
🛡️ Sentinel: [HIGH] Fix sensitive credentials exposure in frontend inputs#95

Open
bobdivx wants to merge 1 commit into dev from sentinel/fix-sensitive-credentials-exposure-7077564351536201263

Conversation

@bobdivx
Owner

@bobdivx bobdivx commented May 28, 2026

🚨 Severity: HIGH
💡 Vulnerability: Sensitive API keys and tracker passkeys (TMDB keys, C411 wizard keys, etc.) were being captured via <input type="text">. This exposes the user's secrets to physical observation (shoulder surfing), accidental exposure during screen sharing, and browser plain-text auto-fill databases.
🎯 Impact: Anyone viewing the user's screen or checking their browser history/autofill data could extract high-value API keys and personal passkeys, leading to unauthorized API usage and potential account compromises.
🔧 Fix: Modified the input fields for tmdbKey, apiKey, and passkey across TmdbStep, TmdbConfig, UploadTrackerPanel, UploadAssistantPanel, and UploadTrackersManagerPanel to use <input type="password" autoComplete="off">. This masks the input on-screen and prevents the browser from silently storing the clear-text values in its form autofill history.
Verification: Local pnpm test and pnpm build verified successfully. Manual review of modified components confirms the attributes were successfully swapped out.


PR created automatically by Jules for task 7077564351536201263 started by @bobdivx

…puts

Co-authored-by: bobdivx <6737167+bobdivx@users.noreply.github.com>
@google-labs-jules
Contributor

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@vercel

vercel Bot commented May 28, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project popcorn-client: deployment Ready; actions Preview, Comment; updated May 28, 2026 6:21am (UTC)


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request improves physical security by updating sensitive configuration input fields (such as TMDB API keys, tracker passkeys, and C411 API keys) from plain text to password fields with autocomplete disabled. The reviewer recommends using autoComplete="new-password" instead of autoComplete="off" across all modified files, as modern browsers often ignore off on password fields, which can lead to unwanted credential autofill in these fields.

<input
type="text"
type="password"
autoComplete="off"
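Review bot: type="password" makes browsers treat this field as a credential, so password managers will typically offer to save the key typed here, and autoComplete="off" does not suppress that (current Chromium and Firefox ignore off on password fields); the PR description's claim that the clear-text value is no longer stored should be read as applying to plain form-autofill history only. Pair the change with autoComplete="new-password" and consider a show/hide toggle, because a permanently masked API key cannot be visually checked before it is submitted.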


medium

Modern browsers often ignore autoComplete="off" on password fields to prevent sites from blocking password managers. This can cause the browser to autofill the user's saved login credentials into this API key field. Using autoComplete="new-password" is the standard way to reliably prevent browser autofill on sensitive non-password inputs.

Suggested change
autoComplete="off"
autoComplete="new-password"

<input
type="text"
type="password"
autoComplete="off"


medium

Modern browsers often ignore autoComplete="off" on password fields to prevent sites from blocking password managers. This can cause the browser to autofill the user's saved login credentials into this API key field. Using autoComplete="new-password" is the standard way to reliably prevent browser autofill on sensitive non-password inputs.

Suggested change
autoComplete="off"
autoComplete="new-password"

<input
type="text"
type="password"
autoComplete="off"


medium

Modern browsers often ignore autoComplete="off" on password fields to prevent sites from blocking password managers. This can cause the browser to autofill the user's saved login credentials into this passkey field. Using autoComplete="new-password" is the standard way to reliably prevent browser autofill on sensitive non-password inputs.

Suggested change
autoComplete="off"
autoComplete="new-password"

<input
type="text"
type="password"
autoComplete="off"


medium

Modern browsers often ignore autoComplete="off" on password fields to prevent sites from blocking password managers. This can cause the browser to autofill the user's saved login credentials into this passkey field. Using autoComplete="new-password" is the standard way to reliably prevent browser autofill on sensitive non-password inputs.

Suggested change
autoComplete="off"
autoComplete="new-password"

<input
type="text"
type="password"
autoComplete="off"


medium

Modern browsers often ignore autoComplete="off" on password fields to prevent sites from blocking password managers. This can cause the browser to autofill the user's saved login credentials into this API key field. Using autoComplete="new-password" is the standard way to reliably prevent browser autofill on sensitive non-password inputs.

Suggested change
autoComplete="off"
autoComplete="new-password"

type="text"
type="password"
autoComplete="off"
className="input input-bordered input-sm w-full max-w-xl font-mono"
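Review bot: the suggestion attached to this hunk, as rendered below, pairs the className="..." line with the added autoComplete="new-password" line rather than the autoComplete="off" line it is meant to replace; applied as-is it would drop the field's styling classes and leave autoComplete="off" in place. The intended edit is to change only autoComplete="off" to autoComplete="new-password" and keep className unchanged, as the other six suggestions in this review do.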


medium

Modern browsers often ignore autoComplete="off" on password fields to prevent sites from blocking password managers. This can cause the browser to autofill the user's saved login credentials into this passkey field. Using autoComplete="new-password" is the standard way to reliably prevent browser autofill on sensitive non-password inputs.

Suggested change
className="input input-bordered input-sm w-full max-w-xl font-mono"
autoComplete="new-password"

<input
type="text"
type="password"
autoComplete="off"


medium

Modern browsers often ignore autoComplete="off" on password fields to prevent sites from blocking password managers. This can cause the browser to autofill the user's saved login credentials into this API key field. Using autoComplete="new-password" is the standard way to reliably prevent browser autofill on sensitive non-password inputs.

Suggested change
autoComplete="off"
autoComplete="new-password"
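The review above turns on two settings that are easy to regress: a secret-bearing input rendered as type="text", and a password field that relies on autoComplete="off", which browsers largely ignore. The following is an added example, not code from this PR or from the project it modifies. It is a small regex-based source audit (all function names, the SECRET_HINT pattern and the sample snippets are constructed) that scans JSX or HTML text for <input> elements bound to key-, passkey- or token-like identifiers and reports those two weak settings, so the check can run in CI over component sources after a change like this one lands.

```javascript
// Added example: a source audit for the two weak <input> settings discussed in
// this PR (plain-text secret fields, and autoComplete="off" on password fields).
// Not code from the PR or the project; names and samples below are constructed.
// Regex-based on purpose: it is a CI lint for JSX/HTML text, not a full parser.

const SECRET_HINT = /api[_-]?key|pass[_-]?key|pass[_-]?phrase|secret|token|tmdb[_-]?key|wizard[_-]?key/i;

// Matches an <input ...> tag, treating quoted strings and {expressions} as
// atoms so an arrow function such as onChange={(e) => f(e)} does not end the tag.
const INPUT_TAG = /<input\b((?:\{[^}]*\}|"[^"]*"|'[^']*'|[^>{"'])*)\/?>/gi;

// Parses the attribute text of one tag. Supports name="v", name='v', name={expr}
// and bare boolean attributes (stored as "true").
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([A-Za-z_:][\w:.-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|\{([^}]*)\}))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1]] = m[2] ?? m[3] ?? m[4] ?? 'true';
  }
  return attrs;
}

// Audits one source string. Returns findings: { line, severity, reason }.
function auditSecretInputs(source) {
  const findings = [];
  INPUT_TAG.lastIndex = 0;
  let m;
  while ((m = INPUT_TAG.exec(source)) !== null) {
    const attrText = m[1];
    // Heuristic: the field is secret-bearing if any attribute (name, value
    // binding, change handler) mentions a key/passkey/token-like identifier.
    if (!SECRET_HINT.test(attrText)) continue;
    const attrs = parseAttrs(attrText);
    const line = source.slice(0, m.index).split('\n').length;
    const type = (attrs.type ?? 'text').toLowerCase(); // HTML default is text
    const ac = (attrs.autoComplete ?? attrs.autocomplete ?? '').toLowerCase();
    if (type !== 'password') {
      findings.push({ line, severity: 'high',
        reason: `secret input rendered as type="${type}" (visible on screen, saved to form autofill)` });
    } else if (ac !== 'new-password') {
      findings.push({ line, severity: 'medium',
        reason: ac === 'off'
          ? 'autoComplete="off" is ignored by most browsers on password fields; use "new-password"'
          : 'password field without autoComplete="new-password"; saved logins may be autofilled' });
    }
  }
  return findings;
}

// Severity of the single worst finding in a source string, or "ok".
function worstSeverity(source) {
  const order = { high: 2, medium: 1 };
  return auditSecretInputs(source)
    .map((f) => f.severity)
    .sort((a, b) => order[b] - order[a])[0] ?? 'ok';
}

// Constructed samples modelled on the three states discussed in the thread:
// the original field, the field as changed by the PR, and the reviewer's version.
const SAMPLES = {
  before: `<input
  type="text"
  value={tmdbKey}
  onChange={(e) => setTmdbKey(e.target.value)}
/>`,
  afterPr: `<input type="password" autoComplete="off" value={passkey} onChange={(e) => setPasskey(e.target.value)} />`,
  recommended: `<input type="password" autoComplete="new-password" name="apiKey" />`,
  notSecret: `<input type="text" name="displayName" />`,
};

for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, worstSeverity(src),
    auditSecretInputs(src).map((f) => `L${f.line}: ${f.reason}`));
}
```

Run it with node over the component files (read each file and pass its text to auditSecretInputs) and fail the pipeline on any high finding; the medium finding is the exact case this review raises, so a team can decide whether it blocks or only warns. The secret heuristic keys off identifier names, so a field bound to a variable with a neutral name will be missed; widen SECRET_HINT to match the project's naming rather than trusting the default pattern.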


1 participant