fix(webapp): sweep remaining api.v1 loaders/actions for thrown-error leaks

Earlier passes covered routes with leaking `catch (e) { return json({error:
e.message}, 500) }` shapes, and two specific naked routes. This sweep
covers the rest of the API surface that doesn't go through
`createLoaderApiRoute`/`createActionApiRoute` — 26 files across deploy,
projects, orgs, deployments, auth-jwt, artifacts, and alert-channel routes.

Each handler now wraps its body in try/catch, re-throws `Response`
instances so auth helpers' `throw json(...)` / `throw redirect(...)`
pass through unchanged, logs non-Response errors via `logger.error`, and
returns a generic `{ error: "Internal Server Error" }` 500.

Routes that already had an inner try/catch covering a service call but
with auth/parsing outside the try (alertChannels, batches.results,
deployments.finalize, several others) get an outer try/catch added so the
inner typed-error handling is preserved. The api.v1.authorization-code.ts
catch branch was returning `error.message` verbatim — switched to a generic
body.

Each route verified locally with the established synthetic-throw probe:
inject `throw new Error("SYNTHETIC ...")` at the top of the catch'd try,
curl with a dummy bearer, confirm the response body is the generic shape
and that the synthetic message lands server-side via `logger.error`.
Sampled legitimate 4xx paths (no-auth 401s, auth-helper Response throws,
happy 200 returns) across each pattern variant to confirm the wrap does
not interfere with normal control flow.

Author: d-cs

.server-changes/sanitize-api-loader-action-leaks-sweep.md

@@ -0,0 +1,10 @@
+---
+area: webapp
+type: fix
+---
+
+Sweep across the remaining `apps/webapp/app/routes/api.v1.*` raw loaders/actions that previously let thrown errors propagate to Remix's default 500 serializer, which writes `error.message` into the response body. Earlier passes covered routes with leaking `catch` blocks and two specific naked routes; this pass covers the rest of the API surface that doesn't go through `createLoaderApiRoute` / `createActionApiRoute`.
+
+Each handler now wraps its body in try/catch, re-throws `Response` instances so auth helpers' `throw json(...)` / `throw redirect(...)` pass through unchanged, logs non-Response errors, and returns `{ error: "Internal Server Error" }` 500. For routes that already had an inner try/catch covering a service call but with auth/parsing outside the try (alertChannels, batches.results, deployments.finalize, several others), an outer try/catch is added so the inner typed-error handling is preserved. The `api.v1.authorization-code.ts` catch branch was returning `error.message` verbatim — switched to a generic body.
+
+Each route was verified locally with a synthetic-throw probe: inject `throw new Error("SYNTHETIC ...")` at the top of the catch'd try, curl the route with a dummy bearer token, confirm the response body is the generic shape and that the synthetic message is captured server-side via `logger.error`.

apps/webapp/app/routes/api.v1.artifacts.ts

@@ -13,6 +13,7 @@ export async function action({ request }: ActionFunctionArgs) {
     return json({ error: "Method Not Allowed" }, { status: 405 });
   }
 
+  try {
   const authenticationResult = await authenticateRequest(request, {
     apiKey: true,
     organizationAccessToken: false,
@@ -88,4 +89,9 @@ export async function action({ request }: ActionFunctionArgs) {
         }
       }
     );
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to create artifact", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
+  }
 }

apps/webapp/app/routes/api.v1.auth.jwt.claims.ts

@@ -1,19 +1,26 @@
 import type { LoaderFunctionArgs } from "@remix-run/server-runtime";
 import { json } from "@remix-run/server-runtime";
 import { authenticateApiRequest } from "~/services/apiAuth.server";
+import { logger } from "~/services/logger.server";
 
 export async function action({ request }: LoaderFunctionArgs) {
-  // Next authenticate the request
-  const authenticationResult = await authenticateApiRequest(request);
+  try {
+    // Next authenticate the request
+    const authenticationResult = await authenticateApiRequest(request);
 
-  if (!authenticationResult) {
-    return json({ error: "Invalid or Missing API key" }, { status: 401 });
-  }
+    if (!authenticationResult) {
+      return json({ error: "Invalid or Missing API key" }, { status: 401 });
+    }
 
-  const claims = {
-    sub: authenticationResult.environment.id,
-    pub: true,
-  };
+    const claims = {
+      sub: authenticationResult.environment.id,
+      pub: true,
+    };
 
-  return json(claims);
+    return json(claims);
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to read auth jwt claims", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
+  }
 }

apps/webapp/app/routes/api.v1.auth.jwt.ts

@@ -1,6 +1,7 @@
 import type { LoaderFunctionArgs } from "@remix-run/server-runtime";
 import { json } from "@remix-run/server-runtime";
 import { authenticateApiRequest } from "~/services/apiAuth.server";
+import { logger } from "~/services/logger.server";
 import { z } from "zod";
 import { generateJWT as internal_generateJWT } from "@trigger.dev/core/v3";
 
@@ -14,6 +15,7 @@ const RequestBodySchema = z.object({
 });
 
 export async function action({ request }: LoaderFunctionArgs) {
+  try {
   // Next authenticate the request
   const authenticationResult = await authenticateApiRequest(request);
 
@@ -46,4 +48,9 @@ export async function action({ request }: LoaderFunctionArgs) {
   });
 
   return json({ token: jwt });
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to mint auth jwt", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
+  }
 }

apps/webapp/app/routes/api.v1.authorization-code.ts

@@ -32,7 +32,7 @@ export async function action({ request }: ActionFunctionArgs) {
         error: error.message,
       });
 
-      return json({ error: error.message }, { status: 400 });
+      return json({ error: "Internal Server Error" }, { status: 500 });
     }
 
     return json({ error: "Something went wrong" }, { status: 500 });

apps/webapp/app/routes/api.v1.batches.$batchParam.results.ts

@@ -12,6 +12,7 @@ const ParamsSchema = z.object({
 });
 
 export async function loader({ request, params }: LoaderFunctionArgs) {
+  try {
   // Authenticate the request
   const authenticationResult = await authenticateApiRequest(request);
 
@@ -40,4 +41,9 @@ export async function loader({ request, params }: LoaderFunctionArgs) {
     logger.error("Failed to load batch results", { error });
     return json({ error: "Something went wrong, please try again." }, { status: 500 });
   }
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to load batch results (outer)", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
+  }
 }

apps/webapp/app/routes/api.v1.deployments.$deploymentId.background-workers.ts

@@ -23,6 +23,7 @@ export async function action({ request, params }: ActionFunctionArgs) {
     return json({ error: "Invalid params" }, { status: 400 });
   }
 
+  try {
   // Next authenticate the request
   const authenticationResult = await authenticateApiRequest(request);
 
@@ -76,4 +77,9 @@ export async function action({ request, params }: ActionFunctionArgs) {
 
     return json({ error: "Failed to create background worker" }, { status: 500 });
   }
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to create deployment background worker", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
+  }
 }

apps/webapp/app/routes/api.v1.deployments.$deploymentId.cancel.ts

@@ -20,6 +20,7 @@ export async function action({ request, params }: ActionFunctionArgs) {
     return json({ error: "Invalid params" }, { status: 400 });
   }
 
+  try {
   const authenticationResult = await authenticateRequest(request, {
     apiKey: true,
     organizationAccessToken: false,
@@ -69,4 +70,9 @@ export async function action({ request, params }: ActionFunctionArgs) {
         }
       }
     );
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to cancel deployment", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
+  }
 }

apps/webapp/app/routes/api.v1.deployments.$deploymentId.fail.ts

@@ -21,6 +21,7 @@ export async function action({ request, params }: ActionFunctionArgs) {
     return json({ error: "Invalid params" }, { status: 400 });
   }
 
+  try {
   // Next authenticate the request
   const authenticationResult = await authenticateApiRequest(request);
 
@@ -49,4 +50,9 @@ export async function action({ request, params }: ActionFunctionArgs) {
     },
     { status: 200 }
   );
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to fail deployment", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
+  }
 }

apps/webapp/app/routes/api.v1.deployments.$deploymentId.finalize.ts

@@ -22,6 +22,7 @@ export async function action({ request, params }: ActionFunctionArgs) {
     return json({ error: "Invalid params" }, { status: 400 });
   }
 
+  try {
   // Next authenticate the request
   const authenticationResult = await authenticateApiRequest(request);
 
@@ -59,4 +60,9 @@ export async function action({ request, params }: ActionFunctionArgs) {
     logger.error("Error finalizing deployment", { error });
     return json({ error: "Internal server error" }, { status: 500 });
   }
+  } catch (error) {
+    if (error instanceof Response) throw error;
+    logger.error("Failed to finalize deployment", { error });
+    return json({ error: "Internal Server Error" }, { status: 500 });
+  }
 }