@govuk-pay/cli 0.0.52 → 0.0.54

package/src/commands/secrets/providers/bitwarden_cli.js

@@ -0,0 +1,98 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BitwardenCLIProvider = void 0;
+const child_process_1 = require("child_process");
+const providers_types_1 = require("./providers.types");
+class BitwardenCLIProvider extends providers_types_1.AbstractSecretProvider {
+    bitwardenUnlockToken;
+    constructor(env, secretSource) {
+        super(env, secretSource);
+        this.bitwardenUnlockToken = checkBitwardenStatus();
+    }
+    async get(secretConfig) {
+        const env = {
+            ...process.env
+        };
+        if (this.bitwardenUnlockToken !== undefined) {
+            env.BW_SESSION = this.bitwardenUnlockToken;
+        }
+        const bwGetPasswordResult = (0, child_process_1.spawnSync)('bw', ['get', 'password', secretConfig.secretSourceValue], {
+            env
+        });
+        if (bwGetPasswordResult.status !== 0) {
+            if (bwGetPasswordResult.stderr.toString().includes('Not found.')) {
+                console.error(`Secret ${secretConfig.secretSourceValue} not found in bitwarden. This can either be because it doesn't exist, or you don't have access`);
+                return undefined;
+            }
+            console.error('Unknown error when trying to get the password from bitwarden, output from the get follows:');
+            console.error(bwGetPasswordResult.output.toString());
+            process.exit(1);
+        }
+        return bwGetPasswordResult.stdout.toString();
+    }
+}
+exports.BitwardenCLIProvider = BitwardenCLIProvider;
+function checkBitwardenStatus() {
+    const bwAvailableResult = (0, child_process_1.spawnSync)('command', ['-v', 'bw'], { shell: true });
+    if (bwAvailableResult.status !== 0) {
+        console.error('You need to install the bitwarden CLI before you can source secrets from it: `brew install bitwarden-cli`');
+        process.exit(1);
+    }
+    const bwStatusResult = (0, child_process_1.spawnSync)('bw', ['status']);
+    if (bwStatusResult.status !== 0) {
+        console.error('Could not check the login status of the bitwarden cli with command `bw status`. Output from the command follows:');
+        console.error(bwStatusResult.output.toString());
+        process.exit(1);
+    }
+    let bwStatusJson;
+    try {
+        bwStatusJson = JSON.parse(bwStatusResult.stdout.toString());
+    }
+    catch (e) {
+        console.error('An error occured when trying to parse the JSON output of `bw status`. The output of that command follows:');
+        console.error(bwStatusResult.output.toString());
+        process.exit(1);
+    }
+    if (!('status' in bwStatusJson)) {
+        console.error('The JSON output of `bw status` did not contain a \'status\' key. The output of that command follows:');
+        console.error(bwStatusResult.output.toString());
+        process.exit(1);
+    }
+    if (bwStatusJson.status === 'unauthenticated') {
+        console.error('Error: You are not authenticated in the bitwarden cli, you need to run `bw login` and login');
+        process.exit(1);
+    }
+    else if (bwStatusJson.status === 'locked') {
+        console.warn('Your bitwarden cli is logged in, but locked. Executing `bw unlock`, please enter your master password when prompted');
+        return unlockBitWarden();
+    }
+    else if (bwStatusJson.status === 'unlocked') {
+        return undefined;
+    }
+}
+function unlockBitWarden() {
+    const bwUnlockResult = (0, child_process_1.spawnSync)('bw', ['unlock'], {
+        shell: true,
+        stdio: ['inherit', 'pipe', 'inherit']
+    });
+    if (bwUnlockResult.status !== 0) {
+        console.error('Failed to unlock your bitwarden vault.');
+        process.exit(1);
+    }
+    const lineWithToken = bwUnlockResult.stdout.toString().split('\n').find((line) => {
+        return line.startsWith('$ export BW_SESSION=');
+    });
+    if (lineWithToken === undefined) {
+        console.error('Could not find the BW_SESSION token in the `bw unlock` output. Looking for a line that starts with `$ export BW_SESSION=`. Got:');
+        console.error(bwUnlockResult.output.toString());
+        process.exit(1);
+    }
+    const sessionToken = lineWithToken.substring(lineWithToken.indexOf('"') + 1, lineWithToken.lastIndexOf('"'));
+    if (sessionToken.length === 0 || sessionToken.startsWith('$ export BW_SESSION=') || sessionToken.includes('"')) {
+        console.error('The session token we read from `bw unlock` does not look correct. Output from the command follows');
+        console.error(bwUnlockResult.output.toString());
+        process.exit(1);
+    }
+    console.warn('Bitwarden unlocked');
+    return sessionToken;
+}

package/src/commands/secrets/providers/factory.js

@@ -0,0 +1,42 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.providerFor = void 0;
+const bitwarden_cli_1 = require("./bitwarden_cli");
+const pass_repo_1 = require("./pass_repo");
+const ssm_1 = require("./ssm");
+const value_1 = require("./value");
+const providers = {
+    'bitwarden-cli': {},
+    'pay-low-pass': {},
+    ssm: {},
+    value: {}
+};
+function providerFor(secretConfig) {
+    let memoisedProvider = providers[secretConfig.source][secretConfig.environment];
+    if (memoisedProvider === undefined) {
+        switch (secretConfig.source) {
+            case 'pay-low-pass': {
+                memoisedProvider = new pass_repo_1.PassRepoProvider(secretConfig.environment, secretConfig.source);
+                break;
+            }
+            case 'value': {
+                memoisedProvider = new value_1.ValueProvider(secretConfig.environment, secretConfig.source);
+                break;
+            }
+            case 'ssm': {
+                memoisedProvider = new ssm_1.SSMProvider(secretConfig.environment, secretConfig.source);
+                break;
+            }
+            case 'bitwarden-cli': {
+                memoisedProvider = new bitwarden_cli_1.BitwardenCLIProvider(secretConfig.environment, secretConfig.source);
+                break;
+            }
+        }
+        providers[secretConfig.source][secretConfig.environment] = memoisedProvider;
+    }
+    if (memoisedProvider === undefined) {
+        throw new Error(`Failed to retrieve, or create a provider for the secret ${secretConfig.secretSourceValue} in ${secretConfig.environment} from the ${secretConfig.source} provider`);
+    }
+    return memoisedProvider;
+}
+exports.providerFor = providerFor;

package/src/commands/secrets/providers/pass_repo.js

@@ -0,0 +1,65 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PassRepoProvider = void 0;
+const node_child_process_1 = __importDefault(require("node:child_process"));
+const node_fs_1 = __importDefault(require("node:fs"));
+const node_path_1 = __importDefault(require("node:path"));
+const providers_types_1 = require("./providers.types");
+const configs_1 = require("../../../util/configs");
+class PassRepoProvider extends providers_types_1.AbstractSecretProvider {
+    passRepoDirectory;
+    constructor(environment, secretSource) {
+        super(environment, secretSource);
+        this.passRepoDirectory = this.getPassDirectory();
+    }
+    async get(secretConfig) {
+        const passCommandResult = node_child_process_1.default.spawnSync('pass', [secretConfig.secretSourceValue], {
+            env: {
+                ...process.env,
+                PASSWORD_STORE_DIR: this.passRepoDirectory
+            },
+            // This sets stdin, to be inherited by the spawned process, this is neccessary so that
+            // the pass command can prompt the user for a PIN.
+            // However we need to capture the stdout and stderr (which pass writes the secret to) so we set
+            // that to be pipe which will store it in the results .output Buffer[], .stdout Buffer, and .stderr Buffer
+            stdio: [
+                'inherit', // stdin
+                'pipe', // stdout
+                'pipe' // stderr
+            ]
+        });
+        if (passCommandResult.status === null) {
+            if (passCommandResult.signal === null) {
+                console.error(`The pass command to load the secret ${secretConfig.secretSourceValue} failed due to an unknown reason. It's output follows:`);
+            }
+            else {
+                console.error(`The pass command to load the secret ${secretConfig.secretSourceValue} was terminated by signal ${passCommandResult.signal}. It's output follows`);
+            }
+            console.error(passCommandResult.output.map((buffer) => { return buffer === null ? '' : buffer.toString('utf-8'); }).join('\n'));
+            process.exit(1);
+        }
+        if (passCommandResult.status !== 0) {
+            const stdErrString = passCommandResult.output.map((buffer) => { return buffer === null ? '' : buffer.toString('utf-8'); }).join('\n');
+            if (stdErrString.includes('is not in the password store')) {
+                return undefined;
+            }
+            console.error(`The pass command to load the secret ${secretConfig.secretSourceValue} failed with exit code ${passCommandResult.status}. It's output follows:`);
+            console.error(stdErrString);
+            process.exit(1);
+        }
+        return passCommandResult.stdout.toString('utf-8').trim();
+    }
+    getPassDirectory() {
+        const worksspaceDir = (0, configs_1.workspaceEnvVar)();
+        const passRepoDirectory = node_path_1.default.resolve(node_path_1.default.join(worksspaceDir, this.secretSource));
+        const pathStat = node_fs_1.default.lstatSync(passRepoDirectory);
+        if (!pathStat.isDirectory()) {
+            throw new Error(`The pass repo directory specified ${passRepoDirectory} is not a directory`);
+        }
+        return passRepoDirectory;
+    }
+}
+exports.PassRepoProvider = PassRepoProvider;

package/src/commands/secrets/providers/providers.types.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AbstractSecretProvider = void 0;
+class AbstractSecretProvider {
+    environment;
+    secretSource;
+    constructor(environment, secretSource) {
+        this.environment = environment;
+        this.secretSource = secretSource;
+    }
+    async get(_secretConfig) {
+        throw new Error('Not implemented');
+    }
+    async set(_secretConfig, _secretValue) {
+        throw new Error('Not implemented');
+    }
+    async list(_serviceName) {
+        throw new Error('Not implemented');
+    }
+}
+exports.AbstractSecretProvider = AbstractSecretProvider;

package/src/commands/secrets/providers/ssm.js

@@ -0,0 +1,155 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SSMProvider = void 0;
+const client_ssm_1 = require("@aws-sdk/client-ssm");
+const providers_types_1 = require("./providers.types");
+const service_secrets_1 = require("../config/service_secrets");
+const CONCOURSE_SECRETS = [
+    'cd-pay-dev',
+    'cd-pay-deploy',
+    'cd-main'
+];
+const CONCOURSE_PARAMETER_NAME_PREFIX = '/pay-cd/concourse/pipelines/';
+const LOWERCASE_SECRET_NAMES_TO_SECRET_NAMES = service_secrets_1.SECRET_NAMES.reduce((result, secretName) => {
+    return { ...result, [secretName.toLowerCase()]: secretName };
+}, {});
+class SSMProvider extends providers_types_1.AbstractSecretProvider {
+    ssmClient;
+    constructor(env, secretSource) {
+        super(env, secretSource);
+        this.ssmClient = new client_ssm_1.SSMClient({ region: 'eu-west-1' });
+    }
+    async get(secretConfig) {
+        const ssmParameterName = ssmParameterNameForSecret(secretConfig);
+        const getParameterCommand = new client_ssm_1.GetParameterCommand({
+            Name: ssmParameterName,
+            WithDecryption: true
+        });
+        let response;
+        try {
+            response = await this.ssmClient.send(getParameterCommand);
+        }
+        catch (e) {
+            if (e instanceof client_ssm_1.ParameterNotFound) {
+                return undefined;
+            }
+            else if (e instanceof Error && e.name === 'CredentialsProviderError') {
+                console.error('AWS Could not load any credentials, perhaps you need to run this with aws-vault: `aws-vault exec <account> -- pay secrets ...`?');
+                process.exit(1);
+            }
+            console.error(`An error occured while trying to get the parameter ${ssmParameterName}.`);
+            throw e;
+        }
+        if (response.Parameter?.Value === undefined) {
+            let errorMessage = `When calling SSM to get the parameter ${ssmParameterName} there was no parameter or value returned, and no error raised! `;
+            if (response.$metadata.httpStatusCode === undefined) {
+                errorMessage += 'There was also no http status code in the response metadata!';
+            }
+            else {
+                errorMessage += `The last http status code of the request to get the parameter was ${response.$metadata.httpStatusCode}`;
+            }
+            throw new Error(errorMessage);
+        }
+        return response.Parameter.Value;
+    }
+    async set(secretConfig, value) {
+        const ssmParameterName = ssmParameterNameForSecret(secretConfig);
+        const putParameterCommand = new client_ssm_1.PutParameterCommand({
+            Name: ssmParameterName,
+            Type: 'SecureString',
+            Value: value,
+            Overwrite: true
+        });
+        try {
+            await this.ssmClient.send(putParameterCommand);
+        }
+        catch (e) {
+            if (e instanceof client_ssm_1.InvalidAllowedPatternException || e instanceof client_ssm_1.ParameterPatternMismatchException) {
+                console.error(`When trying to set secret ${secretConfig.name} in environment ${secretConfig.environment} for service ${secretConfig.service}`);
+                console.error(`AWS returned an error that the parameter ${ssmParameterName} is not a valid parameter name.`);
+                console.error('See https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-su-create.html#sysman-parameter-name-constraints for constraints on parameter names');
+                process.exit(1);
+            }
+            else if (e instanceof Error && e.name === 'CredentialsProviderError') {
+                console.error('AWS Could not load any credentials, perhaps you need to run this with aws-vault: `aws-vault exec <account> -- pay secrets ...`?');
+                process.exit(1);
+            }
+            else {
+                console.error(`When trying to set secret ${secretConfig.name} in environment ${secretConfig.environment} for service ${secretConfig.service} AWS returned an unhandled (by us) excpetion, re-throwing error`);
+                throw e;
+            }
+        }
+        return true;
+    }
+    async list(serviceName) {
+        const filters = [
+            {
+                Key: 'Name',
+                Option: 'BeginsWith',
+                Values: [
+                    ssmParameterNamePrefix(this.environment, serviceName)
+                ]
+            }
+        ];
+        const paginator = (0, client_ssm_1.paginateDescribeParameters)({ client: this.ssmClient }, { ParameterFilters: filters });
+        const parameters = [];
+        for await (const page of paginator) {
+            if (page.Parameters === undefined) {
+                continue;
+            }
+            parameters.push(...page.Parameters);
+        }
+        const secretConfigs = [];
+        for (const parameter of parameters) {
+            if (parameter.Name === undefined) {
+                continue;
+            }
+            const secretConfig = this.ssmParameterNameToLowercaseSecret(parameter.Name, serviceName);
+            secretConfigs.push(secretConfig);
+        }
+        return secretConfigs;
+    }
+    ssmParameterNameToLowercaseSecret(parameterName, serviceName) {
+        if (parameterName.startsWith(CONCOURSE_PARAMETER_NAME_PREFIX)) {
+            return this.concourseParameterNameToLowercaseSecret(parameterName, serviceName);
+        }
+        const lowercaseSecretName = parameterName.substring(parameterName.indexOf('.') + 1);
+        return {
+            environment: this.environment,
+            name: lowercaseSecretName in LOWERCASE_SECRET_NAMES_TO_SECRET_NAMES ? LOWERCASE_SECRET_NAMES_TO_SECRET_NAMES[lowercaseSecretName] : lowercaseSecretName,
+            secretSourceValue: parameterName,
+            service: serviceName,
+            source: 'ssm'
+        };
+    }
+    concourseParameterNameToLowercaseSecret(parameterName, serviceName) {
+        const paramNameWithoutPrefix = parameterName.substring(CONCOURSE_PARAMETER_NAME_PREFIX.length);
+        const lowercaseSecretName = paramNameWithoutPrefix.substring(paramNameWithoutPrefix.indexOf('/') + 1);
+        return {
+            environment: this.environment,
+            name: lowercaseSecretName in LOWERCASE_SECRET_NAMES_TO_SECRET_NAMES ? LOWERCASE_SECRET_NAMES_TO_SECRET_NAMES[lowercaseSecretName] : lowercaseSecretName,
+            secretSourceValue: parameterName,
+            service: serviceName,
+            source: 'ssm'
+        };
+    }
+}
+exports.SSMProvider = SSMProvider;
+function ssmParameterNameForSecret(secretConfig) {
+    if (CONCOURSE_SECRETS.includes(secretConfig.service)) {
+        return concourseSecretName(secretConfig);
+    }
+    return `${secretConfig.environment}_${secretConfig.service}.${secretConfig.name}`.toLowerCase();
+}
+function concourseSecretName(secretConfig) {
+    // Service name is `cd-pay-dev` but the ssm name is only `pay-dev` so remove the cd-
+    const serviceName = secretConfig.service.substring(3);
+    return `${CONCOURSE_PARAMETER_NAME_PREFIX}${serviceName.toLowerCase()}/${secretConfig.name.toLowerCase()}`;
+}
+function ssmParameterNamePrefix(environment, serviceName) {
+    if (CONCOURSE_SECRETS.includes(serviceName)) {
+        // Service name is `cd-pay-dev` but the ssm name is only `pay-dev` so remove the cd-
+        return `${CONCOURSE_PARAMETER_NAME_PREFIX}${serviceName.toLowerCase().substring(3)}/`;
+    }
+    return `${environment}_${serviceName}.`;
+}

package/src/commands/secrets/providers/value.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ValueProvider = void 0;
+const providers_types_1 = require("../providers/providers.types");
+class ValueProvider extends providers_types_1.AbstractSecretProvider {
+    async get(secretConfig) {
+        return secretConfig.secretSourceValue;
+    }
+}
+exports.ValueProvider = ValueProvider;

package/src/commands/secrets/subcommands/audit.js

@@ -4,27 +4,59 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.handler = exports.builder = exports.desc = exports.command = void 0;
-const node_child_process_1 = require("node:child_process");
-const preflight_js_1 = __importDefault(require("../utils/preflight.js"));
-exports.command = 'audit <service> <env..>';
-exports.desc = 'Audits secrets for <service> for the given <envs..>';
+const cli_table3_1 = __importDefault(require("cli-table3"));
+const config_types_1 = require("../config/config.types");
+const service_secrets_js_1 = require("../config/service_secrets.js");
+const ssm_1 = require("../providers/ssm");
+const configs_1 = require("../../../util/configs");
+const standardContent_js_1 = require("../../../core/standardContent.js");
+exports.command = 'audit <service> <env>';
+exports.desc = 'Check whether the configured secrets for <service> in <env> are provisioned. Also lists secrets which are provisioned but which we do not have config for. Note: Does not check the value of the secret, only existance';
 const builder = (yargs) => {
     return yargs
         .positional('service', {
         type: 'string',
-        description: 'The service (e.g. connector) to audit the secret for'
+        description: 'The service (e.g. connector) to audit the secret for',
+        choices: config_types_1.SERVICE_NAMES
     })
         .positional('env', {
         type: 'string',
-        description: 'The environment (e.g. test-12) to audit the secret for'
+        description: 'The environment (e.g. test-12) to audit the secret for',
+        choices: config_types_1.ENVIRONMENT_NAMES
     });
 };
 exports.builder = builder;
 exports.handler = auditHandler;
 async function auditHandler(argv) {
     const service = argv.service;
-    const envs = argv.env;
-    const preflightInfo = (0, preflight_js_1.default)();
-    (0, node_child_process_1.spawnSync)(preflightInfo.rbenvCommand, ['exec', 'bundle', 'exec', 'bin/pay', 'secrets', 'audit', service, ...envs], { shell: true, stdio: 'inherit', cwd: preflightInfo.pathToLegacyRubyCli });
+    const env = argv.env;
+    await (0, standardContent_js_1.showHeader)();
+    await (0, configs_1.checkAwsCredentials)((0, configs_1.payEnvironmentToAWSAccountName)(env));
+    const secretsToAudit = service_secrets_js_1.SERVICE_SECRETS[service].sort();
+    const ssmProvider = new ssm_1.SSMProvider(env, 'ssm');
+    const secretsInSSM = await ssmProvider.list(service);
+    const checkedSecretsInSSM = new Map();
+    for (const secretInSSM of secretsInSSM) {
+        checkedSecretsInSSM.set(secretInSSM.name, secretInSSM);
+    }
+    const table = new cli_table3_1.default({
+        head: [`Secrets for ${service}`, env]
+    });
+    for (const secretToAudit of secretsToAudit) {
+        if (checkedSecretsInSSM.has(secretToAudit)) {
+            table.push([secretToAudit, '✅']);
+            checkedSecretsInSSM.delete(secretToAudit);
+        }
+        else {
+            table.push([secretToAudit, '❌']);
+        }
+    }
+    if (checkedSecretsInSSM.size > 0) {
+        table.push([
+            'Provisioned Secrets which are not configured in pay secrets',
+            Array.from(checkedSecretsInSSM.keys()).sort().join('\n')
+        ]);
+    }
+    console.log(table.toString());
 }
 exports.default = auditHandler;

package/src/commands/secrets/subcommands/fetch.js

@@ -1,26 +1,30 @@
 "use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.handler = exports.builder = exports.desc = exports.command = void 0;
-const node_child_process_1 = require("node:child_process");
-const preflight_js_1 = __importDefault(require("../utils/preflight.js"));
+const config_types_1 = require("../config/config.types");
+const service_secrets_1 = require("../config/service_secrets");
+const secrets_1 = require("../config/secrets");
+const configs_1 = require("../../../util/configs");
+const factory_1 = require("../providers/factory");
+const standardContent_1 = require("../../../core/standardContent");
 exports.command = 'fetch <env> <service> <secret_name> [--use-ssm]';
 exports.desc = 'Fetches a <named secret> for <service> for <env>, if use-ssm is set then get the secret from ssm';
 const builder = (yargs) => {
     return yargs
         .positional('env', {
         type: 'string',
-        description: 'The environment (e.g. test-12) to fetch the secret for'
+        description: 'The environment (e.g. test-12) to fetch the secret for',
+        choices: config_types_1.ENVIRONMENT_NAMES
     })
         .positional('service', {
         type: 'string',
-        description: 'The service (e.g. connector) to fetch the secret for'
+        description: 'The service (e.g. connector) to fetch the secret for',
+        choices: config_types_1.SERVICE_NAMES
     })
         .positional('secret_name', {
         type: 'string',
-        description: 'The name of the secret to get'
+        description: 'The name of the secret to get',
+        choices: service_secrets_1.SECRET_NAMES
     })
         .option('use-ssm', {
         type: 'boolean',
@@ -31,17 +35,34 @@ const builder = (yargs) => {
 exports.builder = builder;
 exports.handler = fetchHandler;
 async function fetchHandler(argv) {
-    const service = argv.service;
     const env = argv.env;
+    const service = argv.service;
     const secretName = argv.secret_name;
     const useSSM = argv.useSsm;
-    const preflightInfo = (0, preflight_js_1.default)();
-    const rbenvArgs = ['exec', 'bundle', 'exec', 'bin/pay', 'secrets', 'fetch', env, service, secretName];
+    // Printing the header to stdout so you can use this command piped to another process
+    // and the other process will only recevie the printed secret. E.g | pbcopy to copy the secret
+    // to your copy paste buffer without the header etc
+    await (0, standardContent_1.showHeaderStdErr)();
+    const secretConfig = (0, secrets_1.getSecretConfig)(env, service, secretName);
     if (useSSM) {
-        rbenvArgs.push('--use-ssm');
+        secretConfig.source = 'ssm';
+    }
+    if (secretConfig.source === 'ssm') {
+        await (0, configs_1.checkAwsCredentials)((0, configs_1.payEnvironmentToAWSAccountName)(env));
+    }
+    const secretProvider = (0, factory_1.providerFor)(secretConfig);
+    const secretValue = await secretProvider.get(secretConfig);
+    if (secretValue === undefined) {
+        console.error(`The secret ${secretName} was not found in ${secretConfig.source}`);
+        process.exit(1);
+    }
+    if (!process.stdout.isTTY) {
+        // If stdout of the process isn't connected to a terminal (e.g. if it's piped to another process, like pbcopy for instance)
+        // Print to stderr a message to make it clear to the user the value is being hidden from display, but has been printed to stdout
+        process.stderr.write('HIDDEN - Actual Value written to stdout');
     }
-    (0, node_child_process_1.spawnSync)(preflightInfo.rbenvCommand, rbenvArgs, { shell: true, stdio: 'inherit', cwd: preflightInfo.pathToLegacyRubyCli });
-    // The fetch command doesn't output a newline which is really annoying, so add one
-    console.log();
+    process.stdout.write(secretValue);
+    // Since the secret is written with no trailing newline we should print one (to stderr) to improve the UX
+    console.warn();
 }
 exports.default = fetchHandler;