From 2fdec3a9a8469eb9308df6e2e6626e3614a6b325 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Sat, 18 Apr 2026 07:11:40 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[CRITICAL]?= =?UTF-8?q?=20Fix=20Internal=20Error=20Leakage=20via=20API=20Responses=20i?= =?UTF-8?q?n=20MCP=20Server?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: davidruzicka <14172985+davidruzicka@users.noreply.github.com>
---
 src/mcp/mcp-server-apps.test.ts | 4 ++--
 src/mcp/mcp-server.ts | 24 +++++++++++++++++++++---
 2 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/src/mcp/mcp-server-apps.test.ts b/src/mcp/mcp-server-apps.test.ts
index 0b1d042d..7c255418 100644
--- a/src/mcp/mcp-server-apps.test.ts
+++ b/src/mcp/mcp-server-apps.test.ts
@@ -277,11 +277,11 @@ describe('MCPServer apps resources', () => {
 
 expect(invalidReadResponse.error).toEqual({
 code: -32602,
- message: 'resources/read requires string parameter "uri"',
+ message: expect.stringMatching(/^Validation error: resources\/read requires string parameter "uri" \(correlation ID: [a-f0-9-]+\)$/),
 });
 expect(invalidCompletionResponse.error).toEqual({
 code: -32602,
- message: 'completion/complete requires a resource ref',
+ message: expect.stringMatching(/^Validation error: completion\/complete requires a resource ref \(correlation ID: [a-f0-9-]+\)$/),
 });
 });
 
diff --git a/src/mcp/mcp-server.ts b/src/mcp/mcp-server.ts
index 9e35ac39..798c4642 100644
--- a/src/mcp/mcp-server.ts
+++ b/src/mcp/mcp-server.ts
@@ -1858,12 +1858,18 @@ export class MCPServer {
 code = -32601;
 }
 
+ const correlationId = generateCorrelationId();
+ this.logger.error('prompts/get handler error', error instanceof Error ? error : new Error(String(error)), {
+ correlationId,
+ method: 'prompts/get',
+ });
+
 return {
 jsonrpc: '2.0',
 id: req.id,
 error: {
 code,
- message: (error as Error).message,
+ message: this.formatErrorForClient(error, correlationId),
 },
 };
 }
@@ -1901,12 +1907,18 @@ export class MCPServer {
 result: await this.readResource(params.uri, sessionId, profileId),
 };
 } catch (error) {
+ const correlationId = generateCorrelationId();
+ this.logger.error('resources/read handler error', error instanceof Error ? error : new Error(String(error)), {
+ correlationId,
+ method: 'resources/read',
+ });
+
 return {
 jsonrpc: '2.0',
 id: req.id,
 error: {
 code: error instanceof ValidationError ? -32602 : -32601,
- message: (error as Error).message,
+ message: this.formatErrorForClient(error, correlationId),
 },
 };
 }
@@ -1920,12 +1932,18 @@ export class MCPServer {
 result: await this.completeResourceArgument(req as CompleteRequest, sessionId, profileId),
 };
 } catch (error) {
+ const correlationId = generateCorrelationId();
+ this.logger.error('completion/complete handler error', error instanceof Error ? error : new Error(String(error)), {
+ correlationId,
+ method: 'completion/complete',
+ });
+
 return {
 jsonrpc: '2.0',
 id: req.id,
 error: {
 code: error instanceof ValidationError ? -32602 : -32601,
- message: (error as Error).message,
+ message: this.formatErrorForClient(error, correlationId),
 },
 };
 }
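Review bot: Nothing in this patch pins the case the fix is for. The updated expectations in mcp-server-apps.test.ts only show that a ValidationError's text is still returned with a correlation ID appended, while the treatment of every other error is left to `formatErrorForClient`, which is defined outside this diff. A test that makes the `prompts/get` handler fail with a plain `Error` carrying a recognisable message, and asserts that this message does not appear in `error.message`, would cover it; the `resources/read` and `completion/complete` hunks below need the same. Because validation text is still echoed to the client, it is also worth confirming that no ValidationError raised on these paths embeds file paths or upstream response bodies. The catch block edited here starts above the hunk.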
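Review bot: The `code` line kept in this catch block still reports every non-validation failure as -32601, which JSON-RPC 2.0 defines as "Method not found". With the message presumably reduced to a generic text for those errors, the code is the main signal a client or a monitoring rule has left, and it names the wrong cause. If `readResource` can fail for internal reasons, `code: error instanceof ValidationError ? -32602 : -32603,` would match the specification's "Internal error"; the `completion/complete` hunk carries the same line. Existing clients or tests may depend on -32601, so check that before changing it.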
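Review bot: This is the third copy of the same correlation-ID, log and format sequence, differing only in the method string, so any later change to what is logged or returned has to be made in three places and can drift apart. One private helper on MCPServer that takes the request id, the code, the method name and the caught error, and returns the error response, would keep the three handlers identical. Validation failures are also logged at `error` level here; since any client can trigger them, a lower level for `ValidationError` would keep real faults visible in the log.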