github.com/charmbracelet/gum

Gum is a command-line tool rather than a traditional Go library, which fundamentally shapes how you use it. Instead of importing packages, you shell out to the gum binary to create interactive prompts, spinners, and formatted output. This design makes it incredibly versatile for shell scripts but means Go projects require exec calls rather than native function calls.

The day-to-day experience is surprisingly pleasant for shell scripting. Each component (input, choose, filter, confirm, etc.) is a separate subcommand with intuitive flags. Error handling is straightforward since you're just parsing stdout/stderr. The styling options are comprehensive without being overwhelming, and the default themes look professional out of the box.

For Go projects specifically, the DX is less ideal since you lose type safety and have to manage subprocess execution. Documentation is clear with good examples, but there's no API reference since it's CLI-focused. The getting-started guide works well, though migration notes between versions could be more explicit about breaking changes in flag naming.

Gum is a shell-focused CLI tool for building interactive prompts and forms, primarily designed for Bash/shell scripts rather than Go libraries. When embedded in Go applications, you're essentially wrapping shell commands, which introduces execution overhead and potential command injection risks if user input isn't carefully sanitized before passing to gum subcommands.

The library doesn't provide input validation primitives beyond basic type constraints (numbers, date formats). You're responsible for all sanitization and validation logic. Error handling is primitive - most failures return generic exit codes without structured errors, making debugging difficult. There's no built-in protection against terminal escape sequence injection, so accepting raw user input requires external validation.

From a security perspective, gum is minimal - it has few dependencies and a small attack surface. However, it's not designed with security-by-default principles. Authentication/authorization concepts don't apply here. For production applications handling sensitive data, consider native Go libraries like survey or promptui that give you more control over validation pipelines and don't require shelling out.

Gum is fundamentally different from typical Go packages - it's a collection of CLI tools you shell out to, not a library you import. Each command (gum choose, gum input, gum confirm, etc.) is a standalone binary that handles one type of user interaction beautifully. You invoke them via exec.Command() and parse stdout/stderr. This approach is both its strength and limitation.

The DX is surprisingly good for shell-based tooling. Each command has clear, consistent flags and helpful usage text. Error messages are straightforward, and the visual output is polished with great color and styling options. However, there's no autocomplete, type safety, or compile-time validation since you're essentially building shell commands as strings. Debugging requires running commands manually to understand behavior.

For quick CLI prototypes or shell scripts wrapped in Go, it's fantastic - you get production-quality prompts without writing UI code. For complex applications requiring tight integration, error handling, or programmatic control flow, consider bubbletea (Charm's actual Go library) instead.