Strip stack traces from RPC error responses (OAC-05)

Mathéo · claude · Mathéo · commit b5186727b673 · 2026-03-05T16:48:02.000+01:00
Remove the `stack` property from serialized error objects in
RpcState.reply() to prevent internal file paths, line numbers,
and code structure from leaking to callers via postMessage or
URL-encoded redirect responses.

The full error (including stack) is still logged via console.debug
for debugging purposes.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/src/lib/RpcServer.es.js b/src/lib/RpcServer.es.js
@@ -148,9 +148,9 @@ class RpcState {
     reply(status, result) {
         console.debug('RpcServer REPLY', result);
         if (status === ResponseStatus.ERROR) {
-            // serialize error objects
+            // serialize error objects, omitting stack traces to avoid leaking internal details
             result = typeof result === 'object'
-                ? { message: result.message, stack: result.stack, name: result.name }
+                ? { message: result.message, name: result.name }
                 : { message: result };
         }
         if (this._postMessage) {
