mc/metacircular
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add CLI security standard: never echo passwords

Browse Source 
New standard requiring mcdsl/terminal.ReadPassword for interactive
password prompts. Codifies the fix applied to MCP's login command.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Kyle Isom
2026-03-28 11:11:53 -07:00
parent cadbb3f234
commit 86bbfa640f
1 changed files with 7 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
engineering-standards.md
View File

@@ -1018,6 +1018,13 @@ Write these before writing code. They are the blueprint, not the afterthought.
- **Never log secrets.** Keys, passwords, tokens, and plaintext must never - **Never log secrets.** Keys, passwords, tokens, and plaintext must never
appear in log output. appear in log output.
### CLI Security
- **Never echo passwords.** Interactive password prompts must suppress
terminal echo. Use `mcdsl/terminal.ReadPassword` — it wraps
`golang.org/x/term.ReadPassword` with proper prompt and newline handling.
Never read passwords with `bufio.Scanner` or `fmt.Scanln`.
### Web Security ### Web Security
- CSRF tokens on all mutating requests. - CSRF tokens on all mutating requests.