Conversation
- keymaster get now accepts comma-separated keys (e.g., `get a,b,c`)
with a single Touch ID/password prompt for the entire batch
- Default output format is now JSON for `get` command
- Added --plain flag to preserve legacy raw-text output (single key only)
- keymasterd: new /keys/<k1>,<k2>,... endpoint returns JSON with one auth
- keymasterd-inetd: same multi-key support as keymasterd
- /key/<name> endpoint unchanged (plain text, backward compatible)
- Missing keys return {"value": null, "error": "not found"} instead of
failing the whole request
- Updated README.md with new usage examples
- Added CLAUDE.md development guide
https://claude.ai/code/session_01FQjN5DyMVBT3wLizVxAWS4
Both /key/ and /keys/ endpoints now accept an optional ?description=<text> query parameter that customizes the Touch ID / password prompt shown to the user, matching the CLI's --description flag. Updated keymasterd-inetd.swift with the same feature. Updated README.md and keymasterd help text with usage examples. https://claude.ai/code/session_01FQjN5DyMVBT3wLizVxAWS4
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b38d395653
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| // For "get", split comma-separated keys | ||
| let keys: [String] | ||
| if action == "get" { | ||
| keys = keyArg.components(separatedBy: ",").map { $0.trimmingCharacters(in: .whitespaces) }.filter { !$0.isEmpty } |
There was a problem hiding this comment.
Spliting keyArg on every comma makes key names like team,prod impossible to fetch as a single secret. In JSON mode this silently reads the wrong keys, and in --plain mode it now hard-fails because the parsed key count is > 1, so existing comma-containing keys that were previously readable become unreachable through keymaster get.
Useful? React with 👍 / 👎.
| return httpResponse(status: 400, body: "Key name(s) required", contentType: "application/json") | ||
| } |
There was a problem hiding this comment.
This /keys validation path declares application/json but returns an unquoted plain-text body (Key name(s) required), which is invalid JSON. Any client that follows the documented JSON contract for /keys and always parses the response body as JSON will fail on these 400 cases instead of getting a structured error payload.
Useful? React with 👍 / 👎.
2 participants
get a,b,c)with a single Touch ID/password prompt for the entire batch
getcommandfailing the whole request
https://claude.ai/code/session_01FQjN5DyMVBT3wLizVxAWS4