
🛡️ Sentinel: [MEDIUM] Fix sensitive fields exposure #94

Open. bobdivx wants to merge 1 commit into dev from sentinel/fix-sensitive-fields-exposure-15627435920515958039

Conversation

@bobdivx (Owner) commented May 27, 2026

🚨 Severity: MEDIUM
💡 Vulnerability: Sensitive API keys and Passkeys were previously inputted in plain text fields (type="text") across the Upload tracker configuration panels. This leads to credential exposure through shoulder surfing and browser autofill history leakage.
🎯 Impact: An attacker or unauthorized individual looking over a user's shoulder, or gaining access to the browser's autocomplete history, could obtain these keys and use them to impersonate the user or bypass authentication measures on integrated external trackers.
🔧 Fix: Updated the input fields for apiKey and passkey in UploadAssistantPanel.tsx, UploadTrackerPanel.tsx, and UploadTrackersManagerPanel.tsx to use type="password" to visually mask the characters, and added autoComplete="off" to explicitly instruct browsers not to store the values in their form history.
✅ Verification: Ran pnpm test and pnpm build successfully, ensuring no regressions. When a user enters text into the API Key or Passkey fields in these panels, the characters should now appear as dots/asterisks, and the browser should no longer offer previous entries as autocomplete suggestions.


PR created automatically by Jules for task 15627435920515958039 started by @bobdivx

Changes the input `type` of sensitive API keys and passkeys in tracking configuration panels from "text" to "password". Also adds `autoComplete="off"` to prevent the browser from saving or suggesting these credentials.

Co-authored-by: bobdivx <6737167+bobdivx@users.noreply.github.com>
@vercel (Bot) commented May 27, 2026

The latest updates on your projects:

Project: popcorn-client | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): May 27, 2026 6:40am

@google-labs-jules (Contributor) commented

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@gemini-code-assist (Bot) left a comment

Code Review

This pull request improves security by changing sensitive input fields (API keys and passkeys) from plain text to password fields with autocomplete disabled. The reviewer suggests using autoComplete="new-password" instead of autoComplete="off" across all updated inputs, as modern browsers and password managers often ignore "off" on password fields, which can lead to unwanted credential autofill.

Comment on lines +1681 to +1682
type="password"
autoComplete="off"
Label: security-medium (severity: medium)

Modern browsers and password managers often ignore autoComplete='off' on fields of type='password' to ensure password managers can still function. This can cause browsers to autofill the user's saved login credentials into these API key and passkey fields. To reliably prevent autofill on sensitive fields that are not the user's login password, use autoComplete='new-password' instead.

Suggested change
type="password"
autoComplete="off"
type="password"
autoComplete="new-password"
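Review bot: the `new-password` suggestion on these two lines is right, and one caveat applies to all five inputs touched by this PR: both `type="password"` and `autoComplete` are only hints to the browser, so the masked field still holds the plaintext key in the DOM and in the panel's React state, and the manual check described under Verification (characters shown as dots, no autocomplete offered) would be stronger as a component test that asserts `type="password"` and the chosen `autoComplete` value on each apiKey and passkey input in UploadAssistantPanel.tsx, UploadTrackerPanel.tsx and UploadTrackersManagerPanel.tsx.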

Comment on lines +1698 to +1699
type="password"
autoComplete="off"
Label: security-medium (severity: medium)

Modern browsers and password managers often ignore autoComplete='off' on fields of type='password' to ensure password managers can still function. This can cause browsers to autofill the user's saved login credentials into these API key and passkey fields. To reliably prevent autofill on sensitive fields that are not the user's login password, use autoComplete='new-password' instead.

Suggested change
type="password"
autoComplete="off"
type="password"
autoComplete="new-password"

Comment on lines +323 to +324
type="password"
autoComplete="off"
Label: security-medium (severity: medium)

Modern browsers and password managers often ignore autoComplete='off' on fields of type='password' to ensure password managers can still function. This can cause browsers to autofill the user's saved login credentials into these API key and passkey fields. To reliably prevent autofill on sensitive fields that are not the user's login password, use autoComplete='new-password' instead.

Suggested change
type="password"
autoComplete="off"
type="password"
autoComplete="new-password"

Comment on lines +272 to +273
type="password"
autoComplete="off"
Label: security-medium (severity: medium)

Modern browsers and password managers often ignore autoComplete='off' on fields of type='password' to ensure password managers can still function. This can cause browsers to autofill the user's saved login credentials into these API key and passkey fields. To reliably prevent autofill on sensitive fields that are not the user's login password, use autoComplete='new-password' instead.

Suggested change
type="password"
autoComplete="off"
type="password"
autoComplete="new-password"

Comment on lines +286 to +287
type="password"
autoComplete="off"
Label: security-medium (severity: medium)

Modern browsers and password managers often ignore autoComplete='off' on fields of type='password' to ensure password managers can still function. This can cause browsers to autofill the user's saved login credentials into these API key and passkey fields. To reliably prevent autofill on sensitive fields that are not the user's login password, use autoComplete='new-password' instead.

Suggested change
type="password"
autoComplete="off"
type="password"
autoComplete="new-password"
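A CI guard for the class of regression this PR fixes and for the reviewer's `new-password` point, as an added example (not code from the PR or the project): it scans TSX source for `<input>` tags bound to apiKey/passkey fields and reports any that are plain text, lack `autoComplete`, or still use `"off"`. The sample TSX is constructed; the sensitivity heuristic (name, id or bound value mentioning apiKey or passkey) is an assumption.

```typescript
// Added example: a lightweight source scan for sensitive <input> elements.
// Attribute parsing is a deliberately simple regex, adequate for JSX input
// tags whose attribute values are quoted strings or {expressions}.

interface Finding {
  field: string;   // the sensitive field the input is bound to
  problem: string; // what is wrong with its attributes
}

const SENSITIVE = /apikey|passkey/i;           // assumed naming convention
const INPUT_TAG = /<input\b([^>]*?)\/?>/g;     // captures the attribute list

// Parse `name="value"` and `name={expr}` attributes into a map.
function attrsOf(tag: string): Record<string, string> {
  const out: Record<string, string> = {};
  const re = /(\w+)\s*=\s*(?:"([^"]*)"|\{([^}]*)\})/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(tag)) !== null) out[m[1]] = m[2] !== undefined ? m[2] : m[3];
  return out;
}

function auditSensitiveInputs(source: string): Finding[] {
  const findings: Finding[] = [];
  let m: RegExpExecArray | null;
  while ((m = INPUT_TAG.exec(source)) !== null) {
    const a = attrsOf(m[1]);
    // An input is sensitive when its name, id or bound value mentions a key/passkey.
    const field = [a.name, a.id, a.value].find(v => v !== undefined && SENSITIVE.test(v));
    if (!field) continue;
    if (a.type !== "password") {
      findings.push({ field, problem: `type="${a.type || "text"}" shows the value in clear` });
    }
    if (a.autoComplete === undefined) {
      findings.push({ field, problem: "autoComplete missing; browsers may offer saved logins" });
    } else if (a.autoComplete === "off") {
      findings.push({ field, problem: 'autoComplete="off" is often ignored on password fields; use "new-password"' });
    }
  }
  return findings;
}

// Constructed sample: the original bug, the state after this PR, the hardened form, and a benign field.
const SAMPLE_TSX = `
<input type="text" value={tracker.apiKey} onChange={onKey} />
<input type="password" autoComplete="off" value={tracker.passkey} />
<input type="password" autoComplete="new-password" name="apiKey" />
<input type="text" name="displayName" />
`;
```

Running `auditSensitiveInputs(SAMPLE_TSX)` yields three findings: two for the plain-text apiKey input and one for the passkey input that still uses `autoComplete="off"`; the hardened input and the display-name field produce none.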
