Copilot AI commented Dec 15, 2025

Addresses security vulnerabilities and code quality issues identified in PR #46 review: exposed credentials in documentation/scripts and hardcoded environment-specific paths in production code.

Security Fixes

  • Removed exposed Gmail credentials from setup_smtp_secrets.sh and SMTP_SETUP.md

    • Replaced [email protected] and app password wusv nhcj hjok vqml with placeholder values
  • Eliminated hardcoded file paths in MCP adapters

    • Before: /Users/garvey/Documents/GitHub/AJOB4AGENT/mcp-servers/...
    • After: process.env.YC_MCP_SERVER_PATH || './mcp-servers/ycombinator-server/dist/index.js'
    • Applied to ycombinator-adapter.ts and tech-talent-adapter.ts

Code Quality

  • Removed unused variables: platformManager (unified-job-search.ts), accountInfo (oauth-manager.ts), name (test-10-platform-integration.js)
  • Refactored conditional logic in enhanced-greenhouse-adapter.ts to eliminate uninitialized variable declaration
  • Enhanced error message in daily-email-report.ts with specific database query requirements

// Before
constructor(serverPath: string = '/Users/garvey/Documents/...') {
  this.serverPath = serverPath;

// After
constructor(serverPath?: string) {
  this.serverPath = serverPath || process.env.YC_MCP_SERVER_PATH || './mcp-servers/...';

CodeQL scan: 0 vulnerabilities


vercel bot commented Dec 15, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Review | Updated (UTC)
ajob-4-agent | Ready | Preview, Comment | Dec 15, 2025 10:18pm

coderabbitai bot commented Dec 15, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

Copilot AI changed the title from "[WIP] Add automated daily email job reports and API enhancements" to "Remove hardcoded credentials and fix code quality issues from PR #46" Dec 15, 2025
Copilot AI requested a review from groupthinking December 15, 2025 22:19
groupthinking previously approved these changes Dec 18, 2025
groupthinking marked this pull request as ready for review December 20, 2025 01:33
Copilot AI review requested due to automatic review settings December 20, 2025 01:33

Comment on lines +8 to 12
constructor(serverPath?: string) {
this.serverPath = serverPath || process.env.YC_MCP_SERVER_PATH || './mcp-servers/ycombinator-server/dist/index.js';
this.client = new MCPClient({
transport: {
type: 'stdio',
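
Review bot: The default on the `this.serverPath` line, './mcp-servers/ycombinator-server/dist/index.js', is a relative path, so the script handed to the stdio transport depends on the directory the service happens to be started from. Suggest resolving the chosen value to an absolute path against the module's own directory at construction time and throwing a clear error if that file does not exist. Because the chain uses `||`, an empty YC_MCP_SERVER_PATH also falls through to the default without any signal; logging which source supplied the path would make a misconfigured deployment easier to spot.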

Bug: The MCPClient constructor incorrectly uses the serverPath parameter for its args, instead of the resolved this.serverPath class property, causing a startup failure.
Severity: CRITICAL | Confidence: High

🔍 Detailed Analysis

In the YCombinatorAdapter and TechTalentAdapter constructors, the MCPClient is initialized with args: [serverPath]. Since these adapters are instantiated without arguments, the serverPath parameter is undefined. The client should be initialized using this.serverPath, which correctly resolves the server path from the parameter, an environment variable, or a default value. This misconfiguration will cause the MCPClient to fail to connect to its server process during application startup, preventing any search functionality for the YCombinator or TechTalent platforms from working.

💡 Suggested Fix

In the MCPClient configuration within the YCombinatorAdapter and TechTalentAdapter constructors, change args: [serverPath] to args: [this.serverPath] to ensure the correctly resolved path is used.

🤖 Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: services/agent-orchestrator/src/adapters/ycombinator-adapter.ts#L8-L12

Copilot AI left a comment

Pull request overview

This PR addresses security vulnerabilities by removing hardcoded credentials from documentation and scripts, and eliminates environment-specific hardcoded file paths in MCP adapter constructors. It also includes code quality improvements by removing unused variables and enhancing error messages.

  • Removed exposed Gmail credentials ([email protected] and app password) from setup scripts and documentation
  • Refactored MCP adapter constructors to use environment variables and relative paths instead of hardcoded absolute paths
  • Cleaned up unused variables across multiple files and improved error messaging

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.

File | Description
setup_smtp_secrets.sh | Replaced hardcoded email credentials with placeholder values for security
SMTP_SETUP.md | Updated documentation to use generic placeholders instead of actual credentials
services/agent-orchestrator/src/adapters/ycombinator-adapter.ts | Made serverPath optional with environment variable fallback (but introduced bug in MCPClient initialization)
services/agent-orchestrator/src/adapters/tech-talent-adapter.ts | Made serverPath optional with environment variable fallback (but introduced bug in MCPClient initialization)
services/agent-orchestrator/src/adapters/enhanced-greenhouse-adapter.ts | Refactored conditional logic to eliminate uninitialized variable declaration
services/agent-orchestrator/src/auth/oauth-manager.ts | Removed unused accountInfo variable and replaced with TODO comment
services/agent-orchestrator/src/api/unified-job-search.ts | Removed unused module-level platformManager variable
services/agent-orchestrator/src/reports/daily-email-report.ts | Enhanced error message with specific database query requirements
test-10-platform-integration.js | Removed unused name variable from test loop

Comment on lines +8 to +9
constructor(serverPath?: string) {
this.serverPath = serverPath || process.env.YC_MCP_SERVER_PATH || './mcp-servers/ycombinator-server/dist/index.js';

Copilot AI Dec 20, 2025

This change introduces a bug in the constructor. While line 9 correctly assigns the fallback path to this.serverPath, the MCPClient initialization on line 14 (not shown in diff) still uses the parameter serverPath directly in args: [serverPath]. When no path is provided, serverPath will be undefined, causing the MCP server to fail to start. Line 14 should use this.serverPath instead of serverPath to properly use the fallback logic.

Copilot uses AI. Check for mistakes.
Comment on lines +8 to +9
constructor(serverPath?: string) {
this.serverPath = serverPath || process.env.TECH_TALENT_MCP_SERVER_PATH || './mcp-servers/tech-talent-server/dist/index.js';
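
Review bot: `process.env.TECH_TALENT_MCP_SERVER_PATH` on the `this.serverPath` line is a new configuration input, and nothing in the hunk says what it must point to. Suggest a short comment on the constructor stating that it is the path to the built server entry script and that it takes precedence over the './mcp-servers/tech-talent-server/dist/index.js' default, plus an entry wherever the service's other environment variables are documented. The same three-step chain now appears in both adapters, so a small shared helper would keep the precedence rules from drifting apart.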

Copilot AI Dec 20, 2025

This change introduces a bug in the constructor. While line 9 correctly assigns the fallback path to this.serverPath, the MCPClient initialization on line 14 (not shown in diff) still uses the parameter serverPath directly in args: [serverPath]. When no path is provided, serverPath will be undefined, causing the MCP server to fail to start. Line 14 should use this.serverPath instead of serverPath to properly use the fallback logic.
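
The failure the review comments describe, next to the suggested fix, as an added example that is not part of the PR or the project's code. StubMCPClient, canStart, the position of args inside transport, and the injected env parameter (standing in for process.env) are assumptions made for illustration.

```typescript
// Added example: stand-in types, not the project's MCPClient.
type Env = Record<string, string | undefined>;
type ClientConfig = { transport: { type: 'stdio'; args: (string | undefined)[] } };

class StubMCPClient {
  config: ClientConfig;
  constructor(config: ClientConfig) {
    this.config = config;
  }
  // A stdio transport can only spawn a server if every argument is a non-empty string.
  canStart(): boolean {
    return this.config.transport.args.every((a) => typeof a === 'string' && a.length > 0);
  }
}

const DEFAULT_PATH = './mcp-servers/ycombinator-server/dist/index.js';

// Precedence: explicit argument, then environment, then default.
// Blank or whitespace-only values count as unset.
function resolveServerPath(explicit: string | undefined, env: Env): string {
  for (const candidate of [explicit, env['YC_MCP_SERVER_PATH'], DEFAULT_PATH]) {
    const value = candidate?.trim();
    if (value) return value;
  }
  throw new Error('unreachable: DEFAULT_PATH is non-empty');
}

// Pattern flagged in review: the property is resolved, but the raw parameter is passed on.
class AdapterAsReviewed {
  serverPath: string;
  client: StubMCPClient;
  constructor(serverPath?: string, env: Env = {}) {
    this.serverPath = serverPath || env['YC_MCP_SERVER_PATH'] || DEFAULT_PATH;
    this.client = new StubMCPClient({ transport: { type: 'stdio', args: [serverPath] } });
  }
}

// Suggested fix: resolve once, then pass the resolved property to the client.
class AdapterFixed {
  serverPath: string;
  client: StubMCPClient;
  constructor(serverPath?: string, env: Env = {}) {
    this.serverPath = resolveServerPath(serverPath, env);
    this.client = new StubMCPClient({ transport: { type: 'stdio', args: [this.serverPath] } });
  }
}
```

Constructed with no argument, AdapterAsReviewed holds a correct serverPath while its client receives undefined, which is why the defect only shows up when the server process is launched.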
