Skip to content

refactor(provider): use go-keyring for cross-platform credential storage#34

Merged
priyanshujain merged 12 commits intomasterfrom
cross-platform-keyring
Mar 9, 2026
Merged

refactor(provider): use go-keyring for cross-platform credential storage#34
priyanshujain merged 12 commits intomasterfrom
cross-platform-keyring

Conversation

@priyanshujain
Copy link
Copy Markdown
Collaborator

@priyanshujain priyanshujain commented Mar 9, 2026
edited
Loading

Summary

  • Replace hand-rolled macOS Keychain CLI calls with zalando/go-keyring for cross-platform credential storage
  • Native credential stores on all platforms: macOS Keychain, Linux Secret Service (GNOME Keyring/KDE Wallet), Windows Credential Manager
  • Keyring errors propagate directly — no silent fallback to plain-text files
  • Headless/CI environments use environment variables (ANTHROPIC_API_KEY, etc.) via the existing ResolveAPIKey env var path
  • Rename KeychainLoad/KeychainStore to LoadCredential/StoreCredential (platform-neutral naming)
  • Pure Go, no CGO — cross-compiles with CGO_ENABLED=0 for all targets

Test plan

  • go test ./provider/ — all 38 tests pass
  • Cross-compiles for linux/amd64, windows/amd64, darwin/arm64
  • Keyring errors propagate (not swallowed)
  • LoadCredential/StoreCredential round-trip via mocked keyring
  • Verify existing macOS Keychain credentials are still readable after upgrade
  • Verify credential storage works on Linux desktop with GNOME Keyring

@priyanshujain
chore(deps): add zalando/go-keyring for cross-platform credential sto…
40a1a2c 
…rage
@priyanshujain
refactor(provider): use go-keyring with file-based fallback
5ed73e9 
Replace hand-rolled macOS Keychain calls and plain-file-only storage
on Linux/Windows with zalando/go-keyring. The library uses native
credential stores (Keychain, Secret Service, WinCred) on all three
platforms. On headless/Docker environments where no keyring daemon is
available, we fall back to the existing ~/.obk/secrets/ file store.
@priyanshujain
test(provider): add keyring success and fallback tests
191a2c7
@priyanshujain
docs(provider): clarify intentional keyring error handling in fallback
2ab1ad4
@priyanshujain
Merge remote-tracking branch 'origin/master' into cross-platform-keyring
8e03d99
@priyanshujain
refactor(provider): rename KeychainLoad/KeychainStore to LoadCredenti…
70b4abf 
…al/StoreCredential
@priyanshujain
refactor(cli): use renamed StoreCredential function
4aa753a
@priyanshujain
fix(provider): propagate operational keyring errors instead of silent…
7ec44e2 
… fallback
@priyanshujain
test(provider): add exported API and operational error propagation tests
65e30d9
@priyanshujain
refactor(provider): remove file-based fallback, use keyring only
e5a91bc 
Drop the silent file-based fallback (~/.obk/secrets/) from credential
storage. Errors from the OS keyring are now propagated directly.
Headless/CI environments should use environment variables instead,
which ResolveAPIKey already supports.
@priyanshujain
test(provider): rewrite credential tests for keyring-only storage
32b7872
@priyanshujain
docs: add credential storage design doc and learnings
d615702
@priyanshujain priyanshujain merged commit 0541aa4 into master Mar 9, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@priyanshujain