@omnitronix/game-engine-sdk 1.0.4 → 2.0.2

package/CHANGELOG.md

@@ -0,0 +1,86 @@
+# Changelog
+
+All notable changes to `@omnitronix/game-engine-sdk` will be documented in this file.
+
+## [2.0.1] - 2026-02-04
+
+### Fixed
+- **OWASP A01**: ExceptionsFilter HTTP path now returns error code only — no longer leaks `DomainException.message` to clients (consistent with gRPC sanitization)
+- **OWASP A01**: `handleHttpException` now sanitizes 5xx messages — returns "Internal server error" instead of leaking internal details
+- **Type safety**: Replaced `(appModule as any).register` cast in bootstrap with proper `hasRegisterMethod` type guard
+- **Type safety**: Removed dead `safeStringify` from Logger, fixed `errorData: any` → `Record<string, unknown>`
+- **Type safety**: `HealthCheckFailedException.details` typed as `unknown` (was `any`)
+- **Type safety**: `GameEngineAutoRegisterService` catch handlers typed as `unknown` (was `any`)
+- **Type safety**: `RetryPolicy.isRetryable` uses proper typed casts (no `as any`)
+- **Type safety**: `INestApplication<any>` → `INestApplication` in API docs setup
+- **Type safety**: Logger `log()` method uses `Record<string, unknown>` (was `Record<string, any>`)
+- **Shutdown reliability**: Removed duplicate shutdown guard in bootstrap — now uses `ShutdownOutPort.isShuttingDown()` as single source of truth
+- **TypeScript correctness**: `unhandledRejection` handler now types `reason` as `unknown` (not `Error`), handles non-Error rejections safely
+- **HTTP status codes**: `UNAUTHORIZED` error code now maps to HTTP 401 (was incorrectly 403)
+- **Error mapping**: `ErrorCodeMapper` default fallback changed from 400 to 500 — unknown error codes are server errors, not client errors
+- **Dead code**: Removed unused `safeStringify` method from `GameEngineGrpcInAdapter` and `Logger`
+- **Formatting**: All source files pass Prettier check (CI was failing on 6 files)
+- **ExceptionsFilter**: Removed `as any` casts in `handleHttpException` — uses typed `Record<string, unknown>` instead
+- **PrometheusService**: `initializeMetricsFromDatabase` is now a no-op instead of throwing (prevents crash if called)
+- **LoggingMiddleware**: Removed hardcoded `/api/races/active` endpoint — now configurable via `LOG_BLOCKED_ENDPOINTS` env var
+- **Security**: Removed `.npmrc` with hardcoded npm token from disk
+- **Type safety**: All `catch` blocks annotated with `: unknown` — bootstrap, retry-policy, gRPC out-adapter, AWS secrets provider
+- **Type safety**: `RetryPolicy.execute` catch wraps non-Error throws in `new Error()` instead of unsafe `as Error` cast
+- **Type safety**: `handleHttpException` validates pre-shaped responses field-by-field instead of blind `as ErrorResponse` cast
+- **Type safety**: `ErrorCodeMapper` uses `??` (nullish coalescing) instead of `||` for fallback — correct for `0` status codes
+- **Code quality**: Removed redundant catch-and-rethrow in `HealthService.checkHealth()` — errors propagate naturally
+- **CI/CD**: Removed `--passWithNoTests` from CI test step — tests must actually exist and run
+- **CI/CD**: Added coverage artifact upload to CI pipeline (Node 20 matrix)
+- **CI/CD**: Added `format:check` step to release workflow — prevents publishing unformatted code
+
+### Added
+- Jest `coverageThreshold` enforced in config (80% statements/branches/functions/lines)
+- `CHANGELOG.md` and `MIGRATION.md` documentation
+
+## [2.0.0] - 2026-02-04
+
+### Breaking Changes
+- All generic type defaults changed from `any` to `unknown` in `types.ts` (SDK-001)
+- `InternalErrorCode` enum reduced from 64 codes to 11 game-engine-relevant codes (SDK-002)
+- gRPC error responses now return error code only, not internal message (SDK-004)
+
+### Fixed
+- **GLI-19**: RNG seed validation prevents silent data corruption — rejects `undefined`, `NaN`, `Infinity` seeds with `INVALID_RNG_SEED` error (SDK-003)
+- **OWASP A01**: gRPC error messages sanitized — internal details logged but never sent to client (SDK-004)
+- **OWASP A03**: gRPC input validation — missing/empty command ID and type rejected with `INVALID_COMMAND` (SDK-005)
+- **Reliability**: h2c gRPC server integrated with graceful shutdown service — no more race conditions (SDK-006)
+
+### Added
+- `HealthModule` now exports `SHUTDOWN_OUT_PORT` and `HEALTH_IN_PORT` providers (SDK-007)
+- `ConnectRouter` extensibility — `additionalRoutes` option for crash game streaming services (SDK-008)
+- Proto schema `game_name` and `provider` fields in `GetGameEngineInfoResponse` (SDK-009)
+- Comprehensive test coverage — 87 tests, 94.71% statements (SDK-010)
+
+## [1.0.4] - 2026-01-30
+
+### Fixed
+- File log transport disabled by default for container compatibility
+- CORS origin hardcoding removed
+- Error message leakage in Swagger responses
+- Log redaction for sensitive fields
+- `.npmrc` removed from tracking
+
+## [1.0.2] - 2026-01-28
+
+### Fixed
+- Inline CI in release workflow
+- Use published contract from npmjs.org
+
+## [1.0.0] - 2026-01-25
+
+### Added
+- Initial release
+- NestJS application bootstrap with standard configuration
+- Connect RPC (h2c) gRPC server
+- Health check module with graceful shutdown
+- Game engine auto-registration service
+- Logging with Winston (JSON and pretty formats)
+- Prometheus metrics integration
+- AWS Secrets Manager provider
+- Swagger/OpenAPI documentation setup
+- Retry policies with exponential backoff

package/MIGRATION.md

@@ -0,0 +1,126 @@
+# Migration Guide
+
+## Migrating from v1.x to v2.0.0
+
+### Breaking Changes
+
+#### 1. Generic Type Defaults: `any` → `unknown`
+
+All generic type parameters in `types.ts` now default to `unknown` instead of `any`.
+
+**Before (v1.x):**
+```typescript
+// Implicit any — no type errors on wrong usage
+const result: CommandProcessingResult = { ... };
+result.publicState.balance; // No error (unsafe)
+```
+
+**After (v2.0):**
+```typescript
+// Must narrow or cast explicitly
+const result: CommandProcessingResult = { ... };
+(result.publicState as { balance: number }).balance; // Explicit
+
+// Or use generics for type safety:
+const result: CommandProcessingResult<MyPublicState, MyPrivateState> = { ... };
+result.publicState.balance; // Type-safe
+```
+
+**Migration:** Add explicit generic type parameters to `CommandProcessingResult`, `GameActionCommand`, and `GameEngine` where you use them. This is the recommended approach — it gives you compile-time type safety.
+
+#### 2. InternalErrorCode Enum Reduced
+
+`InternalErrorCode` was reduced from 64 platform-level codes to 11 game-engine-relevant codes.
+
+**Removed codes (examples):**
+- `SESSION_NOT_FOUND`, `OPERATOR_NOT_FOUND`, `TRANSACTION_FAILED`
+- `JACKPOT_ERROR`, `GEO_BLOCKED`, `RNG_REPLAY_ERROR`
+- All session, operator, auth, transaction, jackpot, geo, and RNG replay codes
+
+**Kept codes:**
+```typescript
+GAME_ENGINE_ERROR
+DEBUG_COMMANDS_DISABLED
+UNKNOWN_COMMAND
+INVALID_COMMAND
+INVALID_RNG_SEED
+INTERNAL_SERVER_ERROR
+FORBIDDEN
+UNAUTHORIZED
+VALIDATION_ERROR
+SERVICE_UNAVAILABLE
+HEALTH_CHECK_FAILED
+```
+
+**Migration:** If your game engine service references removed error codes, either:
+1. Map to a remaining code (e.g., `SESSION_NOT_FOUND` → `INTERNAL_SERVER_ERROR`)
+2. Define the code in your service's own enum (platform codes belong in the RGS platform)
+
+#### 3. gRPC Error Response Format
+
+gRPC error responses now return the error code string as the `message` field, not the internal exception message.
+
+**Before (v1.x):**
+```json
+{
+  "success": false,
+  "message": "Internal: database connection lost at pool#42"
+}
+```
+
+**After (v2.0):**
+```json
+{
+  "success": false,
+  "message": "GAME_ENGINE_ERROR"
+}
+```
+
+**Migration:** If your client-side code parses `message` for internal error details, update it to handle error code strings instead. Internal details are logged server-side but never exposed to clients (OWASP A01).
+
+### New Features (Non-Breaking)
+
+#### ConnectRouter Extensibility
+
+If you need additional gRPC services (e.g., crash game streaming):
+
+```typescript
+await createGameEngineApp({
+  serviceName: 'crash-game-engine',
+  appModule: AppModule,
+  additionalRoutes: (router) => {
+    router.service(CrashGameStreamService, {
+      streamMultiplier: myStreamHandler,
+    });
+  },
+});
+```
+
+#### HealthModule Exports
+
+`SHUTDOWN_OUT_PORT` and `HEALTH_IN_PORT` are now exported from `HealthModule`. You can inject them in your own modules:
+
+```typescript
+@Module({
+  imports: [HealthModule],
+})
+export class MyModule {
+  constructor(
+    @Inject(SHUTDOWN_OUT_PORT) private shutdown: ShutdownOutPort,
+    @Inject(HEALTH_IN_PORT) private health: HealthInPort,
+  ) {}
+}
+```
+
+#### Proto Schema Updates
+
+`GetGameEngineInfoResponse` now includes `game_name` and `provider` fields. These are populated from your `GameEngineInfo` implementation.
+
+### Checklist
+
+- [ ] Update `@omnitronix/game-engine-sdk` to `^2.0.0` in `package.json`
+- [ ] Add explicit generic type parameters where `CommandProcessingResult` or `GameEngine` are used
+- [ ] Remove references to deleted `InternalErrorCode` values (if any)
+- [ ] Update client-side error handling to expect error code strings in gRPC `message` field
+- [ ] Verify `npm run build` succeeds
+- [ ] Verify `npm test` passes

package/dist/bootstrap/index.d.ts

@@ -1,12 +1,15 @@
+import { ConnectRouterOptions } from '../grpc/connect-router.middleware';
 import { Type } from '@nestjs/common';
 export interface GameEngineAppOptions {
     serviceName: string;
-    appModule: Type<any>;
+    appModule: Type<unknown>;
     bootstrapOptions?: {
         driver: 'database' | 'in-memory';
     };
     /** Allowed CORS origins. Defaults to false (CORS disabled). */
     corsOrigins?: string[] | boolean;
+    /** Additional Connect RPC routes (e.g., crash game streaming services). */
+    additionalRoutes?: ConnectRouterOptions['additionalRoutes'];
 }
 /**
  * Creates and bootstraps a game engine NestJS application with

package/dist/bootstrap/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/bootstrap/index.ts"],"names":[],"mappings":"AAUA,OAAO,EAAsD,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAK1F,MAAM,WAAW,oBAAoB;IACnC,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;IACrB,gBAAgB,CAAC,EAAE;QAAE,MAAM,EAAE,UAAU,GAAG,WAAW,CAAA;KAAE,CAAC;IACxD,+DAA+D;IAC/D,WAAW,CAAC,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC;CAClC;AAED;;;;GAIG;AACH,wBAAsB,mBAAmB,CAAC,OAAO,EAAE,oBAAoB,2DA0HtE"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/bootstrap/index.ts"],"names":[],"mappings":"AASA,OAAO,EAAuB,oBAAoB,EAAE,MAAM,mCAAmC,CAAC;AAC9F,OAAO,EAKL,IAAI,EACL,MAAM,gBAAgB,CAAC;AAKxB,MAAM,WAAW,oBAAoB;IACnC,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;IACzB,gBAAgB,CAAC,EAAE;QAAE,MAAM,EAAE,UAAU,GAAG,WAAW,CAAA;KAAE,CAAC;IACxD,+DAA+D;IAC/D,WAAW,CAAC,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC;IACjC,2EAA2E;IAC3E,gBAAgB,CAAC,EAAE,oBAAoB,CAAC,kBAAkB,CAAC,CAAC;CAC7D;AASD;;;;GAIG;AACH,wBAAsB,mBAAmB,CAAC,OAAO,EAAE,oBAAoB,2DA+HtE"}

package/dist/bootstrap/index.js

@@ -45,18 +45,20 @@ const common_1 = require("@nestjs/common");
 const config_1 = require("@nestjs/config");
 const core_1 = require("@nestjs/core");
 const http2 = __importStar(require("http2"));
+/** Type guard for NestJS dynamic modules with a static `register` method. */
+function hasRegisterMethod(module) {
+    return 'register' in module && typeof module.register === 'function';
+}
 /**
  * Creates and bootstraps a game engine NestJS application with
  * standard configuration: CORS, validation pipes, exception filters,
  * Swagger docs, Connect RPC gRPC server, and graceful shutdown.
  */
 async function createGameEngineApp(options) {
-    const { serviceName, appModule, bootstrapOptions, corsOrigins = false } = options;
+    const { serviceName, appModule, bootstrapOptions, corsOrigins = false, additionalRoutes, } = options;
     const logger = new logger_1.Logger(serviceName);
-    const moduleArg = bootstrapOptions
-        ? appModule.register
-            ? appModule.register(bootstrapOptions)
-            : appModule
+    const moduleArg = bootstrapOptions && hasRegisterMethod(appModule)
+        ? appModule.register(bootstrapOptions)
         : appModule;
     const app = await core_1.NestFactory.create(moduleArg, {
         logger: logger,
@@ -66,42 +68,33 @@ async function createGameEngineApp(options) {
     }
     const configService = app.get(config_1.ConfigService);
     const shutdownService = app.get(shutdown_out_port_1.SHUTDOWN_OUT_PORT);
-    let isShuttingDown = false;
+    // Fatal error handler uses ShutdownOutPort's guard to prevent duplicate shutdowns.
+    // No separate local flag — single source of truth avoids desync.
     const handleFatalError = async (errorType, error) => {
-        logger.error(`${errorType}:`, {
-            error: error.message,
-            stack: error.stack,
-        });
-        if (isShuttingDown) {
+        const errorMessage = error instanceof Error ? error.message : String(error);
+        const errorStack = error instanceof Error ? error.stack : undefined;
+        logger.error(`${errorType}:`, { error: errorMessage, stack: errorStack });
+        if (shutdownService.isShuttingDown()) {
             logger.warn('Shutdown already in progress, ignoring additional error');
             return;
         }
-        isShuttingDown = true;
         try {
             logger.warn(`Initiating graceful shutdown due to ${errorType}...`);
             await shutdownService.startGracefulShutdown();
             logger.log('Graceful shutdown completed, exiting process');
         }
         catch (shutdownError) {
-            logger.error('Error during graceful shutdown:', shutdownError);
+            const shutdownMsg = shutdownError instanceof Error ? shutdownError.message : String(shutdownError);
+            logger.error(`Error during graceful shutdown: ${shutdownMsg}`);
         }
         finally {
             process.exit(1);
         }
     };
     process.on('uncaughtException', (error) => {
-        logger.error('Uncaught Exception:', {
-            error: error.message,
-            stack: error.stack,
-        });
         void handleFatalError('uncaughtException', error);
     });
-    process.on('unhandledRejection', (reason, promise) => {
-        logger.error('Unhandled Rejection:', {
-            reason: reason.message,
-            stack: reason.stack,
-            promise,
-        });
+    process.on('unhandledRejection', (reason) => {
         void handleFatalError('unhandledRejection', reason);
     });
     app.setGlobalPrefix('api', {
@@ -127,11 +120,11 @@ async function createGameEngineApp(options) {
         },
     }));
     app.useGlobalFilters(app.get(all_exceptions_filter_1.ExceptionsFilter));
-    const PORT = configService.get('PORT') || 3000;
+    const PORT = configService.get('PORT') ?? 3000;
     await (0, setup_documentation_1.setupDocumentation)(app, PORT, serviceName);
     // Setup Connect RPC server
     const gameEngineAdapter = app.get(game_engine_grpc_in_adapter_1.GameEngineGrpcInAdapter);
-    const connectRouter = (0, connect_router_middleware_1.createConnectRouter)(gameEngineAdapter);
+    const connectRouter = (0, connect_router_middleware_1.createConnectRouter)(gameEngineAdapter, { additionalRoutes });
     // Mount Connect router on /connect path
     app.use('/connect', connectRouter);
     app.enableShutdownHooks(['SIGTERM', 'SIGINT']);
@@ -144,14 +137,21 @@ async function createGameEngineApp(options) {
     h2cServer.listen(GRPC_PORT, '0.0.0.0', () => {
         logger.log(`Connect RPC (h2c) is available on: http://localhost:${GRPC_PORT}`);
     });
-    // Close h2c server during graceful shutdown
-    const closeH2c = () => {
-        h2cServer.close(() => {
-            logger.log('h2c gRPC server closed');
+    // Register h2c server closure with graceful shutdown service
+    shutdownService.registerCleanupCallback('h2c-grpc-server', () => {
+        return new Promise((resolve, reject) => {
+            h2cServer.close(err => {
+                if (err) {
+                    logger.error('Error closing h2c gRPC server:', err);
+                    reject(err);
+                }
+                else {
+                    logger.log('h2c gRPC server closed');
+                    resolve();
+                }
+            });
         });
-    };
-    process.on('SIGTERM', closeH2c);
-    process.on('SIGINT', closeH2c);
+    });
     await app.listen(PORT, '0.0.0.0');
     logger.log(`Application is running on: http://localhost:${PORT}`);
     return app;

package/dist/common/api-docs/setup-documentation.d.ts

@@ -1,3 +1,3 @@
 import { INestApplication } from '@nestjs/common';
-export declare const setupDocumentation: (app: INestApplication<any>, port: number, serviceName?: string) => Promise<void>;
+export declare const setupDocumentation: (app: INestApplication, port: number, serviceName?: string) => Promise<void>;
 //# sourceMappingURL=setup-documentation.d.ts.map

package/dist/common/api-docs/setup-documentation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"setup-documentation.d.ts","sourceRoot":"","sources":["../../../src/common/api-docs/setup-documentation.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAMlD,eAAO,MAAM,kBAAkB,GAC7B,KAAK,gBAAgB,CAAC,GAAG,CAAC,EAC1B,MAAM,MAAM,EACZ,cAAc,MAAM,kBA0BrB,CAAC"}
+{"version":3,"file":"setup-documentation.d.ts","sourceRoot":"","sources":["../../../src/common/api-docs/setup-documentation.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAMlD,eAAO,MAAM,kBAAkB,GAC7B,KAAK,gBAAgB,EACrB,MAAM,MAAM,EACZ,cAAc,MAAM,kBA0BrB,CAAC"}

package/dist/common/error-handling/all-exceptions.filter.d.ts

@@ -1,4 +1,3 @@
-import { MetricsPort } from '../metrics/metrics.port';
 import { ArgumentsHost, ExceptionFilter } from '@nestjs/common';
 export interface ErrorResponse {
     statusCode: number;
@@ -8,9 +7,7 @@ export interface ErrorResponse {
     path: string;
 }
 export declare class ExceptionsFilter implements ExceptionFilter {
-    private readonly metricsPort;
     private readonly logger;
-    constructor(metricsPort: MetricsPort);
     catch(exception: unknown, host: ArgumentsHost): void;
     private buildErrorResponse;
     private handleDomainException;

package/dist/common/error-handling/all-exceptions.filter.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"all-exceptions.filter.d.ts","sourceRoot":"","sources":["../../../src/common/error-handling/all-exceptions.filter.ts"],"names":[],"mappings":"AACA,OAAO,EAAgB,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACpE,OAAO,EACL,aAAa,EAEb,eAAe,EAIhB,MAAM,gBAAgB,CAAC;AAOxB,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,qBACa,gBAAiB,YAAW,eAAe;IAKpD,OAAO,CAAC,QAAQ,CAAC,WAAW;IAJ9B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;gBAIb,WAAW,EAAE,WAAW;IAK3C,KAAK,CAAC,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,aAAa;IAS7C,OAAO,CAAC,kBAAkB;IAgB1B,OAAO,CAAC,qBAAqB;IAqB7B,OAAO,CAAC,mBAAmB;IAmD3B,OAAO,CAAC,kBAAkB;IAa1B,OAAO,CAAC,kBAAkB;IAe1B,OAAO,CAAC,oBAAoB;CAmB7B"}
+{"version":3,"file":"all-exceptions.filter.d.ts","sourceRoot":"","sources":["../../../src/common/error-handling/all-exceptions.filter.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAS,eAAe,EAA6B,MAAM,gBAAgB,CAAC;AAOlG,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,qBACa,gBAAiB,YAAW,eAAe;IACtD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAqC;IAE5D,KAAK,CAAC,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,aAAa;IAS7C,OAAO,CAAC,kBAAkB;IAgB1B,OAAO,CAAC,qBAAqB;IAwB7B,OAAO,CAAC,mBAAmB;IA4E3B,OAAO,CAAC,kBAAkB;IAa1B,OAAO,CAAC,kBAAkB;IAe1B,OAAO,CAAC,oBAAoB;CAmB7B"}

package/dist/common/error-handling/all-exceptions.filter.js

@@ -5,24 +5,16 @@ var __decorate = (this && this.__decorate) || function (decorators, target, key,
     else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
     return c > 3 && r && Object.defineProperty(target, key, r), r;
 };
-var __metadata = (this && this.__metadata) || function (k, v) {
-    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
-};
-var __param = (this && this.__param) || function (paramIndex, decorator) {
-    return function (target, key) { decorator(target, key, paramIndex); }
-};
 var ExceptionsFilter_1;
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.ExceptionsFilter = void 0;
 const logger_1 = require("../logger/logger");
-const metrics_port_1 = require("../metrics/metrics.port");
 const common_1 = require("@nestjs/common");
 const domain_exception_1 = require("./domain.exception");
 const error_code_mapper_1 = require("./error-code-mapper");
 const internal_error_code_1 = require("./internal-error-code");
 let ExceptionsFilter = ExceptionsFilter_1 = class ExceptionsFilter {
-    constructor(metricsPort) {
-        this.metricsPort = metricsPort;
+    constructor() {
         this.logger = new logger_1.Logger(ExceptionsFilter_1.name);
     }
     catch(exception, host) {
@@ -47,14 +39,17 @@ let ExceptionsFilter = ExceptionsFilter_1 = class ExceptionsFilter {
     handleDomainException(exception, request) {
         const status = error_code_mapper_1.ErrorCodeMapper.mapToHttpStatus(exception.errorCode);
         const level = status >= 500 ? 'error' : 'warn';
+        // Log full internal details for debugging — never sent to client
         this.logger.log(`DomainException (status: ${status} at ${request.method} ${request.url}): Internal Code ${exception.errorCode} Message: ${exception.message}`, { level });
         if (exception.cause) {
             this.logger.error('Exception cause:', exception.cause);
         }
+        // OWASP A01: Return error code only — never expose internal error.message to clients.
+        // Consistent with gRPC error sanitization in GameEngineGrpcInAdapter.
         return this.buildResponsePayload({
             status,
             internalCode: exception.errorCode,
-            message: exception.message,
+            message: exception.errorCode,
             path: request.url,
         });
     }
@@ -62,17 +57,29 @@ let ExceptionsFilter = ExceptionsFilter_1 = class ExceptionsFilter {
         const status = exception.getStatus();
         const responseData = exception.getResponse();
         // Check if this is a custom validation error response
-        if (typeof responseData === 'object' &&
-            responseData.internalCode &&
-            responseData.statusCode) {
-            return responseData;
+        const responseRecord = typeof responseData === 'object' && responseData !== null
+            ? responseData
+            : null;
+        if (responseRecord &&
+            typeof responseRecord.internalCode === 'string' &&
+            typeof responseRecord.statusCode === 'number' &&
+            typeof responseRecord.message !== 'undefined') {
+            return {
+                statusCode: responseRecord.statusCode,
+                internalCode: responseRecord.internalCode,
+                message: String(responseRecord.message),
+                timestamp: typeof responseRecord.timestamp === 'string'
+                    ? responseRecord.timestamp
+                    : new Date().toISOString(),
+                path: typeof responseRecord.path === 'string' ? responseRecord.path : request.url,
+            };
         }
         let message = 'HTTP Exception';
         if (typeof responseData === 'string') {
             message = responseData;
         }
-        else if (typeof responseData === 'object' && responseData.message) {
-            message = responseData.message;
+        else if (responseRecord && typeof responseRecord.message === 'string') {
+            message = responseRecord.message;
         }
         const level = status >= 500 ? 'error' : 'warn';
         this.logger.log(`HttpException (status: ${status} at ${request.method} ${request.url}): ${message}`, { level });
@@ -85,12 +92,21 @@ let ExceptionsFilter = ExceptionsFilter_1 = class ExceptionsFilter {
                 path: request.url,
             });
         }
-        if (status === common_1.HttpStatus.INTERNAL_SERVER_ERROR) {
+        // OWASP A01: Never expose internal error details for server errors.
+        // 5xx messages may contain stack traces, DB errors, or internal details.
+        if (status >= 500) {
             this.logger.error('HttpException stack:', exception.stack);
+            return this.buildResponsePayload({
+                status,
+                internalCode: internal_error_code_1.InternalErrorCode.INTERNAL_SERVER_ERROR,
+                message: 'Internal server error',
+                path: request.url,
+            });
         }
+        // 4xx client errors — framework messages are safe (e.g., "Not Found", "Bad Request")
         return this.buildResponsePayload({
             status,
-            internalCode: internal_error_code_1.InternalErrorCode.INTERNAL_SERVER_ERROR,
+            internalCode: internal_error_code_1.InternalErrorCode.VALIDATION_ERROR,
             message,
             path: request.url,
         });
@@ -125,7 +141,5 @@ let ExceptionsFilter = ExceptionsFilter_1 = class ExceptionsFilter {
 };
 exports.ExceptionsFilter = ExceptionsFilter;
 exports.ExceptionsFilter = ExceptionsFilter = ExceptionsFilter_1 = __decorate([
-    (0, common_1.Catch)(),
-    __param(0, (0, common_1.Inject)(metrics_port_1.METRICS_PORT)),
-    __metadata("design:paramtypes", [Object])
+    (0, common_1.Catch)()
 ], ExceptionsFilter);

package/dist/common/error-handling/error-code-mapper.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"error-code-mapper.d.ts","sourceRoot":"","sources":["../../../src/common/error-handling/error-code-mapper.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAa1D,qBAAa,eAAe;IAC1B,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,sBAAsB,CA4E5C;IAEF,MAAM,CAAC,eAAe,CAAC,SAAS,EAAE,iBAAiB,GAAG,MAAM;CAG7D"}
+{"version":3,"file":"error-code-mapper.d.ts","sourceRoot":"","sources":["../../../src/common/error-handling/error-code-mapper.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAc1D,qBAAa,eAAe;IAC1B,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,sBAAsB,CAmB5C;IAEF,MAAM,CAAC,eAAe,CAAC,SAAS,EAAE,iBAAiB,GAAG,MAAM;CAG7D"}

package/dist/common/error-handling/error-code-mapper.js

@@ -5,89 +5,34 @@ const internal_error_code_1 = require("./internal-error-code");
 // HTTP status codes
 const HttpStatus = {
     BAD_REQUEST: 400,
-    CONFLICT: 409,
+    UNAUTHORIZED: 401,
     FORBIDDEN: 403,
     NOT_FOUND: 404,
+    CONFLICT: 409,
     UNPROCESSABLE_ENTITY: 422,
     INTERNAL_SERVER_ERROR: 500,
     SERVICE_UNAVAILABLE: 503,
 };
 class ErrorCodeMapper {
     static mapToHttpStatus(errorCode) {
-        return this.ERROR_CODE_TO_HTTP_MAP[errorCode] || HttpStatus.BAD_REQUEST;
+        return this.ERROR_CODE_TO_HTTP_MAP[errorCode] ?? HttpStatus.INTERNAL_SERVER_ERROR;
     }
 }
 exports.ErrorCodeMapper = ErrorCodeMapper;
 ErrorCodeMapper.ERROR_CODE_TO_HTTP_MAP = {
-    [internal_error_code_1.InternalErrorCode.FORBIDDEN]: HttpStatus.FORBIDDEN,
-    [internal_error_code_1.InternalErrorCode.INVALID_CURRENCY_CODE]: HttpStatus.BAD_REQUEST,
-    [internal_error_code_1.InternalErrorCode.INSUFFICIENT_FUNDS]: HttpStatus.UNPROCESSABLE_ENTITY,
-    [internal_error_code_1.InternalErrorCode.INTERNAL_SERVER_ERROR]: HttpStatus.INTERNAL_SERVER_ERROR,
-    // Game Catalog errors
-    [internal_error_code_1.InternalErrorCode.GAME_NOT_FOUND]: HttpStatus.NOT_FOUND,
-    [internal_error_code_1.InternalErrorCode.GAME_CONFIG_NOT_FOUND]: HttpStatus.NOT_FOUND,
-    [internal_error_code_1.InternalErrorCode.GAME_CONFIG_ALREADY_EXISTS_WITH_SAME_JURISDICTION_AND_RTP]: HttpStatus.BAD_REQUEST,
-    [internal_error_code_1.InternalErrorCode.OPERATOR_GAME_NOT_FOUND]: HttpStatus.NOT_FOUND,
-    [internal_error_code_1.InternalErrorCode.OPERATOR_GAME_ALREADY_ENABLED]: HttpStatus.BAD_REQUEST,
-    [internal_error_code_1.InternalErrorCode.INVALID_GAME_CONFIG_DATA]: HttpStatus.BAD_REQUEST,
-    [internal_error_code_1.InternalErrorCode.INVALID_GAME_UPDATE_DATA]: HttpStatus.BAD_REQUEST,
-    [internal_error_code_1.InternalErrorCode.GAME_CODE_ALREADY_EXISTS]: HttpStatus.BAD_REQUEST,
-    [internal_error_code_1.InternalErrorCode.GAME_OR_GAME_CONFIG_DISABLED]: HttpStatus.BAD_REQUEST,
+    // Core game engine errors
+    [internal_error_code_1.InternalErrorCode.GAME_ENGINE_ERROR]: HttpStatus.INTERNAL_SERVER_ERROR,
     [internal_error_code_1.InternalErrorCode.DEBUG_COMMANDS_DISABLED]: HttpStatus.FORBIDDEN,
-    // Game Orchestrator errors
-    [internal_error_code_1.InternalErrorCode.INVALID_SESSION]: HttpStatus.BAD_REQUEST,
-    [internal_error_code_1.InternalErrorCode.SESSION_NOT_FOUND]: HttpStatus.NOT_FOUND,
-    [internal_error_code_1.InternalErrorCode.SESSION_NOT_ACTIVE]: HttpStatus.BAD_REQUEST,
-    [internal_error_code_1.InternalErrorCode.SESSION_MISMATCH]: HttpStatus.BAD_REQUEST,
-    [internal_error_code_1.InternalErrorCode.INVALID_STATE_TRANSITION]: HttpStatus.BAD_REQUEST,
-    [internal_error_code_1.InternalErrorCode.INVALID_BET_AMOUNT]: HttpStatus.BAD_REQUEST,
-    [internal_error_code_1.InternalErrorCode.REALITY_CHECK_IN_PROGRESS]: HttpStatus.BAD_REQUEST,
-    [internal_error_code_1.InternalErrorCode.UNKNOWN_COMMAND]: HttpStatus.NOT_FOUND,
-    // Operator errors
-    [internal_error_code_1.InternalErrorCode.MISSING_OPERATOR_CODE]: HttpStatus.BAD_REQUEST,
-    [internal_error_code_1.InternalErrorCode.INVALID_OPERATOR_CODE]: HttpStatus.BAD_REQUEST,
-    [internal_error_code_1.InternalErrorCode.OPERATOR_NOT_FOUND]: HttpStatus.NOT_FOUND,
-    [internal_error_code_1.InternalErrorCode.OPERATOR_INACTIVE]: HttpStatus.FORBIDDEN,
-    [internal_error_code_1.InternalErrorCode.COUNTRY_CODE_RESTRICTED]: HttpStatus.BAD_REQUEST,
-    [internal_error_code_1.InternalErrorCode.UNAUTHORIZED]: HttpStatus.FORBIDDEN,
-    [internal_error_code_1.InternalErrorCode.AUTH_VALIDATION_FAILED]: HttpStatus.FORBIDDEN,
-    [internal_error_code_1.InternalErrorCode.BALANCE_NOT_FOUND]: HttpStatus.NOT_FOUND,
-    [internal_error_code_1.InternalErrorCode.INVALID_AUTH_DATA]: HttpStatus.BAD_REQUEST,
+    [internal_error_code_1.InternalErrorCode.UNKNOWN_COMMAND]: HttpStatus.BAD_REQUEST,
+    [internal_error_code_1.InternalErrorCode.INVALID_COMMAND]: HttpStatus.BAD_REQUEST,
+    // RNG integrity (GLI-19)
+    [internal_error_code_1.InternalErrorCode.INVALID_RNG_SEED]: HttpStatus.INTERNAL_SERVER_ERROR,
+    // Infrastructure errors
+    [internal_error_code_1.InternalErrorCode.INTERNAL_SERVER_ERROR]: HttpStatus.INTERNAL_SERVER_ERROR,
+    [internal_error_code_1.InternalErrorCode.FORBIDDEN]: HttpStatus.FORBIDDEN,
+    [internal_error_code_1.InternalErrorCode.UNAUTHORIZED]: HttpStatus.UNAUTHORIZED,
     [internal_error_code_1.InternalErrorCode.VALIDATION_ERROR]: HttpStatus.BAD_REQUEST,
-    [internal_error_code_1.InternalErrorCode.JURISDICTION_CONFIG_ALREADY_EXISTS]: HttpStatus.BAD_REQUEST,
-    [internal_error_code_1.InternalErrorCode.JURISDICTION_CONFIG_NOT_FOUND]: HttpStatus.NOT_FOUND,
-    [internal_error_code_1.InternalErrorCode.OPERATOR_JURISDICTION_CONFIG_NOT_FOUND]: HttpStatus.NOT_FOUND,
-    [internal_error_code_1.InternalErrorCode.GAME_ENGINE_ERROR]: HttpStatus.INTERNAL_SERVER_ERROR,
-    [internal_error_code_1.InternalErrorCode.DEBIT_FAILED]: HttpStatus.BAD_REQUEST,
-    [internal_error_code_1.InternalErrorCode.CREDIT_FAILED]: HttpStatus.BAD_REQUEST,
-    [internal_error_code_1.InternalErrorCode.GAME_ROUND_LOG_NOT_FOUND]: HttpStatus.NOT_FOUND,
-    // Geo Validation errors
-    [internal_error_code_1.InternalErrorCode.COUNTRY_NOT_PERMITTED]: HttpStatus.FORBIDDEN,
-    [internal_error_code_1.InternalErrorCode.GEO_VALIDATION_SERVICE_UNAVAILABLE]: HttpStatus.INTERNAL_SERVER_ERROR,
-    [internal_error_code_1.InternalErrorCode.RESOURCE_NOT_FOUND]: HttpStatus.NOT_FOUND,
-    [internal_error_code_1.InternalErrorCode.FINANCIAL_TRANSACTION_NOT_FOUND]: HttpStatus.NOT_FOUND,
-    [internal_error_code_1.InternalErrorCode.SESSION_TERMINATED]: HttpStatus.BAD_REQUEST,
-    [internal_error_code_1.InternalErrorCode.SESSION_CANNOT_BE_TERMINATED]: HttpStatus.BAD_REQUEST,
-    [internal_error_code_1.InternalErrorCode.SESSION_AUTO_RESOLVE_FAILED]: HttpStatus.BAD_REQUEST,
-    [internal_error_code_1.InternalErrorCode.SESSION_ALREADY_EXISTS]: HttpStatus.BAD_REQUEST,
-    [internal_error_code_1.InternalErrorCode.INCOMPATIBLE_GAMEPLAY_CONFIG]: HttpStatus.BAD_REQUEST,
-    // Health check errors
-    [internal_error_code_1.InternalErrorCode.HEALTH_CHECK_FAILED]: HttpStatus.SERVICE_UNAVAILABLE,
-    //Jackpot errors
-    [internal_error_code_1.InternalErrorCode.JACKPOT_TYPE_NOT_FOUND]: HttpStatus.NOT_FOUND,
-    [internal_error_code_1.InternalErrorCode.JACKPOT_TIER_NOT_FOUND]: HttpStatus.NOT_FOUND,
-    [internal_error_code_1.InternalErrorCode.JACKPOT_CONFIGURATION_NOT_FOUND]: HttpStatus.NOT_FOUND,
-    [internal_error_code_1.InternalErrorCode.JACKPOT_CONFIGURATION_IS_ACTIVE]: HttpStatus.BAD_REQUEST,
-    // RNG and Replay errors
-    [internal_error_code_1.InternalErrorCode.RNG_SEED_NOT_FOUND]: HttpStatus.NOT_FOUND,
-    [internal_error_code_1.InternalErrorCode.RNG_SEED_MISMATCH]: HttpStatus.BAD_REQUEST,
-    [internal_error_code_1.InternalErrorCode.MASTER_HASH_INVALID]: HttpStatus.BAD_REQUEST,
-    [internal_error_code_1.InternalErrorCode.REPLAY_OUTCOME_MISMATCH]: HttpStatus.BAD_REQUEST,
-    [internal_error_code_1.InternalErrorCode.JACKPOT_POOL_CONTRIBUTION_ALREADY_PROCESSED]: HttpStatus.INTERNAL_SERVER_ERROR,
-    [internal_error_code_1.InternalErrorCode.JACKPOT_TYPE_DOES_NOT_SUPPORT_TIERS]: HttpStatus.BAD_REQUEST,
-    [internal_error_code_1.InternalErrorCode.CONCURRENT_MODIFICATION]: HttpStatus.CONFLICT,
-    [internal_error_code_1.InternalErrorCode.ACCOUNT_LOCKED]: HttpStatus.FORBIDDEN,
-    [internal_error_code_1.InternalErrorCode.DAILY_LIMIT_EXCEEDED]: HttpStatus.UNPROCESSABLE_ENTITY,
-    [internal_error_code_1.InternalErrorCode.INVALID_AMOUNT]: HttpStatus.BAD_REQUEST,
     [internal_error_code_1.InternalErrorCode.SERVICE_UNAVAILABLE]: HttpStatus.SERVICE_UNAVAILABLE,
+    // Health check
+    [internal_error_code_1.InternalErrorCode.HEALTH_CHECK_FAILED]: HttpStatus.SERVICE_UNAVAILABLE,
 };