Merge branch 'master' into call-test

Author: bombaywalla

.github/FUNDING.yml

@@ -1,3 +1,4 @@
 # These are supported funding model platforms
 
-github: ericdallo
+github: editor-code-assistant
+open_collective: editor-code-assistant

AGENTS.md

@@ -24,5 +24,18 @@ Code Style
 - Unit tests should have a single `deftest` for function to be tested with multiple `testing`s for each tested case.
 - Unit tests that use file paths and uris should rely on `h/file-path` and `h/file-uri` to avoid windows issues with slashes.
 
+Secrets Management
+- `src/eca/secrets/netrc.clj` - Netrc format parser (multi-line format: machine/login/password/port keywords)
+- `src/eca/secrets/authinfo.clj` - Authinfo format parser (single-line format: space-separated key-value pairs)
+- `src/eca/secrets.clj` - Main secrets manager for credential file operations:
+  - File discovery and priority order (.authinfo.gpg → .netrc.gpg → .authinfo → _authinfo → .netrc → _netrc)
+  - Cross-platform path construction using io/file (handles / vs \ separators automatically)
+  - GPG decryption with caching (5-second TTL) and timeout (30s, configurable via GPG_TIMEOUT env var)
+  - keyRc format parsing: [login@]machine[:port] (named after Unix "rc" config file tradition)
+  - Credential matching logic (exact login match when specified, first match otherwise)
+  - Permission validation (Unix: warns if not 0600; Windows: skipped)
+- Authentication flow: config `key` → credential files `keyRc` → env var `keyEnv` → OAuth
+- Security: passwords never logged; GPG decryption via clojure.java.process; cache with short TTL; subprocess timeout protection
+
 Notes
 - CI runs: bb test and bb integration-test. Ensure these pass locally before PRs.

CHANGELOG.md

@@ -2,7 +2,16 @@
 
 ## Unreleased
 
+## 0.66.1
+
+- Improve plan behavior prompt. #139
+
+## 0.66.0
+
+- Add support for secrets stored in authinfo and netrc files
 - Added tests for stopping concurrent tool calls. #147
+- Improve logging.
+- Improve performance of `chat/queryContext`.
 
 ## 0.65.0
 

README.md

@@ -93,3 +93,7 @@ For developer details, check [development docs](https://eca.dev/development).
 ## Support the project 💖
 
 Consider [sponsoring the project](https://github.com/sponsors/ericdallo) to help grow faster, the support helps to keep the project going, being updated and maintained!
+
+These are all the incredible people who helped make ECA better!
+
+[<img src="https://opencollective.com/editor-code-assistant/contributors.svg?width=890&button=false" alt="Code Contributors" style="max-width:100%;">](https://github.com/editor-code-assistant/eca/graphs/contributors)

deps-lock.json

@@ -8,6 +8,13 @@
       "git-dir": "https/github.com/borkdude/gh-release-artifact",
       "hash": "sha256-HllBWtwTtYYM0KjHB9UVDBjB57CtpvF+gncQseGXgf8="
     },
+    {
+      "lib": "br.dev.zz/parc",
+      "url": "https://github.com/souenzzo/parc",
+      "rev": "76f0714e6b93a053d67d473c33dfc279dfb94d23",
+      "git-dir": "https/github.com/souenzzo/parc",
+      "hash": "sha256-6ISYa9g5kOGkay3ums4Tys2/krPTIFqQKAtT8rfaZ4k="
+    },
     {
       "lib": "io.github.clojure/tools.build",
       "url": "https://github.com/clojure/tools.build.git",
@@ -2215,6 +2222,16 @@
       "mvn-repo": "https://repo1.maven.org/maven2/",
       "hash": "sha256-JUvpyKuMzDArR9fFaj/KEUl+WcMFvxX6YFTD3/TrkZ0="
     },
+    {
+      "mvn-path": "org/clojure/clojure/1.12.2/clojure-1.12.2.jar",
+      "mvn-repo": "https://repo1.maven.org/maven2/",
+      "hash": "sha256-pYv4B+zv7K6iIri4tH4UNo7o4yy0VAs//v/4yglTSA0="
+    },
+    {
+      "mvn-path": "org/clojure/clojure/1.12.2/clojure-1.12.2.pom",
+      "mvn-repo": "https://repo1.maven.org/maven2/",
+      "hash": "sha256-55suCRfnPnPCX7N5PzFV+PD4jYAvUMJf1Sl3l3rDQiA="
+    },
     {
       "mvn-path": "org/clojure/core.async/1.5.648/core.async-1.5.648.jar",
       "mvn-repo": "https://repo1.maven.org/maven2/",

deps.edn

@@ -1,12 +1,14 @@
 {:paths ["src" "resources"]
- :deps {org.clojure/clojure {:mvn/version "1.12.1"}
+ :deps {org.clojure/clojure {:mvn/version "1.12.2"}
         org.clojure/core.async {:mvn/version "1.8.741"}
         org.babashka/cli {:mvn/version "0.8.65"}
         com.github.clojure-lsp/jsonrpc4clj {:mvn/version "1.0.2"}
         io.modelcontextprotocol.sdk/mcp {:mvn/version "0.14.1"}
         borkdude/dynaload {:mvn/version "0.3.5"}
         babashka/fs {:mvn/version "0.5.26"}
         babashka/process {:mvn/version "0.6.23"}
+        br.dev.zz/parc {:git/url "https://github.com/souenzzo/parc"
+                        :git/sha "76f0714e6b93a053d67d473c33dfc279dfb94d23"}
         com.cognitect/transit-clj {:mvn/version "1.0.333"}
         hato/hato {:mvn/version "1.0.0"}
         ring/ring-codec {:mvn/version "1.3.0"}

docs/configuration.md

@@ -68,12 +68,12 @@ For MCP servers configuration, use the `mcpServers` config, examples:
           "command": "npx",
           "args": ["-y", "@modelcontextprotocol/server-memory"],
           // optional
-          "env": {"FOO": "bar"} 
+          "env": {"FOO": "bar"}
         }
       }
     }
     ```
-    
+
 === "HTTP-streamable"
 
     `~/.config/eca/config.json`
@@ -138,7 +138,7 @@ Check some examples:
       }
     }
     ```
-   
+
 === "Matching by a tool argument"
 
     __`argsMatchers`__ is a map of argument name by list of [java regex](https://www.regexplanet.com/advanced/java/index.html).
@@ -156,7 +156,7 @@ Check some examples:
       }
     }
     ```
-    
+
 === "Denying a tool"
 
     ```javascript
@@ -336,7 +336,7 @@ There are 3 possible ways to configure rules following this order of priority:
       "rules": [{"path": "my-rule.md"}]
     }
     ```
-    
+
 ## Behaviors / prompts
 
 ECA allows to totally customize the prompt sent to LLM via the `behavior` config, allowing to have multiple behaviors for different tasks or workflows.
@@ -379,6 +379,7 @@ To configure, add your OTLP collector config via `:otlp` map following [otlp aut
             urlEnv?: string;
             key?: string; // when provider supports api key.
             keyEnv?: string;
+            keyRc?: string; // credential file lookup in format [login@]machine[:port]
             completionUrlRelativePath?: string;
             models: {[key: string]: {
               extraPayload?: {[key: string]: any}

docs/models.md

@@ -32,15 +32,15 @@ Example:
   "providers": {
     "openai": {
       "key": "your-openai-key-here", // configuring a key
-      "models": { 
+      "models": {
         "o1": {} // adding models to a built-in provider
         "o3": {
           "extraPayload": { // adding to the payload sent to LLM
             "temperature": 0.5
           }
         }
       }
-    } 
+    }
   }
 }
 ```
@@ -68,6 +68,7 @@ Schema:
 | `urlEnv`                       | string | Environment variable name containing the API URL                                                    | No*      |
 | `url`                          | string | Direct API URL (use instead of `urlEnv`)                                                            | No*      |
 | `keyEnv`                       | string | Environment variable name containing the API key                                                    | No*      |
+| `keyRc`                        | string | Lookup specification to read the API key from Unix RC [credential files](#credential-file-authentication)                         | No*      |
 | `key`                          | string | Direct API key (use instead of `keyEnv`)                                                            | No*      |
 | `completionUrlRelativePath`    | string | Optional override for the completion endpoint path (see defaults below and examples like Azure)     | No       |
 | `models`                       | map    | Key: model name, value: its config                                                                  | Yes      |
@@ -121,27 +122,54 @@ Defaults by API type:
 
 Only set this when your provider uses a different path or expects query parameters at the endpoint (e.g., Azure API versioning).
 
+### Credential File Authentication
+
+Use `keyRc` in your provider config to read credentials from `~/.authinfo(.gpg)` or `~/.netrc(.gpg)` without storing keys directly in config or env vars.
+
+Example:
+
+```javascript
+{
+  "providers": {
+    "openai": {"keyRc": "api.openai.com"},
+    "anthropic": {"keyRc": "[email protected]"}
+  }
+}
+```
+
+keyRc lookup specification format: `[login@]machine[:port]` (e.g., `api.openai.com`, `[email protected]`, `api.custom.com:8443`).
+
+Further reading on credential file formats:
+- [Emacs authinfo documentation](https://www.gnu.org/software/emacs/manual/html_node/auth/Help-for-users.html)
+- [Curl Netrc documentation](https://everything.curl.dev/usingcurl/netrc)
+- [GNU Inetutils .netrc documentation](https://www.gnu.org/software/inetutils/manual/html_node/The-_002enetrc-file.html)
+
+Notes:
+- Preferred files are GPG-encrypted (`~/.authinfo.gpg` / `~/.netrc.gpg`); plaintext variants are supported.
+- Authentication priority (short): `key` > `keyRc files` > `keyEnv` > OAuth.
+- All providers with API key auth can use credential files.
+
 ## Providers examples
 
 === "Anthropic"
-    
+
     1. Login to Anthropic via the chat command `/login`.
     2. Type 'anthropic' and send it.
     3. Type the chosen method
     4. Authenticate in your browser, copy the code.
     5. Paste and send the code and done!
 
 === "Github Copilot"
-    
+
     1. Login to Github copilot via the chat command `/login`.
     2. Type 'github-copilot' and send it.
     3. Authenticate in Github in your browser with the given code.
     4. Type anything in the chat to continue and done!
-    
+
     _Tip: check [Your Copilot plan](https://github.com/settings/copilot/features) to enable models to your account._
-    
+
 === "Google / Gemini"
-    
+
     1. Login to Google via the chat command `/login`.
     2. Type 'google' and send it.
     3. Choose 'manual' and type your Google/Gemini API key. (You need to create a key in [google studio](https://aistudio.google.com/api-keys))
@@ -165,7 +193,7 @@ Only set this when your provider uses a different path or expects query paramete
     ```
 
 === "OpenRouter"
-    
+
     [OpenRouter](https://openrouter.ai) provides access to many models through a unified API:
 
     1. Login via the chat command `/login`.
@@ -175,7 +203,7 @@ Only set this when your provider uses a different path or expects query paramete
     5. Done, it should be saved to your global config.
 
     or manually via config:
-    
+
     ```javascript
     {
       "providers": {
@@ -196,15 +224,15 @@ Only set this when your provider uses a different path or expects query paramete
 === "DeepSeek"
 
     [DeepSeek](https://deepseek.com) offers powerful reasoning and coding models:
-    
+
     1. Login via the chat command `/login`.
     2. Type 'deepseek' and send it.
     3. Specify your Deepseek API key.
     4. Inform at least a model, ex: `deepseek-chat`
     5. Done, it should be saved to your global config.
-    
+
     or manually via config:
-    
+
     ```javascript
     {
       "providers": {
@@ -215,7 +243,7 @@ Only set this when your provider uses a different path or expects query paramete
           "models": {
             "deepseek-chat": {},
             "deepseek-coder": {},
-            "deepseek-reasoner": {} 
+            "deepseek-reasoner": {}
            }
         }
       }
@@ -230,7 +258,7 @@ Only set this when your provider uses a different path or expects query paramete
     4. Specify your API url with your resource, ex: 'https://your-resource-name.openai.azure.com'.
     5. Inform at least a model, ex: `gpt-5`
     6. Done, it should be saved to your global config.
-    
+
     or manually via config:
 
     ```javascript
@@ -256,7 +284,7 @@ Only set this when your provider uses a different path or expects query paramete
     3. Specify your API key.
     4. Inform at least a model, ex: `GLM-4.5`
     5. Done, it should be saved to your global config.
-    
+
     or manually via config:
 
     ```javascript
@@ -278,7 +306,7 @@ Only set this when your provider uses a different path or expects query paramete
 === "Same model with different settings"
 
     For now, you can create different providers with same model names to achieve that:
-   
+
     ```javascript
     {
      "providers": {

flake.lock

@@ -16,9 +16,9 @@
         pkgs = nixpkgs.legacyPackages.${system};
         cljpkgs = clj-nix.packages."${system}";
 
-        jdk = pkgs.jdk24_headless;
+        jdk = pkgs.jdk21_headless;
         graalvm = pkgs.graalvmPackages.graalvm-ce;
-        clojure = pkgs.clojure.override { jdk = pkgs.jdk24_headless; };
+        clojure = pkgs.clojure.override { jdk = pkgs.jdk21_headless; };
 
       in
       {