---

This section details on the original issue you should resolve

<issue_title>Avoid exposing secure argument values to STDOUT when using --prompt</issue_title>
<issue_description>--prompt is a global parameter that allows for passing input to stdin, instead of specifying it on the CLI. This is useful for passing confidential information, such as passwords (documented as a common use case @ https://developer.wordpress.org/cli/commands/config/create/#examples).

In case of an error, WP-CLI outputs the full command it runs to stdout. When using --prompt, WP-CLI runs a different command than the user-specified one, as the parameters and arguments specified in --prompt are added to the cmdline.

When using --prompt=dbpass, the stdin value of dbpass (--dbpass='test') is echoed to stdout:

$ /usr/local/bin/wp config create --dbname=wordpress --dbuser=wordpress --dbhost=localhost --prompt=dbpass --path=wp
1/10 [--dbpass=<dbpass>]: test
# This is stdout
wp config create --dbname='wordpress' --dbuser='wordpress' --dbhost='localhost' --dbpass='test' --dbprefix='wp_' --dbcharset='utf8' --dbcollate=''
# This is stderr
ERROR 1045 (28000): Access denied for user 'wordpress'@'localhost' (using password: YES)

This defeats the purpose of using --prompt for security, as stdout may end up in logs and user terminals.

I think it would be useful to hide parameters/arguments specified using --prompt from the cmdline in stdout.

P.S. I'm aware that --quiet suppresses stdout output, but having stdout can be useful for debugging.</issue_description>

<agent_instructions>Instead of secure it should be named sensitive</agent_instructions>

Comments on the Issue (you are @copilot in this section)

@danielbachhuber Thanks for the report, @WilliamDEdwards !

I can confirm the behavior you're describing:

$ wp core config --prompt
1/14 --dbname=<dbname>: dbtest
2/14 --dbuser=<dbuser>: dbtest
3/14 [--dbpass=<dbpass>]: dbtest
4/14 [--dbhost=<dbhost>]:
5/14 [--dbprefix=<dbprefix>]:
6/14 [--dbcharset=<dbcharset>]:
7/14 [--dbcollate=<dbcollate>]:
8/14 [--locale=<locale>]:
9/14 [--extra-php] (Y/n):
10/14 [--skip-salts] (Y/n):
11/14 [--skip-check] (Y/n):
12/14 [--force] (Y/n):
13/14 [--config-file=<path>]:
14/14 [--insecure] (Y/n):
wp config create --dbname='dbtest' --dbuser='dbtest' --dbpass='dbtest' --dbhost='localhost' --dbprefix='wp_' --dbcharset='utf8' --dbcollate=''
ERROR 1045 (28000): Access denied for user 'dbtest'@'localhost' (using password: YES)

It looks like this behavior was added with #5322 for #4995

The original "secure" implementation of --prompt was #3531, and you can see the history here: #129

In this case, I think we should automatically obscure the "secure" arguments we don't want to display (no additional flag). We can improve our argument options API to support a secure attribute:

diff --git a/src/Config_Command.php b/src/Config_Command.php
index 70073d70..5bc107d0 100644
--- a/src/Config_Command.php
+++ b/src/Config_Command.php
@@ -65,6 +65,9 @@ class Config_Command extends WP_CLI_Command {
 	 *
 	 * [--dbpass=<dbpass>]
 	 * : Set the database user password.
+	 * ---
+	 * secure: true
+	 * ---
 	 *
 	 * [--dbhost=<dbhost>]
 	 * : Set the database host.

If secure=true, then the value should be obscured in STDOUT.</comment_new>