From 5fa0b33664ed0826579cfc2d2cf40b028fa3d819 Mon Sep 17 00:00:00 2001
From: Andy <scene@scene.com>
Date: Sun, 8 Feb 2026 19:51:22 -0700
Subject: [PATCH] revert(monalisa): pass key via argv again

Reverts the env/stdin key passing change introduced in 6c83790, since ML-Worker builds in use expect the key as argv[1].
---
 unshackle/core/drm/monalisa.py | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/unshackle/core/drm/monalisa.py b/unshackle/core/drm/monalisa.py
index 01e0071..3b6f29a 100644
--- a/unshackle/core/drm/monalisa.py
+++ b/unshackle/core/drm/monalisa.py
@@ -234,11 +234,7 @@ class MonaLisa:
                 raise MonaLisa.Exceptions.DecryptionFailed(f"Segment file does not exist: {segment_path}")
 
             # Stage 1: ML-Worker decryption
-            # Do not pass secrets via argv (visible in process listings/logs).
-            # ML-Worker supports receiving the key out-of-band; we provide it via env + stdin.
-            cmd = [str(worker_path), "-", str(bbts_path), str(ents_path)]
-            worker_env = os.environ.copy()
-            worker_env["WORKER_KEY"] = self._key
+            cmd = [str(worker_path), str(self._key), str(bbts_path), str(ents_path)]
 
             startupinfo = None
             if sys.platform == "win32":
@@ -251,8 +247,6 @@ class MonaLisa:
                 stdout=subprocess.PIPE,
                 stderr=subprocess.PIPE,
                 text=True,
-                input=self._key,
-                env=worker_env,
                 startupinfo=startupinfo,
                 timeout=worker_timeout_s,
             )