@capawesome/cli 4.13.0 → 4.14.0

package/CHANGELOG.md

@@ -2,6 +2,16 @@
 
 All notable changes to this project will be documented in this file. See [commit-and-tag-version](https://github.com/absolute-version/commit-and-tag-version) for commit guidelines.
 
+## [4.14.0](https://github.com/capawesome-team/cli/compare/v4.13.0...v4.14.0) (2026-06-22)
+
+
+### Features
+
+* hint that failure summary can take up to a minute ([9e75e4f](https://github.com/capawesome-team/cli/commit/9e75e4f211aedae075a9509059a8fd2c7fb5c1f5))
+* store authentication token in OS secure storage ([#175](https://github.com/capawesome-team/cli/issues/175)) ([337213d](https://github.com/capawesome-team/cli/commit/337213d4de900fef6ac52b9c0ae0166cdeded630))
+* **telemetry:** add crash report notice and opt-out ([#173](https://github.com/capawesome-team/cli/issues/173)) ([0027ff2](https://github.com/capawesome-team/cli/commit/0027ff258ef18a293646330fd3d46b29e7b0c324))
+* **telemetry:** attach user ID to crash reports ([#174](https://github.com/capawesome-team/cli/issues/174)) ([eeef34a](https://github.com/capawesome-team/cli/commit/eeef34a1aadbdd2a9b8f013e765155cdb1ea9b44))
+
 ## [4.13.0](https://github.com/capawesome-team/cli/compare/v4.12.0...v4.13.0) (2026-06-09)
 
 

package/README.md

@@ -32,6 +32,18 @@ The Capawesome Cloud CLI ships with command documentation that is accessible wit
 npx @capawesome/cli --help
 ```
 
+## Telemetry
+
+The Capawesome Cloud CLI sends crash reports to help us identify and fix bugs. No usage analytics are collected.
+
+To opt out, set the following environment variable:
+
+```bash
+export CAPAWESOME_TELEMETRY_DISABLED=1
+```
+
+Learn more in the [Telemetry documentation](https://capawesome.io/docs/cloud/cli/telemetry/).
+
 ## Development
 
 ### Getting Started

package/dist/commands/login.js

@@ -4,6 +4,7 @@ import sessionsService from '../services/sessions.js';
 import usersService from '../services/users.js';
 import { isInteractive } from '../utils/environment.js';
 import { prompt } from '../utils/prompt.js';
+import credentialStore from '../utils/credential-store.js';
 import userConfig from '../utils/user-config.js';
 import { defineCommand, defineOptions } from '@robingenz/zli';
 import { AxiosError } from 'axios';
@@ -81,15 +82,19 @@ export default defineCommand({
         }
         // Sign in with the provided token
         consola.start('Signing in...');
-        userConfig.write({
-            token: sessionIdOrToken,
-        });
+        // Drop the previous user ID but keep other flags,
+        // so a crash during sign-in isn't attributed to the previous account
+        const { token: _previousToken, userId: _previousUserId, ...persistentConfig } = userConfig.read();
+        userConfig.write(persistentConfig);
+        credentialStore.setToken(sessionIdOrToken);
         try {
-            await usersService.me();
+            const user = await usersService.me();
+            userConfig.write({ ...persistentConfig, userId: user.id });
             consola.success(`Successfully signed in.`);
         }
         catch (error) {
-            userConfig.write({});
+            // Clear the credentials on failure while preserving the other flags
+            credentialStore.deleteToken();
             if (error instanceof AxiosError && error.response?.status === 401) {
                 consola.error(`Invalid token. Please provide a valid token. You can create a token at ${consoleBaseUrl}/settings/tokens.`);
                 process.exit(1);

package/dist/commands/login.test.js

@@ -2,6 +2,7 @@ import { DEFAULT_API_BASE_URL, DEFAULT_CONSOLE_BASE_URL } from '../config/consts
 import configService from '../services/config.js';
 import sessionCodesService from '../services/session-code.js';
 import sessionsService from '../services/sessions.js';
+import credentialStore from '../utils/credential-store.js';
 import { prompt } from '../utils/prompt.js';
 import userConfig from '../utils/user-config.js';
 import consola from 'consola';
@@ -11,6 +12,7 @@ import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
 import loginCommand from './login.js';
 // Mock dependencies
 vi.mock('@/utils/user-config.js');
+vi.mock('@/utils/credential-store.js');
 vi.mock('@/services/session-code.js');
 vi.mock('@/services/sessions.js');
 vi.mock('@/services/config.js');
@@ -20,11 +22,9 @@ vi.mock('@/utils/prompt.js');
 vi.mock('@/utils/environment.js', () => ({
     isInteractive: () => true,
 }));
-vi.mock('@/utils/environment.js', () => ({
-    isInteractive: () => true,
-}));
 describe('login', () => {
     const mockUserConfig = vi.mocked(userConfig);
+    const mockCredentialStore = vi.mocked(credentialStore);
     const mockSessionCodesService = vi.mocked(sessionCodesService);
     const mockSessionsService = vi.mocked(sessionsService);
     const mockConfigService = vi.mocked(configService);
@@ -35,6 +35,9 @@ describe('login', () => {
         vi.clearAllMocks();
         mockUserConfig.write.mockImplementation(() => { });
         mockUserConfig.read.mockReturnValue({});
+        mockCredentialStore.setToken.mockImplementation(() => { });
+        mockCredentialStore.deleteToken.mockImplementation(() => { });
+        mockCredentialStore.getToken.mockReturnValue(null);
         // Mock config service to return consistent URLs
         mockConfigService.getValueForKey.mockImplementation((key) => {
             if (key === 'CONSOLE_BASE_URL')
@@ -54,18 +57,38 @@ describe('login', () => {
     it('should use the provided token for authentication', async () => {
         const testToken = 'valid-token-123';
         const options = { token: testToken };
-        // Mock userConfig.read to return our test token after it's written
-        mockUserConfig.read.mockReturnValue({ token: testToken });
+        // Mock credentialStore.getToken to return our test token after it's written
+        mockCredentialStore.getToken.mockReturnValue(testToken);
         // Set up nock to intercept the /v1/users/me request
         const scope = nock(DEFAULT_API_BASE_URL)
             .get('/v1/users/me')
             .matchHeader('Authorization', `Bearer ${testToken}`)
             .reply(200, { id: 'user-123', email: 'test@example.com' });
         await loginCommand.action(options, undefined);
-        expect(mockUserConfig.write).toHaveBeenCalledWith({ token: testToken });
+        expect(mockCredentialStore.setToken).toHaveBeenCalledWith(testToken);
         expect(scope.isDone()).toBe(true);
         expect(mockConsola.success).toHaveBeenCalledWith('Successfully signed in.');
     });
+    it('should preserve other config flags and replace the previous user ID', async () => {
+        const testToken = 'valid-token-123';
+        const options = { token: testToken };
+        mockCredentialStore.getToken.mockReturnValue(testToken);
+        mockUserConfig.read.mockReturnValue({
+            token: 'previous-token',
+            userId: 'previous-user',
+            telemetryNoticeShown: true,
+        });
+        const scope = nock(DEFAULT_API_BASE_URL)
+            .get('/v1/users/me')
+            .matchHeader('Authorization', `Bearer ${testToken}`)
+            .reply(200, { id: 'user-123', email: 'test@example.com' });
+        await loginCommand.action(options, undefined);
+        // The previous user ID is dropped before the new account is confirmed.
+        expect(mockUserConfig.write).toHaveBeenNthCalledWith(1, { telemetryNoticeShown: true });
+        // The new user ID is stored while other flags are preserved.
+        expect(mockUserConfig.write).toHaveBeenNthCalledWith(2, { telemetryNoticeShown: true, userId: 'user-123' });
+        expect(scope.isDone()).toBe(true);
+    });
     it('should open the browser', async () => {
         const options = {};
         mockPrompt
@@ -76,8 +99,8 @@ describe('login', () => {
             code: 'ABCD1234',
         });
         mockSessionsService.create.mockResolvedValue({ id: 'session-123' });
-        // Mock userConfig.read to return the session token
-        mockUserConfig.read.mockReturnValue({ token: 'session-123' });
+        // Mock credentialStore.getToken to return the session token
+        mockCredentialStore.getToken.mockReturnValue('session-123');
         // Set up nock to intercept the /v1/users/me request
         const scope = nock(DEFAULT_API_BASE_URL)
             .get('/v1/users/me')
@@ -106,16 +129,16 @@ describe('login', () => {
     it('should throw an error because the provided token is invalid', async () => {
         const invalidToken = 'invalid-token';
         const options = { token: invalidToken };
-        // Mock userConfig.read to return our invalid token after it's written
-        mockUserConfig.read.mockReturnValue({ token: invalidToken });
+        // Mock credentialStore.getToken to return our invalid token after it's written
+        mockCredentialStore.getToken.mockReturnValue(invalidToken);
         // Set up nock to intercept the /v1/users/me request and return 401
         const scope = nock(DEFAULT_API_BASE_URL)
             .get('/v1/users/me')
             .matchHeader('Authorization', `Bearer ${invalidToken}`)
             .reply(401, { message: 'Unauthorized' });
         await expect(loginCommand.action(options, undefined)).rejects.toThrow('Process exited with code 1');
-        expect(mockUserConfig.write).toHaveBeenCalledWith({ token: invalidToken });
-        expect(mockUserConfig.write).toHaveBeenCalledWith({}); // Clears token on error
+        expect(mockCredentialStore.setToken).toHaveBeenCalledWith(invalidToken);
+        expect(mockCredentialStore.deleteToken).toHaveBeenCalled(); // Clears token on error
         expect(scope.isDone()).toBe(true);
         expect(mockConsola.error).toHaveBeenCalledWith(`Invalid token. Please provide a valid token. You can create a token at ${DEFAULT_CONSOLE_BASE_URL}/settings/tokens.`);
     });

package/dist/commands/logout.js

@@ -2,6 +2,7 @@ import { defineCommand } from '@robingenz/zli';
 import consola from 'consola';
 import authorizationService from '../services/authorization-service.js';
 import sessionsService from '../services/sessions.js';
+import credentialStore from '../utils/credential-store.js';
 import userConfig from '../utils/user-config.js';
 export default defineCommand({
     description: 'Sign out from the Capawesome Cloud Console.',
@@ -10,7 +11,10 @@ export default defineCommand({
         if (token && !token.startsWith('ca_')) {
             await sessionsService.delete({ id: token }).catch(() => { });
         }
-        userConfig.write({});
+        credentialStore.deleteToken();
+        // Clear the user ID but keep other flags (e.g. the telemetry notice).
+        const { token: _token, userId: _userId, ...persistentConfig } = userConfig.read();
+        userConfig.write(persistentConfig);
         consola.success('Successfully signed out.');
     },
 });

package/dist/commands/logout.test.js

@@ -1,5 +1,6 @@
 import { DEFAULT_API_BASE_URL } from '../config/consts.js';
 import authorizationService from '../services/authorization-service.js';
+import credentialStore from '../utils/credential-store.js';
 import userConfig from '../utils/user-config.js';
 import consola from 'consola';
 import nock from 'nock';
@@ -7,41 +8,51 @@ import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
 import logoutCommand from './logout.js';
 // Mock dependencies
 vi.mock('@/services/authorization-service.js');
+vi.mock('@/utils/credential-store.js');
 vi.mock('@/utils/user-config.js');
 vi.mock('consola');
 describe('logout', () => {
     const mockAuthorizationService = vi.mocked(authorizationService);
+    const mockCredentialStore = vi.mocked(credentialStore);
     const mockUserConfig = vi.mocked(userConfig);
     const mockConsola = vi.mocked(consola);
     beforeEach(() => {
         vi.clearAllMocks();
+        mockCredentialStore.deleteToken.mockImplementation(() => { });
         mockUserConfig.write.mockImplementation(() => { });
+        mockUserConfig.read.mockReturnValue({});
     });
     afterEach(() => {
         nock.cleanAll();
         vi.restoreAllMocks();
     });
-    it('should delete session and clear user config with session token', async () => {
+    it('should delete session and clear credentials with session token', async () => {
         const sessionToken = 'session-123';
         mockAuthorizationService.getCurrentAuthorizationToken.mockReturnValue(sessionToken);
         // Set up nock to intercept the DELETE request
         const scope = nock(DEFAULT_API_BASE_URL).delete('/v1/sessions/session-123').reply(200);
         await logoutCommand.action({}, undefined);
         expect(scope.isDone()).toBe(true);
-        expect(mockUserConfig.write).toHaveBeenCalledWith({});
+        expect(mockCredentialStore.deleteToken).toHaveBeenCalled();
         expect(mockConsola.success).toHaveBeenCalledWith('Successfully signed out.');
     });
-    it('should only clear user config with API token', async () => {
+    it('should only clear credentials with API token', async () => {
         const apiToken = 'ca_abc123';
         mockAuthorizationService.getCurrentAuthorizationToken.mockReturnValue(apiToken);
         await logoutCommand.action({}, undefined);
-        expect(mockUserConfig.write).toHaveBeenCalledWith({});
+        expect(mockCredentialStore.deleteToken).toHaveBeenCalled();
         expect(mockConsola.success).toHaveBeenCalledWith('Successfully signed out.');
     });
+    it('should clear the user ID but preserve other flags', async () => {
+        mockAuthorizationService.getCurrentAuthorizationToken.mockReturnValue('ca_abc123');
+        mockUserConfig.read.mockReturnValue({ token: 'ca_abc123', userId: 'user-1', telemetryNoticeShown: true });
+        await logoutCommand.action({}, undefined);
+        expect(mockUserConfig.write).toHaveBeenCalledWith({ telemetryNoticeShown: true });
+    });
     it('should handle no token gracefully', async () => {
         mockAuthorizationService.getCurrentAuthorizationToken.mockReturnValue(null);
         await logoutCommand.action({}, undefined);
-        expect(mockUserConfig.write).toHaveBeenCalledWith({});
+        expect(mockCredentialStore.deleteToken).toHaveBeenCalled();
         expect(mockConsola.success).toHaveBeenCalledWith('Successfully signed out.');
     });
 });

package/dist/commands/whoami.js

@@ -1,12 +1,12 @@
+import authorizationService from '../services/authorization-service.js';
 import usersService from '../services/users.js';
-import userConfig from '../utils/user-config.js';
 import { defineCommand } from '@robingenz/zli';
 import { AxiosError } from 'axios';
 import consola from 'consola';
 export default defineCommand({
     description: 'Show current user',
     action: async (options, args) => {
-        const { token } = userConfig.read();
+        const token = authorizationService.getCurrentAuthorizationToken();
         if (token) {
             try {
                 const user = await usersService.me();

package/dist/commands/whoami.test.js

@@ -1,12 +1,12 @@
 import { DEFAULT_API_BASE_URL } from '../config/consts.js';
-import userConfig from '../utils/user-config.js';
+import authorizationService from '../services/authorization-service.js';
 import nock from 'nock';
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
 import whoamiCommand from './whoami.js';
 // Mock only the dependencies we need to control
-vi.mock('@/utils/user-config.js');
+vi.mock('@/services/authorization-service.js');
 describe('whoami', () => {
-    const mockUserConfig = vi.mocked(userConfig);
+    const mockAuthorizationService = vi.mocked(authorizationService);
     beforeEach(() => {
         vi.clearAllMocks();
         vi.spyOn(process, 'exit').mockImplementation(() => undefined);
@@ -17,8 +17,8 @@ describe('whoami', () => {
     });
     it('should send Bearer token in Authorization header when checking current user', async () => {
         const testToken = 'user-token-456';
-        // Mock userConfig.read to return our test token
-        mockUserConfig.read.mockReturnValue({ token: testToken });
+        // Mock the authorization service to return our test token
+        mockAuthorizationService.getCurrentAuthorizationToken.mockReturnValue(testToken);
         // Set up nock to intercept the /v1/users/me request
         const scope = nock(DEFAULT_API_BASE_URL)
             .get('/v1/users/me')

package/dist/index.js

@@ -1,7 +1,9 @@
 #!/usr/bin/env node
 import configService from './services/config.js';
+import telemetryService from './services/telemetry.js';
 import updateService from './services/update.js';
 import { getMessageFromUnknownError, UserError } from './utils/error.js';
+import userConfig from './utils/user-config.js';
 import { defineConfig, processConfig, ZliError } from '@robingenz/zli';
 import * as Sentry from '@sentry/node';
 import { AxiosError } from 'axios';
@@ -103,6 +105,10 @@ const captureException = async (error) => {
     if (error instanceof ZodError) {
         return;
     }
+    // Respect telemetry opt-out
+    if (!telemetryService.isEnabled()) {
+        return;
+    }
     const environment = await configService.getValueForKey('ENVIRONMENT');
     if (environment !== 'production') {
         return;
@@ -111,6 +117,15 @@ const captureException = async (error) => {
         dsn: 'https://19f30f2ec4b91899abc33818568ceb42@o4507446340747264.ingest.de.sentry.io/4508506426966096',
         release: `capawesome-team-cli@${pkg.version}`,
     });
+    try {
+        const { userId } = userConfig.read();
+        if (userId) {
+            Sentry.setUser({ id: userId });
+        }
+    }
+    catch {
+        // Still report the crash even if the user ID can't be read.
+    }
     if (process.argv.slice(2).length > 0) {
         Sentry.setTag('cli_command', process.argv.slice(2)[0]);
     }
@@ -134,6 +149,8 @@ catch (error) {
         // Suggest opening an issue
         consola.log('If you think this is a bug, please open an issue at:');
         consola.log('  https://github.com/capawesome-team/cli/issues/new/choose');
+        // Show the telemetry notice
+        telemetryService.showNoticeIfNeeded();
         // Check for updates
         await updateService.checkForUpdate();
         // Exit with a non-zero code
@@ -141,6 +158,8 @@ catch (error) {
     }
 }
 finally {
+    // Show the telemetry notice
+    telemetryService.showNoticeIfNeeded();
     // Check for updates
     await updateService.checkForUpdate();
 }

package/dist/services/authorization-service.js

@@ -1,11 +1,11 @@
-import userConfig from '../utils/user-config.js';
+import credentialStore from '../utils/credential-store.js';
 class AuthorizationServiceImpl {
-    userConfig;
-    constructor(userConfig) {
-        this.userConfig = userConfig;
+    credentialStore;
+    constructor(credentialStore) {
+        this.credentialStore = credentialStore;
     }
     getCurrentAuthorizationToken() {
-        const token = this.userConfig.read().token || process.env.CAPAWESOME_CLOUD_TOKEN || process.env.CAPAWESOME_TOKEN || null;
+        const token = this.credentialStore.getToken() || process.env.CAPAWESOME_CLOUD_TOKEN || process.env.CAPAWESOME_TOKEN || null;
         // Trim to remove newline characters that may be included when pasting a token,
         // which would cause an invalid character error in the Authorization header.
         const trimmedToken = token?.trim();
@@ -15,5 +15,5 @@ class AuthorizationServiceImpl {
         return !!this.getCurrentAuthorizationToken();
     }
 }
-const authorizationService = new AuthorizationServiceImpl(userConfig);
+const authorizationService = new AuthorizationServiceImpl(credentialStore);
 export default authorizationService;

package/dist/services/telemetry.js

@@ -0,0 +1,31 @@
+import { isInteractive } from '../utils/environment.js';
+import userConfig from '../utils/user-config.js';
+import consola from 'consola';
+const TELEMETRY_DISABLED_VALUES = ['1', 'true'];
+class TelemetryServiceImpl {
+    isEnabled() {
+        const value = process.env.CAPAWESOME_TELEMETRY_DISABLED?.toLowerCase();
+        return !value || !TELEMETRY_DISABLED_VALUES.includes(value);
+    }
+    showNoticeIfNeeded() {
+        if (!this.isEnabled() || !isInteractive()) {
+            return;
+        }
+        try {
+            const config = userConfig.read();
+            if (config.telemetryNoticeShown) {
+                return;
+            }
+            console.log(''); // Add an empty line for better readability
+            consola.info('Capawesome CLI sends crash reports to help us fix bugs.\n' +
+                'To opt out: export CAPAWESOME_TELEMETRY_DISABLED=1\n' +
+                'Learn more: https://capawesome.io/docs/cloud/cli/telemetry/');
+            userConfig.write({ ...config, telemetryNoticeShown: true });
+        }
+        catch {
+            // Never let the telemetry notice break the CLI.
+        }
+    }
+}
+const telemetryService = new TelemetryServiceImpl();
+export default telemetryService;

package/dist/services/telemetry.test.js

@@ -0,0 +1,67 @@
+import consola from 'consola';
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
+import { isInteractive } from '../utils/environment.js';
+import userConfig from '../utils/user-config.js';
+import telemetryService from './telemetry.js';
+vi.mock('@/utils/environment.js');
+vi.mock('@/utils/user-config.js');
+vi.mock('consola');
+describe('telemetryService', () => {
+    const mockIsInteractive = vi.mocked(isInteractive);
+    const mockRead = vi.mocked(userConfig.read);
+    const mockWrite = vi.mocked(userConfig.write);
+    beforeEach(() => {
+        vi.clearAllMocks();
+        delete process.env.CAPAWESOME_TELEMETRY_DISABLED;
+        mockIsInteractive.mockReturnValue(true);
+        mockRead.mockReturnValue({});
+    });
+    afterEach(() => {
+        delete process.env.CAPAWESOME_TELEMETRY_DISABLED;
+    });
+    describe('isEnabled', () => {
+        it('should be enabled by default', () => {
+            expect(telemetryService.isEnabled()).toBe(true);
+        });
+        it.each(['1', 'true', 'TRUE'])('should be disabled when CAPAWESOME_TELEMETRY_DISABLED is "%s"', (value) => {
+            process.env.CAPAWESOME_TELEMETRY_DISABLED = value;
+            expect(telemetryService.isEnabled()).toBe(false);
+        });
+        it('should stay enabled for other values', () => {
+            process.env.CAPAWESOME_TELEMETRY_DISABLED = '0';
+            expect(telemetryService.isEnabled()).toBe(true);
+        });
+    });
+    describe('showNoticeIfNeeded', () => {
+        it('should show the notice once and persist the flag', () => {
+            mockRead.mockReturnValue({ token: 'abc' });
+            telemetryService.showNoticeIfNeeded();
+            expect(consola.info).toHaveBeenCalledOnce();
+            expect(mockWrite).toHaveBeenCalledWith({ token: 'abc', telemetryNoticeShown: true });
+        });
+        it('should not show the notice when it was already shown', () => {
+            mockRead.mockReturnValue({ telemetryNoticeShown: true });
+            telemetryService.showNoticeIfNeeded();
+            expect(consola.info).not.toHaveBeenCalled();
+            expect(mockWrite).not.toHaveBeenCalled();
+        });
+        it('should not show the notice when telemetry is disabled', () => {
+            process.env.CAPAWESOME_TELEMETRY_DISABLED = '1';
+            telemetryService.showNoticeIfNeeded();
+            expect(consola.info).not.toHaveBeenCalled();
+            expect(mockWrite).not.toHaveBeenCalled();
+        });
+        it('should not show the notice in non-interactive environments', () => {
+            mockIsInteractive.mockReturnValue(false);
+            telemetryService.showNoticeIfNeeded();
+            expect(consola.info).not.toHaveBeenCalled();
+            expect(mockWrite).not.toHaveBeenCalled();
+        });
+        it('should not throw when reading or writing the config fails', () => {
+            mockRead.mockImplementation(() => {
+                throw new Error('read failed');
+            });
+            expect(() => telemetryService.showNoticeIfNeeded()).not.toThrow();
+        });
+    });
+});

package/dist/utils/credential-store.js

@@ -0,0 +1,84 @@
+import userConfig from '../utils/user-config.js';
+import { Entry } from '@napi-rs/keyring';
+const SERVICE_NAME = 'capawesome-cli';
+const ACCOUNT_NAME = 'token';
+/**
+ * Stores the authentication token in the operating system's secure storage
+ * (macOS Keychain, Windows Credential Manager, Linux Secret Service) when
+ * available and falls back to the plaintext user config file otherwise
+ * (e.g. headless CI environments without a keyring backend).
+ */
+class CredentialStoreImpl {
+    keyringAvailable = null;
+    getToken() {
+        if (!this.isKeyringAvailable()) {
+            return userConfig.read().token ?? null;
+        }
+        const token = this.createEntry().getPassword();
+        if (token) {
+            return token;
+        }
+        return this.migrateFileToken();
+    }
+    setToken(token) {
+        if (!this.isKeyringAvailable()) {
+            this.writeFileToken(token);
+            return;
+        }
+        this.createEntry().setPassword(token);
+        this.clearFileToken();
+    }
+    deleteToken() {
+        if (this.isKeyringAvailable()) {
+            try {
+                this.createEntry().deletePassword();
+            }
+            catch {
+                // Ignore errors when there is no credential to delete.
+            }
+        }
+        this.clearFileToken();
+    }
+    createEntry() {
+        return new Entry(SERVICE_NAME, ACCOUNT_NAME);
+    }
+    isKeyringAvailable() {
+        if (this.keyringAvailable === null) {
+            try {
+                // Probe the backend with a read. This throws if no keyring backend is
+                // available, but returns null for a missing credential.
+                this.createEntry().getPassword();
+                this.keyringAvailable = true;
+            }
+            catch {
+                this.keyringAvailable = false;
+            }
+        }
+        return this.keyringAvailable;
+    }
+    /**
+     * Moves a token stored in the plaintext config file into the keyring and
+     * removes the plaintext copy. Returns the migrated token or null.
+     */
+    migrateFileToken() {
+        const fileToken = userConfig.read().token;
+        if (!fileToken) {
+            return null;
+        }
+        this.setToken(fileToken);
+        return fileToken;
+    }
+    writeFileToken(token) {
+        const config = userConfig.read();
+        userConfig.write({ ...config, token });
+    }
+    clearFileToken() {
+        const { token, ...rest } = userConfig.read();
+        if (token === undefined) {
+            return;
+        }
+        userConfig.write(rest);
+    }
+}
+const credentialStore = new CredentialStoreImpl();
+export default credentialStore;

package/dist/utils/credential-store.test.js

@@ -0,0 +1,84 @@
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+const { mockGetPassword, mockSetPassword, mockDeletePassword, mockRead, mockWrite } = vi.hoisted(() => ({
+    mockGetPassword: vi.fn(),
+    mockSetPassword: vi.fn(),
+    mockDeletePassword: vi.fn(),
+    mockRead: vi.fn(),
+    mockWrite: vi.fn(),
+}));
+vi.mock('@napi-rs/keyring', () => ({
+    Entry: vi.fn(function () {
+        return {
+            getPassword: mockGetPassword,
+            setPassword: mockSetPassword,
+            deletePassword: mockDeletePassword,
+        };
+    }),
+}));
+vi.mock('@/utils/user-config.js', () => ({
+    default: { read: mockRead, write: mockWrite },
+}));
+const loadCredentialStore = async () => {
+    const module = await import('./credential-store.js');
+    return module.default;
+};
+describe('credentialStore', () => {
+    beforeEach(() => {
+        vi.clearAllMocks();
+        vi.resetModules();
+        mockRead.mockReturnValue({});
+    });
+    describe('when the keyring is available', () => {
+        beforeEach(() => {
+            mockGetPassword.mockReturnValue(null);
+        });
+        it('should return the token from the keyring', async () => {
+            mockGetPassword.mockReturnValue('keyring-token');
+            const credentialStore = await loadCredentialStore();
+            expect(credentialStore.getToken()).toBe('keyring-token');
+        });
+        it('should return null when no token is stored', async () => {
+            const credentialStore = await loadCredentialStore();
+            expect(credentialStore.getToken()).toBeNull();
+        });
+        it('should migrate a plaintext token from the config file into the keyring', async () => {
+            mockRead.mockReturnValue({ token: 'file-token', userId: 'user-1' });
+            const credentialStore = await loadCredentialStore();
+            expect(credentialStore.getToken()).toBe('file-token');
+            expect(mockSetPassword).toHaveBeenCalledWith('file-token');
+            expect(mockWrite).toHaveBeenCalledWith({ userId: 'user-1' });
+        });
+        it('should store the token in the keyring and strip the plaintext copy', async () => {
+            mockRead.mockReturnValue({ token: 'old-token', userId: 'user-1' });
+            const credentialStore = await loadCredentialStore();
+            credentialStore.setToken('new-token');
+            expect(mockSetPassword).toHaveBeenCalledWith('new-token');
+            expect(mockWrite).toHaveBeenCalledWith({ userId: 'user-1' });
+        });
+        it('should delete the token from the keyring', async () => {
+            const credentialStore = await loadCredentialStore();
+            credentialStore.deleteToken();
+            expect(mockDeletePassword).toHaveBeenCalled();
+        });
+    });
+    describe('when the keyring is unavailable', () => {
+        beforeEach(() => {
+            mockGetPassword.mockImplementation(() => {
+                throw new Error('no keyring backend');
+            });
+        });
+        it('should return the token from the config file', async () => {
+            mockRead.mockReturnValue({ token: 'file-token' });
+            const credentialStore = await loadCredentialStore();
+            expect(credentialStore.getToken()).toBe('file-token');
+            expect(mockSetPassword).not.toHaveBeenCalled();
+        });
+        it('should store the token in the config file while preserving other fields', async () => {
+            mockRead.mockReturnValue({ userId: 'user-1' });
+            const credentialStore = await loadCredentialStore();
+            credentialStore.setToken('file-token');
+            expect(mockWrite).toHaveBeenCalledWith({ userId: 'user-1', token: 'file-token' });
+            expect(mockSetPassword).not.toHaveBeenCalled();
+        });
+    });
+});

package/dist/utils/job-failure-summary.js

@@ -10,6 +10,7 @@ import consola from 'consola';
  */
 export const printJobFailureSummary = async (options) => {
     const { jobId } = options;
+    consola.info('Hang tight, this can take up to a minute.');
     consola.start('Generating failure summary with Capawesome Cloud Assist...');
     const { summary } = await jobsService.generateFailureSummary({ jobId });
     consola.success('Failure summary generated by Capawesome Cloud Assist:');

package/package.json

@@ -1,12 +1,13 @@
 {
   "name": "@capawesome/cli",
-  "version": "4.13.0",
+  "version": "4.14.0",
   "description": "The Capawesome Cloud Command Line Interface (CLI) to manage Live Updates and more.",
   "type": "module",
   "scripts": {
     "build": "rimraf ./dist && tsc && tsc-alias",
     "start": "npm run build && node ./dist/index.js",
     "test": "vitest run",
+    "test:coverage": "vitest run --coverage",
     "test:watch": "vitest --watch",
     "test:ui": "vitest --ui",
     "lint": "npm run prettier -- --check",
@@ -53,14 +54,15 @@
   ],
   "dependencies": {
     "@clack/prompts": "0.7.0",
+    "@napi-rs/keyring": "1.3.0",
     "@robingenz/zli": "0.2.0",
-    "@sentry/node": "8.55.0",
+    "@sentry/node": "10.58.0",
     "adm-zip": "0.5.16",
     "axios": "1.16.0",
     "axios-retry": "4.5.0",
     "c12": "3.3.3",
     "consola": "3.3.0",
-    "form-data": "4.0.4",
+    "form-data": "4.0.6",
     "globby": "16.1.1",
     "http-proxy-agent": "7.0.2",
     "https-proxy-agent": "7.0.6",
@@ -78,6 +80,7 @@
     "@types/mime": "3.0.4",
     "@types/node": "24.2.1",
     "@types/semver": "7.5.8",
+    "@vitest/coverage-v8": "4.1.7",
     "@vitest/ui": "4.1.7",
     "commit-and-tag-version": "12.6.1",
     "nock": "14.0.10",