Secure API storage

[GauravJangra9988]

Description

Changed the storage of API keys from local config.json to OS credential manager.
Shifted the storage utilities like CheckConfig, CreateConfigFile, GetConfigPath to storeUtils

Type of Change

• [x ] Bug fix (non-breaking change which fixes an issue)
• [ x] New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• [x ] Code refactoring
• [x ] Performance improvement
• Other (please describe):

Related Issue

Fixes #(issue number)
#94

Changes Made

• Switched from local API key storage (config.json) to OS credential manager
• Shifted the storage utilities like CheckConfig, CreateConfigFile, GetConfigPath to storeUtils

Testing

• [ x] Tested with Gemini API
• Tested with Grok API
• [x ] Tested on Windows
• Tested on Linux
• Tested on macOS
• Added/updated tests (if applicable)

Checklist

• [x ] My code follows the project's code style
• [x ] I have performed a self-review of my code
• [ x] I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• [x ] My changes generate no new warnings or errors
• [x ] I have tested this in a real Git repository
• [ x] I have read the CONTRIBUTING.md guidelines

Screenshots (if applicable)

Now config.json stores only Saved LLM and default LLM

Additional Notes

Tested with windows, need to test in other OS like MacOS and Linux

---

For Hacktoberfest Participants

• [ x] This PR is submitted as part of Hacktoberfest 2025

Thank you for your contribution! 🎉

Summary by CodeRabbit

• New Features

  • Securely stores LLM API keys in your system keychain (Keychain/Keyring/Credential Manager).
  • Automatic credential store initialization on startup.
  • Improved, cross‑platform configuration file handling.

• Improvements

  • More reliable model management (save/update/delete, default selection) via the CLI.
  • No changes to existing command usage.

• Chores

  • Added dependencies to support OS keychain integration.

Note: You may be prompted to re-enter your API key the first time after updating.

[coderabbitai]

Walkthrough

Refactors store access from package-level functions to an injected StoreMethods instance backed by OS keyring. Threads the Store through CLI commands (LLM setup/update and commit message creation). Adds keyring initialization in main and introduces utility functions for config path handling. Updates go.mod to include keyring dependencies.

Changes

Cohort / File(s)	Summary
Store refactor + keyring integration cmd/cli/store/store.go, utils/storeUtils.go, go.mod	Introduces StoreMethods wrapping keyring; migrates Save/DefaultLLMKey/DeleteModel/UpdateAPIKey to methods; adopts StoreUtils for config paths; changes Config.LLMProviders type; adds github.com/99designs/keyring and indirect deps.
CLI store injection cmd/cli/createMsg.go, cmd/cli/llmSetup.go, cmd/cli/root.go	Adds Store parameter to CreateCommitMsg, SetupLLM, UpdateLLM; updates internal calls to use injected Store; introduces global Store var and StoreInit; updates command handlers.
App initialization cmd/commit-msg/main.go	Initializes keyring via store.KeyringInit(); passes Store to CLI via cmd.StoreInit(); retains cmd.Execute().

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor User
  participant Main as cmd/commit-msg/main.go
  participant Store as store.KeyringInit()
  participant CLI as cmd.StoreInit(...)
  participant Cmd as cobra commands
  participant LLM as SetupLLM/UpdateLLM/CreateCommitMsg
  participant KR as OS Keyring

  User->>Main: Run commit-msg
  Main->>Store: KeyringInit()
  Store-->>Main: *StoreMethods
  Main->>CLI: StoreInit(*StoreMethods)
  Main->>Cmd: Execute()

  rect rgba(200,230,255,0.2)
    note over Cmd,LLM: Store injected into command flows
    Cmd->>LLM: SetupLLM(Store) / UpdateLLM(Store)
    LLM->>KR: Save/Update/Delete API Key
    KR-->>LLM: Result
    Cmd->>LLM: CreateCommitMsg(Store, dryRun, autoCommit)
    LLM->>KR: DefaultLLMKey()
    KR-->>LLM: API Key
  end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• Cli interface #46 — Also refactors CLI and store paths, introducing StoreMethods and threading Store through CreateCommitMsg/SetupLLM/UpdateLLM (overlapping functions and types).

Suggested labels

enhancement, bug, go, hacktoberfest, hacktoberfest-accepted

Suggested reviewers

• DFanso

Poem

Thump-thump, I hop through keys and rings,
Stashing secrets where the keychain sings.
Threads of Store now neatly sewn,
Commands all whisper, “we’re not alone.”
Config burrow mapped just right—
Commit notes bloom by moonlit byte.
🐇✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title “Secure API storage” succinctly captures the primary change of migrating API key storage from a local file to the OS credential manager to enhance security and aligns directly with the PR’s focus on securing credentials. It is clear, concise, and descriptive enough for a teammate to understand the main purpose of the changeset at a glance.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

cmd/cli/llmSetup.go (1)

16-69: Guard against nil Store to avoid panics

SetupLLM now dereferences Store immediately. If StoreInit is skipped (tests, alternate entrypoints, future reuse), this will panic before Cobra can surface a friendly error. Add a nil check up front (same for UpdateLLM) and return a descriptive error instead. For example:

 func SetupLLM(Store *store.StoreMethods) error {
+	if Store == nil {
+		return errors.New("credential store not initialized")
+	}

Apply the same guard in UpdateLLM to keep both code paths safe.

cmd/cli/createMsg.go (1)

26-36: Handle nil Store before calling DefaultLLMKey

CreateCommitMsg dereferences Store right away. If the caller forgot to run StoreInit (easy in tests or other entrypoints), this panics instead of producing a user-friendly message. Add a guard before the first use:

 func CreateCommitMsg(Store *store.StoreMethods, dryRun bool, autoCommit bool) {
+	if Store == nil {
+		pterm.Error.Println("Credential store not initialized. Run: commit llm setup")
+		os.Exit(1)
+	}

This keeps the CLI resilient and aligned with the other error paths.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9739e70 and 9d457df.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (7)

• cmd/cli/createMsg.go (1 hunks)
• cmd/cli/llmSetup.go (6 hunks)
• cmd/cli/root.go (4 hunks)
• cmd/cli/store/store.go (15 hunks)
• cmd/commit-msg/main.go (1 hunks)
• go.mod (2 hunks)
• utils/storeUtils.go (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (5)

cmd/cli/createMsg.go (2)

cmd/cli/root.go (1)

• Store (14-14)

cmd/cli/store/store.go (1)

• StoreMethods (19-21)

cmd/commit-msg/main.go (2)

cmd/cli/store/store.go (1)

• KeyringInit (24-32)

cmd/cli/root.go (2)

• StoreInit (17-19)
• Execute (33-38)

cmd/cli/llmSetup.go (2)

cmd/cli/root.go (1)

• Store (14-14)

cmd/cli/store/store.go (1)

• StoreMethods (19-21)

cmd/cli/root.go (3)

cmd/cli/store/store.go (1)

• StoreMethods (19-21)

cmd/cli/llmSetup.go (2)

• SetupLLM (16-72)
• UpdateLLM (76-173)

cmd/cli/createMsg.go (1)

• CreateCommitMsg (26-250)

cmd/cli/store/store.go (2)

pkg/types/types.go (2)

• Config (60-63)
• LLMProvider (5-5)

utils/storeUtils.go (3)

• GetConfigPath (30-68)
• CheckConfig (9-17)
• CreateConfigFile (19-28)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Build Go Binary (windows-latest)

[DFanso]

LGTM 🎊