Merge pull request #146 from editor-code-assistant/netrc

Add support for secrets stored in authinfo and netrc files

Author: ericdallo

AGENTS.md

@@ -24,5 +24,18 @@ Code Style
 - Unit tests should have a single `deftest` for function to be tested with multiple `testing`s for each tested case.
 - Unit tests that use file paths and uris should rely on `h/file-path` and `h/file-uri` to avoid windows issues with slashes.
 
+Secrets Management
+- `src/eca/secrets/netrc.clj` - Netrc format parser (multi-line format: machine/login/password/port keywords)
+- `src/eca/secrets/authinfo.clj` - Authinfo format parser (single-line format: space-separated key-value pairs)
+- `src/eca/secrets.clj` - Main secrets manager for credential file operations:
+  - File discovery and priority order (.authinfo.gpg → .netrc.gpg → .authinfo → _authinfo → .netrc → _netrc)
+  - Cross-platform path construction using io/file (handles / vs \ separators automatically)
+  - GPG decryption with caching (5-second TTL) and timeout (30s, configurable via GPG_TIMEOUT env var)
+  - keyRc format parsing: [login@]machine[:port] (named after Unix "rc" config file tradition)
+  - Credential matching logic (exact login match when specified, first match otherwise)
+  - Permission validation (Unix: warns if not 0600; Windows: skipped)
+- Authentication flow: config `key` → credential files `keyRc` → env var `keyEnv` → OAuth
+- Security: passwords never logged; GPG decryption via clojure.java.process; cache with short TTL; subprocess timeout protection
+
 Notes
 - CI runs: bb test and bb integration-test. Ensure these pass locally before PRs.

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ## Unreleased
 
+- Add support for secrets stored in authinfo and netrc files
 - Added tests for stopping concurrent tool calls. #147
 - Improve logging.
 

deps-lock.json

@@ -8,6 +8,13 @@
       "git-dir": "https/github.com/borkdude/gh-release-artifact",
       "hash": "sha256-HllBWtwTtYYM0KjHB9UVDBjB57CtpvF+gncQseGXgf8="
     },
+    {
+      "lib": "br.dev.zz/parc",
+      "url": "https://github.com/souenzzo/parc",
+      "rev": "76f0714e6b93a053d67d473c33dfc279dfb94d23",
+      "git-dir": "https/github.com/souenzzo/parc",
+      "hash": "sha256-6ISYa9g5kOGkay3ums4Tys2/krPTIFqQKAtT8rfaZ4k="
+    },
     {
       "lib": "io.github.clojure/tools.build",
       "url": "https://github.com/clojure/tools.build.git",

deps.edn

@@ -7,6 +7,8 @@
         borkdude/dynaload {:mvn/version "0.3.5"}
         babashka/fs {:mvn/version "0.5.26"}
         babashka/process {:mvn/version "0.6.23"}
+        br.dev.zz/parc {:git/url "https://github.com/souenzzo/parc"
+                        :git/sha "76f0714e6b93a053d67d473c33dfc279dfb94d23"}
         com.cognitect/transit-clj {:mvn/version "1.0.333"}
         hato/hato {:mvn/version "1.0.0"}
         ring/ring-codec {:mvn/version "1.3.0"}

docs/configuration.md

@@ -68,12 +68,12 @@ For MCP servers configuration, use the `mcpServers` config, examples:
           "command": "npx",
           "args": ["-y", "@modelcontextprotocol/server-memory"],
           // optional
-          "env": {"FOO": "bar"} 
+          "env": {"FOO": "bar"}
         }
       }
     }
     ```
-    
+
 === "HTTP-streamable"
 
     `~/.config/eca/config.json`
@@ -138,7 +138,7 @@ Check some examples:
       }
     }
     ```
-   
+
 === "Matching by a tool argument"
 
     __`argsMatchers`__ is a map of argument name by list of [java regex](https://www.regexplanet.com/advanced/java/index.html).
@@ -156,7 +156,7 @@ Check some examples:
       }
     }
     ```
-    
+
 === "Denying a tool"
 
     ```javascript
@@ -336,7 +336,7 @@ There are 3 possible ways to configure rules following this order of priority:
       "rules": [{"path": "my-rule.md"}]
     }
     ```
-    
+
 ## Behaviors / prompts
 
 ECA allows to totally customize the prompt sent to LLM via the `behavior` config, allowing to have multiple behaviors for different tasks or workflows.
@@ -379,6 +379,7 @@ To configure, add your OTLP collector config via `:otlp` map following [otlp aut
             urlEnv?: string;
             key?: string; // when provider supports api key.
             keyEnv?: string;
+            keyRc?: string; // credential file lookup in format [login@]machine[:port]
             completionUrlRelativePath?: string;
             models: {[key: string]: {
               extraPayload?: {[key: string]: any}

docs/models.md

@@ -32,15 +32,15 @@ Example:
   "providers": {
     "openai": {
       "key": "your-openai-key-here", // configuring a key
-      "models": { 
+      "models": {
         "o1": {} // adding models to a built-in provider
         "o3": {
           "extraPayload": { // adding to the payload sent to LLM
             "temperature": 0.5
           }
         }
       }
-    } 
+    }
   }
 }
 ```
@@ -68,6 +68,7 @@ Schema:
 | `urlEnv`                       | string | Environment variable name containing the API URL                                                    | No*      |
 | `url`                          | string | Direct API URL (use instead of `urlEnv`)                                                            | No*      |
 | `keyEnv`                       | string | Environment variable name containing the API key                                                    | No*      |
+| `keyRc`                        | string | Lookup specification to read the API key from Unix RC [credential files](#credential-file-authentication)                         | No*      |
 | `key`                          | string | Direct API key (use instead of `keyEnv`)                                                            | No*      |
 | `completionUrlRelativePath`    | string | Optional override for the completion endpoint path (see defaults below and examples like Azure)     | No       |
 | `models`                       | map    | Key: model name, value: its config                                                                  | Yes      |
@@ -121,27 +122,54 @@ Defaults by API type:
 
 Only set this when your provider uses a different path or expects query parameters at the endpoint (e.g., Azure API versioning).
 
+### Credential File Authentication
+
+Use `keyRc` in your provider config to read credentials from `~/.authinfo(.gpg)` or `~/.netrc(.gpg)` without storing keys directly in config or env vars.
+
+Example:
+
+```javascript
+{
+  "providers": {
+    "openai": {"keyRc": "api.openai.com"},
+    "anthropic": {"keyRc": "[email protected]"}
+  }
+}
+```
+
+keyRc lookup specification format: `[login@]machine[:port]` (e.g., `api.openai.com`, `[email protected]`, `api.custom.com:8443`).
+
+Further reading on credential file formats:
+- [Emacs authinfo documentation](https://www.gnu.org/software/emacs/manual/html_node/auth/Help-for-users.html)
+- [Curl Netrc documentation](https://everything.curl.dev/usingcurl/netrc)
+- [GNU Inetutils .netrc documentation](https://www.gnu.org/software/inetutils/manual/html_node/The-_002enetrc-file.html)
+
+Notes:
+- Preferred files are GPG-encrypted (`~/.authinfo.gpg` / `~/.netrc.gpg`); plaintext variants are supported.
+- Authentication priority (short): `key` > `keyRc files` > `keyEnv` > OAuth.
+- All providers with API key auth can use credential files.
+
 ## Providers examples
 
 === "Anthropic"
-    
+
     1. Login to Anthropic via the chat command `/login`.
     2. Type 'anthropic' and send it.
     3. Type the chosen method
     4. Authenticate in your browser, copy the code.
     5. Paste and send the code and done!
 
 === "Github Copilot"
-    
+
     1. Login to Github copilot via the chat command `/login`.
     2. Type 'github-copilot' and send it.
     3. Authenticate in Github in your browser with the given code.
     4. Type anything in the chat to continue and done!
-    
+
     _Tip: check [Your Copilot plan](https://github.com/settings/copilot/features) to enable models to your account._
-    
+
 === "Google / Gemini"
-    
+
     1. Login to Google via the chat command `/login`.
     2. Type 'google' and send it.
     3. Choose 'manual' and type your Google/Gemini API key. (You need to create a key in [google studio](https://aistudio.google.com/api-keys))
@@ -165,7 +193,7 @@ Only set this when your provider uses a different path or expects query paramete
     ```
 
 === "OpenRouter"
-    
+
     [OpenRouter](https://openrouter.ai) provides access to many models through a unified API:
 
     1. Login via the chat command `/login`.
@@ -175,7 +203,7 @@ Only set this when your provider uses a different path or expects query paramete
     5. Done, it should be saved to your global config.
 
     or manually via config:
-    
+
     ```javascript
     {
       "providers": {
@@ -196,15 +224,15 @@ Only set this when your provider uses a different path or expects query paramete
 === "DeepSeek"
 
     [DeepSeek](https://deepseek.com) offers powerful reasoning and coding models:
-    
+
     1. Login via the chat command `/login`.
     2. Type 'deepseek' and send it.
     3. Specify your Deepseek API key.
     4. Inform at least a model, ex: `deepseek-chat`
     5. Done, it should be saved to your global config.
-    
+
     or manually via config:
-    
+
     ```javascript
     {
       "providers": {
@@ -215,7 +243,7 @@ Only set this when your provider uses a different path or expects query paramete
           "models": {
             "deepseek-chat": {},
             "deepseek-coder": {},
-            "deepseek-reasoner": {} 
+            "deepseek-reasoner": {}
            }
         }
       }
@@ -230,7 +258,7 @@ Only set this when your provider uses a different path or expects query paramete
     4. Specify your API url with your resource, ex: 'https://your-resource-name.openai.azure.com'.
     5. Inform at least a model, ex: `gpt-5`
     6. Done, it should be saved to your global config.
-    
+
     or manually via config:
 
     ```javascript
@@ -256,7 +284,7 @@ Only set this when your provider uses a different path or expects query paramete
     3. Specify your API key.
     4. Inform at least a model, ex: `GLM-4.5`
     5. Done, it should be saved to your global config.
-    
+
     or manually via config:
 
     ```javascript
@@ -278,7 +306,7 @@ Only set this when your provider uses a different path or expects query paramete
 === "Same model with different settings"
 
     For now, you can create different providers with same model names to achieve that:
-   
+
     ```javascript
     {
      "providers": {

src/eca/features/commands.clj

@@ -11,6 +11,7 @@
    [eca.features.tools.mcp :as f.mcp]
    [eca.llm-api :as llm-api]
    [eca.messenger :as messenger]
+   [eca.secrets :as secrets]
    [eca.shared :as shared :refer [multi-str update-some]])
   (:import
    [java.lang ProcessHandle]))
@@ -133,7 +134,9 @@
               (map-indexed vector args)))))
 
 (defn ^:private doctor-msg [db config]
-  (let [model (llm-api/default-model db config)]
+  (let [model (llm-api/default-model db config)
+        cred-check (secrets/check-credential-files)
+        existing-files (filter :exists (:files cred-check))]
     (multi-str (str "ECA version: " (config/eca-version))
                ""
                (str "Server cmd: " (.orElse (.commandLine (.info (ProcessHandle/current))) nil))
@@ -158,7 +161,26 @@
                                                       (str s key "=" val "\n")
                                                       s))
                                                   "\n"
-                                                  (System/getenv))))))
+                                                  (System/getenv)))
+               ""
+               (if (seq existing-files)
+                 (str "Credential files (GPG available: " (:gpg-available cred-check) "):"
+                      (reduce
+                       (fn [s file-info]
+                         (str s "\n  " (:path file-info) ":"
+                              (when (contains? file-info :readable)
+                                (str "\n    Readable: " (:readable file-info)))
+                              (when (contains? file-info :permissions-secure)
+                                (str "\n    Permissions: " (if (:permissions-secure file-info) "secure" "INSECURE (should be 0600)")))
+                              (when (:credentials-count file-info)
+                                (str "\n    Credentials: " (:credentials-count file-info)))
+                              (when (:parse-error file-info)
+                                (str "\n    Parse error: " (:parse-error file-info)))
+                              (when (:suggestion file-info)
+                                (str "\n    " (:suggestion file-info)))))
+                       ""
+                       existing-files))
+                 (str "Credential files: None found (GPG available: " (:gpg-available cred-check) ")")))))
 
 (defn handle-command! [command args {:keys [chat-id db* config messenger full-model instructions metrics]}]
   (let [db @db*

src/eca/llm_util.clj

@@ -3,7 +3,8 @@
    [cheshire.core :as json]
    [clojure.string :as string]
    [eca.config :as config]
-   [eca.logger :as logger])
+   [eca.logger :as logger]
+   [eca.secrets :as secrets])
   (:import
    [java.io BufferedReader]
    [java.nio.charset StandardCharsets]
@@ -96,7 +97,10 @@
 (defn provider-api-key [provider provider-auth config]
   (or (get-in config [:providers (name provider) :key])
       (:api-key provider-auth)
-      (some-> (get-in config [:providers (name provider) :keyEnv]) config/get-env)))
+      (when-let [key-rc (get-in config [:providers (name provider) :keyRc])]
+        (secrets/get-credential key-rc))
+      (some-> (get-in config [:providers (name provider) :keyEnv])
+              config/get-env)))
 
 (defn provider-api-url [provider config]
   (or (get-in config [:providers (name provider) :url])