Phase 5 spec §1.2 — deferred to Phase 6+.
OS keyring backend (!keyring indirection). v1 storage = plaintext + !env indirection (already shipped in Phase 4).
Scope
- New config-value indirection tag
!keyring NAME resolving via the OS keyring (Keychain on macOS, libsecret on Linux, Credential Manager on Windows).
nsc login --store keyring writes the captured token into the OS keyring under a deterministic service name and updates ~/.nsc/config.yaml to reference it via !keyring.
- Documentation page at
docs/guides/keyring.md (counterpart to the existing !env indirection guide).
Why deferred from v1
v1 ships plaintext + !env (already shipped in Phase 4). The keyring backend is a defense-in-depth improvement, not a v1 blocker.
Acceptance
- A profile configured with
!keyring my-token round-trips through nsc login --store keyring and a subsequent nsc ls devices request without the plaintext token ever touching ~/.nsc/config.yaml.
- E2E test under
tests/e2e/test_keyring_roundtrip.py (gated on availability of a keyring backend in CI).
Phase 5 spec §1.2 — deferred to Phase 6+.
Scope
!keyring NAMEresolving via the OS keyring (Keychain on macOS, libsecret on Linux, Credential Manager on Windows).nsc login --store keyringwrites the captured token into the OS keyring under a deterministic service name and updates~/.nsc/config.yamlto reference it via!keyring.docs/guides/keyring.md(counterpart to the existing!envindirection guide).Why deferred from v1
v1 ships plaintext +
!env(already shipped in Phase 4). The keyring backend is a defense-in-depth improvement, not a v1 blocker.Acceptance
!keyring my-tokenround-trips throughnsc login --store keyringand a subsequentnsc ls devicesrequest without the plaintext token ever touching~/.nsc/config.yaml.tests/e2e/test_keyring_roundtrip.py(gated on availability of a keyring backend in CI).