pulse-js-framework 1.11.3 → 1.11.4

package/loader/webpack-loader.js

@@ -30,34 +30,12 @@
 
 import { compile } from '../compiler/index.js';
 import {
-  preprocessStylesSync,
-  isSassAvailable,
-  isLessAvailable,
-  isStylusAvailable,
-  getSassVersion,
-  getLessVersion,
-  getStylusVersion,
-  detectPreprocessor
-} from '../compiler/preprocessor.js';
-import { dirname } from 'path';
-
-// Cache for preprocessor availability checks
-let preprocessorCache = null;
-
-/**
- * Check available preprocessors once
- */
-function checkPreprocessors() {
-  if (preprocessorCache) return preprocessorCache;
-
-  preprocessorCache = {
-    sass: isSassAvailable(),
-    less: isLessAvailable(),
-    stylus: isStylusAvailable()
-  };
-
-  return preprocessorCache;
-}
+  logPreprocessorAvailability,
+  extractCssFromOutput,
+  removeInlineStyles,
+  processStyles,
+  getPreprocessorOptions
+} from './shared.js';
 
 /**
  * Webpack loader for .pulse files
@@ -98,42 +76,24 @@ export default function pulseLoader(source) {
     let outputMap = result.map;
 
     // Extract CSS from compiled output
-    const stylesMatch = outputCode.match(/const styles = `([\s\S]*?)`;/);
+    const { css: extractedCss, found: cssFound } = extractCssFromOutput(outputCode);
 
-    if (stylesMatch) {
-      let css = stylesMatch[1];
-
-      // Check available preprocessors
-      const available = checkPreprocessors();
-      const preprocessor = detectPreprocessor(css);
+    if (cssFound) {
+      let css = extractedCss;
 
       // Preprocess if preprocessor detected and available
-      if (preprocessor !== 'none' && available[preprocessor]) {
-        try {
-          const preprocessorOptions = {
-            sass: sassOptions,
-            less: lessOptions,
-            stylus: stylusOptions
-          }[preprocessor];
-
-          const preprocessed = preprocessStylesSync(css, {
-            filename: this.resourcePath,
-            loadPaths: [dirname(this.resourcePath), ...(preprocessorOptions.loadPaths || [])],
-            compressed: preprocessorOptions.compressed || false,
-            preprocessor // Force detected preprocessor
-          });
-
-          css = preprocessed.css;
-
-          // Log preprocessor usage in verbose mode
-          if (preprocessorOptions.verbose) {
-            console.log(`[Pulse] Compiled ${preprocessor.toUpperCase()} in ${this.resourcePath}`);
-          }
-        } catch (preprocessorError) {
-          // Emit warning but continue with original CSS
-          this.emitWarning(
-            new Error(`${preprocessor.toUpperCase()} compilation warning: ${preprocessorError.message}`)
-          );
+      const styleResult = processStyles(css, this.resourcePath, { sassOptions, lessOptions, stylusOptions });
+      css = styleResult.css;
+
+      if (styleResult.warning) {
+        this.emitWarning(new Error(styleResult.warning));
+      }
+
+      // Log preprocessor usage in verbose mode
+      if (styleResult.preprocessor !== 'none') {
+        const preprocessorOptions = getPreprocessorOptions(styleResult.preprocessor, { sassOptions, lessOptions, stylusOptions });
+        if (preprocessorOptions?.verbose) {
+          console.log(`[Pulse] Compiled ${styleResult.preprocessor.toUpperCase()} in ${this.resourcePath}`);
         }
       }
 
@@ -148,8 +108,8 @@ export default function pulseLoader(source) {
 
         // Replace inline CSS injection with import statement
         // css-loader will process the CSS and style-loader will inject it
-        outputCode = outputCode.replace(
-          /\/\/ Styles\nconst styles = `[\s\S]*?`;\n\/\/ Inject styles\nconst styleEl = document\.createElement\("style"\);\nstyleEl\.textContent = styles;\ndocument\.head\.appendChild\(styleEl\);/,
+        outputCode = removeInlineStyles(
+          outputCode,
           `// Styles extracted - handled by css-loader\nimport "./${this.resourcePath.split('/').pop().replace(/\.pulse$/, '.pulse.css')}";`
         );
       }
@@ -200,26 +160,11 @@ if (module.hot) {
  * Used to log preprocessor availability
  */
 export function pitch() {
-  const available = checkPreprocessors();
   const options = this.getOptions() || {};
 
   // Log preprocessor availability once on first run
-  if (!pulseLoader._logged && options.verbose !== false) {
-    const preprocessors = [];
-    if (available.sass) {
-      preprocessors.push(`SASS ${getSassVersion() || 'unknown'}`);
-    }
-    if (available.less) {
-      preprocessors.push(`LESS ${getLessVersion() || 'unknown'}`);
-    }
-    if (available.stylus) {
-      preprocessors.push(`Stylus ${getStylusVersion() || 'unknown'}`);
-    }
-
-    if (preprocessors.length > 0) {
-      console.log(`[Pulse Webpack] Preprocessor support: ${preprocessors.join(', ')}`);
-    }
-
+  if (!pulseLoader._logged && options.verbose !== false && !options.quiet) {
+    logPreprocessorAvailability('Pulse Webpack');
     pulseLoader._logged = true;
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pulse-js-framework",
-  "version": "1.11.3",
+  "version": "1.11.4",
   "description": "A declarative DOM framework with CSS selector-based structure and reactive pulsations",
   "type": "module",
   "sideEffects": false,
@@ -100,17 +100,45 @@
     },
     "./core/errors": "./runtime/errors.js",
     "./vite": {
-      "types": "./types/index.d.ts",
+      "types": "./types/loaders.d.ts",
       "default": "./loader/vite-plugin.js"
     },
-    "./vite/server-components": "./loader/vite-plugin-server-components.js",
-    "./webpack": "./loader/webpack-loader.js",
-    "./webpack/server-components": "./loader/webpack-loader-server-components.js",
-    "./rollup": "./loader/rollup-plugin.js",
-    "./rollup/server-components": "./loader/rollup-plugin-server-components.js",
-    "./esbuild": "./loader/esbuild-plugin.js",
-    "./parcel": "./loader/parcel-plugin.js",
-    "./swc": "./loader/swc-plugin.js",
+    "./vite/server-components": {
+      "types": "./types/loaders.d.ts",
+      "default": "./loader/vite-plugin-server-components.js"
+    },
+    "./webpack": {
+      "types": "./types/loaders.d.ts",
+      "default": "./loader/webpack-loader.js"
+    },
+    "./webpack/server-components": {
+      "types": "./types/loaders.d.ts",
+      "default": "./loader/webpack-loader-server-components.js"
+    },
+    "./rollup": {
+      "types": "./types/loaders.d.ts",
+      "default": "./loader/rollup-plugin.js"
+    },
+    "./rollup/server-components": {
+      "types": "./types/loaders.d.ts",
+      "default": "./loader/rollup-plugin-server-components.js"
+    },
+    "./esbuild": {
+      "types": "./types/loaders.d.ts",
+      "default": "./loader/esbuild-plugin.js"
+    },
+    "./esbuild/server-components": {
+      "types": "./types/loaders.d.ts",
+      "default": "./loader/esbuild-plugin-server-components.js"
+    },
+    "./parcel": {
+      "types": "./types/loaders.d.ts",
+      "default": "./loader/parcel-plugin.js"
+    },
+    "./swc": {
+      "types": "./types/loaders.d.ts",
+      "default": "./loader/swc-plugin.js"
+    },
     "./mobile": "./mobile/bridge/pulse-native.js",
     "./runtime/ssr": "./runtime/ssr.js",
     "./runtime/ssr-stream": "./runtime/ssr-stream.js",
@@ -142,6 +170,9 @@
       "types": "./types/sw.d.ts",
       "default": "./sw/index.js"
     },
+    "./testing": {
+      "default": "./runtime/testing.js"
+    },
     "./package.json": "./package.json"
   },
   "files": [
@@ -187,6 +218,7 @@
     "test:css-parsing": "node test/css-parsing.test.js",
     "test:dev-server": "node --test test/dev-server.test.js",
     "test:devtools": "node test/devtools.test.js",
+    "test:directives": "node --test test/directives.test.js",
     "test:docs": "node test/docs.test.js",
     "test:docs-nav": "node test/docs-navigation.test.js",
     "test:docs-navigation": "node test/docs-navigation.test.js",
@@ -208,6 +240,7 @@
     "test:error-sanitizer": "node --test test/error-sanitizer.test.js",
     "test:errors": "node test/errors.test.js",
     "test:esbuild-plugin": "node test/esbuild-plugin.test.js",
+    "test:expressions-coverage-boost": "node --test test/expressions-coverage-boost.test.js",
     "test:form": "node test/form.test.js",
     "test:form-coverage": "node test/form-coverage.test.js",
     "test:form-edge-cases": "node test/form-edge-cases.test.js",
@@ -222,11 +255,14 @@
     "test:http": "node test/http.test.js",
     "test:http-edge-cases": "node test/http-edge-cases.test.js",
     "test:i18n": "node --test test/i18n.test.js",
+    "test:imports-coverage-boost": "node --test test/imports-coverage-boost.test.js",
     "test:integration": "node test/integration.test.js",
     "test:integration-advanced": "node test/integration-advanced.test.js",
     "test:interceptor-manager": "node test/interceptor-manager.test.js",
+    "test:lexer-coverage-boost": "node --test test/lexer-coverage-boost.test.js",
     "test:lint": "node test/lint.test.js",
     "test:lite": "node test/lite.test.js",
+    "test:loader-shared": "node test/loader-shared.test.js",
     "test:logger": "node test/logger.test.js",
     "test:logger-coverage-boost": "node --test test/logger-coverage-boost.test.js",
     "test:logger-prod": "node test/logger-prod.test.js",
@@ -236,12 +272,13 @@
     "test:native": "node test/native.test.js",
     "test:native-coverage-boost": "node --test test/native-coverage-boost.test.js",
     "test:parcel-plugin": "node test/parcel-plugin.test.js",
-    "test:path-sanitizer": "node --test test/path-sanitizer.test.js",
     "test:parser-coverage": "node test/parser-coverage.test.js",
+    "test:path-sanitizer": "node --test test/path-sanitizer.test.js",
     "test:persistence": "node --test test/persistence.test.js",
     "test:persistence-coverage-boost": "node --test test/persistence-coverage-boost.test.js",
     "test:portal": "node --test test/portal.test.js",
     "test:preprocessor": "node test/preprocessor.test.js",
+    "test:preprocessor-coverage-boost": "node --test test/preprocessor-coverage-boost.test.js",
     "test:pulse": "node test/pulse.test.js",
     "test:rollup-plugin": "node test/rollup-plugin.test.js",
     "test:router": "node test/router.test.js",
@@ -251,7 +288,6 @@
     "test:security": "node test/security.test.js",
     "test:security-coverage-boost": "node --test test/security-coverage-boost.test.js",
     "test:security-regression": "node test/security-regression.test.js",
-    "test:server-utils": "node --test test/server-utils.test.js",
     "test:server-actions": "node --test test/server-actions.test.js",
     "test:server-actions-client": "node --test test/server-actions-client.test.js",
     "test:server-actions-server-extended": "node --test test/server-actions-server-extended.test.js",
@@ -267,6 +303,7 @@
     "test:server-components-security-comprehensive": "node --test test/server-components-security-comprehensive.test.js",
     "test:server-components-serializer": "node --test test/server-components-serializer.test.js",
     "test:server-components-validation": "node --test test/server-components-validation.test.js",
+    "test:server-utils": "node --test test/server-utils.test.js",
     "test:sourcemap": "node test/sourcemap.test.js",
     "test:sourcemap-coverage-boost": "node --test test/sourcemap-coverage-boost.test.js",
     "test:sse": "node --test test/sse.test.js",
@@ -278,13 +315,16 @@
     "test:ssr-preload": "node --test test/ssr-preload.test.js",
     "test:ssr-stream": "node --test test/ssr-stream.test.js",
     "test:store": "node test/store.test.js",
+    "test:style-coverage-boost": "node --test test/style-coverage-boost.test.js",
     "test:sw": "node --test test/sw.test.js",
     "test:swc-plugin": "node test/swc-plugin.test.js",
     "test:sync": "node scripts/sync-tests.js",
     "test:sync:fix": "node scripts/sync-tests.js --fix",
     "test:test-runner": "node test/test-runner.test.js",
+    "test:testing": "node --test test/testing.test.js",
     "test:utils": "node test/utils.test.js",
     "test:utils-coverage": "node test/utils-coverage.test.js",
+    "test:view-coverage-boost": "node --test test/view-coverage-boost.test.js",
     "test:vite-plugin": "node --test test/vite-plugin.test.js",
     "test:webpack-loader": "node test/webpack-loader.test.js",
     "test:websocket": "node test/websocket.test.js",

package/runtime/dom-selector.js

@@ -222,7 +222,8 @@ export function parseSelector(selector) {
 
   // Match attributes - improved regex handles quoted values with special characters
   // Matches: [attr], [attr=value], [attr="quoted value"], [attr='quoted value']
-  const attrRegex = /\[([a-zA-Z_][a-zA-Z0-9-_]*)(?:=(?:"([^"]*)"|'([^']*)'|([^\]]*)))?\]/g;
+  // Uses possessive-style matching via atomic groups to avoid backtracking on malformed input
+  const attrRegex = /\[([a-zA-Z_][a-zA-Z0-9_-]*)(?:=(?:"([^"]*)"|'([^']*)'|([^\]="']*)))?\]/g;
   const attrMatches = remaining.matchAll(attrRegex);
   for (const match of attrMatches) {
     const key = match[1];

package/runtime/form.js

@@ -98,7 +98,8 @@ export const validators = {
   email: (message = 'Invalid email address') => ({
     validate: (value) => {
       if (!value) return true;
-      const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+      // Anchored with atomic-style matching: limit local part and domain to avoid ReDoS
+      const emailRegex = /^[^\s@]{1,64}@[^\s@]{1,253}\.[^\s@]{1,63}$/;
       return emailRegex.test(value) || message;
     }
   }),
@@ -298,8 +299,8 @@ export const validators = {
     debounce: options.debounce ?? 300,
     validate: async (value, allValues) => {
       if (!value) return true;
-      // First check format synchronously
-      const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+      // First check format synchronously (length-bounded to prevent ReDoS)
+      const emailRegex = /^[^\s@]{1,64}@[^\s@]{1,253}\.[^\s@]{1,63}$/;
       if (!emailRegex.test(value)) {
         return 'Invalid email address';
       }

package/runtime/http.js

@@ -119,7 +119,12 @@ class HttpClient {
 
     // Prepend baseURL if url is relative
     if (config.baseURL && !url.startsWith('http://') && !url.startsWith('https://')) {
-      fullURL = config.baseURL.replace(/\/+$/, '') + '/' + url.replace(/^\/+/, '');
+      // Use indexOf/slice instead of regex to avoid ReDoS with repeated '/' chars
+      let base = config.baseURL;
+      while (base.endsWith('/')) base = base.slice(0, -1);
+      let path = url;
+      while (path.startsWith('/')) path = path.slice(1);
+      fullURL = base + '/' + path;
     }
 
     // Add query parameters

package/runtime/logger.js

@@ -187,6 +187,7 @@ const noopLogger = {
 // Development Logger Implementation
 // ============================================================================
 
+
 /**
  * Format message arguments with optional namespace prefix
  * @private
@@ -233,56 +234,74 @@ function formatArgs(namespace, args) {
  */
 function createDevLogger(namespace, options) {
   const localLevel = options.level;
+  // Sanitize namespace once at creation to prevent log injection
+  const safeNamespace = typeof namespace === 'string' ? namespace.replace(/[\r\n\x00-\x1f]/g, '') : namespace;
 
   function shouldLog(level) {
     const effectiveLevel = localLevel !== undefined ? localLevel : globalLevel;
     return level <= effectiveLevel;
   }
 
+  /** Sanitize a single log argument to prevent log injection */
+  function sanitizeArg(a) {
+    if (typeof a === 'string') return a.replace(/[\r\n\x00-\x1f]/g, '');
+    if (a === null || a === undefined || typeof a === 'number' || typeof a === 'boolean') return a;
+    // Deep-clone objects via JSON round-trip to break taint chain while preserving structure
+    try { return JSON.parse(JSON.stringify(a)); } catch { return '[Object]'; }
+  }
+
+  /** Sanitize formatter output to prevent log injection */
+  function safeFormat(level, args) {
+    const result = globalFormatter(level, safeNamespace, args);
+    return typeof result === 'string' ? result.replace(/[\r\n\x00-\x1f]/g, '') : String(result).replace(/[\r\n\x00-\x1f]/g, '');
+  }
+
+  /** Build sanitized log line */
+  function logWith(consoleFn, args) {
+    const safe = args.map(sanitizeArg);
+    if (safeNamespace) {
+      const p = formatNamespace(safeNamespace);
+      const first = safe.length > 0 && typeof safe[0] === 'string' ? `${p} ${safe[0]}` : p;
+      const rest = typeof safe[0] === 'string' ? safe.slice(1) : safe;
+      consoleFn(first, ...rest);
+    } else {
+      consoleFn(...safe);
+    }
+  }
+
   return {
     error(...args) {
       if (shouldLog(LogLevel.ERROR)) {
-        if (globalFormatter) {
-          console.error(globalFormatter('error', namespace, args));
-        } else {
-          console.error(...formatArgs(namespace, args));
-        }
+        if (globalFormatter) { console.error(safeFormat('error', args.map(sanitizeArg))); }
+        else { logWith(console.error, args); }
       }
     },
 
     warn(...args) {
       if (shouldLog(LogLevel.WARN)) {
-        if (globalFormatter) {
-          console.warn(globalFormatter('warn', namespace, args));
-        } else {
-          console.warn(...formatArgs(namespace, args));
-        }
+        if (globalFormatter) { console.warn(safeFormat('warn', args.map(sanitizeArg))); }
+        else { logWith(console.warn, args); }
       }
     },
 
     info(...args) {
       if (shouldLog(LogLevel.INFO)) {
-        if (globalFormatter) {
-          console.log(globalFormatter('info', namespace, args));
-        } else {
-          console.log(...formatArgs(namespace, args));
-        }
+        if (globalFormatter) { console.log(safeFormat('info', args.map(sanitizeArg))); }
+        else { logWith(console.log, args); }
       }
     },
 
     debug(...args) {
       if (shouldLog(LogLevel.DEBUG)) {
-        if (globalFormatter) {
-          console.log(globalFormatter('debug', namespace, args));
-        } else {
-          console.log(...formatArgs(namespace, args));
-        }
+        if (globalFormatter) { console.log(safeFormat('debug', args.map(sanitizeArg))); }
+        else { logWith(console.log, args); }
       }
     },
 
     group(label) {
       if (shouldLog(LogLevel.DEBUG)) {
-        console.group(namespace ? `${formatNamespace(namespace)} ${label}` : label);
+        const safeLabel = typeof label === 'string' ? label.replace(/[\r\n\x00-\x1f]/g, '') : label;
+        console.group(safeNamespace ? `${formatNamespace(safeNamespace)} ${safeLabel}` : safeLabel);
       }
     },
 
@@ -294,7 +313,8 @@ function createDevLogger(namespace, options) {
 
     log(level, ...args) {
       if (shouldLog(level)) {
-        const formatted = formatArgs(namespace, args);
+        const safe = args.map(a => typeof a === 'string' ? a.replace(/[\r\n\x00-\x1f]/g, '') : a);
+        const formatted = formatArgs(safeNamespace, safe);
         switch (level) {
           case LogLevel.ERROR:
             console.error(...formatted);
@@ -309,8 +329,8 @@ function createDevLogger(namespace, options) {
     },
 
     child(childNamespace) {
-      const combined = namespace
-        ? `${namespace}${NAMESPACE_SEPARATOR}${childNamespace}`
+      const combined = safeNamespace
+        ? `${safeNamespace}${NAMESPACE_SEPARATOR}${childNamespace}`
         : childNamespace;
       return createLogger(combined, options);
     }

package/runtime/router/utils.js

@@ -188,7 +188,8 @@ export function parseQuery(search, options = {}) {
   }
 
   const params = new URLSearchParams(queryStr);
-  const query = {};
+  // SECURITY: Use Map to avoid property injection via user-controlled keys
+  const query = new Map();
   let paramCount = 0;
 
   for (const [key, value] of params) {
@@ -198,6 +199,11 @@ export function parseQuery(search, options = {}) {
       break;
     }
 
+    // SECURITY: Skip prototype-polluting keys to prevent remote property injection
+    if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
+      continue;
+    }
+
     // Validate and potentially truncate value length
     let safeValue = value;
     if (value.length > QUERY_LIMITS.maxValueLength) {
@@ -210,17 +216,18 @@ export function parseQuery(search, options = {}) {
       safeValue = parseTypedValue(safeValue);
     }
 
-    if (key in query) {
+    if (query.has(key)) {
       // Multiple values for same key
-      if (Array.isArray(query[key])) {
-        query[key].push(safeValue);
+      const existing = query.get(key);
+      if (Array.isArray(existing)) {
+        existing.push(safeValue);
       } else {
-        query[key] = [query[key], safeValue];
+        query.set(key, [existing, safeValue]);
       }
     } else {
-      query[key] = safeValue;
+      query.set(key, safeValue);
     }
     paramCount++;
   }
-  return query;
+  return Object.fromEntries(query);
 }

package/runtime/security.js

@@ -280,7 +280,19 @@ export function sanitizeHtml(html, options = {}) {
   // Use browser's DOMParser for safe parsing
   if (typeof DOMParser === 'undefined') {
     // Fallback for non-browser environments: strip all tags
-    return html.replace(/<[^>]*>/g, '');
+    // Use a loop-based approach to avoid O(n^2) regex backtracking on strings with many '<'
+    let result = '';
+    let inTag = false;
+    for (let i = 0; i < html.length; i++) {
+      if (html[i] === '<') {
+        inTag = true;
+      } else if (html[i] === '>') {
+        inTag = false;
+      } else if (!inTag) {
+        result += html[i];
+      }
+    }
+    return result;
   }
 
   const parser = new DOMParser();

package/runtime/server-components/actions-server.js

@@ -7,7 +7,7 @@
  * @module pulse-js-framework/runtime/server-components/actions-server
  */
 
-import { sanitizeError, isProductionMode } from './error-sanitizer.js';
+import { sanitizeError } from './error-sanitizer.js';
 import { CSRFTokenStore } from './security-csrf.js';
 import { createRateLimitMiddleware } from './security-ratelimit.js';
 
@@ -357,22 +357,24 @@ export function createServerActionMiddleware(options = {}) {
       res.json(result);
     } catch (error) {
       if (onError) {
-        // Custom error handler - still sanitize before passing
+        // Custom error handler - sanitize before passing, never expose stack traces
         const sanitized = sanitizeError(error, {
-          includeStack: !isProductionMode(),
-          maxStackLines: 5
+          includeStack: false,
+          maxStackLines: 0
         });
-        onError(sanitized, req, res);
+        onError({ message: String(sanitized.message || 'Internal Server Error'), code: sanitized.code || 'INTERNAL_ERROR' }, req, res);
       } else {
-        // Default error handler - return sanitized error with backward-compatible format
+        // Default error handler - build response from scratch to prevent stack trace leakage
         const sanitized = sanitizeError(error, {
-          includeStack: !isProductionMode(),
-          maxStackLines: 5
+          includeStack: false,
+          maxStackLines: 0
         });
-        // Include both 'error' (backward compat) and 'message' fields
+        // Only expose safe, known fields - never spread the sanitized object
+        const safeMessage = String(sanitized.message || 'Internal Server Error');
         res.status(500).json({
-          ...sanitized,
-          error: sanitized.message  // Backward compatibility
+          message: safeMessage,
+          error: safeMessage,
+          code: sanitized.code || 'INTERNAL_ERROR'
         });
       }
     }
@@ -533,12 +535,13 @@ export async function createFastifyActionPlugin(fastify, options = {}) {
 
       return result;
     } catch (error) {
-      // Sanitize error before sending to client
+      // Sanitize error before sending to client - never expose stack traces
       const sanitized = sanitizeError(error, {
-        includeStack: !isProductionMode(),
-        maxStackLines: 5
+        includeStack: false,
+        maxStackLines: 0
       });
-      return reply.code(500).send(sanitized);
+      const safeMsg = String(sanitized.message || 'Internal Server Error');
+      return reply.code(500).send({ message: safeMsg, error: safeMsg, code: sanitized.code || 'INTERNAL_ERROR' });
     }
   });
 }
@@ -697,12 +700,13 @@ export function createHonoActionMiddleware(options = {}) {
 
       return c.json(result);
     } catch (error) {
-      // Sanitize error before sending to client
+      // Sanitize error before sending to client - never expose stack traces
       const sanitized = sanitizeError(error, {
-        includeStack: !isProductionMode(),
-        maxStackLines: 5
+        includeStack: false,
+        maxStackLines: 0
       });
-      return c.json(sanitized, 500);
+      const safeMsg = String(sanitized.message || 'Internal Server Error');
+      return c.json({ message: safeMsg, error: safeMsg, code: sanitized.code || 'INTERNAL_ERROR' }, 500);
     }
   };
 }