
v0.1.9: diagnostic keychain status + CLI --clear-keychain flag #7

Merged: hculap merged 1 commit into main from feat/v0.1.9-logout-improvements, May 19, 2026

@hculap
Owner

@hculap hculap commented May 19, 2026

Why

v0.1.8 `logout(clear_keychain=True)` returned a bland "keychain entry NOT removed" no matter what actually happened. A Claude Desktop user got confused because the same message covered three very different states:

  1. There was no entry to remove (already cleared earlier)
  2. delete_password raised
  3. config had no email so the tool didn't even know what to look up

What

New `keychain_status` field in both the MCP `logout` tool result and the CLI `emodul auth logout --json` output:

| status | meaning | next step |
| --- | --- | --- |
| `skipped` | clear_keychain was False | |
| `no_email` | requested but config has no email | run `security find-generic-password -s emodul` manually |
| `not_found` | email valid, no keychain entry | often: already removed in earlier session |
| `deleted` | entry existed and was removed | |
| `error` | delete_password raised | manual: `security delete-generic-password -s emodul -a ` |

Both surfaces `get_password()` before attempting delete so they can correctly classify `not_found` vs `error`.

CLI symmetry

`emodul auth logout --clear-keychain` now does both steps in one shot:

```bash
# Before: two commands
emodul auth logout
emodul auth forget-password

# After: one command, same effect
emodul auth logout --clear-keychain
```

`forget-password` stays for backward compat.

Verified

  • CLI: tested all 3 reachable paths (`skipped`, `no_email`, real config preserved)
  • MCP: tested `not_found` path via stdio client with synthetic email
  • Real keychain entry left untouched throughout the test (verified by post-test `get_password`)
  • Ruff clean

Release

After merge: tag v0.1.9 → OIDC publish.

In v0.1.8, MCP logout(clear_keychain=True) returned the bland message
"keychain entry NOT removed" regardless of whether the entry was missing,
the delete raised, or config had no email to look up. An agent in
Claude Desktop reported confusion: the entry was actually still there
because the call had nothing to delete from an earlier (forgotten) state.

This release distinguishes the cases via a new `keychain_status` field
returned by both the MCP logout tool and the CLI `emodul auth logout`:

  - "skipped"   — clear_keychain was False; we never tried
  - "no_email"  — clear_keychain requested but config has no email
                  (manual recovery hint via `security find-generic-password`)
  - "not_found" — email valid, no keychain entry (often: already removed)
  - "deleted"   — entry existed and was removed
  - "error"     — delete_password raised; manual recovery hint included

Also adds CLI symmetry: `emodul auth logout --clear-keychain` now does
both steps in one shot instead of requiring `auth logout` followed by
`auth forget-password`. The standalone `forget-password` command stays
for backward compat.

Both surfaces (CLI and MCP) now `get_password()` before attempting delete
so they can correctly classify "not_found" vs "error". This costs one
extra keychain lookup per logout call but makes the diagnostics
trustworthy.
@hculap hculap merged commit 105befc into main May 19, 2026
9 checks passed
@hculap hculap deleted the feat/v0.1.9-logout-improvements branch May 19, 2026 14:27
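
The five-way `keychain_status` classification described in this PR, as an added sketch that is not the project's own code. `FakeKeychain`, `clear_keychain_entry` and the sample addresses are hypothetical, the backend methods are assumed to take `(service, account)`, and the re-check after delete goes beyond what the PR describes.

```python
"""Added example: classify a keychain clear into the five keychain_status values."""

SERVICE = "emodul"  # service name from the `security ... -s emodul` hints on the page


class FakeKeychain:
    """Constructed in-memory stand-in for an OS keychain (assumption, not the real backend)."""

    def __init__(self, entries=None, fail_delete=False):
        self.entries = dict(entries or {})
        self.fail_delete = fail_delete

    def get_password(self, service, account):
        return self.entries.get((service, account))

    def delete_password(self, service, account):
        if self.fail_delete:
            raise RuntimeError("keychain locked")  # constructed failure
        del self.entries[(service, account)]


def clear_keychain_entry(backend, email, clear_keychain):
    """Return (keychain_status, hint). The stored secret is never part of the result."""
    if not clear_keychain:
        return "skipped", None  # caller never asked; do not touch the keychain
    if not email:
        # Without an account name there is nothing to look up.
        return "no_email", f"security find-generic-password -s {SERVICE}"
    try:
        # Lookup first: a missing entry must not be reported as a failed delete.
        if backend.get_password(SERVICE, email) is None:
            return "not_found", None
        backend.delete_password(SERVICE, email)
    except Exception as exc:
        # Surface only the exception type; messages may echo account details.
        return "error", type(exc).__name__
    # Added check (not in the PR): report "deleted" only if the secret is gone.
    if backend.get_password(SERVICE, email) is not None:
        return "error", "entry still present after delete"
    return "deleted", None


if __name__ == "__main__":
    kc = FakeKeychain({(SERVICE, "user@example.test"): "s3cret"})  # constructed data
    for email, flag in [("user@example.test", False), (None, True),
                        ("user@example.test", True), ("user@example.test", True)]:
        print(email, flag, clear_keychain_entry(kc, email, flag))
```
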