|
| 1 | +# Error Messages — Worked Examples |
| 2 | + |
| 3 | +Companion to the `## Error Messages` section of `CLAUDE.md`. That section |
| 4 | +holds the rules; this file holds longer examples and anti-patterns that |
| 5 | +would bloat CLAUDE.md if inlined. |
| 6 | + |
| 7 | +## The four ingredients |
| 8 | + |
| 9 | +Every message needs, in order: |
| 10 | + |
| 11 | +1. **What** — the rule that was broken. |
| 12 | +2. **Where** — the exact file, line, key, field, or CLI flag. |
| 13 | +3. **Saw vs. wanted** — the bad value and the allowed shape or set. |
| 14 | +4. **Fix** — one concrete action, in imperative voice. |
| 15 | + |
| 16 | +## Library API errors (terse) |
| 17 | + |
| 18 | +Callers may match on the message text, so stability matters. Aim for one |
| 19 | +sentence. |
| 20 | + |
| 21 | +| ✗ / ✓ | Message | Notes | |
| 22 | +| ----- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | |
| 23 | +| ✗ | `Error: invalid component` | No rule, no saw, no where. | |
| 24 | +| ✗ | `The "name" component of type "npm" failed validation because the provided value "" is empty, which is not allowed because names are required; please provide a non-empty name.` | Restates the rule three times. | |
| 25 | +| ✓ | `npm "name" component is required` | Rule + where + implied saw (missing). Six words. | |
| 26 | +| ✗ | `Error: bad name` | No rule. | |
| 27 | +| ✓ | `name "__proto__" cannot start with an underscore` | Rule, where (`name`), saw (`__proto__`), fix implied. | |
| 28 | +| ✗ | `Error: invalid argument` | No where, no rule, no fix. | |
| 29 | +| ✓ | `orgSlug is required` | Rule + where (`orgSlug`), saw (missing), implies fix. | |
| 30 | +| ✗ | `Error: request failed` | No status, no hint what to check. | |
| 31 | +| ✓ | `Socket API rejected the token (401); check SOCKET_API_TOKEN` | Rule (401), where (token), fix (check env var). | |
| 32 | + |
| 33 | +## Validator / config / build-tool errors (verbose) |
| 34 | + |
| 35 | +The reader is looking at a file and wants to fix the record without |
| 36 | +re-running the tool. Give each ingredient its own words. |
| 37 | + |
| 38 | +✗ `Error: invalid tour config` |
| 39 | + |
| 40 | +✓ `tour.json: part 3 ("Parsing & Normalization") is missing "filename". Add a single-word lowercase filename (e.g. "parsing") to this part — one per part is required to route /<slug>/part/3 at publish time.` |
| 41 | + |
| 42 | +Breakdown: |
| 43 | + |
| 44 | +- **What**: `is missing "filename"` — the rule is "each part has a filename". |
| 45 | +- **Where**: `tour.json: part 3 ("Parsing & Normalization")` — file + record + human label. |
| 46 | +- **Saw vs. wanted**: saw = missing; wanted = a single-word lowercase filename, with `"parsing"` as a concrete model. |
| 47 | +- **Fix**: `Add … to this part` — imperative, specific. |
| 48 | + |
| 49 | +The trailing `to route /<slug>/part/3 at publish time` is optional. Include a _why_ clause only when the rule is non-obvious; skip it for rules the reader already knows (e.g. "names can't start with an underscore"). |
| 50 | + |
| 51 | +## Programmatic errors (terse, rule only) |
| 52 | + |
| 53 | +Internal assertions and invariant checks. No end user will read them; |
| 54 | +terse keeps the assertion readable when you skim the code. |
| 55 | + |
| 56 | +- ✓ `assert(queue.length > 0)` with message `queue drained before worker exit` |
| 57 | +- ✓ `pool size must be positive` |
| 58 | +- ✗ `An unexpected error occurred while trying to acquire a connection from the pool because the pool size was not positive.` — nothing a maintainer can act on that the rule itself doesn't already say. |
| 59 | + |
| 60 | +## Common anti-patterns |
| 61 | + |
| 62 | +**"Invalid X" with no rule.** |
| 63 | + |
| 64 | +- ✗ `Invalid filename 'My Part'` |
| 65 | +- ✓ `filename 'My Part' must be [a-z]+ (lowercase, no spaces)` |
| 66 | + |
| 67 | +**Passive voice on the fix.** |
| 68 | + |
| 69 | +- ✗ `"filename" was missing` |
| 70 | +- ✓ `add "filename" to part 3` |
| 71 | + |
| 72 | +**Naming only one side of a collision.** |
| 73 | + |
| 74 | +- ✗ `duplicate key "foo"` (which record won, which lost?) |
| 75 | +- ✓ `duplicate key "foo" in config.json (lines 12 and 47) — rename one` |
| 76 | + |
| 77 | +**Silently auto-correcting.** |
| 78 | + |
| 79 | +- ✗ Stripping a trailing slash from a URL and continuing. The next run will hit the same bug; nothing learned. |
| 80 | +- ✓ `url "https://api/" has a trailing slash — remove it`. |
| 81 | + |
| 82 | +**Bloat that restates the rule.** |
| 83 | + |
| 84 | +- ✗ `The value provided for "timeout" is invalid because timeouts must be positive numbers and the value you provided was not a positive number.` |
| 85 | +- ✓ `timeout must be a positive number (saw: -5)` |
| 86 | + |
| 87 | +## Formatting lists of values |
| 88 | + |
| 89 | +When the error needs to show an allowed set, a list of conflicting |
| 90 | +records, or multiple missing fields, use the list formatters from |
| 91 | +`@socketsecurity/lib/arrays` rather than hand-joining with commas: |
| 92 | + |
| 93 | +- `joinAnd(['a', 'b', 'c'])` → `"a, b, and c"` — for conjunctions ("missing foo, bar, and baz") |
| 94 | +- `joinOr(['npm', 'pypi', 'maven'])` → `"npm, pypi, or maven"` — for disjunctions ("must be one of: …") |
| 95 | + |
| 96 | +Both wrap `Intl.ListFormat`, so the Oxford comma and one-/two-item cases come out right for free (`joinOr(['a'])` → `"a"`; `joinOr(['a', 'b'])` → `"a or b"`). |
| 97 | + |
| 98 | +- ✗ `--reach-ecosystems must be one of: npm, pypi, maven (saw: "foo")` — hand-joined, breaks if the list has one or two entries. |
| 99 | +- ✓ `` `--reach-ecosystems must be one of: ${joinOr(ALLOWED)} (saw: "foo")` `` |
| 100 | +- ✗ `missing keys: filename slug title` — no separators, no grammar. |
| 101 | +- ✓ `` `missing keys: ${joinAnd(missing)}` `` → `"missing keys: filename, slug, and title"` |
| 102 | + |
| 103 | +Use `joinOr` whenever the error is "must be one of X", `joinAnd` whenever it's "all of X are required / missing / in conflict". |
| 104 | + |
| 105 | +## Working with caught values |
| 106 | + |
| 107 | +`catch (e)` binds `unknown`. The helpers in `@socketsecurity/lib/errors` cover the four patterns that recur everywhere: |
| 108 | + |
| 109 | +```ts |
| 110 | +import { |
| 111 | + errorMessage, |
| 112 | + errorStack, |
| 113 | + isError, |
| 114 | + isErrnoException, |
| 115 | +} from '@socketsecurity/lib/errors' |
| 116 | +``` |
| 117 | + |
| 118 | +### `isError(value)` — replaces `value instanceof Error` |
| 119 | + |
| 120 | +Cross-realm-safe. Uses the native ES2025 `Error.isError` when the engine ships it, falls back to a spec-compliant shim otherwise. Catches Errors from worker threads, `vm` contexts, and iframes that same-realm `instanceof Error` silently misses. |
| 121 | + |
| 122 | +- ✗ `if (e instanceof Error) { … }` |
| 123 | +- ✓ `if (isError(e)) { … }` |
| 124 | + |
| 125 | +### `isErrnoException(value)` — replaces `'code' in err` guards |
| 126 | + |
| 127 | +Narrows to `NodeJS.ErrnoException` (an Error with a string `code` set by libuv/syscalls like `ENOENT`, `EACCES`, `EBUSY`, `EPERM`). Builds on `isError`, so it's also cross-realm-safe, and it checks that `code` is a string — a merely branded Error without a real errno code returns `false`. |
| 128 | + |
| 129 | +- ✗ `if (e && typeof e === 'object' && 'code' in e && e.code === 'ENOENT') { … }` |
| 130 | +- ✓ `if (isErrnoException(e) && e.code === 'ENOENT') { … }` |
| 131 | + |
| 132 | +### `errorMessage(value)` — replaces the `instanceof Error ? e.message : String(e)` pattern |
| 133 | + |
| 134 | +Walks the `cause` chain via `messageWithCauses`, coerces primitives and objects to string, and returns the shared `UNKNOWN_ERROR` sentinel (the string `'Unknown error'`) for `null`, `undefined`, empty strings, `[object Object]`, or Errors with no message. |
| 135 | + |
| 136 | +That last bullet is the important one: **every `|| 'Unknown error'` fallback in the fleet should collapse into a single `errorMessage(e)` call.** |
| 137 | + |
| 138 | +- ✗ `` `Failed: ${e instanceof Error ? e.message : String(e)}` `` |
| 139 | +- ✗ `` `Failed: ${(e as Error)?.message ?? 'Unknown error'}` `` |
| 140 | +- ✗ `` `Failed: ${e instanceof Error ? e.message : 'Unknown error'}` `` |
| 141 | +- ✓ `` `Failed: ${errorMessage(e)}` `` |
| 142 | + |
| 143 | +When you want to preserve the cause chain upstream (recommended), pair it with `{ cause }`: |
| 144 | + |
| 145 | +```ts |
| 146 | +try { |
| 147 | + await readConfig(path) |
| 148 | +} catch (e) { |
| 149 | + throw new Error(`Failed to read ${path}: ${errorMessage(e)}`, { cause: e }) |
| 150 | +} |
| 151 | +``` |
| 152 | + |
| 153 | +### `errorStack(value)` — cause-aware stack, or `undefined` |
| 154 | + |
| 155 | +Returns the cause-walking stack for Errors; returns `undefined` for non-Errors so logger calls stay safe: |
| 156 | + |
| 157 | +```ts |
| 158 | +logger.error(`rebuild failed: ${errorMessage(e)}`, { stack: errorStack(e) }) |
| 159 | +``` |
| 160 | + |
| 161 | +## Voice & tone |
| 162 | + |
| 163 | +- Imperative for the fix: `rename`, `add`, `remove`, `set`. |
| 164 | +- Present tense for the rule: `must be`, `cannot`, `is required`. |
| 165 | +- No apology ("Sorry, …"), no blame ("You provided …"). State the rule and the fix. |
| 166 | +- Don't end with "please"; it doesn't add information and it makes the message feel longer than it is. |
| 167 | + |
| 168 | +## Bloat check |
| 169 | + |
| 170 | +Before shipping a message, cross out any word that, if removed, leaves the information intact. If only rhythm or politeness disappears, drop it. |
0 commit comments