ConfD suppresses the echo only if it prompts for a value, so the behavior in the first part is correct. And it indeed should hide the value from audit log, so the beavior in the second part is not correct.
Do you have some customizations in your audit logging, such as through the ConfD event notifications? The line from the audit log looks strange:
If you enter the leaf path and its value in two separate lines, ConfD (normally) logs the two in two separate log lines, not in one; maybe the line was generated for another command?
The value looks strange, was it indeed supposed to contain literal double quote, string "secret", backslash, string "000", double quote? This is the only (legal) value that would make it to the audit log as \"secret\\000\" - provided it is ConfD that generates the log.
Next I tried to reproduce the same in confd-7.3 as well. In confd-7.3 the expected type error is not there. (So there must be some issues in older confd versions which were fixed later). However with confd-7.3 as well, my original issue persists.
There was a bug that makes tailf:suppress-echo not to do what it should sometimes, apparently the combination with tailf:typepoint is an instance of this; fixed in later ConfD releases (I see it works fine in 7.3.6 and 7.5). I suppose the CHANGES entry you should look for is this:
cli: When CLI used its auto-wizard and started prompting for input, the
input value was not always logged in the audit-log. If it was logged, it
did not always suppress the value when it should. Now we assert values
are suppressed and identify where CLI was missing out on producing
No, I am not aware of any such extension. If really needed, you can “override” the leaf by a CLI C-API command of the same name whose implementation uses maapi_cli_prompt* to read the value and modifies the leaf - you can control whether the value is echoed back, and it does not appear in the audit.log file.