feat(cli): stdin support for --password / --url / --ssh-password (closes #158) by Maxteabag · Pull Request #240 · Maxteabag/sqlit

Maxteabag · 2026-05-25T14:30:17Z

Closes #158.

Passing --password foo or a URL with embedded creds on the CLI exposes the secret to anyone who can ps or read /proc/<pid>/cmdline. This adds opt-in stdin variants so callers can pipe secrets in instead:

--password-stdin (top-level, connect <provider>, connections add <provider>, connections edit)
--url-stdin (connections add)
--ssh-password-stdin (per-provider + connections edit)

Reads one line, strips the trailing newline (handles \r\n too), refuses a TTY stdin, errors on EOF. Mutex with the cleartext flag and with each other (stdin is a single stream).

Example:

echo "$DB_PW" | sqlit connect postgresql --name prod \
  --server db.example.com --port 5432 --database app --username svc \
  --password-stdin

The existing --password etc. are unchanged — these flags are purely additive.

#158) Add --password-stdin, --url-stdin, and --ssh-password-stdin opt-in flags so secrets can be piped in instead of passed on argv, where they'd be visible to other users via ps / /proc/<pid>/cmdline. Mutex with the existing cleartext flags; only one --*-stdin per invocation (stdin is a single stream).

Maxteabag merged commit c16cccc into main May 25, 2026
21 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(cli): stdin support for --password / --url / --ssh-password (closes #158)#240

feat(cli): stdin support for --password / --url / --ssh-password (closes #158)#240
Maxteabag merged 1 commit into
mainfrom
worktree-conn-string-stdin

Maxteabag commented May 25, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

Maxteabag commented May 25, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant