Fix PoP cache isolation bug causing repeated login prompts

.bingo/go.mod

@@ -1 +1,3 @@
-module _ // Fake go.mod auto-created by 'bingo' for go -moddir compatibility with non-Go projects. Commit this file, together with other .mod files.
+module _ // Fake go.mod auto-created by 'bingo' for go -moddir compatibility with non-Go projects. Commit this file, together with other .mod files.
+
+go 1.24.7

pkg/internal/pop/cache/darwin.go

@@ -3,12 +3,19 @@
 package cache
 
 import (
+	"crypto/sha256"
+	"encoding/hex"
+
 	"github.com/AzureAD/microsoft-authentication-extensions-for-go/cache/accessor"
 )
 
 // storage creates a platform-specific accessor for macOS
 func storage(cachePath string) (accessor.Accessor, error) {
-	// Use "kubelogin-pop" as the service name in macOS Keychain
-	// "MSALCache" becomes the account identifier within that service
-	return accessor.New("kubelogin-pop", accessor.WithAccount("MSALCache"))
+	// Use a hash of the full cache path as the account identifier to ensure uniqueness
+	// This prevents cache conflicts when multiple cache directories are used
+	// (e.g., different clusters with different --cache-dir settings)
+	// We use a hash because macOS Keychain has limitations on account name length
+	hash := sha256.Sum256([]byte(cachePath))
+	account := hex.EncodeToString(hash[:16]) // Use first 16 bytes for reasonable uniqueness
+	return accessor.New("kubelogin-pop", accessor.WithAccount(account))
 }

pkg/internal/pop/cache/linux.go

@@ -67,8 +67,9 @@ func newKeyring(p string) (*keyring, error) {
 	if persistentRing, err := unix.KeyctlInt(unix.KEYCTL_GET_PERSISTENT, -1, ringID, 0, 0); err == nil {
 		ringID = persistentRing
 	}
-	// Use the actual filename as the keyring description to ensure each file has its own encryption key
-	description := filepath.Base(p)
+	// Use the full path as the keyring description to ensure each cache directory has its own encryption key
+	// This prevents cache conflicts when multiple cache directories are used (e.g., different clusters)
+	description := p
 	return &keyring{description: description, file: p, ringID: ringID}, nil
 }
 

pkg/internal/pop/cache/linux_test.go

@@ -140,9 +140,8 @@ func TestKeyringDescription(t *testing.T) {
 		k, err := newKeyring(path)
 		require.NoError(t, err)
 
-		// Verify description is the filename
-		expectedDesc := filepath.Base(path)
-		require.Equal(t, expectedDesc, k.description)
+		// Verify description is the full path (changed to prevent cache conflicts)
+		require.Equal(t, path, k.description)
 
 		// Verify each path gets a unique description
 		require.False(t, descriptions[k.description], "description %q should be unique", k.description)