Security
How Arris stores your credentials securely using the macOS Keychain.
macOS Keychain
Arris uses the macOS Keychain as its credential store. Every password, private key passphrase, and bearer token is saved to the Keychain via the system's native Security framework. Credentials are encrypted at rest by macOS and protected by your login password or Touch ID.
This means your secrets are never written to plain text files, config files, or SQLite databases on disk. Even if someone gains access to the Arris application data directory, they cannot extract passwords without Keychain access.
You can inspect Arris's Keychain entry in the macOS Keychain Access app.
All secrets live in a single item under the lowercase "arris" service
(account "secrets"). Keeping everything in one item means macOS prompts for
access at most once, instead of once per connection.
What goes in Keychain
Arris stores the following sensitive values in the macOS Keychain:
- Connection passwords: the database password for each saved connection.
- SSH private key passphrases: if your SSH key is passphrase-protected, the passphrase is stored so you are not prompted on every connection.
- MCP bearer token: the token that authenticates the built-in MCP server.
All three are held in the single arris Keychain item as an encrypted vault,
with passwords and passphrases keyed by the connection's unique identifier. Renaming or
reorganizing connections in the sidebar does not affect credential storage.
What stays on disk
Non-secret connection metadata is stored per project, in a JSON file inside the project's
.arris directory at <project-root>/.arris/connections.json.
Each project keeps its own connection list, so connections defined in one project do not
leak into another. This file contains:
- Host and port — the server address for each connection.
- Database name — the default database or catalog.
- Username — the database user (not considered a secret in most environments).
- Connection options — SSL mode, SSH tunnel host/port/user, display name, color tint, and other non-sensitive settings.
No passwords, private keys, or tokens appear in this file. You can safely back it up, version-control it, or share it with teammates — credentials will need to be re-entered on each machine.
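Before committing or sharing connections.json, the claim above can be checked mechanically. The following is an added example, not Arris code: the page does not document the file's schema, so the scanner walks any JSON structure, and the key names in the constructed samples and the script name are hypothetical.

```python
import json
import re
import sys

# The schema of connections.json is not given on the page, so this check is
# schema-agnostic: it walks any JSON structure instead of assuming field names.
SECRET_KEY = re.compile(r"passw(or)?d|passphrase|secret|token|private[_-]?key", re.I)
PEM_BLOCK = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
URL_WITH_PASSWORD = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)


def find_secrets(node, path="$"):
    """Return (json_path, reason) for every entry that looks like a secret."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            # Only a non-empty string counts; a boolean flag is not a secret.
            if SECRET_KEY.search(key) and isinstance(value, str) and value:
                findings.append((child, "secret-like key with a value"))
            findings.extend(find_secrets(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings.extend(find_secrets(item, f"{path}[{index}]"))
    elif isinstance(node, str):
        if PEM_BLOCK.search(node):
            findings.append((path, "PEM private key"))
        elif URL_WITH_PASSWORD.search(node):
            findings.append((path, "URL with embedded password"))
    return findings


# Constructed samples; every key name below is hypothetical.
CLEAN = json.loads("""[{"id": "c1", "host": "db.example.internal", "port": 5432,
  "database": "app", "username": "app_ro", "sslMode": "require",
  "ssh": {"host": "bastion.example.internal", "port": 22, "user": "deploy"}}]""")
LEAKY = json.loads("""[{"id": "c2", "host": "db.example.internal",
  "password": "constructed-value",
  "options": {"url": "postgres://app:constructed@db.example.internal/app"}}]""")

if __name__ == "__main__":
    # Usage: python check_connections.py <project-root>/.arris/connections.json
    with open(sys.argv[1], encoding="utf-8") as handle:
        hits = find_secrets(json.load(handle))
    for where, why in hits:
        print(f"{where}: {why}")  # print the location only, never the value
    sys.exit(1 if hits else 0)
```

The non-zero exit status on any finding lets the script run as a pre-commit hook or CI step for repositories that track the .arris directory.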