🛡️ Sentinel: [MEDIUM] Fix missing autoComplete on apiKey password inputs

[bobdivx]

🚨 Severity: MEDIUM
💡 Vulnerability: <input type="password"> fields used for sensitive system credentials (like apiKey in indexer settings) lacked the autoComplete="off" attribute.
🎯 Impact: Browser password managers and autofill systems could mistakenly prompt to save these tokens as user credentials or unintentionally overwrite/expose them via autofill UI, leading to credential leakage or broken integrations.
🔧 Fix: Added autoComplete="off" to the relevant <input type="password"> fields in src/components/settings/IndexersManager.tsx and src/components/setup/steps/IndexersStep.tsx.
✅ Verification: Verified locally via grep that the attributes are present and confirmed build and tests passed successfully using pnpm. Added a journal entry to .jules/sentinel.md documenting this pattern.

---

PR created automatically by Jules for task 17653662034110982133 started by @bobdivx

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
popcorn-client	Ready	Preview, Comment	May 31, 2026 6:24am

[gemini-code-assist]

Code Review

This pull request adds autoComplete="off" to password input fields used for API keys in IndexersManager.tsx and IndexersStep.tsx to prevent browser autofill, and documents this change in .jules/sentinel.md. The reviewer suggests using autoComplete="new-password" instead of autoComplete="off" because modern browsers often ignore off on password fields to prevent disabling password managers.

[gemini-code-assist]

Modern browsers (such as Chrome, Firefox, and Safari) often ignore autoComplete="off" on <input type="password"> fields to prevent websites from disabling password managers. To reliably prevent browsers from autofilling the user's saved login credentials into this API key field, use autoComplete="new-password" instead.

Suggested change

	<input
	type="password"
	autoComplete="off"
	class="input input-bordered bg-gray-800 border-gray-700 text-white"
	<input
	type="password"
	autoComplete="new-password"
	class="input input-bordered bg-gray-800 border-gray-700 text-white"

[gemini-code-assist]

Similarly, use autoComplete="new-password" here to ensure modern browsers do not ignore the autocomplete directive and autofill saved user credentials into this API key field.

Suggested change

	<input
	type="password"
	autoComplete="off"
	class="input input-bordered bg-gray-800 border-gray-700 text-white"
	<input
	type="password"
	autoComplete="new-password"
	class="input input-bordered bg-gray-800 border-gray-700 text-white"

[gemini-code-assist]

Use autoComplete="new-password" instead of autoComplete="off" to reliably prevent browsers from autofilling saved login credentials into this API key field.

Suggested change

	<input type="password" autoComplete="off" className={inputClass} value={formData.apiKey} onInput={(e) => setFormData({ ...formData, apiKey: (e.target as HTMLInputElement).value })} required={effectiveDef?.requiresApiKey ?? false} placeholder={field.placeholder} />
	<input type="password" autoComplete="new-password" className={inputClass} value={formData.apiKey} onInput={(e) => setFormData({ ...formData, apiKey: (e.target as HTMLInputElement).value })} required={effectiveDef?.requiresApiKey ?? false} placeholder={field.placeholder} />

[gemini-code-assist]

Use autoComplete="new-password" here as well to prevent password managers from autofilling saved credentials into this optional API key field.

Suggested change

	<input type="password" autoComplete="off" className={inputClass} value={formData.apiKey} onInput={(e) => setFormData({ ...formData, apiKey: (e.target as HTMLInputElement).value })} placeholder={t('indexersManager.optional')} />
	<input type="password" autoComplete="new-password" className={inputClass} value={formData.apiKey} onInput={(e) => setFormData({ ...formData, apiKey: (e.target as HTMLInputElement).value })} placeholder={t('indexersManager.optional')} />