> Common Error Handling
Cross-cutting standards for error design, response shapes, error codes, and boundary placement. Use when handling errors, designing exception flows, or standardizing error responses.
curl "https://skillshub.wtf/HoangNguyen0403/agent-skills-standard/error-handling?format=md"Common Error Handling Standards
Priority: P1 (OPERATIONAL)
Consistent, predictable error handling is the backbone of maintainable systems. Errors are first-class citizens — design them explicitly.
🏗 Error Response Shape (HTTP APIs)
All API errors MUST use a consistent envelope:
{
"error": {
"code": "USER_NOT_FOUND",
"message": "The requested user does not exist.",
"traceId": "4bf92f3577b34da6a3ce929d0e0e4736",
"details": []
}
}
| Field | Rule |
|---|---|
code | SCREAMING_SNAKE_CASE machine-readable code. Never localize. |
message | Human-readable English summary. Safe for end-users (no stack traces). |
traceId | Correlation ID from the request context. |
details | Optional array of field-level validation errors. Empty for non-validation errors. |
🗂 Error Classification
| Layer | Error Type | Strategy |
|---|---|---|
| Validation | 400 Bad Request | Return details[] with field paths |
| Authentication | 401 Unauthorized | Generic message — never expose reason |
| Authorization | 403 Forbidden | Log attempt, never expose role info |
| Not Found | 404 Not Found | Distinguishable from auth errors |
| Conflict | 409 Conflict | Include conflicting resource ID |
| Unhandled | 500 Internal Server Error | Log full context, return generic message |
📦 Error Wrapping vs Replacement
- Wrap when adding context:
fmt.Errorf("processOrder: %w", err)(Go) /new ServiceError('msg', { cause: err })(JS). - Replace only when the original error leaks sensitive internal details.
- Never swallow: Catch without logging or re-throwing hides bugs — forbidden.
🛡 Boundary Placement
- API Layer: Translate domain/infrastructure errors into HTTP responses. Use a global exception filter/middleware.
- Domain Layer: Throw domain-specific errors (e.g.,
InsufficientStockError). Never reference HTTP status codes. - Infrastructure Layer: Throw infrastructure errors (e.g.,
DatabaseConnectionError). Wrap 3rd party exceptions. - Never: Let infrastructure errors (raw DB/network exceptions) bubble up to the API response.
Request → [API Layer: maps to HTTP] → [Domain: business errors] → [Infra: DB/network errors]
🔢 Error Code Design
- Codes are permanent IDs — treat them like API contracts. Once published, never rename.
- Format:
<DOMAIN>_<NOUN>_<VERB>→ORDER_PAYMENT_FAILED,USER_EMAIL_DUPLICATE. - Define in a centralized constants file; never inline magic strings.
Anti-Patterns
- No
catch(e) {}: Always log or re-throw. - No stack traces in responses: Leak internal structure to attackers.
- No generic
500for validation: Use400withdetails. - No HTTP status codes in domain layer: Domain errors are business concepts, not transport decisions.
- No error-code proliferation: Prefer a small, well-documented set over one code per exception class.
> related_skills --same-repo
> common-store-changelog
Generate user-facing release notes for the Apple App Store and Google Play Store by collecting git history, triaging user-impacting changes, and drafting store-compliant changelogs. Enforces character limits (App Store ≤4000, Google Play ≤500), tone, and bullet format. Use when generating release notes, app store changelog, play store release, what's new, or version release notes for any mobile app. (triggers: generate changelog, app store notes, play store release, what's new, release notes, ve
> golang-tooling
Go developer toolchain — gopls LSP diagnostics, linting, formatting, and vet. Use when setting up Go tooling, running linters, or integrating gopls with Claude Code. (triggers: gopls, golangci-lint, golangci.yml, go vet, goimports, staticcheck, go tooling, go lint)
> common-ui-design
Design distinctive, production-grade frontend UI with bold aesthetic choices. Use when building web components, pages, interfaces, dashboards, or applications in any framework (React, Next.js, Angular, Vue, HTML/CSS). (triggers: build a page, create a component, design a dashboard, landing page, UI for, build a layout, make it look good, improve the design, build UI, create interface, design screen)
> common-owasp
OWASP Top 10 audit checklist for Web Applications (2021) and APIs (2023). Load during any security review, PR review, or codebase audit touching web, mobile backend, or API code. (triggers: security review, OWASP, broken access control, IDOR, BOLA, injection, broken auth, API review, authorization, access control)