TA-4530: Implement secure secret storage #301
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
promeris
reviewed
Jan 9, 2026
|
|
||
| **Best Practices:** | ||
| - Ensure your system keychain is properly configured and accessible | ||
| - If you see warnings about plaintext storage, consider re-creating the profile to enable secure storage |
Collaborator
There was a problem hiding this comment.
I see you mentioned a migration solution being intentionally skipped in the PR description, but I think it would be very straightforward to enable users on it without re-create. Something like content-cli profile secure <profile> and re-use logic the already implemented logic from this PR.
promeris
reviewed
Jan 9, 2026
Buqeta
previously approved these changes
Jan 9, 2026
ZgjimHaziri
reviewed
Jan 9, 2026
|
ZgjimHaziri
approved these changes
Jan 12, 2026
jetakasabaqi
approved these changes
Jan 12, 2026
Buqeta
approved these changes
Jan 12, 2026
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Implemented secure secret storage using keytar lib with fallback to the current plain text storage for cases where storing the secrets in the system keychain fails or is not available (eg. on linux due to libsecret dependency).
A warning will be shown to users when creating or using a profile with insecure secret storage.
Solutions for migrating existing profile secrets automatically or providing a helper command will be considered separately.
Relevant links
Checklist
Note
Introduces secure storage for profile secrets with automatic use of the system keychain and plaintext fallback when unavailable.
SecureSecretStorageServiceusingkeytarto save/retrieveapiToken,clientSecret, andrefreshTokenundercelonis-content-cli:<profile-name>Profilemodel updated (ProfileSecrets,secretsStoredSecurelyflag);storeProfilenow async, strips secrets when saved securely;findProfileloads secrets from keychain when flaggedProfileCommandService/ProfileServiceupdated to awaitstoreProfileand persist refreshed tokens securelypackage.jsonaddskeytar; extensive unit tests added for secure storage, fallback, and keytar-unavailable scenarios; lockfile updatedWritten by Cursor Bugbot for commit 9c60ea8. This will update automatically on new commits. Configure here.