From 8fdc89780762088aa35e230ab067f3542eb423f5 Mon Sep 17 00:00:00 2001
From: Danny Cosson <danny@zocomputer.com>
Date: Sat, 16 May 2026 22:09:01 -0700
Subject: [PATCH] Allow custom Touch ID prompt via AGE_PLUGIN_SE_PROMPT env var

When set, the value of AGE_PLUGIN_SE_PROMPT is used as the
LAContext.localizedReason shown in the authentication dialog
during decryption. Lets callers (e.g. CLIs invoking sops or age)
display a meaningful description of what's being approved.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 Sources/Crypto.swift | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/Sources/Crypto.swift b/Sources/Crypto.swift
index 059a5ef..021ac5e 100644
--- a/Sources/Crypto.swift
+++ b/Sources/Crypto.swift
@@ -78,7 +78,14 @@ protocol SecureEnclaveMLKEM768PrivateKey {
 
 #if !os(Linux) && !os(Windows)
   class CryptoKitCrypto: Crypto {
-    let context = LAContext()
+    let context: LAContext = {
+      let ctx = LAContext()
+      if let prompt = ProcessInfo.processInfo.environment["AGE_PLUGIN_SE_PROMPT"],
+         !prompt.isEmpty {
+        ctx.localizedReason = prompt
+      }
+      return ctx
+    }()
 
     var isSecureEnclaveAvailable: Bool {
       return SecureEnclave.isAvailable