@jhizzard/termdeck 0.5.1 → 0.6.1

package/packages/client/public/app.js

@@ -2478,6 +2478,16 @@
 
     let setupModalOpen = false;
 
+    // Sprint 25 T3 — Supabase MCP auto-flow state. Closure-scoped to this module
+    // so a re-render of the tier list (refreshSetupStatus) doesn't lose an
+    // in-flight picker step. The PAT lives here only between /connect success
+    // and /select success; we null `supabaseAutoState` after /select returns ok.
+    // Never log .pat. Never assign it to a property of `state` or `window`.
+    let supabaseAutoState = null;
+    // Cache of the last /api/setup payload so we can re-render the tier list
+    // (e.g. PAT entry → project picker) without forcing another HTTP fetch.
+    let lastSetupData = null;
+
     function ensureSetupModal() {
       if (document.getElementById('setupModal')) return;
       const modal = document.createElement('div');
@@ -2546,6 +2556,7 @@
       if (recheckBtn) { recheckBtn.disabled = true; recheckBtn.textContent = 're-checking…'; }
       try {
         const data = await api('GET', '/api/setup');
+        lastSetupData = data;
         renderSetupTiers(data);
         const cur = Number(data.tier) || 1;
         if (subtitle) {
@@ -2582,8 +2593,13 @@
         // Sprint 23 T2: tier 2 renders a credential form instead of CLI commands
         // when not active, so users can paste URL/keys directly in the browser.
         const isCredentialForm = tier.id === '2' && status !== 'active';
+        // Sprint 25 T3: above the manual paste form, offer the Supabase MCP
+        // auto-flow. Only render for tier 2 when status is not_configured or
+        // partial — once active there is nothing to configure.
+        const showSupabaseAutoFlow = tier.id === '2' && (status === 'not_configured' || status === 'partial');
+        const autoFlowHtml = showSupabaseAutoFlow ? renderSupabaseAutoFlow() : '';
         const cmds = isCredentialForm
-          ? renderSetupCredentialForm()
+          ? `${autoFlowHtml}${renderSetupCredentialForm()}`
           : (status === 'active' || tier.commands.length === 0)
             ? ''
             : `<div class="setup-cmds">${tier.commands.map((c) => {
@@ -2643,6 +2659,199 @@
           }
         });
       }
+
+      // Sprint 25 T3 — Supabase MCP auto-flow handlers. The form is only in the
+      // DOM when showSupabaseAutoFlow was true above; querying for missing nodes
+      // is a no-op and keeps this branch defensive against re-render order.
+      const autoConnectBtn = tiersEl.querySelector('#supabaseAutoConnect');
+      if (autoConnectBtn) {
+        autoConnectBtn.addEventListener('click', handleSupabaseAutoConnect);
+      }
+      const autoPatInput = tiersEl.querySelector('#supabaseAutoPat');
+      if (autoPatInput) {
+        autoPatInput.addEventListener('keydown', (e) => {
+          if (e.key === 'Enter') {
+            e.preventDefault();
+            handleSupabaseAutoConnect();
+          }
+        });
+      }
+      const autoSelectBtn = tiersEl.querySelector('#supabaseAutoSelect');
+      if (autoSelectBtn) {
+        autoSelectBtn.addEventListener('click', handleSupabaseAutoSelect);
+      }
+      const autoBackBtn = tiersEl.querySelector('#supabaseAutoBack');
+      if (autoBackBtn) {
+        autoBackBtn.addEventListener('click', handleSupabaseAutoBack);
+      }
+    }
+
+    // Sprint 25 T3 — Supabase MCP auto-flow renderer.
+    // Inline-styled (Sprint 23 T1 owns style.css). Renders one of two states
+    // driven by `supabaseAutoState`: the PAT entry form (default), or the
+    // project picker (when state.picking is true). Errors render inline; the
+    // manual credential form is always still visible below as a fallback.
+    function renderSupabaseAutoFlow() {
+      const s = supabaseAutoState || {};
+      const wrapStyle = 'margin-top:10px;padding:12px;background:rgba(0,0,0,0.18);border:1px solid var(--border, #2a2c3a);border-radius:6px;';
+      const titleStyle = 'font-size:11px;font-weight:600;color:var(--text, #e2e3e8);margin-bottom:4px;';
+      const helpStyle = 'font-size:10px;color:var(--text-dim, #8a8d9a);margin-bottom:10px;line-height:1.4;';
+      const inputStyle = 'flex:1;padding:6px 8px;background:var(--bg, #0f1017);color:var(--text, #e2e3e8);border:1px solid var(--border, #2a2c3a);border-radius:4px;font-family:monospace;font-size:12px;box-sizing:border-box;';
+      const btnStyle = 'padding:6px 14px;background:var(--accent, #7aa2f7);color:#000;border:none;border-radius:4px;font-weight:600;cursor:pointer;font-size:11px;';
+      const ghostBtnStyle = 'padding:6px 14px;background:transparent;color:var(--text-dim, #8a8d9a);border:1px solid var(--border, #2a2c3a);border-radius:4px;cursor:pointer;font-size:11px;';
+      const dividerStyle = 'text-align:center;font-size:10px;color:var(--text-dim, #8a8d9a);margin:10px 0 0;text-transform:uppercase;letter-spacing:0.05em;';
+      const errStyle = 'font-size:11px;color:var(--red, #f7768e);margin-top:8px;min-height:14px;line-height:1.4;';
+      const linkStyle = 'color:var(--accent, #7aa2f7);text-decoration:underline;';
+
+      let body;
+      if (s.picking && Array.isArray(s.projects)) {
+        if (s.projects.length === 0) {
+          body = `
+            <div style="${errStyle}">
+              Token accepted, but no projects were found on this account.
+              Create one at <a href="https://supabase.com/dashboard" target="_blank" rel="noopener" style="${linkStyle}">supabase.com/dashboard</a> and try again.
+            </div>
+            <button type="button" id="supabaseAutoBack" style="margin-top:10px;${ghostBtnStyle}">Use a different token</button>
+          `;
+        } else {
+          const opts = s.projects.map((p) => {
+            const id = escapeHtml(String((p && p.id) || ''));
+            const name = (p && p.name) || 'unnamed';
+            const region = p && p.region ? ` — ${p.region}` : '';
+            return `<option value="${id}">${escapeHtml(name + region)}</option>`;
+          }).join('');
+          body = `
+            <label style="display:block;font-size:11px;color:var(--text-dim, #8a8d9a);margin-bottom:4px;">Project</label>
+            <select id="supabaseAutoProject" style="${inputStyle}width:100%;font-family:inherit;">${opts}</select>
+            <div style="display:flex;gap:8px;margin-top:10px;">
+              <button type="button" id="supabaseAutoSelect" style="${btnStyle}">Use this project</button>
+              <button type="button" id="supabaseAutoBack" style="${ghostBtnStyle}">Use a different token</button>
+            </div>
+            <div id="supabaseAutoError" style="${errStyle}">${s.error ? escapeHtml(s.error) : ''}</div>
+          `;
+        }
+      } else {
+        body = `
+          <div style="display:flex;gap:8px;align-items:stretch;">
+            <input type="password" id="supabaseAutoPat" name="supabase_pat_one_time"
+                   autocomplete="new-password" spellcheck="false"
+                   autocapitalize="off" autocorrect="off"
+                   placeholder="sbp_..." aria-label="Supabase Personal Access Token"
+                   style="${inputStyle}">
+            <button type="button" id="supabaseAutoConnect" style="${btnStyle}">Connect</button>
+          </div>
+          <div id="supabaseAutoError" style="${errStyle}">${s.error ? escapeHtml(s.error) : ''}</div>
+        `;
+      }
+
+      return `
+        <div style="${wrapStyle}">
+          <div style="${titleStyle}">Faster: connect Supabase automatically</div>
+          <div style="${helpStyle}">
+            Paste a Supabase Personal Access Token and pick your project from a list — we'll fetch the credentials for you.
+            Mint a PAT at <a href="https://supabase.com/dashboard/account/tokens" target="_blank" rel="noopener" style="${linkStyle}">supabase.com/dashboard/account/tokens</a>.
+          </div>
+          ${body}
+        </div>
+        <div style="${dividerStyle}">— or paste credentials manually below —</div>
+      `;
+    }
+
+    function rerenderSetupTiersFromCache() {
+      if (lastSetupData) renderSetupTiers(lastSetupData);
+    }
+
+    async function handleSupabaseAutoConnect() {
+      const input = document.getElementById('supabaseAutoPat');
+      const errEl = document.getElementById('supabaseAutoError');
+      const btn = document.getElementById('supabaseAutoConnect');
+      const pat = ((input && input.value) || '').trim();
+      if (!pat) {
+        if (errEl) errEl.textContent = 'Paste a Personal Access Token to continue.';
+        return;
+      }
+      if (errEl) errEl.textContent = '';
+      if (btn) { btn.disabled = true; btn.textContent = 'Connecting…'; }
+      try {
+        const res = await fetch(`${API}/api/setup/supabase/connect`, {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ pat })
+        });
+        let data = {};
+        try { data = await res.json(); } catch { data = {}; }
+        if (res.ok && data && data.ok) {
+          const projects = Array.isArray(data.projects) ? data.projects : [];
+          // Hold the PAT in module-scope state only; never on `state`/`window`.
+          supabaseAutoState = { pat, projects, picking: true, error: null };
+          rerenderSetupTiersFromCache();
+          return;
+        }
+        const code = data && data.code;
+        let msg;
+        if (code === 'mcp_not_installed') {
+          msg = "The Supabase MCP isn't installed on this machine. Run `npx @jhizzard/termdeck-stack --tier 4` to install it, or paste credentials manually below.";
+        } else if (code === 'pat_invalid') {
+          const detail = (data && data.detail) || 'token rejected';
+          msg = `Token rejected: ${detail}. Mint a fresh PAT and try again.`;
+        } else if (code === 'mcp_timeout') {
+          msg = "Supabase didn't respond in time. Try again or paste credentials manually below.";
+        } else {
+          msg = (data && (data.error || data.detail)) || `Connect failed (HTTP ${res.status}). Paste credentials manually below.`;
+        }
+        if (errEl) errEl.textContent = msg;
+      } catch (err) {
+        if (errEl) errEl.textContent = `Request failed: ${err && err.message ? err.message : String(err)}`;
+      } finally {
+        if (btn) { btn.disabled = false; btn.textContent = 'Connect'; }
+      }
+    }
+
+    async function handleSupabaseAutoSelect() {
+      if (!supabaseAutoState || !supabaseAutoState.pat) return;
+      const sel = document.getElementById('supabaseAutoProject');
+      const errEl = document.getElementById('supabaseAutoError');
+      const btn = document.getElementById('supabaseAutoSelect');
+      const projectId = sel ? sel.value : '';
+      if (!projectId) {
+        if (errEl) errEl.textContent = 'Pick a project first.';
+        return;
+      }
+      if (errEl) errEl.textContent = '';
+      if (btn) { btn.disabled = true; btn.textContent = 'Configuring…'; }
+      // Snapshot the PAT locally so we can null out module state before the
+      // network call resolves; the snapshot only lives for the duration of
+      // this async function.
+      const patSnapshot = supabaseAutoState.pat;
+      try {
+        const res = await fetch(`${API}/api/setup/supabase/select`, {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ pat: patSnapshot, projectId })
+        });
+        let data = {};
+        try { data = await res.json(); } catch { data = {}; }
+        if (res.ok && data && data.ok) {
+          // Null out the PAT before doing anything else with the response.
+          supabaseAutoState = null;
+          await refreshSetupStatus();
+          return;
+        }
+        const detail = (data && (data.error || data.detail)) || `HTTP ${res.status}`;
+        if (errEl) {
+          errEl.textContent = `Couldn't finish setup: ${detail}. Paste credentials manually below if this keeps failing.`;
+        }
+      } catch (err) {
+        if (errEl) errEl.textContent = `Request failed: ${err && err.message ? err.message : String(err)}`;
+      } finally {
+        if (btn) { btn.disabled = false; btn.textContent = 'Use this project'; }
+      }
+    }
+
+    function handleSupabaseAutoBack() {
+      // Drop the PAT and any cached project list and re-render from scratch.
+      supabaseAutoState = null;
+      rerenderSetupTiersFromCache();
     }
 
     // Sprint 23 T2 — credential form for Tier 2.

package/packages/server/src/index.js

@@ -418,6 +418,226 @@ function createServer(config) {
     }
   });
 
+  // ── Sprint 25 T2 — Supabase MCP wizard endpoints ──────────────────────────
+  //
+  // Three thin orchestrators that let the Tier-2 setup wizard skip the manual
+  // 4-credential paste step. They sit on top of T1's `supabase-mcp.callTool`
+  // bridge plus the existing Sprint 23 `configure` + `migrate` flow. The PAT
+  // travels in the request body for the lifetime of the call only — it is
+  // never persisted, never echoed, and never logged.
+  let _supabaseMcp = null;
+  try {
+    _supabaseMcp = require('./setup/supabase-mcp');
+  } catch (_err) {
+    // T1's bridge module may not exist yet on a fresh checkout, or the user
+    // may not have `@supabase/mcp-server-supabase` on PATH. Either case
+    // surfaces as `code: 'mcp_not_installed'` at request time.
+  }
+  let _supabaseSelectInFlight = false;
+
+  function _mapMcpError(err) {
+    const code = err && (err.code || (err.cause && err.cause.code));
+    const msg = (err && err.message) || '';
+    if (code === 'mcp_not_installed' || code === 'ENOENT' || /not.*installed|cannot.*spawn|module not found/i.test(msg)) {
+      return {
+        status: 400,
+        body: { ok: false, code: 'mcp_not_installed', detail: 'run: npm install -g @supabase/mcp-server-supabase' }
+      };
+    }
+    if (code === 'mcp_timeout' || code === 'ETIMEDOUT' || /timeout|timed out/i.test(msg)) {
+      return { status: 504, body: { ok: false, code: 'mcp_timeout' } };
+    }
+    return { status: 401, body: { ok: false, code: 'pat_invalid', detail: msg || 'PAT verification failed' } };
+  }
+
+  function _ensureMcpAvailable(res) {
+    if (_supabaseMcp && typeof _supabaseMcp.callTool === 'function') return true;
+    res.status(400).json({
+      ok: false,
+      code: 'mcp_not_installed',
+      detail: 'run: npm install -g @supabase/mcp-server-supabase'
+    });
+    return false;
+  }
+
+  // POST /api/setup/supabase/connect — verify a PAT works by listing projects.
+  // We only return the count; the project list itself is fetched by /projects.
+  app.post('/api/setup/supabase/connect', async (req, res) => {
+    const pat = (req.body && typeof req.body.pat === 'string') ? req.body.pat : '';
+    if (!pat) {
+      return res.status(400).json({ ok: false, code: 'pat_invalid', detail: 'pat field is required' });
+    }
+    if (!_ensureMcpAvailable(res)) return;
+    try {
+      const result = await _supabaseMcp.callTool(pat, 'list_projects', {}, { timeoutMs: 6000 });
+      const list = Array.isArray(result)
+        ? result
+        : (Array.isArray(result && result.projects) ? result.projects : []);
+      console.log(`[setup] supabase/connect ok (${list.length} projects)`);
+      return res.json({ ok: true, projectCount: list.length });
+    } catch (err) {
+      const m = _mapMcpError(err);
+      console.warn(`[setup] supabase/connect failed: ${m.body.code}`);
+      return res.status(m.status).json(m.body);
+    }
+  });
+
+  // POST /api/setup/supabase/projects — return a stable-shape project list.
+  // Mapping isolates the wizard from MCP field-name churn.
+  app.post('/api/setup/supabase/projects', async (req, res) => {
+    const pat = (req.body && typeof req.body.pat === 'string') ? req.body.pat : '';
+    if (!pat) {
+      return res.status(400).json({ ok: false, code: 'pat_invalid', detail: 'pat field is required' });
+    }
+    if (!_ensureMcpAvailable(res)) return;
+    try {
+      const result = await _supabaseMcp.callTool(pat, 'list_projects', {}, { timeoutMs: 6000 });
+      const raw = Array.isArray(result)
+        ? result
+        : (Array.isArray(result && result.projects) ? result.projects : []);
+      const projects = raw.map((p) => ({
+        id: (p && (p.id || p.ref || p.project_id)) || '',
+        name: (p && p.name) || '',
+        region: (p && (p.region || p.region_name)) || null,
+        createdAt: (p && (p.createdAt || p.created_at)) || null,
+      }));
+      console.log(`[setup] supabase/projects ok (${projects.length} returned)`);
+      return res.json({ ok: true, projects });
+    } catch (err) {
+      const m = _mapMcpError(err);
+      console.warn(`[setup] supabase/projects failed: ${m.body.code}`);
+      return res.status(m.status).json(m.body);
+    }
+  });
+
+  // POST /api/setup/supabase/select — full chain: MCP → configure → migrate.
+  // Concurrency guarded by a module-scoped boolean — second call gets 409.
+  app.post('/api/setup/supabase/select', async (req, res) => {
+    if (_supabaseSelectInFlight) {
+      return res.status(409).json({ ok: false, code: 'select_in_flight', error: 'Supabase select already in progress' });
+    }
+    const pat = (req.body && typeof req.body.pat === 'string') ? req.body.pat : '';
+    const projectId = (req.body && typeof req.body.projectId === 'string') ? req.body.projectId.trim() : '';
+    if (!pat || !projectId) {
+      return res.status(400).json({ ok: false, code: 'bad_request', detail: 'pat and projectId are required' });
+    }
+    if (!_ensureMcpAvailable(res)) return;
+
+    _supabaseSelectInFlight = true;
+    try {
+      // 1. Pull credentials via MCP. Prefer the bundled tool if T1 ships one;
+      //    fall back to the four single-field tools so we are robust to either
+      //    bridge shape.
+      let creds;
+      try {
+        creds = await _supabaseMcp.callTool(pat, 'fetch_project_credentials', { projectId }, { timeoutMs: 8000 });
+      } catch (errBundle) {
+        const code = errBundle && errBundle.code;
+        const msg = (errBundle && errBundle.message) || '';
+        const isUnknownTool = code === 'unknown_tool' || /unknown.?tool|method not found|no such tool/i.test(msg);
+        if (!isUnknownTool) throw errBundle;
+        const [proj, anon, service, db] = await Promise.all([
+          _supabaseMcp.callTool(pat, 'get_project', { projectId }, { timeoutMs: 6000 }),
+          _supabaseMcp.callTool(pat, 'get_anon_key', { projectId }, { timeoutMs: 6000 }),
+          _supabaseMcp.callTool(pat, 'get_service_role_key', { projectId }, { timeoutMs: 6000 }),
+          _supabaseMcp.callTool(pat, 'get_database_url', { projectId }, { timeoutMs: 6000 }),
+        ]);
+        creds = {
+          url: (proj && (proj.url || proj.api_url)) || '',
+          anonKey: (anon && (anon.key || anon.anon_key)) || (typeof anon === 'string' ? anon : ''),
+          serviceRoleKey: (service && (service.key || service.service_role_key)) || (typeof service === 'string' ? service : ''),
+          databaseUrl: (db && (db.connectionString || db.url || db.database_url)) || (typeof db === 'string' ? db : ''),
+        };
+      }
+
+      const supabaseUrl = (creds && (creds.url || creds.supabaseUrl || creds.api_url)) || '';
+      const serviceRoleKey = (creds && (creds.serviceRoleKey || creds.service_role_key)) || '';
+      const databaseUrl = (creds && (creds.databaseUrl || creds.database_url)) || '';
+      const anonKey = (creds && (creds.anonKey || creds.anon_key)) || '';
+
+      if (!supabaseUrl || !serviceRoleKey || !databaseUrl) {
+        return res.status(502).json({
+          ok: false,
+          code: 'mcp_incomplete',
+          detail: 'MCP did not return all required credentials (url, service role key, database url)'
+        });
+      }
+
+      // 2. Hand off to existing /api/setup/configure via in-process loopback
+      //    fetch. This keeps Sprint 23's validators and writers as the single
+      //    source of truth — no validation logic is duplicated here.
+      const port = (config && config.port) || 3000;
+      const headers = { 'content-type': 'application/json' };
+      if (req.headers.authorization) headers.authorization = req.headers.authorization;
+
+      const openaiApiKey = (req.body && typeof req.body.openaiApiKey === 'string')
+        ? req.body.openaiApiKey
+        : (process.env.OPENAI_API_KEY || '');
+      const anthropicApiKey = (req.body && typeof req.body.anthropicApiKey === 'string')
+        ? req.body.anthropicApiKey
+        : (process.env.ANTHROPIC_API_KEY || '');
+
+      const configureRes = await fetch(`http://127.0.0.1:${port}/api/setup/configure`, {
+        method: 'POST',
+        headers,
+        body: JSON.stringify({
+          supabaseUrl,
+          supabaseServiceRoleKey: serviceRoleKey,
+          databaseUrl,
+          openaiApiKey,
+          anthropicApiKey,
+          // anonKey is not part of the Sprint 23 contract — we hold it here
+          // for parity with future runtime needs but do not pass it on.
+        })
+      });
+      const configureBody = await configureRes.json().catch(() => ({}));
+      if (!configureRes.ok || configureBody.success === false) {
+        const status = configureRes.status >= 400 ? configureRes.status : 500;
+        return res.status(status).json({
+          ok: false,
+          code: 'configure_failed',
+          detail: configureBody.error || 'configure step failed',
+          validation: configureBody.validation || null,
+        });
+      }
+
+      // 3. Trigger /api/setup/migrate. Pass databaseUrl explicitly so we don't
+      //    depend on the migrate endpoint's dotenv refresh ordering.
+      const migrateRes = await fetch(`http://127.0.0.1:${port}/api/setup/migrate`, {
+        method: 'POST',
+        headers,
+        body: JSON.stringify({ databaseUrl })
+      });
+      const migrateBody = await migrateRes.json().catch(() => ({}));
+      if (!migrateRes.ok || migrateBody.ok === false) {
+        const status = migrateRes.status >= 400 ? migrateRes.status : 500;
+        return res.status(status).json({
+          ok: false,
+          code: 'migrate_failed',
+          detail: migrateBody.error || 'migrate step failed',
+          applied: migrateBody.applied || 0,
+        });
+      }
+
+      console.log(`[setup] supabase/select complete (${migrateBody.applied || 0} migrations applied)`);
+      // Mark the anonKey unused so lint stays clean — see comment above.
+      void anonKey;
+      return res.json({
+        ok: true,
+        configured: true,
+        migrated: true,
+        validation: configureBody.validation || null,
+        applied: migrateBody.applied || 0,
+      });
+    } catch (err) {
+      const m = _mapMcpError(err);
+      console.warn(`[setup] supabase/select failed: ${m.body.code}`);
+      return res.status(m.status).json(m.body);
+    } finally {
+      _supabaseSelectInFlight = false;
+    }
+  });
+
   // GET /api/sessions - list all active sessions
   app.get('/api/sessions', (req, res) => {
     res.json(sessions.getAll());

package/packages/server/src/session.js

@@ -55,7 +55,7 @@ const PATTERNS = {
   // tools (cat, ls, cd, rm, etc.) report filesystem misses in plain English
   // without ever emitting the ENOENT errno code. Flagged as a gap by Rumen's
   // first production kickstart insight on 2026-04-15.
-  error: /\b(error|Error|ERROR|exception|Exception|Traceback|fatal|FATAL|segmentation fault|panic|EACCES|ECONNREFUSED|ENOENT|command not found|undefined reference|cannot find module|failed with exit code|No such file or directory|Permission denied|\b5\d\d\b)\b/,
+  error: /(?:^|\n)\s*(?:Error:\s+\S|error:\s+\S|Traceback \(most recent call last\):|npm ERR!|error\[E\d+\]:|Uncaught Exception|Fatal:)/m,
   // Stricter line-anchored variant for Claude Code, whose tool output (grep
   // results, test logs, file contents) routinely mentions "Error" mid-line
   // without representing an actual failure of the agent itself.

package/packages/server/src/setup/prompts.js

@@ -105,13 +105,38 @@ async function askOptional(question, { validate } = {}) {
 // Secret prompt. On TTY we mute echo; on non-TTY we fall back to a visible
 // line read. Callers typically pass an empty string for `question` and write
 // their own label first.
+//
+// Reported as broken on MobaXterm SSH (Brad, 2026-04-25): the wizard would
+// abort after the Anthropic key prompt as if Ctrl-C were pressed. Three real
+// bugs hardened against here, all from the original raw-mode loop:
+//
+//   1. CRLF leak. When the terminal sends "\r\n" as a single chunk (Windows /
+//      MobaXterm Enter key), the original loop matched the "\r", resolved,
+//      and dropped the rest of the chunk on the floor. The trailing "\n"
+//      then surfaced through the next prompt's data path. Worst case the
+//      dropped chunk also contained  from a stray keystroke and the
+//      original SIGINT branch fired, killing the wizard mid-flow.
+//
+//   2. ANSI / escape-sequence pollution. Some terminals emit "[..."
+//      sequences for non-character events (focus changes, cursor reports,
+//      paste-bracketing). The old loop fed those bytes into the password
+//      buffer and echoed "*" for each one. We now consume escape sequences
+//      silently.
+//
+//   3. SIGINT during a secret prompt is now a soft cancel — return empty
+//      string, let the caller's shape validator re-prompt — instead of
+//      `process.kill`-ing the process. The hard-kill was masking the CRLF
+//      bug above and aborting the wizard from stray bytes.
+//
+// Carry-over bytes (anything in the chunk after the resolving "\r"/"\n")
+// are pushed back onto stdin via `stdin.unshift` so the next consumer
+// (readline, the next askSecret) reads from a clean stream. Regression
+// fixtures in tests/setup-prompts.test.js.
 async function askSecret(question) {
   if (!process.stdin.isTTY) {
     return ask(question);
   }
   if (question) process.stdout.write(`${question}: `);
-  // Raw-mode reader. Detach the shared readline for the duration so both
-  // consumers aren't racing on stdin 'data' events.
   return new Promise((resolve) => {
     if (rl) rl.pause();
     const stdin = process.stdin;
@@ -120,30 +145,78 @@ async function askSecret(question) {
     stdin.setEncoding('utf-8');
 
     let buffer = '';
+    let inEscape = false;
+    let escapeDepth = 0;
+
+    const cleanup = () => {
+      stdin.setRawMode(false);
+      stdin.removeListener('data', onData);
+      process.stdout.write('\n');
+      if (rl) rl.resume();
+    };
+
+    const carryOver = (chunk, fromIndex) => {
+      if (fromIndex >= chunk.length) return;
+      const tail = chunk.slice(fromIndex);
+      // Drop a single leading \n if we just consumed \r (CRLF pair already
+      // accounted for at the call site).
+      const trimmed = tail[0] === '\n' ? tail.slice(1) : tail;
+      if (trimmed.length > 0) {
+        try { stdin.unshift(Buffer.from(trimmed, 'utf-8')); } catch (_e) { /* unsupported on some Node versions */ }
+      }
+    };
+
     const onData = (chunk) => {
-      for (const ch of chunk) {
-        if (ch === '\n' || ch === '\r' || ch === '\u0004') {
-          stdin.setRawMode(false);
-          stdin.removeListener('data', onData);
-          process.stdout.write('\n');
-          if (rl) rl.resume();
+      for (let i = 0; i < chunk.length; i++) {
+        const ch = chunk[i];
+
+        // Bug #2: silently consume ANSI escape sequences. ESC (\u001b) starts one;
+        // we consume until a final byte (CSI: 0x40..0x7E) or run out of
+        // patience (16 bytes).
+        if (inEscape) {
+          escapeDepth++;
+          if ((escapeDepth === 1 && ch !== '[') ||
+              (escapeDepth > 1 && ch >= '@' && ch <= '~') ||
+              escapeDepth > 16) {
+            inEscape = false;
+            escapeDepth = 0;
+          }
+          continue;
+        }
+        if (ch === '') { inEscape = true; escapeDepth = 0; continue; }
+
+        // Line terminators — the resolve path. Bug #1 handled here via the
+        // explicit CRLF drain inside the same chunk.
+        if (ch === '\n' || ch === '\r' || ch === '') {
+          let consumeUpTo = i + 1;
+          if (ch === '\r' && chunk[i + 1] === '\n') consumeUpTo++;
+          cleanup();
+          carryOver(chunk, consumeUpTo);
           resolve(buffer);
           return;
         }
-        if (ch === '\u0003') {
-          stdin.setRawMode(false);
-          stdin.removeListener('data', onData);
-          process.stdout.write('\n');
-          process.kill(process.pid, 'SIGINT');
+
+        // Bug #3: Ctrl-C during a secret prompt → soft cancel, not SIGINT.
+        if (ch === '') {
+          cleanup();
+          carryOver(chunk, i + 1);
+          resolve('');
           return;
         }
-        if (ch === '\u007f' || ch === '\b') {
+
+        // Backspace / DEL.
+        if (ch === '' || ch === '\b') {
           if (buffer.length > 0) {
             buffer = buffer.slice(0, -1);
             process.stdout.write('\b \b');
           }
           continue;
         }
+
+        // Drop any other control character silently; never let them into
+        // the password buffer.
+        if (ch < ' ' && ch !== '\t') continue;
+
         buffer += ch;
         process.stdout.write('*');
       }