security: suppress mnemonic display in non-TTY contexts

Mnemonic was printed unconditionally to stderr, leaking into CI logs, piped output, and terminal scroll buffers.

New behaviour mirrors GPG / ssh-keygen: - stderr is a TTY → show full mnemonic box (user is watching, can write it down) - stderr is not a TTY → suppress mnemonic; print word count + hint to re-run interactively in a terminal

Add _stderr_isatty() module hook for test monkeypatching. Add 9 tests in test_auth_mnemonic_display.py covering both paths and the JSON boundary (mnemonic_word_count preserved, plaintext never in stdout). Update test_hd_keygen_unified.py to patch _stderr_isatty when asserting the mnemonic appears in output.

sha256:5e946ca6a85d4bbd868aa9e0e9789b9714596c93ac80a468deb871d834212485 sha

sha256:e3216d3355ffd8fca6eabb7732ca88dc7024cb7f79a6592f0a67099307afcfa7 parent

sha256:17c0c1d83636bef7a356409324b69e63a9a7692796002f9154b54d71dfca1fd6 snapshot

← Older Oldest on task/tty-gated-mnemonic

All commits

Newer → Latest on task/tty-gated-mnemonic

0 comments

No comments yet. Be the first to start the discussion.

To add a comment, use the Muse CLI: muse hub commit comment sha256:5e946ca6a85d4bbd868aa9e0e9789b9714596c93ac80a468deb871d834212485 --body "your comment"

Provenance signed

AI Agent

claude-sonnet-4-6

Bump patch

Agent claude-code

Signature Cryptographically verified

Snapshot

ID sha256:17c0c1d83636bef7a356409324b69e63a9a7692796002f9154b54d71dfca1fd6

Files 0

Browse tree at this commit →

Commit

SHA sha256:5e946ca6a85d4bbd868aa9e0e9789b9714596c93ac80a468deb871d834212485

Parent

sha256:e3216d3355ffd8fca6eabb7732ca88dc7024cb7f79a6592f0a67099307afcfa7

Branch task/tty-gated-mnemonic