v1.2.7

Temporarily disable the caller's local terminal ECHO while a PTY-backed child runs so typed passwords are not visible on the host terminal. Adds makeRaw/restoreTerminal hooks and OS-specific setEcho implementations (Linux/BSD) and uses them in the PTY startup path. Includes unit tests (TestExecute_SetsHostTerminalRaw and PTY simulation) and updates docs, release notes, changelog, and the version bump to v1.2.7. Also includes small lint/quality fixes referenced in the changelog.

Author: VoxDroid

CHANGELOG.md

@@ -3,6 +3,16 @@
 
 All notable changes to this project will be documented in this file.
 
+## v1.2.7 - 2026-02-19
+
+- **Bugfix (Executor/TUI):** Prevent passwords from being visible when running interactive commands (e.g., `sudo`). When the executor runs a child in hybrid PTY mode we now temporarily disable *local echo* on the caller's terminal so typed passwords are not echoed back to the host terminal. Only the local ECHO flag is toggled (other terminal output processing is preserved) to avoid changing how child output is rendered.
+  - Added `makeRaw`/`restoreTerminal` hooks and OS-specific `setEcho` helpers to safely toggle host echo and make the behavior testable.
+  - Added `TestExecute_SetsHostTerminalRaw` and PTY-simulation helpers to prevent regressions.
+- **Quality:** Fixed revive lint warnings and kept `gocyclo` under the configured threshold; all `golangci-lint`, `gocyclo`, and unit tests pass locally.
+- **Docs:** Updated `docs/executor.md` and `docs/tui.md` to document the host-terminal echo behavior during interactive PTY-backed runs.
+- **Version:** Bump to `v1.2.7`.
+
+
 ## v1.2.6 - 2026-02-17
 
 - **Bugfix (Registry):** Fix rollback creating duplicate version entries — rolling back to a previous version was producing both an "update" and a "rollback" version record because `ApplyVersionByName` called `ReplaceCommands` (which records an "update") and then separately recorded a "rollback". Now uses a single transaction with `replaceCommandsTx` + `recordVersionTx` so only one "rollback" version is created.

RELEASE_NOTES/GITHUB_v1.2.7.md

@@ -0,0 +1,17 @@
+# v1.2.7 - 2026-02-19
+
+This patch prevents passwords from being visible when running interactive commands (for example `sudo`) via `krnr` or the TUI by disabling local echo on the host terminal while a PTY-backed child is running.
+
+## Bug fixes
+
+### Hide password input during interactive runs
+Interactive programs (such as `sudo`) already read from the child's PTY, but the host terminal could locally echo typed keystrokes — which made passwords visible to observers of the host terminal.
+
+**Fix:** temporarily disable the host terminal's ECHO flag while the PTY-backed child runs and restore the previous terminal state afterwards. The change only toggles local echo (preserves output post-processing) to avoid affecting child output rendering.
+
+## Tests & docs
+- Unit tests added to validate host-terminal echo toggling in PTY scenarios.
+- Documentation updated to mention the behavior in `docs/executor.md` and `docs/tui.md`.
+
+## Upgrade notes
+No DB or user-facing CLI changes required — upgrade to v1.2.7 to get the fix.

docs/executor.md

@@ -24,6 +24,10 @@ Hybrid PTY mode:
   be answered while keeping output simple and viewport-friendly.
 - PTY output written to `/dev/tty` by the child (e.g., password prompts) is read
   from the PTY master and forwarded to the caller's stdout.
+- While a PTY-backed child is running, the executor temporarily disables the host
+  terminal's local echo so password input typed by the user is not visible on
+  the host terminal. Only the local echo flag is toggled (output post-processing
+  remains unchanged) to avoid affecting how child output is rendered.
 
 Notes:
 - By default, `Shell` is empty and the OS default shell is used. Set `Shell` to

docs/releases/v1.2.7.md

@@ -0,0 +1,22 @@
+# v1.2.7 - 2026-02-19
+
+This patch fixes an issue where passwords typed into interactive child processes (for example `sudo`) could be visible in the host terminal when running commands via `krnr`/TUI.
+
+## Bug fixes
+
+### Prevent passwords from being echoed locally
+When the executor runs a child in hybrid PTY mode the child already has a proper `/dev/tty`, but the host terminal could still echo typed characters locally — causing passwords to be visible to someone watching the host terminal.
+
+**Fix:** while a PTY-backed child runs we temporarily disable *local echo* on the caller's terminal and restore the prior terminal state afterward. Only the local ECHO flag is toggled so output post-processing and rendering remain unchanged (no more visual glitches).
+
+**Tests:** added unit tests that simulate terminal-like stdin and verify host-terminal echo toggling.
+
+## Tests & Quality
+- Added `TestExecute_SetsHostTerminalRaw` and supporting test hooks for terminal-mode behavior.
+- Addressed small linter/test hygiene issues; `golangci-lint`, `gocyclo`, and unit tests pass locally.
+
+## Docs
+- Updated `docs/executor.md` and `docs/tui.md` to document the host-terminal echo behavior during interactive runs.
+
+## Upgrade notes
+- No DB schema changes. Users should simply upgrade to v1.2.7.

docs/tui.md

@@ -55,6 +55,7 @@ Sanitizing run output
 Interactive commands & hybrid PTY
 - The TUI supports running interactive commands that require user input (e.g., `sudo` password prompts, `pacman` confirmations). When a run is in progress, typed keys are forwarded to the process stdin.
 - The executor uses a **hybrid PTY** approach: stdin and the controlling terminal use a PTY so programs that read from `/dev/tty` work, while stdout/stderr remain as pipes for viewport-friendly output.
+- While a PTY-backed child runs, the host terminal's local echo is temporarily disabled so password input is not visible to observers of the host terminal; the TUI forwards keystrokes into the process while preserving how output renders in the viewport.
 - All prompts and output appear inside the **run output panel** (viewport), not in the footer or bottom bar.
 - Output streams live — no keypress required to see results.
 

internal/executor/executor_pty_simulated_test.go

@@ -8,6 +8,8 @@ import (
 	"io"
 	"os/exec"
 	"testing"
+
+	"golang.org/x/term"
 )
 
 // fakeReader simulates an io.Reader that also exposes a file descriptor.
@@ -49,3 +51,36 @@ func TestExecute_PTYSimulated(t *testing.T) {
 		t.Fatalf("expected prompt streamed to stdout, got: %q", out.String())
 	}
 }
+
+func TestExecute_SetsHostTerminalRaw(t *testing.T) {
+	// Ensure we call makeRaw/restoreTerminal when stdin is a terminal-like FD.
+	origIsTerminal := isTerminal
+	origMakeRaw := makeRaw
+	origRestore := restoreTerminal
+	defer func() { isTerminal = origIsTerminal; makeRaw = origMakeRaw; restoreTerminal = origRestore }()
+
+	isTerminal = func(fd uintptr) bool { return fd == 0xdead }
+
+	calledMake := false
+	calledRestore := false
+	makeRaw = func(_ int) (*term.State, error) {
+		calledMake = true
+		return &term.State{}, nil
+	}
+	restoreTerminal = func(_ int, _ *term.State) error {
+		calledRestore = true
+		return nil
+	}
+
+	ctx := context.Background()
+	e := &Executor{}
+	var out bytes.Buffer
+	var errb bytes.Buffer
+	stdin := &fakeReader{fd: 0xdead}
+	if err := e.Execute(ctx, "true", "", stdin, &out, &errb); err != nil {
+		t.Fatalf("Execute failed: %v", err)
+	}
+	if !calledMake || !calledRestore {
+		t.Fatalf("expected makeRaw and restoreTerminal to be called; got make=%v restore=%v", calledMake, calledRestore)
+	}
+}

internal/executor/pty_unix.go

@@ -19,6 +19,24 @@ var isTerminal = func(fd uintptr) bool {
 	return term.IsTerminal(int(fd))
 }
 
+// makeRaw/restoreTerminal wrap terminal mode changes so tests can override
+// them. Default behavior: save the current terminal state and *disable local
+// echo only* (do not flip other flags such as OPOST) so the host terminal
+// does not display typed passwords but output post-processing stays intact.
+// Tests can still override these hooks.
+var makeRaw = func(fd int) (*term.State, error) {
+	oldState, err := term.GetState(fd)
+	if err != nil {
+		return nil, err
+	}
+	// disable local echo only
+	if err := setEcho(fd, false); err != nil {
+		return nil, err
+	}
+	return oldState, nil
+}
+var restoreTerminal = func(fd int, state *term.State) error { return term.Restore(fd, state) }
+
 // ptyStarter encapsulates starting a command with a hybrid PTY setup.
 // The child's stdin and controlling terminal use a PTY so programs like
 // sudo that open /dev/tty work correctly. Stdout and stderr remain as
@@ -58,6 +76,18 @@ var ptyStarter = func(cmd *exec.Cmd, stdin io.Reader, stdout, stderr io.Writer)
 	}
 	_ = pts.Close() // child has its own copy; close ours
 
+	// If the caller's stdin is a terminal, put the *caller* terminal into
+	// raw mode while the child runs. This prevents the host terminal from
+	// locally echoing keystrokes (so password entry remains hidden) while
+	// we forward input into the child's PTY master.
+	if f, ok := stdin.(interface{ Fd() uintptr }); ok {
+		if isTerminal(f.Fd()) {
+			if oldState, err := makeRaw(int(f.Fd())); err == nil {
+				defer func() { _ = restoreTerminal(int(f.Fd()), oldState) }()
+			}
+		}
+	}
+
 	// Forward user input from the caller's reader into the PTY master
 	// so interactive prompts (sudo password, etc.) receive keystrokes.
 	go func() { _, _ = io.Copy(ptmx, stdin) }()

internal/executor/term_setecho_bsd.go

@@ -0,0 +1,19 @@
+//go:build darwin || freebsd || netbsd || openbsd || dragonfly
+
+package executor
+
+import "golang.org/x/sys/unix"
+
+// setEcho toggles the ECHO bit on the terminal referenced by fd (BSD / macOS).
+func setEcho(fd int, enabled bool) error {
+	t, err := unix.IoctlGetTermios(fd, unix.TIOCGETA)
+	if err != nil {
+		return err
+	}
+	if enabled {
+		t.Lflag |= unix.ECHO
+	} else {
+		t.Lflag &^= unix.ECHO
+	}
+	return unix.IoctlSetTermios(fd, unix.TIOCSETA, t)
+}

internal/executor/term_setecho_linux.go

@@ -0,0 +1,19 @@
+//go:build linux || android
+
+package executor
+
+import "golang.org/x/sys/unix"
+
+// setEcho toggles the ECHO bit on the terminal referenced by fd (Linux).
+func setEcho(fd int, enabled bool) error {
+	t, err := unix.IoctlGetTermios(fd, unix.TCGETS)
+	if err != nil {
+		return err
+	}
+	if enabled {
+		t.Lflag |= unix.ECHO
+	} else {
+		t.Lflag &^= unix.ECHO
+	}
+	return unix.IoctlSetTermios(fd, unix.TCSETS, t)
+}

internal/version/version.go

@@ -3,4 +3,4 @@ package version
 
 // Version is set at build time via -ldflags "-X github.com/VoxDroid/krnr/internal/version.Version=<value>"
 // The default is a development placeholder.
-var Version = "v1.2.6"
+var Version = "v1.2.7"