Files
codex/codex-rs/keyring-store
T
Celia Chen 7cc80b39f1 feat: add auth-specific encrypted secret namespaces (#27535)
## Why

CLI auth and MCP OAuth credentials should use separate encrypted files
while sharing the existing local-secrets implementation and
OS-keyring-backed encryption key mechanism.

This is the second PR in the encrypted-auth stack:

1. #27504 — feature and config selection
2. This PR — auth-specific local-secrets namespaces
3. CLI auth implementation and activation
4. MCP OAuth implementation and activation

## What Changed

- Added `LocalSecretsNamespace` variants for shared secrets, CLI auth,
and MCP OAuth.
- Selected `local.age`, `cli_auth.age`, or `mcp_oauth.age` from the
namespace.
- Made atomic temporary filenames derive from the selected secrets
filename.
- Added namespaced `SecretsManager` construction and coverage proving
the auth namespaces write separate encrypted files.
- Made the default keyring store clonable for downstream namespaced auth
backends.

This PR does not activate either auth backend or change existing
credential behavior.

## Validation

- `just test -p codex-secrets` — 7 passed
- `just test -p codex-keyring-store` — package has no test binaries
- `just fmt`
7cc80b39f1 · 2026-06-12 19:52:49 +00:00
History
..