Install: `npx claudepluginhub plurigrid/asi --plugin asi`

This skill uses the workspace's default tool permissions.
**Status**: ✅ Production Ready
Implements secure credential storage using OS-native keychains on Windows, macOS, Linux. Guides TDD workflow for Python, TypeScript, Rust, Go with security principles.
Models macOS MDM authentication as cobordisms for credential derivation, using Keychain operations and GF(3) state transitions in Python.
Guides secure storage/retrieval of credentials in iOS/macOS keychain using SecItem API. Debugs errors like errSecDuplicateItem, manages access groups, biometrics, and app sharing.
Status: ✅ Production Ready
Trit: -1 (MINUS - validator/security)
Color: #2626D8 (Blue)
Principle: Store(+1) + Retrieve(0) + Validate(-1) = 0
Frame: Never env vars, always Keychain
Keychain Secure provides secure credential storage on macOS with GF(3) conservation. Every credential lifecycle is balanced:
Create (+1) → Transport (0) → Consume/Verify (-1) = 0 ✓
keychain-secure (-1) ⊗ mdm-cobordism (0) ⊗ gay-mcp (+1) = 0 ✓ [Credential Chain]
keychain-secure (-1) ⊗ unworld (0) ⊗ oapply-colimit (+1) = 0 ✓ [Derivation]
keychain-secure (-1) ⊗ acsets (0) ⊗ koopman-generator (+1) = 0 ✓ [Pattern]
| Storage | Security | Problem |
|---|---|---|
| `export API_KEY=...` | ❌ None | Visible in `ps`, logs, shell history |
| `.env` file | ❌ Minimal | Readable, often committed to git |
| Keychain | ✅ Encrypted | Hardware-backed, ACL-protected |
Rule: Secrets belong in Keychain, never in environment.
```bash
# Interactive (prompts for password)
security add-generic-password \
  -s "service-name" \
  -a "$USER" \
  -w

# Non-interactive (⚠️ visible in process list briefly)
security add-generic-password \
  -s "service-name" \
  -a "$USER" \
  -w "secret-value" \
  -U   # Update if exists
```
```bash
# Get password value
security find-generic-password \
  -s "service-name" \
  -a "$USER" \
  -w

# Use in command substitution
export API_KEY=$(security find-generic-password -s "openai" -a "$USER" -w)
```
```bash
security delete-generic-password \
  -s "service-name" \
  -a "$USER"
```
```bash
# Check if credential exists and is retrievable
security find-generic-password -s "service-name" -a "$USER" -w >/dev/null 2>&1 \
  && echo "valid" || echo "invalid"
```
```bash
# +1: Store
security add-generic-password -s "test" -a "$USER" -w "secret123" -U

# 0: Retrieve
RETRIEVED=$(security find-generic-password -s "test" -a "$USER" -w)

# -1: Validate
[ "$RETRIEVED" = "secret123" ] && echo "GF(3) = 0 ✓"
```
```bash
# +1: Create new credential
security add-generic-password -s "api-key-v2" -a "$USER" -w "$NEW_KEY"

# 0: Use credential (transport)
# Note: "$USER" must be double-quoted so the shell expands it.
curl -H "Authorization: Bearer $(security find-generic-password -s 'api-key-v2' -a "$USER" -w)" ...

# -1: Delete old credential
security delete-generic-password -s "api-key-v1" -a "$USER"
```
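The balanced lifecycle and the rotation above, carried into a small Python wrapper over the `security` CLI that records one trit per call and checks the GF(3) sum. This is an added example, not the skill's own `mdm_mcp_server` module; it assumes `security -i` (interactive mode) reads commands from stdin, which lets the store step avoid the ⚠️ `-w "secret"` exposure in the process list. `dry_run=True` records the argv without executing anything, so the bookkeeping can be exercised off macOS.

```python
import hmac
import shlex
import subprocess
from dataclasses import dataclass, field

# Trit values as used on this page: store +1, retrieve/transport 0, validate/delete -1.
PLUS, ERGODIC, MINUS = 1, 0, -1


def verify_gf3(trits):
    """A credential lifecycle is balanced when its trits sum to 0 (mod 3)."""
    return sum(trits) % 3 == 0


@dataclass
class Keychain:
    """Wrapper over the macOS `security` CLI that records a trit per call.

    dry_run=True only records argv (returncode 0, empty stdout); nothing is executed.
    """
    dry_run: bool = False
    trits: list = field(default_factory=list)
    calls: list = field(default_factory=list)

    def _run(self, argv, trit, stdin=None):
        self.trits.append(trit)
        self.calls.append(argv)
        if self.dry_run:
            return subprocess.CompletedProcess(argv, 0, stdout="", stderr="")
        return subprocess.run(argv, input=stdin, capture_output=True, text=True)

    def store(self, service, account, secret):
        # +1. The secret is written to `security -i` on stdin, not passed as a
        # `-w` argument, so it never shows up in `ps` (assumes security(1) -i mode).
        line = "add-generic-password -U -s %s -a %s -w %s\n" % (
            shlex.quote(service), shlex.quote(account), shlex.quote(secret))
        return self._run(["security", "-i"], PLUS, stdin=line).returncode == 0

    def retrieve(self, service, account):
        # 0: transport. Returned to the caller, never exported to the environment.
        argv = ["security", "find-generic-password", "-s", service, "-a", account, "-w"]
        cp = self._run(argv, ERGODIC)
        return cp.stdout.rstrip("\n") if cp.returncode == 0 else None

    def validate(self, service, account, expected):
        # -1: closes the lifecycle with a constant-time comparison.
        got = self.retrieve(service, account)
        self.trits.append(MINUS)
        return got is not None and hmac.compare_digest(got, expected)

    def delete(self, service, account):
        # -1: the closing step of a rotation (create v2, use it, delete v1).
        argv = ["security", "delete-generic-password", "-s", service, "-a", account]
        return self._run(argv, MINUS).returncode == 0
```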
```python
from mdm_mcp_server import Keychain, Trit, verify_gf3

# Store (+1)
ok, trit = Keychain.store("openai", "api-key", "sk-...")
assert trit == Trit.PLUS

# Retrieve (0)
secret, trit = Keychain.retrieve("openai", "api-key")
assert trit == Trit.ERGODIC

# Delete (-1)
ok, trit = Keychain.delete("openai", "api-key")
assert trit == Trit.MINUS

# GF(3) balanced operation
ok, trits = Keychain.store_then_verify("service", "account", "secret")
assert verify_gf3(trits)  # [+1, 0, -1] = 0 ✓
```
```ruby
require 'keychain_secure'

# Store with GF(3) tracking
KeychainSecure.store(
  service: 'openai',
  account: ENV['USER'],
  secret: 'sk-...',
  trit: :plus  # +1
)

# Balanced lifecycle
KeychainSecure.balanced_lifecycle(
  service: 'api-key',
  account: ENV['USER']
) do |secret|
  # Use secret here (trit: 0)
  make_api_call(secret)
end
# Automatic validation on block exit (trit: -1)
```
```bash
# Restrict access to named applications (-T adds a trusted application)
security add-generic-password \
  -s "my-service" \
  -a "$USER" \
  -w "secret" \
  -T "/usr/bin/security" \
  -T "/Applications/MyApp.app"

# Set ACL to require confirmation
security set-generic-password-partition-list \
  -s "my-service" \
  -a "$USER" \
  -S "apple:"
```
```python
# MDM enrollment with Keychain-backed credentials
from mdm_mcp_server import W1_GENERATE_KEY, Keychain

# push_cert_pem: the PEM-encoded APNS push certificate, loaded earlier
# (how it is obtained is outside this snippet)
# Store MDM push certificate
Keychain.store("mdm-push-cert", "apns", push_cert_pem)

# Retrieve for APNS connection
push_cert, _ = Keychain.retrieve("mdm-push-cert", "apns")
```
| Service | Account | Description |
|---|---|---|
| openai | api-key | OpenAI API key |
| anthropic | api-key | Claude API key |
| github | pat | Personal access token |
| mdm-push-cert | apns | MDM push certificate |
| scep-challenge | enrollment | SCEP challenge password |
```bash
# ❌ BAD: Secret in command line (visible in ps)
curl -H "Authorization: Bearer sk-abc123" ...

# ✅ GOOD: Secret from Keychain ("$USER" double-quoted so it expands)
curl -H "Authorization: Bearer $(security find-generic-password -s 'openai' -a "$USER" -w)" ...

# ❌ BAD: Secret in environment
export OPENAI_API_KEY="sk-abc123"

# ✅ GOOD: Retrieve when needed (shell variable, not exported)
OPENAI_API_KEY=$(security find-generic-password -s 'openai' -a "$USER" -w)
```
Skill Name: keychain-secure
Type: Credential Management / Security
Trit: -1 (MINUS)
Color: #2626D8 (Blue)
GF(3): Store(+1) + Retrieve(0) + Validate(-1) = 0
Env Vars: Never for secrets
This skill connects to the K-Dense-AI/claude-scientific-skills ecosystem:

general: 734 citations in bib.duckdb

This skill maps to Cat# = Comod(P) as a bicomodule in the equipment structure:
Trit: 0 (ERGODIC)
Home: Prof
Poly Op: ◁
Kan Role: Adj
Color: #26D826
The skill participates in triads satisfying:
(-1) + (0) + (+1) ≡ 0 (mod 3)
This ensures compositional coherence in the Cat# equipment structure.