fix: harden setup.sh credential handling (security + robustness)

[marcusquinn]

Summary

Addresses all 3 medium-severity findings from Gemini code review on PR #25 (setup.sh).

• Mask sensitive input: API Key and Application ID now use read -rs (silent mode) to prevent shoulder-surfing and terminal scrollback exposure. Existing values show only last 4 chars as masked hints (****XXXX) instead of the full credential.
• Eliminate file permission race condition: Credentials file is now written inside a umask 077 subshell, so it's created with 600 permissions atomically — no window where the file exists with default (644) permissions.
• Prefer jq for JSON parsing: Uses jq when available for robust credential file reading, with grep/sed fallback and a warning when jq is not installed. Consistent with jq usage elsewhere in the script.

Verification

• ShellCheck: clean
• 201 unit tests: all pass
• TypeScript build: clean
• ESLint: clean

Closes #32

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[coderabbitai]

Warning

Rate limit exceeded

@marcusquinn has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 22 minutes and 14 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d8f99433-b533-441d-bb7d-f6d162bdbdf8

📥 Commits

Reviewing files that changed from the base of the PR and between 1c5f74a and 85cda6d.

📒 Files selected for processing (1)

• setup.sh

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/quality-debt-setup-sh-32

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[marcusquinn]

This PR appears orphaned — no active worker process found and no activity for 6+ hours. The linked issue is already closed. Flagging for review. If work is still in progress, remove the status:orphaned label.

[marcusquinn]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.