From d34eadd6524385623aee7dcb1489a1c6f07863f7 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Fri, 10 Apr 2026 11:23:13 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[CRITICAL]?= =?UTF-8?q?=20Fix=20hardcoded=20password=20in=20test=20comment?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: kingkillery <200727508+kingkillery@users.noreply.github.com>
---
 .jules/sentinel.md | 4 ++++
 tests/inference_test.py | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 .jules/sentinel.md
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..120aa31
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2024-04-10 - Hardcoded password in tests
+**Vulnerability:** A hardcoded password ("kanbanery") was found in a comment in `tests/inference_test.py`.
+**Learning:** Hardcoded credentials even in test comments or disabled code are security risks and violate security conventions.
+**Prevention:** Never hardcode passwords in test files or comments. Use environment variables (e.g., TEST_PDF_PASSWORD) instead.
diff --git a/tests/inference_test.py b/tests/inference_test.py
index 62b9474..21a6ae3 100644
--- a/tests/inference_test.py
+++ b/tests/inference_test.py
@@ -44,7 +44,7 @@ def test_mutlinline(tmp_path):
 def test_encrypted_failure(tmp_path):
-    # Reminder to future Joe: password for encrypted PDF is "kanbanery"
+    # Reminder to future Joe: password for encrypted PDF should be provided via environment variable, e.g., os.environ.get("TEST_PDF_PASSWORD")
     output_path = tmp_path / "output.pdf"
     with pytest.raises(commonforms.exceptions.EncryptedPdfError):
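Review bot: The new `.jules/sentinel.md` re-commits the very value this patch removes — its Vulnerability line quotes the password `"kanbanery"` verbatim — so after this commit the credential is still in plaintext in the tree, in addition to remaining in history via the old side of the `tests/inference_test.py` hunk. Record the finding without the value, e.g. `**Vulnerability:** A hardcoded password was found in a comment in tests/inference_test.py.`, and treat the password as exposed: re-encrypt the test fixture with a fresh password supplied through TEST_PDF_PASSWORD, as the Prevention line itself recommends. The entry is also dated `2024-04-10` while the commit is dated 10 Apr 2026, so one of the two looks wrong. In the second hunk the replacement comment points at `os.environ.get("TEST_PDF_PASSWORD")`, but no visible line reads that variable, so the comment documents a mechanism the test does not appear to use; that hunk continues outside this chunk.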