feat: improve interactive prompt for missing secrets

List all missing secrets upfront with descriptions before prompting,
add step counter ([1/3]), show profile and provider in header, and
use inquire::Password for consistent masked input. Remove rpassword
dependency in favor of inquire which was already used elsewhere.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: domenkozar

CHANGELOG.md

@@ -5,6 +5,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+### Changed
+- Improved interactive prompt for missing secrets: lists all missing secrets upfront with descriptions, adds step counter (`[1/3]`), and uses `inquire::Password` for consistent masked input. Removed `rpassword` dependency.
+
 ## [0.7.0] - 2026-02-08
 
 ### Added

Cargo.lock

@@ -18,7 +18,6 @@ toml = "0.9"
 thiserror = "2.0"
 directories = "6.0"
 colored = "3.0"
-rpassword = "7.4.0"
 dotenvy = "0.15"
 serde-envfile = "0.3"
 inquire = "0.9"

Cargo.toml

@@ -23,7 +23,6 @@ toml.workspace = true
 thiserror.workspace = true
 directories.workspace = true
 colored.workspace = true
-rpassword.workspace = true
 dotenvy.workspace = true
 serde-envfile.workspace = true
 inquire.workspace = true

secretspec/Cargo.toml

@@ -9,7 +9,7 @@ use secrecy::{ExposeSecret, SecretString};
 use std::collections::{HashMap, HashSet};
 use std::convert::TryFrom;
 use std::env;
-use std::io::{self, IsTerminal, Read, Write};
+use std::io::{self, IsTerminal, Read};
 use std::path::Path;
 use std::process::Command;
 
@@ -552,11 +552,11 @@ impl Secrets {
         let value = if let Some(v) = value {
             SecretString::new(v.into())
         } else if io::stdin().is_terminal() {
-            // Use rpassword for single-line input (most common case)
-            // For multiline secrets, users should pipe the content
-            let secret = rpassword::prompt_password(format!(
-                "Enter value for {name} (profile: {profile_name}): "
-            ))?;
+            let secret = inquire::Password::new(&format!(
+                "Enter value for {name} (profile: {profile_name}):"
+            ))
+            .without_confirmation()
+            .prompt()?;
             SecretString::new(secret.into())
         } else {
             // Read from stdin when input is piped
@@ -696,29 +696,61 @@ impl Secrets {
             Err(validation_errors) => {
                 // If we're in interactive mode and have missing required secrets, prompt for them
                 if interactive && !validation_errors.missing_required.is_empty() {
-                    eprintln!("\nThe following required secrets are missing:");
-                    for secret_name in &validation_errors.missing_required {
+                    if !io::stdin().is_terminal() {
+                        return Err(SecretSpecError::RequiredSecretMissing(
+                            validation_errors.missing_required.join(", "),
+                        ));
+                    }
+
+                    let missing = &validation_errors.missing_required;
+                    let total = missing.len();
+                    let default_backend = self.get_provider(provider_arg.clone())?;
+
+                    // List all missing secrets upfront
+                    eprintln!(
+                        "\n{} required {} missing in profile {} with provider {}:\n",
+                        total,
+                        if total == 1 {
+                            "secret is"
+                        } else {
+                            "secrets are"
+                        },
+                        profile_display.bold(),
+                        default_backend.name().bold(),
+                    );
+                    for secret_name in missing {
+                        let description = self
+                            .resolve_secret_config(secret_name, Some(&profile_display))
+                            .and_then(|c| c.description)
+                            .unwrap_or_default();
+                        if description.is_empty() {
+                            eprintln!("  {} {}", "-".dimmed(), secret_name.bold());
+                        } else {
+                            eprintln!(
+                                "  {} {} - {}",
+                                "-".dimmed(),
+                                secret_name.bold(),
+                                description
+                            );
+                        }
+                    }
+                    eprintln!();
+
+                    // Prompt for each missing secret
+                    for (i, secret_name) in missing.iter().enumerate() {
                         if let Some(secret_config) =
                             self.resolve_secret_config(secret_name, Some(&profile_display))
                         {
-                            let description = secret_config
-                                .description
-                                .as_deref()
-                                .unwrap_or("No description");
-                            eprintln!("\n{} - {}", secret_name.bold(), description);
-                            let value = if io::stdin().is_terminal() {
-                                print!(
-                                    "Enter value for {} (profile: {}): ",
-                                    secret_name, profile_display
-                                );
-                                io::stdout().flush()?;
-                                rpassword::read_password()?
-                            } else {
-                                // When stdin is not a terminal, we can't prompt interactively
-                                return Err(SecretSpecError::RequiredSecretMissing(
-                                    validation_errors.missing_required.join(", "),
-                                ));
-                            };
+                            let prompt_msg =
+                                format!("[{}/{}] Enter value for {}:", i + 1, total, secret_name,);
+                            let mut prompt =
+                                inquire::Password::new(&prompt_msg).without_confirmation();
+
+                            if let Some(ref desc) = secret_config.description {
+                                prompt = prompt.with_help_message(desc);
+                            }
+
+                            let value = prompt.prompt()?;
 
                             // Get the provider for this specific secret
                             // Use first provider in list if specified, otherwise use CLI provider or default