diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 00000000..9668f080 --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,4 @@ +## 2024-05-20 - MONGODB_URI Password Disclosure Risk via Partial String Masking +**Vulnerability:** The public unauthenticated `/debug` endpoint was outputting `process.env.MONGODB_URI.substring(0, 60)`, intending to show a truncated preview of the string. However, since MongoDB URIs take the format `mongodb+srv://:@.mongodb.net/...`, the first 60 characters usually include the entire username and plaintext password. +**Learning:** Developers sometimes assume taking the beginning of a string is safe for logging, failing to consider the internal structure of the secret (like connection URIs) where the most sensitive data is at the very beginning. +**Prevention:** Never use substring on connection strings or URLs to mask them. Either log a boolean (presence check) or use a dedicated parser to extract non-sensitive parts (like the host) if partial logging is truly needed. diff --git a/src/app/debug/route.ts b/src/app/debug/route.ts index 10a77d99..dfa30e63 100644 --- a/src/app/debug/route.ts +++ b/src/app/debug/route.ts @@ -17,7 +17,7 @@ export async function GET() { // Database MONGODB_URI: process.env.MONGODB_URI - ? `✅ SET (${process.env.MONGODB_URI.substring(0, 60)}...)` + ? '✅ SET (hidden for security)' : '❌ NOT SET', // Derived info
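Review bot: In the `.jules/sentinel.md` hunk the URI format example `mongodb+srv://:@.mongodb.net/...` has lost its placeholder names (most likely `<user>`, `<password>` and `<cluster>` were stripped as markup when the line was written), so the sentence no longer shows why the credentials sit at the start of the string. Suggest spelling the placeholders out without angle brackets, e.g. `mongodb+srv://USER:PASSWORD@CLUSTER.mongodb.net/...`, so the entry is readable in any renderer. The "Prevention" paragraph would also benefit from naming the parser it has in mind; in Node, `new URL(uri).hostname` returns the host without the userinfo part, which is the safe thing to log if a partial preview is ever wanted.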
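Review bot: The `src/app/debug/route.ts` hunk removes the credential leak, but the entry above describes `/debug` as public and unauthenticated, and this change leaves that unchanged; the remaining `✅ SET` / `❌ NOT SET` presence check is low risk on its own, yet the lines that follow (`// Derived info`) suggest more environment-derived fields are still emitted from the same handler, so each of those should get the same review, and the endpoint should be gated (authentication, or disabled outside development) rather than relying on every field being individually safe. Since the first 60 characters of `MONGODB_URI` were served to anyone who requested the endpoint, the database user's password should be treated as disclosed and rotated as part of landing this change; the code fix alone does not undo the exposure.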