
🛡️ Sentinel: [HIGH] Fix sensitive credential exposure in plaintext inputs #92

Open: bobdivx wants to merge 1 commit into dev from sentinel-fix-plaintext-credentials-14569345265680042943

Conversation

@bobdivx (Owner) commented May 25, 2026

🚨 Severity: HIGH

💡 Vulnerability: Multiple configuration and setup components in the frontend (UploadTrackersManagerPanel.tsx, UploadAssistantPanel.tsx, UploadTrackerPanel.tsx, TmdbConfig.tsx, TmdbStep.tsx) were using <input type="text"> for highly sensitive fields such as API keys and tracker passkeys. Additionally, autoComplete was left enabled.

🎯 Impact: This exposes these credentials to physical shoulder-surfing (as the characters are fully visible on screen). Furthermore, without autoComplete="off", browsers may cache or suggest these secrets in dropdowns or history, leaving them vulnerable to local machine compromises or accidental exposure during screen sharing.

🔧 Fix: Modified all identified sensitive credential input fields to use <input type="password"> and explicitly set autoComplete="off". This masks the input characters and prevents browsers from recording the values. Documented this critical learning in the .jules/sentinel.md journal.

Verification:

  • Verified that all five components have been modified.
  • Ran pnpm lint without related errors.
  • Ran pnpm test successfully.
  • Verified build using pnpm build (via bun install workaround for missing deps) and cleaned up bun.lock.
  • Verified .jules/sentinel.md appending.

PR created automatically by Jules for task 14569345265680042943 started by @bobdivx

…puts

This commit addresses a security vulnerability where sensitive API keys and passkeys were rendered using standard text inputs in multiple settings and setup components (`UploadTrackersManagerPanel.tsx`, `UploadAssistantPanel.tsx`, `UploadTrackerPanel.tsx`, `TmdbConfig.tsx`, `TmdbStep.tsx`).

By converting `<input type="text">` to `<input type="password" autoComplete="off">`, these fields are now protected against physical shoulder-surfing and browser auto-fill/caching mechanisms, adhering to the principle of least privilege regarding data visibility. The security learning has also been appended to the sentinel journal.

Co-authored-by: bobdivx <6737167+bobdivx@users.noreply.github.com>
@vercel (Bot) commented May 25, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: popcorn-client | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): May 25, 2026 6:46am

@google-labs-jules (Contributor) commented

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@gemini-code-assist (Bot) left a comment

Code Review

This pull request enhances security by masking sensitive input fields, such as API keys and passkeys, across multiple configuration and setup components by changing their type to "password" and adding "autoComplete" attributes. It also updates the security documentation to reflect these changes. Feedback across all modified files suggests using 'autoComplete="new-password"' instead of 'autoComplete="off"' to more reliably prevent modern browsers from attempting to autofill or save these secrets as site credentials.

Comment on lines +207 to +208
type="password"
autoComplete="off"

medium

While autoComplete="off" is intended to prevent browser caching, modern browsers often ignore it for fields of type="password" to prioritize their built-in password managers. For sensitive fields like API keys that are not traditional login passwords, using autoComplete="new-password" is generally more effective at preventing browsers from offering to save or autofill the field with unrelated credentials.

Suggested change
type="password"
autoComplete="off"
type="password"
autoComplete="new-password"
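Review bot: the two visible lines only change `type` and `autoComplete`, so this hunk does not show whether the same input also echoes a previously stored key back through its value binding; if it does, masking hides the characters on screen but the secret is still present in the rendered DOM and component state, and the usual pattern for stored API keys and passkeys is a write-only field that stays blank until the user enters a replacement. The surrounding lines in each of the five components should be checked for that before merging, independently of the "off" versus "new-password" choice.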

Comment on lines +1681 to +1682
type="password"
autoComplete="off"

medium

Modern browsers frequently ignore autoComplete="off" on password-type inputs. To more reliably prevent browser password managers from attempting to capture or autofill these API key and passkey fields, consider using autoComplete="new-password".

Suggested change
type="password"
autoComplete="off"
type="password"
autoComplete="new-password"

Comment on lines +1698 to +1699
type="password"
autoComplete="off"

medium

As with the API key field, using autoComplete="new-password" here will better prevent modern browsers from ignoring the directive and attempting to manage this passkey as a site password.

Suggested change
type="password"
autoComplete="off"
type="password"
autoComplete="new-password"

Comment on lines +323 to +324
type="password"
autoComplete="off"

medium

Consider using autoComplete="new-password" instead of "off". Most modern browsers ignore the off value for password inputs. new-password is a more robust way to signal that the browser should not autofill this field with existing site passwords.

Suggested change
type="password"
autoComplete="off"
type="password"
autoComplete="new-password"

Comment on lines +272 to +273
type="password"
autoComplete="off"

medium

Using autoComplete="new-password" is typically more effective than "off" for sensitive fields like API keys. Modern browsers often bypass off on password inputs, but new-password explicitly tells the browser's password manager to treat it as a unique secret and avoid autofilling it.

Suggested change
type="password"
autoComplete="off"
type="password"
autoComplete="new-password"

Comment on lines +286 to +287
type="password"
autoComplete="off"

medium

Switching to autoComplete="new-password" here will help ensure that browsers do not incorrectly suggest or save this passkey as a login credential for the application.

Suggested change
type="password"
autoComplete="off"
type="password"
autoComplete="new-password"

Comment on lines +299 to +300
type="password"
autoComplete="off"

medium

To ensure that browsers do not attempt to autofill this TMDB API key with a user's site password, autoComplete="new-password" is recommended over "off", as the latter is often ignored by modern browser heuristics for password-type inputs.

Suggested change
type="password"
autoComplete="off"
type="password"
autoComplete="new-password"
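Both the PR's fix (`type="password"` with `autoComplete="off"`) and the reviewer's preferred `autoComplete="new-password"` can be checked mechanically rather than by eye across five components. The TypeScript below is an added example, not code from this PR or from the popcorn-client project: it scans TSX source text for `<input>` elements whose name, id, placeholder or aria-label looks like a secret, reports those still rendered as plaintext, those with no `autoComplete` at all, and those that rely on `autoComplete="off"`, and produces the hardened form of each element. The `SECRET_HINT` pattern, the function names and the sample TSX are constructed assumptions; attribute values are only recognised when written as string literals, so JSX expression values are not inspected.

```typescript
// Added example, not code from the PR or its repository: a source-level audit
// that scans JSX/TSX text for <input> elements whose name/id/placeholder looks
// like a secret and reports those that are rendered as plaintext, lack an
// autoComplete attribute, or rely on autoComplete="off" rather than the
// reviewer's suggested "new-password". Attribute values are only matched when
// written as string literals (JSX expression values are not parsed: an assumption).

const SECRET_HINT = /(api[-_ ]?key|passkey|password|secret|token)/i; // assumed heuristic

type Problem = "plaintext" | "autocomplete-missing" | "autocomplete-off";

interface Finding {
  line: number;     // 1-based line where the element starts
  element: string;  // the raw <input ...> text
  problem: Problem;
}

// Read one JSX element starting at `start`, honouring quotes and {...} so a
// `>` inside an arrow function such as onChange={(e) => ...} does not end it.
function readElement(src: string, start: number): string {
  let depth = 0;
  let quote: string | null = null;
  for (let i = start; i < src.length; i++) {
    const c = src.charAt(i);
    if (quote !== null) { if (c === quote) quote = null; continue; }
    if (c === '"' || c === "'") quote = c;
    else if (c === "{") depth++;
    else if (c === "}") depth--;
    else if (c === ">" && depth === 0) return src.slice(start, i + 1);
  }
  return src.slice(start); // unterminated element: return what is there
}

// Value of a string-literal attribute (case-insensitive name), or undefined.
function readAttr(el: string, name: string): string | undefined {
  const m = new RegExp(`\\s${name}\\s*=\\s*["']([^"']*)["']`, "i").exec(el);
  return m ? m[1] : undefined;
}

function auditInputs(source: string): Finding[] {
  const findings: Finding[] = [];
  const opener = /<input\b/gi;
  let m: RegExpExecArray | null;
  while ((m = opener.exec(source)) !== null) {
    const el = readElement(source, m.index);
    opener.lastIndex = m.index + el.length;
    const label = ["name", "id", "placeholder", "aria-label"]
      .map((a) => readAttr(el, a) ?? "")
      .join(" ");
    if (!SECRET_HINT.test(label)) continue; // not a secret-bearing field
    const line = source.slice(0, m.index).split("\n").length;
    const type = (readAttr(el, "type") ?? "text").toLowerCase(); // HTML default type is text
    const ac = readAttr(el, "autoComplete"); // the "i" flag also matches autocomplete
    if (type !== "password") findings.push({ line, element: el, problem: "plaintext" });
    else if (ac === undefined) findings.push({ line, element: el, problem: "autocomplete-missing" });
    else if (ac.toLowerCase() === "off") findings.push({ line, element: el, problem: "autocomplete-off" });
  }
  return findings;
}

// Rewrite one element to the hardened form: type="password" plus
// autoComplete="new-password", preserving every other attribute.
function hardenElement(el: string): string {
  let out = el;
  const typeRe = /(\s)type\s*=\s*["'][^"']*["']/i;
  out = typeRe.test(out)
    ? out.replace(typeRe, '$1type="password"')
    : out.replace(/^<input/i, '<input type="password"');
  const acRe = /(\s)autocomplete\s*=\s*["'][^"']*["']/i;
  out = acRe.test(out)
    ? out.replace(acRe, '$1autoComplete="new-password"')
    : out.replace(/^<input/i, '<input autoComplete="new-password"');
  return out;
}

// Constructed sample, modelled on the field kinds named in the PR (not real project code).
const SAMPLE_TSX = `
<input type="text" name="tmdbApiKey" placeholder="TMDB API Key" onChange={(e) => setKey(e.target.value)} />
<input type="password" autoComplete="off" name="trackerPasskey" placeholder="Tracker passkey" />
<input type="password" autoComplete="new-password" id="apiKey" />
<input type="text" name="displayName" placeholder="Display name" />
<input type="password" name="secretToken" />
`;

for (const f of auditInputs(SAMPLE_TSX)) {
  console.log(`line ${f.line}: ${f.problem}\n  before: ${f.element}\n  after:  ${hardenElement(f.element)}`);
}
```

Run it over a whole component directory by feeding each file's text to `auditInputs`; a non-empty result on a pre-commit hook or in CI catches the next sensitive field that is added as `type="text"`, which is the class of regression this PR fixes by hand. The `displayName` field in the sample shows that the audit is keyed on what the field holds, not on every input, so ordinary text inputs are left alone.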
