AGI-Corporation · AGI-Corporation · Apr 14, 2026
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
@@ -7,3 +7,8 @@
 **Vulnerability:** Not a direct security vulnerability, but an environmental instability. The `requirements.txt` allowed `mistralai>=1.1.0`, which pulled in version 2.x.
 **Learning:** MistralAI 2.x introduces breaking changes in the client import structure (`from mistralai import Mistral` fails if not using the new client correctly or if expecting the old one). This caused the entire application (including security tests) to fail on startup.
 **Prevention:** Pin critical dependencies like `mistralai==1.1.0` in `requirements.txt` to ensure consistent behavior across development and CI environments, especially when using agents that rely on specific API structures.
+
+## 2026-04-14 - Information Leakage in API Exception Handling
+**Vulnerability:** FastAPIs `HTTPException` endpoints (`/gap-analysis`, `/code-review`, `/ask`) were exposing raw internal exception details (`str(e)`) directly to clients on HTTP 500 errors.
+**Learning:** Exposing raw exceptions (`str(e)`) in API responses is an information leakage risk because it can reveal sensitive system details, internal paths, configurations, or downstream dependencies (e.g., Mistral client errors) to external users. The application needs to securely log the internal stack trace without exposing it.
+**Prevention:** Always log exceptions server-side using the `logging` module (`logging.error()`) and raise an `HTTPException` with a generic `detail` message (e.g., "An internal server error occurred.") to avoid leaking implementation details.
diff --git a/agents/mistral_agent/agent.py b/agents/mistral_agent/agent.py
@@ -8,6 +8,7 @@
 """
 
 import json
+import logging
 import os
 import uuid
 from datetime import UTC, datetime
@@ -318,7 +319,8 @@ async def gap_analysis(req: GapAnalysisRequest, db: AsyncSession = Depends(get_d
             "model": MISTRAL_MODEL,
         }
     except Exception as e:
-        raise HTTPException(status_code=500, detail=str(e))
+        logging.error(f"Error in /gap-analysis: {e}")
+        raise HTTPException(status_code=500, detail="An internal server error occurred")
 
 
 @router.post("/code-review", summary="DevSecOps code security analysis with Codestral")
@@ -333,7 +335,8 @@ async def code_review(req: CodeReviewRequest, db: AsyncSession = Depends(get_db)
         )
         return {"analysis": result, "model": MISTRAL_CODE_MODEL}
     except Exception as e:
-        raise HTTPException(status_code=500, detail=str(e))
+        logging.error(f"Error in /code-review: {e}")
+        raise HTTPException(status_code=500, detail="An internal server error occurred")
 
 
 @router.post("/ask", summary="Ask a CMMC/ZT compliance question")
@@ -343,4 +346,5 @@ async def ask_question(req: QuestionRequest):
         answer = await agent.answer_compliance_question(req.question, req.context)
         return {"question": req.question, "answer": answer, "model": MISTRAL_MODEL}
     except Exception as e:
-        raise HTTPException(status_code=500, detail=str(e))
+        logging.error(f"Error in /ask: {e}")
+        raise HTTPException(status_code=500, detail="An internal server error occurred")