AI Fix Prompts for Keybard Ng

Fix a hardcoded credential in repository 'morganvenable__keybard-ng'.

**Issue**: Hard-coded api_key found (Vault Token)
**File**: src/services/fragment-composer.service.ts
**Line**: 64
**Severity**: CRITICAL

**Current code around the issue:**
```
      59 |             const instanceKeys = this.expandInstance(kbinfo, idx, instance, cols);
      60 |             Object.assign(layout, instanceKeys);
      61 |         }
      62 | 
      63 |         // Apply GUI-side placement corrections for thumb clusters
>>>   64 |         layout = this.applyPlacementCorrections(layout, kbinfo);
      65 | 
      66 |         return layout;
      67 |     }
      68 | 
      69 |     /**
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment

Fix a hardcoded credential in repository 'morganvenable__keybard-ng'.

**Issue**: Hard-coded api_key found (Vault Token)
**File**: src/services/fragment-composer.service.ts
**Line**: 94
**Severity**: CRITICAL

**Current code around the issue:**
```
      89 |             console.warn(`Fragment "${fragmentName}" not found or has no KLE data`);
      90 |             return layout;
      91 |         }
      92 | 
      93 |         // Get placement and matrix map
>>>   94 |         const { placement, matrixMap } = this.getPlacementAndMatrixMap(instance, fragmentName);
      95 |         if (!placement || !matrixMap) {
      96 |             console.warn(`Missing placement or matrix_map for instance "${instance.id}"`);
      97 |             return layout;
      98 |         }
      99 | 
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment

Fix a hardcoded credential in repository 'morganvenable__keybard-ng'.

**Issue**: Hard-coded api_key found (Vault Token)
**File**: src/services/layer-library.service.ts
**Line**: 262
**Severity**: CRITICAL

**Current code around the issue:**
```
     257 |      * Import a .viable or .vil file and add it to localStorage
     258 |      */
     259 |     async importLayoutFromFile(file: File): Promise<LayoutGroup> {
     260 |         const kbinfo = await fileService.loadFile(file);
     261 |         const name = file.name.replace(/\.(viable|vil|json)$/i, '');
>>>  262 |         return this.importLayoutFromKeyboardInfo(kbinfo, name);
     263 |     }
     264 | 
     265 |     /**
     266 |      * Convert KeyboardInfo to LayoutGroup
     267 |      */
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment

Fix a hardcoded credential in repository 'morganvenable__keybard-ng'.

**Issue**: Hard-coded api_key found (Vault Token)
**File**: src/services/vial.service.ts
**Line**: 479
**Severity**: CRITICAL

**Current code around the issue:**
```
     474 |         return 0;
     475 |     }
     476 | 
     477 |     async getActiveLayerIndex(): Promise<number> {
     478 |         const mask = await this.getLayerStateMask();
>>>  479 |         return this.getActiveLayerIndexFromMask(mask);
     480 |     }
     481 | 
     482 |     // API methods for updating keyboard settings
     483 |     async updateKey(layer: number, row: number, col: number, keymask: number): Promise<void> {
     484 |         const BE16 = (num: number) => [(num >> 8) & 0xff, num & 0xff];
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment

Fix a hardcoded credential in repository 'morganvenable__keybard-ng'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: src/components/ConnectKeyboard.tsx
**Line**: 99
**Severity**: HIGH

**Current code around the issue:**
```
      94 | 
      95 |     const handleLoadDemo = async () => {
      96 |         setLoading(true);
      97 |         setError(null);
      98 |         try {
>>>   99 |             const response = await fetch(import.meta.env.BASE_URL + "sval-default.viable");
     100 |             if (!response.ok) throw new Error("Failed to fetch demo file");
     101 |             const blob = await response.blob();
     102 |             const file = new File([blob], "sval-default.viable", { type: "application/octet-stream" });
     103 |             await loadFromFile(file);
     104 |         } catch (err) {
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment

Address OWASP A02 (Cryptographic Failures) compliance gap in 'morganvenable__keybard-ng'.

**OWASP Category**: A02 -- Cryptographic Failures
**Fix guidance**: Remove hardcoded secrets, use strong encryption (AES-256-GCM), enforce TLS, never store passwords in plaintext (use bcrypt/argon2).

**Steps:**
1. Identify all code paths related to cryptographic failures
2. Apply the fixes described above
3. Add automated tests to verify the fix
4. Document any security assumptions in code comments

Address OWASP A06 (Vulnerable Components) compliance gap in 'morganvenable__keybard-ng'.

**OWASP Category**: A06 -- Vulnerable Components
**Fix guidance**: Update all dependencies to latest stable versions, remove unused dependencies, monitor for new CVEs.

**Steps:**
1. Identify all code paths related to vulnerable components
2. Apply the fixes described above
3. Add automated tests to verify the fix
4. Document any security assumptions in code comments

Address OWASP A07 (Auth Failures) compliance gap in 'morganvenable__keybard-ng'.

**OWASP Category**: A07 -- Auth Failures
**Fix guidance**: Implement proper session management, use MFA where possible, enforce strong passwords, protect against brute force.

**Steps:**
1. Identify all code paths related to auth failures
2. Apply the fixes described above
3. Add automated tests to verify the fix
4. Document any security assumptions in code comments

Repository 'morganvenable__keybard-ng' is failing the quality gate.

Failed conditions:
- overall_score: actual 0.0 >= 50 (FAILED)
- security_score: actual 0.0 >= 40 (FAILED)
- critical_credentials: actual 4.0 <= 0 (FAILED)

Fix each failing condition to make the repo pass the quality gate.

Repository 'morganvenable__keybard-ng' has 10 open issues:

- [CRITICAL] Hard-coded api_key: Vault Token (src/services/layer-library.service.ts)
- [CRITICAL] Hard-coded api_key: Vault Token (src/services/fragment-composer.service.ts)
- [CRITICAL] Hard-coded api_key: Vault Token (src/services/vial.service.ts)
- [CRITICAL] Hard-coded api_key: Vault Token (src/services/fragment-composer.service.ts)
- [HIGH] Hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL (src/components/ConnectKeyboard.tsx)
- [HIGH] GHSA-r6q2-hw4h-h46w: tar
- [HIGH] GHSA-c2c7-rcm5-vvqj: picomatch
- [HIGH] GHSA-mw96-cpmx-2vgc: rollup
- [HIGH] GHSA-34x7-hfp2-rc4v: tar
- [HIGH] GHSA-83g3-92jg-28cx: tar

Resolve each issue. For security issues, apply the appropriate fix. For quality issues, refactor the affected code.

Static analysis found 1 security issues in 'morganvenable__keybard-ng':

- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at src/components/ConnectKeyboard.tsx:99

For each finding:
- SQL injection: use parameterized queries
- Command injection: use subprocess with list args, no shell=True
- Path traversal: validate and sanitize paths
- Insecure deserialization: use json instead of pickle
- IaC misconfigs: apply the suggested fix from the rule