fix: Hide potentially-sensitive alert errors

[pulpdrew]

Summary

This PR updates the recent alert runner error persistence + display (#2132) to hardcode webhook and unknown-type errors. The raw error messages could contain potentially sensitive information, so we won't persist them or show them in the UI.

How to test locally or on Vercel

This can be tested locally by running an alert with an invalid webhook destination.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 72d3340

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
hyperdx-oss	Ready	Preview, Comment	Apr 20, 2026 11:14am

[github-actions]

🔴 Tier 4 — Critical

Touches auth, data models, config, tasks, OTel pipeline, ClickHouse, or CI/CD.

Why this tier:

• Critical-path files (1):
  • packages/api/src/tasks/checkAlerts/index.ts

Review process: Deep review from a domain expert. Synchronous walkthrough may be required.
SLA: Schedule synchronous review within 2 business days.

Stats

• Production files changed: 1
• Production lines changed: 14 (+ 86 in test files, excluded from tier calculation)
• Branch: drew/alert-error-security
• Author: pulpdrew

To override this classification, remove the review/tier-4 label and apply a different review/tier-* label. Manual overrides are preserved on subsequent pushes.

[github-actions]

PR Review

✅ No critical issues found.

• ⚠️ .slice(0, 10000) is applied to hardcoded strings in makeAlertError — harmless but redundant since the constants are under 200 chars. No fix required, minor cleanup opportunity.
• ℹ️ QUERY_ERROR and INVALID_ALERT still surface raw messages (ClickHouse errors, internal validation). The inline comment explains this is intentional ("authored by us"), but worth a second look if ClickHouse errors could ever include user-supplied query content that embeds sensitive data.

Overall: clean approach, well-tested, tests explicitly assert the raw error string does not leak (!e.message.includes('group webhook failed')). Good addition of the UNKNOWN error test case.

[github-actions]

E2E Test Results

✅ All tests passed • 147 passed • 3 skipped • 1073s

Status	Count
✅ Passed	147
❌ Failed	0
⚠️ Flaky	3
⏭️ Skipped	3

Tests ran across 4 shards in parallel.

View full report →