🛡️ Sentinel: [HIGH] Fix sensitive credential exposure in TMDB setup

[bobdivx]

🚨 Severity: HIGH
💡 Vulnerability: The application was rendering TMDB API keys in plain text <input type="text"> fields within the TmdbConfig and TmdbStep components. This leaves sensitive credentials vulnerable to physical exposure (shoulder surfing) and unauthorized capture via screen sharing or potentially rogue browser extensions.
🎯 Impact: An attacker who obtains a user's API key can perform unauthorized actions and consume quota associated with the TMDB account.
🔧 Fix: Modified the input components in src/components/settings/TmdbConfig.tsx and src/components/setup/steps/TmdbStep.tsx to use type="password" and added autoComplete="off" to ensure browsers do not mistakenly offer to save or autofill the API key.
✅ Verification: Verified using pnpm test and pnpm build. Added a learning to .jules/sentinel.md regarding input field types for sensitive data.

---

PR created automatically by Jules for task 10337575705692383388 started by @bobdivx

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
popcorn-client	Ready	Preview, Comment	Jun 1, 2026 6:44am

[gemini-code-assist]

Code Review

This pull request addresses a sensitive credential exposure vulnerability by changing the TMDB API key input fields in TmdbConfig.tsx and TmdbStep.tsx from plain text to masked password fields with autoComplete="off". The reviewer recommends using autoComplete="new-password" instead of autoComplete="off" because modern browsers often ignore the latter on password fields, which could lead to unwanted autofill of user credentials.

[gemini-code-assist]

Using autoComplete="off" on a type="password" input is often ignored by modern browsers (such as Chrome, Safari, and Firefox) to protect password manager functionality. This can cause the browser to automatically autofill the user's saved login credentials (like their site password) into this TMDB API key field, or prompt them to save the dummy/masked key as their account password.

To reliably prevent autofill on sensitive token/key inputs, use autoComplete="new-password" instead.

Suggested change

	<input
	type="text"
	type="password"
	autoComplete="off"
	<input
	type="password"
	autoComplete="new-password"

[gemini-code-assist]

Using autoComplete="off" on a type="password" input is often ignored by modern browsers to protect password manager functionality. This can lead to the browser autofilling the user's site login credentials into the TMDB API key field.

Using autoComplete="new-password" is the standard and most reliable way to instruct browsers and password managers not to autofill existing credentials into this field.

Suggested change

	<input
	type="text"
	type="password"
	autoComplete="off"
	<input
	type="password"
	autoComplete="new-password"