Problem
Every error handler in src/routes/tasks.js returns res.status(500).json({ error: err.message }), exposing raw SQLite error messages (table names, column names, constraint names) to the client. This violates the 'Never expose internal error details to clients' rule in api.instructions.md.
Recommendation
Replace err.message with a generic user-facing string (e.g., 'Internal server error') in all 500 responses, and log the real error server-side (message, err.code, stack) together with request context (route, method, a request identifier) using console.error, so that the detail is available to operators without reaching the client.
Location: src/routes/tasks.js — all db.run/db.get/db.all error callbacks
Severity: high
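To make the recommendation concrete, here is an added example (not code from src/routes/tasks.js or the project) showing the flagged handler beside a hardened one. It assumes the Express-style res.status(...).json(...) chaining and sqlite3-style error objects the finding describes; the fakeRes stand-in, the sample SQLite error (table and column names are made up), and the requestId correlation field are constructed for the demo.

```javascript
// Added example: leaky error handler vs. hardened handler.
// Assumes Express-style res.status().json() chaining and node-sqlite3-style
// error objects (err.message, err.code); nothing here is project code.

const GENERIC_500 = { error: 'Internal server error' };

// The pattern the finding flags: the raw driver message is sent to the client,
// which reveals table names, column names and constraint names.
function leakyHandler(err, res) {
  return res.status(500).json({ error: err.message });
}

// Fallback correlation id; only needs to be unique per log line, not secret.
let seq = 0;
function newRequestId() {
  seq += 1;
  return `req-${Date.now().toString(36)}-${seq}`;
}

// Hardened: log the real error server-side with request context and return a
// generic body. The requestId appears in both the log line and the response so
// an operator can find the underlying error without the client learning it.
function safeHandler(err, res, ctx = {}, log = console.error) {
  const requestId = ctx.requestId || newRequestId();
  log(JSON.stringify({
    level: 'error',
    requestId,
    route: ctx.route,      // e.g. '/tasks'
    method: ctx.method,    // e.g. 'POST'
    code: err.code,        // e.g. 'SQLITE_CONSTRAINT'
    message: err.message,  // stays server-side only
    stack: err.stack,
  }));
  return res.status(500).json({ ...GENERIC_500, requestId });
}

// Minimal stand-in for an Express response so the example runs without express.
function fakeRes() {
  const res = { statusCode: null, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Constructed error resembling what node-sqlite3 surfaces on a constraint
// violation; 'tasks.owner_id' is invented for the demo.
function sampleSqliteError() {
  const err = new Error('SQLITE_CONSTRAINT: NOT NULL constraint failed: tasks.owner_id');
  err.code = 'SQLITE_CONSTRAINT';
  err.errno = 19;
  return err;
}

// Heuristic check for schema detail in a response body (a table.column
// reference or the word "constraint"); useful as a regression test.
function leaksSchemaDetail(body) {
  return /\btasks\.|constraint/i.test(JSON.stringify(body));
}

// Runs both handlers against the same error and captures the safe handler's log.
function demo() {
  const err = sampleSqliteError();
  const leaky = leakyHandler(err, fakeRes());
  const logged = [];
  const safe = safeHandler(
    err,
    fakeRes(),
    { route: '/tasks', method: 'POST', requestId: 'req-1' },
    (line) => logged.push(line),
  );
  return { leaky, safe, logged };
}

console.log(demo());
```

In the real routes the ctx object would be built from req (req.method, req.originalUrl, and a request id set by upstream middleware); the log sink stays console.error as the finding recommends, with the structured JSON line making it easy for a log pipeline to index by requestId.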