lsm / neokai / 27726046174 / 27
82%
dev: 82%

DEFAULT BRANCH: dev
Ran
Files 244
Run time 15s
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 73.855% (-0.008%) from 73.863%
27726046174.27

push

github

web-flow 
fix(credentials): keychain error UX + encrypted file fallback for screen/SSH (#2115)

* fix(providers): surface keychain guidance on create/update credential writes

Previously only `providers.delete` caught `KeychainUnavailableError`. When a
locked macOS Keychain blocked `providers.create` or `providers.update` (e.g.
daemon launched over SSH / headless), the tagged error propagated raw to the
RPC caller with no log entry and no normalisation.

Extract `rethrowKeychainError(err, action, providerId)` so all three mutation
handlers share one place that:
  - emits a structured `log.warn` (operators can correlate the failed action),
  - rethrows `new Error(KEYCHAIN_UNAVAILABLE_MESSAGE)` so the RPC layer
    serialises actionable UX guidance to the client.

`providers.create` keeps its existing compensating-delete behaviour: the
orphan provider row is removed before the actionable error surfaces, so
retries don't fail with 'already exists'. `providers.update` leaves the DB
row untouched when the credential write fails, so `authType` doesn't flip to
`api_key` while the key wasn't actually stored.

Adds two unit tests covering the create rollback + update no-op paths and
locking the existing delete path to the shared helper.

* feat(credentials): auto-fall back to encrypted file when macOS Keychain locked

Matches the credential-storage pattern used by Codex CLI (`~/.codex/auth.json`)
and Claude Code (`~/.claude/.credentials.json`): try the OS keychain first, fall
back to a 0600 encrypted file when the keychain is unavailable. Both peers do
this because the macOS `login.keychain-db` rejects writes from non-GUI security
sessions with `errSecInteractionNotAllowed` (exit code 36) — the same wall our
daemon hits when launched from screen / SSH / launchd. Native keychain APIs do
not bypass this; only GUI apps with bundle IDs get pre-authorized ACL access.

Behaviour changes:

1. `KeychainStatusCredentialStore` now accepts an optional `fallback` store
   and an op... (continued)

10714 of 15625 branches covered (68.57%)

Branch coverage included in aggregate %.

13693 of 17422 relevant lines covered (78.6%)

51.86 hits per line

Source Files on job web - 27726046174.27