diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 00000000..b69068e2
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2024-05-15 - Information Exposure via Public Debug Endpoint
+**Vulnerability:** A public debug endpoint (`/debug`) was exposing sensitive environment variables, including `MONGODB_URI` (truncated but still leaking the password and cluster info) and `NEXTAUTH_URL`.
+**Learning:** Even partial exposure of connection strings (e.g., using `substring(0, 60)`) can leak sensitive authentication material like passwords. Furthermore, debug endpoints intended for local development should never be accessible without authentication or deployed to production.
+**Prevention:** Remove or strictly authenticate and authorize debug routes. Never expose environment variables or connection strings, even partially, in API responses. Use internal logging instead of public-facing endpoints for debugging configuration issues.
diff --git a/src/app/debug/route.ts b/src/app/debug/route.ts
deleted file mode 100644
index 10a77d99..00000000
--- a/src/app/debug/route.ts
+++ /dev/null
@@ -1,100 +0,0 @@
-import { NextResponse } from 'next/server';
-
-/**
- * Simple debug endpoint to check environment variables
- * This is a public endpoint (no auth required)
- * DELETE THIS FILE BEFORE DEPLOYING TO PRODUCTION
- */
-export async function GET() {
- const envVars = {
- // Authentication
- NEXTAUTH_URL: process.env.NEXTAUTH_URL || '❌ NOT SET',
- NEXTAUTH_SECRET: process.env.NEXTAUTH_SECRET ? '✅ SET (hidden for security)' : '❌ NOT SET',
-
- // API
- NEXT_PUBLIC_API_URL: process.env.NEXT_PUBLIC_API_URL || '(empty - using same origin)',
- NODE_ENV: process.env.NODE_ENV,
-
- // Database
- MONGODB_URI: process.env.MONGODB_URI
- ? `✅ SET (${process.env.MONGODB_URI.substring(0, 60)}...)`
- : '❌ NOT SET',
-
- // Derived info
- DEPLOYMENT_URL: process.env.VERCEL_URL
- ? `https://${process.env.VERCEL_URL}`
- : 'Not on Vercel (localhost)',
- };
-
- // Check if NEXTAUTH_URL is correct
- const nextAuthUrlStatus = () => {
- const url = process.env.NEXTAUTH_URL;
- if (!url) return '❌ NOT SET - This will cause login to fail!';
- if (url === 'http://localhost:3000') return '⚠️ LOCALHOST - Only for development. Change to your Vercel domain for production!';
- if (!url.startsWith('http')) return '❌ INVALID - Missing http/https';
- if (url.includes('localhost')) return '⚠️ LOCALHOST - Change to Vercel domain for production';
- if (url.includes('vercel.app')) return '✅ LOOKS CORRECT - Production Vercel domain detected';
- return '✅ LOOKS CORRECT';
- };
-
- const recommendations = [];
-
- if (!process.env.NEXTAUTH_URL) {
- recommendations.push('❌ CRITICAL: NEXTAUTH_URL not set - Login will fail');
- } else if (process.env.NEXTAUTH_URL === 'http://localhost:3000' && process.env.NODE_ENV === 'production') {
- recommendations.push('❌ CRITICAL: NEXTAUTH_URL is localhost on production - Change to your Vercel domain');
- }
-
- if (!process.env.NEXTAUTH_SECRET) {
- recommendations.push('❌ CRITICAL: NEXTAUTH_SECRET not set');
- }
-
- if (!process.env.MONGODB_URI) {
- recommendations.push('❌ CRITICAL: MONGODB_URI not set - Database connection will fail');
- }
-
- if (recommendations.length === 0) {
- recommendations.push('✅ All critical environment variables are set');
- }
-
- return NextResponse.json(
- {
- status: '🔍 Environment Variable Check',
- timestamp: new Date().toISOString(),
- environment: process.env.NODE_ENV,
- isDevelopment: process.env.NODE_ENV === 'development',
- isProduction: process.env.NODE_ENV === 'production',
- isVercel: !!process.env.VERCEL_URL,
-
- environmentVariables: envVars,
-
- validationStatus: {
- NEXTAUTH_URL: nextAuthUrlStatus(),
- NEXTAUTH_SECRET: process.env.NEXTAUTH_SECRET ? '✅ SET' : '❌ NOT SET',
- MONGODB_URI: process.env.MONGODB_URI ? '✅ SET' : '❌ NOT SET',
- },
-
- recommendations,
-
- debugInfo: {
- message: 'If you see ❌ (NOT SET) for any variable above, that is the problem',
- nextStep: 'Go to Vercel Settings → Environment Variables and set the missing variables',
- waitTime: '⏱️ Wait 2-3 minutes after changing variables for Vercel to redeploy',
- },
-
- // Simple table format
- summary: `
-════════════════════════════════════════════════════════════
-ENVIRONMENT VARIABLE STATUS
-════════════════════════════════════════════════════════════
-NEXTAUTH_URL: ${envVars.NEXTAUTH_URL}
-NEXTAUTH_SECRET: ${process.env.NEXTAUTH_SECRET ? '✅ SET' : '❌ NOT SET'}
-MONGODB_URI: ${process.env.MONGODB_URI ? '✅ SET' : '❌ NOT SET'}
-NEXT_PUBLIC_API_URL: ${envVars.NEXT_PUBLIC_API_URL}
-NODE_ENV: ${process.env.NODE_ENV}
-════════════════════════════════════════════════════════════
- `,
- },
- { status: 200 }
- );
-}