🛡️ Sentinel: [MEDIUM] Fix physical security exposure of sensitive credentials

[bobdivx]

🚨 Severity: MEDIUM
💡 Vulnerability: Sensitive credentials like API keys and passkeys were being rendered in frontend settings components (e.g., TmdbConfig, UploadAssistantPanel) using standard text inputs (<input type="text">).
🎯 Impact: This creates a physical security exposure, making these sensitive values susceptible to shoulder-surfing. Additionally, it increases the risk of these values being cached by the browser or exposed via autofill.
🔧 Fix: Updated the relevant input fields to use <input type="password"> alongside autoComplete="off". This ensures the inputs are visually masked and prevents browser caching/autofill behavior.
✅ Verification: Ran npm test and npm run build locally to verify no regressions were introduced. Evaluated component implementations in TmdbConfig.tsx, UploadTrackerPanel.tsx, UploadTrackersManagerPanel.tsx, and UploadAssistantPanel.tsx.

---

PR created automatically by Jules for task 16863479979649137440 started by @bobdivx

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
popcorn-client	Ready	Preview, Comment	May 24, 2026 6:29am

[gemini-code-assist]

Code Review

This pull request enhances physical security by updating sensitive credential fields, such as API keys and passkeys, to use type="password" and autoComplete="off" across several settings panels. The review identified critical logic errors in UploadAssistantPanel.tsx and UploadTrackersManagerPanel.tsx where incorrect state setters are called during focus events, potentially clearing the wrong data. Additionally, the feedback suggests extending these security improvements to other sensitive fields like announceUrl and rawCookie that remain exposed to browser caching and autofill.

[gemini-code-assist]

The change to type="password" is correct for physical security. However, there is a bug on line 1704 (just outside this hunk) where onFocus calls setApiKey('') instead of setPasskey(''). This will cause the API key to be cleared when the passkey field is focused.

[gemini-code-assist]

The change to type="password" is correct. However, there is a bug on line 292 (just outside this hunk) where onFocus calls setApiKey('') instead of setPasskey(''). Additionally, the announceUrl field at line 300 also contains a sensitive passkey and should be protected with autoComplete="off" to align with the security goals of this PR.

[gemini-code-assist]

The change to type="password" is correct. However, the announceUrl field at line 373 and the rawCookie textarea at line 295 also contain sensitive credentials and remain exposed. These fields should at least have autoComplete="off" added to prevent browser caching and autofill, consistent with the security improvements made to other sensitive fields in this PR.