5 changes: 5 additions & 0 deletions .jules/sentinel.md
@@ -1,3 +1,8 @@
## 2026-04-15 - Error handling detail leakage in FastAPI
**Vulnerability:** The exception details were being logged explicitly and passed to users via `raise HTTPException(status_code=500, detail=str(e))`. This led to internal structure and potentially sensitive operational data to be inadvertently exposed to users.
**Learning:** Returning generic responses and suppressing complex error descriptions are a common best practice in API applications. When dealing with exceptions that might include full stack traces, server path locations or DB details we must use the standard error logging to log those issues securely for internal diagnosis and only show generic user facing messages to consumers of the API endpoints to limit potential information extraction.
**Prevention:** Avoid writing explicit `detail=str(e)` lines in endpoints catching generic Exception occurrences. Send standard, generic `HTTPException(status_code=500, detail="An internal server error occurred")` instead and use `logging.error(f"Error: {e}")` to correctly register those errors on the backend.

## 2025-05-15 - Security Headers Middleware Implementation
**Vulnerability:** Lack of defense-in-depth headers (X-Frame-Options, CSP, HSTS, etc.) made the application susceptible to clickjacking, MIME-sniffing, and protocol downgrade attacks.
**Learning:** FastAPI/Starlette does not include these headers by default. Implementing them via `BaseHTTPMiddleware` provides a central way to enforce browser-side security policies across all endpoints. The CSP was specifically tuned to allow `'unsafe-inline'` for script and style to support the FastAPI Swagger UI without breaking functionality.
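Review bot: The new Vulnerability line says the exception details "were being logged explicitly", but the code removed in agents/mistral_agent/agent.py only did `raise HTTPException(status_code=500, detail=str(e))` and contained no logging call, so the entry misdescribes the original flaw. Suggest wording it as details being returned to API clients with no server-side record, which is also what the Prevention line sets out to fix.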
10 changes: 7 additions & 3 deletions agents/mistral_agent/agent.py
Expand Up @@ -8,6 +8,7 @@
"""

import json
import logging
import os
import uuid
from datetime import UTC, datetime
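Review bot: `import logging` is added here without a module-level logger, so the handlers changed later in this file log through the root logger with `logging.error(...)`. Suggest adding `logger = logging.getLogger(__name__)` after the imports and calling `logger.error(...)`, so these records carry the module name and can be filtered or routed separately from other components.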
Expand Down Expand Up @@ -318,7 +319,8 @@ async def gap_analysis(req: GapAnalysisRequest, db: AsyncSession = Depends(get_d
"model": MISTRAL_MODEL,
}
except Exception as e:
raise HTTPException(status_code=500, detail=str(e))
logging.error(f"Error in gap analysis: {e}")
raise HTTPException(status_code=500, detail="An internal server error occurred")


@router.post("/code-review", summary="DevSecOps code security analysis with Codestral")
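Review bot: `logging.error(f"Error in gap analysis: {e}")` in the except block records only `str(e)`, with no exception type or traceback, which leaves little to diagnose from now that the client receives a generic message. Suggest `logging.exception("Error in gap analysis")`, or passing `exc_info=True`, so the full traceback is kept on the server side.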
Expand All @@ -333,7 +335,8 @@ async def code_review(req: CodeReviewRequest, db: AsyncSession = Depends(get_db)
)
return {"analysis": result, "model": MISTRAL_CODE_MODEL}
except Exception as e:
raise HTTPException(status_code=500, detail=str(e))
logging.error(f"Error in code review: {e}")
raise HTTPException(status_code=500, detail="An internal server error occurred")


@router.post("/ask", summary="Ask a CMMC/ZT compliance question")
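Review bot: The except block in code_review is the same three lines as in gap_analysis and ask_question, so the protection depends on every future handler repeating it by hand. Consider a single exception handler registered on the FastAPI application that logs the error and returns the generic 500, and include a request or correlation id in both the log record and the response so a user report can be matched to its log entry.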
Expand All @@ -343,4 +346,5 @@ async def ask_question(req: QuestionRequest):
answer = await agent.answer_compliance_question(req.question, req.context)
return {"question": req.question, "answer": answer, "model": MISTRAL_MODEL}
except Exception as e:
raise HTTPException(status_code=500, detail=str(e))
logging.error(f"Error in ask question: {e}")
raise HTTPException(status_code=500, detail="An internal server error occurred")
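Review bot: In ask_question the caught exception comes from a call that takes `req.question` and `req.context`, and `logging.error(f"Error in ask question: {e}")` writes whatever text the exception carries straight into the log line. If that message can echo request content, embedded CR/LF characters could forge log entries and question text could end up in logs; suggest logging the message with `%r` or escaping control characters in the log formatter, and confirming what the agent's exceptions contain.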