From 86bbfa640fb45d8d8873e8184836587d301cf5ed Mon Sep 17 00:00:00 2001
From: Kyle Isom <kyle@imap.cc>
Date: Sat, 28 Mar 2026 11:11:53 -0700
Subject: [PATCH] Add CLI security standard: never echo passwords

New standard requiring mcdsl/terminal.ReadPassword for interactive
password prompts. Codifies the fix applied to MCP's login command.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 engineering-standards.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/engineering-standards.md b/engineering-standards.md
index 7752983..f4cebfa 100644
--- a/engineering-standards.md
+++ b/engineering-standards.md
@@ -1018,6 +1018,13 @@ Write these before writing code. They are the blueprint, not the afterthought.
 - **Never log secrets.** Keys, passwords, tokens, and plaintext must never
   appear in log output.
 
+### CLI Security
+
+- **Never echo passwords.** Interactive password prompts must suppress
+  terminal echo. Use `mcdsl/terminal.ReadPassword` — it wraps
+  `golang.org/x/term.ReadPassword` with proper prompt and newline handling.
+  Never read passwords with `bufio.Scanner` or `fmt.Scanln`.
+
 ### Web Security
 
 - CSRF tokens on all mutating requests.