
[P3] Keychain integration for secrets (macOS keychain, Linux secret-service) #21

@Railly

Description


Context

Today all secrets (cert PFX password, SOL password, OAuth client_secret) are read from env vars. Works fine for shell scripts + agents, but power users want OS keychain.

Scope

  • macOS: `security` CLI wrapper (`security add-generic-password` / `security find-generic-password`)
  • Linux: `secret-tool` (libsecret) wrapper
  • Windows: deferred until Windows is supported anywhere
  • New `sunat keychain set/get/list/clear` commands
  • Fallback chain: env var → keychain → fail with clear error

Success criteria

  • `security find-generic-password -s sunat-cli -a CPE_CERT_PASSWORD -w` returns the value
  • env vars override keychain when both set (predictable for CI)
  • Documented in SKILL.md
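As an added illustration (not code from the sunat project), a POSIX sh sketch of the env var → keychain → clear error chain from Scope, with the `security` / `secret-tool` invocations the issue names. The service name `sunat-cli` and `CPE_CERT_PASSWORD` come from the issue; the function names, the `SUNAT_KEYCHAIN_OS` override, the allow-list and the other two secret names are assumptions.

```shell
#!/bin/sh
# Added example, not the sunat CLI's own code.
SUNAT_SERVICE="sunat-cli"

# Secrets the CLI may look up. CPE_CERT_PASSWORD is from the issue; the other
# two are placeholder names for the SOL password and the OAuth client secret.
KNOWN_SECRETS="CPE_CERT_PASSWORD SOL_PASSWORD OAUTH_CLIENT_SECRET"

# keychain_lookup NAME: print the value stored for service sunat-cli / account
# NAME, or return non-zero. SUNAT_KEYCHAIN_OS (assumed) overrides uname(1).
keychain_lookup() {
  case "${SUNAT_KEYCHAIN_OS:-$(uname -s)}" in
    Darwin) command -v security >/dev/null 2>&1 || return 1
            security find-generic-password -s "$SUNAT_SERVICE" -a "$1" -w 2>/dev/null ;;
    Linux)  command -v secret-tool >/dev/null 2>&1 || return 1
            secret-tool lookup service "$SUNAT_SERVICE" account "$1" 2>/dev/null ;;
    *)      return 1 ;;   # Windows and others: no keychain backend yet
  esac
}

# sunat_secret NAME: env var wins (predictable for CI), then the keychain,
# then fail with an actionable message on stderr and exit status 1.
sunat_secret() {
  name=$1
  # Only allow-listed names reach eval, so NAME cannot inject shell code.
  case " $KNOWN_SECRETS " in
    *" $name "*) ;;
    *) echo "sunat: unknown secret '$name'" >&2; return 1 ;;
  esac
  eval "value=\${$name-}"
  if [ -n "$value" ]; then
    printf '%s\n' "$value"
    return 0
  fi
  if value=$(keychain_lookup "$name") && [ -n "$value" ]; then
    printf '%s\n' "$value"
    return 0
  fi
  echo "sunat: $name not set; export $name or run 'sunat keychain set $name'" >&2
  return 1
}
```

With no env var and no backend for the detected OS, stdout stays empty and the caller gets a non-zero status, so a wrapper script cannot silently continue with an empty password.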

Why P3

Env vars + dotfiles work. Keychain is nicer DX but not blocking.

Metadata


Assignees

No one assigned

    Labels

      • area:infra (CI, build, tooling, observability)
      • enhancement (New feature or request)
      • priority:p3 (Nice-to-have, low priority)
      • ready-for-agent (AFK agent should pick this up)


    Development

    No branches or pull requests
