fix(dashboard): never print client secret to stdout

Client secret was printed via fmt.Printf on app creation, leaking it
to terminal scrollback, CI logs, and screen captures. Apply the same
secure delivery pattern used for API keys: clipboard or temp file with
0600 permissions. The secret is never written to stdout.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: AaronDDM

internal/cli/dashboard/apps.go

@@ -141,8 +141,12 @@ func newAppsCreateCmd() *cobra.Command {
 				fmt.Printf("  Environment:    %s\n", app.Environment)
 			}
 
-			_, _ = common.Yellow.Println("\n  Client Secret (shown once — save it now):")
-			fmt.Printf("  %s\n", app.ClientSecret)
+			if app.ClientSecret != "" {
+				_, _ = common.Yellow.Println("\n  Client Secret (available once — save it now):")
+				if err := handleSecretDelivery(app.ClientSecret, "Client Secret"); err != nil {
+					return err
+				}
+			}
 
 			fmt.Println("\nTo configure the CLI with this application:")
 			fmt.Printf("  nylas auth config --api-key <your-api-key> --region %s\n", app.Region)

internal/cli/dashboard/keys.go

@@ -226,6 +226,44 @@ func handleAPIKeyDelivery(apiKey, appID, region string) error {
 	return nil
 }
 
+// handleSecretDelivery prompts the user to choose how to receive a secret.
+// Secrets are never printed to stdout to prevent leaking in terminal history or logs.
+func handleSecretDelivery(secret, label string) error {
+	fmt.Printf("\nHow would you like to receive the %s?\n", label)
+	fmt.Println()
+	_, _ = common.Cyan.Println("  [1] Copy to clipboard (recommended)")
+	fmt.Println("  [2] Save to file")
+	fmt.Println()
+
+	choice, err := readLine("Choose [1-2]: ")
+	if err != nil {
+		return wrapDashboardError(err)
+	}
+
+	switch choice {
+	case "1", "":
+		if err := common.CopyToClipboard(secret); err != nil {
+			_, _ = common.Yellow.Printf("  Clipboard unavailable: %v\n", err)
+			_, _ = common.Dim.Println("  Try option [2] to save to a file instead")
+			return nil
+		}
+		_, _ = common.Green.Printf("✓ %s copied to clipboard\n", label)
+
+	case "2":
+		keyFile := filepath.Join(os.TempDir(), "nylas-client-secret.txt")
+		if err := os.WriteFile(keyFile, []byte(secret+"\n"), 0o600); err != nil { // #nosec G306
+			return wrapDashboardError(fmt.Errorf("failed to write file: %w", err))
+		}
+		_, _ = common.Green.Printf("✓ %s saved to: %s\n", label, keyFile)
+		_, _ = common.Dim.Println("  Read it, then delete the file")
+
+	default:
+		return dashboardError("invalid selection", "Choose 1-2")
+	}
+
+	return nil
+}
+
 // activateAPIKey stores the API key and configures the CLI to use it.
 func activateAPIKey(apiKey, clientID, region string) error {
 	configStore := config.NewDefaultFileStore()