[GH-ISSUE #522] Keychain migration cleanup should remove stale global config credentials when local config is active #146

New issue

Closed

opened 2026-02-26 21:33:46 +03:00 by kerem · 3 comments

kerem commented 2026-02-26 21:33:46 +03:00

Owner

Copy link

Originally created by @rudrankriyam on GitHub (Feb 14, 2026).
Original GitHub issue: https://github.com/rudrankriyam/App-Store-Connect-CLI/issues/522

Summary

After successful keychain storage, config cleanup can miss credentials stored in global config when a repo-local config is active.

Why this matters

Users can end up with stale credentials left in ~/.asc/config.json even after migration, causing confusion and potential fallback use when keychain is bypassed/unavailable.

Current behavior

removeFromConfigIfPresent -> removeFromConfig uses config.Load() / config.Path(), which prefer local config if present.
This can skip cleanup in global config.

Expected behavior

Cleanup should be applied to all relevant config scopes (active + global), similar to clearConfigCredentials() behavior.

Reproduction

1. Store credentials in global config.
2. Enter repo with local .asc/config.json.
3. Run keychain-backed login/migration flow.
4. Observe global config credentials may remain.

Detailed implementation plan

• Refactor single-profile removal helper to support path-scoped removal.
• Apply removal to both active path and global path (when different).
• Preserve non-target credentials and file integrity.
• Add tests for mixed local/global scenarios.
• Ensure no regressions for ASC_CONFIG_PATH overrides.

Acceptance criteria

• Successful keychain storage removes matching stale config credentials from both active and global locations where applicable.
• Local-only and global-only setups continue to behave correctly.
• Multi-profile config behavior remains intact.

cc @cursor please implement this end-to-end.

Originally created by @rudrankriyam on GitHub (Feb 14, 2026). Original GitHub issue: https://github.com/rudrankriyam/App-Store-Connect-CLI/issues/522 ## Summary After successful keychain storage, config cleanup can miss credentials stored in global config when a repo-local config is active. ## Why this matters Users can end up with stale credentials left in `~/.asc/config.json` even after migration, causing confusion and potential fallback use when keychain is bypassed/unavailable. ## Current behavior `removeFromConfigIfPresent` -> `removeFromConfig` uses `config.Load()` / `config.Path()`, which prefer local config if present. This can skip cleanup in global config. ## Expected behavior Cleanup should be applied to all relevant config scopes (active + global), similar to `clearConfigCredentials()` behavior. ## Reproduction 1. Store credentials in global config. 2. Enter repo with local `.asc/config.json`. 3. Run keychain-backed login/migration flow. 4. Observe global config credentials may remain. ## Detailed implementation plan - [ ] Refactor single-profile removal helper to support path-scoped removal. - [ ] Apply removal to both active path and global path (when different). - [ ] Preserve non-target credentials and file integrity. - [ ] Add tests for mixed local/global scenarios. - [ ] Ensure no regressions for `ASC_CONFIG_PATH` overrides. ## Acceptance criteria - [ ] Successful keychain storage removes matching stale config credentials from both active and global locations where applicable. - [ ] Local-only and global-only setups continue to behave correctly. - [ ] Multi-profile config behavior remains intact. cc @cursor please implement this end-to-end.

kerem 2026-02-26 21:33:46 +03:00

• closed this issue
• added the
  bug
  label

kerem commented 2026-02-26 21:33:47 +03:00

Author

Owner

Copy link

@rudrankriyam commented on GitHub (Feb 14, 2026):

@cursor please implement this issue end-to-end using the checklist and acceptance criteria.

<!-- gh-comment-id:3900361668 --> @rudrankriyam commented on GitHub (Feb 14, 2026): @cursor please implement this issue end-to-end using the checklist and acceptance criteria.

kerem commented 2026-02-26 21:33:47 +03:00

Author

Owner

Copy link

@cursor[bot] commented on GitHub (Feb 14, 2026):

Implemented end-to-end on cursor/keychain-migration-cleanup-scope-50c1 and pushed in two commits:

• b6034f4 — Fix keychain migration cleanup across config scopes
• dcc4e25 — Remove unused config cleanup wrapper

What I changed:

• Refactored credential cleanup to be path-scoped and reusable:
  • Added removeFromConfigAt(name, path) so removal can target specific config files.
  • Added configCleanupPaths() to resolve active + global config paths (deduped when same).
• Updated removeFromConfigIfPresent to apply cleanup across all relevant scopes:
  • Removes matching stale credentials from active and global configs where applicable.
  • Preserves existing behavior for not-found/missing-file cases.
• Updated clearConfigCredentials() to use the same active+global path resolution helper.
• Added regression tests for mixed-scope and override behavior:
  • TestStoreCredentials_RemovesStaleGlobalCredentialWhenLocalConfigActive
  • TestStoreCredentials_RemovesStaleCredentialFromOverrideAndGlobalConfigs
  • Both assert non-target credentials are preserved and config files remain valid.

Validation performed:

• Reproduced bug with new tests (RED), then verified fix (GREEN).
• Ran focused regression suite:
  • go test ./internal/auth -run 'TestStoreCredentials(FallbackToConfig|_RemovesStaleGlobalCredentialWhenLocalConfigActive|_RemovesStaleCredentialFromOverrideAndGlobalConfigs)$' -count=1 ✅
• Ran required repo checks:
  • make format ✅
  • make lint ✅
  • make test ✅

 

<!-- gh-comment-id:3900361790 --> @cursor[bot] commented on GitHub (Feb 14, 2026): Implemented end-to-end on `cursor/keychain-migration-cleanup-scope-50c1` and pushed in two commits: - `b6034f4` — **Fix keychain migration cleanup across config scopes** - `dcc4e25` — **Remove unused config cleanup wrapper** What I changed: - Refactored credential cleanup to be **path-scoped** and reusable: - Added `removeFromConfigAt(name, path)` so removal can target specific config files. - Added `configCleanupPaths()` to resolve **active + global** config paths (deduped when same). - Updated `removeFromConfigIfPresent` to apply cleanup across all relevant scopes: - Removes matching stale credentials from active and global configs where applicable. - Preserves existing behavior for not-found/missing-file cases. - Updated `clearConfigCredentials()` to use the same active+global path resolution helper. - Added regression tests for mixed-scope and override behavior: - `TestStoreCredentials_RemovesStaleGlobalCredentialWhenLocalConfigActive` - `TestStoreCredentials_RemovesStaleCredentialFromOverrideAndGlobalConfigs` - Both assert non-target credentials are preserved and config files remain valid. Validation performed: - Reproduced bug with new tests (RED), then verified fix (GREEN). - Ran focused regression suite: - `go test ./internal/auth -run 'TestStoreCredentials(FallbackToConfig|_RemovesStaleGlobalCredentialWhenLocalConfigActive|_RemovesStaleCredentialFromOverrideAndGlobalConfigs)$' -count=1` ✅ - Ran required repo checks: - `make format` ✅ - `make lint` ✅ - `make test` ✅ <p><a href="https://github.com/rudrankriyam/App-Store-Connect-CLI/pull/530"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/view-pr-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/view-pr-light.png"><img alt="View PR" width="86" height="28" src="https://cursor.com/assets/images/view-pr-light.png"></picture></a></p> <p><a href="https://cursor.com/background-agent?bcId=bc-6575c373-004e-4fab-b340-34cc4de2d208"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img alt="Open in Cursor" width="131" height="28" src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a>&nbsp;<a href="https://cursor.com/agents?id=bc-6575c373-004e-4fab-b340-34cc4de2d208"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-web-light.png"><img alt="Open in Web" width="114" height="28" src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a></p>

kerem commented 2026-02-26 21:33:47 +03:00

Author

Owner

Copy link

@rudrankriyam commented on GitHub (Feb 14, 2026):

Fixed in #530 (merged to main).

<!-- gh-comment-id:3900689421 --> @rudrankriyam commented on GitHub (Feb 14, 2026): Fixed in #530 (merged to main).

kerem referenced this issue 2026-02-26 21:34:35 +03:00

[PR #146] [MERGED] Signing certificate handling #327

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

1.2.6

1.2.5

1.2.4

1.2.3

1.2.2

1.2.1

1.2.0

1.1.1

1.1.0

1.0.1

1.0.0

0.49.1

0.49.0

0.48.1

0.48.0

0.47.1

0.47.0

0.46.2

0.46.1

0.46.0

0.45.4

0.45.3

0.45.2

0.45.1

0.45.0

0.44.2

0.44.1

0.44.0

0.43.0

0.42.0

0.41.4

0.41.3

0.41.2

0.41.1

0.41.0

0.40.1

0.40.0

0.39.1

0.39.0

0.38.3

0.38.2

0.38.1

0.38.0

0.37.3

0.37.2

0.37.1

0.37.0

0.36.3

0.36.2

0.36.1

0.36.0

0.35.3

0.35.2

0.35.1

0.35.0

0.34.1

0.34.0

0.33.2

0.33.1

0.33.0

0.32.0

0.31.3

0.31.2

0.31.1

0.31.0

0.30.0

0.29.3

0.29.2

0.29.1

0.29.0

0.28.14

0.28.13

0.28.12

0.28.11

0.28.10

0.28.9

0.28.8

0.28.7

0.28.6

0.28.5

0.28.4

0.28.3

0.28.2

0.28.1

0.28.0

0.27.0

0.26.4

0.26.3

0.26.2

0.26.1

0.26.0

0.25.4

0.25.3

0.25.1

0.25.0

0.24.3

0.24.2

0.24.1

0.24.0

0.23.5

0.23.4

0.23.3

0.23.2

0.23.1

0.23.0

0.22.1

0.22.0

0.21.0

0.20.2

0.20.1

0.20.0

0.19.3

0.19.2

0.19.1

0.19.0

0.18.2

0.18.1

0.18.0

0.17.0

0.16.0

0.15.0

0.14.0

0.13.0

0.12.4

0.12.3

0.12.2

0.12.1

0.12.0

0.11.0

0.10.2

0.10.1

0.10.0

0.9.0

0.8.1

0.8.0

0.7.0

0.6.0

0.5.0

0.3.1

0.3.0

0.2.0

0.1.6

0.1.5

0.1.4

0.1.3

0.1.2

0.1.1

0.1.0

Labels

Clear labels   

bug

  

bug

  

documentation

  

enhancement

  

pull-request

Mirrored from GitHub Pull Request

No labels

bug

bug

documentation

enhancement

pull-request

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/App-Store-Connect-CLI#146

No description provided.