[plan] Add interactive secret input with password masking #14018
Description
Objective
Enhance the gh aw secret set command with interactive secret input using Huh forms, providing password masking and validation for improved security and user experience.
Context
Issue #14013 identified an opportunity to add interactive secret management. Currently, secrets are set via command-line arguments which can expose sensitive values in shell history.
Approach
- Create
promptForSecret()function inpkg/cli/secret_set_command.go - Use
huh.NewInput()withEchoModePasswordfor masked input - Add validation to prevent empty secrets
- Integrate with
console.IsAccessibleMode()for accessibility
Implementation Details
func promptForSecret() (string, error) {
var secretValue string
form := huh.NewForm(
huh.NewGroup(
huh.NewInput().
Title("Enter secret value").
Description("This value will be encrypted and stored securely").
EchoMode(huh.EchoModePassword).
Value(&secretValue).
Validate(func(s string) error {
if len(s) == 0 {
return fmt.Errorf("secret value cannot be empty")
}
return nil
}),
),
).WithAccessible(console.IsAccessibleMode())
return secretValue, form.Run()
}Files to Modify
- Update:
pkg/cli/secret_set_command.go- Add interactive secret input - Update:
pkg/cli/secret_set_command_test.go- Add tests for interactive mode
Acceptance Criteria
- Interactive secret input with password masking
- Empty secret validation with helpful error message
- Accessibility mode support (plain text mode when needed)
- TTY detection - skip interactive prompt when input is piped
- Command-line argument takes precedence over interactive prompt
- Shell history does not contain secret values
- Tests cover interactive and non-interactive modes
Related to Terminal Stylist Analysis: Console Output Patterns in gh-aw #14013
AI generated by Plan Command for #14013
- expires on Feb 8, 2026, 1:01 AM UTC