/**
 * Error sanitization for API responses.
 *
 * By default, returns a generic message to the client and logs the full
 * error server-side. Set PORTAL_DEBUG_ERRORS=true to return the raw
 * error message to the client (useful during development/debugging).
 */

const DEBUG_ERRORS = process.env.PORTAL_DEBUG_ERRORS === "true";

/**
 * Returns a safe error string for API responses.
 *
 * - In debug mode (PORTAL_DEBUG_ERRORS=true): returns the raw e.message
 * - In production mode: returns the fallback string and logs the real error
 *
 * Recognises common HTTP status codes from k8s/vault errors and returns
 * appropriate short messages even in production mode.
 */
export function safeError(e: unknown, fallback: string): string {
  const err = e instanceof Error ? e : new Error(String(e));
  const statusCode = (err as any).statusCode as number | undefined;

  if (DEBUG_ERRORS) {
    return err.message;
  }

  // Map well-known status codes to safe messages
  if (statusCode === 404) return "Not found";
  if (statusCode === 403) return "Forbidden";
  if (statusCode === 409) return "Conflict";
  if (statusCode === 401) return "Unauthorized";

  // Log full error server-side, return generic to client
  console.error(`${fallback}:`, err.message);
  return fallback;
}