Claude-skill-registry keychain-secure
macOS Keychain credential management with GF(3) balanced operations
install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/keychain-secure" ~/.claude/skills/majiayu000-claude-skill-registry-keychain-secure && rm -rf "$T"
manifest:
skills/data/keychain-secure/SKILL.mdsource content
Keychain Secure Skill: GF(3) Balanced Credential Management
Status: ✅ Production Ready Trit: -1 (MINUS - validator/security) Color: #2626D8 (Blue) Principle: Store(+1) + Retrieve(0) + Validate(-1) = 0 Frame: Never env vars, always Keychain
Overview
Keychain Secure provides secure credential storage on macOS with GF(3) conservation. Every credential lifecycle is balanced:
Create (+1) → Transport (0) → Consume/Verify (-1) = 0 ✓
GF(3) Triads
keychain-secure (-1) ⊗ mdm-cobordism (0) ⊗ gay-mcp (+1) = 0 ✓ [Credential Chain] keychain-secure (-1) ⊗ unworld (0) ⊗ oapply-colimit (+1) = 0 ✓ [Derivation] keychain-secure (-1) ⊗ acsets (0) ⊗ koopman-generator (+1) = 0 ✓ [Pattern]
Why Not Environment Variables?
| Storage | Security | Problem |
|---|---|---|
| ❌ None | Visible in |
| ❌ Minimal | Readable, often committed to git |
| Keychain | ✅ Encrypted | Hardware-backed, ACL-protected |
Rule: Secrets belong in Keychain, never in environment.
Commands
Store Credential (+1 Generator)
# Interactive (prompts for password) security add-generic-password \ -s "service-name" \ -a "$USER" \ -w # Non-interactive (⚠️ visible in process list briefly) security add-generic-password \ -s "service-name" \ -a "$USER" \ -w "secret-value" \ -U # Update if exists
Retrieve Credential (0 Coordinator)
# Get password value security find-generic-password \ -s "service-name" \ -a "$USER" \ -w # Use in command substitution export API_KEY=$(security find-generic-password -s "openai" -a "$USER" -w)
Delete Credential (-1 Validator)
security delete-generic-password \ -s "service-name" \ -a "$USER"
Verify Credential (-1 Validator)
# Check if credential exists and is retrievable security find-generic-password -s "service-name" -a "$USER" -w >/dev/null 2>&1 \ && echo "valid" || echo "invalid"
GF(3) Balanced Operations
Pattern 1: Store-Retrieve-Validate
# +1: Store security add-generic-password -s "test" -a "$USER" -w "secret123" -U # 0: Retrieve RETRIEVED=$(security find-generic-password -s "test" -a "$USER" -w) # -1: Validate [ "$RETRIEVED" = "secret123" ] && echo "GF(3) = 0 ✓"
Pattern 2: Create-Use-Rotate
# +1: Create new credential security add-generic-password -s "api-key-v2" -a "$USER" -w "$NEW_KEY" # 0: Use credential (transport) curl -H "Authorization: Bearer $(security find-generic-password -s 'api-key-v2' -a '$USER' -w)" ... # -1: Delete old credential security delete-generic-password -s "api-key-v1" -a "$USER"
Python API
from mdm_mcp_server import Keychain, Trit, verify_gf3 # Store (+1) ok, trit = Keychain.store("openai", "api-key", "sk-...") assert trit == Trit.PLUS # Retrieve (0) secret, trit = Keychain.retrieve("openai", "api-key") assert trit == Trit.ERGODIC # Delete (-1) ok, trit = Keychain.delete("openai", "api-key") assert trit == Trit.MINUS # GF(3) balanced operation ok, trits = Keychain.store_then_verify("service", "account", "secret") assert verify_gf3(trits) # [+1, 0, -1] = 0 ✓
Ruby API
require 'keychain_secure' # Store with GF(3) tracking KeychainSecure.store( service: 'openai', account: ENV['USER'], secret: 'sk-...', trit: :plus # +1 ) # Balanced lifecycle KeychainSecure.balanced_lifecycle( service: 'api-key', account: ENV['USER'] ) do |secret| # Use secret here (trit: 0) make_api_call(secret) end # Automatic validation on block exit (trit: -1)
Access Control
Restrict to Specific Apps
security add-generic-password \ -s "my-service" \ -a "$USER" \ -w "secret" \ -T "/usr/bin/security" \ -T "/Applications/MyApp.app"
Require User Confirmation
# Set ACL to require confirmation security set-generic-password-partition-list \ -s "my-service" \ -a "$USER" \ -S "apple:"
Integration with MDM
# MDM enrollment with Keychain-backed credentials from mdm_mcp_server import W1_GENERATE_KEY, Keychain # Store MDM push certificate Keychain.store("mdm-push-cert", "apns", push_cert_pem) # Retrieve for APNS connection push_cert, _ = Keychain.retrieve("mdm-push-cert", "apns")
Common Services
| Service | Account | Description |
|---|---|---|
| | OpenAI API key |
| | Claude API key |
| | Personal access token |
| | MDM push certificate |
| | SCEP challenge password |
Security Best Practices
- Use Access Groups for app-to-app sharing
- Set ACLs to require user presence for sensitive items
- Rotate credentials periodically (create new, delete old)
- Never log secrets — even to debug logs
- Verify GF(3) — ensures complete credential lifecycle
Anti-Patterns
# ❌ BAD: Secret in command line (visible in ps) curl -H "Authorization: Bearer sk-abc123" ... # ✅ GOOD: Secret from Keychain curl -H "Authorization: Bearer $(security find-generic-password -s 'openai' -a '$USER' -w)" ... # ❌ BAD: Secret in environment export OPENAI_API_KEY="sk-abc123" # ✅ GOOD: Retrieve when needed OPENAI_API_KEY=$(security find-generic-password -s 'openai' -a "$USER" -w)
Skill Name: keychain-secure Type: Credential Management / Security Trit: -1 (MINUS) Color: #2626D8 (Blue) GF(3): Store(+1) + Retrieve(0) + Validate(-1) = 0 Env Vars: Never for secrets
Scientific Skill Interleaving
This skill connects to the K-Dense-AI/claude-scientific-skills ecosystem:
Graph Theory
- networkx [○] via bicomodule
- Universal graph hub
Bibliography References
: 734 citations in bib.duckdbgeneral
Cat# Integration
This skill maps to Cat# = Comod(P) as a bicomodule in the equipment structure:
Trit: 0 (ERGODIC) Home: Prof Poly Op: ◁ Kan Role: Adj Color: #26D826
GF(3) Naturality
The skill participates in triads satisfying:
(-1) + (0) + (+1) ≡ 0 (mod 3)
This ensures compositional coherence in the Cat# equipment structure.