February 26, 2026 | 0.1.13 | Jugg.ai

v0.1.13 — fix: strip sensitive credentials from agentJobs.inputData API responses

Release v0.1.51: Security Fix — Credential Exposure in Job Detail API

What Changed

Fixed a credential exposure vulnerability in the observability.getJobDetail tRPC endpoint. Agent jobs store credentials such as GitHub tokens and API keys in their inputData field; previously, any authenticated project member could retrieve them through this endpoint.

  • Removed inputData from the getJobDetail response entirely
  • Introduced an explicit allowlist of safe, non-credential fields: retryCount and trigger
  • Removed the "Input Context" section from the job detail UI that displayed raw input data
  • Added security comments to related endpoints documenting the same policy
  • Full unit test coverage of the sanitizer utility

Why It Matters

Credentials should never be accessible through APIs meant for observability. This fix ensures sensitive tokens and keys remain server-side only.

Action Required

Operators should rotate any GitHub tokens and API keys that may have been exposed to project members via getJobDetail before this patch.

Release Notes

Release Complete ✅

PR #421 — Merged & Released

PR: fix: strip sensitive credentials from agentJobs.inputData API responses
Merge: Squash-merged to main (SHA: db9e26f189b4841d94eb3d1a1534c45948f03568)


⚠️ Version Note

The requested tag v0.1.13 already existed in the repository, as did v0.1.14 through v0.1.49. After probing for the next available slot, the security fix was published as v0.1.51.

Action needed: An administrator should delete the empty v0.1.50 release/tag via the GitHub UI or API.


What Was Released (v0.1.51 — platform release)

🔒 Security fix — credential exposure in observability.getJobDetail tRPC endpoint:

  • New src/lib/agent-job-input-sanitizer.ts: INPUT_DATA_SAFE_FIELDS allowlist + extractSafeInputMeta() pure utility
  • Fixed observability.getJobDetail: inputData no longer fetched or returned; replaced with inputMeta (safe fields: retryCount, trigger only)
  • Fixed agent-job-detail-dialog.tsx: Removed UI section that rendered raw inputData
  • Documented pr-review.getAgentRationale: Explicit safety comment confirming only featureSpec is extracted
  • New tests/lib/routers/observability-inputdata-security.test.ts: Full unit test coverage of the sanitizer
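As an added example (not Jugg.ai's own code), here is an allowlist sanitizer of the shape the notes above describe, with the pre-fix and post-fix response shapes side by side and the regression check a unit test would run; the signatures of INPUT_DATA_SAFE_FIELDS and extractSafeInputMeta, the AgentJobRow type and the sample values are assumptions.

```typescript
// Added example, not the project's code: INPUT_DATA_SAFE_FIELDS and
// extractSafeInputMeta are names from the release notes; signatures are assumed.

// Only these inputData keys may leave the server through the observability API.
const INPUT_DATA_SAFE_FIELDS = ["retryCount", "trigger"] as const;
type SafeField = (typeof INPUT_DATA_SAFE_FIELDS)[number];
type InputMeta = { [K in SafeField]?: unknown };

// Pure utility: copies allowlisted keys only. Anything not listed (tokens, API
// keys, nested context) is dropped by construction, so a credential field added
// to inputData later is never exposed by default.
function extractSafeInputMeta(inputData: unknown): InputMeta {
  const meta: InputMeta = {};
  if (typeof inputData !== "object" || inputData === null || Array.isArray(inputData)) {
    return meta;
  }
  const record = inputData as Record<string, unknown>;
  for (const key of INPUT_DATA_SAFE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(record, key)) meta[key] = record[key];
  }
  return meta;
}

// Hypothetical job row shape used only for this demonstration.
interface AgentJobRow { id: string; status: string; inputData: Record<string, unknown>; }

// Before the fix (the behaviour the notes describe): inputData returned as-is.
function jobDetailBefore(job: AgentJobRow) {
  return { id: job.id, status: job.status, inputData: job.inputData };
}

// After the fix: inputData replaced by inputMeta built from the allowlist.
function jobDetailAfter(job: AgentJobRow) {
  return { id: job.id, status: job.status, inputMeta: extractSafeInputMeta(job.inputData) };
}

// Constructed sample row with obviously fake secrets.
const sampleJob: AgentJobRow = {
  id: "job_123",
  status: "completed",
  inputData: { retryCount: 2, trigger: "pr_opened", githubToken: "ghp_FAKE_TOKEN", apiKey: "sk_FAKE_KEY" },
};

// Regression check for tests: does any secret survive in the serialized response?
function responseLeaksSecret(response: unknown, secrets: string[]): boolean {
  const serialized = JSON.stringify(response);
  return secrets.some((s) => serialized.includes(s));
}
```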

⚠️ Operators should rotate GitHub tokens and API keys that may have been exposed to project members via getJobDetail before this patch.