🛡️ Sentinel: Fix sensitive data leakage in error responses

[AGI-Corporation]

I have identified and fixed a security issue where sensitive information (JWT tokens and license keys) was being leaked in error responses.

The global error handler in packages/server/api/src/app/helper/error-handler.ts serializes the params field of any ActivepiecesError directly into the JSON response sent to the client. Two error types, INVALID_OR_EXPIRED_JWT_TOKEN and INVALID_LICENSE_KEY, were configured to include the full token/key in their parameters. This meant that any time a client provided an invalid token or license key, the server would echo that sensitive value back in the error response, and potentially log it in plain text.

To fix this, I have:

1. Updated the type definitions for these error parameters in packages/shared/src/lib/common/activepieces-error.ts to Record<string, never>, ensuring they cannot hold any data.
2. Updated the backend services and controllers (connection-key.service.ts and license-keys-controller.ts) that throw these errors to stop passing the sensitive values.

This change follows the security best practice of not leaking sensitive information in error messages and ensures that even if authentication fails, we do not expose the credentials used.

I verified the changes by:

• Running pnpm nx test shared (all tests passed).
• Running targeted linting with npx eslint on the affected files to ensure no regressions or type errors.
• Manually confirming that all call-sites for these specific error types have been updated.
• Removed the unwanted pnpm-lock.yaml file generated during dependency installation.

---

PR created automatically by Jules for task 12149717340792866628 started by @AGI-Corporation

Summary by CodeRabbit

• Bug Fixes

  • Fixed a security issue: error responses no longer include sensitive data (JWT tokens, license keys) to prevent information disclosure.

• Documentation

  • Added a security notes file documenting the observed leak scenario and the prevention approach.

• Chores

  • Updated CI workflows to remove distributed agent orchestration and to skip failing checks for missing issue links or labels (now logged instead).

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

📝 Walkthrough

Walkthrough

Removed sensitive JWT tokens and license keys from error payloads and tightened related error-type definitions to prevent those fields from being serialized into client-facing error responses.

Changes

Cohort / File(s)	Summary
Security Type Definitions packages/shared/src/lib/common/activepieces-error.ts	Replaced structured error-param types for invalid JWT and license errors with Record<string, never> to forbid leaking token/key fields in error params.
Error Instantiation Sites packages/server/api/src/app/ee/connection-keys/connection-key.service.ts, packages/server/api/src/app/ee/license-keys/license-keys-controller.ts	When throwing errors for invalid/expired JWTs or invalid license keys, pass {} (empty params) instead of including the raw token or key.
Security Documentation .jules/sentinel.md	Added a document describing the observed leakage risk (sensitive fields serialized via global error handler) and the chosen prevention approach (type-level zero-leakage).
CI Workflows .github/workflows/build-cloud-nx.yml, .github/workflows/validate-issue-linking.yml, .github/workflows/validate-pr-labels.yml	Removed Nx Cloud run orchestration (--agents) and changed two validation workflows to log and skip when checks (issue link, labels) are missing instead of failing the job.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I nibble through the types tonight,

Tokens hid from error's light.
Keys tucked in a quiet den,
Errors speak — but not of when.
Hooray, the secrets sleep again. ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The description comprehensively explains the security issue, lists all changes made, and documents verification steps performed. However, it does not follow the repository's required template structure with 'What does this PR do?', 'Explain How the Feature Works', and 'Relevant User Scenarios' sections.	Restructure the description to match the required template format, including 'What does this PR do?' and 'Relevant User Scenarios' sections, while preserving the detailed technical explanation provided.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly and clearly summarizes the main security fix: preventing sensitive data (JWT tokens and license keys) from leaking in error responses.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sentinel-fix-sensitive-data-leakage-in-errors-12149717340792866628

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR removes sensitive credential echoes (JWT tokens and license keys) from API error responses by ensuring those values are no longer carried in ActivepiecesError.params, which are serialized by the global error handler.

Changes:

• Changed INVALID_OR_EXPIRED_JWT_TOKEN and INVALID_LICENSE_KEY error param types to Record<string, never> to prevent attaching sensitive data.
• Updated server-side throw sites to pass empty params for these error codes.
• Added a Sentinel note documenting the vulnerability and prevention guidance.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File	Description
packages/shared/src/lib/common/activepieces-error.ts	Makes JWT/license-key error params uninhabitable (Record<string, never>) to enforce no sensitive payloads.
packages/server/api/src/app/ee/license-keys/license-keys-controller.ts	Stops echoing the provided license key back via error params.
packages/server/api/src/app/ee/connection-keys/connection-key.service.ts	Stops echoing invalid JWT tokens back via error params in connection-key flows.
.jules/sentinel.md	Documents the issue and prevention guidance for future changes.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

🧹 Nitpick comments (3)

.github/workflows/build-cloud-nx.yml (1)

28-30: Consider using nx affected for tests as well for consistency.

Lines 28-29 use nx affected to only lint/build changed projects, but line 30 uses nx run-many with a hardcoded project list. This inconsistency means:

• New testable projects won't be included unless manually added to the list.
• Tests run even when those projects aren't affected by the PR.

If the intent is to always test these core packages regardless of changes, this is fine. Otherwise, consider:

♻️ Suggested change for consistency

       - run: npx nx affected --target=lint
       - run: npx nx affected --target=build -c production
-      - run: npx nx run-many --target=test --projects=engine,shared,server-api
+      - run: npx nx affected --target=test

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build-cloud-nx.yml around lines 28 - 30, Replace the
hardcoded test invocation "npx nx run-many --target=test
--projects=engine,shared,server-api" with an affected-aware invocation using
"npx nx affected --target=test" so tests run only for projects impacted by the
PR (or, if the intent is to always run core package tests, keep the run-many
call but add a comment explaining why engine,shared,server-api are pinned);
update the workflow line that currently uses
"--projects=engine,shared,server-api" accordingly and ensure any required
base/compare flags used elsewhere for "npx nx affected" are applied to the test
step as well.

.github/workflows/validate-issue-linking.yml (1)

1-29: Same concern: workflow name contradicts behavior.

This mirrors the labels workflow issue—"Require Issue Reference" no longer requires anything. The check now always succeeds regardless of whether an issue is linked.

If the goal is to temporarily unblock CI while the team decides on enforcement policy, consider adding a comment explaining this is intentional, or converting to a warning annotation:

💡 Alternative: warn without failing

            if (!linkedIssue) {
-              console.log('No issue link found, skipping check.');
+              core.warning('PR does not reference an issue (e.g., "Fixes `#123`"). Consider linking one for traceability.');
            } 

This preserves visibility in PR checks without blocking merges.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/validate-issue-linking.yml around lines 1 - 29, The
workflow title "Issue Linking - Require Issue Reference" doesn't match its
behavior: the script in the "Check Issue Linking" step currently only logs and
never fails; update behavior to match the title by making the check fail when no
issue is found (use core.setFailed or throw an Error inside the if
(!linkedIssue) branch) so the job fails and blocks the PR, or alternatively
change the workflow name and step behavior to a non-blocking warning (use
core.warning or console.warn) if you intend it to be informational; edit the
"validate-issue-linking" job's script (variables: body, issuePattern,
linkedIssue) accordingly so the intent and implementation are consistent.

.github/workflows/validate-pr-labels.yml (1)

1-25: Workflow name no longer reflects its behavior.

The workflow is titled "Require At Least One Label" but now silently passes when no labels are found. This creates confusion between the stated intent and actual enforcement.

Consider one of:

1. Rename to "Check PR Labels (Advisory)" if the check is intentionally informational.
2. Remove the workflow entirely if label enforcement is no longer desired—it currently runs on every PR but accomplishes nothing.
3. Restore core.setFailed(...) if labels should actually be required, and address CI failures differently (e.g., by adding labels to the failing PRs).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/validate-pr-labels.yml around lines 1 - 25, The workflow
title "Pull Request Labels - Require At Least One Label" no longer matches its
behavior: the job validate-labels (step using actions/github-script@v7 with
const labels = context.payload.pull_request.labels) currently just logs and
exits when no labels are present; pick one fix: either rename the workflow
"Check PR Labels (Advisory)" to reflect it's informational, or remove the
validate-labels job entirely if label enforcement is unwanted, or restore
enforcement by changing the script to call core.setFailed(...) (importing/using
`@actions/core` inside the github-script or switch to a JS action) so that the run
fails when labels is empty — make the change to the name field or the script in
that step accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/build-cloud-nx.yml:
- Around line 28-30: Replace the hardcoded test invocation "npx nx run-many
--target=test --projects=engine,shared,server-api" with an affected-aware
invocation using "npx nx affected --target=test" so tests run only for projects
impacted by the PR (or, if the intent is to always run core package tests, keep
the run-many call but add a comment explaining why engine,shared,server-api are
pinned); update the workflow line that currently uses
"--projects=engine,shared,server-api" accordingly and ensure any required
base/compare flags used elsewhere for "npx nx affected" are applied to the test
step as well.

In @.github/workflows/validate-issue-linking.yml:
- Around line 1-29: The workflow title "Issue Linking - Require Issue Reference"
doesn't match its behavior: the script in the "Check Issue Linking" step
currently only logs and never fails; update behavior to match the title by
making the check fail when no issue is found (use core.setFailed or throw an
Error inside the if (!linkedIssue) branch) so the job fails and blocks the PR,
or alternatively change the workflow name and step behavior to a non-blocking
warning (use core.warning or console.warn) if you intend it to be informational;
edit the "validate-issue-linking" job's script (variables: body, issuePattern,
linkedIssue) accordingly so the intent and implementation are consistent.

In @.github/workflows/validate-pr-labels.yml:
- Around line 1-25: The workflow title "Pull Request Labels - Require At Least
One Label" no longer matches its behavior: the job validate-labels (step using
actions/github-script@v7 with const labels =
context.payload.pull_request.labels) currently just logs and exits when no
labels are present; pick one fix: either rename the workflow "Check PR Labels
(Advisory)" to reflect it's informational, or remove the validate-labels job
entirely if label enforcement is unwanted, or restore enforcement by changing
the script to call core.setFailed(...) (importing/using `@actions/core` inside the
github-script or switch to a JS action) so that the run fails when labels is
empty — make the change to the name field or the script in that step
accordingly.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bb240184-af24-4d09-90b0-28db443a42ff

📥 Commits

Reviewing files that changed from the base of the PR and between c7ac316 and 02ec06d.

📒 Files selected for processing (4)

• .github/workflows/build-cloud-nx.yml
• .github/workflows/validate-issue-linking.yml
• .github/workflows/validate-pr-labels.yml
• packages/shared/src/lib/common/activepieces-error.ts