redis-developer
diff --git a/‎Cargo.lock‎
Lines changed: 11 additions & 0 deletions b/‎Cargo.lock‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 38 additions & 3 deletions b/‎README.md‎
Lines changed: 38 additions & 3 deletions
diff --git a/‎crates/redisctl/Cargo.toml‎
Lines changed: 4 additions & 0 deletions b/‎crates/redisctl/Cargo.toml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎crates/redisctl/src/cli.rs‎
Lines changed: 5 additions & 0 deletions b/‎crates/redisctl/src/cli.rs‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎crates/redisctl/src/config.rs‎
Lines changed: 70 additions & 0 deletions b/‎crates/redisctl/src/config.rs‎
Lines changed: 70 additions & 0 deletions
diff --git a/‎crates/redisctl/src/connection.rs‎
Lines changed: 12 additions & 8 deletions b/‎crates/redisctl/src/connection.rs‎
Lines changed: 12 additions & 8 deletions
@@ -48,19 +48,54 @@ export REDIS_ENTERPRISE_PASSWORD="your-password"
 Or use profiles for multiple environments:
 
 ```bash
-# Create a profile
+# Create a profile with plaintext storage (default)
 redisctl profile set cloud-prod \
-  --cloud-api-key="$REDIS_CLOUD_API_KEY" \
-  --cloud-secret-key="$REDIS_CLOUD_SECRET_KEY"
+  --deployment cloud \
+  --api-key "$REDIS_CLOUD_API_KEY" \
+  --api-secret "$REDIS_CLOUD_SECRET_KEY"
+
+# Create a profile with secure OS keyring storage (recommended)
+redisctl profile set cloud-secure \
+  --deployment cloud \
+  --api-key "$REDIS_CLOUD_API_KEY" \
+  --api-secret "$REDIS_CLOUD_SECRET_KEY" \
+  --use-keyring  # Requires 'secure-storage' feature
 
 # Use the profile
 redisctl --profile cloud-prod cloud database list
 ```
 
+### Profile Storage
+
 Profiles are stored in:
 - **Linux/macOS**: `~/.config/redisctl/config.toml`
 - **Windows**: `%APPDATA%\redis\redisctl\config.toml`
 
+### Secure Credential Storage
+
+When compiled with the `secure-storage` feature, redisctl can store sensitive credentials in your OS keyring:
+
+- **macOS**: Keychain
+- **Windows**: Windows Credential Store
+- **Linux**: Secret Service (GNOME Keyring, KWallet)
+
+To use secure storage:
+```bash
+# Install with secure storage support
+cargo install redisctl --features secure-storage
+
+# Create profile with keyring storage
+redisctl profile set prod \
+  --deployment cloud \
+  --api-key "your-key" \
+  --api-secret "your-secret" \
+  --use-keyring
+
+# The config file will contain references like:
+# api_key = "keyring:prod-api-key"
+# api_secret = "keyring:prod-api-secret"
+```
+
 Example configuration file:
 ```toml
 default_profile = "cloud-prod"
 
@@ -49,6 +49,9 @@ toml = { workspace = true }
 directories = { workspace = true }
 shellexpand = "3.1"
 
+# Secure storage
+keyring = { version = "3.6", optional = true }
+
 [target.'cfg(unix)'.dependencies]
 pager = "0.16"
 
@@ -58,6 +61,7 @@ default = ["full"]
 full = ["cloud", "enterprise"]
 cloud = []
 enterprise = []
+secure-storage = ["dep:keyring"]
 
 [dev-dependencies]
 assert_cmd = "2.0"
 
@@ -201,6 +201,11 @@ pub enum ProfileCommands {
         /// Allow insecure connections (for Enterprise profiles)
         #[arg(long)]
         insecure: bool,
+
+        /// Store credentials in OS keyring instead of config file
+        #[cfg(feature = "secure-storage")]
+        #[arg(long)]
+        use_keyring: bool,
     },
 
     /// Remove a profile
 
@@ -15,6 +15,8 @@ use std::fs;
 use std::path::PathBuf;
 use tracing::{debug, info, trace};
 
+use crate::credential_store::CredentialStore;
+
 /// Main configuration structure
 #[derive(Debug, Serialize, Deserialize, Default, Clone)]
 pub struct Config {
@@ -116,6 +118,74 @@ impl Profile {
             }
         )
     }
+
+    /// Get resolved Cloud credentials (with keyring support)
+    pub fn resolve_cloud_credentials(&self) -> Result<Option<(String, String, String)>> {
+        match &self.credentials {
+            ProfileCredentials::Cloud {
+                api_key,
+                api_secret,
+                api_url,
+            } => {
+                let store = CredentialStore::new();
+
+                // Resolve each credential with environment variable fallback
+                let resolved_key = store
+                    .get_credential(api_key, Some("REDIS_CLOUD_API_KEY"))
+                    .context("Failed to resolve API key")?;
+                let resolved_secret = store
+                    .get_credential(api_secret, Some("REDIS_CLOUD_API_SECRET"))
+                    .context("Failed to resolve API secret")?;
+                let resolved_url = store
+                    .get_credential(api_url, Some("REDIS_CLOUD_API_URL"))
+                    .context("Failed to resolve API URL")?;
+
+                Ok(Some((resolved_key, resolved_secret, resolved_url)))
+            }
+            _ => Ok(None),
+        }
+    }
+
+    /// Get resolved Enterprise credentials (with keyring support)
+    #[allow(clippy::type_complexity)]
+    pub fn resolve_enterprise_credentials(
+        &self,
+    ) -> Result<Option<(String, String, Option<String>, bool)>> {
+        match &self.credentials {
+            ProfileCredentials::Enterprise {
+                url,
+                username,
+                password,
+                insecure,
+            } => {
+                let store = CredentialStore::new();
+
+                // Resolve each credential with environment variable fallback
+                let resolved_url = store
+                    .get_credential(url, Some("REDIS_ENTERPRISE_URL"))
+                    .context("Failed to resolve URL")?;
+                let resolved_username = store
+                    .get_credential(username, Some("REDIS_ENTERPRISE_USER"))
+                    .context("Failed to resolve username")?;
+                let resolved_password = password
+                    .as_ref()
+                    .map(|p| {
+                        store
+                            .get_credential(p, Some("REDIS_ENTERPRISE_PASSWORD"))
+                            .context("Failed to resolve password")
+                    })
+                    .transpose()?;
+
+                Ok(Some((
+                    resolved_url,
+                    resolved_username,
+                    resolved_password,
+                    *insecure,
+                )))
+            }
+            _ => Ok(None),
+        }
+    }
 }
 
 impl Config {
 
@@ -73,18 +73,20 @@ impl ConnectionManager {
                     });
                 }
 
+                // Use the new resolve method which handles keyring lookup
                 let (api_key, api_secret, api_url) = profile
-                    .cloud_credentials()
+                    .resolve_cloud_credentials()
+                    .context("Failed to resolve Cloud credentials")?
                     .context("Profile is not configured for Redis Cloud")?;
 
                 // Check for partial overrides before consuming the Options
                 let has_overrides =
                     env_api_key.is_some() || env_api_secret.is_some() || env_api_url.is_some();
 
                 // Allow partial environment variable overrides
-                let key = env_api_key.unwrap_or_else(|| api_key.to_string());
-                let secret = env_api_secret.unwrap_or_else(|| api_secret.to_string());
-                let url = env_api_url.unwrap_or_else(|| api_url.to_string());
+                let key = env_api_key.unwrap_or(api_key);
+                let secret = env_api_secret.unwrap_or(api_secret);
+                let url = env_api_url.unwrap_or(api_url);
 
                 if has_overrides {
                     debug!("Applied partial environment variable overrides");
@@ -173,8 +175,10 @@ impl ConnectionManager {
                     });
                 }
 
+                // Use the new resolve method which handles keyring lookup
                 let (url, username, password, insecure) = profile
-                    .enterprise_credentials()
+                    .resolve_enterprise_credentials()
+                    .context("Failed to resolve Enterprise credentials")?
                     .context("Profile is not configured for Redis Enterprise")?;
 
                 // Check for partial overrides before consuming the Options
@@ -184,9 +188,9 @@ impl ConnectionManager {
                     || env_insecure.is_some();
 
                 // Allow partial environment variable overrides
-                let final_url = env_url.unwrap_or_else(|| url.to_string());
-                let final_user = env_user.unwrap_or_else(|| username.to_string());
-                let final_password = env_password.or_else(|| password.map(|p| p.to_string()));
+                let final_url = env_url.unwrap_or(url);
+                let final_user = env_user.unwrap_or(username);
+                let final_password = env_password.or(password);
                 let final_insecure = env_insecure
                     .as_ref()
                     .map(|s| s.to_lowercase() == "true" || s == "1")