Add support for secrets stored in authinfo and netrc files

I would like to mamange my ECA config and commands with Guix and don't
want any secrets in those files. I could use keyEnv for this, but all
my other secrets are already in `~/.authinfo.gpg` which I would like
to use.

This PR adds support for reading secrets from the `~/.authinfo` and
`~/.netrc` files. It supports GPG encrypted and Windows variants.

Author: r0man

AGENTS.md

@@ -24,5 +24,18 @@ Code Style
 - Unit tests should have a single `deftest` for function to be tested with multiple `testing`s for each tested case.
 - Unit tests that use file paths and uris should rely on `h/file-path` and `h/file-uri` to avoid windows issues with slashes.
 
+Secrets Management
+- `src/eca/secrets/netrc.clj` - Netrc format parser (multi-line format: machine/login/password/port keywords)
+- `src/eca/secrets/authinfo.clj` - Authinfo format parser (single-line format: space-separated key-value pairs)
+- `src/eca/secrets.clj` - Main secrets manager for credential file operations:
+  - File discovery and priority order (.authinfo.gpg → .netrc.gpg → .authinfo → _authinfo → .netrc → _netrc)
+  - Cross-platform path construction using io/file (handles / vs \ separators automatically)
+  - GPG decryption with caching (5-second TTL) and timeout (30s, configurable via GPG_TIMEOUT env var)
+  - keyRc format parsing: [login@]machine[:port] (named after Unix "rc" config file tradition)
+  - Credential matching logic (exact login match when specified, first match otherwise)
+  - Permission validation (Unix: warns if not 0600; Windows: skipped)
+- Authentication flow: config `key` → credential files `keyRc` → env var `keyEnv` → OAuth
+- Security: passwords never logged; GPG decryption via clojure.java.process; cache with short TTL; subprocess timeout protection
+
 Notes
 - CI runs: bb test and bb integration-test. Ensure these pass locally before PRs.

CHANGELOG.md

@@ -2,6 +2,8 @@
 
 ## Unreleased
 
+- Add support for secrets stored in authinfo and netrc files
+
 ## 0.64.1
 
 - Fix duplicated arguments on `toolCallPrepare` for openai-chat API models. https://github.com/editor-code-assistant/eca-emacs/issues/56

docs/configuration.md

@@ -52,6 +52,33 @@ There are multiples ways to configure ECA:
 
 For providers and models configuration check the [dedicated models section](./models.md#custom-providers).
 
+### Credential Files (netrc/authinfo)
+
+Providers can use `keyRc` to read credentials from `.netrc` or `.authinfo` files (named after the Unix "rc" configuration file tradition):
+
+```javascript
+{
+  "providers": {
+    "openai": {
+      "keyRc": "api.openai.com"
+    },
+    "anthropic": {
+      "keyRc": "[email protected]"  // with login for multi-account
+    }
+  }
+}
+```
+
+The value of `keyRc` is the machine name to look up in credential files. Supports format: `[login@]machine[:port]`
+
+**Benefits:**
+- Secure credential storage (especially with `.authinfo.gpg` encryption)
+- Standardized format used by many Unix tools (curl, git, etc.)
+- Multi-account support via login prefixes
+- Single location for managing credentials across multiple tools
+
+See [Credential File Authentication](./models.md#credential-file-authentication) for file formats, GPG encryption setup, and detailed configuration examples.
+
 ## Tools
 
 ### MCP
@@ -379,6 +406,7 @@ To configure, add your OTLP collector config via `:otlp` map following [otlp aut
             urlEnv?: string;
             key?: string; // when provider supports api key.
             keyEnv?: string;
+            keyRc?: string; // credential file lookup in format [login@]machine[:port]
             completionUrlRelativePath?: string;
             models: {[key: string]: {
               extraPayload?: {[key: string]: any}

docs/models.md

@@ -50,6 +50,171 @@ Example:
 - `OPENAI_API_KEY` for OpenAI
 - `ANTHROPIC_API_KEY` for Anthropic
 
+### Credential File Authentication
+
+ECA supports reading API credentials from `.authinfo` and `.netrc` files via the `keyRc` configuration, providing a secure and standardized way to manage authentication credentials without storing them in configuration files or environment variables.
+
+> **Why "keyRc"?** The name follows the `key*` naming convention (like `key` and `keyEnv`) and references the Unix "rc" (run commands) file tradition. Files like `.bashrc`, `.vimrc`, and `.netrc` use the "rc" suffix to indicate configuration files that are read at startup or runtime.
+
+**Configuration:**
+
+Add `keyRc` to your provider configuration:
+
+```javascript
+{
+  "providers": {
+    "openai": {
+      "url": "https://api.openai.com",
+      "keyRc": "api.openai.com"  // simple machine name
+    },
+    "anthropic": {
+      "url": "https://api.anthropic.com",
+      "keyRc": "[email protected]"  // with login for multi-account
+    }
+  }
+}
+```
+
+**keyRc Format:**
+
+The `keyRc` value supports multiple formats for flexible credential matching:
+
+- `"machine"` - Simple machine name (e.g., `"api.openai.com"`)
+- `"login@machine"` - Specific login for multi-account scenarios (e.g., `"[email protected]"`)
+- `"machine:port"` - Machine with specific port (e.g., `"api.custom.com:8443"`)
+- `"login@machine:port"` - Full format with login and port (e.g., `"[email protected]:443"`)
+
+**Supported Files (checked in order):**
+
+ECA checks credential files in the following priority order:
+
+1. `~/.authinfo.gpg` - GPG-encrypted authinfo (most secure)
+2. `~/.netrc.gpg` - GPG-encrypted netrc
+3. `~/.authinfo` - Plaintext authinfo format (Unix/macOS)
+4. `~/_authinfo` - Plaintext authinfo format (Windows)
+5. `~/.netrc` - Plaintext netrc format (Unix/macOS)
+6. `~/_netrc` - Plaintext netrc format (Windows)
+
+The first matching credential found is used.
+
+**File Formats:**
+
+*Netrc format* (multi-line):
+```
+machine api.openai.com
+login apikey
+password sk-proj-...
+
+machine api.anthropic.com
+login work
+password sk-ant-...
+```
+
+*Authinfo format* (single-line):
+```
+machine api.openai.com login apikey password sk-proj-... port 443
+machine api.anthropic.com login work password sk-ant-... port 443
+```
+
+**Requirements:**
+
+- The `login` field is **required** for all credential entries
+- Entries without a `login` field will be ignored
+- The `port` field is optional
+
+**GPG Encryption:**
+
+To use encrypted credentials, you can encrypt either authinfo or netrc format files:
+
+*Encrypting authinfo format:*
+```bash
+# Create/edit authinfo file
+echo "machine api.openai.com login apikey password sk-..." > ~/.authinfo
+
+# Encrypt it with GPG
+gpg --output ~/.authinfo.gpg --symmetric ~/.authinfo
+
+# Remove plaintext (optional but recommended)
+rm ~/.authinfo
+```
+
+*Encrypting netrc format:*
+```bash
+# Create/edit netrc file
+cat > ~/.netrc << 'EOF'
+machine api.openai.com
+login apikey
+password sk-...
+EOF
+
+# Encrypt it with GPG
+gpg --output ~/.netrc.gpg --symmetric ~/.netrc
+
+# Remove plaintext (optional but recommended)
+rm ~/.netrc
+```
+
+ECA will automatically decrypt `.authinfo.gpg` or `.netrc.gpg` files using the `gpg` command. Make sure `gpg` is installed and `gpg-agent` is configured for passphrase caching.
+
+**GPG Timeout:**
+
+GPG decryption has a 30-second timeout by default to prevent hanging on slow or unresponsive GPG processes. You can customize this via the `GPG_TIMEOUT` environment variable (in seconds):
+
+```bash
+# Set custom timeout (e.g., 60 seconds)
+export GPG_TIMEOUT=60
+```
+
+**Authentication Priority Order:**
+
+When resolving credentials, ECA checks sources in this order:
+
+1. **Config file** - explicit `key` in provider config (highest priority)
+2. **Credential files** - `keyRc` setting pointing to machine name
+3. **Environment variable** - value from `keyEnv` setting
+4. **OAuth flow** - for providers that support it (e.g., GitHub Copilot)
+
+This ensures explicit configuration takes precedence while providing credential files as a convenient option.
+
+**Security:**
+
+- Plaintext files (`.authinfo`, `.netrc`) should have restricted permissions (0600 on Unix)
+- ECA will warn if permissions are too open
+- `.authinfo.gpg` provides encryption at rest for maximum security
+- Keep credential files out of version control
+- Passwords are never logged or leaked in error messages
+- GPG subprocess has timeout protection (30s default) to prevent hanging
+
+**Multi-Account Support:**
+
+You can store multiple credentials for the same provider using different login values:
+
+```
+machine api.anthropic.com login work password sk-ant-work-...
+machine api.anthropic.com login personal password sk-ant-personal-...
+```
+
+Then specify which account to use in your config:
+
+```javascript
+{
+  "providers": {
+    "anthropic-work": {
+      "url": "https://api.anthropic.com",
+      "keyRc": "[email protected]"
+    },
+    "anthropic-personal": {
+      "url": "https://api.anthropic.com",
+      "keyRc": "[email protected]"
+    }
+  }
+}
+```
+
+**Supported Providers:**
+
+All providers with API key authentication can use credential files, including OpenAI, Anthropic, Google, custom providers, and more.
+
 ## Custom providers
 
 ECA allows you to configure custom LLM providers that follow API schemas similar to OpenAI or Anthropic. This is useful when you want to use: