TUI does not redact pasted password #282

@mstfash

Problem

When prompted for a password, pasted values are not detected as sensitive data and appear in plain text in both the UI and LLM responses.

Expected Behavior

  • Pasted passwords should be automatically redacted in the UI
  • LLM should not print actual password values
  • Passwords should be masked in logs and output

Actual Behavior

  • Password appears in plain text when pasted
  • LLM includes actual password in responses
  • No redaction occurs despite password context

Steps to Reproduce

  1. Run Stakpak in interactive mode
  2. Trigger a command requiring password input
  3. Paste password when prompted
  4. Observe plain text display and unredacted LLM responses

Security Impact

HIGH SEVERITY - Sensitive credentials are exposed in UI and potentially logged/transmitted.

Root Cause

Password detection only works for variables like (API_KEY={$PASSWORD} or PASSWORD={$PASSWORD}) but not for direct pasted values in password contexts.
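
The gap described under Root Cause, and one way to close it, as an added example (not part of the original issue and not Stakpak's code): `redact_assignments` is a simplified stand-in for NAME=value detection, and `PromptSecrets` is a hypothetical registry that records whatever is entered while a password prompt is active, typed or pasted, and masks that literal value everywhere afterwards. All names, the placeholder format and the sample password are assumptions constructed for the example.

```rust
use std::collections::HashMap;

// Simplified stand-in for NAME=value detection (an assumption, not Stakpak's code).
pub fn redact_assignments(text: &str) -> String {
    let hit = |n: &str| ["PASSWORD", "API_KEY"].iter().any(|k| n.to_uppercase().contains(*k));
    text.split(' ').map(|t| match t.split_once('=') {
        Some((name, val)) if !val.is_empty() && hit(name) => format!("{name}=[REDACTED]"),
        _ => t.to_string(),
    }).collect::<Vec<_>>().join(" ")
}

// Hypothetical registry of values entered while a password prompt was active.
#[derive(Default)]
pub struct PromptSecrets(HashMap<String, String>); // secret -> placeholder

impl PromptSecrets {
    // Call for typed and pasted input; display and transmit only the returned placeholder.
    pub fn register(&mut self, input: &str) -> String {
        let value = input.trim_end_matches(&['\r', '\n'][..]);
        if value.is_empty() { return String::new(); } // an empty secret would match everywhere
        let id = self.0.len() + 1;
        let slot = self.0.entry(value.to_string());
        slot.or_insert_with(|| format!("[REDACTED_SECRET:{id}]")).clone()
    }

    // Single pass, longest secret first, so inserted placeholders are never re-scanned.
    pub fn redact(&self, text: &str) -> String {
        let mut items: Vec<_> = self.0.iter().collect();
        items.sort_by(|a, b| b.0.len().cmp(&a.0.len()));
        let (mut out, mut rest) = (String::new(), text);
        'scan: while let Some(ch) = rest.chars().next() {
            for (secret, placeholder) in &items {
                if rest.starts_with(secret.as_str()) {
                    out.push_str(placeholder);
                    rest = &rest[secret.len()..];
                    continue 'scan;
                }
            }
            out.push(ch);
            rest = &rest[ch.len_utf8()..];
        }
        out
    }
}

fn main() {
    let mut secrets = PromptSecrets::default();
    println!("{}", secrets.register("hunter2-constructed\n")); // constructed sample paste
    println!("{}", secrets.redact(&redact_assignments("sudo: received hunter2-constructed")));
}
```

Every outbound path (TUI render, log writer, LLM request body) would need to pass through `redact` for the placeholder to hold.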

Labels: bug (Something isn't working)
