Monorepo for Aesthetic.Computer aesthetic.computer
plans: systray passphrase entry form (deferred, post-LACMA)

Captures the 2026-04-22 ask for a macOS-native passphrase prompt served
by the slab daemon so long-running agents can request vault decryption
without blocking on the terminal.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

+67
plans/SYSTRAY-PASSPHRASE-ENTRY.md
··· 1 + # Systray passphrase entry form 2 + 3 + **Requested:** 2026-04-22 (during LACMA submission sprint) 4 + **Priority:** post-LACMA 5 + **Status:** Deferred (plan only, not implemented) 6 + 7 + ## Ask (verbatim) 8 + 9 + > can we add to our python daemon systray a passphrase entry form u can pop up 10 + > on macos here? 11 + 12 + ## Why 13 + 14 + Repeatedly: when a Claude agent or fish script needs to decrypt the vault 15 + (`aesthetic-computer-vault/home/.ssh/id_rsa.gpg`, GPG / age / whatever), 16 + the passphrase has to be typed at the terminal. In long-running agent 17 + sessions (like the LACMA submission sprint on 2026-04-22) that means 18 + the agent is blocked or the user has to context-switch to paste the 19 + passphrase into a non-secure text field. 20 + 21 + A native macOS passphrase prompt from the existing Python daemon's 22 + systray would solve both: the agent triggers it over IPC, the user 23 + types the passphrase into a real macOS password field (keychain- 24 + integrated, not logged), and the daemon hands the cleartext back to 25 + whatever requested it — or, better, holds it in-memory for N minutes 26 + and re-serves it without re-prompting. 27 + 28 + ## Sketch 29 + 30 + - **Daemon location:** probably `micro/machine/` or `ac-electron/` — 31 + check the tray app that already exists. Otherwise there's a Python 32 + component somewhere in `fedac/` or `ants/` that hosts the tray. 33 + - **UI:** macOS `NSAlert` with a `NSSecureTextField` accessory (via 34 + PyObjC / `pyobjus` / `rumps` — whichever the tray already uses). 35 + Alternate path: ship a tiny Swift helper binary and call it from 36 + Python. 37 + - **IPC:** 38 + - Unix domain socket at `~/.ac-daemon.sock` (or reuse whatever the 39 + tray already exposes). 40 + - Protocol: `{"op":"passphrase","label":"vault-ssh","timeout":600}` → 41 + `{"ok":true,"secret":"<phrase>","cached":true}`. 42 + - Requester blocks until user types or cancels. 
43 + - **Cache:** in-memory with TTL (default 10 minutes). Clear on daemon 44 + restart or explicit `{"op":"forget"}`. Do NOT persist to disk. 45 + - **Zeroize:** overwrite the `bytes` object before GC (best-effort on 46 + Python; the point is to not leave it in a file). 47 + 48 + ## Integration points 49 + 50 + Once the daemon has the endpoint, wire: 51 + - `aesthetic-computer-vault/devault.fish` — currently uses `gpg` 52 + directly; swap to a helper that asks the daemon first. 53 + - `lith/deploy.fish` — SSH key step. 54 + - Any `npm run session:*` scripts that touch vault creds. 55 + 56 + ## Out of scope 57 + 58 + - Browser integration (a Chrome/Safari extension could call the 59 + daemon too, but save that for later). 60 + - Cross-device sync — this is machine-local only. 61 + 62 + ## Next time 63 + 64 + When picking this up, start by inventorying the current daemon: find 65 + its entry point, confirm it runs as a systray item, and see what IPC 66 + it already speaks. Only add the passphrase endpoint to an existing 67 + daemon — don't spawn a second tray.
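Review bot: the IPC sketch (lines 37-44 of the new file) hands the cleartext secret to any client that can connect to `~/.ac-daemon.sock`, and with the TTL cache "re-serves it without re-prompting", so after the first prompt any same-user process could read `{"ok":true,"secret":"<phrase>","cached":true}` silently; the plan should state that threat model and at minimum require the socket to be created with mode 0600, consider checking peer credentials (SO_PEERCRED / LOCAL_PEERCRED) and surface a tray notification or re-consent per `label` on cache hits. The zeroize bullet (lines 45-46) should also not say "overwrite the `bytes` object": Python `bytes` are immutable and cannot be overwritten in place, so the daemon would need to hold the phrase in a `bytearray` and clear it with slice assignment (accepting that earlier copies from JSON decoding may survive), which the note about best-effort zeroing should spell out. Finally, "keychain-integrated" (line 23) does not follow from using `NSSecureTextField` alone; either drop the claim or add a step describing how Keychain would actually be used.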