feat: OOB secure input improvements + credential_store toolset

README.md

@@ -271,6 +271,9 @@ Apra Fleet is an MCP server that agentic coding systems connect to. It manages a
 | `setup_git_app` | One-time setup: register a GitHub App for scoped git token minting |
 | `provision_vcs_auth` | Deploy VCS credentials to a member (GitHub App, Bitbucket, Azure DevOps) |
 | `revoke_vcs_auth` | Remove deployed VCS credentials from a member |
+| `credential_store_set` | Store a secret credential for use in commands (entered OOB — never in chat) |
+| `credential_store_list` | List stored credential names (values are never returned) |
+| `credential_store_delete` | Delete a stored credential |
 
 ### Infrastructure
 
@@ -281,6 +284,41 @@ Apra Fleet is an MCP server that agentic coding systems connect to. It manages a
 | `shutdown_server` | Gracefully shut down the MCP server |
 | `version` | Report server version |
 
+## Secure Credentials
+
+Secrets never enter the LLM conversation or logs. Fleet's credential store keeps plaintext isolated: you enter it once in a separate terminal window, it's encrypted at rest, and commands receive it as a resolved value — never as readable text.
+
+**Three-step workflow:**
+
+```
+# 1. Store once — Fleet opens an OOB terminal prompt, never asks in chat
+credential_store_set  name=github_pat
+
+# 2. Use in execute_command — {{secure.NAME}} is resolved only in commands, never in prompts
+execute_command  command="curl -H 'Authorization: Bearer {{secure.github_pat}}' https://api.github.com/user"
+
+# 3. Output is automatically redacted before it reaches the LLM
+# Output: Authorization: Bearer [REDACTED:github_pat]
+```
+
+**Tools that support `{{secure.NAME}}` token substitution:**
+
+- `execute_command` — shell commands on any member
+- `register_member` — SSH password field during registration
+- `update_member` — updating stored member passwords
+- `provision_vcs_auth` — VCS token fields (GitHub PAT, Bitbucket token, Azure DevOps PAT)
+- `provision_auth` — LLM API key fields
+
+`execute_prompt` does **not** support `{{secure.NAME}}` — secrets must never be passed to LLM prompts. In `execute_prompt`, reference credentials by name only (e.g. `"authenticate using credential github_pat"`); the member resolves the token in its own `execute_command` calls.
+
+**Credential store tools:**
+
+| Tool | What it does |
+|------|-------------|
+| `credential_store_set` | Prompt for a secret OOB and store it encrypted under a name |
+| `credential_store_list` | List stored credential names — values are never returned |
+| `credential_store_delete` | Remove a stored credential by name |
+
 ## Multi-Provider Fleets
 
 ### Provisioning auth for non-Claude members

SECURITY.md

@@ -26,6 +26,17 @@ Email **contact@apralabs.com** with:
 
 We will coordinate disclosure timing with you and credit reporters in release notes unless you prefer to remain anonymous.
 
+## Credential Handling
+
+Fleet is designed so that secrets never enter the LLM conversation or appear in logs. The following controls are in place:
+
+- **Encryption at rest** — credentials stored via `credential_store_set` are encrypted with AES-256-GCM. Plaintext is never written to disk or config files.
+- **Out-of-band collection** — secret values are always collected via a separate terminal window (OOB prompt), not through the chat interface. The LLM never sees the value during input.
+- **LLM context isolation** — `{{secure.NAME}}` tokens are resolved server-side, after the LLM has finished generating the command. The plaintext value is substituted at execution time, not during prompt construction.
+- **Output redaction** — any command output that contains a stored credential's plaintext value is automatically redacted to `[REDACTED:NAME]` before the result is returned to the LLM. This applies to stdout, stderr, and structured output.
+- **Network egress policy** — each credential can be assigned an egress policy (`allow`, `confirm`, `deny`) controlling whether it can be sent to external hosts. The server enforces this before executing commands that would transmit the resolved value over the network.
+- **No value retrieval** — `credential_store_list` returns credential names only. There is no API to retrieve stored plaintext — secrets are write-once from the credential store's perspective.
+
 ## Out of Scope
 
 The following are not considered security vulnerabilities for this project:

llms-full.txt

@@ -274,6 +274,9 @@ Apra Fleet is an MCP server that agentic coding systems connect to. It manages a
 | `setup_git_app` | One-time setup: register a GitHub App for scoped git token minting |
 | `provision_vcs_auth` | Deploy VCS credentials to a member (GitHub App, Bitbucket, Azure DevOps) |
 | `revoke_vcs_auth` | Remove deployed VCS credentials from a member |
+| `credential_store_set` | Store a secret credential for use in commands (entered OOB — never in chat) |
+| `credential_store_list` | List stored credential names (values are never returned) |
+| `credential_store_delete` | Delete a stored credential |
 
 ### Infrastructure
 
@@ -284,6 +287,41 @@ Apra Fleet is an MCP server that agentic coding systems connect to. It manages a
 | `shutdown_server` | Gracefully shut down the MCP server |
 | `version` | Report server version |
 
+## Secure Credentials
+
+Secrets never enter the LLM conversation or logs. Fleet's credential store keeps plaintext isolated: you enter it once in a separate terminal window, it's encrypted at rest, and commands receive it as a resolved value — never as readable text.
+
+**Three-step workflow:**
+
+```
+# 1. Store once — Fleet opens an OOB terminal prompt, never asks in chat
+credential_store_set  name=github_pat
+
+# 2. Use in execute_command — {{secure.NAME}} is resolved only in commands, never in prompts
+execute_command  command="curl -H 'Authorization: Bearer {{secure.github_pat}}' https://api.github.com/user"
+
+# 3. Output is automatically redacted before it reaches the LLM
+# Output: Authorization: Bearer [REDACTED:github_pat]
+```
+
+**Tools that support `{{secure.NAME}}` token substitution:**
+
+- `execute_command` — shell commands on any member
+- `register_member` — SSH password field during registration
+- `update_member` — updating stored member passwords
+- `provision_vcs_auth` — VCS token fields (GitHub PAT, Bitbucket token, Azure DevOps PAT)
+- `provision_auth` — LLM API key fields
+
+`execute_prompt` does **not** support `{{secure.NAME}}` — secrets must never be passed to LLM prompts. In `execute_prompt`, reference credentials by name only (e.g. `"authenticate using credential github_pat"`); the member resolves the token in its own `execute_command` calls.
+
+**Credential store tools:**
+
+| Tool | What it does |
+|------|-------------|
+| `credential_store_set` | Prompt for a secret OOB and store it encrypted under a name |
+| `credential_store_list` | List stored credential names — values are never returned |
+| `credential_store_delete` | Remove a stored credential by name |
+
 ## Multi-Provider Fleets
 
 ### Provisioning auth for non-Claude members

package.json

@@ -43,6 +43,7 @@
   ],
   "license": "Apache-2.0",
   "dependencies": {
+    "@inquirer/password": "^5.0.11",
     "@modelcontextprotocol/sdk": "^1.27.0",
     "smol-toml": "^1.6.1",
     "ssh2": "^1.17.0",

scripts/smoke-secure-input.ts

@@ -0,0 +1,9 @@
+import { secureInput } from '../src/utils/secure-input.js';
+
+try {
+  const value = await secureInput({ prompt: 'Password', allowEmpty: true });
+  console.log(`Captured: ${value}`);
+  console.log(`Length: ${value.length}`);
+} catch (err: any) {
+  console.log(`Cancelled: ${err.message}`);
+}