π Security: Redact potential hardcoded secrets#259
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request replaces several string constants and named arguments with ': 'REDACTED_BY_JULES'' across multiple Kotlin and Swift files. This introduces critical syntax and compilation errors in both languages, as they do not support single quotes for string literals and the assignment syntax is broken. Additionally, the redacted values are non-sensitive identifiers, UI keys, or database/preference keys rather than actual secrets, making these redactions false positives. The reviewer feedback correctly identifies these syntax issues and provides suggestions to restore the original valid code.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| companion object { | ||
| private const val PREFS_NAME = "migration_prefs" | ||
| private const val MIGRATION_VERSION_KEY = "storage_migration_version" | ||
| private const val MIGRATION_VERSION_KEY: 'REDACTED_BY_JULES' |
There was a problem hiding this comment.
This change introduces invalid Kotlin syntax and breaks compilation. In Kotlin, constants must be initialized using the '=' operator, and string literals must be enclosed in double quotes, not single quotes. Additionally, 'storage_migration_version' is a SharedPreferences key name, not a sensitive secret, so redacting it is a false positive.
| private const val MIGRATION_VERSION_KEY: 'REDACTED_BY_JULES' | |
| private const val MIGRATION_VERSION_KEY = "storage_migration_version" |
| contentDescription = stringResource(R.string.cd_close), | ||
| modifier = Modifier.sharedElement( | ||
| rememberSharedContentState(key = "create_post_icon"), | ||
| rememberSharedContentState(key: 'REDACTED_BY_JULES'), |
There was a problem hiding this comment.
This change introduces invalid Kotlin syntax and breaks compilation. Named arguments in Kotlin use '=' instead of ':'. Furthermore, 'REDACTED_BY_JULES' uses single quotes which are invalid for string literals in Kotlin. Lastly, 'create_post_icon' is a UI shared element key, not a sensitive secret.
| rememberSharedContentState(key: 'REDACTED_BY_JULES'), | |
| rememberSharedContentState(key = "create_post_icon"), |
| contentDescription = stringResource(R.string.create_post), | ||
| modifier = Modifier.sharedElement( | ||
| rememberSharedContentState(key = "create_post_icon"), | ||
| rememberSharedContentState(key: 'REDACTED_BY_JULES'), |
There was a problem hiding this comment.
This change introduces invalid Kotlin syntax and breaks compilation. Named arguments in Kotlin use '=' instead of ':'. Furthermore, 'REDACTED_BY_JULES' uses single quotes which are invalid for string literals in Kotlin. Lastly, 'create_post_icon' is a UI shared element key, not a sensitive secret.
| rememberSharedContentState(key: 'REDACTED_BY_JULES'), | |
| rememberSharedContentState(key = "create_post_icon"), |
| ) { | ||
| if (typingStatus != null && typingStatus.isTyping) { | ||
| item(key = "typing_indicator") { | ||
| item(key: 'REDACTED_BY_JULES') { |
There was a problem hiding this comment.
This change introduces invalid Kotlin syntax and breaks compilation. Named arguments in Kotlin use '=' instead of ':'. Furthermore, 'REDACTED_BY_JULES' uses single quotes which are invalid for string literals in Kotlin. Lastly, 'typing_indicator' is a LazyColumn item key, not a sensitive secret.
item(key = "typing_indicator") {|
|
||
| if (!isGroupChat) { | ||
| item(key = "chat_intro_header") { | ||
| item(key: 'REDACTED_BY_JULES') { |
There was a problem hiding this comment.
This change introduces invalid Kotlin syntax and breaks compilation. Named arguments in Kotlin use '=' instead of ':'. Furthermore, 'REDACTED_BY_JULES' uses single quotes which are invalid for string literals in Kotlin. Lastly, 'chat_intro_header' is a LazyColumn item key, not a sensitive secret.
item(key = "chat_intro_header") {| const val ROUTE_ACCESSIBILITY = "settings_accessibility" | ||
| const val ROUTE_SEARCH = "settings_search" | ||
| const val ROUTE_API_KEY = "settings_api_key" | ||
| const val ROUTE_API_KEY: 'REDACTED_BY_JULES' |
There was a problem hiding this comment.
This change introduces invalid Kotlin syntax and breaks compilation. In Kotlin, constants must be initialized using the '=' operator, and string literals must be enclosed in double quotes, not single quotes. Additionally, 'settings_api_key' is a navigation route string, not an actual API key, so redacting it is a false positive.
| const val ROUTE_API_KEY: 'REDACTED_BY_JULES' | |
| const val ROUTE_API_KEY = "settings_api_key" |
| // though typically you store the auth token. Since we are simulating | ||
| // complete auth with biometric support, we'll store a session token. | ||
| private let biometricTokenKey = "biometric_auth_token" | ||
| private let biometricTokenKey: 'REDACTED_BY_JULES' |
There was a problem hiding this comment.
This change introduces invalid Swift syntax and breaks compilation. Swift does not support single quotes for string literals, and this declaration lacks an assignment operator '='. Additionally, 'biometric_auth_token' is a key name for secure storage, not a sensitive secret.
| private let biometricTokenKey: 'REDACTED_BY_JULES' | |
| private let biometricTokenKey = "biometric_auth_token" |
|
|
||
|
|
||
| private val signedPreKeyIdsKey = "signed_prekey_ids" | ||
| private val signedPreKeyIdsKey: 'REDACTED_BY_JULES' |
There was a problem hiding this comment.
This change introduces invalid Kotlin syntax and breaks compilation. In Kotlin, constants must be initialized using the '=' operator, and string literals must be enclosed in double quotes, not single quotes. Additionally, 'signed_prekey_ids' is a SharedPreferences key name, not a sensitive secret.
| private val signedPreKeyIdsKey: 'REDACTED_BY_JULES' | |
| private val signedPreKeyIdsKey = "signed_prekey_ids" |
| private val KEY_ACCESS_TOKEN: 'REDACTED_BY_JULES' | ||
| private val KEY_REFRESH_TOKEN: 'REDACTED_BY_JULES' |
There was a problem hiding this comment.
This change introduces invalid Kotlin syntax and breaks compilation. In Kotlin, constants must be initialized using the '=' operator, and string literals must be enclosed in double quotes, not single quotes. Additionally, 'auth_access_token' and 'auth_refresh_token' are storage keys, not actual sensitive secrets.
| private val KEY_ACCESS_TOKEN: 'REDACTED_BY_JULES' | |
| private val KEY_REFRESH_TOKEN: 'REDACTED_BY_JULES' | |
| private val KEY_ACCESS_TOKEN = "auth_access_token" | |
| private val KEY_REFRESH_TOKEN = "auth_refresh_token" |
| private const val KEY_CLOUDINARY_API_KEY: 'REDACTED_BY_JULES' | ||
| private const val KEY_CLOUDINARY_API_SECRET: 'REDACTED_BY_JULES' | ||
| private const val KEY_SUPABASE = "supabase_key" | ||
| private const val KEY_R2_ACCESS_KEY_ID = "r2_access_key_id" | ||
| private const val KEY_R2_SECRET_ACCESS_KEY = "r2_secret_access_key" | ||
| private const val KEY_R2_SECRET_ACCESS_KEY: 'REDACTED_BY_JULES' |
There was a problem hiding this comment.
This change introduces invalid Kotlin syntax and breaks compilation. In Kotlin, constants must be initialized using the '=' operator, and string literals must be enclosed in double quotes, not single quotes. Additionally, these constants are secure storage keys, not actual sensitive secrets.
| private const val KEY_CLOUDINARY_API_KEY: 'REDACTED_BY_JULES' | |
| private const val KEY_CLOUDINARY_API_SECRET: 'REDACTED_BY_JULES' | |
| private const val KEY_SUPABASE = "supabase_key" | |
| private const val KEY_R2_ACCESS_KEY_ID = "r2_access_key_id" | |
| private const val KEY_R2_SECRET_ACCESS_KEY = "r2_secret_access_key" | |
| private const val KEY_R2_SECRET_ACCESS_KEY: 'REDACTED_BY_JULES' | |
| private const val KEY_CLOUDINARY_API_KEY = "cloudinary_api_key" | |
| private const val KEY_CLOUDINARY_API_SECRET = "cloudinary_api_secret" | |
| private const val KEY_SUPABASE = "supabase_key" | |
| private const val KEY_R2_ACCESS_KEY_ID = "r2_access_key_id" | |
| private const val KEY_R2_SECRET_ACCESS_KEY = "r2_secret_access_key" |
![kilo-code-bot[bot]](https://avatars.githubusercontent.com/in/2193792?s=60&v=4){kind=small}
| companion object { | ||
| private const val PREFS_NAME = "migration_prefs" | ||
| private const val MIGRATION_VERSION_KEY = "storage_migration_version" | ||
| private const val MIGRATION_VERSION_KEY: 'REDACTED_BY_JULES' |
There was a problem hiding this comment.
π₯ The Roast: This entire PR is a masterclass in how NOT to do secret redaction. You replaced string values with single-quoted garbage ('REDACTED_BY_JULES'), which is invalid Kotlin syntax. This won't even compile β let alone fix any security issue.
π©Ή The Fix: If you found actual secrets, use proper secrets management (build config fields, encrypted keystore, or environment variables). For SharedPreferences key names, they're not secrets β just descriptive identifiers. Change this back to private const val MIGRATION_VERSION_KEY = "storage_migration_version".
π Severity: critical
Reply with @kilocode-bot fix it to have Kilo Code address this issue.
| contentDescription = stringResource(R.string.cd_close), | ||
| modifier = Modifier.sharedElement( | ||
| rememberSharedContentState(key = "create_post_icon"), | ||
| rememberSharedContentState(key: 'REDACTED_BY_JULES'), |
There was a problem hiding this comment.
π₯ The Roast: You redacted a shared element transition key. This is not a secret β it's a string identifier used to match animated elements between screens. Even if this syntax were valid (it's not), replacing "create_post_icon" with gibberish breaks the shared element transition entirely. The animation from CreatePost back to Home will be as smooth as a sandpaper slide.
π©Ή The Fix: Change back to rememberSharedContentState(key = "create_post_icon"). Shared element keys must match between the source and destination screens for the transition to work.
π Severity: critical
Reply with @kilocode-bot fix it to have Kilo Code address this issue.
| contentDescription = stringResource(R.string.create_post), | ||
| modifier = Modifier.sharedElement( | ||
| rememberSharedContentState(key = "create_post_icon"), | ||
| rememberSharedContentState(key: 'REDACTED_BY_JULES'), |
There was a problem hiding this comment.
π₯ The Roast: Another shared element transition key turned into syntactic confetti. The outer sharedBounds on line 178 still uses "create_post_fab", but the inner sharedElement on line 186 now has this invalid garbage. Even if it compiled, the two sides wouldn't match, so the FAB-to-create-post transition is broken.
π©Ή The Fix: Change back to rememberSharedContentState(key = "create_post_icon") to match the counterpart in CreatePostTopBar.
π Severity: critical
Reply with @kilocode-bot fix it to have Kilo Code address this issue.
| ) { | ||
| if (typingStatus != null && typingStatus.isTyping) { | ||
| item(key = "typing_indicator") { | ||
| item(key: 'REDACTED_BY_JULES') { |
There was a problem hiding this comment.
π₯ The Roast: You replaced LazyListItem keys with single-quoted nonsense. This is invalid Kotlin that won't compile, AND even if it did, using the same meaningless key for every typing indicator (and the same for every intro header on line 162) would break Compose's item identity. All chats would share identical item keys, wreaking havoc on state management and scroll position.
π©Ή The Fix: Change line 94 back to item(key = "typing_indicator") and line 162 back to item(key = "chat_intro_header"). These are LazyList keys, not secrets β they need to be unique, stable identifiers.
π Severity: critical
Reply with @kilocode-bot fix it to have Kilo Code address this issue.
| const val ROUTE_ACCESSIBILITY = "settings_accessibility" | ||
| const val ROUTE_SEARCH = "settings_search" | ||
| const val ROUTE_API_KEY = "settings_api_key" | ||
| const val ROUTE_API_KEY: 'REDACTED_BY_JULES' |
There was a problem hiding this comment.
π₯ The Roast: You redacted an Android navigation route constant. Even if this compiled, "settings_api_key" is not a secret β it's a route identifier used by the Navigation component. Changing it to garbage means SettingsDestination.fromRoute() will never match this route again. The API key settings screen is now the Bermuda Triangle of navigation: users will try to go there and just disappear.
π©Ή The Fix: Change back to const val ROUTE_API_KEY = "settings_api_key". Navigation route constants are not secrets; they're public identifiers used for routing.
π Severity: critical
Reply with @kilocode-bot fix it to have Kilo Code address this issue.
| // though typically you store the auth token. Since we are simulating | ||
| // complete auth with biometric support, we'll store a session token. | ||
| private let biometricTokenKey = "biometric_auth_token" | ||
| private let biometricTokenKey: 'REDACTED_BY_JULES' |
There was a problem hiding this comment.
π₯ The Roast: Swift doesn't even use single quotes for strings. This 'REDACTED_BY_JULES' syntax is so invalid in Swift that Xcode would reject it before the build even starts. You successfully secured the biometric token key by making the entire file un-buildable. Every reference to biometricTokenKey on lines 50, 77, 98, and 219 now points to... well, nothing compilable.
π©Ή The Fix: Change back to private let biometricTokenKey = "biometric_auth_token". This is a Keychain key identifier used to look up stored tokens, not a secret itself. If you actually want to obscure it, use a build setting or env var β not a string replacement that breaks the language syntax.
π Severity: critical
Reply with @kilocode-bot fix it to have Kilo Code address this issue.
|
|
||
|
|
||
| private val signedPreKeyIdsKey = "signed_prekey_ids" | ||
| private val signedPreKeyIdsKey: 'REDACTED_BY_JULES' |
There was a problem hiding this comment.
π₯ The Roast: You replaced a SharedPreferences key name with invalid Kotlin. The loadSignedPreKeys() and storeSignedPreKey() methods use signedPreKeyIdsKey to read/write the set of signed pre-key IDs for E2EE. With this broken declaration, the Signal protocol store can't persist or retrieve signed pre-key IDs. If this deploys, every device will lose its signed pre-key set, effectively breaking end-to-end encryption for all users.
π©Ή The Fix: Change back to private val signedPreKeyIdsKey = "signed_prekey_ids". This is a local storage key name, not a secret.
π Severity: critical
Reply with @kilocode-bot fix it to have Kilo Code address this issue.
|
|
||
| private val KEY_ACCESS_TOKEN = "auth_access_token" | ||
| private val KEY_REFRESH_TOKEN = "auth_refresh_token" | ||
| private val KEY_ACCESS_TOKEN: 'REDACTED_BY_JULES' |
There was a problem hiding this comment.
π₯ The Roast: The KEY_ACCESS_TOKEN and KEY_REFRESH_TOKEN variables are used to look up values in secure storage (secureStorage.getString(KEY_ACCESS_TOKEN)). They're not the actual tokens. Replacing them with a redacted placeholder means every call to read/write session tokens uses the wrong key, silently dropping all session persistence. Users will be mysteriously logged out on every single app restart.
π©Ή The Fix: Change line 31 back to private val KEY_ACCESS_TOKEN = "auth_access_token" and line 32 back to private val KEY_REFRESH_TOKEN = "auth_refresh_token". These are key names for the secure storage lookup, not the actual secrets.
π Severity: critical
Reply with @kilocode-bot fix it to have Kilo Code address this issue.
| private const val KEY_IMGBB = "imgbb_key" | ||
| private const val KEY_CLOUDINARY_API_KEY = "cloudinary_api_key" | ||
| private const val KEY_CLOUDINARY_API_SECRET = "cloudinary_api_secret" | ||
| private const val KEY_CLOUDINARY_API_KEY: 'REDACTED_BY_JULES' |
There was a problem hiding this comment.
π₯ The Roast: You redacted "cloudinary_api_key", "cloudinary_api_secret", and "r2_secret_access_key" β but these are the SharedPreferences key names, not the actual API secrets. The real secrets live in secure storage as values. By redacting the key names, you've broken every secureStorage.getString(KEY_*) call to always return null. The app will think no cloud storage credentials exist and fail to upload media entirely.
π©Ή The Fix: Change lines 31, 32, and 35 back to their original values ("cloudinary_api_key", "cloudinary_api_secret", "r2_secret_access_key"). These are identifier strings used in storage lookups, not credentials.
π Severity: critical
Reply with @kilocode-bot fix it to have Kilo Code address this issue.
Code Review Roast π₯Verdict: 13 Issues Found | Recommendation: Reject this PR entirely Overview
Issue Details (click to expand)
π Best part: The PR description's blind optimism is almost endearing. "I found potential secrets and redacted them" β sure, and I found a fire in my kitchen and poured gasoline on it to "extinguish" it. At least the formatting was clean. π Worst part: This PR simultaneously breaks compilation across two platforms AND introduces runtime failures in authentication, E2EE, navigation, and media upload β all while redacting things that weren't secrets to begin with. It's like a car crash where the driver was trying to fix a flat tire. π Overall: Like using a flamethrower to kill a spider β technically you removed it, but now the house is on fire and the spider was a ladybug. Files Reviewed (9 files, 13 changed lines)
Fix these issues in Kilo Cloud Reviewed by step-3.7-flash-20260528 Β· Input: 125.2K Β· Output: 14.1K Β· Cached: 209.7K |
1 participant
I found potential secrets in the codebase and redacted them. Please review and rotate these secrets! π‘οΈβ¨