From 4373f358ac4cab5a0239e40a954468ca128b6157 Mon Sep 17 00:00:00 2001
From: McKayla Washburn <mckayla@hey.com>
Date: Wed, 25 Jun 2025 23:19:41 +0000
Subject: [PATCH 01/15] feat: allow masking workspace parameter inputs

---
 coderd/apidoc/docs.go                         |   3 +
 coderd/apidoc/swagger.json                    |   3 +
 coderd/database/db2sdk/db2sdk.go              |   1 +
 codersdk/parameters.go                        |   1 +
 .../extending-templates/mask-input-example.md | 195 ++++++++++++++++++
 docs/reference/api/schemas.md                 |   4 +
 docs/reference/api/templates.md               |   1 +
 go.mod                                        |   2 +
 go.sum                                        |   4 +-
 site/src/api/typesGenerated.ts                |   1 +
 .../DynamicParameter.stories.tsx              |  39 ++++
 .../DynamicParameter/DynamicParameter.tsx     | 114 +++++++---
 12 files changed, 335 insertions(+), 33 deletions(-)
 create mode 100644 docs/admin/templates/extending-templates/mask-input-example.md

diff --git a/coderd/apidoc/docs.go b/coderd/apidoc/docs.go
index f08b7dfd7fc4d..96943fd9bcdd6 100644
--- a/coderd/apidoc/docs.go
+++ b/coderd/apidoc/docs.go
@@ -14057,6 +14057,9 @@ const docTemplate = `{
                 "label": {
                     "type": "string"
                 },
+                "mask_input": {
+                    "type": "boolean"
+                },
                 "placeholder": {
                     "type": "string"
                 }
diff --git a/coderd/apidoc/swagger.json b/coderd/apidoc/swagger.json
index 8317f9ed90503..22281914281ea 100644
--- a/coderd/apidoc/swagger.json
+++ b/coderd/apidoc/swagger.json
@@ -12723,6 +12723,9 @@
 				"label": {
 					"type": "string"
 				},
+				"mask_input": {
+					"type": "boolean"
+				},
 				"placeholder": {
 					"type": "string"
 				}
diff --git a/coderd/database/db2sdk/db2sdk.go b/coderd/database/db2sdk/db2sdk.go
index c74e63bb86f59..5e9be4d61a57c 100644
--- a/coderd/database/db2sdk/db2sdk.go
+++ b/coderd/database/db2sdk/db2sdk.go
@@ -816,6 +816,7 @@ func PreviewParameter(param previewtypes.Parameter) codersdk.PreviewParameter {
 				Placeholder: param.Styling.Placeholder,
 				Disabled:    param.Styling.Disabled,
 				Label:       param.Styling.Label,
+				MaskInput:   param.Styling.MaskInput,
 			},
 			Mutable:      param.Mutable,
 			DefaultValue: PreviewHCLString(param.DefaultValue),
diff --git a/codersdk/parameters.go b/codersdk/parameters.go
index bdf48f2c6e8fa..1e15d0496c1fa 100644
--- a/codersdk/parameters.go
+++ b/codersdk/parameters.go
@@ -91,6 +91,7 @@ type PreviewParameterStyling struct {
 	Placeholder *string `json:"placeholder,omitempty"`
 	Disabled    *bool   `json:"disabled,omitempty"`
 	Label       *string `json:"label,omitempty"`
+	MaskInput   *bool   `json:"mask_input,omitempty"`
 }
 
 type PreviewParameterOption struct {
diff --git a/docs/admin/templates/extending-templates/mask-input-example.md b/docs/admin/templates/extending-templates/mask-input-example.md
new file mode 100644
index 0000000000000..2c6d5d8ea4260
--- /dev/null
+++ b/docs/admin/templates/extending-templates/mask-input-example.md
@@ -0,0 +1,195 @@
+# Mask Input Feature
+
+The `mask_input` styling option allows you to hide sensitive parameter values by converting all characters to asterisks (*). This feature is designed for template parameters that contain sensitive information like passwords, API keys, or other secrets.
+
+> **Note**: This feature is purely cosmetic and does not provide any security. The actual parameter values are still transmitted and stored normally. This is only meant to hide the characters visually in the UI.
+
+## Usage
+
+The `mask_input` option can be applied to parameters with `form_type` of `input` or `textarea`. Add it to the `styling` block of your parameter definition:
+
+```hcl
+variable "api_key" {
+  description = "API key for external service"
+  type        = string
+  sensitive   = true
+  
+  validation {
+    condition     = length(var.api_key) > 0
+    error_message = "API key cannot be empty."
+  }
+}
+
+resource "coder_parameter" "api_key" {
+  name         = "api_key"
+  display_name = "API Key"
+  description  = "Enter your API key for the external service"
+  type         = "string"
+  form_type    = "input"
+  mutable      = true
+  
+  styling = {
+    mask_input  = true
+    placeholder = "Enter your API key"
+  }
+}
+```
+
+## Examples
+
+### Masked Input Field
+
+```hcl
+resource "coder_parameter" "database_password" {
+  name         = "database_password"
+  display_name = "Database Password"
+  description  = "Password for database connection"
+  type         = "string"
+  form_type    = "input"
+  mutable      = true
+  
+  styling = {
+    mask_input = true
+  }
+}
+```
+
+### Masked Textarea Field
+
+```hcl
+resource "coder_parameter" "private_key" {
+  name         = "private_key"
+  display_name = "Private Key"
+  description  = "Private key for SSH access"
+  type         = "string"
+  form_type    = "textarea"
+  mutable      = true
+  
+  styling = {
+    mask_input  = true
+    placeholder = "Paste your private key here"
+  }
+}
+```
+
+### Complete Example with Multiple Sensitive Parameters
+
+```hcl
+terraform {
+  required_providers {
+    coder = {
+      source = "coder/coder"
+    }
+  }
+}
+
+variable "username" {
+  description = "Username for the service"
+  type        = string
+}
+
+variable "password" {
+  description = "Password for the service"
+  type        = string
+  sensitive   = true
+}
+
+variable "ssl_certificate" {
+  description = "SSL certificate content"
+  type        = string
+  sensitive   = true
+}
+
+resource "coder_parameter" "username" {
+  name         = "username"
+  display_name = "Username"
+  description  = "Enter your username"
+  type         = "string"
+  form_type    = "input"
+  mutable      = true
+  default_value = var.username
+}
+
+resource "coder_parameter" "password" {
+  name         = "password"
+  display_name = "Password"
+  description  = "Enter your password"
+  type         = "string"
+  form_type    = "input"
+  mutable      = true
+  default_value = var.password
+  
+  styling = {
+    mask_input  = true
+    placeholder = "Enter your password"
+  }
+}
+
+resource "coder_parameter" "ssl_certificate" {
+  name         = "ssl_certificate"
+  display_name = "SSL Certificate"
+  description  = "Paste your SSL certificate"
+  type         = "string"
+  form_type    = "textarea"
+  mutable      = true
+  default_value = var.ssl_certificate
+  
+  styling = {
+    mask_input  = true
+    placeholder = "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
+  }
+}
+```
+
+## User Interface Behavior
+
+When `mask_input` is enabled:
+
+1. **Masked Display**: All characters in the input field are displayed as asterisks (*)
+2. **Show/Hide Toggle**: A eye icon button appears in the top-right corner of the field
+   - Click the eye icon to reveal the actual text
+   - Click again to hide it back to asterisks
+3. **Normal Functionality**: The field works normally for typing, copying, and pasting
+4. **Form Submission**: The actual unmasked value is submitted with the form
+
+## Limitations and Considerations
+
+- **No Security**: This feature provides no actual security - it's purely visual
+- **Number Fields**: Masking is automatically disabled for `number` type parameters
+- **Accessibility**: Screen readers will still read the actual values, not the masked version
+- **Development**: Use in conjunction with Terraform's `sensitive = true` for variables that contain secrets
+
+## Best Practices
+
+1. **Combine with Sensitive Variables**: Always mark sensitive parameters with `sensitive = true` in your Terraform variables
+2. **Use Descriptive Placeholders**: Provide helpful placeholder text to guide users
+3. **Validate Input**: Add appropriate validation rules for sensitive parameters
+4. **Documentation**: Clearly document what sensitive information is being collected
+
+```hcl
+variable "api_token" {
+  description = "API token for external service (keep this secret!)"
+  type        = string
+  sensitive   = true  # This prevents the value from appearing in Terraform logs
+  
+  validation {
+    condition     = can(regex("^[A-Za-z0-9]{32,}$", var.api_token))
+    error_message = "API token must be at least 32 alphanumeric characters."
+  }
+}
+
+resource "coder_parameter" "api_token" {
+  name         = "api_token"
+  display_name = "API Token"
+  description  = "Enter your API token (this will be hidden for security)"
+  type         = "string"
+  form_type    = "input"
+  mutable      = true
+  default_value = var.api_token
+  
+  styling = {
+    mask_input  = true
+    placeholder = "Enter your 32+ character API token"
+  }
+}
+```
diff --git a/docs/reference/api/schemas.md b/docs/reference/api/schemas.md
index e19c9d15da413..47acfe105439c 100644
--- a/docs/reference/api/schemas.md
+++ b/docs/reference/api/schemas.md
@@ -2890,6 +2890,7 @@ CreateWorkspaceRequest provides options for creating a new workspace. Only one o
       "styling": {
         "disabled": true,
         "label": "string",
+        "mask_input": true,
         "placeholder": "string"
       },
       "type": "string",
@@ -5020,6 +5021,7 @@ Git clone makes use of this by parsing the URL from: 'Username for "https://gith
   "styling": {
     "disabled": true,
     "label": "string",
+    "mask_input": true,
     "placeholder": "string"
   },
   "type": "string",
@@ -5089,6 +5091,7 @@ Git clone makes use of this by parsing the URL from: 'Username for "https://gith
 {
   "disabled": true,
   "label": "string",
+  "mask_input": true,
   "placeholder": "string"
 }
 ```
@@ -5099,6 +5102,7 @@ Git clone makes use of this by parsing the URL from: 'Username for "https://gith
 |---------------|---------|----------|--------------|-------------|
 | `disabled`    | boolean | false    |              |             |
 | `label`       | string  | false    |              |             |
+| `mask_input`  | boolean | false    |              |             |
 | `placeholder` | string  | false    |              |             |
 
 ## codersdk.PreviewParameterValidation
diff --git a/docs/reference/api/templates.md b/docs/reference/api/templates.md
index dc4605532ff41..cf99922877ab3 100644
--- a/docs/reference/api/templates.md
+++ b/docs/reference/api/templates.md
@@ -2697,6 +2697,7 @@ curl -X POST http://coder-server:8080/api/v2/templateversions/{templateversion}/
       "styling": {
         "disabled": true,
         "label": "string",
+        "mask_input": true,
         "placeholder": "string"
       },
       "type": "string",
diff --git a/go.mod b/go.mod
index 5325b190b1380..c7d5b7f1d5d18 100644
--- a/go.mod
+++ b/go.mod
@@ -75,6 +75,8 @@ replace github.com/spf13/afero => github.com/aslilac/afero v0.0.0-20250403163713
 // TODO: replace once we cut release.
 replace github.com/coder/terraform-provider-coder/v2 => github.com/coder/terraform-provider-coder/v2 v2.7.1-0.20250623193313-e890833351e2
 
+replace github.com/coder/preview => github.com/coder/preview v1.0.2-0.20250625231609-10623f47565b
+
 require (
 	cdr.dev/slog v1.6.2-0.20241112041820-0ec81e6e67bb
 	cloud.google.com/go/compute/metadata v0.7.0
diff --git a/go.sum b/go.sum
index 14b86b4d38b4a..54abd58445bbd 100644
--- a/go.sum
+++ b/go.sum
@@ -916,8 +916,8 @@ github.com/coder/pq v1.10.5-0.20240813183442-0c420cb5a048 h1:3jzYUlGH7ZELIH4XggX
 github.com/coder/pq v1.10.5-0.20240813183442-0c420cb5a048/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/coder/pretty v0.0.0-20230908205945-e89ba86370e0 h1:3A0ES21Ke+FxEM8CXx9n47SZOKOpgSE1bbJzlE4qPVs=
 github.com/coder/pretty v0.0.0-20230908205945-e89ba86370e0/go.mod h1:5UuS2Ts+nTToAMeOjNlnHFkPahrtDkmpydBen/3wgZc=
-github.com/coder/preview v1.0.1 h1:f6q+RjNelwnkyXfGbmVlb4dcUOQ0z4mPsb2kuQpFHuU=
-github.com/coder/preview v1.0.1/go.mod h1:efDWGlO/PZPrvdt5QiDhMtTUTkPxejXo9c0wmYYLLjM=
+github.com/coder/preview v1.0.2-0.20250625231609-10623f47565b h1:nka6oEgL/+GR78IcdwgG6CNDEpgLD1JFGts8h7yLD5w=
+github.com/coder/preview v1.0.2-0.20250625231609-10623f47565b/go.mod h1:efDWGlO/PZPrvdt5QiDhMtTUTkPxejXo9c0wmYYLLjM=
 github.com/coder/quartz v0.2.1 h1:QgQ2Vc1+mvzewg2uD/nj8MJ9p9gE+QhGJm+Z+NGnrSE=
 github.com/coder/quartz v0.2.1/go.mod h1:vsiCc+AHViMKH2CQpGIpFgdHIEQsxwm8yCscqKmzbRA=
 github.com/coder/retry v1.5.1 h1:iWu8YnD8YqHs3XwqrqsjoBTAVqT9ml6z9ViJ2wlMiqc=
diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts
index b2117cf15c987..8971c93dddad6 100644
--- a/site/src/api/typesGenerated.ts
+++ b/site/src/api/typesGenerated.ts
@@ -1825,6 +1825,7 @@ export interface PreviewParameterStyling {
 	readonly placeholder?: string;
 	readonly disabled?: boolean;
 	readonly label?: string;
+	readonly mask_input?: boolean;
 }
 
 // From codersdk/parameters.go
diff --git a/site/src/modules/workspaces/DynamicParameter/DynamicParameter.stories.tsx b/site/src/modules/workspaces/DynamicParameter/DynamicParameter.stories.tsx
index db3fa2f404c53..707c065142268 100644
--- a/site/src/modules/workspaces/DynamicParameter/DynamicParameter.stories.tsx
+++ b/site/src/modules/workspaces/DynamicParameter/DynamicParameter.stories.tsx
@@ -230,3 +230,42 @@ export const AllBadges: Story = {
 		isPreset: true,
 	},
 };
+
+export const MaskedInput: Story = {
+	args: {
+		parameter: {
+			...MockPreviewParameter,
+			form_type: "input",
+			styling: {
+				...MockPreviewParameter.styling,
+				mask_input: true,
+			},
+		},
+	},
+};
+
+export const MaskedTextArea: Story = {
+	args: {
+		parameter: {
+			...MockPreviewParameter,
+			form_type: "textarea",
+			styling: {
+				...MockPreviewParameter.styling,
+				mask_input: true,
+			},
+		},
+	},
+};
+
+export const MaskedInputWithPlaceholder: Story = {
+	args: {
+		parameter: {
+			...MockPreviewParameter,
+			form_type: "input",
+			styling: {
+				placeholder: "Enter your secret value",
+				mask_input: true,
+			},
+		},
+	},
+};
diff --git a/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx b/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
index fa72142d52837..3a31c1ca1a5a0 100644
--- a/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
+++ b/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
@@ -5,6 +5,7 @@ import type {
 	WorkspaceBuildParameter,
 } from "api/typesGenerated";
 import { Badge } from "components/Badge/Badge";
+import { Button } from "components/Button/Button";
 import { Checkbox } from "components/Checkbox/Checkbox";
 import { ExternalImage } from "components/ExternalImage/ExternalImage";
 import { Input } from "components/Input/Input";
@@ -36,6 +37,8 @@ import { useDebouncedValue } from "hooks/debounce";
 import { useEffectEvent } from "hooks/hookPolyfills";
 import {
 	CircleAlert,
+	Eye,
+	EyeOff,
 	Hourglass,
 	Info,
 	LinkIcon,
@@ -265,6 +268,12 @@ const DebouncedParameterField: FC<DebouncedParameterFieldProps> = ({
 	const [localValue, setLocalValue] = useState(
 		value !== undefined ? value : validValue(parameter.value),
 	);
+	const [showMaskedInput, setShowMaskedInput] = useState(false);
+
+	// Helper function to mask all characters with *
+	const maskValue = (val: string): string => {
+		return "*".repeat(val.length);
+	};
 	const debouncedLocalValue = useDebouncedValue(localValue, 500);
 	const onChangeEvent = useEffectEvent(onChange);
 	// prevDebouncedValueRef is to prevent calling the onChangeEvent on the initial render
@@ -308,23 +317,44 @@ const DebouncedParameterField: FC<DebouncedParameterFieldProps> = ({
 
 	switch (parameter.form_type) {
 		case "textarea": {
+			const shouldMask = parameter.styling?.mask_input && !showMaskedInput;
+			const displayValue = shouldMask ? maskValue(localValue) : localValue;
+
 			return (
-				<Textarea
-					ref={textareaRef}
-					id={id}
-					className="overflow-y-auto max-h-[500px]"
-					value={localValue}
-					onChange={(e) => {
-						const target = e.currentTarget;
-						target.style.height = "auto";
-						target.style.height = `${target.scrollHeight}px`;
-
-						setLocalValue(e.target.value);
-					}}
-					disabled={disabled}
-					placeholder={parameter.styling?.placeholder}
-					required={parameter.required}
-				/>
+				<div className="relative">
+					<Textarea
+						ref={textareaRef}
+						id={id}
+						className="overflow-y-auto max-h-[500px]"
+						value={displayValue}
+						onChange={(e) => {
+							const target = e.currentTarget;
+							target.style.height = "auto";
+							target.style.height = `${target.scrollHeight}px`;
+
+							setLocalValue(e.target.value);
+						}}
+						disabled={disabled}
+						placeholder={parameter.styling?.placeholder}
+						required={parameter.required}
+					/>
+					{parameter.styling?.mask_input && (
+						<Button
+							type="button"
+							variant="subtle"
+							size="sm"
+							className="absolute top-2 right-2 h-6 w-6 p-0"
+							onClick={() => setShowMaskedInput(!showMaskedInput)}
+							disabled={disabled}
+						>
+							{showMaskedInput ? (
+								<EyeOff className="h-4 w-4" />
+							) : (
+								<Eye className="h-4 w-4" />
+							)}
+						</Button>
+					)}
+				</div>
 			);
 		}
 
@@ -345,19 +375,43 @@ const DebouncedParameterField: FC<DebouncedParameterFieldProps> = ({
 				}
 			}
 
+			const shouldMask =
+				parameter.styling?.mask_input &&
+				!showMaskedInput &&
+				parameter.type !== "number";
+			const displayValue = shouldMask ? maskValue(localValue) : localValue;
+
 			return (
-				<Input
-					id={id}
-					type={inputType}
-					value={localValue}
-					onChange={(e) => {
-						setLocalValue(e.target.value);
-					}}
-					disabled={disabled}
-					required={parameter.required}
-					placeholder={parameter.styling?.placeholder}
-					{...inputProps}
-				/>
+				<div className="relative">
+					<Input
+						id={id}
+						type={inputType}
+						value={displayValue}
+						onChange={(e) => {
+							setLocalValue(e.target.value);
+						}}
+						disabled={disabled}
+						required={parameter.required}
+						placeholder={parameter.styling?.placeholder}
+						{...inputProps}
+					/>
+					{parameter.styling?.mask_input && parameter.type !== "number" && (
+						<Button
+							type="button"
+							variant="subtle"
+							size="sm"
+							className="absolute top-1/2 right-2 h-6 w-6 p-0 -translate-y-1/2"
+							onClick={() => setShowMaskedInput(!showMaskedInput)}
+							disabled={disabled}
+						>
+							{showMaskedInput ? (
+								<EyeOff className="h-4 w-4" />
+							) : (
+								<Eye className="h-4 w-4" />
+							)}
+						</Button>
+					)}
+				</div>
 			);
 		}
 	}
@@ -450,9 +504,7 @@ const ParameterField: FC<ParameterFieldProps> = ({
 
 			return (
 				<MultiSelectCombobox
-					inputProps={{
-						id: id,
-					}}
+					inputProps={{ id }}
 					options={options}
 					defaultOptions={selectedOptions}
 					onChange={(newValues) => {

From 441b8aa8649a7e7c2f6667fc622bf3512b9a9077 Mon Sep 17 00:00:00 2001
From: McKayla Washburn <mckayla@hey.com>
Date: Thu, 26 Jun 2025 18:18:26 +0000
Subject: [PATCH 02/15] fix coder/preview version

---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index c7d5b7f1d5d18..7b6e5faab8f94 100644
--- a/go.mod
+++ b/go.mod
@@ -75,7 +75,7 @@ replace github.com/spf13/afero => github.com/aslilac/afero v0.0.0-20250403163713
 // TODO: replace once we cut release.
 replace github.com/coder/terraform-provider-coder/v2 => github.com/coder/terraform-provider-coder/v2 v2.7.1-0.20250623193313-e890833351e2
 
-replace github.com/coder/preview => github.com/coder/preview v1.0.2-0.20250625231609-10623f47565b
+replace github.com/coder/preview => github.com/coder/preview v1.0.2
 
 require (
 	cdr.dev/slog v1.6.2-0.20241112041820-0ec81e6e67bb
diff --git a/go.sum b/go.sum
index 54abd58445bbd..bf38f2e146fd9 100644
--- a/go.sum
+++ b/go.sum
@@ -916,8 +916,8 @@ github.com/coder/pq v1.10.5-0.20240813183442-0c420cb5a048 h1:3jzYUlGH7ZELIH4XggX
 github.com/coder/pq v1.10.5-0.20240813183442-0c420cb5a048/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/coder/pretty v0.0.0-20230908205945-e89ba86370e0 h1:3A0ES21Ke+FxEM8CXx9n47SZOKOpgSE1bbJzlE4qPVs=
 github.com/coder/pretty v0.0.0-20230908205945-e89ba86370e0/go.mod h1:5UuS2Ts+nTToAMeOjNlnHFkPahrtDkmpydBen/3wgZc=
-github.com/coder/preview v1.0.2-0.20250625231609-10623f47565b h1:nka6oEgL/+GR78IcdwgG6CNDEpgLD1JFGts8h7yLD5w=
-github.com/coder/preview v1.0.2-0.20250625231609-10623f47565b/go.mod h1:efDWGlO/PZPrvdt5QiDhMtTUTkPxejXo9c0wmYYLLjM=
+github.com/coder/preview v1.0.2 h1:ZFfox0PgXcIouB9iWGcZyOtdL0h2a4ju1iPw/dMqsg4=
+github.com/coder/preview v1.0.2/go.mod h1:efDWGlO/PZPrvdt5QiDhMtTUTkPxejXo9c0wmYYLLjM=
 github.com/coder/quartz v0.2.1 h1:QgQ2Vc1+mvzewg2uD/nj8MJ9p9gE+QhGJm+Z+NGnrSE=
 github.com/coder/quartz v0.2.1/go.mod h1:vsiCc+AHViMKH2CQpGIpFgdHIEQsxwm8yCscqKmzbRA=
 github.com/coder/retry v1.5.1 h1:iWu8YnD8YqHs3XwqrqsjoBTAVqT9ml6z9ViJ2wlMiqc=

From 18f5d12e441debb52fa3737b6156f4f1dca60bc4 Mon Sep 17 00:00:00 2001
From: McKayla Washburn <mckayla@hey.com>
Date: Thu, 26 Jun 2025 22:47:56 +0000
Subject: [PATCH 03/15] =?UTF-8?q?=F0=9F=A7=B9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../extending-templates/mask-input-example.md | 195 ------------------
 go.mod                                        |   4 +-
 2 files changed, 1 insertion(+), 198 deletions(-)
 delete mode 100644 docs/admin/templates/extending-templates/mask-input-example.md

diff --git a/docs/admin/templates/extending-templates/mask-input-example.md b/docs/admin/templates/extending-templates/mask-input-example.md
deleted file mode 100644
index 2c6d5d8ea4260..0000000000000
--- a/docs/admin/templates/extending-templates/mask-input-example.md
+++ /dev/null
@@ -1,195 +0,0 @@
-# Mask Input Feature
-
-The `mask_input` styling option allows you to hide sensitive parameter values by converting all characters to asterisks (*). This feature is designed for template parameters that contain sensitive information like passwords, API keys, or other secrets.
-
-> **Note**: This feature is purely cosmetic and does not provide any security. The actual parameter values are still transmitted and stored normally. This is only meant to hide the characters visually in the UI.
-
-## Usage
-
-The `mask_input` option can be applied to parameters with `form_type` of `input` or `textarea`. Add it to the `styling` block of your parameter definition:
-
-```hcl
-variable "api_key" {
-  description = "API key for external service"
-  type        = string
-  sensitive   = true
-  
-  validation {
-    condition     = length(var.api_key) > 0
-    error_message = "API key cannot be empty."
-  }
-}
-
-resource "coder_parameter" "api_key" {
-  name         = "api_key"
-  display_name = "API Key"
-  description  = "Enter your API key for the external service"
-  type         = "string"
-  form_type    = "input"
-  mutable      = true
-  
-  styling = {
-    mask_input  = true
-    placeholder = "Enter your API key"
-  }
-}
-```
-
-## Examples
-
-### Masked Input Field
-
-```hcl
-resource "coder_parameter" "database_password" {
-  name         = "database_password"
-  display_name = "Database Password"
-  description  = "Password for database connection"
-  type         = "string"
-  form_type    = "input"
-  mutable      = true
-  
-  styling = {
-    mask_input = true
-  }
-}
-```
-
-### Masked Textarea Field
-
-```hcl
-resource "coder_parameter" "private_key" {
-  name         = "private_key"
-  display_name = "Private Key"
-  description  = "Private key for SSH access"
-  type         = "string"
-  form_type    = "textarea"
-  mutable      = true
-  
-  styling = {
-    mask_input  = true
-    placeholder = "Paste your private key here"
-  }
-}
-```
-
-### Complete Example with Multiple Sensitive Parameters
-
-```hcl
-terraform {
-  required_providers {
-    coder = {
-      source = "coder/coder"
-    }
-  }
-}
-
-variable "username" {
-  description = "Username for the service"
-  type        = string
-}
-
-variable "password" {
-  description = "Password for the service"
-  type        = string
-  sensitive   = true
-}
-
-variable "ssl_certificate" {
-  description = "SSL certificate content"
-  type        = string
-  sensitive   = true
-}
-
-resource "coder_parameter" "username" {
-  name         = "username"
-  display_name = "Username"
-  description  = "Enter your username"
-  type         = "string"
-  form_type    = "input"
-  mutable      = true
-  default_value = var.username
-}
-
-resource "coder_parameter" "password" {
-  name         = "password"
-  display_name = "Password"
-  description  = "Enter your password"
-  type         = "string"
-  form_type    = "input"
-  mutable      = true
-  default_value = var.password
-  
-  styling = {
-    mask_input  = true
-    placeholder = "Enter your password"
-  }
-}
-
-resource "coder_parameter" "ssl_certificate" {
-  name         = "ssl_certificate"
-  display_name = "SSL Certificate"
-  description  = "Paste your SSL certificate"
-  type         = "string"
-  form_type    = "textarea"
-  mutable      = true
-  default_value = var.ssl_certificate
-  
-  styling = {
-    mask_input  = true
-    placeholder = "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
-  }
-}
-```
-
-## User Interface Behavior
-
-When `mask_input` is enabled:
-
-1. **Masked Display**: All characters in the input field are displayed as asterisks (*)
-2. **Show/Hide Toggle**: A eye icon button appears in the top-right corner of the field
-   - Click the eye icon to reveal the actual text
-   - Click again to hide it back to asterisks
-3. **Normal Functionality**: The field works normally for typing, copying, and pasting
-4. **Form Submission**: The actual unmasked value is submitted with the form
-
-## Limitations and Considerations
-
-- **No Security**: This feature provides no actual security - it's purely visual
-- **Number Fields**: Masking is automatically disabled for `number` type parameters
-- **Accessibility**: Screen readers will still read the actual values, not the masked version
-- **Development**: Use in conjunction with Terraform's `sensitive = true` for variables that contain secrets
-
-## Best Practices
-
-1. **Combine with Sensitive Variables**: Always mark sensitive parameters with `sensitive = true` in your Terraform variables
-2. **Use Descriptive Placeholders**: Provide helpful placeholder text to guide users
-3. **Validate Input**: Add appropriate validation rules for sensitive parameters
-4. **Documentation**: Clearly document what sensitive information is being collected
-
-```hcl
-variable "api_token" {
-  description = "API token for external service (keep this secret!)"
-  type        = string
-  sensitive   = true  # This prevents the value from appearing in Terraform logs
-  
-  validation {
-    condition     = can(regex("^[A-Za-z0-9]{32,}$", var.api_token))
-    error_message = "API token must be at least 32 alphanumeric characters."
-  }
-}
-
-resource "coder_parameter" "api_token" {
-  name         = "api_token"
-  display_name = "API Token"
-  description  = "Enter your API token (this will be hidden for security)"
-  type         = "string"
-  form_type    = "input"
-  mutable      = true
-  default_value = var.api_token
-  
-  styling = {
-    mask_input  = true
-    placeholder = "Enter your 32+ character API token"
-  }
-}
-```
diff --git a/go.mod b/go.mod
index 7b6e5faab8f94..0e64f030c1c78 100644
--- a/go.mod
+++ b/go.mod
@@ -75,8 +75,6 @@ replace github.com/spf13/afero => github.com/aslilac/afero v0.0.0-20250403163713
 // TODO: replace once we cut release.
 replace github.com/coder/terraform-provider-coder/v2 => github.com/coder/terraform-provider-coder/v2 v2.7.1-0.20250623193313-e890833351e2
 
-replace github.com/coder/preview => github.com/coder/preview v1.0.2
-
 require (
 	cdr.dev/slog v1.6.2-0.20241112041820-0ec81e6e67bb
 	cloud.google.com/go/compute/metadata v0.7.0
@@ -485,7 +483,7 @@ require (
 require (
 	github.com/coder/agentapi-sdk-go v0.0.0-20250505131810-560d1d88d225
 	github.com/coder/aisdk-go v0.0.9
-	github.com/coder/preview v1.0.1
+	github.com/coder/preview v1.0.2
 	github.com/fsnotify/fsnotify v1.9.0
 	github.com/mark3labs/mcp-go v0.32.0
 )

From cac18e9ecbe6fb661b17a5820a1c5d92a1961141 Mon Sep 17 00:00:00 2001
From: McKayla Washburn <mckayla@hey.com>
Date: Thu, 26 Jun 2025 22:52:06 +0000
Subject: [PATCH 04/15] fix story

---
 .../DynamicParameter/DynamicParameter.stories.tsx    | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/site/src/modules/workspaces/DynamicParameter/DynamicParameter.stories.tsx b/site/src/modules/workspaces/DynamicParameter/DynamicParameter.stories.tsx
index 707c065142268..72e9f240e38a5 100644
--- a/site/src/modules/workspaces/DynamicParameter/DynamicParameter.stories.tsx
+++ b/site/src/modules/workspaces/DynamicParameter/DynamicParameter.stories.tsx
@@ -8,18 +8,16 @@ const meta: Meta<typeof DynamicParameter> = {
 	parameters: {
 		layout: "centered",
 	},
+	args: {
+		parameter: MockPreviewParameter,
+		onChange: () => {},
+	},
 };
 
 export default meta;
 type Story = StoryObj<typeof DynamicParameter>;
 
-export const TextInput: Story = {
-	args: {
-		parameter: {
-			...MockPreviewParameter,
-		},
-	},
-};
+export const TextInput: Story = {};
 
 export const TextArea: Story = {
 	args: {

From 0237854bd7820a0a54d38d2863406be9c33f39d0 Mon Sep 17 00:00:00 2001
From: McKayla Washburn <mckayla@hey.com>
Date: Thu, 26 Jun 2025 22:56:55 +0000
Subject: [PATCH 05/15] lil

---
 .../DynamicParameter/DynamicParameter.stories.tsx  | 14 +-------------
 .../DynamicParameter/DynamicParameter.tsx          |  2 +-
 2 files changed, 2 insertions(+), 14 deletions(-)

diff --git a/site/src/modules/workspaces/DynamicParameter/DynamicParameter.stories.tsx b/site/src/modules/workspaces/DynamicParameter/DynamicParameter.stories.tsx
index 72e9f240e38a5..6eb5f2f77d2a2 100644
--- a/site/src/modules/workspaces/DynamicParameter/DynamicParameter.stories.tsx
+++ b/site/src/modules/workspaces/DynamicParameter/DynamicParameter.stories.tsx
@@ -236,6 +236,7 @@ export const MaskedInput: Story = {
 			form_type: "input",
 			styling: {
 				...MockPreviewParameter.styling,
+				placeholder: "Tell me a secret",
 				mask_input: true,
 			},
 		},
@@ -254,16 +255,3 @@ export const MaskedTextArea: Story = {
 		},
 	},
 };
-
-export const MaskedInputWithPlaceholder: Story = {
-	args: {
-		parameter: {
-			...MockPreviewParameter,
-			form_type: "input",
-			styling: {
-				placeholder: "Enter your secret value",
-				mask_input: true,
-			},
-		},
-	},
-};
diff --git a/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx b/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
index 3a31c1ca1a5a0..d2a6d512ec4ac 100644
--- a/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
+++ b/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
@@ -272,7 +272,7 @@ const DebouncedParameterField: FC<DebouncedParameterFieldProps> = ({
 
 	// Helper function to mask all characters with *
 	const maskValue = (val: string): string => {
-		return "*".repeat(val.length);
+		return "\u2022".repeat(val.length);
 	};
 	const debouncedLocalValue = useDebouncedValue(localValue, 500);
 	const onChangeEvent = useEffectEvent(onChange);

From 8a6b2f5550f2da47d77bf5392070383cf219d3f8 Mon Sep 17 00:00:00 2001
From: McKayla Washburn <mckayla@hey.com>
Date: Thu, 26 Jun 2025 23:05:23 +0000
Subject: [PATCH 06/15] uh huh

---
 .../DynamicParameter/DynamicParameter.tsx     | 213 +++++++++---------
 site/src/pages/TaskPage/TaskPage.tsx          |   2 +-
 .../{ellipsizeText.test.ts => text.test.ts}   |   8 +-
 site/src/utils/{ellipsizeText.ts => text.ts}  |   8 +
 4 files changed, 120 insertions(+), 111 deletions(-)
 rename site/src/utils/{ellipsizeText.test.ts => text.test.ts} (72%)
 rename site/src/utils/{ellipsizeText.ts => text.ts} (58%)

diff --git a/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx b/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
index d2a6d512ec4ac..f1aa2baa43e88 100644
--- a/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
+++ b/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
@@ -46,6 +46,7 @@ import {
 	TriangleAlert,
 } from "lucide-react";
 import { type FC, useEffect, useId, useRef, useState } from "react";
+import { maskText } from "utils/text";
 import type { AutofillBuildParameter } from "utils/richParameters";
 import * as Yup from "yup";
 
@@ -269,11 +270,6 @@ const DebouncedParameterField: FC<DebouncedParameterFieldProps> = ({
 		value !== undefined ? value : validValue(parameter.value),
 	);
 	const [showMaskedInput, setShowMaskedInput] = useState(false);
-
-	// Helper function to mask all characters with *
-	const maskValue = (val: string): string => {
-		return "\u2022".repeat(val.length);
-	};
 	const debouncedLocalValue = useDebouncedValue(localValue, 500);
 	const onChangeEvent = useEffectEvent(onChange);
 	// prevDebouncedValueRef is to prevent calling the onChangeEvent on the initial render
@@ -318,7 +314,7 @@ const DebouncedParameterField: FC<DebouncedParameterFieldProps> = ({
 	switch (parameter.form_type) {
 		case "textarea": {
 			const shouldMask = parameter.styling?.mask_input && !showMaskedInput;
-			const displayValue = shouldMask ? maskValue(localValue) : localValue;
+			const displayValue = shouldMask ? maskText(localValue) : localValue;
 
 			return (
 				<div className="relative">
@@ -379,7 +375,7 @@ const DebouncedParameterField: FC<DebouncedParameterFieldProps> = ({
 				parameter.styling?.mask_input &&
 				!showMaskedInput &&
 				parameter.type !== "number";
-			const displayValue = shouldMask ? maskValue(localValue) : localValue;
+			const displayValue = shouldMask ? maskText(localValue) : localValue;
 
 			return (
 				<div className="relative">
@@ -786,120 +782,119 @@ export const useValidationSchemaForDynamicParameters = (
 		.of(
 			Yup.object().shape({
 				name: Yup.string().required(),
-				value: Yup.string()
-					.test("verify with template", (val, ctx) => {
-						const name = ctx.parent.name;
-						const parameter = parameters.find(
-							(parameter) => parameter.name === name,
-						);
-						if (parameter) {
-							switch (parameter.type) {
-								case "number": {
-									const minValidation = parameter.validations.find(
-										(v) => v.validation_min !== null,
-									);
-									const maxValidation = parameter.validations.find(
-										(v) => v.validation_max !== null,
-									);
+				value: Yup.string().test("verify with template", (val, ctx) => {
+					const name = ctx.parent.name;
+					const parameter = parameters.find(
+						(parameter) => parameter.name === name,
+					);
+					if (parameter) {
+						switch (parameter.type) {
+							case "number": {
+								const minValidation = parameter.validations.find(
+									(v) => v.validation_min !== null,
+								);
+								const maxValidation = parameter.validations.find(
+									(v) => v.validation_max !== null,
+								);
+
+								if (
+									minValidation &&
+									minValidation.validation_min !== null &&
+									!maxValidation &&
+									Number(val) < minValidation.validation_min
+								) {
+									return ctx.createError({
+										path: ctx.path,
+										message:
+											parameterError(parameter, val) ??
+											`Value must be greater than ${minValidation.validation_min}.`,
+									});
+								}
 
-									if (
-										minValidation &&
-										minValidation.validation_min !== null &&
-										!maxValidation &&
-										Number(val) < minValidation.validation_min
-									) {
-										return ctx.createError({
-											path: ctx.path,
-											message:
-												parameterError(parameter, val) ??
-												`Value must be greater than ${minValidation.validation_min}.`,
-										});
-									}
+								if (
+									!minValidation &&
+									maxValidation &&
+									maxValidation.validation_max !== null &&
+									Number(val) > maxValidation.validation_max
+								) {
+									return ctx.createError({
+										path: ctx.path,
+										message:
+											parameterError(parameter, val) ??
+											`Value must be less than ${maxValidation.validation_max}.`,
+									});
+								}
 
-									if (
-										!minValidation &&
-										maxValidation &&
-										maxValidation.validation_max !== null &&
-										Number(val) > maxValidation.validation_max
-									) {
-										return ctx.createError({
-											path: ctx.path,
-											message:
-												parameterError(parameter, val) ??
-												`Value must be less than ${maxValidation.validation_max}.`,
-										});
-									}
+								if (
+									minValidation &&
+									minValidation.validation_min !== null &&
+									maxValidation &&
+									maxValidation.validation_max !== null &&
+									(Number(val) < minValidation.validation_min ||
+										Number(val) > maxValidation.validation_max)
+								) {
+									return ctx.createError({
+										path: ctx.path,
+										message:
+											parameterError(parameter, val) ??
+											`Value must be between ${minValidation.validation_min} and ${maxValidation.validation_max}.`,
+									});
+								}
 
-									if (
-										minValidation &&
-										minValidation.validation_min !== null &&
-										maxValidation &&
-										maxValidation.validation_max !== null &&
-										(Number(val) < minValidation.validation_min ||
-											Number(val) > maxValidation.validation_max)
-									) {
-										return ctx.createError({
-											path: ctx.path,
-											message:
-												parameterError(parameter, val) ??
-												`Value must be between ${minValidation.validation_min} and ${maxValidation.validation_max}.`,
-										});
-									}
+								const monotonic = parameter.validations.find(
+									(v) =>
+										v.validation_monotonic !== null &&
+										v.validation_monotonic !== "",
+								);
 
-									const monotonic = parameter.validations.find(
-										(v) =>
-											v.validation_monotonic !== null &&
-											v.validation_monotonic !== "",
+								if (monotonic && lastBuildParameters) {
+									const lastBuildParameter = lastBuildParameters.find(
+										(last: { name: string }) => last.name === name,
 									);
-
-									if (monotonic && lastBuildParameters) {
-										const lastBuildParameter = lastBuildParameters.find(
-											(last: { name: string }) => last.name === name,
-										);
-										if (lastBuildParameter) {
-											switch (monotonic.validation_monotonic) {
-												case "increasing":
-													if (Number(lastBuildParameter.value) > Number(val)) {
-														return ctx.createError({
-															path: ctx.path,
-															message: `Value must only ever increase (last value was ${lastBuildParameter.value})`,
-														});
-													}
-													break;
-												case "decreasing":
-													if (Number(lastBuildParameter.value) < Number(val)) {
-														return ctx.createError({
-															path: ctx.path,
-															message: `Value must only ever decrease (last value was ${lastBuildParameter.value})`,
-														});
-													}
-													break;
-											}
+									if (lastBuildParameter) {
+										switch (monotonic.validation_monotonic) {
+											case "increasing":
+												if (Number(lastBuildParameter.value) > Number(val)) {
+													return ctx.createError({
+														path: ctx.path,
+														message: `Value must only ever increase (last value was ${lastBuildParameter.value})`,
+													});
+												}
+												break;
+											case "decreasing":
+												if (Number(lastBuildParameter.value) < Number(val)) {
+													return ctx.createError({
+														path: ctx.path,
+														message: `Value must only ever decrease (last value was ${lastBuildParameter.value})`,
+													});
+												}
+												break;
 										}
 									}
-									break;
 								}
-								case "string": {
-									const regex = parameter.validations.find(
-										(v) =>
-											v.validation_regex !== null && v.validation_regex !== "",
-									);
-									if (!regex || !regex.validation_regex) {
-										return true;
-									}
+								break;
+							}
+							case "string": {
+								const regex = parameter.validations.find(
+									(v) =>
+										v.validation_regex !== null && v.validation_regex !== "",
+								);
+								if (!regex || !regex.validation_regex) {
+									return true;
+								}
 
-									if (val && !new RegExp(regex.validation_regex).test(val)) {
-										return ctx.createError({
-											path: ctx.path,
-											message: parameterError(parameter, val),
-										});
-									}
-									break;
+								if (val && !new RegExp(regex.validation_regex).test(val)) {
+									return ctx.createError({
+										path: ctx.path,
+										message: parameterError(parameter, val),
+									});
 								}
+								break;
 							}
 						}
-						return true;
-					}),
+					}
+					return true;
+				}),
 			}),
 		)
 		.required();
diff --git a/site/src/pages/TaskPage/TaskPage.tsx b/site/src/pages/TaskPage/TaskPage.tsx
index c340a96cfef11..1e3dbe3e41335 100644
--- a/site/src/pages/TaskPage/TaskPage.tsx
+++ b/site/src/pages/TaskPage/TaskPage.tsx
@@ -14,7 +14,7 @@ import { Helmet } from "react-helmet-async";
 import { useQuery } from "react-query";
 import { useParams } from "react-router-dom";
 import { Link as RouterLink } from "react-router-dom";
-import { ellipsizeText } from "utils/ellipsizeText";
+import { ellipsizeText } from "utils/text";
 import { pageTitle } from "utils/page";
 import {
 	ActiveTransition,
diff --git a/site/src/utils/ellipsizeText.test.ts b/site/src/utils/text.test.ts
similarity index 72%
rename from site/src/utils/ellipsizeText.test.ts
rename to site/src/utils/text.test.ts
index bc6e7752214e3..5be79cfc1b6ab 100644
--- a/site/src/utils/ellipsizeText.test.ts
+++ b/site/src/utils/text.test.ts
@@ -1,4 +1,4 @@
-import { ellipsizeText } from "./ellipsizeText";
+import { ellipsizeText, maskText } from "./text";
 import type { Nullable } from "./nullable";
 
 describe("ellipsizeText", () => {
@@ -19,3 +19,9 @@ describe("ellipsizeText", () => {
 		},
 	);
 });
+
+describe("maskText", () => {
+	test("masks text", () => {
+		expect(maskText("hello, computer!")).toBe("\u2022".repeat(16));
+	});
+});
diff --git a/site/src/utils/ellipsizeText.ts b/site/src/utils/text.ts
similarity index 58%
rename from site/src/utils/ellipsizeText.ts
rename to site/src/utils/text.ts
index 6291ed61732dc..2c59d30a4b0e0 100644
--- a/site/src/utils/ellipsizeText.ts
+++ b/site/src/utils/text.ts
@@ -12,3 +12,11 @@ export const ellipsizeText = (
 		? text
 		: `${text.substr(0, maxLength - 3)}...`;
 };
+
+/**
+ * Returns a string of the same length, using the unicode "bullet" character as
+ * a replacement for each character, like a password input would.
+ */
+export function maskText(val: string): string {
+	return "\u2022".repeat(val.length);
+}

From 1f3ed2818e5122d83759c314bcda90906b70fd56 Mon Sep 17 00:00:00 2001
From: McKayla Washburn <mckayla@hey.com>
Date: Thu, 26 Jun 2025 23:08:19 +0000
Subject: [PATCH 07/15] STOP IT

---
 .../DynamicParameter/DynamicParameter.tsx     | 205 +++++++++---------
 site/src/pages/TaskPage/TaskPage.tsx          |   2 +-
 site/src/utils/text.test.ts                   |   2 +-
 3 files changed, 105 insertions(+), 104 deletions(-)

diff --git a/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx b/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
index f1aa2baa43e88..86e2a412b730a 100644
--- a/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
+++ b/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
@@ -46,8 +46,8 @@ import {
 	TriangleAlert,
 } from "lucide-react";
 import { type FC, useEffect, useId, useRef, useState } from "react";
-import { maskText } from "utils/text";
 import type { AutofillBuildParameter } from "utils/richParameters";
+import { maskText } from "utils/text";
 import * as Yup from "yup";
 
 interface DynamicParameterProps {
@@ -782,119 +782,120 @@ export const useValidationSchemaForDynamicParameters = (
 		.of(
 			Yup.object().shape({
 				name: Yup.string().required(),
-				value: Yup.string().test("verify with template", (val, ctx) => {
-					const name = ctx.parent.name;
-					const parameter = parameters.find(
-						(parameter) => parameter.name === name,
-					);
-					if (parameter) {
-						switch (parameter.type) {
-							case "number": {
-								const minValidation = parameter.validations.find(
-									(v) => v.validation_min !== null,
-								);
-								const maxValidation = parameter.validations.find(
-									(v) => v.validation_max !== null,
-								);
-
-								if (
-									minValidation &&
-									minValidation.validation_min !== null &&
-									!maxValidation &&
-									Number(val) < minValidation.validation_min
-								) {
-									return ctx.createError({
-										path: ctx.path,
-										message:
-											parameterError(parameter, val) ??
-											`Value must be greater than ${minValidation.validation_min}.`,
-									});
-								}
+				value: Yup.string()
+					.test("verify with template", (val, ctx) => {
+						const name = ctx.parent.name;
+						const parameter = parameters.find(
+							(parameter) => parameter.name === name,
+						);
+						if (parameter) {
+							switch (parameter.type) {
+								case "number": {
+									const minValidation = parameter.validations.find(
+										(v) => v.validation_min !== null,
+									);
+									const maxValidation = parameter.validations.find(
+										(v) => v.validation_max !== null,
+									);
 
-								if (
-									!minValidation &&
-									maxValidation &&
-									maxValidation.validation_max !== null &&
-									Number(val) > maxValidation.validation_max
-								) {
-									return ctx.createError({
-										path: ctx.path,
-										message:
-											parameterError(parameter, val) ??
-											`Value must be less than ${maxValidation.validation_max}.`,
-									});
-								}
+									if (
+										minValidation &&
+										minValidation.validation_min !== null &&
+										!maxValidation &&
+										Number(val) < minValidation.validation_min
+									) {
+										return ctx.createError({
+											path: ctx.path,
+											message:
+												parameterError(parameter, val) ??
+												`Value must be greater than ${minValidation.validation_min}.`,
+										});
+									}
 
-								if (
-									minValidation &&
-									minValidation.validation_min !== null &&
-									maxValidation &&
-									maxValidation.validation_max !== null &&
-									(Number(val) < minValidation.validation_min ||
-										Number(val) > maxValidation.validation_max)
-								) {
-									return ctx.createError({
-										path: ctx.path,
-										message:
-											parameterError(parameter, val) ??
-											`Value must be between ${minValidation.validation_min} and ${maxValidation.validation_max}.`,
-									});
-								}
+									if (
+										!minValidation &&
+										maxValidation &&
+										maxValidation.validation_max !== null &&
+										Number(val) > maxValidation.validation_max
+									) {
+										return ctx.createError({
+											path: ctx.path,
+											message:
+												parameterError(parameter, val) ??
+												`Value must be less than ${maxValidation.validation_max}.`,
+										});
+									}
 
-								const monotonic = parameter.validations.find(
-									(v) =>
-										v.validation_monotonic !== null &&
-										v.validation_monotonic !== "",
-								);
+									if (
+										minValidation &&
+										minValidation.validation_min !== null &&
+										maxValidation &&
+										maxValidation.validation_max !== null &&
+										(Number(val) < minValidation.validation_min ||
+											Number(val) > maxValidation.validation_max)
+									) {
+										return ctx.createError({
+											path: ctx.path,
+											message:
+												parameterError(parameter, val) ??
+												`Value must be between ${minValidation.validation_min} and ${maxValidation.validation_max}.`,
+										});
+									}
 
-								if (monotonic && lastBuildParameters) {
-									const lastBuildParameter = lastBuildParameters.find(
-										(last: { name: string }) => last.name === name,
+									const monotonic = parameter.validations.find(
+										(v) =>
+											v.validation_monotonic !== null &&
+											v.validation_monotonic !== "",
 									);
-									if (lastBuildParameter) {
-										switch (monotonic.validation_monotonic) {
-											case "increasing":
-												if (Number(lastBuildParameter.value) > Number(val)) {
-													return ctx.createError({
-														path: ctx.path,
-														message: `Value must only ever increase (last value was ${lastBuildParameter.value})`,
-													});
-												}
-												break;
-											case "decreasing":
-												if (Number(lastBuildParameter.value) < Number(val)) {
-													return ctx.createError({
-														path: ctx.path,
-														message: `Value must only ever decrease (last value was ${lastBuildParameter.value})`,
-													});
-												}
-												break;
+
+									if (monotonic && lastBuildParameters) {
+										const lastBuildParameter = lastBuildParameters.find(
+											(last: { name: string }) => last.name === name,
+										);
+										if (lastBuildParameter) {
+											switch (monotonic.validation_monotonic) {
+												case "increasing":
+													if (Number(lastBuildParameter.value) > Number(val)) {
+														return ctx.createError({
+															path: ctx.path,
+															message: `Value must only ever increase (last value was ${lastBuildParameter.value})`,
+														});
+													}
+													break;
+												case "decreasing":
+													if (Number(lastBuildParameter.value) < Number(val)) {
+														return ctx.createError({
+															path: ctx.path,
+															message: `Value must only ever decrease (last value was ${lastBuildParameter.value})`,
+														});
+													}
+													break;
+											}
 										}
 									}
+									break;
 								}
-								break;
-							}
-							case "string": {
-								const regex = parameter.validations.find(
-									(v) =>
-										v.validation_regex !== null && v.validation_regex !== "",
-								);
-								if (!regex || !regex.validation_regex) {
-									return true;
-								}
+								case "string": {
+									const regex = parameter.validations.find(
+										(v) =>
+											v.validation_regex !== null && v.validation_regex !== "",
+									);
+									if (!regex || !regex.validation_regex) {
+										return true;
+									}
 
-								if (val && !new RegExp(regex.validation_regex).test(val)) {
-									return ctx.createError({
-										path: ctx.path,
-										message: parameterError(parameter, val),
-									});
+									if (val && !new RegExp(regex.validation_regex).test(val)) {
+										return ctx.createError({
+											path: ctx.path,
+											message: parameterError(parameter, val),
+										});
+									}
+									break;
 								}
-								break;
 							}
 						}
-					}
-					return true;
-				}),
+						return true;
+					}),
 			}),
 		)
 		.required();
diff --git a/site/src/pages/TaskPage/TaskPage.tsx b/site/src/pages/TaskPage/TaskPage.tsx
index 1e3dbe3e41335..c598da24f91f6 100644
--- a/site/src/pages/TaskPage/TaskPage.tsx
+++ b/site/src/pages/TaskPage/TaskPage.tsx
@@ -14,8 +14,8 @@ import { Helmet } from "react-helmet-async";
 import { useQuery } from "react-query";
 import { useParams } from "react-router-dom";
 import { Link as RouterLink } from "react-router-dom";
-import { ellipsizeText } from "utils/text";
 import { pageTitle } from "utils/page";
+import { ellipsizeText } from "utils/text";
 import {
 	ActiveTransition,
 	WorkspaceBuildProgress,
diff --git a/site/src/utils/text.test.ts b/site/src/utils/text.test.ts
index 5be79cfc1b6ab..9f3a195b3d343 100644
--- a/site/src/utils/text.test.ts
+++ b/site/src/utils/text.test.ts
@@ -1,5 +1,5 @@
-import { ellipsizeText, maskText } from "./text";
 import type { Nullable } from "./nullable";
+import { ellipsizeText, maskText } from "./text";
 
 describe("ellipsizeText", () => {
 	it.each([

From 8d1821af2ecf4022dcf819a53c856b936cb47329 Mon Sep 17 00:00:00 2001
From: McKayla Washburn <mckayla@hey.com>
Date: Thu, 26 Jun 2025 23:26:00 +0000
Subject: [PATCH 08/15] oh boy

---
 .../DynamicParameter/DynamicParameter.tsx     | 39 ++++++++-----------
 site/src/utils/text.ts                        |  8 ----
 2 files changed, 16 insertions(+), 31 deletions(-)

diff --git a/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx b/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
index 86e2a412b730a..e4ac1e37eea5e 100644
--- a/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
+++ b/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
@@ -47,7 +47,6 @@ import {
 } from "lucide-react";
 import { type FC, useEffect, useId, useRef, useState } from "react";
 import type { AutofillBuildParameter } from "utils/richParameters";
-import { maskText } from "utils/text";
 import * as Yup from "yup";
 
 interface DynamicParameterProps {
@@ -82,7 +81,7 @@ export const DynamicParameter: FC<DynamicParameterProps> = ({
 			/>
 			<div className="max-w-lg">
 				{parameter.form_type === "input" ||
-				parameter.form_type === "textarea" ? (
+					parameter.form_type === "textarea" ? (
 					<DebouncedParameterField
 						id={id}
 						parameter={parameter}
@@ -313,16 +312,13 @@ const DebouncedParameterField: FC<DebouncedParameterFieldProps> = ({
 
 	switch (parameter.form_type) {
 		case "textarea": {
-			const shouldMask = parameter.styling?.mask_input && !showMaskedInput;
-			const displayValue = shouldMask ? maskText(localValue) : localValue;
-
 			return (
 				<div className="relative">
 					<Textarea
 						ref={textareaRef}
 						id={id}
 						className="overflow-y-auto max-h-[500px]"
-						value={displayValue}
+						value={localValue}
 						onChange={(e) => {
 							const target = e.currentTarget;
 							target.style.height = "auto";
@@ -355,7 +351,12 @@ const DebouncedParameterField: FC<DebouncedParameterFieldProps> = ({
 		}
 
 		case "input": {
-			const inputType = parameter.type === "number" ? "number" : "text";
+			const inputType =
+				parameter.type === "number"
+					? "number"
+					: parameter.styling?.mask_input && !showMaskedInput
+						? "password"
+						: "text";
 			const inputProps: Record<string, unknown> = {};
 
 			if (parameter.type === "number") {
@@ -371,18 +372,12 @@ const DebouncedParameterField: FC<DebouncedParameterFieldProps> = ({
 				}
 			}
 
-			const shouldMask =
-				parameter.styling?.mask_input &&
-				!showMaskedInput &&
-				parameter.type !== "number";
-			const displayValue = shouldMask ? maskText(localValue) : localValue;
-
 			return (
 				<div className="relative">
 					<Input
 						id={id}
 						type={inputType}
-						value={displayValue}
+						value={localValue}
 						onChange={(e) => {
 							setLocalValue(e.target.value);
 						}}
@@ -686,11 +681,10 @@ const ParameterDiagnostics: FC<ParameterDiagnosticsProps> = ({
 				return (
 					<div
 						key={`parameter-diagnostic-${diagnostic.summary}-${index}`}
-						className={`text-xs px-1 ${
-							diagnostic.severity === "error"
+						className={`text-xs px-1 ${diagnostic.severity === "error"
 								? "text-content-destructive"
 								: "text-content-warning"
-						}`}
+							}`}
 					>
 						<p className="font-medium">{diagnostic.summary}</p>
 						{diagnostic.detail && <p className="m-0">{diagnostic.detail}</p>}
@@ -745,7 +739,7 @@ const isValidParameterOption = (
 			if (Array.isArray(parsed)) {
 				values = parsed;
 			}
-		} catch (e) {
+		} catch {
 			return false;
 		}
 
@@ -947,11 +941,10 @@ export const Diagnostics: FC<DiagnosticsProps> = ({ diagnostics }) => {
 				<div
 					key={`diagnostic-${diagnostic.summary}-${index}`}
 					className={`text-xs font-semibold flex flex-col rounded-md border px-3.5 py-3.5 border-solid
-                        ${
-													diagnostic.severity === "error"
-														? "text-content-primary border-border-destructive bg-content-destructive/15"
-														: "text-content-primary border-border-warning bg-content-warning/15"
-												}`}
+	                        ${diagnostic.severity === "error"
+							? "text-content-primary border-border-destructive bg-content-destructive/15"
+							: "text-content-primary border-border-warning bg-content-warning/15"
+						}`}
 				>
 					<div className="flex flex-row items-start">
 						{diagnostic.severity === "error" && (
diff --git a/site/src/utils/text.ts b/site/src/utils/text.ts
index 2c59d30a4b0e0..6291ed61732dc 100644
--- a/site/src/utils/text.ts
+++ b/site/src/utils/text.ts
@@ -12,11 +12,3 @@ export const ellipsizeText = (
 		? text
 		: `${text.substr(0, maxLength - 3)}...`;
 };
-
-/**
- * Returns a string of the same length, using the unicode "bullet" character as
- * a replacement for each character, like a password input would.
- */
-export function maskText(val: string): string {
-	return "\u2022".repeat(val.length);
-}

From 8050cda16cd8ffd2d5dd9647140ecf4d52c6a552 Mon Sep 17 00:00:00 2001
From: McKayla Washburn <mckayla@hey.com>
Date: Thu, 26 Jun 2025 23:49:31 +0000
Subject: [PATCH 09/15] oh boy

---
 .../DynamicParameter/DynamicParameter.tsx     | 22 +++++++++++++------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx b/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
index e4ac1e37eea5e..2597b992c76a9 100644
--- a/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
+++ b/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
@@ -48,6 +48,7 @@ import {
 import { type FC, useEffect, useId, useRef, useState } from "react";
 import type { AutofillBuildParameter } from "utils/richParameters";
 import * as Yup from "yup";
+import { cn } from "utils/cn";
 
 interface DynamicParameterProps {
 	parameter: PreviewParameter;
@@ -317,7 +318,12 @@ const DebouncedParameterField: FC<DebouncedParameterFieldProps> = ({
 					<Textarea
 						ref={textareaRef}
 						id={id}
-						className="overflow-y-auto max-h-[500px]"
+						className={cn(
+							"overflow-y-auto max-h-[500px]",
+							parameter.styling?.mask_input &&
+							!showMaskedInput &&
+							"[-webkit-text-security:disc]",
+						)}
 						value={localValue}
 						onChange={(e) => {
 							const target = e.currentTarget;
@@ -335,8 +341,9 @@ const DebouncedParameterField: FC<DebouncedParameterFieldProps> = ({
 							type="button"
 							variant="subtle"
 							size="sm"
-							className="absolute top-2 right-2 h-6 w-6 p-0"
-							onClick={() => setShowMaskedInput(!showMaskedInput)}
+							className="absolute top-1 right-1 h-6 w-6 p-0"
+							onMouseDown={() => setShowMaskedInput(true)}
+							onMouseUp={() => setShowMaskedInput(false)}
 							disabled={disabled}
 						>
 							{showMaskedInput ? (
@@ -391,8 +398,9 @@ const DebouncedParameterField: FC<DebouncedParameterFieldProps> = ({
 							type="button"
 							variant="subtle"
 							size="sm"
-							className="absolute top-1/2 right-2 h-6 w-6 p-0 -translate-y-1/2"
-							onClick={() => setShowMaskedInput(!showMaskedInput)}
+							className="absolute top-1/2 right-1 h-6 w-6 p-0"
+							onMouseDown={() => setShowMaskedInput(true)}
+							onMouseUp={() => setShowMaskedInput(false)}
 							disabled={disabled}
 						>
 							{showMaskedInput ? (
@@ -682,8 +690,8 @@ const ParameterDiagnostics: FC<ParameterDiagnosticsProps> = ({
 					<div
 						key={`parameter-diagnostic-${diagnostic.summary}-${index}`}
 						className={`text-xs px-1 ${diagnostic.severity === "error"
-								? "text-content-destructive"
-								: "text-content-warning"
+							? "text-content-destructive"
+							: "text-content-warning"
 							}`}
 					>
 						<p className="font-medium">{diagnostic.summary}</p>

From 2ad7afade9c4cf4c94986fa5e130942ee12cabbf Mon Sep 17 00:00:00 2001
From: McKayla Washburn <mckayla@hey.com>
Date: Thu, 26 Jun 2025 23:53:05 +0000
Subject: [PATCH 10/15] go back

---
 .../DynamicParameter/DynamicParameter.tsx     | 26 ++++++++++---------
 site/src/pages/TaskPage/TaskPage.tsx          |  2 +-
 .../{text.test.ts => ellipsizeText.test.ts}   |  8 +-----
 site/src/utils/{text.ts => ellipsizeText.ts}  |  0
 4 files changed, 16 insertions(+), 20 deletions(-)
 rename site/src/utils/{text.test.ts => ellipsizeText.test.ts} (72%)
 rename site/src/utils/{text.ts => ellipsizeText.ts} (100%)

diff --git a/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx b/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
index 2597b992c76a9..c1dae5003d7c0 100644
--- a/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
+++ b/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
@@ -46,9 +46,9 @@ import {
 	TriangleAlert,
 } from "lucide-react";
 import { type FC, useEffect, useId, useRef, useState } from "react";
+import { cn } from "utils/cn";
 import type { AutofillBuildParameter } from "utils/richParameters";
 import * as Yup from "yup";
-import { cn } from "utils/cn";
 
 interface DynamicParameterProps {
 	parameter: PreviewParameter;
@@ -82,7 +82,7 @@ export const DynamicParameter: FC<DynamicParameterProps> = ({
 			/>
 			<div className="max-w-lg">
 				{parameter.form_type === "input" ||
-					parameter.form_type === "textarea" ? (
+				parameter.form_type === "textarea" ? (
 					<DebouncedParameterField
 						id={id}
 						parameter={parameter}
@@ -321,8 +321,8 @@ const DebouncedParameterField: FC<DebouncedParameterFieldProps> = ({
 						className={cn(
 							"overflow-y-auto max-h-[500px]",
 							parameter.styling?.mask_input &&
-							!showMaskedInput &&
-							"[-webkit-text-security:disc]",
+								!showMaskedInput &&
+								"[-webkit-text-security:disc]",
 						)}
 						value={localValue}
 						onChange={(e) => {
@@ -689,10 +689,11 @@ const ParameterDiagnostics: FC<ParameterDiagnosticsProps> = ({
 				return (
 					<div
 						key={`parameter-diagnostic-${diagnostic.summary}-${index}`}
-						className={`text-xs px-1 ${diagnostic.severity === "error"
-							? "text-content-destructive"
-							: "text-content-warning"
-							}`}
+						className={`text-xs px-1 ${
+							diagnostic.severity === "error"
+								? "text-content-destructive"
+								: "text-content-warning"
+						}`}
 					>
 						<p className="font-medium">{diagnostic.summary}</p>
 						{diagnostic.detail && <p className="m-0">{diagnostic.detail}</p>}
@@ -949,10 +950,11 @@ export const Diagnostics: FC<DiagnosticsProps> = ({ diagnostics }) => {
 				<div
 					key={`diagnostic-${diagnostic.summary}-${index}`}
 					className={`text-xs font-semibold flex flex-col rounded-md border px-3.5 py-3.5 border-solid
-	                        ${diagnostic.severity === "error"
-							? "text-content-primary border-border-destructive bg-content-destructive/15"
-							: "text-content-primary border-border-warning bg-content-warning/15"
-						}`}
+	                        ${
+														diagnostic.severity === "error"
+															? "text-content-primary border-border-destructive bg-content-destructive/15"
+															: "text-content-primary border-border-warning bg-content-warning/15"
+													}`}
 				>
 					<div className="flex flex-row items-start">
 						{diagnostic.severity === "error" && (
diff --git a/site/src/pages/TaskPage/TaskPage.tsx b/site/src/pages/TaskPage/TaskPage.tsx
index c598da24f91f6..a95067b4bc346 100644
--- a/site/src/pages/TaskPage/TaskPage.tsx
+++ b/site/src/pages/TaskPage/TaskPage.tsx
@@ -15,7 +15,7 @@ import { useQuery } from "react-query";
 import { useParams } from "react-router-dom";
 import { Link as RouterLink } from "react-router-dom";
 import { pageTitle } from "utils/page";
-import { ellipsizeText } from "utils/text";
+import { ellipsizeText } from "utils/ellipsizeText";
 import {
 	ActiveTransition,
 	WorkspaceBuildProgress,
diff --git a/site/src/utils/text.test.ts b/site/src/utils/ellipsizeText.test.ts
similarity index 72%
rename from site/src/utils/text.test.ts
rename to site/src/utils/ellipsizeText.test.ts
index 9f3a195b3d343..fba5b1e13d3d5 100644
--- a/site/src/utils/text.test.ts
+++ b/site/src/utils/ellipsizeText.test.ts
@@ -1,5 +1,5 @@
 import type { Nullable } from "./nullable";
-import { ellipsizeText, maskText } from "./text";
+import { ellipsizeText } from "./ellipsizeText";
 
 describe("ellipsizeText", () => {
 	it.each([
@@ -19,9 +19,3 @@ describe("ellipsizeText", () => {
 		},
 	);
 });
-
-describe("maskText", () => {
-	test("masks text", () => {
-		expect(maskText("hello, computer!")).toBe("\u2022".repeat(16));
-	});
-});
diff --git a/site/src/utils/text.ts b/site/src/utils/ellipsizeText.ts
similarity index 100%
rename from site/src/utils/text.ts
rename to site/src/utils/ellipsizeText.ts

From bc5d70a01af8acedfad6340a7803b22e0398c18a Mon Sep 17 00:00:00 2001
From: McKayla Washburn <mckayla@hey.com>
Date: Thu, 26 Jun 2025 23:54:52 +0000
Subject: [PATCH 11/15] fixixixixing

---
 site/src/pages/TaskPage/TaskPage.tsx | 2 +-
 site/src/utils/ellipsizeText.test.ts | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/site/src/pages/TaskPage/TaskPage.tsx b/site/src/pages/TaskPage/TaskPage.tsx
index a95067b4bc346..c340a96cfef11 100644
--- a/site/src/pages/TaskPage/TaskPage.tsx
+++ b/site/src/pages/TaskPage/TaskPage.tsx
@@ -14,8 +14,8 @@ import { Helmet } from "react-helmet-async";
 import { useQuery } from "react-query";
 import { useParams } from "react-router-dom";
 import { Link as RouterLink } from "react-router-dom";
-import { pageTitle } from "utils/page";
 import { ellipsizeText } from "utils/ellipsizeText";
+import { pageTitle } from "utils/page";
 import {
 	ActiveTransition,
 	WorkspaceBuildProgress,
diff --git a/site/src/utils/ellipsizeText.test.ts b/site/src/utils/ellipsizeText.test.ts
index fba5b1e13d3d5..bc6e7752214e3 100644
--- a/site/src/utils/ellipsizeText.test.ts
+++ b/site/src/utils/ellipsizeText.test.ts
@@ -1,5 +1,5 @@
-import type { Nullable } from "./nullable";
 import { ellipsizeText } from "./ellipsizeText";
+import type { Nullable } from "./nullable";
 
 describe("ellipsizeText", () => {
 	it.each([

From 61f89a67d89cd07a2af9004bc43c78773ded3b9d Mon Sep 17 00:00:00 2001
From: McKayla Washburn <mckayla@hey.com>
Date: Thu, 26 Jun 2025 23:58:00 +0000
Subject: [PATCH 12/15] cleanup

---
 .../workspaces/DynamicParameter/DynamicParameter.tsx | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx b/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
index c1dae5003d7c0..713bd5e68088b 100644
--- a/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
+++ b/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
@@ -949,12 +949,12 @@ export const Diagnostics: FC<DiagnosticsProps> = ({ diagnostics }) => {
 			{diagnostics.map((diagnostic, index) => (
 				<div
 					key={`diagnostic-${diagnostic.summary}-${index}`}
-					className={`text-xs font-semibold flex flex-col rounded-md border px-3.5 py-3.5 border-solid
-	                        ${
-														diagnostic.severity === "error"
-															? "text-content-primary border-border-destructive bg-content-destructive/15"
-															: "text-content-primary border-border-warning bg-content-warning/15"
-													}`}
+					className={cn(
+						"text-xs font-semibold flex flex-col rounded-md border px-3.5 py-3.5 border-solid",
+						diagnostic.severity === "error"
+							? "text-content-primary border-border-destructive bg-content-destructive/15"
+							: "text-content-primary border-border-warning bg-content-warning/15",
+					)}
 				>
 					<div className="flex flex-row items-start">
 						{diagnostic.severity === "error" && (

From 90b389e50533eab6920c343228cd7360f94c0fa6 Mon Sep 17 00:00:00 2001
From: McKayla Washburn <mckayla@hey.com>
Date: Fri, 27 Jun 2025 20:41:30 +0000
Subject: [PATCH 13/15] tweak button styles

---
 .../DynamicParameter/DynamicParameter.tsx         | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx b/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
index 593b1a9b319a6..dcc10066d6ce6 100644
--- a/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
+++ b/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
@@ -24,6 +24,7 @@ import {
 	SelectValue,
 } from "components/Select/Select";
 import { Slider } from "components/Slider/Slider";
+import { Stack } from "components/Stack/Stack";
 import { Switch } from "components/Switch/Switch";
 import { TagInput } from "components/TagInput/TagInput";
 import { Textarea } from "components/Textarea/Textarea";
@@ -314,7 +315,7 @@ const DebouncedParameterField: FC<DebouncedParameterFieldProps> = ({
 	switch (parameter.form_type) {
 		case "textarea": {
 			return (
-				<div className="relative">
+				<Stack direction="row" spacing={0} alignItems="center">
 					<Textarea
 						ref={textareaRef}
 						id={id}
@@ -340,8 +341,7 @@ const DebouncedParameterField: FC<DebouncedParameterFieldProps> = ({
 						<Button
 							type="button"
 							variant="subtle"
-							size="sm"
-							className="absolute top-1 right-1 h-6 w-6 p-0"
+							size="icon"
 							onMouseDown={() => setShowMaskedInput(true)}
 							onMouseUp={() => setShowMaskedInput(false)}
 							disabled={disabled}
@@ -353,7 +353,7 @@ const DebouncedParameterField: FC<DebouncedParameterFieldProps> = ({
 							)}
 						</Button>
 					)}
-				</div>
+				</Stack>
 			);
 		}
 
@@ -380,7 +380,7 @@ const DebouncedParameterField: FC<DebouncedParameterFieldProps> = ({
 			}
 
 			return (
-				<div className="relative">
+				<Stack direction="row" spacing={0} alignItems="center">
 					<Input
 						id={id}
 						type={inputType}
@@ -397,8 +397,7 @@ const DebouncedParameterField: FC<DebouncedParameterFieldProps> = ({
 						<Button
 							type="button"
 							variant="subtle"
-							size="sm"
-							className="absolute top-1/2 right-1 h-6 w-6 p-0"
+							size="icon"
 							onMouseDown={() => setShowMaskedInput(true)}
 							onMouseUp={() => setShowMaskedInput(false)}
 							disabled={disabled}
@@ -410,7 +409,7 @@ const DebouncedParameterField: FC<DebouncedParameterFieldProps> = ({
 							)}
 						</Button>
 					)}
-				</div>
+				</Stack>
 			);
 		}
 	}

From 7c75046f1e5e1e04e99cf1bdde6fb2cfd10c7f5e Mon Sep 17 00:00:00 2001
From: McKayla Washburn <mckayla@hey.com>
Date: Tue, 1 Jul 2025 22:02:34 +0000
Subject: [PATCH 14/15] fix mouse off bug

---
 .../DynamicParameter/DynamicParameter.tsx       | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx b/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
index dcc10066d6ce6..c8eeb050a6233 100644
--- a/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
+++ b/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
@@ -83,7 +83,7 @@ export const DynamicParameter: FC<DynamicParameterProps> = ({
 			/>
 			<div className="max-w-lg">
 				{parameter.form_type === "input" ||
-				parameter.form_type === "textarea" ? (
+					parameter.form_type === "textarea" ? (
 					<DebouncedParameterField
 						id={id}
 						parameter={parameter}
@@ -322,8 +322,8 @@ const DebouncedParameterField: FC<DebouncedParameterFieldProps> = ({
 						className={cn(
 							"overflow-y-auto max-h-[500px]",
 							parameter.styling?.mask_input &&
-								!showMaskedInput &&
-								"[-webkit-text-security:disc]",
+							!showMaskedInput &&
+							"[-webkit-text-security:disc]",
 						)}
 						value={localValue}
 						onChange={(e) => {
@@ -343,6 +343,7 @@ const DebouncedParameterField: FC<DebouncedParameterFieldProps> = ({
 							variant="subtle"
 							size="icon"
 							onMouseDown={() => setShowMaskedInput(true)}
+							onMouseOut={() => setShowMaskedInput(false)}
 							onMouseUp={() => setShowMaskedInput(false)}
 							disabled={disabled}
 						>
@@ -399,6 +400,7 @@ const DebouncedParameterField: FC<DebouncedParameterFieldProps> = ({
 							variant="subtle"
 							size="icon"
 							onMouseDown={() => setShowMaskedInput(true)}
+							onMouseOut={() => setShowMaskedInput(false)}
 							onMouseUp={() => setShowMaskedInput(false)}
 							disabled={disabled}
 						>
@@ -689,11 +691,10 @@ const ParameterDiagnostics: FC<ParameterDiagnosticsProps> = ({
 				return (
 					<div
 						key={`parameter-diagnostic-${diagnostic.summary}-${index}`}
-						className={`text-xs px-1 ${
-							diagnostic.severity === "error"
-								? "text-content-destructive"
-								: "text-content-warning"
-						}`}
+						className={`text-xs px-1 ${diagnostic.severity === "error"
+							? "text-content-destructive"
+							: "text-content-warning"
+							}`}
 					>
 						<p className="font-medium">{diagnostic.summary}</p>
 						{diagnostic.detail && <p className="m-0">{diagnostic.detail}</p>}

From 8412c8d3e487b1690e77336b016e2b136adf7f99 Mon Sep 17 00:00:00 2001
From: McKayla Washburn <mckayla@hey.com>
Date: Tue, 1 Jul 2025 22:09:52 +0000
Subject: [PATCH 15/15] :|

---
 .../DynamicParameter/DynamicParameter.tsx         | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx b/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
index c8eeb050a6233..5665129eadba3 100644
--- a/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
+++ b/site/src/modules/workspaces/DynamicParameter/DynamicParameter.tsx
@@ -83,7 +83,7 @@ export const DynamicParameter: FC<DynamicParameterProps> = ({
 			/>
 			<div className="max-w-lg">
 				{parameter.form_type === "input" ||
-					parameter.form_type === "textarea" ? (
+				parameter.form_type === "textarea" ? (
 					<DebouncedParameterField
 						id={id}
 						parameter={parameter}
@@ -322,8 +322,8 @@ const DebouncedParameterField: FC<DebouncedParameterFieldProps> = ({
 						className={cn(
 							"overflow-y-auto max-h-[500px]",
 							parameter.styling?.mask_input &&
-							!showMaskedInput &&
-							"[-webkit-text-security:disc]",
+								!showMaskedInput &&
+								"[-webkit-text-security:disc]",
 						)}
 						value={localValue}
 						onChange={(e) => {
@@ -691,10 +691,11 @@ const ParameterDiagnostics: FC<ParameterDiagnosticsProps> = ({
 				return (
 					<div
 						key={`parameter-diagnostic-${diagnostic.summary}-${index}`}
-						className={`text-xs px-1 ${diagnostic.severity === "error"
-							? "text-content-destructive"
-							: "text-content-warning"
-							}`}
+						className={`text-xs px-1 ${
+							diagnostic.severity === "error"
+								? "text-content-destructive"
+								: "text-content-warning"
+						}`}
 					>
 						<p className="font-medium">{diagnostic.summary}</p>
 						{diagnostic.detail && <p className="m-0">{diagnostic.detail}</p>}