Summary
cr keeps triggering macOS credential-manager prompts after Homebrew upgrades, even after the user chooses Always Allow.
Recent investigation shows:
- darwin release binaries are being code-signed correctly with a stable designated requirement
- Homebrew installs each cask version under a versioned
Caskroom path
- Keychain ACLs on
codereview/* generic-password items can retain stale trusted-application paths and stale partition_id entries across upgrades
config show and other read paths can also prompt unnecessarily because credential presence checks currently read secret data instead of using metadata/ref-only existence checks
Desired outcome
For codereview-cli, complete one end-to-end fix/verification cycle before applying the pattern to sibling CLIs.
The ticket is only complete when we have:
- an implementation that addresses unnecessary prompt amplification in
cr
- focused tests for the changed behavior
- a merged release build
- a real post-merge install/upgrade verification on the Homebrew-installed CLI
- a clear conclusion, based on empirical evidence, about what self-signed signing can and cannot fix for Keychain ACL / partition behavior
Scope
- implement the
codereview-cli side of the fix train first
- use
cli-common changes as needed
- do not start the other affected CLIs until the installed
cr build has been verified after merge/release/upgrade
Acceptance criteria
cr config show does not read secret values just to determine credential presence
- the chosen fix path is covered by tests
- release artifacts are built and published successfully
brew upgrade --cask open-cli-collective/tap/codereview-cli is run against the merged release
- the installed binary and the corresponding Keychain item state are inspected after upgrade
- the ticket records whether the post-upgrade behavior is actually fixed, partially mitigated, or still blocked by self-signed
partition_id behavior
Notes for implementation
- prefer evidence over assumptions when dealing with Keychain ACLs
- if self-signed auto-repair cannot survive upgrade in practice, document the limitation plainly and stop short of claiming a durable fix
- stale local Keychain garbage from repeated manual
Always Allow attempts can be cleaned up as a post-merge local step, but that cleanup is not itself the product fix
Summary
crkeeps triggering macOS credential-manager prompts after Homebrew upgrades, even after the user choosesAlways Allow.Recent investigation shows:
Caskroompathcodereview/*generic-password items can retain stale trusted-application paths and stalepartition_identries across upgradesconfig showand other read paths can also prompt unnecessarily because credential presence checks currently read secret data instead of using metadata/ref-only existence checksDesired outcome
For
codereview-cli, complete one end-to-end fix/verification cycle before applying the pattern to sibling CLIs.The ticket is only complete when we have:
crScope
codereview-cliside of the fix train firstcli-commonchanges as neededcrbuild has been verified after merge/release/upgradeAcceptance criteria
cr config showdoes not read secret values just to determine credential presencebrew upgrade --cask open-cli-collective/tap/codereview-cliis run against the merged releasepartition_idbehaviorNotes for implementation
Always Allowattempts can be cleaned up as a post-merge local step, but that cleanup is not itself the product fix