Skip to content

fix: keychain stores -U flag as password instead of actual secret#21

Merged
kaushalpaneri merged 1 commit into
mainfrom
fix/issue-18
Mar 23, 2026
Merged

fix: keychain stores -U flag as password instead of actual secret#21
kaushalpaneri merged 1 commit into
mainfrom
fix/issue-18

Conversation

@kaushalpaneri

Copy link
Copy Markdown
Contributor

Summary

Fixes #18. The security add-generic-password command had -w followed by -U, causing macOS to interpret -U as the password value instead of reading the actual secret from stdin. Moved -U before -w so -w is the last argument and correctly reads from stdin.

Changes

Source

  • src/crux_cli/secrets.py: Reordered flags in MacOSKeychainBackend.set() — moved -U before -w so the password is read from stdin, not interpreted as the literal string "-U"

Tests

  • tests/unit/test_secrets_backends.py: Added test_keychain_set_w_flag_is_last regression test that verifies -w is the last argument and -U precedes it

Docs

No doc changes

Config

No config changes

Breaking Changes

None

Security Considerations

This fix ensures secrets are correctly stored in the macOS keychain. Previously, the actual secret was silently discarded and -U was stored instead — a security-relevant data loss bug.

Test Plan

  • All unit tests pass (uv run pytest tests/unit/ -v) — 368 passed
  • All integration tests pass (uv run pytest tests/integration/ -v)
  • Ruff clean (uv run ruff check src/ tests/)
  • No secrets in committed files
  • Regression test verifies -w is last and -U precedes it

Closes #18

🤖 Generated with Claude Code

…oses #18)

Move -U (update) flag before -w in the security add-generic-password
command so -w is the last argument and correctly reads the password
from stdin. Previously -U followed -w, causing macOS security to
interpret -U as the password value.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

@kaushalpaneri kaushalpaneri left a comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR Review Summary

# Severity Category Finding
No findings

All 15 CI checks pass. One-line fix with regression test.

Code Review: The fix correctly moves -U (update flag) before -w in the security add-generic-password command. With -w as the last argument, macOS security reads the password from stdin as intended. The regression test verifies both that -w is last and that -U precedes it.

Security Review: This fix resolves a security-relevant data loss bug — secrets were silently discarded. No new attack surface introduced.

Documentation Review: No doc changes needed for an internal bug fix.

Verdict: APPROVE — clean fix, well-tested regression guard.

@kaushalpaneri kaushalpaneri merged commit 7158a75 into main Mar 23, 2026
15 checks passed
@kaushalpaneri kaushalpaneri deleted the fix/issue-18 branch March 23, 2026 04:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

crux mcp auth stores '-U' instead of actual secret value

1 participant