@kajogo777
Member

Summary

When users paste content containing secrets (API keys, passwords, tokens), automatically detect and redact them with [REDACTED_SECRET:rule-id:hash] placeholders.

Changes

  • Modified tui/src/services/handlers/input.rs to run pasted content through secret_manager.redact_and_store_secrets()
  • Uses the same gitleaks-based detection as the MCP proxy
  • The redacted placeholder appears directly in the input box as visual feedback
  • Mapping is stored in the session's secrets.json so the agent can restore actual values when executing commands

How it works

  1. User pastes export API_KEY=sk-abc123xyz789...
  2. TUI detects the API key pattern and substitutes it: export API_KEY=[REDACTED_SECRET:generic-api-key:a1b2c3]
  3. User sees the redacted version in the input box
  4. When the agent uses this in a command, the MCP proxy restores the actual secret before execution

Testing

  • Build passes: cargo check --package stakpak-tui
  • Tested with various secret patterns (AWS keys, API tokens, etc.)

When users paste content containing secrets (API keys, passwords, tokens),
automatically detect and redact them with [REDACTED_SECRET:rule-id:hash]
placeholders. This uses the same gitleaks-based detection as the MCP proxy.

The redacted placeholder appears directly in the input box as visual feedback,
and the mapping is stored in the session's secrets.json so the agent can
restore actual values when executing commands.
@kajogo777 kajogo777 requested a review from mstfash January 14, 2026 06:07
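
The redact, store and restore flow described under "How it works", as an added example that is not code from this pull request. Assumptions: the key-name check is a hypothetical stand-in for the gitleaks rules, the FNV-1a hash and the function names are illustrative, and an in-memory map stands in for the session's secrets.json.

```rust
use std::collections::HashMap;

// Hypothetical stand-in for the gitleaks rules: an assignment whose key name
// contains one of these markers is reported as a "generic-api-key" finding.
const MARKERS: [&str; 4] = ["KEY", "TOKEN", "SECRET", "PASSWORD"];
const PREFIX: &str = "[REDACTED_SECRET:";

// FNV-1a truncated to 6 hex digits (assumed; the project's hash is not on the page).
fn short_hash(s: &str) -> String {
    let mut h: u32 = 0x811c9dc5;
    for b in s.bytes() {
        h = (h ^ b as u32).wrapping_mul(0x01000193);
    }
    format!("{:06x}", h & 0xff_ffff)
}

/// Replace detected secret values with placeholders and record placeholder -> secret.
fn redact_and_store(input: &str, store: &mut HashMap<String, String>) -> String {
    let mut out = String::new();
    // split_inclusive keeps each word's trailing whitespace, so multi-line pastes survive.
    for piece in input.split_inclusive(char::is_whitespace) {
        let word = piece.trim_end();
        match word.split_once('=') {
            Some((key, value))
                if !value.is_empty()
                    && !value.starts_with(PREFIX) // already redacted: leave as is
                    && MARKERS.iter().any(|m| key.to_uppercase().contains(m)) =>
            {
                let ph = format!("{}generic-api-key:{}]", PREFIX, short_hash(value));
                store.insert(ph.clone(), value.to_string());
                out.push_str(&format!("{}={}{}", key, ph, &piece[word.len()..]));
            }
            _ => out.push_str(piece),
        }
    }
    out
}

/// Restore step: swap every known placeholder back just before execution.
fn restore(text: &str, store: &HashMap<String, String>) -> String {
    store.iter().fold(text.to_string(), |acc, (ph, secret)| acc.replace(ph, secret))
}

fn main() {
    let mut store = HashMap::new();
    let pasted = "export API_KEY=sk-abc123xyz789 REGION=eu-west-1"; // constructed sample
    let shown = redact_and_store(pasted, &mut store);
    println!("{}", shown); // what the input box would display
    assert_eq!(restore(&shown, &store), pasted);
}
```

The placeholder-to-secret map is the sensitive artifact in this flow; the PR keeps it in the session's secrets.json.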