@terreno/api 0.20.2 → 0.22.0

package/src/realtime/queryMatcher.ts

@@ -1,4 +1,3 @@
-// biome-ignore-all lint/suspicious/noExplicitAny: MongoDB query matcher evaluates dynamic filter shapes
 /**
  * Simple in-memory MongoDB query matcher.
  * Evaluates a MongoDB-style query object against a document without hitting the database.
@@ -6,35 +5,52 @@
  * Supports: equality, $eq, $ne, $gt, $gte, $lt, $lte, $in, $nin, $exists, $and, $or, $not.
  */
 
-const getNestedValue = (doc: any, path: string): any => {
+const getNestedValue = (doc: Record<string, unknown>, path: string): unknown => {
   const parts = path.split(".");
-  let current = doc;
+  let current: unknown = doc;
   for (const part of parts) {
     if (current === null || current === undefined) {
       return undefined;
     }
-    current = current[part];
+    current = (current as Record<string, unknown>)[part];
   }
   return current;
 };
 
-const normalize = (value: any): any => {
+const normalize = (value: unknown): unknown => {
   if (value === null || value === undefined) {
     return value;
   }
   // Handle ObjectId-like objects with toString
-  if (
-    typeof value === "object" &&
-    typeof value.toString === "function" &&
-    value.constructor?.name !== "Object" &&
-    !Array.isArray(value)
-  ) {
-    return value.toString();
+  if (typeof value === "object" && !Array.isArray(value)) {
+    const obj = value as Record<string, unknown>;
+    const ctorName = (obj.constructor as {name?: string} | undefined)?.name;
+    if (typeof obj.toString === "function" && ctorName !== "Object") {
+      return String(value);
+    }
   }
   return value;
 };
 
-const matchesCondition = (rawValue: any, condition: any): boolean => {
+/**
+ * JS abstract relational comparison on unknown values.
+ * Numeric operands compare numerically; everything else compares as strings.
+ * This mirrors the coercion behaviour of `>` / `<` on the `any`-typed values
+ * that MongoDB in-memory matching historically received.
+ */
+const compareValues = (a: unknown, b: unknown): number => {
+  if (typeof a === "number" && typeof b === "number") {
+    return a - b;
+  }
+  if (typeof a === "string" && typeof b === "string") {
+    return a < b ? -1 : a > b ? 1 : 0;
+  }
+  const numA = Number(a);
+  const numB = Number(b);
+  return numA - numB;
+};
+
+const matchesCondition = (rawValue: unknown, condition: unknown): boolean => {
   const value = normalize(rawValue);
 
   // Direct equality (non-object condition)
@@ -49,7 +65,7 @@ const matchesCondition = (rawValue: any, condition: any): boolean => {
   }
 
   // Operator object
-  for (const [op, operand] of Object.entries(condition)) {
+  for (const [op, operand] of Object.entries(condition as Record<string, unknown>)) {
     const normOp = normalize(operand);
 
     switch (op) {
@@ -63,32 +79,40 @@ const matchesCondition = (rawValue: any, condition: any): boolean => {
           return false;
         }
         break;
-      case "$gt":
-        if (!(value > normOp)) {
+      case "$gt": {
+        const cmp = compareValues(value, normOp);
+        if (Number.isNaN(cmp) || cmp <= 0) {
           return false;
         }
         break;
-      case "$gte":
-        if (!(value >= normOp)) {
+      }
+      case "$gte": {
+        const cmp = compareValues(value, normOp);
+        if (Number.isNaN(cmp) || cmp < 0) {
           return false;
         }
         break;
-      case "$lt":
-        if (!(value < normOp)) {
+      }
+      case "$lt": {
+        const cmp = compareValues(value, normOp);
+        if (Number.isNaN(cmp) || cmp >= 0) {
           return false;
         }
         break;
-      case "$lte":
-        if (!(value <= normOp)) {
+      }
+      case "$lte": {
+        const cmp = compareValues(value, normOp);
+        if (Number.isNaN(cmp) || cmp > 0) {
           return false;
         }
         break;
+      }
       case "$in": {
         if (!Array.isArray(operand)) {
           return false;
         }
         const inValues = operand.map(normalize);
-        if (!inValues.some((v: any) => v === value || String(v) === String(value))) {
+        if (!inValues.some((v) => v === value || String(v) === String(value))) {
           return false;
         }
         break;
@@ -98,7 +122,7 @@ const matchesCondition = (rawValue: any, condition: any): boolean => {
           return false;
         }
         const ninValues = operand.map(normalize);
-        if (ninValues.some((v: any) => v === value || String(v) === String(value))) {
+        if (ninValues.some((v) => v === value || String(v) === String(value))) {
           return false;
         }
         break;
@@ -132,14 +156,17 @@ const matchesCondition = (rawValue: any, condition: any): boolean => {
  * @param query - MongoDB-style query object
  * @returns true if the document matches all query conditions
  */
-export const matchesQuery = (doc: any, query: Record<string, any>): boolean => {
+export const matchesQuery = (
+  doc: Record<string, unknown>,
+  query: Record<string, unknown>
+): boolean => {
   for (const [key, condition] of Object.entries(query)) {
     if (key === "$and") {
       if (!Array.isArray(condition)) {
         return false;
       }
       for (const subQuery of condition) {
-        if (!matchesQuery(doc, subQuery)) {
+        if (!matchesQuery(doc, subQuery as Record<string, unknown>)) {
           return false;
         }
       }
@@ -152,7 +179,7 @@ export const matchesQuery = (doc: any, query: Record<string, any>): boolean => {
       }
       let matched = false;
       for (const subQuery of condition) {
-        if (matchesQuery(doc, subQuery)) {
+        if (matchesQuery(doc, subQuery as Record<string, unknown>)) {
           matched = true;
           break;
         }

package/src/realtime/types.ts

@@ -1,4 +1,3 @@
-// biome-ignore-all lint/suspicious/noExplicitAny: realtime config callbacks receive dynamic document shapes
 import type express from "express";
 
 /**
@@ -19,9 +18,9 @@ export interface RealtimeConfig {
     | "owner"
     | "model"
     | "broadcast"
-    | ((doc: any, method: string, req: express.Request) => string[]);
+    | ((doc: Record<string, unknown>, method: string, req: express.Request) => string[]);
   /** Custom serializer for real-time events. Falls back to the modelRouter responseHandler. */
-  realtimeResponseHandler?: (doc: any, method: string) => any;
+  realtimeResponseHandler?: (doc: Record<string, unknown>, method: string) => unknown;
 }
 
 /**
@@ -37,6 +36,7 @@ export interface RealtimeEvent {
   /** Document ID */
   id: string;
   /** Serialized document data (omitted for hard deletes) */
+  // biome-ignore lint/suspicious/noExplicitAny: noExplicitAny: event data is a serialized document whose shape varies by model; consumers must narrow to their specific type
   data?: any;
   /** Fields that were updated (for update events from change streams) */
   updatedFields?: string[];
@@ -102,7 +102,7 @@ export interface QuerySubscription {
   /** Collection tag (e.g. "todos") */
   collection: string;
   /** MongoDB-style query filter (e.g. {completed: false}) */
-  query: Record<string, any>;
+  query: Record<string, unknown>;
   /** Client-provided queryId (ignored — server computes a canonical ID) */
   queryId?: string;
 }

package/src/requestContext.ts

@@ -1,3 +1,28 @@
+/**
+ * Request/job correlation for `@terreno/api`.
+ *
+ * Correlation is how every log line emitted while handling one request (or one background job) can
+ * be tied back together. It is built on Node's {@link AsyncLocalStorage}: a {@link RequestContext}
+ * (with `requestId`, `userId`, `traceId`, etc.) is stored for the duration of a callback, and the
+ * logger's Winston format reads it from there and merges it into each line. Nothing needs to be
+ * threaded through function arguments.
+ *
+ * Two ways a scope is established:
+ *
+ * - **HTTP**: {@link requestContextMiddleware} runs first in the middleware stack. It derives a
+ *   `requestId` from incoming headers ({@link REQUEST_CONTEXT_ATTRIBUTE_NAMES}, `x-correlation-id`,
+ *   Cloud Trace, or W3C `traceparent`) or generates one, echoes it back as `X-Request-ID`, and runs
+ *   the rest of the request inside the scope.
+ * - **Jobs/scripts**: {@link runWithRequestContext} (or {@link runWithRequestContextAttributes})
+ *   establishes the same scope manually so background work is just as traceable.
+ *
+ * The active context is also pushed to Sentry tags/context via {@link applyRequestContextToSentry},
+ * and is exposed to logging via {@link getCurrentLogContext} / {@link getCurrentRequestContext}.
+ *
+ * @see {@link runWithRequestContext}
+ * @see {@link getCurrentLogContext}
+ * @module requestContext
+ */
 import {AsyncLocalStorage} from "node:async_hooks";
 import {randomUUID} from "node:crypto";
 import * as Sentry from "@sentry/bun";
@@ -14,18 +39,35 @@ const TRACE_PARENT_HEADER = "traceparent";
 const TRACE_SAMPLED_HEADER = "x-trace-sampled";
 const USER_ID_HEADER = "x-user-id";
 
+/**
+ * Correlation fields stored in AsyncLocalStorage for the lifetime of a request or job. Every log
+ * line emitted inside the scope is enriched with these. `requestId` is the only required field; the
+ * rest are populated when headers, trace context, or auth supply them.
+ */
 export interface RequestContext {
+  /** Background job identifier (from `x-job-id` or set via {@link runWithRequestContext}). */
   jobId?: string;
+  /** Stable id shared by all log lines for one request/job; echoed to clients as `X-Request-ID`. */
   requestId: string;
+  /** Auth session id, resolved from the JWT/Better Auth session or `x-session-id`. */
   sessionId?: string;
+  /** Distributed-tracing span id, parsed from Cloud Trace or W3C `traceparent`. */
   spanId?: string;
+  /** Distributed-tracing trace id, parsed from Cloud Trace or W3C `traceparent`. */
   traceId?: string;
+  /** Whether the trace is sampled, per the incoming trace headers. */
   traceSampled?: boolean;
+  /** Authenticated user id, populated after auth middleware runs. */
   userId?: string;
 }
 
 export type RequestContextAttributes = Record<string, string>;
 
+/**
+ * Canonical HTTP header names for each correlation field. Use these to propagate context to
+ * downstream services (pair with {@link getCurrentRequestContextAttributes}) or to read it from an
+ * incoming request (pair with {@link getRequestContextFromAttributes}).
+ */
 export const REQUEST_CONTEXT_ATTRIBUTE_NAMES = {
   jobId: JOB_ID_HEADER,
   requestId: "x-request-id",
@@ -161,10 +203,19 @@ export const getRequestContextFromAttributes = (
   };
 };
 
+/**
+ * Returns the full {@link RequestContext} for the active AsyncLocalStorage scope, or `undefined`
+ * when called outside any request/job scope. The logger uses this to enrich each line.
+ */
 export const getCurrentRequestContext = (): RequestContext | undefined => {
   return requestContextStorage.getStore();
 };
 
+/**
+ * Returns the active correlation fields as a plain object (empty when outside a scope). This is the
+ * shape attached to Sentry log attributes and is handy when you need to log or forward the current
+ * context yourself.
+ */
 export const getCurrentLogContext = (): Partial<RequestContext> => {
   const context = getCurrentRequestContext();
   if (!context) {
@@ -254,6 +305,11 @@ const setAttribute = (
   attributes[name] = String(value);
 };
 
+/**
+ * Serializes the active correlation context into HTTP header attributes (keyed by
+ * {@link REQUEST_CONTEXT_ATTRIBUTE_NAMES}) so it can be propagated on outbound requests to other
+ * services, keeping the same `requestId`/`traceId` across service boundaries.
+ */
 export const getCurrentRequestContextAttributes = (
   overrides: Partial<RequestContext> = {}
 ): RequestContextAttributes => {
@@ -269,6 +325,23 @@ export const getCurrentRequestContextAttributes = (
   return attributes;
 };
 
+/**
+ * Runs `callback` inside a fresh correlation scope so every log line it emits shares the same
+ * identifiers — the manual equivalent of {@link requestContextMiddleware} for background jobs,
+ * cron tasks, scripts, queue consumers, etc. A `requestId` is generated when not supplied, and the
+ * context is mirrored to Sentry.
+ *
+ * @example
+ * ```typescript
+ * import {createScopedLogger, runWithRequestContext} from "@terreno/api";
+ *
+ * await runWithRequestContext({jobId: "nightly-sync"}, async () => {
+ *   const log = createScopedLogger({prefix: "[NightlySync]"});
+ *   log.info("started"); // includes jobId + a generated requestId on every line
+ *   await sync();
+ * });
+ * ```
+ */
 export const runWithRequestContext = <T>(
   context: Partial<RequestContext>,
   callback: () => T
@@ -284,6 +357,11 @@ export const runWithRequestContext = <T>(
   });
 };
 
+/**
+ * Like {@link runWithRequestContext}, but seeds the scope from raw header attributes (for example
+ * those received on an incoming message or forwarded by another service). Parses Cloud Trace / W3C
+ * `traceparent` into `traceId`/`spanId` via {@link getRequestContextFromAttributes}.
+ */
 export const runWithRequestContextAttributes = <T>(
   attributes: Record<string, string | undefined> = {},
   callback: () => T
@@ -324,6 +402,14 @@ export const updateRequestContextFromRequest = (
   }
 };
 
+/**
+ * Express middleware that opens a correlation scope for the request. Mounted early by `TerrenoApp` /
+ * `setupServer`, it resolves a `requestId` (from request-id/correlation headers, Cloud Trace, or
+ * W3C `traceparent`, else a new UUID), captures any `jobId`/`sessionId`/trace fields, echoes
+ * `X-Request-ID` back to the client, and runs the remaining middleware inside the scope so all
+ * downstream logs are correlated. A later auth-aware pass ({@link updateRequestContextFromRequest})
+ * fills in `userId`/`sessionId`.
+ */
 export const requestContextMiddleware = (
   req: express.Request,
   res: express.Response,

package/src/secretProviders.test.ts

@@ -1,7 +1,13 @@
 import {beforeEach, describe, expect, it} from "bun:test";
 
 import type {SecretProvider} from "./configurationPlugin";
-import {CachingSecretProvider, CompositeSecretProvider, EnvSecretProvider} from "./secretProviders";
+import {APIError} from "./errors";
+import {
+  CachingSecretProvider,
+  CompositeSecretProvider,
+  EnvSecretProvider,
+  GcpSecretProvider,
+} from "./secretProviders";
 
 describe("EnvSecretProvider", () => {
   beforeEach(() => {
@@ -184,3 +190,215 @@ describe("CachingSecretProvider", () => {
     expect(calls).toBe(1);
   });
 });
+
+// ---------------------------------------------------------------------------
+// GcpSecretProvider
+// ---------------------------------------------------------------------------
+
+interface MockSecretManagerClient {
+  accessSecretVersion: (request: {
+    name: string;
+  }) => Promise<[{payload?: {data?: string | Uint8Array}}]>;
+}
+
+/** Inject a pre-built mock client into a GcpSecretProvider, bypassing getClient(). */
+const injectClient = (provider: GcpSecretProvider, client: MockSecretManagerClient): void => {
+  // Bypass the private `client` field for testing — avoids the dynamic import of
+  // @google-cloud/secret-manager which is an optional peer dependency.
+  Object.defineProperty(provider, "client", {configurable: true, value: client, writable: true});
+};
+
+describe("GcpSecretProvider", () => {
+  it("has the name 'gcp'", () => {
+    const provider = new GcpSecretProvider({projectId: "my-project"});
+    expect(provider.name).toBe("gcp");
+  });
+
+  it("throws APIError when @google-cloud/secret-manager is not installed", async () => {
+    const provider = new GcpSecretProvider({projectId: "my-project"});
+    try {
+      await provider.getSecret("some-secret");
+      expect.unreachable("should have thrown");
+    } catch (error) {
+      expect(error).toBeInstanceOf(APIError);
+      expect((error as APIError).title).toContain(
+        "GcpSecretProvider requires @google-cloud/secret-manager"
+      );
+    }
+  });
+
+  it("resolves a short secret name to the full resource path with default version", async () => {
+    const calls: string[] = [];
+    const mockClient: MockSecretManagerClient = {
+      accessSecretVersion: async (req) => {
+        calls.push(req.name);
+        return [{payload: {data: "secret-value"}}];
+      },
+    };
+    const provider = new GcpSecretProvider({projectId: "my-project"});
+    injectClient(provider, mockClient);
+
+    const result = await provider.getSecret("openai-api-key");
+    expect(result).toBe("secret-value");
+    expect(calls).toEqual(["projects/my-project/secrets/openai-api-key/versions/latest"]);
+  });
+
+  it("resolves a short secret name with an explicit version", async () => {
+    const calls: string[] = [];
+    const mockClient: MockSecretManagerClient = {
+      accessSecretVersion: async (req) => {
+        calls.push(req.name);
+        return [{payload: {data: "v3-value"}}];
+      },
+    };
+    const provider = new GcpSecretProvider({projectId: "p"});
+    injectClient(provider, mockClient);
+
+    const result = await provider.getSecret("my-key", "3");
+    expect(result).toBe("v3-value");
+    expect(calls).toEqual(["projects/p/secrets/my-key/versions/3"]);
+  });
+
+  it("honors a full resource path that already contains /versions/", async () => {
+    const calls: string[] = [];
+    const mockClient: MockSecretManagerClient = {
+      accessSecretVersion: async (req) => {
+        calls.push(req.name);
+        return [{payload: {data: "pinned"}}];
+      },
+    };
+    const provider = new GcpSecretProvider({projectId: "ignored"});
+    injectClient(provider, mockClient);
+
+    const result = await provider.getSecret("projects/p/secrets/s/versions/7");
+    expect(result).toBe("pinned");
+    expect(calls).toEqual(["projects/p/secrets/s/versions/7"]);
+  });
+
+  it("appends /versions/latest to a full resource path without a version suffix", async () => {
+    const calls: string[] = [];
+    const mockClient: MockSecretManagerClient = {
+      accessSecretVersion: async (req) => {
+        calls.push(req.name);
+        return [{payload: {data: "latest-value"}}];
+      },
+    };
+    const provider = new GcpSecretProvider({projectId: "ignored"});
+    injectClient(provider, mockClient);
+
+    const result = await provider.getSecret("projects/p/secrets/s");
+    expect(result).toBe("latest-value");
+    expect(calls).toEqual(["projects/p/secrets/s/versions/latest"]);
+  });
+
+  it("appends the explicit version when full path lacks /versions/", async () => {
+    const calls: string[] = [];
+    const mockClient: MockSecretManagerClient = {
+      accessSecretVersion: async (req) => {
+        calls.push(req.name);
+        return [{payload: {data: "v5"}}];
+      },
+    };
+    const provider = new GcpSecretProvider({projectId: "ignored"});
+    injectClient(provider, mockClient);
+
+    const result = await provider.getSecret("projects/p/secrets/s", "5");
+    expect(result).toBe("v5");
+    expect(calls).toEqual(["projects/p/secrets/s/versions/5"]);
+  });
+
+  it("decodes a Uint8Array payload", async () => {
+    const encoded = new TextEncoder().encode("binary-secret");
+    const mockClient: MockSecretManagerClient = {
+      accessSecretVersion: async () => [{payload: {data: encoded}}],
+    };
+    const provider = new GcpSecretProvider({projectId: "p"});
+    injectClient(provider, mockClient);
+
+    expect(await provider.getSecret("bin-key")).toBe("binary-secret");
+  });
+
+  it("returns null when the payload is empty", async () => {
+    const mockClient: MockSecretManagerClient = {
+      accessSecretVersion: async () => [{payload: {}}],
+    };
+    const provider = new GcpSecretProvider({projectId: "p"});
+    injectClient(provider, mockClient);
+
+    expect(await provider.getSecret("empty-payload")).toBeNull();
+  });
+
+  it("returns null when the payload field is missing entirely", async () => {
+    const mockClient: MockSecretManagerClient = {
+      accessSecretVersion: async () => [{}],
+    };
+    const provider = new GcpSecretProvider({projectId: "p"});
+    injectClient(provider, mockClient);
+
+    expect(await provider.getSecret("no-payload")).toBeNull();
+  });
+
+  it("returns null on NOT_FOUND (gRPC code 5)", async () => {
+    const notFound = Object.assign(new Error("NOT_FOUND"), {code: 5});
+    const mockClient: MockSecretManagerClient = {
+      accessSecretVersion: async () => {
+        throw notFound;
+      },
+    };
+    const provider = new GcpSecretProvider({projectId: "p"});
+    injectClient(provider, mockClient);
+
+    expect(await provider.getSecret("missing-secret")).toBeNull();
+  });
+
+  it("re-throws non-NOT_FOUND errors", async () => {
+    const permissionDenied = Object.assign(new Error("PERMISSION_DENIED"), {code: 7});
+    const mockClient: MockSecretManagerClient = {
+      accessSecretVersion: async () => {
+        throw permissionDenied;
+      },
+    };
+    const provider = new GcpSecretProvider({projectId: "p"});
+    injectClient(provider, mockClient);
+
+    try {
+      await provider.getSecret("forbidden-secret");
+      expect.unreachable("should have thrown");
+    } catch (error) {
+      expect(error).toBe(permissionDenied);
+    }
+  });
+
+  it("re-throws non-Error throwables", async () => {
+    const mockClient: MockSecretManagerClient = {
+      accessSecretVersion: async () => {
+        throw "string-error";
+      },
+    };
+    const provider = new GcpSecretProvider({projectId: "p"});
+    injectClient(provider, mockClient);
+
+    try {
+      await provider.getSecret("x");
+      expect.unreachable("should have thrown");
+    } catch (error) {
+      expect(error).toBe("string-error");
+    }
+  });
+
+  it("caches the client across multiple getSecret calls", async () => {
+    let callCount = 0;
+    const mockClient: MockSecretManagerClient = {
+      accessSecretVersion: async () => {
+        callCount++;
+        return [{payload: {data: `call-${callCount}`}}];
+      },
+    };
+    const provider = new GcpSecretProvider({projectId: "p"});
+    injectClient(provider, mockClient);
+
+    expect(await provider.getSecret("a")).toBe("call-1");
+    expect(await provider.getSecret("b")).toBe("call-2");
+    expect(callCount).toBe(2);
+  });
+});

package/src/syncConsents.test.ts

@@ -2,7 +2,7 @@ import {afterEach, beforeEach, describe, expect, it} from "bun:test";
 import {ConsentForm} from "./models/consentForm";
 import type {ConsentFormDefinition} from "./syncConsents";
 import {syncConsents} from "./syncConsents";
-import {setupDb} from "./tests";
+import {setupDb} from "./tests/testHelper";
 
 const baseDef: ConsentFormDefinition = {
   content: {en: "# Terms\nPlease agree."},

package/src/terrenoApp.test.ts

@@ -6,6 +6,7 @@ import supertest from "supertest";
 import {modelRouter} from "./api";
 import type {UserModel as UserModelType} from "./auth";
 import {configurationPlugin} from "./configurationPlugin";
+import {APIError} from "./errors";
 import {Permissions} from "./permissions";
 import {createdUpdatedPlugin} from "./plugins";
 import {TerrenoApp} from "./terrenoApp";
@@ -42,6 +43,17 @@ describe("TerrenoApp", () => {
       expect(app).toBeDefined();
     });
 
+    it("does not add requestId to GET /openapi.json document bodies", async () => {
+      const app = new TerrenoApp({
+        skipListen: true,
+        userModel: typedUserModel,
+      }).build();
+
+      const res = await supertest(app).get("/openapi.json").expect(200);
+      expect(res.body.openapi).toBe("3.0.0");
+      expect(res.body.requestId).toBeUndefined();
+    });
+
     it("creates server with custom corsOrigin", () => {
       const app = new TerrenoApp({
         corsOrigin: "https://example.com",
@@ -105,6 +117,7 @@ describe("TerrenoApp", () => {
       const res = await agent.get("/food").expect(200);
       expect(res.body.data).toHaveLength(1);
       expect(res.body.data[0].name).toBe("Apple");
+      expect(res.body.requestId).toBe(res.headers["x-request-id"]);
     });
 
     it("supports chaining multiple registrations", async () => {
@@ -196,6 +209,7 @@ describe("TerrenoApp", () => {
       const agent = await authAsUser(app, "admin");
       const res = await agent.get("/configuration/meta");
       expect(res.status).toBe(200);
+      expect(res.body.requestId).toBe(res.headers["x-request-id"]);
     });
 
     it("supports custom basePath via configure options", async () => {
@@ -240,6 +254,30 @@ describe("TerrenoApp", () => {
 
       const res = await supertest(app).get("/trigger-fallthrough");
       expect(res.status).toBe(500);
+      expect(res.body.requestId).toBe(res.headers["x-request-id"]);
+      expect(res.body.status).toBe(500);
+      expect(res.body.title).toBe("Internal server error");
+    });
+
+    it("adds requestId to APIError JSON responses", async () => {
+      const plugin: TerrenoPlugin = {
+        register: (pluginApp) => {
+          pluginApp.get("/api-error-route", () => {
+            throw new APIError({status: 400, title: "Bad request test"});
+          });
+        },
+      };
+      const app = new TerrenoApp({
+        skipListen: true,
+        userModel: typedUserModel,
+      })
+        .register(plugin)
+        .build();
+
+      const res = await supertest(app).get("/api-error-route").set("X-Request-ID", "api-err-rid");
+      expect(res.status).toBe(400);
+      expect(res.body.requestId).toBe("api-err-rid");
+      expect(res.body.title).toBe("Bad request test");
     });
   });