TableProApp · datlechin · May 29, 2026 · May 29, 2026 · May 29, 2026 · May 29, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- A connection can read its password from a file, environment variable, or command at connect time instead of the Keychain, so scripts can provision a connection without entering the password by hand. (#1254)
+
 ### Fixed
 
 - Moving a connection into or out of a group now syncs across devices, instead of leaving it ungrouped on your other Macs.

diff --git a/TablePro/Core/Database/DatabaseDriver.swift b/TablePro/Core/Database/DatabaseDriver.swift
@@ -479,6 +479,9 @@ enum DatabaseDriverFactory {
             return try await resolveIAMPassword(for: connection, fields: fields)
         }
         if let override { return override }
+        if let passwordSource = connection.passwordSource {
+            return try await PasswordSourceResolver.resolve(passwordSource)
+        }
         if connection.usePgpass {
             let pgpassHost = connection.additionalFields["pgpassOriginalHost"] ?? connection.host
             let pgpassPort = connection.additionalFields["pgpassOriginalPort"]

diff --git a/TablePro/Core/Database/DatabaseManager+Tunnel.swift b/TablePro/Core/Database/DatabaseManager+Tunnel.swift
@@ -41,6 +41,7 @@ extension DatabaseManager {
             type: connection.type,
             sshConfig: SSHConfiguration(),
             sslConfig: tunnelSSL,
+            passwordSource: connection.passwordSource,
             additionalFields: effectiveFields
         )
     }

diff --git a/TablePro/Core/Storage/ConnectionStorage.swift b/TablePro/Core/Storage/ConnectionStorage.swift
@@ -278,6 +278,7 @@ final class ConnectionStorage {
             startupCommands: connection.startupCommands,
             sortOrder: connection.sortOrder,
             localOnly: connection.localOnly,
+            passwordSource: connection.passwordSource,
             additionalFields: connection.additionalFields.isEmpty ? nil : connection.additionalFields
         )
 
@@ -591,6 +592,9 @@ private struct StoredConnection: Codable {
     // Plugin-driven additional fields
     let additionalFields: [String: String]?
 
+    // Password source (file, env, or command) for connections provisioned outside the app
+    let passwordSource: PasswordSource?
+
     init(from connection: DatabaseConnection) {
         self.id = connection.id
         self.name = connection.name
@@ -676,6 +680,9 @@ private struct StoredConnection: Codable {
 
         // Plugin-driven additional fields
         self.additionalFields = connection.additionalFields.isEmpty ? nil : connection.additionalFields
+
+        // Password source (not synced to iCloud; see SyncRecordMapper)
+        self.passwordSource = connection.passwordSource
     }
 
     private enum CodingKeys: String, CodingKey {
@@ -698,6 +705,7 @@ private struct StoredConnection: Codable {
         case localOnly
         case isSample
         case isFavorite
+        case passwordSource
     }
 
     func encode(to encoder: Encoder) throws {
@@ -741,6 +749,7 @@ private struct StoredConnection: Codable {
         try container.encode(localOnly, forKey: .localOnly)
         try container.encode(isSample, forKey: .isSample)
         try container.encode(isFavorite, forKey: .isFavorite)
+        try container.encodeIfPresent(passwordSource, forKey: .passwordSource)
     }
 
     // Custom decoder to handle migration from old format
@@ -807,6 +816,7 @@ private struct StoredConnection: Codable {
         sshTunnelModeJson = try container.decodeIfPresent(Data.self, forKey: .sshTunnelModeJson)
         cloudflareTunnelModeJson = try container.decodeIfPresent(Data.self, forKey: .cloudflareTunnelModeJson)
         additionalFields = try container.decodeIfPresent([String: String].self, forKey: .additionalFields)
+        passwordSource = PasswordSource.resilientlyDecoded(from: container, forKey: .passwordSource)
         localOnly = try container.decodeIfPresent(Bool.self, forKey: .localOnly) ?? false
         isSample = try container.decodeIfPresent(Bool.self, forKey: .isSample) ?? false
         isFavorite = try container.decodeIfPresent(Bool.self, forKey: .isFavorite) ?? false
@@ -914,6 +924,7 @@ private struct StoredConnection: Codable {
             localOnly: localOnly,
             isSample: isSample,
             isFavorite: isFavorite,
+            passwordSource: passwordSource,
             additionalFields: mergedFields
         )
     }

diff --git a/TablePro/Core/Sync/SyncCoordinator.swift b/TablePro/Core/Sync/SyncCoordinator.swift
@@ -517,6 +517,7 @@ final class SyncCoordinator {
             }
             var merged = remoteConnection
             merged.localOnly = connections[index].localOnly
+            merged.passwordSource = connections[index].passwordSource
             connections[index] = merged
         } else {
             connections.append(remoteConnection)

diff --git a/TablePro/Core/Sync/SyncRecordMapper.swift b/TablePro/Core/Sync/SyncRecordMapper.swift
@@ -113,6 +113,8 @@ struct SyncRecordMapper {
         // the sync schema in the future, apply path contraction to its snapshot.
         // cloudflareTunnelMode is also NOT synced: it is device-local runtime
         // config and its service-token secrets live in the Keychain.
+        // passwordSource is also NOT synced: its file path, env var, or command
+        // is device-local and may not exist or resolve on another Mac.
         do {
             let sshData = try encoder.encode(Self.makePortable(connection.sshConfig))
             record["sshConfigJson"] = sshData as CKRecordValue

diff --git a/TablePro/Core/Utilities/Connection/PasswordSourceResolver.swift b/TablePro/Core/Utilities/Connection/PasswordSourceResolver.swift
@@ -0,0 +1,237 @@
+//
+//  PasswordSourceResolver.swift
+//  TablePro
+//
+
+import Foundation
+import os
+
+/// Resolves a connection password from an external source declared in connections.json.
+/// File and command sources require a non-sandboxed build; TablePro ships with the hardened
+/// runtime and no App Sandbox, so spawning a process and reading arbitrary files is allowed.
+enum PasswordSourceResolver {
+    private static let logger = Logger(subsystem: "com.TablePro", category: "PasswordSourceResolver")
+
+    private static let commandTimeoutSeconds: UInt64 = 30
+    private static let maxOutputBytes = 1_048_576
+
+    enum ResolutionError: LocalizedError {
+        case fileNotFound(path: String)
+        case fileUnreadable(path: String)
+        case environmentVariableNotSet(name: String)
+        case commandFailed(exitCode: Int32, stderr: String)
+        case commandTimedOut
+        case outputTooLarge
+        case emptyPassword
+
+        var errorDescription: String? {
+            switch self {
+            case let .fileNotFound(path):
+                return String(format: String(localized: "Password file not found: %@"), path)
+            case let .fileUnreadable(path):
+                return String(format: String(localized: "Could not read password file: %@"), path)
+            case let .environmentVariableNotSet(name):
+                return String(
+                    format: String(localized: """
+                    Environment variable %@ is not set in TablePro's environment. \
+                    Apps launched from the Dock do not inherit shell exports. Launch TablePro \
+                    from a terminal, or set the variable with launchctl setenv.
+                    """),
+                    name
+                )
+            case let .commandFailed(exitCode, stderr):
+                let message = stderr.trimmingCharacters(in: .whitespacesAndNewlines)
+                if message.isEmpty {
+                    return String(format: String(localized: "Password command failed with exit code %d"), exitCode)
+                }
+                return String(format: String(localized: "Password command failed (exit %d): %@"), exitCode, message)
+            case .commandTimedOut:
+                return String(localized: "Password command timed out after 30 seconds")
+            case .outputTooLarge:
+                return String(localized: "Password command produced too much output")
+            case .emptyPassword:
+                return String(localized: "The password source produced an empty password")
+            }
+        }
+    }
+
+    static func resolve(_ source: PasswordSource) async throws -> String {
+        switch source {
+        case let .file(path):
+            return try resolveFile(path: path)
+        case let .env(variable):
+            return try resolveEnvironment(variable: variable)
+        case let .command(shell):
+            return try await resolveCommand(shell: shell, timeoutSeconds: commandTimeoutSeconds)
+        }
+    }
+
+    private static func resolveFile(path: String) throws -> String {
+        let expandedPath = (path as NSString).expandingTildeInPath
+        guard FileManager.default.fileExists(atPath: expandedPath) else {
+            throw ResolutionError.fileNotFound(path: expandedPath)
+        }
+        warnIfPermissionsInsecure(path: expandedPath)
+        guard let contents = try? String(contentsOfFile: expandedPath, encoding: .utf8) else {
+            throw ResolutionError.fileUnreadable(path: expandedPath)
+        }
+        return try nonEmpty(contents.trimmingCharacters(in: .whitespacesAndNewlines))
+    }
+
+    private static func resolveEnvironment(variable: String) throws -> String {
+        guard let value = ProcessInfo.processInfo.environment[variable] else {
+            throw ResolutionError.environmentVariableNotSet(name: variable)
+        }
+        return try nonEmpty(value.trimmingCharacters(in: .whitespacesAndNewlines))
+    }
+
+    static func resolveCommand(shell: String, timeoutSeconds: UInt64) async throws -> String {
+        let output = try await Task.detached(priority: .userInitiated) { () throws -> String in
+            let process = Process()
+            process.executableURL = URL(fileURLWithPath: "/bin/bash")
+            process.arguments = ["-c", shell]
+            process.environment = augmentedEnvironment()
+            process.standardInput = FileHandle.nullDevice
+
+            let stdoutPipe = Pipe()
+            let stderrPipe = Pipe()
+            process.standardOutput = stdoutPipe
+            process.standardError = stderrPipe
+
+            let stdoutCollector = PipeDataCollector(maxBytes: maxOutputBytes)
+            let stderrCollector = PipeDataCollector(maxBytes: maxOutputBytes)
+            stdoutPipe.fileHandleForReading.readabilityHandler = { handle in
+                let chunk = handle.availableData
+                guard !chunk.isEmpty else { return }
+                stdoutCollector.append(chunk)
+                if stdoutCollector.overflowed, process.isRunning {
+                    process.terminate()
+                }
+            }
+            stderrPipe.fileHandleForReading.readabilityHandler = { handle in
+                let chunk = handle.availableData
+                if !chunk.isEmpty { stderrCollector.append(chunk) }
+            }
+
+            try process.run()
+
+            let didTimeout = AtomicFlag()
+            let timeoutTask = Task.detached {
+                try await Task.sleep(nanoseconds: timeoutSeconds * 1_000_000_000)
+                if process.isRunning {
+                    didTimeout.set()
+                    process.terminate()
+                }
+            }
+
+            process.waitUntilExit()
+            timeoutTask.cancel()
+
+            stdoutPipe.fileHandleForReading.readabilityHandler = nil
+            stderrPipe.fileHandleForReading.readabilityHandler = nil
+
+            if stdoutCollector.overflowed {
+                throw ResolutionError.outputTooLarge
+            }
+            if didTimeout.isSet {
+                throw ResolutionError.commandTimedOut
+            }
+            if process.terminationStatus != 0 {
+                throw ResolutionError.commandFailed(
+                    exitCode: process.terminationStatus,
+                    stderr: stderrCollector.string
+                )
+            }
+            return stdoutCollector.string
+        }.value
+
+        guard !output.contains("\0") else {
+            throw ResolutionError.emptyPassword
+        }
+        return try nonEmpty(output.trimmingCharacters(in: .whitespacesAndNewlines))
+    }
+
+    private static func augmentedEnvironment() -> [String: String] {
+        var environment = ProcessInfo.processInfo.environment
+        let toolPaths = ["/usr/local/bin", "/opt/homebrew/bin", "/usr/bin", "/bin", "/usr/sbin", "/sbin"]
+        var pathComponents = (environment["PATH"] ?? "").split(separator: ":").map(String.init)
+        for toolPath in toolPaths where !pathComponents.contains(toolPath) {
+            pathComponents.append(toolPath)
+        }
+        environment["PATH"] = pathComponents.joined(separator: ":")
+        return environment
+    }
+
+    private static func warnIfPermissionsInsecure(path: String) {
+        guard let attributes = try? FileManager.default.attributesOfItem(atPath: path),
+              let permissions = attributes[.posixPermissions] as? Int else {
+            return
+        }
+        if permissions & 0o077 != 0 {
+            logger.warning("Password file is group or world accessible; restrict it with chmod 600")
+        }
+    }
+
+    private static func nonEmpty(_ password: String) throws -> String {
+        guard !password.isEmpty else {
+            throw ResolutionError.emptyPassword
+        }
+        return password
+    }
+}
+
+private final class PipeDataCollector: @unchecked Sendable {
+    private let lock = NSLock()
+    private let maxBytes: Int
+    private var data = Data()
+    private var didOverflow = false
+
+    init(maxBytes: Int) {
+        self.maxBytes = maxBytes
+    }
+
+    func append(_ chunk: Data) {
+        lock.lock()
+        defer { lock.unlock() }
+        let remaining = maxBytes - data.count
+        guard remaining > 0 else {
+            didOverflow = true
+            return
+        }
+        if chunk.count > remaining {
+            data.append(chunk.prefix(remaining))
+            didOverflow = true
+        } else {
+            data.append(chunk)
+        }
+    }
+
+    var overflowed: Bool {
+        lock.lock()
+        defer { lock.unlock() }
+        return didOverflow
+    }
+
+    var string: String {
+        lock.lock()
+        defer { lock.unlock() }
+        return String(data: data, encoding: .utf8) ?? ""
+    }
+}
+
+private final class AtomicFlag: @unchecked Sendable {
+    private let lock = NSLock()
+    private var value = false
+
+    func set() {
+        lock.lock()
+        value = true
+        lock.unlock()
+    }
+
+    var isSet: Bool {
+        lock.lock()
+        defer { lock.unlock() }
+        return value
+    }
+}
diff --git a/TablePro/Models/Connection/DatabaseConnection.swift b/TablePro/Models/Connection/DatabaseConnection.swift
@@ -334,6 +334,7 @@ struct DatabaseConnection: Identifiable, Hashable {
     var localOnly: Bool = false
     var isSample: Bool = false
     var isFavorite: Bool = false
+    var passwordSource: PasswordSource?
 
     var mongoAuthSource: String? {
         get { additionalFields["mongoAuthSource"]?.nilIfEmpty }
@@ -430,6 +431,7 @@ struct DatabaseConnection: Identifiable, Hashable {
         localOnly: Bool = false,
         isSample: Bool = false,
         isFavorite: Bool = false,
+        passwordSource: PasswordSource? = nil,
         additionalFields: [String: String]? = nil
     ) {
         self.id = id
@@ -472,6 +474,7 @@ struct DatabaseConnection: Identifiable, Hashable {
         self.localOnly = localOnly
         self.isSample = isSample
         self.isFavorite = isFavorite
+        self.passwordSource = passwordSource
         if let additionalFields {
             self.additionalFields = additionalFields
         } else {
@@ -520,6 +523,7 @@ extension DatabaseConnection: Codable {
         case sshConfig, sslConfig, color, tagId, groupId, sshProfileId
         case sshTunnelMode, cloudflareTunnelMode, safeModeLevel, aiPolicy, aiRules, aiAlwaysAllowedTools, externalAccess, additionalFields
         case redisDatabase, startupCommands, sortOrder, localOnly, isSample, isFavorite
+        case passwordSource
     }
 
     init(from decoder: Decoder) throws {
@@ -549,6 +553,7 @@ extension DatabaseConnection: Codable {
         localOnly = try container.decodeIfPresent(Bool.self, forKey: .localOnly) ?? false
         isSample = try container.decodeIfPresent(Bool.self, forKey: .isSample) ?? false
         isFavorite = try container.decodeIfPresent(Bool.self, forKey: .isFavorite) ?? false
+        passwordSource = PasswordSource.resilientlyDecoded(from: container, forKey: .passwordSource)
         cloudflareTunnelMode = try container.decodeIfPresent(CloudflareTunnelMode.self, forKey: .cloudflareTunnelMode) ?? .disabled
 
         // Migrate from legacy fields if sshTunnelMode is not present
@@ -600,6 +605,7 @@ extension DatabaseConnection: Codable {
         try container.encode(localOnly, forKey: .localOnly)
         try container.encode(isSample, forKey: .isSample)
         try container.encode(isFavorite, forKey: .isFavorite)
+        try container.encodeIfPresent(passwordSource, forKey: .passwordSource)
     }
 }