🛡️ Sentinel: [MEDIUM] Fix information disclosure in upload error handling

[socialawy-dev]

🚨 Severity: MEDIUM
💡 Vulnerability: The /projects/{project_id}/ingest API endpoint returned raw exception messages directly to clients on failure, potentially exposing sensitive internal details like stack traces, specific system errors, or file paths.
🎯 Impact: Attackers could use this internal system information to map infrastructure or find other exploitation vectors.
🔧 Fix: Captured the actual exception using logger.error for safe internal logging, and returned a generic, non-sensitive error message (Upload failed due to an internal error) via the HTTP 500 response.
✅ Verification: Review the log entries to confirm Upload failed for project includes the exception details and that the detail in HTTPException returns the safe string. Tests pass successfully.

---

PR created automatically by Jules for task 13803727874769485186 started by @socialawy

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[gemini-code-assist]

Code Review

This pull request addresses an information disclosure vulnerability in the /projects/{project_id}/ingest endpoint by sanitizing error messages returned to the client and logging the actual errors internally. It also updates the security documentation to reflect this fix. A review comment suggests using logger.exception instead of logger.error to ensure the full stack trace is captured for debugging purposes.

[gemini-code-assist]

Using logger.exception is preferred over logger.error with the exception string in an except block. logger.exception automatically captures the full stack trace, which is invaluable for debugging internal errors that are now hidden from the API response. Note that logger.exception is already used elsewhere in this file (e.g., line 59).

Suggested change

	logger.error(f"Upload failed for project {project_id}: {e}")
	logger.exception(f"Upload failed for project {project_id}")

[socialawy]

Superseded by #90 (merged ac23b55). The Sentinel/Jules SafeStaticFiles chain was iterating on the same middleware; #90's Path(str(path).lower()) fix addresses the root AttributeError. Closing as duplicate; re-open if a distinct vulnerability emerges.

[google-labs-jules]

Superseded by #90 (merged ac23b55). The Sentinel/Jules SafeStaticFiles chain was iterating on the same middleware; #90's Path(str(path).lower()) fix addresses the root AttributeError. Closing as duplicate; re-open if a distinct vulnerability emerges.

Understood. Acknowledging that this work is superseded by #90 and stopping work on this task.