Add --no-persist-password option to configure#253
Conversation
There was a problem hiding this comment.
Code Review
This pull request introduces macOS Keychain integration to securely store and retrieve the Time Capsule device password, adding --keychain and --no-persist-password options to the configuration flow. A critical bug was identified in configure.py where the password is cleared from the values dictionary before store_password_in_keychain is called, which prevents the password from being saved to the Keychain. A fix was suggested to preserve the password in a local variable before clearing the dictionary.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| if args.keychain: | ||
| store_password_in_keychain(values.get("TC_HOST", ""), values.get("TC_PASSWORD", ""), json_output=args.json) |
There was a problem hiding this comment.
When --keychain is specified, persist_password is set to False. This means result.values returned by run_configure_flow will not contain TC_PASSWORD.
Because values.clear() is called and then updated with result.values inside the while True loop (around lines 616-617), the password is wiped from the values dictionary. Consequently, values.get("TC_PASSWORD") is empty when store_password_in_keychain is called after the loop, causing the password to never be stored in the macOS Keychain.
To fix this, you should preserve the password before clearing the values dictionary, or store it in the keychain before breaking the loop. For example, you can capture the password in a local variable inside the loop:
password_to_store = values.get("TC_PASSWORD", "")
values.clear()
values.update(result.values)And then use password_to_store when calling store_password_in_keychain:
if args.keychain:
store_password_in_keychain(values.get("TC_HOST", ""), password_to_store, json_output=args.json)Addresses review feedback on jamesyc#253. The keychain store read TC_PASSWORD from values after values.clear()/update(result.values); it worked only because result.values happens to retain the password (the non-persist pop runs on a copy). Capture the password before the clear so the store does not depend on that, and add a regression test. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
Thanks for the review. On the flagged critical: I verified that |
|
Adding Some users script this on a raspberry pi, so this is of practical concern. I do not want anything mac-only for a core command like I'm fine with |
Per maintainer feedback on jamesyc#253: drop the macOS-only Keychain integration (keeps configure cross-platform) and keep only --no-persist-password, which writes the config without saving TC_PASSWORD. Later commands then prompt or read the password from --password-env/--password-stdin. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
6b752b0 to
58cf611
Compare
|
Slimmed to just |
What
Adds
configure --no-persist-password, which writes the config without savingTC_PASSWORDto.env. Later commands then prompt for it or read it from--password-env/--password-stdin.Why
For users who don't want the device password persisted in
.env. This reuses the existingpersist_passwordplumbing (the app already exposes it; the CLI just hardcodedTrue).Per your feedback, I dropped the
--keychainintegration entirely — you're right that a macOS-only path doesn't belong on a core cross-platform command likeconfigure(people script it on Raspberry Pis). No new modules, no platform-specific code.Changes
--no-persist-passwordflag; threadspersist_passwordinto the existing configure flow.--no-persist-passwordomitsTC_PASSWORDfrom the written config (contrasted with the existing test showing it's saved by default).🤖 Generated with Claude Code