Default -ViewSecretValue to true; reject <hidden-by-infisical> placeholder

Get-InfisicalSecrets and Get-InfisicalSecret now return real secret values by default. Pass -ViewSecretValue:False to opt in to the server's hidden response. InfisicalSecretMapper detects the <hidden-by-infisical> placeholder and the secretValueHidden flag; in either case SecretValue is set to null instead of pushing the literal placeholder into a SecureString, so downstream auth/export/dictionary consumers can never silently use the placeholder as if it were a real secret.

CHANGELOG.md

@@ -6,6 +6,14 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) loos
 
 ## Unreleased
 
+## 2026.06.03.0131
+
+- Build produced from commit 7be0b7b42008.
+- **Behavior change**: `Get-InfisicalSecrets` and `Get-InfisicalSecret` now default `-ViewSecretValue` to `$true`. Real secret values are returned by default. To request the redacted/hidden response, pass `-ViewSecretValue:$false`.
+- `InfisicalSecretMapper` now treats the server-side `<hidden-by-infisical>` placeholder as a hidden marker rather than a value: when `secretValueHidden=true` (or the placeholder string is detected) `SecretValue` is set to `null` instead of stuffing the literal into a `SecureString`. This prevents downstream consumers (auth, exports, dictionary conversion) from silently using `<hidden-by-infisical>` as if it were a real secret.
+
+## Unreleased (carried forward)
+
 ## 2026.06.03.0113
 
 - Build produced from commit 09c577ebd0fd.

Module/PSInfisicalAPI/PSInfisicalAPI.psd1

@@ -1,6 +1,6 @@
 @{
     RootModule           = 'PSInfisicalAPI.psm1'
-    ModuleVersion        = '2026.06.03.0113'
+    ModuleVersion        = '2026.06.03.0131'
     GUID                 = 'b8a2f3d4-7c51-4d2f-9e6a-1f0c8b3d4e51'
     Author               = 'Grace Solutions'
     CompanyName          = 'Grace Solutions'
@@ -27,7 +27,7 @@
             LicenseUri   = 'https://www.gnu.org/licenses/agpl-3.0.html'
             ProjectUri   = 'https://prod.git.gracesolution.info/gsadmin/PSInfisicalAPI'
             ReleaseNotes = 'See CHANGELOG.md in the project repository for release history.'
-            CommitHash   = '09c577ebd0fd'
+            CommitHash   = '7be0b7b42008'
         }
     }
 }

docs/DesignSpec.md

@@ -971,7 +971,7 @@ SecretPath: Current connection DefaultSecretPath or /
 Recursive: false
 IncludeImports: false
 ExpandSecretReferences: false
-ViewSecretValue: false
+ViewSecretValue: true
 ```
 
 ## Behavior
@@ -1040,7 +1040,7 @@ ProjectId: Current connection ProjectId
 Environment: Current connection Environment
 SecretPath: Current connection DefaultSecretPath or /
 Type: Shared
-ViewSecretValue: false
+ViewSecretValue: true
 ExpandSecretReferences: false
 IncludeImports: false
 ```

src/PSInfisicalAPI/Cmdlets/GetInfisicalSecretCmdlet.cs

@@ -19,7 +19,7 @@ namespace PSInfisicalAPI.Cmdlets
         [Parameter] public string ApiVersion { get; set; }
         [Parameter] public int? Version { get; set; }
         [Parameter] public InfisicalSecretType Type { get; set; } = InfisicalSecretType.Shared;
-        [Parameter] public SwitchParameter ViewSecretValue { get; set; }
+        [Parameter] public SwitchParameter ViewSecretValue { get; set; } = SwitchParameter.Present;
         [Parameter] public SwitchParameter ExpandSecretReferences { get; set; }
         [Parameter] public SwitchParameter IncludeImports { get; set; }
 

src/PSInfisicalAPI/Cmdlets/GetInfisicalSecretsCmdlet.cs

@@ -20,7 +20,7 @@ namespace PSInfisicalAPI.Cmdlets
         [Parameter] public SwitchParameter IncludeImports { get; set; }
         [Parameter] public SwitchParameter IncludePersonalOverrides { get; set; }
         [Parameter] public SwitchParameter ExpandSecretReferences { get; set; }
-        [Parameter] public SwitchParameter ViewSecretValue { get; set; }
+        [Parameter] public SwitchParameter ViewSecretValue { get; set; } = SwitchParameter.Present;
         [Parameter] public Hashtable MetadataFilter { get; set; }
         [Parameter] public string[] TagSlugs { get; set; }
 

src/PSInfisicalAPI/Secrets/InfisicalSecretMapper.cs

@@ -15,6 +15,8 @@ namespace PSInfisicalAPI.Secrets
                 return null;
             }
 
+            bool hidden = dto.SecretValueHidden || IsHiddenPlaceholder(dto.SecretValue);
+
             InfisicalSecret secret = new InfisicalSecret
             {
                 Id = dto.Id,
@@ -24,8 +26,8 @@ namespace PSInfisicalAPI.Secrets
                 Version = dto.Version,
                 Type = ParseType(dto.Type),
                 SecretName = dto.SecretKey,
-                SecretValue = SecureStringUtility.ToReadOnlySecureString(dto.SecretValue),
+                SecretValue = hidden ? null : SecureStringUtility.ToReadOnlySecureString(dto.SecretValue),
-                SecretValueHidden = dto.SecretValueHidden,
+                SecretValueHidden = hidden,
                 SecretPath = dto.SecretPath,
                 SecretComment = dto.SecretComment,
                 CreatedAtUtc = ParseTimestamp(dto.CreatedAt),
@@ -41,6 +43,11 @@ namespace PSInfisicalAPI.Secrets
             return secret;
         }
 
+        private static bool IsHiddenPlaceholder(string value)
+        {
+            return string.Equals(value, "<hidden-by-infisical>", StringComparison.Ordinal);
+        }
+
         public static InfisicalSecret[] MapMany(IEnumerable<InfisicalSecretResponseDto> items)
         {
             if (items == null)