Extract the OS keyring into core/keyring_store#215
Merged
Conversation
config.py sat at exactly the 500-line gate with no headroom. Split the OS keyring access — the one external secret dependency — into a new core/keyring_store.py: KEYRING_SERVICE plus set_secret/get_secret/ restore_secret/delete_secret/usable, the single importer of `keyring`. config.py (500 -> 442) now reads and writes secrets through that wrapper and no longer imports keyring directly, so the documented "secrets live in the keyring, not the dotfile" boundary is structural. config.keyring_usable stays as a thin delegator so the auth-state facade (doctor/login and their tests) is unchanged. The two clear_* paths collapse onto the shared delete_secret. Tests that reached into config's keyring internals repointed to keyring_store (config.keyring -> keyring_store.keyring, config.KEYRING_SERVICE -> keyring_store.KEYRING_SERVICE). No behavior change. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_018Bkx51XDcYBdnot1EF8h9U
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
core/config.pysat at exactly the 500-line gate with zero headroom (the next addition would break the max-file-length check). This splits the OS keyring access — the one external secret dependency — onto its natural seam.What changed
core/keyring_store.py— the single importer ofkeyring, holdingKEYRING_SERVICEplusset_secret/get_secret/restore_secret/delete_secret/usable.core/config.py(500 → 442) — reads and writes secrets through that wrapper and no longer importskeyringdirectly, so the documented "secrets live in the keyring, not the dotfile" boundary is now structural.config.keyring_usablestays as a thin delegator so the auth-state facade (doctor/loginand their tests) is unchanged. The twoclear_*paths collapse onto the shareddelete_secret.keyring_store(config.keyring→keyring_store.keyring,config.KEYRING_SERVICE→keyring_store.KEYRING_SERVICE).No behavior change. Full
scripts/check.shgate passes — 100% patch coverage, mutation gate, CodeQL, import-linter contracts (the new module lands in thecorelayer).🤖 Generated with Claude Code
https://claude.ai/code/session_018Bkx51XDcYBdnot1EF8h9U
Generated by Claude Code