🛡️ Sentinel: [CRITICAL] Fix hardcoded password in test comments

[kingkillery]

🚨 Severity: CRITICAL
💡 Vulnerability: Hardcoded password in tests/inference_test.py used for encrypted PDF test comment.
🎯 Impact: While just a test comment, it violates the zero-hardcoded-secrets policy and can trigger security scanners, leading to noise. Hardcoding secrets in any file (even comments) risks accidental leakage of real credentials if habits aren't strict.
🔧 Fix: Replaced the hardcoded password string with a reference to an environment variable PDF_TEST_PASSWORD. Also added a critical learning to .jules/sentinel.md to document this project convention.
✅ Verification: Ran uv run ruff check commonforms/ tests/ and uv run pytest tests/ which completed successfully and showed no issues.

---

PR created automatically by Jules for task 10164501244541927882 started by @kingkillery

Summary by CodeRabbit

• Security

  • Replaced hardcoded sensitive information in tests with secure environment variable references
  • Enhanced credential handling practices in the test infrastructure

• Documentation

  • Added security best practices guidance for credential management

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

Walkthrough

A security finding regarding a hardcoded password in test comments was documented and corrected. A new sentinel entry was created to record the finding, and the corresponding test comment was updated to reference an environment variable instead of the hardcoded secret.

Changes

Cohort / File(s)	Summary
Security Documentation & Test Comment Update .jules/sentinel.md, tests/inference_test.py	Added sentinel documentation recording a hardcoded password finding in test comments. Updated the test comment in test_encrypted_failure to reference environment variable PDF_TEST_PASSWORD instead of hardcoded string.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A secret was hiding in plain sight,
In comments where passwords took flight,
Now environment vars keep it safe,
No hardcoded traces to trace! ✨
Security strengthened, all is right! 🔐

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and clearly summarizes the main change: fixing a hardcoded password in test comments, which is exactly what the PR accomplishes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sentinel-remove-hardcoded-test-password-10164501244541927882

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.jules/sentinel.md:
- Line 1: Update the date in the markdown header string "## 2025-04-09 -
Hardcoded Password in Test Comments" to the correct year 2026 so it reads "##
2026-04-09 - Hardcoded Password in Test Comments"; locate and replace that
header line in .jules/sentinel.md (the header string is the unique identifier)
and ensure no other date strings in the file remain with 2025.

In `@tests/inference_test.py`:
- Line 47: Add documentation for the PDF_TEST_PASSWORD environment variable used
by tests/inference_test.py (see the reminder comment and TODOs around lines
54-57): describe the variable name, its purpose (password for encrypted PDF used
in tests), where to set it (CI secrets and local .env), expected format/value,
and how tests will read it so future developers can find and configure it
without scanning test files; update the project testing documentation (README or
dedicated TESTING.md) and reference the variable name exactly as
PDF_TEST_PASSWORD in the docs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1f12bc7c-5702-46e5-8a20-45609613fd7c

📥 Commits

Reviewing files that changed from the base of the PR and between e00f2d1 and bdfb9ce.

📒 Files selected for processing (2)

• .jules/sentinel.md
• tests/inference_test.py

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Fix the year in the date.

The date shows "2025-04-09" but this PR was created on 2026-04-09. The year should be 2026.

📅 Proposed fix for the date

-## 2025-04-09 - Hardcoded Password in Test Comments
+## 2026-04-09 - Hardcoded Password in Test Comments

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	## 2025-04-09 - Hardcoded Password in Test Comments
	## 2026-04-09 - Hardcoded Password in Test Comments

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md at line 1, Update the date in the markdown header string
"## 2025-04-09 - Hardcoded Password in Test Comments" to the correct year 2026
so it reads "## 2026-04-09 - Hardcoded Password in Test Comments"; locate and
replace that header line in .jules/sentinel.md (the header string is the unique
identifier) and ensure no other date strings in the file remain with 2025.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check for documentation and usage of PDF_TEST_PASSWORD environment variable.

# Search for references to PDF_TEST_PASSWORD in documentation files
echo "=== Checking documentation files ==="
fd -e md -e rst -e txt --exec rg -l 'PDF_TEST_PASSWORD' {}

# Search for actual usage in code (os.environ, os.getenv, etc.)
echo -e "\n=== Checking for code usage ==="
rg -n 'PDF_TEST_PASSWORD' --type=py

# Check for test setup or configuration files
echo -e "\n=== Checking test configuration ==="
fd -e ini -e cfg -e yaml -e yml -e toml -e env --exec cat {}

Repository: kingkillery/commonforms-pk

Length of output: 2144

---

🏁 Script executed:

#!/bin/bash
# Check for other potential documentation files
echo "=== Looking for all documentation files ==="
fd -e md -e rst -e txt -e asciidoc

echo -e "\n=== Checking if README mentions environment variables ==="
if [ -f README.md ]; then
  cat README.md | head -100
fi

echo -e "\n=== Checking for docs directory ==="
if [ -d docs ]; then
  fd . docs
fi

echo -e "\n=== Checking for .env.example or similar ==="
fd -e example -e template | grep -E '(env|config)'

Repository: kingkillery/commonforms-pk

Length of output: 3721

---

Document the PDF_TEST_PASSWORD environment variable in project testing documentation.

The environment variable referenced in this comment is not documented anywhere in the codebase (README.md, configuration files, or test setup guides). When the TODO items (lines 54-57) are implemented and the password is actually needed, developers should be able to quickly find where to set or retrieve this value without having to read comments.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/inference_test.py` at line 47, Add documentation for the
PDF_TEST_PASSWORD environment variable used by tests/inference_test.py (see the
reminder comment and TODOs around lines 54-57): describe the variable name, its
purpose (password for encrypted PDF used in tests), where to set it (CI secrets
and local .env), expected format/value, and how tests will read it so future
developers can find and configure it without scanning test files; update the
project testing documentation (README or dedicated TESTING.md) and reference the
variable name exactly as PDF_TEST_PASSWORD in the docs.