#109 provision_vcs_auth: collect Bitbucket API tokens via OOB secure input

closed
nobody
None
2026-04-20
2026-04-11
Anonymous
No

Originally created by: kumaakh

Problem

provision_vcs_auth for Bitbucket requires the caller to pass api_token as a plain string parameter, which means the token appears in chat history and prompt logs.

register_member already handles this correctly — omitting password triggers an OOB secure prompt in a separate terminal window. provision_vcs_auth should do the same.

Expected behaviour

When api_token is omitted (or a sentinel like "" is passed), the fleet server opens a secure out-of-band password prompt — the same mechanism used by register_member — and reads the token interactively without it ever appearing in the conversation.

Suggested implementation

  • Mirror the OOB prompt logic from register_member into provision_vcs_auth
  • Apply to Bitbucket API tokens and Azure DevOps PATs (same exposure risk)
  • Document in auth-bitbucket.md and auth-azdevops.md: "omit api_token for secure out-of-band entry"

Workaround (current)

User runs ! read -s -p "Token: " BB_TOKEN && echo ok in the Claude Code terminal, then PM calls provision_vcs_auth with api_token: "$BB_TOKEN" referencing the shell variable.
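The expected behaviour described above, sketched as an added example (not code from this project or from PR #128): when api_token is omitted or passed as "", the value is read from the controlling terminal with echo off, and only a redacted placeholder reaches anything that gets logged. The function names, the shape of the params dict and the audit record format are assumptions made for illustration.

```python
import getpass


class Secret:
    """Wraps a credential so str()/repr() never reveal it in logs or tracebacks."""
    __slots__ = ("_value",)

    def __init__(self, value):
        self._value = value

    def reveal(self):
        return self._value

    def __repr__(self):
        return "Secret(****)"

    __str__ = __repr__


def tty_prompt(label):
    # On Unix, getpass opens the controlling terminal (/dev/tty) with echo off,
    # so the value does not travel over the stdin/stdout channel the caller uses.
    return getpass.getpass(f"{label}: ")


def resolve_api_token(params, prompt=tty_prompt):
    """Return (Secret, source) for a hypothetical tool-call argument dict."""
    supplied = params.get("api_token")
    if supplied:
        # Plaintext parameter: usable, but it is already in the caller's history.
        return Secret(supplied), "inline"
    token = prompt("Bitbucket API token")  # omitted or "" -> out-of-band entry
    if not token:
        raise ValueError("no token entered at the secure prompt")
    return Secret(token), "oob"


def audit_record(params, source):
    """Copy of the call arguments that is safe to write to a call log."""
    safe = {k: v for k, v in params.items() if k != "api_token"}
    safe["api_token"] = f"<{source}:redacted>"
    return safe


if __name__ == "__main__":
    # Constructed demo: a fake prompt stands in for the terminal.
    call = {"provider": "bitbucket", "workspace": "example-ws"}
    secret, source = resolve_api_token(call, prompt=lambda _: "constructed-token")
    print(secret, audit_record(call, source))
```
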

Discussion

  • Anonymous

    Anonymous - 2026-04-20

    Originally posted by: kumaakh

    Fixed in commit 211f043 (PR [#128] — feat/oob-improvements). All three providers in provision_vcs_auth (GitHub PAT, Bitbucket, Azure DevOps) now support OOB secure input — omit the credential field and a secure TTY prompt opens automatically. {{secure.NAME}} token resolution is also supported for all three fields.

     

    Related

    Tickets: #128

  • Anonymous

    Anonymous - 2026-04-20

    Ticket changed by: kumaakh

    • status: open --> closed
     
