setup nuke: require stdout TTY so confirmation summary is visible

Redirecting stdout could hide the destructive summary while stdin stayed
interactive. Check stdout().is_terminal() before stdin, bail with a clear
message, and document in README, manual, and CLI help. Integration test
expects the stdout requirement when both streams are piped.

Made-with: Cursor

Author: AliSoftware

README.md

@@ -111,7 +111,7 @@ Use `decrypt --non-interactive` in CI with `A8C_SECRETS_IDENTITY` (or a key file
 
 ### Terminals, prompts, and private keys on stdout
 - **`setup init`** and **`keys rotate`** require **stdout** connected to a terminal so new private keys are not accidentally written to a file or pipe. `keys rotate` also needs **stdin** for its menus and confirmations.
-- **`setup nuke`** and **`rm`** (without `--non-interactive`) require **stdin** for confirmation prompts.
+- **`setup nuke`** requires **stdout** and **stdin** connected to a terminal (you must see the destructive summary before confirming). **`rm`** (without `--non-interactive`) requires **stdin** for confirmation prompts.
 - **`decrypt`** orphan handling uses **stdin** for the orphan prompt (unless `--non-interactive` is set or stdin is not an interactive terminal — see above).
 - **`edit`** is for interactive use (`$EDITOR`, optional create prompt).
 

src/cli.rs

@@ -260,7 +260,8 @@ Deletes .a8c-secrets/ from the repo, the private key at
 ~/.a8c-secrets/keys/<host>/<org>/<name>.key, and all decrypted files at
 ~/.a8c-secrets/<host>/<org>/<name>/. Requires typing the repo identifier to confirm.
 
-Requires stdin connected to a terminal to type the repo identifier confirmation.")]
+Requires stdout connected to a terminal so the destructive summary is visible (do not
+redirect stdout). Requires stdin connected to a terminal to type the confirmation.")]
     Nuke,
 
     /// Output shell completion script

src/commands/setup/nuke.rs

@@ -8,11 +8,19 @@ use crate::keys;
 
 /// Remove repo and local `a8c-secrets` data for the current repository.
 ///
+/// Requires stdout and stdin to be terminals so the destructive summary and confirmation
+/// prompt are visible and typed interactively.
+///
 /// # Errors
 ///
 /// Returns an error if repo/config discovery fails, user input fails, or any
 /// of the cleanup file operations fail.
 pub fn run() -> Result<()> {
+    if !std::io::stdout().is_terminal() {
+        anyhow::bail!(
+            "`a8c-secrets setup nuke` must not redirect stdout — it prints a destructive summary and confirmation prompt. Run it in a terminal so you can see what you are confirming."
+        );
+    }
     if !std::io::stdin().is_terminal() {
         anyhow::bail!(
             "`a8c-secrets setup nuke` requires stdin connected to a terminal for confirmation."

src/manual.rs

@@ -73,7 +73,8 @@ GETTING STARTED
 
     setup init and keys rotate require stdout connected to a terminal (private keys
     are printed; do not redirect). keys rotate also needs stdin for prompts. setup
-    nuke and rm (without --non-interactive) need stdin for confirmation. edit uses
+    nuke needs stdout and stdin (see the destructive summary before typing the repo id).
+    rm (without --non-interactive) needs stdin for confirmation. edit uses
     $EDITOR and prompts; intended for interactive use.
 
     If stdout is not a terminal, private key blocks are redacted in output (defense in

tests/commands_integration.rs

@@ -794,13 +794,13 @@ fn setup_nuke_fails_without_tty_and_preserves_repo_secrets_key_and_decrypted() {
         .expect("wait_with_output on setup nuke");
     assert!(
         !out.status.success(),
-        "setup nuke should fail when stdin is not a terminal"
+        "setup nuke should fail when stdout/stdin are not terminals"
     );
     let combined =
         String::from_utf8_lossy(&out.stderr).to_string() + &String::from_utf8_lossy(&out.stdout);
     assert!(
-        combined.contains("stdin") && combined.contains("terminal"),
-        "expected stdin terminal requirement message, got: {combined}"
+        combined.contains("stdout") && combined.contains("terminal"),
+        "expected stdout terminal requirement message, got: {combined}"
     );
     assert!(
         repo_dir.join(".a8c-secrets").exists(),