From 8869a1a12a1b0c493ec5a32f3722897454f9c623 Mon Sep 17 00:00:00 2001
From: Test User
Date: Thu, 4 Jun 2026 02:04:29 +0200
Subject: [PATCH] fix(security): strip anyhow chain from robot JSON error output

Refs #2131

format!("{:#}", err) renders the full anyhow chain (e.g. "outer: middle: db.internal:5432") into the robot-mode JSON response printed to stdout, potentially leaking internal implementation details to callers. Change to format!("{}", err) which renders only the outermost message.

The stderr eprintln! keeps {:#} since that output is developer-facing, not API-facing.

P2 finding from security sentinel review of PR #2129.
---
 crates/terraphim_agent/src/main.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crates/terraphim_agent/src/main.rs b/crates/terraphim_agent/src/main.rs
index 291d18a42..f99db661a 100644
--- a/crates/terraphim_agent/src/main.rs
+++ b/crates/terraphim_agent/src/main.rs
@@ -1319,7 +1319,7 @@ fn emit_robot_error_and_exit(
     if robot || !matches!(format, OutputFormat::Human) {
         use crate::robot::schema::{ResponseMeta, RobotError, RobotResponse};
         let meta = ResponseMeta::new("unknown");
-        let robot_error = RobotError::new(format!("E{:03}", code.code()), format!("{:#}", err));
+        let robot_error = RobotError::new(format!("E{:03}", code.code()), format!("{}", err));
         let response = RobotResponse::<()>::error(vec![robot_error], meta);
         if let Ok(json) = serde_json::to_string(&response) {
             println!("{}", json);
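Review bot: The new `let robot_error` line still depends on every caller's outermost `.context(...)` string being safe to expose to API callers, and nothing in the hunk records that assumption, so a later cleanup could just as easily restore `{:#}`; a one-line comment above it would preserve the intent: `// Outermost message only: the full anyhow chain can expose internal details to API callers; the chain still goes to stderr.` `format!("{}", err)` is the clippy `useless_format` pattern and reads better as `err.to_string()`, which renders the same outermost message. No test pins the fix: a regression test that wraps an inner error with an outer context, serializes the `RobotResponse`, and asserts the inner message is absent from the JSON would catch a reintroduced chain. `emit_robot_error_and_exit` begins and ends outside the hunk, and the stderr `eprintln!` the commit message mentions is not visible here.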