
🔒 Security: Redact potential hardcoded secrets #261

Open
TheRealAshik wants to merge 1 commit into main from security/redact-secrets-202606260352

Conversation

@TheRealAshik

Contributor

I found potential secrets in the codebase and redacted them. Please review and rotate these secrets! 🛡️✨

@gemini-code-assist (Bot) left a comment


Code Review

This pull request contains changes where an automated redaction tool has incorrectly replaced various string literals (such as SharedPreferences keys, UI transition keys, navigation routes, and storage keys) with invalid syntax across several Kotlin and Swift files. This has introduced critical syntax errors, such as using colons (:) instead of equals signs (=) for variable assignments and named arguments, and using single quotes for string literals. The reviewer's feedback correctly identifies these syntax issues across all modified files and provides the necessary corrections to restore valid code.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

companion object {
private const val PREFS_NAME = "migration_prefs"
private const val MIGRATION_VERSION_KEY = "storage_migration_version"
private const val MIGRATION_VERSION_KEY: 'REDACTED_BY_JULES'
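Review bot: the `+` line turns a constant assignment into a type annotation with a single-quoted literal, which Kotlin does not accept, and the value it removed, "storage_migration_version", is a low-entropy snake_case preference key rather than credential material. The tool evidently matched on `KEY` in the identifier name; a redaction pass should decide on the contents of the string literal (entropy, known provider prefixes) and rewrite only the text inside the existing double quotes, so that `=` and the surrounding syntax survive. Restore `private const val MIGRATION_VERSION_KEY = "storage_migration_version"`.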


critical

This change introduces invalid Kotlin syntax. A const val must be initialized with a value using =, and single quotes are reserved for character literals, not strings. Additionally, "storage_migration_version" is a SharedPreferences key name, not a sensitive secret.

Suggested change
private const val MIGRATION_VERSION_KEY: 'REDACTED_BY_JULES'
private const val MIGRATION_VERSION_KEY = "storage_migration_version"

contentDescription = stringResource(R.string.cd_close),
modifier = Modifier.sharedElement(
rememberSharedContentState(key = "create_post_icon"),
rememberSharedContentState(key: 'REDACTED_BY_JULES'),
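Review bot: `key` here is the named argument of `rememberSharedContentState`, a shared-element transition identifier, and the tool appears to have matched on the parameter name; `key:` is not Kotlin named-argument syntax and `'...'` is not a string. The same literal "create_post_icon" appears in the other `rememberSharedContentState` hunk in this PR, and the transition is matched by that key on both sides, so the two literals must stay identical. Keep `rememberSharedContentState(key = "create_post_icon"),` in both places.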


critical

This change introduces invalid Kotlin syntax. Named arguments in Kotlin use = instead of :, and single quotes are not valid for string literals. Furthermore, "create_post_icon" is a shared element transition key, not a sensitive secret.

Suggested change
rememberSharedContentState(key: 'REDACTED_BY_JULES'),
rememberSharedContentState(key = "create_post_icon"),

contentDescription = stringResource(R.string.create_post),
modifier = Modifier.sharedElement(
rememberSharedContentState(key = "create_post_icon"),
rememberSharedContentState(key: 'REDACTED_BY_JULES'),


critical

This change introduces invalid Kotlin syntax. Named arguments in Kotlin use = instead of :, and single quotes are not valid for string literals. Furthermore, "create_post_icon" is a shared element transition key, not a sensitive secret.

Suggested change
rememberSharedContentState(key: 'REDACTED_BY_JULES'),
rememberSharedContentState(key = "create_post_icon"),

) {
if (typingStatus != null && typingStatus.isTyping) {
item(key = "typing_indicator") {
item(key: 'REDACTED_BY_JULES') {


critical

This change introduces invalid Kotlin syntax. Named arguments in Kotlin use = instead of :, and single quotes are not valid for string literals. Additionally, "typing_indicator" is a list item key, not a sensitive secret.

            item(key = "typing_indicator") {


if (!isGroupChat) {
item(key = "chat_intro_header") {
item(key: 'REDACTED_BY_JULES') {
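Review bot: this hunk and the "typing_indicator" hunk above replace two different lazy-list item keys in the same file with the same placeholder 'REDACTED_BY_JULES'. Beyond the syntax error (`key:` and single quotes), lazy list item keys must be unique within a list, so if these two items share a `LazyColumn` the redacted version would collide even once the syntax were repaired. Keep `item(key = "chat_intro_header") {` and `item(key = "typing_indicator") {` as they were.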


critical

This change introduces invalid Kotlin syntax. Named arguments in Kotlin use = instead of :, and single quotes are not valid for string literals. Additionally, "chat_intro_header" is a list item key, not a sensitive secret.

            item(key = "chat_intro_header") {

const val ROUTE_ACCESSIBILITY = "settings_accessibility"
const val ROUTE_SEARCH = "settings_search"
const val ROUTE_API_KEY = "settings_api_key"
const val ROUTE_API_KEY: 'REDACTED_BY_JULES'
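Review bot: `ROUTE_API_KEY` is a navigation route constant sitting next to `ROUTE_ACCESSIBILITY` and `ROUTE_SEARCH`; "settings_api_key" names the settings destination, presumably the screen where an API key is entered, not the key itself. If the concern is the API key, the place to inspect is wherever that screen stores the entered value, which this constant does not touch. Restore `const val ROUTE_API_KEY = "settings_api_key"`.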


critical

This change introduces invalid Kotlin syntax. A const val must be initialized with a value using =, and single quotes are not valid for string literals. Additionally, "settings_api_key" is a navigation route string, not a sensitive secret.

Suggested change
const val ROUTE_API_KEY: 'REDACTED_BY_JULES'
const val ROUTE_API_KEY = "settings_api_key"

// though typically you store the auth token. Since we are simulating
// complete auth with biometric support, we'll store a session token.
private let biometricTokenKey = "biometric_auth_token"
private let biometricTokenKey: 'REDACTED_BY_JULES'
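Review bot: the comment directly above this line says a session token is stored under this key; the secret is that token in the keychain, and "biometric_auth_token" is only the identifier used to look it up. The replacement `private let biometricTokenKey: 'REDACTED_BY_JULES'` reads to Swift as a type annotation, and Swift has no single-quoted literal at all, so the file no longer compiles. Keep `private let biometricTokenKey = "biometric_auth_token"`.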


critical

This change introduces invalid Swift syntax. Swift uses double quotes for string literals, and variable initialization uses =. Additionally, "biometric_auth_token" is a keychain key identifier, not a sensitive secret.

Suggested change
private let biometricTokenKey: 'REDACTED_BY_JULES'
private let biometricTokenKey = "biometric_auth_token"



private val signedPreKeyIdsKey = "signed_prekey_ids"
private val signedPreKeyIdsKey: 'REDACTED_BY_JULES'
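Review bot: `signedPreKeyIdsKey` names the preference slot that holds the list of signed prekey IDs; neither the slot name "signed_prekey_ids" nor the IDs are secret, and the `+` line is invalid Kotlin (`:` for `=`, single quotes). What matters for a Signal store is how the prekey material itself is persisted, and this hunk does not touch that code. Restore `private val signedPreKeyIdsKey = "signed_prekey_ids"`.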


critical

This change introduces invalid Kotlin syntax. Variables must be initialized with a value using =, and single quotes are not valid for string literals. Additionally, "signed_prekey_ids" is a SharedPreferences key name, not a sensitive secret.

Suggested change
private val signedPreKeyIdsKey: 'REDACTED_BY_JULES'
private val signedPreKeyIdsKey = "signed_prekey_ids"

Comment on lines +31 to +32
private val KEY_ACCESS_TOKEN: 'REDACTED_BY_JULES'
private val KEY_REFRESH_TOKEN: 'REDACTED_BY_JULES'
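Review bot: only the `+` side of this hunk is shown, so the removed values cannot be confirmed from the diff itself; the suggested change below restores "auth_access_token" and "auth_refresh_token", which are the names of the storage slots for the tokens. A tool that matches on `TOKEN` in an identifier will hit exactly the constants that say where a token is kept, which is the opposite of the token. Both lines also fail to compile as written (`:` instead of `=`, single-quoted literals).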


critical

This change introduces invalid Kotlin syntax. Variables must be initialized with a value using =, and single quotes are not valid for string literals. Additionally, "auth_access_token" and "auth_refresh_token" are storage key names, not sensitive secrets.

Suggested change
private val KEY_ACCESS_TOKEN: 'REDACTED_BY_JULES'
private val KEY_REFRESH_TOKEN: 'REDACTED_BY_JULES'
private val KEY_ACCESS_TOKEN = "auth_access_token"
private val KEY_REFRESH_TOKEN = "auth_refresh_token"

Comment on lines +31 to +35
private const val KEY_CLOUDINARY_API_KEY: 'REDACTED_BY_JULES'
private const val KEY_CLOUDINARY_API_SECRET: 'REDACTED_BY_JULES'
private const val KEY_SUPABASE = "supabase_key"
private const val KEY_R2_ACCESS_KEY_ID = "r2_access_key_id"
private const val KEY_R2_SECRET_ACCESS_KEY = "r2_secret_access_key"
private const val KEY_R2_SECRET_ACCESS_KEY: 'REDACTED_BY_JULES'
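Review bot: the tool redacted `KEY_CLOUDINARY_API_KEY`, `KEY_CLOUDINARY_API_SECRET` and `KEY_R2_SECRET_ACCESS_KEY` but left `KEY_SUPABASE` and `KEY_R2_ACCESS_KEY_ID` untouched, so the selection was made on identifier names (`API_KEY`, `SECRET`), not on values; all five are lookup keys of the same kind and should be treated alike. The question worth asking is what is stored under "cloudinary_api_secret" and "r2_secret_access_key" and whether that value is ever checked in; the constant names answer neither. Restore the three `=` assignments as in the suggested change.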


critical

This change introduces invalid Kotlin syntax. A const val must be initialized with a value using =, and single quotes are not valid for string literals. Additionally, these constants represent storage/database keys (e.g., "cloudinary_api_key", "cloudinary_api_secret", "r2_secret_access_key"), not actual hardcoded credentials.

Suggested change
private const val KEY_CLOUDINARY_API_KEY: 'REDACTED_BY_JULES'
private const val KEY_CLOUDINARY_API_SECRET: 'REDACTED_BY_JULES'
private const val KEY_SUPABASE = "supabase_key"
private const val KEY_R2_ACCESS_KEY_ID = "r2_access_key_id"
private const val KEY_R2_SECRET_ACCESS_KEY = "r2_secret_access_key"
private const val KEY_R2_SECRET_ACCESS_KEY: 'REDACTED_BY_JULES'
private const val KEY_CLOUDINARY_API_KEY = "cloudinary_api_key"
private const val KEY_CLOUDINARY_API_SECRET = "cloudinary_api_secret"
private const val KEY_SUPABASE = "supabase_key"
private const val KEY_R2_ACCESS_KEY_ID = "r2_access_key_id"
private const val KEY_R2_SECRET_ACCESS_KEY = "r2_secret_access_key"

@kilo-code-bot

kilo-code-bot Bot commented Jun 26, 2026


Code Review Roast 🔥

Verdict: 10 Issues Found | Recommendation: Address before merge

Overview

Severity | Count
🚨 critical | 10

Issue Details

File | Line | Roast
app/.../StorageMigration.kt | 40 | Automated redaction tool thought a SharedPreferences key was a secret and nuked it with invalid Kotlin syntax
app/.../CreatePostTopBar.kt | 82 | Shared element transition key got "redacted" into code that won't compile
app/.../HomeScreen.kt | 186 | Same story, different file - key parameter syntax destroyed
app/.../ChatMessageList.kt | 94 | LazyColumn item key replaced with invalid token literal
app/.../ChatMessageList.kt | 162 | Another item key casualty of overzealous redaction
app/.../SettingsDestination.kt | 118 | Navigation route string martyred in the name of security
iosApp/.../AuthViewModel.swift | 31 | Swift string literal syntax? Never heard of it
shared/.../AndroidSignalStore.kt | 113 | Signal protocol key name deemed too sensitive for existence
shared/.../SupabaseAuthenticationService.kt | 31-32 | Storage key constants couldn't handle the heat
shared/.../StorageRepositoryImpl.kt | 31-32, 35 | Three more constants fed to the redaction furnace

πŸ† Best part: The PR author correctly identified potential secrets to redact - just couldn't execute it properly.

💀 Worst part: This redaction tool has the accuracy of a drunk security scanner - everything looks like a secret, and it "fixes" non-secrets with syntax errors that would make a compiler cry.

📊 Overall: Like a fire marshal who only knows how to use a flamethrower - technically trying to help with security, but setting the codebase on fire in the process.

Files Reviewed (9 files)
  • app/.../StorageMigration.kt - 1 issue
  • app/.../CreatePostTopBar.kt - 1 issue
  • app/.../HomeScreen.kt - 1 issue
  • app/.../ChatMessageList.kt - 2 issues
  • app/.../SettingsDestination.kt - 1 issue
  • iosApp/.../AuthViewModel.swift - 1 issue
  • shared/.../AndroidSignalStore.kt - 1 issue
  • shared/.../SupabaseAuthenticationService.kt - 1 issue
  • shared/.../StorageRepositoryImpl.kt - 3 issues

Reviewed by laguna-m.1-20260312:free · Input: 794.6K · Output: 4.8K · Cached: 328.3K
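Both reviews above make the same two points: the tool chose what to redact by the identifier name (anything containing KEY, SECRET or TOKEN) and it rewrote the whole assignment, breaking the syntax. The following is an added example, written for this page in Python; it is not the project's code and not the tool that opened this PR. It shows a redaction pass that classifies each double-quoted string literal by its contents (an identifier-shaped value such as "storage_migration_version" is never a secret; a value matching a public credential format or with high Shannon entropy is) and rewrites only the text inside the quotes, so `=` and the double quotes are untouched. The entropy threshold, minimum length and the provider-prefix patterns are illustrative assumptions chosen for the example; the sample source lines are constructed, combining the key names from this PR with two fabricated credential values (AWS's documented example access key ID and a made-up random string) that a scanner should catch.

```python
"""
Syntax-preserving secret redaction for Kotlin/Swift source lines.

Added example for this page; not the project's code and not the tool
behind this PR. Decisions are made on the *value* of each string
literal, never on the name of the identifier it is assigned to, and
only the text between the existing double quotes is replaced.
"""
import math
import re
from collections import Counter

# Double-quoted string literal, tolerating escaped quotes. Kotlin and
# Swift both use double quotes for strings, so one pattern serves both.
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Public credential formats (assumed set, illustrative): AWS access key
# IDs, GitHub classic PATs, Stripe live secret keys.
KNOWN_PREFIXES = re.compile(
    r'^(AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}|sk_live_[0-9a-zA-Z]{24,})$'
)

# Identifier-shaped values: snake_case / kebab-case / dotted names such
# as "storage_migration_version" or "settings_api_key". These are lookup
# keys, routes and UI keys, never credential material.
IDENTIFIER_SHAPED = re.compile(r'^[a-z][a-z0-9]*([._\-][a-z0-9]+)*$')


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, the usual secret-scanner heuristic."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(value: str, min_len: int = 16, min_entropy: float = 3.5) -> bool:
    """True only when the literal's *content* looks like a credential.
    Thresholds are assumptions for this example, not a calibrated policy."""
    if KNOWN_PREFIXES.match(value):
        return True
    if IDENTIFIER_SHAPED.match(value):
        return False  # "auth_access_token" names a slot, it is not a token
    return len(value) >= min_len and shannon_entropy(value) >= min_entropy


def redact_line(line: str, placeholder: str = "REDACTED") -> tuple[str, bool]:
    """Replace the contents of secret-looking literals on one line, keeping
    the surrounding syntax (`=`, double quotes). Returns (new_line, changed)."""
    changed = False

    def sub(m: re.Match) -> str:
        nonlocal changed
        if looks_like_secret(m.group(1)):
            changed = True
            return f'"{placeholder}"'
        return m.group(0)

    return STRING_LITERAL.sub(sub, line), changed


def redact_source(text: str) -> tuple[str, list[int]]:
    """Redact a whole file; returns (new_text, 1-based line numbers changed)."""
    out, hits = [], []
    for i, line in enumerate(text.splitlines(keepends=True), start=1):
        new, changed = redact_line(line)
        out.append(new)
        if changed:
            hits.append(i)
    return "".join(out), hits


# Constructed sample: the key names this PR wrongly redacted (they must
# survive) plus two fabricated credential values (they must not).
SAMPLE = '''\
private const val MIGRATION_VERSION_KEY = "storage_migration_version"
const val ROUTE_API_KEY = "settings_api_key"
private val KEY_ACCESS_TOKEN = "auth_access_token"
private const val KEY_CLOUDINARY_API_SECRET = "cloudinary_api_secret"
private let biometricTokenKey = "biometric_auth_token"
val awsKeyId = "AKIAIOSFODNN7EXAMPLE"
val cloudinarySecret = "q8Zr3kLm2vXp9TyB4nWd7Hs1"
'''

if __name__ == "__main__":
    new_text, hits = redact_source(SAMPLE)
    print(new_text)
    print("redacted lines:", hits)  # only the two fabricated credentials
```

Run as a script it prints the sample with only lines 6 and 7 rewritten to `"REDACTED"`, every key name intact and every `=` still in place. The identifier-shaped check is deliberately evaluated before the entropy check: a scanner that only thresholds on entropy will still pass these snake_case names (they are far below 3.5 bits per character), but short-circuiting on shape makes the intent explicit and keeps the rule from drifting when thresholds are tuned.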
