From 272a93b2962a61a7daa512ea93d5fe5a19bae126 Mon Sep 17 00:00:00 2001
From: Stephen Braverman
Date: Mon, 23 Mar 2026 14:39:41 -0400
Subject: [PATCH] [PPSC-602] fix: add warning before printing token to stdout (CWE-522)

Co-Authored-By: Claude Opus 4.6
---
 internal/cmd/auth.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/internal/cmd/auth.go b/internal/cmd/auth.go
index 6b5c47c..145d477 100644
--- a/internal/cmd/auth.go
+++ b/internal/cmd/auth.go
@@ -3,6 +3,7 @@ package cmd
 import (
 	"context"
 	"fmt"
+	"os"
 	"time"
 
 	"github.com/spf13/cobra"
@@ -58,7 +59,10 @@ func runAuth(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to get token: %w", err)
 	}
 
-	// Print the raw token without any prefix (useful for piping to other tools)
+	// Print the raw token without any prefix (useful for piping to other tools).
+	// CWE-522: Token output is the intentional purpose of this command.
+	// Warning is sent to stderr so it doesn't interfere with piped usage.
+	fmt.Fprintln(os.Stderr, "Warning: token output below. Avoid storing in logs or shell history.")
 	fmt.Println(token)
 	return nil
 }
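Review bot: The new `fmt.Fprintln(os.Stderr, ...)` line fires on every invocation, including the piped/scripted use the comment above it says it is trying not to disturb, where it becomes noise in CI logs and in any harness that treats stderr output as a failure signal. The exposure the message describes — the token ending up in terminal scrollback or shell history — only arises in interactive use, so consider emitting the notice only when stdout is a terminal: `if fi, err := os.Stdout.Stat(); err == nil && fi.Mode()&os.ModeCharDevice != 0 {` around the Fprintln. The notice also does not reduce the exposure by itself, so the CWE-522 comment would be more accurate reading `// CWE-522: emitting the token is this command's purpose; the stderr notice only flags the risk, it does not mitigate it.` The body of runAuth begins before this hunk, so any quiet/output flags it may already parse are not visible here.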