2.4 KiB
| name | description |
|---|---|
| private-password-storage | Store or update a private password or credential in the device-local macOS Keychain through a native secure popup, and check presence without retrieval. Use when a user asks to save, store, update, or verify a private credential securely on a Mac. |
Private Password Storage
Use the bundled helper so the credential enters only through a native
NSSecureTextField and goes directly to Security.framework.
Choose The Right Authentication Route
Prefer the provider's supported credential manager or login flow when one
exists. Keychain storage does not authenticate an application and cannot
satisfy OAuth, OTP, passkeys, browser sessions, or gcloud login by itself.
Never ask the user to paste a credential into chat.
Store Or Update
Run --store only after the user asks to open the secure popup:
.agents/skills/private-password-storage/scripts/private-password-storage \
--service "com.example.application" \
--account "operator@example.invalid" \
--label "Example application password" \
--store
The popup accepts normal typing, Cmd+V, and right-click Paste. Empty input
stays in the popup and is rejected. A successful write prints only stored.
The item is stored as kSecAttrAccessibleWhenUnlockedThisDeviceOnly with
synchronization disabled.
Check Presence
.agents/skills/private-password-storage/scripts/private-password-storage \
--service "com.example.application" \
--account "operator@example.invalid" \
--status
Status prints only present or absent. It never returns the credential.
Safety Contract
- Keep the credential out of process arguments, shell variables, files, logs, screenshots, terminal output, clipboard writes, and proof artifacts.
- Do not add retrieval, reveal, echo, export, or fingerprint modes.
- Do not use AppleScript,
osascript, System Events,pbcopy, or thesecurity add-generic-passwordCLI. - Treat service, account, and label as non-secret metadata; do not print them.
- Report only the helper status and whether a native popup was used.
Sanitized Canary
Use only a generated fake value and a service beginning with
dev.codex.private-password-storage.canary. plus an account beginning with
canary-. The test-only --delete-test-item action is prefix-guarded and
deletes only that exact service/account pair. Verify present, delete the
exact item, then verify absent. Do not retain the fake value anywhere.