fix: masked password prompt with asterisk echo for IMAP accounts (#216)

## Summary

- Replace `term.ReadPassword` (no visual feedback) with
`charmbracelet/huh` masked input that shows `*` per keystroke during
IMAP password entry
- Add pipe detection: when stdin is not a terminal, read password from
piped stdin for scripted usage (`echo "pass" | msgvault add-imap ...`)
- Use `go-isatty` for TTY detection (including Cygwin/MSYS), matching
existing codebase patterns
- Extract `choosePasswordStrategy()` with table-driven tests covering
all stdin/stdout/stderr TTY combinations
- Remove `golang.org/x/term` direct dependency (no longer needed)
- Update nix flake vendorHash for new dependency

The strategy selection is a pure function of four booleans, tested
across 10 cases:

| stdin | stderr | stdout | method |
|-------|--------|--------|--------|
| any TTY | TTY | any | huh → stderr |
| any TTY | redirected | TTY | huh → stdout |
| any TTY | redirected | redirected | clear error |
| not TTY | any | any | pipe read |

## Test plan

- [x] Table-driven tests for `choosePasswordStrategy`: 10 cases covering
native/Cygwin/piped stdin × stderr/stdout TTY combinations
- [x] Table-driven tests for `readPasswordFromPipe`: newline trimming,
CRLF, empty input, whitespace-only, EOF, multi-line
- [ ] Manual test: `msgvault add-imap --host ... --username ...` shows
asterisks during password entry
- [ ] Manual test: `echo "pass" | msgvault add-imap --host ...
--username ...` reads from pipe

Closes #209

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: wesm

.gitignore

@@ -1,5 +1,6 @@
 # Go binaries
 /msgvault
+/msgvault.exe
 /mimeshootout
 
 # Database files

Makefile

@@ -42,7 +42,7 @@ install:
 
 # Clean build artifacts
 clean:
-	rm -f msgvault mimeshootout
+	rm -f msgvault msgvault.exe mimeshootout
 	rm -rf bin/
 
 # Run tests

cmd/msgvault/cmd/addimap.go

@@ -1,15 +1,53 @@
 package cmd
 
 import (
+	"bufio"
 	"fmt"
+	"io"
 	"os"
+	"strings"
 
+	"github.com/charmbracelet/huh"
+	"github.com/mattn/go-isatty"
 	"github.com/spf13/cobra"
 	imapclient "github.com/wesm/msgvault/internal/imap"
 	"github.com/wesm/msgvault/internal/store"
-	"golang.org/x/term"
 )
 
+// passwordMethod describes how to read the password.
+type passwordMethod int
+
+const (
+	// passwordInteractive uses huh masked input with asterisk echo.
+	passwordInteractive passwordMethod = iota
+	// passwordNoPrompt means stdin is a TTY but no output TTY is
+	// available for the prompt. Fail with a clear error.
+	passwordNoPrompt
+	// passwordPipe reads from piped (non-terminal) stdin.
+	passwordPipe
+)
+
+// choosePasswordStrategy selects the password input method based on
+// which file descriptors are terminals. Returns the method and, for
+// passwordInteractive, the output file to render the TUI to.
+func choosePasswordStrategy(
+	stdinNative, stdinCygwin, stderrTTY, stdoutTTY bool,
+) (passwordMethod, *os.File) {
+	stdinTTY := stdinNative || stdinCygwin
+	if !stdinTTY {
+		return passwordPipe, nil
+	}
+	// Prefer stderr (keeps stdout clean); fall back to stdout.
+	switch {
+	case stderrTTY:
+		return passwordInteractive, os.Stderr
+	case stdoutTTY:
+		return passwordInteractive, os.Stdout
+	default:
+		return passwordNoPrompt, nil
+	}
+}
+
 var (
 	imapHost     string
 	imapPort     int
@@ -28,6 +66,9 @@ Use --starttls for STARTTLS upgrade on port 143.
 Use --no-tls for a plain unencrypted connection (not recommended).
 
 You will be prompted to enter your password interactively.
+For scripting, pipe the password via stdin to avoid exposing it in
+shell history or process listings:
+  read -s PASS && echo "$PASS" | msgvault add-imap --host ... --username ...
 
 Security note: Your password is stored on disk with restricted file
 permissions (0600). For stronger security, use an app-specific password
@@ -58,17 +99,28 @@ Examples:
 			Username: imapUsername,
 		}
 
-		// Get password via secure interactive prompt only (never via flag to
-		// avoid exposure in shell history and process listings).
-		fmt.Printf("Password for %s@%s: ", imapUsername, imapHost)
-		raw, err := term.ReadPassword(int(os.Stdin.Fd()))
-		fmt.Println()
-		if err != nil {
-			return fmt.Errorf("read password: %w", err)
+		prompt := fmt.Sprintf("Password for %s@%s:", imapUsername, imapHost)
+		method, promptOut := choosePasswordStrategy(
+			isatty.IsTerminal(os.Stdin.Fd()),
+			isatty.IsCygwinTerminal(os.Stdin.Fd()),
+			isatty.IsTerminal(os.Stderr.Fd()) || isatty.IsCygwinTerminal(os.Stderr.Fd()),
+			isatty.IsTerminal(os.Stdout.Fd()) || isatty.IsCygwinTerminal(os.Stdout.Fd()),
+		)
+
+		var (
+			password string
+			err      error
+		)
+		switch method {
+		case passwordInteractive:
+			password, err = readPasswordInteractive(prompt, promptOut)
+		case passwordNoPrompt:
+			return fmt.Errorf("cannot read password: no terminal available for prompt (try piping the password via stdin)")
+		case passwordPipe:
+			password, err = readPasswordFromPipe(os.Stdin)
 		}
-		password := string(raw)
-		if password == "" {
-			return fmt.Errorf("password is required")
+		if err != nil {
+			return err
 		}
 
 		// Test connection
@@ -131,6 +183,44 @@ Examples:
 	},
 }
 
+// readPasswordFromPipe reads a password from a non-terminal reader
+// (e.g. piped stdin). Uses only the first line.
+func readPasswordFromPipe(r io.Reader) (string, error) {
+	scanner := bufio.NewScanner(r)
+	if !scanner.Scan() {
+		if err := scanner.Err(); err != nil {
+			return "", fmt.Errorf("read password: %w", err)
+		}
+		return "", fmt.Errorf("password is required")
+	}
+	password := strings.TrimRight(scanner.Text(), "\r\n")
+	if strings.TrimSpace(password) == "" {
+		return "", fmt.Errorf("password is required")
+	}
+	return password, nil
+}
+
+// readPasswordInteractive prompts for a password using a masked
+// input field with asterisk echo. The output writer controls where
+// the TUI renders (typically stderr to avoid polluting stdout).
+func readPasswordInteractive(prompt string, output io.Writer) (string, error) {
+	var password string
+	input := huh.NewInput().
+		Title(prompt).
+		EchoMode(huh.EchoModePassword).
+		Value(&password)
+	err := huh.NewForm(huh.NewGroup(input)).
+		WithOutput(output).
+		Run()
+	if err != nil {
+		return "", fmt.Errorf("read password: %w", err)
+	}
+	if strings.TrimSpace(password) == "" {
+		return "", fmt.Errorf("password is required")
+	}
+	return password, nil
+}
+
 func init() {
 	addIMAPCmd.Flags().StringVar(&imapHost, "host", "", "IMAP server hostname (required)")
 	addIMAPCmd.Flags().IntVar(&imapPort, "port", 0, "IMAP server port (default: 993 for TLS, 143 otherwise)")

cmd/msgvault/cmd/addimap_test.go

@@ -0,0 +1,196 @@
+package cmd
+
+import (
+	"io"
+	"os"
+	"strings"
+	"testing"
+)
+
+func TestPasswordPromptStrategy(t *testing.T) {
+	tests := []struct {
+		name       string
+		stdinNat   bool // stdin is a native terminal
+		stdinCyg   bool // stdin is a Cygwin/MSYS PTY
+		stderrTTY  bool
+		stdoutTTY  bool
+		wantMethod passwordMethod
+		wantOutput *os.File // nil for pipe/error methods
+	}{
+		{
+			name:       "normal interactive terminal",
+			stdinNat:   true,
+			stderrTTY:  true,
+			stdoutTTY:  true,
+			wantMethod: passwordInteractive,
+			wantOutput: os.Stderr,
+		},
+		{
+			name:       "stdout redirected",
+			stdinNat:   true,
+			stderrTTY:  true,
+			stdoutTTY:  false,
+			wantMethod: passwordInteractive,
+			wantOutput: os.Stderr,
+		},
+		{
+			name:       "stderr redirected",
+			stdinNat:   true,
+			stderrTTY:  false,
+			stdoutTTY:  true,
+			wantMethod: passwordInteractive,
+			wantOutput: os.Stdout,
+		},
+		{
+			name:       "both outputs redirected, native stdin",
+			stdinNat:   true,
+			stderrTTY:  false,
+			stdoutTTY:  false,
+			wantMethod: passwordNoPrompt,
+		},
+		{
+			name:       "cygwin normal terminal",
+			stdinCyg:   true,
+			stderrTTY:  true,
+			stdoutTTY:  true,
+			wantMethod: passwordInteractive,
+			wantOutput: os.Stderr,
+		},
+		{
+			name:       "cygwin stdout redirected",
+			stdinCyg:   true,
+			stderrTTY:  true,
+			stdoutTTY:  false,
+			wantMethod: passwordInteractive,
+			wantOutput: os.Stderr,
+		},
+		{
+			name:       "cygwin stderr redirected",
+			stdinCyg:   true,
+			stderrTTY:  false,
+			stdoutTTY:  true,
+			wantMethod: passwordInteractive,
+			wantOutput: os.Stdout,
+		},
+		{
+			name:       "cygwin both outputs redirected",
+			stdinCyg:   true,
+			stderrTTY:  false,
+			stdoutTTY:  false,
+			wantMethod: passwordNoPrompt,
+		},
+		{
+			name:       "piped stdin",
+			stdinNat:   false,
+			stdinCyg:   false,
+			stderrTTY:  true,
+			stdoutTTY:  true,
+			wantMethod: passwordPipe,
+		},
+		{
+			name:       "piped stdin, all redirected",
+			stdinNat:   false,
+			stdinCyg:   false,
+			stderrTTY:  false,
+			stdoutTTY:  false,
+			wantMethod: passwordPipe,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			method, output := choosePasswordStrategy(
+				tt.stdinNat, tt.stdinCyg, tt.stderrTTY, tt.stdoutTTY,
+			)
+			if method != tt.wantMethod {
+				t.Errorf("method = %v, want %v", method, tt.wantMethod)
+			}
+			if output != tt.wantOutput {
+				t.Errorf("output = %v, want %v", output, tt.wantOutput)
+			}
+		})
+	}
+}
+
+func TestReadPasswordFromPipe(t *testing.T) {
+	tests := []struct {
+		name    string
+		input   string
+		want    string
+		wantErr string
+	}{
+		{
+			name:  "reads password from pipe",
+			input: "secret123\n",
+			want:  "secret123",
+		},
+		{
+			name:  "trims trailing newline",
+			input: "mypassword\n",
+			want:  "mypassword",
+		},
+		{
+			name:  "trims trailing CRLF",
+			input: "mypassword\r\n",
+			want:  "mypassword",
+		},
+		{
+			name:  "handles no trailing newline",
+			input: "mypassword",
+			want:  "mypassword",
+		},
+		{
+			name:    "rejects empty input",
+			input:   "\n",
+			wantErr: "password is required",
+		},
+		{
+			name:    "rejects whitespace-only input",
+			input:   "  \n",
+			wantErr: "password is required",
+		},
+		{
+			name:    "rejects EOF with no data",
+			input:   "",
+			wantErr: "password is required",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			r := strings.NewReader(tt.input)
+			got, err := readPasswordFromPipe(r)
+			if tt.wantErr != "" {
+				if err == nil {
+					t.Fatalf("expected error containing %q, got nil", tt.wantErr)
+				}
+				if !strings.Contains(err.Error(), tt.wantErr) {
+					t.Fatalf("error %q does not contain %q", err.Error(), tt.wantErr)
+				}
+				return
+			}
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if got != tt.want {
+				t.Errorf("got %q, want %q", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestReadPasswordFromPipeLargeInput(t *testing.T) {
+	// Only first line should be used as the password.
+	input := "firstline\nsecondline\n"
+	r := strings.NewReader(input)
+	got, err := readPasswordFromPipe(r)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if got != "firstline" {
+		t.Errorf("got %q, want %q", got, "firstline")
+	}
+}
+
+// Verify the function signature accepts io.Reader.
+var _ func(io.Reader) (string, error) = readPasswordFromPipe

flake.nix

@@ -29,7 +29,7 @@
             pname = "msgvault";
             version = "0.0.0-dev";
             src = ./.;
-            vendorHash = "sha256-EyVSGMpQIVo3zn+2BJ/KaMT4HdkdZpe2OQtveoj7oAQ=";
+            vendorHash = "sha256-o7yjPy1pDkD6Ia1H/4Ny/GYqfwv4Vbsd86bQJY6IiVo=";
             proxyVendor = true;
             subPackages = [ "cmd/msgvault" ];
             tags = [ "fts5" ];