmorPlugin.mock.calls[0][0].maxTokens).toEqual({ enabled: true, n: 500 });
+		});
+	});
+
+	describe('maxDirectives', () => {
+		it('passes enabled and limit (mapped to n)', () => {
+			useQueryConfig({ maxDirectives: { enabled: true, limit: 25 } });
+			expect(EnvelopArmorPlugin.mock.calls[0][0].maxDirectives).toEqual({ enabled: true, n: 25 });
+		});
+	});
+
+	describe('costLimit', () => {
+		it('passes enabled and maxCost', () => {
+			useQueryConfig({ costLimit: { enabled: true, maxCost: 2000 } });
+			expect(EnvelopArmorPlugin.mock.calls[0][0].costLimit).toEqual({
+				enabled: true,
+				maxCost: 2000,
+			});
+		});
+
+		it('passes enabled: false with maxCost retained', () => {
+			useQueryConfig({ costLimit: { enabled: false, maxCost: 1000 } });
+			expect(EnvelopArmorPlugin.mock.calls[0][0].costLimit).toEqual({
+				enabled: false,
+				maxCost: 1000,
+			});
+		});
+	});
+
+	describe('blockFieldSuggestion', () => {
+		function getPlugin(queryConfig) {
+			const [, plugin] = useQueryConfig(queryConfig);
+			return plugin;
+		}
+
+		function runValidate(plugin, messages) {
+			const errors = messages.map(m => Object.assign(new Error(m), {}));
+			let result = errors;
+			plugin.onValidate()({
+				valid: false,
+				result: errors,
+				setResult: e => {
+					result = e;
+				},
+			});
+			return result.map(e => e.message);
+		}
+
+		it('should always pass { enabled: false } to armor', () => {
+			useQueryConfig({ blockFieldSuggestion: { enabled: true, mask: '[hidden]' } });
+			expect(EnvelopArmorPlugin.mock.calls[0][0].blockFieldSuggestion).toEqual({ enabled: false });
+		});
+
+		it('should strip "Did you mean" hint when enabled', () => {
+			const out = runValidate(getPlugin({ blockFieldSuggestion: { enabled: true } }), [
+				'Cannot query field "continentz". Did you mean "continents"?',
+			]);
+			expect(out[0]).toBe('Cannot query field "continentz".');
+		});
+
+		it('should use custom mask when provided', () => {
+			const out = runValidate(
+				getPlugin({ blockFieldSuggestion: { enabled: true, mask: '[hidden]' } }),
+				['Cannot query field "foo". Did you mean "bar"?'],
+			);
+			expect(out[0]).toBe('Cannot query field "foo". [hidden]');
+		});
+
+		it('should not strip hint when disabled', () => {
+			const out = runValidate(getPlugin({ blockFieldSuggestion: { enabled: false } }), [
+				'Cannot query field "x". Did you mean "y"?',
+			]);
+			expect(out[0]).toBe('Cannot query field "x". Did you mean "y"?');
+		});
+
+		it('should strip multi-candidate hint with custom mask', () => {
+			const out = runValidate(
+				getPlugin({ blockFieldSuggestion: { enabled: true, mask: '[hidden]' } }),
+				['Cannot query field "nam". Did you mean "name", "names", or "named"?'],
+			);
+			expect(out[0]).toBe('Cannot query field "nam". [hidden]');
+		});
+	});
+
+	describe('maskErrors', () => {
+		it('is not passed to EnvelopArmorPlugin — handled separately via yoga maskedErrors', () => {
+			useQueryConfig({ maskErrors: { enabled: true, message: 'Unexpected error.' } });
+			expect(EnvelopArmorPlugin.mock.calls[0][0]).not.toHaveProperty('maskErrors');
+		});
+	});
+});

package/src/plugins/queryConfig/index.js

@@ -0,0 +1,51 @@
+const { EnvelopArmorPlugin } = require('@escape.tech/graphql-armor');
+
+// All protections are opt-in — nothing enabled unless explicitly configured.
+// blockFieldSuggestion uses a custom onValidate hook: armor's graphql@^16.10.0 creates a
+// duplicate class under nohoist, breaking its instanceof GraphQLError check.
+function useQueryConfig(queryConfig) {
+	return [
+		EnvelopArmorPlugin({
+			costLimit: queryConfig?.costLimit
+				? { enabled: queryConfig.costLimit.enabled, maxCost: queryConfig.costLimit.maxCost }
+				: { enabled: false },
+			maxDepth: queryConfig?.maxDepth
+				? { enabled: queryConfig.maxDepth.enabled, n: queryConfig.maxDepth.limit }
+				: { enabled: false },
+			maxAliases: queryConfig?.maxAliases
+				? { enabled: queryConfig.maxAliases.enabled, n: queryConfig.maxAliases.limit }
+				: { enabled: false },
+			maxTokens: queryConfig?.maxTokens
+				? { enabled: queryConfig.maxTokens.enabled, n: queryConfig.maxTokens.limit }
+				: { enabled: false },
+			maxDirectives: queryConfig?.maxDirectives
+				? { enabled: queryConfig.maxDirectives.enabled, n: queryConfig.maxDirectives.limit }
+				: { enabled: false },
+			blockFieldSuggestion: { enabled: false },
+		}),
+		blockFieldSuggestionPlugin(queryConfig),
+	];
+}
+
+function blockFieldSuggestionPlugin(queryConfig) {
+	const enabled = queryConfig?.blockFieldSuggestion?.enabled === true;
+	const mask = queryConfig?.blockFieldSuggestion?.mask ?? '';
+	return {
+		onValidate() {
+			return function onValidateEnd({ valid, result, setResult }) {
+				if (!valid && enabled) {
+					setResult(
+						result.map(error => {
+							if (typeof error.message === 'string') {
+								error.message = error.message.replace(/Did you mean ".+"\?/g, mask).trim();
+							}
+							return error;
+						}),
+					);
+				}
+			};
+		},
+	};
+}
+
+module.exports = useQueryConfig;

package/src/server.js

@@ -4,13 +4,14 @@ import { KvStateApiImpl } from './state';
 
 const { getCorsOptions } = require('./cors');
 const { createYoga } = require('graphql-yoga');
-const { GraphQLError } = require('graphql/error');
 
 const { loadMeshSecrets, getSecretsHandler } = require('./secrets');
 const useComplianceHeaders = require('./plugins/complianceHeaders');
 const UseHttpDetailsExtensions = require('./plugins/httpDetailsExtensions');
+const useQueryConfig = require('./plugins/queryConfig');
 const useSourceHeaders = require('@adobe/plugin-source-headers');
 const { useDisableIntrospection } = require('@envelop/disable-introspection');
+const { maskError } = require('./utils/maskError');
 
 let meshInstance$;
 
@@ -31,6 +32,8 @@ async function buildMeshInstance(meshArtifacts, meshConfig) {
 		options.additionalEnvelopPlugins.push(useDisableIntrospection());
 	}
 
+	options.additionalEnvelopPlugins.push(...useQueryConfig(meshConfig.queryConfig));
+
 	return getMesh(options).then(mesh => {
 		const id = mesh.pubsub.subscribe('destroy', () => {
 			meshInstance$ = undefined;
@@ -67,18 +70,14 @@ async function buildYogaServer(env, tenantMesh, meshConfig, meshSecrets) {
 			state: stateApi,
 		}),
 		maskedErrors: {
-			maskError: maskError,
+			maskError: error =>
+				maskError(error, {
+					mask: meshConfig.queryConfig?.maskErrors?.enabled === true,
+					message: meshConfig.queryConfig?.maskErrors?.message,
+				}),
 		},
 		logging: 'debug',
 	});
 }
 
-const maskError = error => {
-	if (error instanceof GraphQLError && error.extensions?.http?.headers) {
-		delete error.extensions.http.headers;
-	}
-
-	return error;
-};
-
 module.exports = { buildServer };

package/src/utils/__tests__/maskError.test.js

@@ -0,0 +1,80 @@
+const { GraphQLError } = require('graphql/error');
+const { maskError } = require('../maskError');
+
+describe('maskError', () => {
+	describe('header stripping', () => {
+		it('should remove http.headers from GraphQLError extensions', () => {
+			const error = new GraphQLError('oops', {
+				extensions: { http: { headers: { 'set-cookie': 'x' } } },
+			});
+			maskError(error, { mask: false });
+			expect(error.extensions?.http?.headers).toBeUndefined();
+		});
+
+		it('should leave other extensions intact when http.headers is absent', () => {
+			const error = new GraphQLError('oops', { extensions: { code: 'SOME_CODE' } });
+			maskError(error, { mask: false });
+			expect(error.extensions?.code).toBe('SOME_CODE');
+		});
+
+		it('should return non-GraphQL errors unchanged when mask is false', () => {
+			const error = new Error('plain error');
+			const result = maskError(error, { mask: false });
+			expect(result).toBe(error);
+		});
+	});
+
+	describe('mask: true (default)', () => {
+		it('should pass through errors with extensions.code', () => {
+			const error = new GraphQLError('unauthorized', { extensions: { code: 'UNAUTHENTICATED' } });
+			const result = maskError(error);
+			expect(result).toBe(error);
+		});
+
+		it('should replace unknown GraphQL errors with generic message', () => {
+			const error = new GraphQLError('internal details');
+			const result = maskError(error);
+			expect(result.message).toBe('Oops. Something went wrong.');
+		});
+
+		it('should replace non-GraphQL errors with generic message', () => {
+			const error = new Error('internal details');
+			const result = maskError(error);
+			expect(result.message).toBe('Oops. Something went wrong.');
+		});
+
+		it('should use custom message from opts.message when provided', () => {
+			const error = new GraphQLError('internal details');
+			const result = maskError(error, { message: 'Something went wrong.' });
+			expect(result.message).toBe('Something went wrong.');
+		});
+
+		it('should fall back to generic message when opts.message is not provided', () => {
+			const error = new GraphQLError('internal details');
+			const result = maskError(error, { mask: true });
+			expect(result.message).toBe('Oops. Something went wrong.');
+		});
+
+		it('should strip http.headers before masking', () => {
+			const error = new GraphQLError('oops', {
+				extensions: { http: { headers: { 'set-cookie': 'x' } } },
+			});
+			maskError(error);
+			expect(error.extensions?.http?.headers).toBeUndefined();
+		});
+	});
+
+	describe('mask: false', () => {
+		it('should return the original error message unchanged', () => {
+			const error = new GraphQLError('internal details');
+			const result = maskError(error, { mask: false });
+			expect(result.message).toBe('internal details');
+		});
+
+		it('should ignore opts.message when masking is disabled', () => {
+			const error = new GraphQLError('internal details');
+			const result = maskError(error, { mask: false, message: 'Should be ignored.' });
+			expect(result.message).toBe('internal details');
+		});
+	});
+});

package/src/utils/maskError.js

@@ -0,0 +1,21 @@
+const { GraphQLError } = require('graphql/error');
+
+// Always strips http.headers from extensions (prevents duplicate Set-Cookie → Cloudflare error).
+// When mask is true (default): errors with extensions.code pass through; all others are replaced
+// with opts.message to avoid leaking stack traces or internal details.
+const maskError = (error, opts) => {
+	if (error instanceof GraphQLError && error.extensions?.http?.headers) {
+		delete error.extensions.http.headers;
+	}
+
+	if (opts?.mask !== false) {
+		if (error instanceof GraphQLError && error.extensions?.code) {
+			return error;
+		}
+		return new GraphQLError(opts?.message || 'Oops. Something went wrong.');
+	}
+
+	return error;
+};
+
+module.exports = { maskError };