kc 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: acd1a1a4d4b98a8f4972a7be12a56485af6364a446ad9cc0981b92c0bae38e3b
-  data.tar.gz: 510e50ff16ddf681620775f0a1488615b5c68bafb8345d10e1447571762d68c9
+  metadata.gz: 8d9fd3f9d9435dac8fd474111770fdc9648407d6880a8399a4d642c99b528907
+  data.tar.gz: e45b7d10dde259a3d44f661848dcaf282b6b3779d99bf5f647e34f3e89eb4d07
 SHA512:
-  metadata.gz: 70d120e84e72ef0c79c63c72eb69c21f1a14950c52a8cbc9d4765a6c555a4c163bf441668892a2f642c4dc3136c6466c7d577416352630ba7f912feed258f897
-  data.tar.gz: 5d05fae5c846ee424b5627b04770b4a3b3c4af5b1614985f48d18226ffab562a92366511ef61f4bea1f289993016f1920703978bf9e4e983ef7875385c31ac5a
+  metadata.gz: b571902e2874562153524032e6ec2addcb26c8e6e84ebabd2ba6ab153aad5b1ecbab639faaa163caa9c1fc7d32088e7184a1efe87754da15e6d75df7155589c6
+  data.tar.gz: bbe081e64f7098788f833f3127c5ccdab1fe5c87881956dac76ac93a6680fa479f4610d4e1cde8152fabd560f333e75a7d878d9447cf0e16b77244074565a3ba

data/README.md

@@ -1,13 +1,13 @@
-# kc - Keychain Manager for direnv
+# kc - Keychain Manager
 
-A CLI tool to securely store and retrieve secrets from macOS Keychain with namespace support, designed to work seamlessly with direnv.
+A CLI tool to securely store and retrieve secrets from macOS Keychain with namespace support and automatic iCloud sync.
 
 ## Features
 
 - 🔐 Securely store any secrets in macOS Keychain
+- ☁️ **iCloud Keychain sync** - automatically sync secrets across all your Macs
 - 🏷️ **Namespace support** - organize secrets by type (env, ssh, token, etc.)
 - 🚀 Native implementation using FFI (no shell command overhead)
-- 🎯 Designed for direnv integration
 - 📦 Simple CLI interface
 - 📋 List and filter secrets by namespace
 
@@ -117,10 +117,24 @@ You can create custom namespaces as needed.
 
 ## How it works
 
-`kc` uses macOS Security framework via FFI to directly interact with the Keychain, avoiding shell command overhead. All entries are stored under:
+`kc` uses macOS Security framework via FFI to directly interact with the Keychain, avoiding shell command overhead. All entries are stored as **Internet Passwords** with:
 
-- Service name: `kc`
-- Account name: `<namespace>:<name>` (e.g., `env:myproject`)
+- Server: `kc`
+- Account: `<namespace>:<name>` (e.g., `env:myproject`)
+- Protocol: HTTPS
+
+### iCloud Keychain Sync
+
+All secrets saved by `kc` are automatically synchronized across your Macs via **iCloud Keychain** (if enabled in System Settings). This means:
+
+- 💾 Save a secret on one Mac → Access it instantly on all your other Macs
+- 🔄 Changes and deletions are synced automatically
+- 🔐 End-to-end encryption ensures your secrets remain secure during sync
+- 🌐 No manual export/import needed
+
+To verify sync is working, open **Keychain Access.app** and select the **iCloud** keychain. Look for entries with server name `kc`.
+
+**Note:** Internet Passwords (used by `kc`) are automatically synced by macOS when iCloud Keychain is enabled. You don't need to do anything special!
 
 ## Full Workflow Example
 
@@ -186,7 +200,7 @@ bundle exec rspec
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/aileron-inc/kc.
+Bug reports and pull requests are welcome on GitHub at https://github.com/aileron-inc/tools.
 
 ## License
 
@@ -194,4 +208,4 @@ The gem is available as open source under the terms of the [MIT License](https:/
 
 ## Code of Conduct
 
-Everyone interacting in the Kc project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/aileron-inc/kc/blob/master/CODE_OF_CONDUCT.md).
+Everyone interacting in the Kc project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/aileron-inc/tools/blob/main/CODE_OF_CONDUCT.md).

data/kc.gemspec

@@ -1,41 +1,40 @@
-
-lib = File.expand_path("../lib", __FILE__)
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require "kc/version"
+require 'kc/version'
 
 Gem::Specification.new do |spec|
-  spec.name          = "kc"
+  spec.name          = 'kc'
   spec.version       = Kc::VERSION
-  spec.authors       = ["AILERON"]
-  spec.email         = ["masa@aileron.cc"]
+  spec.authors       = ['AILERON']
+  spec.email         = ['masa@aileron.cc']
 
-  spec.summary       = %q{Manage .env files in Mac Keychain with direnv}
-  spec.description   = %q{A CLI tool to save and load .env files from Mac Keychain, designed to work seamlessly with direnv}
-  spec.homepage      = "https://github.com/aileron/kc"
-  spec.license       = "MIT"
+  spec.summary       = 'Manage secrets in macOS Keychain with iCloud sync and namespace support'
+  spec.description   = 'A CLI tool to securely store and retrieve secrets from macOS Keychain with automatic iCloud sync across your Macs. Features namespace support for organizing different types of secrets (env files, SSH keys, API tokens, etc.) and works seamlessly with direnv.'
+  spec.homepage      = 'https://github.com/aileron/kc'
+  spec.license       = 'MIT'
 
   # Prevent pushing this gem to RubyGems.org. To allow pushes either set the 'allowed_push_host'
   # to allow pushing to a single host or delete this section to allow pushing to any host.
   if spec.respond_to?(:metadata)
-    spec.metadata["homepage_uri"] = spec.homepage
-    spec.metadata["source_code_uri"] = "https://github.com/aileron/kc"
+    spec.metadata['homepage_uri'] = spec.homepage
+    spec.metadata['source_code_uri'] = 'https://github.com/aileron/kc'
   else
-    raise "RubyGems 2.0 or newer is required to protect against " \
-      "public gem pushes."
+    raise 'RubyGems 2.0 or newer is required to protect against ' \
+      'public gem pushes.'
   end
 
   # Specify which files should be added to the gem when it is released.
   # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
-  spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
     `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   end
-  spec.bindir        = "exe"
+  spec.bindir        = 'exe'
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
-  spec.require_paths = ["lib"]
+  spec.require_paths = ['lib']
 
-  spec.add_dependency "ffi", "~> 1.15"
+  spec.add_dependency 'ffi', '~> 1.15'
 
-  spec.add_development_dependency "bundler"
-  spec.add_development_dependency "rake"
-  spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'rspec', '~> 3.0'
 end

data/lib/kc/keychain.rb

@@ -1,226 +1,308 @@
-require "ffi"
+require 'ffi'
 
 module Kc
   class Keychain
-    SERVICE_NAME = "kc"
+    SERVICE_NAME = 'kc'
 
-    module SecurityFramework
+    module CoreFoundation
       extend FFI::Library
-      ffi_lib "/System/Library/Frameworks/Security.framework/Security"
-
-      # OSStatus SecKeychainAddGenericPassword(
-      #   SecKeychainRef keychain,
-      #   UInt32 serviceNameLength,
-      #   const char *serviceName,
-      #   UInt32 accountNameLength,
-      #   const char *accountName,
-      #   UInt32 passwordLength,
-      #   const void *passwordData,
-      #   SecKeychainItemRef *itemRef
-      # )
-      attach_function :SecKeychainAddGenericPassword, [
-        :pointer,  # keychain (NULL for default)
-        :uint32,   # serviceNameLength
-        :string,   # serviceName
-        :uint32,   # accountNameLength
-        :string,   # accountName
-        :uint32,   # passwordLength
-        :pointer,  # passwordData
-        :pointer   # itemRef (can be NULL)
-      ], :int
-
-      # OSStatus SecKeychainFindGenericPassword(
-      #   CFTypeRef keychainOrArray,
-      #   UInt32 serviceNameLength,
-      #   const char *serviceName,
-      #   UInt32 accountNameLength,
-      #   const char *accountName,
-      #   UInt32 *passwordLength,
-      #   void **passwordData,
-      #   SecKeychainItemRef *itemRef
-      # )
-      attach_function :SecKeychainFindGenericPassword, [
-        :pointer,  # keychainOrArray (NULL for default)
-        :uint32,   # serviceNameLength
-        :string,   # serviceName
-        :uint32,   # accountNameLength
-        :string,   # accountName
-        :pointer,  # passwordLength (output)
-        :pointer,  # passwordData (output)
-        :pointer   # itemRef (output, can be NULL if not needed)
-      ], :int
-
-      # OSStatus SecKeychainItemDelete(SecKeychainItemRef itemRef)
-      attach_function :SecKeychainItemDelete, [:pointer], :int
-
-      # void SecKeychainItemFreeContent(SecKeychainAttributeList *attrList, void *data)
-      attach_function :SecKeychainItemFreeContent, [:pointer, :pointer], :int
-
-      # Constants for attribute tags
-      KSecAccountItemAttr = 0x61636374  # 'acct' in FourCC
-
-      # Attribute structure
-      class SecKeychainAttribute < FFI::Struct
-        layout :tag, :uint32,
-               :length, :uint32,
-               :data, :pointer
-      end
-
-      class SecKeychainAttributeList < FFI::Struct
-        layout :count, :uint32,
-               :attr, :pointer  # Array of SecKeychainAttribute
-      end
-
-      # OSStatus SecKeychainSearchCreateFromAttributes(
-      #   CFTypeRef keychainOrArray,
-      #   SecItemClass itemClass,
-      #   const SecKeychainAttributeList *attrList,
-      #   SecKeychainSearchRef *searchRef
-      # )
-      attach_function :SecKeychainSearchCreateFromAttributes, [
-        :pointer,  # keychainOrArray
-        :uint32,   # itemClass (kSecGenericPasswordItemClass = 'genp')
-        :pointer,  # attrList
-        :pointer   # searchRef (output)
-      ], :int
-
-      # OSStatus SecKeychainSearchCopyNext(
-      #   SecKeychainSearchRef searchRef,
-      #   SecKeychainItemRef *itemRef
-      # )
-      attach_function :SecKeychainSearchCopyNext, [
-        :pointer,  # searchRef
-        :pointer   # itemRef (output)
-      ], :int
-
-      # OSStatus SecKeychainItemCopyAttributesAndData(
-      #   SecKeychainItemRef itemRef,
-      #   SecKeychainAttributeInfo *info,
-      #   SecItemClass *itemClass,
-      #   SecKeychainAttributeList **attrList,
-      #   UInt32 *length,
-      #   void **outData
-      # )
-      attach_function :SecKeychainItemCopyAttributesAndData, [
-        :pointer,  # itemRef
-        :pointer,  # info (NULL for default keychain)
-        :pointer,  # itemClass (can be NULL)
-        :pointer,  # attrList (output)
-        :pointer,  # length (can be NULL)
-        :pointer   # outData (can be NULL)
-      ], :int
-
-      # OSStatus SecKeychainItemFreeAttributesAndData(
-      #   SecKeychainAttributeList *attrList,
-      #   void *data
-      # )
-      attach_function :SecKeychainItemFreeAttributesAndData, [:pointer, :pointer], :int
-
-      # void CFRelease(CFTypeRef cf)
+      ffi_lib '/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation'
+
+      # CFString functions
+      attach_function :CFStringCreateWithCString, %i[pointer string uint32], :pointer
+      attach_function :CFStringGetCString, %i[pointer pointer long uint32], :bool
+      attach_function :CFStringGetLength, [:pointer], :long
+
+      # CFData functions
+      attach_function :CFDataCreate, %i[pointer pointer long], :pointer
+      attach_function :CFDataGetLength, [:pointer], :long
+      attach_function :CFDataGetBytePtr, [:pointer], :pointer
+
+      # CFDictionary functions
+      attach_function :CFDictionaryCreateMutable, %i[pointer long pointer pointer], :pointer
+      attach_function :CFDictionarySetValue, %i[pointer pointer pointer], :void
+      attach_function :CFDictionaryGetValue, %i[pointer pointer], :pointer
+
+      # CFArray functions
+      attach_function :CFArrayGetCount, [:pointer], :long
+      attach_function :CFArrayGetValueAtIndex, %i[pointer long], :pointer
+
+      # CFNumber functions
+      attach_function :CFNumberCreate, %i[pointer int pointer], :pointer
+      attach_function :CFBooleanGetValue, [:pointer], :bool
+
+      # CFRelease
       attach_function :CFRelease, [:pointer], :void
+
+      # Constants
+      KCFStringEncodingUTF8 = 0x08000100
+      KCFNumberSInt32Type = 3
+
+      # Get Boolean constants using symbols
+      def self.kCFBooleanTrue
+        @kCFBooleanTrue ||= begin
+          ptr_ptr = FFI::DynamicLibrary.open(
+            '/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation',
+            FFI::DynamicLibrary::RTLD_LAZY | FFI::DynamicLibrary::RTLD_GLOBAL
+          ).find_symbol('kCFBooleanTrue')
+          FFI::Pointer.new(:pointer, ptr_ptr.address).read_pointer
+        end
+      end
+
+      def self.kCFBooleanFalse
+        @kCFBooleanFalse ||= begin
+          ptr_ptr = FFI::DynamicLibrary.open(
+            '/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation',
+            FFI::DynamicLibrary::RTLD_LAZY | FFI::DynamicLibrary::RTLD_GLOBAL
+          ).find_symbol('kCFBooleanFalse')
+          FFI::Pointer.new(:pointer, ptr_ptr.address).read_pointer
+        end
+      end
+    end
+
+    module SecurityFramework
+      extend FFI::Library
+      ffi_lib '/System/Library/Frameworks/Security.framework/Security'
+
+      # Modern SecItem API
+      attach_function :SecItemAdd, %i[pointer pointer], :int
+      attach_function :SecItemCopyMatching, %i[pointer pointer], :int
+      attach_function :SecItemUpdate, %i[pointer pointer], :int
+      attach_function :SecItemDelete, [:pointer], :int
+
+      # Error codes
+      ErrSecSuccess = 0
+      ErrSecItemNotFound = -25_300
+      ErrSecDuplicateItem = -25_299
+
+      # Helper to get constant addresses from library
+      def self.get_constant(name)
+        ptr = FFI::DynamicLibrary.open(
+          '/System/Library/Frameworks/Security.framework/Security',
+          FFI::DynamicLibrary::RTLD_LAZY | FFI::DynamicLibrary::RTLD_GLOBAL
+        ).find_variable(name)
+        ptr.read_pointer
+      end
     end
 
     class << self
+      # Helper methods for CoreFoundation
+      def create_cf_string(str)
+        CoreFoundation.CFStringCreateWithCString(nil, str, CoreFoundation::KCFStringEncodingUTF8)
+      end
+
+      def create_cf_data(data)
+        ptr = FFI::MemoryPointer.from_string(data)
+        CoreFoundation.CFDataCreate(nil, ptr, data.bytesize)
+      end
+
+      def create_cf_boolean(value)
+        value ? CoreFoundation.kCFBooleanTrue : CoreFoundation.kCFBooleanFalse
+      end
+
+      def cf_string_to_ruby(cf_string)
+        return nil if cf_string.null?
+
+        length = CoreFoundation.CFStringGetLength(cf_string)
+        buffer = FFI::MemoryPointer.new(:char, length * 4 + 1)
+        if CoreFoundation.CFStringGetCString(cf_string, buffer, buffer.size, CoreFoundation::KCFStringEncodingUTF8)
+          buffer.read_string
+        end
+      end
+
+      def cf_data_to_ruby(cf_data)
+        return nil if cf_data.null?
+
+        length = CoreFoundation.CFDataGetLength(cf_data)
+        ptr = CoreFoundation.CFDataGetBytePtr(cf_data)
+        ptr.read_bytes(length)
+      end
+
+      # Get Security framework constants
+      def kSecClass
+        @kSecClass ||= SecurityFramework.get_constant('kSecClass')
+      end
+
+      def kSecClassInternetPassword
+        @kSecClassInternetPassword ||= SecurityFramework.get_constant('kSecClassInternetPassword')
+      end
+
+      def kSecAttrServer
+        @kSecAttrServer ||= SecurityFramework.get_constant('kSecAttrServer')
+      end
+
+      def kSecAttrAccount
+        @kSecAttrAccount ||= SecurityFramework.get_constant('kSecAttrAccount')
+      end
+
+      def kSecAttrProtocol
+        @kSecAttrProtocol ||= SecurityFramework.get_constant('kSecAttrProtocol')
+      end
+
+      def kSecAttrProtocolHTTPS
+        @kSecAttrProtocolHTTPS ||= SecurityFramework.get_constant('kSecAttrProtocolHTTPS')
+      end
+
+      def kSecValueData
+        @kSecValueData ||= SecurityFramework.get_constant('kSecValueData')
+      end
+
+      def kSecReturnData
+        @kSecReturnData ||= SecurityFramework.get_constant('kSecReturnData')
+      end
+
+      def kSecMatchLimit
+        @kSecMatchLimit ||= SecurityFramework.get_constant('kSecMatchLimit')
+      end
+
+      def kSecMatchLimitAll
+        @kSecMatchLimitAll ||= SecurityFramework.get_constant('kSecMatchLimitAll')
+      end
+
+      def kSecReturnAttributes
+        @kSecReturnAttributes ||= SecurityFramework.get_constant('kSecReturnAttributes')
+      end
+
       def save(account_name, content)
-        # Try to delete existing entry first
+        # Try to delete existing entry first (update semantics)
         delete(account_name) rescue nil
 
-        # Add new entry
-        status = SecurityFramework.SecKeychainAddGenericPassword(
-          nil,                        # default keychain
-          SERVICE_NAME.bytesize,      # service name length
-          SERVICE_NAME,               # service name
-          account_name.bytesize,      # account name length
-          account_name,               # account name
-          content.bytesize,           # password length
-          FFI::MemoryPointer.from_string(content),  # password data
-          nil                         # don't need item ref
-        )
-
-        unless status.zero?
+        # Create query dictionary for Internet Password
+        # Note: Internet Passwords are automatically synced via iCloud Keychain when enabled
+        query = CoreFoundation.CFDictionaryCreateMutable(nil, 0, nil, nil)
+
+        server_str = create_cf_string(SERVICE_NAME)
+        account_str = create_cf_string(account_name)
+        data_obj = create_cf_data(content)
+
+        CoreFoundation.CFDictionarySetValue(query, kSecClass, kSecClassInternetPassword)
+        CoreFoundation.CFDictionarySetValue(query, kSecAttrServer, server_str)
+        CoreFoundation.CFDictionarySetValue(query, kSecAttrAccount, account_str)
+        CoreFoundation.CFDictionarySetValue(query, kSecAttrProtocol, kSecAttrProtocolHTTPS)
+        CoreFoundation.CFDictionarySetValue(query, kSecValueData, data_obj)
+
+        status = SecurityFramework.SecItemAdd(query, nil)
+
+        # Cleanup
+        CoreFoundation.CFRelease(server_str)
+        CoreFoundation.CFRelease(account_str)
+        CoreFoundation.CFRelease(data_obj)
+        CoreFoundation.CFRelease(query)
+
+        unless status == SecurityFramework::ErrSecSuccess
           raise Error, "Failed to save to keychain (status: #{status})"
         end
       end
 
       def load(account_name)
-        password_length = FFI::MemoryPointer.new(:uint32)
-        password_data = FFI::MemoryPointer.new(:pointer)
-
-        status = SecurityFramework.SecKeychainFindGenericPassword(
-          nil,                        # default keychain
-          SERVICE_NAME.bytesize,      # service name length
-          SERVICE_NAME,               # service name
-          account_name.bytesize,      # account name length
-          account_name,               # account name
-          password_length,            # password length (output)
-          password_data,              # password data (output)
-          nil                         # don't need item ref
-        )
-
-        unless status.zero?
-          raise Error, "Failed to load from keychain (status: #{status})"
-        end
+        # Create query dictionary for Internet Password
+        query = CoreFoundation.CFDictionaryCreateMutable(nil, 0, nil, nil)
+
+        server_str = create_cf_string(SERVICE_NAME)
+        account_str = create_cf_string(account_name)
 
-        # Read the password data
-        length = password_length.read_uint32
-        data_ptr = password_data.read_pointer
-        password = data_ptr.read_string(length)
+        CoreFoundation.CFDictionarySetValue(query, kSecClass, kSecClassInternetPassword)
+        CoreFoundation.CFDictionarySetValue(query, kSecAttrServer, server_str)
+        CoreFoundation.CFDictionarySetValue(query, kSecAttrAccount, account_str)
+        CoreFoundation.CFDictionarySetValue(query, kSecAttrProtocol, kSecAttrProtocolHTTPS)
+        CoreFoundation.CFDictionarySetValue(query, kSecReturnData, create_cf_boolean(true))
 
-        # Free the memory allocated by Security framework
-        SecurityFramework.SecKeychainItemFreeContent(nil, data_ptr)
+        result_ptr = FFI::MemoryPointer.new(:pointer)
+        status = SecurityFramework.SecItemCopyMatching(query, result_ptr)
 
-        password
+        # Cleanup query
+        CoreFoundation.CFRelease(server_str)
+        CoreFoundation.CFRelease(account_str)
+        CoreFoundation.CFRelease(query)
+
+        unless status == SecurityFramework::ErrSecSuccess
+          if status == SecurityFramework::ErrSecItemNotFound
+            raise Error, "Entry '#{account_name}' not found in keychain"
+          else
+            raise Error, "Failed to load from keychain (status: #{status})"
+          end
+        end
+
+        # Extract data
+        result = result_ptr.read_pointer
+        data = cf_data_to_ruby(result)
+        CoreFoundation.CFRelease(result)
+
+        data
       end
 
       def delete(account_name)
-        item_ref = FFI::MemoryPointer.new(:pointer)
-
-        status = SecurityFramework.SecKeychainFindGenericPassword(
-          nil,
-          SERVICE_NAME.bytesize,
-          SERVICE_NAME,
-          account_name.bytesize,
-          account_name,
-          nil,
-          nil,
-          item_ref
-        )
-
-        unless status.zero?
-          raise Error, "Entry '#{account_name}' not found in keychain"
-        end
+        # Create query dictionary for Internet Password
+        query = CoreFoundation.CFDictionaryCreateMutable(nil, 0, nil, nil)
+
+        server_str = create_cf_string(SERVICE_NAME)
+        account_str = create_cf_string(account_name)
+
+        CoreFoundation.CFDictionarySetValue(query, kSecClass, kSecClassInternetPassword)
+        CoreFoundation.CFDictionarySetValue(query, kSecAttrServer, server_str)
+        CoreFoundation.CFDictionarySetValue(query, kSecAttrAccount, account_str)
+        CoreFoundation.CFDictionarySetValue(query, kSecAttrProtocol, kSecAttrProtocolHTTPS)
 
-        delete_status = SecurityFramework.SecKeychainItemDelete(item_ref.read_pointer)
-        
-        unless delete_status.zero?
-          raise Error, "Failed to delete from keychain (status: #{delete_status})"
+        status = SecurityFramework.SecItemDelete(query)
+
+        # Cleanup
+        CoreFoundation.CFRelease(server_str)
+        CoreFoundation.CFRelease(account_str)
+        CoreFoundation.CFRelease(query)
+
+        unless status == SecurityFramework::ErrSecSuccess
+          if status == SecurityFramework::ErrSecItemNotFound
+            raise Error, "Entry '#{account_name}' not found in keychain"
+          else
+            raise Error, "Failed to delete from keychain (status: #{status})"
+          end
         end
       end
 
       def list(prefix = nil)
+        # Create query dictionary for Internet Password
+        query = CoreFoundation.CFDictionaryCreateMutable(nil, 0, nil, nil)
+
+        server_str = create_cf_string(SERVICE_NAME)
+
+        CoreFoundation.CFDictionarySetValue(query, kSecClass, kSecClassInternetPassword)
+        CoreFoundation.CFDictionarySetValue(query, kSecAttrServer, server_str)
+        CoreFoundation.CFDictionarySetValue(query, kSecAttrProtocol, kSecAttrProtocolHTTPS)
+        CoreFoundation.CFDictionarySetValue(query, kSecMatchLimit, kSecMatchLimitAll)
+        CoreFoundation.CFDictionarySetValue(query, kSecReturnAttributes, create_cf_boolean(true))
+
+        result_ptr = FFI::MemoryPointer.new(:pointer)
+        status = SecurityFramework.SecItemCopyMatching(query, result_ptr)
+
+        # Cleanup query
+        CoreFoundation.CFRelease(server_str)
+        CoreFoundation.CFRelease(query)
+
+        if status == SecurityFramework::ErrSecItemNotFound
+          return []
+        end
+
+        unless status == SecurityFramework::ErrSecSuccess
+          raise Error, "Failed to list keychain items (status: #{status})"
+        end
+
+        # Parse results
+        result = result_ptr.read_pointer
+        count = CoreFoundation.CFArrayGetCount(result)
         accounts = []
-        
-        # Use security dump-keychain and parse output
-        # We need to look for entries with service="kc"
-        output = `security dump-keychain login.keychain-db 2>/dev/null`
-        
-        # Split by keychain entries
-        entries = output.split(/^keychain:/).drop(1)
-        
-        entries.each do |entry|
-          # Check if this entry has svce="kc"
-          if entry =~ /"svce"<blob>="#{SERVICE_NAME}"/
-            # Extract account name
-            if entry =~ /"acct"<blob>="([^"]+)"/
-              account_name = $1
-              # Filter by prefix if provided
-              if prefix.nil? || account_name.start_with?(prefix)
-                accounts << account_name
-              end
-            end
+
+        count.times do |i|
+          item = CoreFoundation.CFArrayGetValueAtIndex(result, i)
+          account_cf = CoreFoundation.CFDictionaryGetValue(item, kSecAttrAccount)
+          account_name = cf_string_to_ruby(account_cf)
+
+          if account_name && (prefix.nil? || account_name.start_with?(prefix))
+            accounts << account_name
           end
         end
 
+        CoreFoundation.CFRelease(result)
+
         accounts.sort.uniq
       end
     end

data/lib/kc/version.rb

@@ -1,3 +1,3 @@
 module Kc
-  VERSION = "0.1.0"
+  VERSION = '0.2.0'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: kc
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - AILERON
@@ -65,8 +65,10 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
-description: A CLI tool to save and load .env files from Mac Keychain, designed to
-  work seamlessly with direnv
+description: A CLI tool to securely store and retrieve secrets from macOS Keychain
+  with automatic iCloud sync across your Macs. Features namespace support for organizing
+  different types of secrets (env files, SSH keys, API tokens, etc.) and works seamlessly
+  with direnv.
 email:
 - masa@aileron.cc
 executables:
@@ -113,5 +115,5 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 rubygems_version: 3.6.9
 specification_version: 4
-summary: Manage .env files in Mac Keychain with direnv
+summary: Manage secrets in macOS Keychain with iCloud sync and namespace support
 test_files: []