Skip to content

Comments

feat: store post-processing API keys in OS keychain#814

Open
VirenMohindra wants to merge 1 commit intocjpais:mainfrom
VirenMohindra:vm/secure-api-key-storage
Open

feat: store post-processing API keys in OS keychain#814
VirenMohindra wants to merge 1 commit intocjpais:mainfrom
VirenMohindra:vm/secure-api-key-storage

Conversation

@VirenMohindra
Copy link
Contributor

@VirenMohindra VirenMohindra commented Feb 13, 2026
edited
Loading

Before Submitting This PR

Please confirm you have done the following:

Human Written Description

  • UI displays persisted keys without having to "re-enter" them
  • API keys for post-processing providers are currently stored as plaintext in settings_store.json, which means any process with file read access can read them. this moves them into the OS-native credential store (macOS keychain, windows credential manager, linux secret service) so they're protected at rest. existing keys also get silently migrated on first launch and the UI now shows a masked hint instead of the full key

Related Issues/Discussions

Community Feedback

Testing

  • set an API key in the current version (plaintext in JSON), launch the updated version, verify settings_store.json no longer contains the key value
  • verify the key is in macOS keychain (keychain access app -> search "com.handy.app")
  • verify post-processing still works with the migrated key
  • provider dropdown shows all providers
  • switching to a provider with a saved key shows ••••••••xxxx
  • clicking edit allows re-entering a key
  • clicking clear removes the saved key
  • switching providers and back retains the saved key
  • enter a new API key, verify it shows masked after saving, verify post-processing works
  • provider with no key shows empty input, post-processing gracefully skips
  • bun run lint and cargo clippy pass

Screenshots/Videos (if applicable)

persisted-key empty placeholder navigating back to persisted key
persisted-key empty placeholder navigating back to persisted key

AI Assistance

  • No AI was used in this PR
  • AI was used (please describe below)

If AI was used:

  • Tools used: Claude Code
  • How extensively: full implementation from approved plan, with extensive testing

@VirenMohindra
feat: store post-processing API keys in OS keychain
36a2026 
move API keys from plaintext settings_store.json into the OS-native
credential store (macOS keychain, windows credential manager, linux
secret service) via the keyring crate.

- add keyring wrapper module for set/get/delete/hint operations
- auto-migrate existing plaintext keys on first launch
- show masked hint (••••••••xxxx) instead of full key in UI
- keys persist per-provider across provider switching
@VirenMohindra VirenMohindra force-pushed the vm/secure-api-key-storage branch from f02ad46 to 36a2026 Compare February 13, 2026 14:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@VirenMohindra