Origin
Resolution of audit finding HC-7 (2026-04-07). Prior rule text on some domain files suggested variants such as NOT_FOUND "Entity not found or already deleted" — a legacy pattern that leaked soft-delete state through the error message itself. The canonical format eliminates the variance.
Rule Text
The canonical NOT_FOUND error takes the form NOT_FOUND "<Entity> not found" where <Entity> is the capitalized singular noun for the entity type. No "or already deleted" suffix. No "or soft-deleted" suffix. No interpolation of user input, entity IDs, or request parameters into the string.
Testable Assertion
expect(error.code).toBe('NOT_FOUND');
expect(error.message).toMatch(/^[A-Z][a-z ]+ not found$/);
expect(error.message).not.toMatch(/\d/); // no interpolated IDs
Enforcement
- Gate-time — Static-analysis rule matches every NOT_FOUND TRPCError construction in procedure files and asserts the message conforms to the canonical regex. Fails the build on any variant.
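A minimal sketch of such a gate check, added here as an illustration and not the project's own rule. It scans source text rather than an AST, and the names `callArgs`, `checkSource` and `SAMPLE` are hypothetical. It flags both a non-canonical literal and any message that is not a plain string literal, which is where interpolated IDs and user input enter.

```javascript
// Added example: text-scanning gate check. A production rule would walk the AST.
const CANONICAL = /^[A-Z][a-z ]+ not found$/; // regex from the Testable Assertion

// Return the argument text of a call, given the index just past its "(".
// Quote-aware, so parentheses or ${...} inside strings do not end the call early.
function callArgs(src, start) {
  let depth = 1, quote = null;
  for (let i = start; i < src.length; i++) {
    const ch = src[i];
    if (quote) {
      if (ch === '\\') i++;               // skip the escaped character
      else if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'" || ch === '`') quote = ch;
    else if (ch === '(') depth++;
    else if (ch === ')' && --depth === 0) return src.slice(start, i);
  }
  return src.slice(start); // unbalanced input: check what is there
}

// Scan one file's text; return [{ line, reason }] for each non-conforming construction.
function checkSource(src) {
  const violations = [];
  for (const m of src.matchAll(/new\s+TRPCError\s*\(/g)) {
    const args = callArgs(src, m.index + m[0].length);
    if (!/code\s*:\s*(['"`])NOT_FOUND\1/.test(args)) continue;
    const line = src.slice(0, m.index).split('\n').length;
    // Accept only a plain '...' or "..." literal followed by "," or "}".
    // Template literals, concatenation and variables are rejected outright,
    // since they are how IDs and user input get interpolated.
    const lit = args.match(/message\s*:\s*(['"])((?:\\.|(?!\1).)*)\1\s*(?:,|\}|$)/);
    if (!lit) violations.push({ line, reason: 'message is not a plain string literal' });
    else if (!CANONICAL.test(lit[2])) violations.push({ line, reason: `non-canonical: ${lit[2]}` });
  }
  return violations;
}

// Constructed sample input, not taken from any real code base.
const SAMPLE = [
  "throw new TRPCError({ code: 'NOT_FOUND', message: 'Invoice not found' });",
  "throw new TRPCError({ code: 'NOT_FOUND', message: 'Entity not found or already deleted' });",
  "throw new TRPCError({ code: 'NOT_FOUND', message: `Invoice ${input.id} not found` });",
  "throw new TRPCError({ code: 'FORBIDDEN', message: 'Not allowed (role 3)' });",
].join('\n');

console.log(checkSource(SAMPLE));
```

A build step would run `checkSource` over each procedure file and exit non-zero when the returned list is non-empty.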
Violation Closed
Soft-delete state leakage through error messages (attackers could distinguish “deleted” from “never existed”). User-input interpolation that enabled log-injection attacks via crafted entity IDs. Cross-domain variance that made mechanical assertion impossible.