From b2342a1e4f0d337364ca4e192cc6d455b4d5ffd8 Mon Sep 17 00:00:00 2001
From: Tristan Havelick <tristan@havelick.com>
Date: Fri, 13 Feb 2026 17:37:26 -0700
Subject: [PATCH] Prompt before unlocking macOS keychain in SSH sessions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 zsh/core.zsh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/zsh/core.zsh b/zsh/core.zsh
index 84e9360..b1b7d53 100644
--- a/zsh/core.zsh
+++ b/zsh/core.zsh
@@ -67,7 +67,9 @@ if is_wayland; then
 fi
 
 # macOS keychain auto-unlock for SSH sessions
-[[ "$(get_os_type)" == "macos" && -n "$SSH_CONNECTION" ]] && ! security show-keychain-info ~/Library/Keychains/login.keychain-db 2>/dev/null && security unlock-keychain ~/Library/Keychains/login.keychain-db
+if [[ "$(get_os_type)" == "macos" && -n "$SSH_CONNECTION" ]] && ! security show-keychain-info ~/Library/Keychains/login.keychain-db 2>/dev/null; then
+    read -q "?Keychain is locked. Unlock it? [y/N] " && echo && security unlock-keychain ~/Library/Keychains/login.keychain-db || echo
+fi
 
 # Keyboard layout (only matters on systems that use it)
 export XKB_DEFAULT_LAYOUT="us(colemak)"