Skip to content

Phase 6: keyring backend (!keyring NAME config tag, nsc login --store keyring) #1

Description

@thomaschristory

Phase 5 spec §1.2 — deferred to Phase 6+.

OS keyring backend (!keyring indirection). v1 storage = plaintext + !env indirection (already shipped in Phase 4).

Scope

  • New config-value indirection tag !keyring NAME resolving via the OS keyring (Keychain on macOS, libsecret on Linux, Credential Manager on Windows).
  • nsc login --store keyring writes the captured token into the OS keyring under a deterministic service name and updates ~/.nsc/config.yaml to reference it via !keyring.
  • Documentation page at docs/guides/keyring.md (counterpart to the existing !env indirection guide).

Why deferred from v1

v1 ships plaintext + !env (already shipped in Phase 4). The keyring backend is a defense-in-depth improvement, not a v1 blocker.

Acceptance

  • A profile configured with !keyring my-token round-trips through nsc login --store keyring and a subsequent nsc ls devices request without the plaintext token ever touching ~/.nsc/config.yaml.
  • E2E test under tests/e2e/test_keyring_roundtrip.py (gated on availability of a keyring backend in CI).

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions