🛡️ Sentinel: [HIGH] Fix sensitive credential exposure in inputs

[bobdivx]

🚨 Severity: HIGH
💡 Vulnerability: Sensitive credentials (API keys and passkeys) were exposed as plain text via <input type="text">, introducing physical shoulder-surfing risks and browser autofill history leakage vulnerabilities.
🎯 Impact: Attackers could gain unauthorized access to TMDB API keys, C411 API keys, and passkeys via shoulder-surfing or local machine access, leading to credential theft.
🔧 Fix: Replaced <input type="text"> with <input type="password"> and set autoComplete="off" for all sensitive keys in src/components/settings/UploadAssistantPanel.tsx, src/components/setup/steps/TmdbStep.tsx, and src/components/settings/TmdbConfig.tsx.
✅ Verification: Ran pnpm build and pnpm test. Verified changes manually via code inspection.

---

PR created automatically by Jules for task 4555932048091957854 started by @bobdivx

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
popcorn-client	Ready	Preview, Comment	May 20, 2026 6:46am

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[gemini-code-assist]

Code Review

This pull request addresses a security vulnerability where sensitive credentials, such as API keys and passkeys, were exposed as plain text in input fields. The changes update several components—TmdbConfig.tsx, UploadAssistantPanel.tsx, and TmdbStep.tsx—to use type="password" and autoComplete="off", and the sentinel documentation has been updated accordingly. Feedback across all modified files suggests using autoComplete="new-password" instead of "off" to more effectively prevent modern browsers from suggesting or caching credentials.

[gemini-code-assist]

Modern browsers often ignore autoComplete='off' for password fields. Using autoComplete='new-password' is more effective at preventing the browser from suggesting saved credentials.

Suggested change

	autoComplete="off"
	autoComplete="new-password"

[gemini-code-assist]

Modern browsers often ignore autoComplete='off' for password fields. Using autoComplete='new-password' is more effective at preventing the browser from suggesting saved credentials.

Suggested change

	autoComplete="off"
	autoComplete="new-password"

[gemini-code-assist]

Modern browsers often ignore autoComplete='off' for password fields. Using autoComplete='new-password' is more effective at preventing the browser from suggesting saved credentials.

Suggested change

	autoComplete="off"
	autoComplete="new-password"

[gemini-code-assist]

Modern browsers often ignore autoComplete='off' for password fields. Using autoComplete='new-password' is more effective at preventing the browser from suggesting saved credentials.

Suggested change

	autoComplete="off"
	autoComplete="new-password"