diff --git a/.jules/sentinel.md b/.jules/sentinel.md
index a6c92980..67d91a69 100644
--- a/.jules/sentinel.md
+++ b/.jules/sentinel.md
@@ -126,3 +126,4 @@ Error messages should never include raw values from sensitive sources like envir
 **Prevention:**
 1.  Avoid including raw values in error messages when the source is potentially sensitive (env vars, auth headers).
 2.  Use generic error messages for validation failures of sensitive data.
+## 2026-02-24 - [MEDIUM] Environment Variable Leakage in Error Messages\n\n**Vulnerability:**\nError messages for environment variable configuration were returning the raw value string. If a user configured it to point to a sensitive environment variable, the secret value would be exposed in the error message.\n\n**Learning:**\nError messages should never include raw values from sensitive sources like environment variables, even for validation errors. Configuration errors can easily lead to secrets being treated as normal values.\n\n**Prevention:**\n1.  Avoid including raw values in error messages when the source is potentially sensitive (env vars, auth headers).\n2.  Use generic error messages for validation failures of sensitive data.\n
diff --git a/src/automation/artifact-signing-config.ts b/src/automation/artifact-signing-config.ts
index 1b328b7f..678f0613 100644
--- a/src/automation/artifact-signing-config.ts
+++ b/src/automation/artifact-signing-config.ts
@@ -53,5 +53,5 @@ function parseExplicitBoolean(value: string | undefined, envName: string): boole
     return false;
   }
 
-  throw new ConfigurationError(`${envName} must be either 'true' or 'false', got '${normalized}'.`);
+  throw new ConfigurationError(`${envName} must be either 'true' or 'false'.`);
 }
diff --git a/src/mcp/mcp-server.ts b/src/mcp/mcp-server.ts
index 9e35ac39..e26dfeed 100644
--- a/src/mcp/mcp-server.ts
+++ b/src/mcp/mcp-server.ts
@@ -2483,7 +2483,7 @@ export class MCPServer {
     const parsed = Number(raw);
     if (Number.isNaN(parsed) || parsed <= 0) {
       throw new ConfigurationError(
-        `Invalid MCP4_TOOL_FILTER_WARN_THRESHOLD_PCT: expected positive number, got '${raw}'.`
+        `Invalid MCP4_TOOL_FILTER_WARN_THRESHOLD_PCT: expected positive number.`
       );
     }
     return parsed;
diff --git a/src/tool-filter/config/env-config-parser.ts b/src/tool-filter/config/env-config-parser.ts
index e11a617f..4ee5c44b 100644
--- a/src/tool-filter/config/env-config-parser.ts
+++ b/src/tool-filter/config/env-config-parser.ts
@@ -100,7 +100,7 @@ export class EnvConfigParser {
       }
 
       throw new ConfigurationError(
-        `MCP4_TOOL_FILTER_ALLOW_CATEGORIES supports only 'list' and 'read', got '${entry}'`
+        `MCP4_TOOL_FILTER_ALLOW_CATEGORIES supports only 'list' and 'read'.`
       );
     }