Goodboy

A free macOS app that moves passwords between password managers, browsers, and iCloud. You pick a source, pick a destination, and Goodboy handles the reading, converting, and writing. Credentials live in RAM during the transfer and are never saved to disk.

Domain: gboy.app

1. What Goodboy Does

Password managers don't talk to each other. If you switch from 1Password to Bitwarden, run iCloud Keychain on your Mac and Chrome on your Pixel, or want your KeePassXC vault to mirror what's in Apple Passwords, you're stuck wrestling with CSV exports that lose your one-time-password seeds and passkeys along the way.

Goodboy treats this as an infrastructure problem. It connects directly to the major password ecosystems on macOS, pulls credentials into SecuredBox — an encrypted, in-memory workspace that never touches disk — and writes them back out to any supported destination, or exports to a universal interchange format that every other manager can import.

The flagship capability is Apple passkey export. Apple locks passkeys inside iCloud Keychain with no standard way out. Goodboy is the only macOS tool that reads them and converts them to KeePassXC or Bitwarden JSON.

Everything runs locally. No account, no telemetry, no server, no subscription. The engine, the CLI, and the MCP server are open source.

2. Sources (Read From)

Source	What You Get	How
iCloud / Apple Passwords	Passwords, OTP, passkeys	Apple Credential Exchange Protocol (CXP)
Chrome (multi-profile)	Passwords	Direct read from local Chromium DB
Brave	Passwords	Direct read from local Chromium DB
Edge	Passwords	Direct read from local Chromium DB
Opera	Passwords	Direct read from local Chromium DB
Vivaldi / Arc	Passwords	Direct read from local Chromium DB
1Password	Passwords, OTP, custom fields, notes	Official `op` CLI
Bitwarden	Passwords, OTP, custom fields	Official `bw` CLI
ProtonPass	Passwords, OTP, custom fields, notes	Official `pass-cli`
KeePassXC	Passwords, OTP, passkeys, notes	`keepassxc-cli`

Each Chrome profile is a separate device (Goodboy auto-discovers them all). Each KeePassXC database is a separate device.

3. Destinations (Write To)

Destination	What It Accepts
Chrome	Passwords only — OTP and passkeys are dropped (warned in advance)
KeePassXC	Passwords, OTP, passkeys, notes
iCloud / Apple Passwords	Passwords, OTP, passkeys
Universal Bitwarden JSON file	Passwords, OTP, passkeys, notes, folders — every manager imports this

The Bitwarden JSON file is the universal escape hatch. 1Password, Bitwarden, Dashlane, NordPass, KeePassXC, and others can all import it. Default path: ~/Downloads/goodboy-export.json.

4. How a Transfer Works

Pick a source. Goodboy reads everything from it into SecuredBox (RAM only).
See what you have. The unified data grid shows every credential — domain, username, password, OTP, passkeys — with filters for "Has OTP" and "Passkeys". You can search, inspect, and select individual items.
Pick a destination. Goodboy runs a preflight check against the destination's schema and tells you exactly what will transfer cleanly and what will be lost. Nothing is written until you approve.
Write. Selected credentials are pushed. Memory clears.

You can pull from multiple sources before writing — everything accumulates in SecuredBox until you push.

Field preservation matrix

Field	Chrome	KeePassXC	iCloud	Bitwarden JSON
URL	Yes	Yes	Yes	Yes
Username	Yes	Yes	Yes	Yes
Password	Yes	Yes	Yes	Yes
OTP	No	Yes	Yes	Yes
Passkeys	No	Yes	Yes	Yes
Notes	No	Yes	No	Yes
Folders	No	Yes (groups)	No	Yes
Custom fields	No	No	No	Yes

Goodboy warns you before any data is lost.

5. Auto-Discovery

On launch, Goodboy scans the Mac and adds every source it finds to the sidebar — Chrome profiles, Chromium browsers (Brave, Edge, Opera, Vivaldi, Arc), recently opened KeePassXC databases, and iCloud Keychain (macOS 26+). Sources that need credentials show a Setup badge.

6. Device Setup

Most sources work out of the box — browsers and KeePassXC are auto-discovered, and iCloud uses Apple's own export flow. Password managers that run their own CLI (1Password, Bitwarden, ProtonPass) need a one-time setup so Goodboy can authenticate on your behalf. Pick your source below.

Click Connect in device settings. Goodboy reads the browser's encryption key from the macOS Keychain — one-time setup.

Enter the master password you chose when creating the .kdbx database. Goodboy auto-detects which database to use from KeePassXC's recently opened list. If your database uses a key file, provide the path.

Open 1Password → Settings → Developer.
Enable "Integrate with 1Password CLI".
Click Connect in Goodboy and approve the biometric prompt.

The 1Password desktop app must be running during the transfer — it brokers authentication, so Goodboy never sees your master password. The op CLI is a separate install: brew install 1password-cli.

Service account token (optional). For headless use (CLI, MCP), authenticate with a token instead of biometric. Create one at start.1password.com → Developer Tools → Infrastructure Secrets → Service Accounts. The token (starts with ops_) is shown once — paste it into device settings.

Install the CLI: brew install bitwarden-cli. Then in device settings:

Master password (required) — the same password you use at vault.bitwarden.com. Even with API credentials, Goodboy needs this to decrypt.
API Client ID + Secret (required if not already logged in) — find these at vault.bitwarden.com → Settings → Security → Keys → View API Key.
Server URL (optional) — select if your vault is on vault.bitwarden.eu or a self-hosted instance.

Install the CLI: brew install protonpass/tap/pass-cli. These are your regular Proton credentials — same as proton.me:

Proton email + password (required).
2FA code (if enabled) — one-time code from your authenticator app. Entered fresh each session, never saved.
Mailbox password (rare) — only for older Proton accounts with two-password mode. If you've never heard of this, you don't have one.

All credentials are stored in the macOS Keychain, encrypted at rest. They never touch Goodboy's database.

7. App Interface

Sidebar — Sources (every discovered device, with item counts) and Filters (All Items, Has OTP, Passkeys).

Data grid — Unified view of every credential pulled into SecuredBox. Columns: Name (domain), User, Password (masked, click eye to reveal), Source. Multi-select with shift/cmd-click. Search field in the toolbar.

Export popover — Triggered from the share button. Lists every available destination as a row with brand glyph and target identifier (e.g. "Chrome — russo.roy.home@gmail.com", "KeePass CLI — Passwords.kdbx"). Each Chrome profile and each KeePassXC database is a first-class destination.

Detail panel — Side panel with all fields for the selected item: URL, username, password, OTP URI, passkey info, notes, extras.

Status bar — Item count, selection count (5 of 649 selected), last log line from the engine.

8. Security Model

What	Where	Cleared
Credentials in flight (SecuredBox)	RAM only	When app quits or user clicks Clear
App operational params (master passwords, API keys)	macOS Keychain (SecItem)	When user removes the device
App settings, device list, logs	SQLite at `~/Library/Application Support/Goodboy/goodboy.db`	Delete the file

No network calls. No cloud. No analytics. No account.
Engine + CLI + MCP server are open source. The app is built on the same engine.
Bitwarden JSON export is the only file Goodboy writes containing credentials, and only when the user explicitly chooses that destination.

9. CLI and MCP Server

Goodboy ships a command-line interface for scripting and automation:

goodboy devices          # list all devices and their status (JSON)
goodboy validate <id>    # check if a device is ready
goodboy run <src> [dest] # run a transfer
goodboy flows            # list valid source → destination pairs
goodboy protools         # list all connectors

It also ships an MCP server — a JSON-RPC interface that lets AI assistants like Claude drive Goodboy directly. The server exposes 16 tools across five categories:

Category	Tools	What they do
Discovery	`goodboy_protools`, `goodboy_devices`, `goodboy_validate`, `goodboy_flows`	List connectors, discover devices, preflight-check readiness, enumerate valid source→dest pairs
Flows	`goodboy_run`	Pull from a source, push to a destination, or both in one call
SecuredBox	`goodboy_securedbox`, `_dump`, `_delete`, `_clear`	Inspect, dump, selectively delete, or clear the in-memory credential staging area
Device management	`goodboy_device_create`, `_edit`, `_delete`	Create, configure, or remove devices
Keychain & Chrome	`goodboy_keychain_set`, `_dev`, `goodboy_chrome_profiles`, `_status`	Store operational params in the macOS Keychain, seed browser keys, inspect Chrome profiles

The desktop app, CLI, and MCP server all share one engine and one device database.

10. Audience and Positioning

Target user. Technically literate, privacy-conscious. Developers, IT professionals, KeePassXC users, and people who deliberately run mixed Apple/Google or Apple/Linux environments. They care about local-first software, dislike subscriptions, and are skeptical of cloud password services. They are comfortable installing a Mac app from a developer site and want a tool that respects their data and gets out of the way.

Positioning. Goodboy is not a password manager. It does not replace 1Password, Bitwarden, KeePassXC, or iCloud — it connects them. The core promise is liberation from vendor lock-in: your credentials belong to you, and you should be able to move them between any two systems you choose. Goodboy works with every password manager and competes with none.

Free and local. There is no account, no subscription, and no server. Everything runs on your Mac. A future Pro upgrade ($29 one-time) will add power-user features like background sync, headless Chrome write, and saved flows.

Goodboy makes passwords flow.