🛡️ Sentinel: [MEDIUM] Fix information leakage in upload route

.jules/sentinel.md

@@ -0,0 +1,4 @@
+## 2025-05-31 - [API Error Handling Leakage]
+**Vulnerability:** Next.js API routes were leaking detailed configuration and error statuses directly in client HTTP responses. For example, `src/app/api/upload/route.ts` returned whether `CLOUDINARY_CLOUD_NAME`, `CLOUDINARY_API_KEY`, and `CLOUDINARY_API_SECRET` environment variables were set, and also passed detailed Cloudinary exceptions including potential HTTP codes and library-specific errors back to the caller.
+**Learning:** Returning deep object errors to clients is a common pattern for debugging but violates the principle of failing securely. It exposes service topology and potential missing configurations to the public network, which attackers could use to fingerprint services or identify vulnerable attack surfaces.
+**Prevention:** Implement a consistent error-handling boundary in API routes. Log detailed service errors, environment variable states, and upstream API responses locally using `console.error` (or a dedicated logging service) for server-side debugging. Respond to clients with sanitized, generic error strings (e.g., 'An error occurred during file upload' or 'Service configuration error') to adhere to the fail-secure principle.