@telepat/snoopy 0.1.8 → 0.1.10

package/README.md

@@ -102,6 +102,7 @@ Note:
 - Snoopy uses Reddit public JSON endpoints by default.
 - Optional Reddit OAuth fallback credentials can be configured in `snoopy settings` for environments where unauthenticated access is blocked.
 - `snoopy settings` shows a full settings menu so you can jump directly to any setting and save once.
+- If keychain storage is unavailable, configure secrets with environment variables (`SNOOPY_OPENROUTER_API_KEY`, `SNOOPY_REDDIT_CLIENT_SECRET`).
 
 1. Start interactive setup and create your first job:
 

package/dist/src/cli/commands/doctor.js

@@ -3,7 +3,7 @@ import { getDb } from '../../services/db/sqlite.js';
 import { JobsRepository } from '../../services/db/repositories/jobsRepo.js';
 import { RunsRepository } from '../../services/db/repositories/runsRepo.js';
 import { extractErrorEntries, readRunLog } from '../../services/logging/logReader.js';
-import { getOpenRouterApiKey } from '../../services/security/secretStore.js';
+import { getOpenRouterApiKey, isKeytarAvailable } from '../../services/security/secretStore.js';
 import { getStartupStatus } from '../../services/startup/index.js';
 import { ensureAppDirs } from '../../utils/paths.js';
 import { printCommandScreen, printError, printInfo, printKeyValue, printMuted, printSection, printSuccess, printWarning } from '../ui/consoleUi.js';
@@ -51,6 +51,7 @@ export async function runDoctor() {
     const jobs = jobsRepo.list();
     const enabledJobs = jobs.filter((job) => job.enabled).length;
     const apiKey = await getOpenRouterApiKey();
+    const keytarAvailable = await isKeytarAvailable();
     const startup = getStartupStatus();
     const daemon = getDaemonHealth();
     printKeyValue('Platform', process.platform);
@@ -67,7 +68,12 @@ export async function runDoctor() {
     }
     else {
         printWarning('OpenRouter API key: missing');
-        printMuted('  → Run: snoopy settings  to configure your OpenRouter API key');
+        if (keytarAvailable) {
+            printMuted('  → Run: snoopy settings  to configure your OpenRouter API key');
+        }
+        else {
+            printMuted('  → Export SNOOPY_OPENROUTER_API_KEY to configure your OpenRouter API key');
+        }
     }
     printInfo(`Jobs: ${jobs.length} total, ${enabledJobs} enabled`);
     if (daemon.ok) {

package/dist/src/cli/commands/job.js

@@ -4,7 +4,7 @@ import { JobAddFlow } from '../flows/jobAddFlow.js';
 import { JobsRepository } from '../../services/db/repositories/jobsRepo.js';
 import { SettingsRepository } from '../../services/db/repositories/settingsRepo.js';
 import { RunsRepository } from '../../services/db/repositories/runsRepo.js';
-import { deleteOpenRouterApiKey, getOpenRouterApiKey, setOpenRouterApiKey } from '../../services/security/secretStore.js';
+import { deleteOpenRouterApiKey, getOpenRouterApiKey, isKeytarAvailable, setOpenRouterApiKey } from '../../services/security/secretStore.js';
 import { getStartupStatus, installStartup } from '../../services/startup/index.js';
 import { ensureDaemonRunning, requestDaemonReload } from '../../services/daemonControl.js';
 import { JobRunner } from '../../services/scheduler/jobRunner.js';
@@ -28,11 +28,11 @@ function formatRunDuration(startedAt, finishedAt) {
     }
     return `${Math.round((endMs - startMs) / 1000)}s`;
 }
-async function runAddFlow(hasApiKey, existingApiKey, startupAlreadyEnabled) {
+async function runAddFlow(hasApiKey, existingApiKey, keytarAvailable, startupAlreadyEnabled) {
     const settingsRepo = new SettingsRepository();
     const initialSettings = settingsRepo.getAppSettings();
     let result = null;
-    const app = render(_jsx(JobAddFlow, { hasApiKey: hasApiKey, existingApiKey: existingApiKey, startupAlreadyEnabled: startupAlreadyEnabled, initialSettings: initialSettings, onApiKeyCaptured: (apiKey) => {
+    const app = render(_jsx(JobAddFlow, { hasApiKey: hasApiKey, existingApiKey: existingApiKey, canPersistApiKey: keytarAvailable, startupAlreadyEnabled: startupAlreadyEnabled, initialSettings: initialSettings, onApiKeyCaptured: (apiKey) => {
             return setOpenRouterApiKey(apiKey);
         }, onAuthFailure: () => {
             return deleteOpenRouterApiKey();
@@ -99,16 +99,19 @@ export async function runInitialJobAndEnable(jobRef, options = {}) {
 export async function addJob() {
     const jobsRepo = new JobsRepository();
     const settingsRepo = new SettingsRepository();
+    const keytarAvailable = await isKeytarAvailable();
     const existingApiKey = await getOpenRouterApiKey();
     const hasApiKey = Boolean(existingApiKey);
     const startupStatus = getStartupStatus();
-    const flowResult = await runAddFlow(hasApiKey, existingApiKey, startupStatus.enabled);
+    const flowResult = await runAddFlow(hasApiKey, existingApiKey, keytarAvailable, startupStatus.enabled);
     if (!flowResult) {
         printWarning('Job creation cancelled.');
         return;
     }
     if (flowResult.apiKey) {
-        await setOpenRouterApiKey(flowResult.apiKey);
+        if (keytarAvailable) {
+            await setOpenRouterApiKey(flowResult.apiKey);
+        }
     }
     const currentSettings = settingsRepo.getAppSettings();
     settingsRepo.setAppSettings({

package/dist/src/cli/commands/settings.js

@@ -2,15 +2,16 @@ import { jsx as _jsx } from "react/jsx-runtime";
 import { render } from 'ink';
 import { SettingsFlow } from '../flows/settingsFlow.js';
 import { SettingsRepository } from '../../services/db/repositories/settingsRepo.js';
-import { getOpenRouterApiKey, setOpenRouterApiKey } from '../../services/security/secretStore.js';
-import { printSuccess, printWarning } from '../ui/consoleUi.js';
+import { getOpenRouterApiKey, isKeytarAvailable, setOpenRouterApiKey } from '../../services/security/secretStore.js';
+import { printInfo, printSuccess, printWarning } from '../ui/consoleUi.js';
 export async function openSettings() {
     const settingsRepo = new SettingsRepository();
     const current = settingsRepo.getAppSettings();
+    const keytarAvailable = await isKeytarAvailable();
     const currentRedditCredentials = await settingsRepo.getRedditCredentialState();
     const currentApiKey = await getOpenRouterApiKey();
     let result = null;
-    const app = render(_jsx(SettingsFlow, { current: current, currentRedditCredentials: currentRedditCredentials, currentApiKey: currentApiKey, onDone: (value) => {
+    const app = render(_jsx(SettingsFlow, { current: current, keytarAvailable: keytarAvailable, currentRedditCredentials: currentRedditCredentials, currentApiKey: currentApiKey, onDone: (value) => {
             result = value;
         } }));
     await app.waitUntilExit();
@@ -19,11 +20,22 @@ export async function openSettings() {
         printWarning('Settings unchanged.');
         return;
     }
+    if (!keytarAvailable && (finalResult.apiKey || finalResult.redditCredentials?.clientSecret)) {
+        printWarning('Keychain storage is unavailable. Secret values entered in settings were not saved.');
+        printInfo('Use environment variables instead:');
+        printInfo('  SNOOPY_OPENROUTER_API_KEY');
+        printInfo('  SNOOPY_REDDIT_CLIENT_SECRET');
+    }
     if (finalResult.apiKey) {
-        await setOpenRouterApiKey(finalResult.apiKey);
+        if (keytarAvailable) {
+            await setOpenRouterApiKey(finalResult.apiKey);
+        }
     }
     if (finalResult.redditCredentials) {
-        await settingsRepo.setRedditCredentials(finalResult.redditCredentials);
+        const redditCredentials = keytarAvailable
+            ? finalResult.redditCredentials
+            : { ...finalResult.redditCredentials, clientSecret: undefined };
+        await settingsRepo.setRedditCredentials(redditCredentials);
     }
     settingsRepo.setAppSettings(finalResult.settings);
     printSuccess('Settings saved.');

package/dist/src/cli/flows/jobAddFlow.d.ts

@@ -16,11 +16,12 @@ interface JobAddResult {
 interface JobAddFlowProps {
     hasApiKey: boolean;
     existingApiKey: string | null;
+    canPersistApiKey: boolean;
     startupAlreadyEnabled: boolean;
     initialSettings: AppSettings;
     onApiKeyCaptured?: (apiKey: string) => Promise<void> | void;
     onAuthFailure?: () => Promise<void> | void;
     onDone: (result: JobAddResult) => void;
 }
-export declare function JobAddFlow({ hasApiKey, existingApiKey, startupAlreadyEnabled, initialSettings, onApiKeyCaptured, onAuthFailure, onDone }: JobAddFlowProps): React.JSX.Element;
+export declare function JobAddFlow({ hasApiKey, existingApiKey, canPersistApiKey, startupAlreadyEnabled, initialSettings, onApiKeyCaptured, onAuthFailure, onDone }: JobAddFlowProps): React.JSX.Element;
 export {};

package/dist/src/cli/flows/jobAddFlow.js

@@ -12,7 +12,7 @@ import { uiTheme } from '../../ui/theme.js';
 function FlowFrame({ transcript, children, statusText, statusTone = 'info' }) {
     return (_jsxs(AppFrame, { subtitle: "Add job wizard", statusText: statusText, statusTone: statusTone, hints: ['Enter: confirm', 'Esc: cancel current step'], children: [transcript.length > 0 ? (_jsx(Panel, { title: "Session Transcript", children: transcript.map((entry, index) => (_jsxs(Text, { color: entry.muted ? uiTheme.ink.textMuted : uiTheme.ink.textPrimary, children: [_jsxs(Text, { color: uiTheme.ink.accent, children: [entry.label, ":"] }), " ", entry.value] }, `${entry.label}-${index}`))) })) : null, children] }));
 }
-export function JobAddFlow({ hasApiKey, existingApiKey, startupAlreadyEnabled, initialSettings, onApiKeyCaptured, onAuthFailure, onDone }) {
+export function JobAddFlow({ hasApiKey, existingApiKey, canPersistApiKey, startupAlreadyEnabled, initialSettings, onApiKeyCaptured, onAuthFailure, onDone }) {
     const defaultModel = initialSettings.model.trim() || DEFAULT_MODEL;
     const { exit } = useApp();
     const [stage, setStage] = useState('criteria');
@@ -63,7 +63,7 @@ export function JobAddFlow({ hasApiKey, existingApiKey, startupAlreadyEnabled, i
         void run();
     }, [answers, apiKey, criteria, defaultModel, existingApiKey, hasApiKey, model, onAuthFailure, stage]);
     useEffect(() => {
-        if (stage !== 'error') {
+        if (stage !== 'error' && stage !== 'apiKeyEnvHelp') {
             return;
         }
         const timeoutId = setTimeout(() => {
@@ -100,14 +100,30 @@ export function JobAddFlow({ hasApiKey, existingApiKey, startupAlreadyEnabled, i
         return (_jsx(FlowFrame, { transcript: transcript, statusText: "Define monitoring criteria", statusTone: "info", children: _jsx(Panel, { title: "Step 1: Criteria", children: _jsx(TextPrompt, { label: "Describe the conversations you want to monitor", onSubmit: (value) => {
                         setCriteria(value);
                         appendTranscript('Criteria', value);
-                        setStage(hasApiKey ? 'model' : 'apiKey');
+                        if (hasApiKey) {
+                            setStage('model');
+                            return;
+                        }
+                        setStage(canPersistApiKey ? 'apiKey' : 'apiKeyEnvHelp');
                     } }) }) }));
     }
+    if (stage === 'apiKeyEnvHelp') {
+        return (_jsx(FlowFrame, { transcript: transcript, statusText: "OpenRouter API key required", statusTone: "warning", children: _jsxs(Panel, { title: "Step 2: Authentication", children: [_jsx(Text, { color: uiTheme.ink.warning, children: "Keychain storage is unavailable on this system." }), _jsx(Text, { children: "Set your API key with environment variable:" }), _jsx(Text, { color: uiTheme.ink.accent, children: "SNOOPY_OPENROUTER_API_KEY=<your-key>" }), _jsx(Text, { color: uiTheme.ink.textMuted, children: "After setting it, run snoopy job add again." }), _jsx(Text, { color: uiTheme.ink.textMuted, children: "Exiting..." })] }) }));
+    }
     if (stage === 'apiKey') {
-        return (_jsx(FlowFrame, { transcript: transcript, statusText: "First-time setup required", statusTone: "warning", children: _jsxs(Panel, { title: "Step 2: Authentication", children: [_jsx(Text, { color: uiTheme.ink.warning, children: "First-time setup: OpenRouter API key required." }), _jsx(TextPrompt, { label: "Paste OpenRouter API key", secret: true, onSubmit: (value) => {
+        return (_jsx(FlowFrame, { transcript: transcript, statusText: "First-time setup required", statusTone: "warning", children: _jsxs(Panel, { title: "Step 2: Authentication", children: [_jsx(Text, { color: uiTheme.ink.warning, children: "First-time setup: OpenRouter API key required." }), _jsx(TextPrompt, { label: "Paste OpenRouter API key", secret: true, onSubmit: async (value) => {
                             setApiKey(value);
                             appendTranscript('OpenRouter API key', '********');
-                            void onApiKeyCaptured?.(value);
+                            try {
+                                await onApiKeyCaptured?.(value);
+                            }
+                            catch (error) {
+                                const message = error instanceof Error ? error.message : 'Could not save OpenRouter API key.';
+                                setErrorMessage(message);
+                                appendTranscript('OpenRouter', message, true);
+                                setStage('error');
+                                return;
+                            }
                             setStage('model');
                         } })] }) }));
     }

package/dist/src/cli/flows/settingsFlow.d.ts

@@ -7,9 +7,10 @@ interface SettingsResult {
 }
 interface SettingsFlowProps {
     current: AppSettings;
+    keytarAvailable: boolean;
     currentRedditCredentials: RedditCredentialState;
     currentApiKey: string | null;
     onDone: (result: SettingsResult) => void;
 }
-export declare function SettingsFlow({ current, currentRedditCredentials, currentApiKey, onDone }: SettingsFlowProps): React.JSX.Element;
+export declare function SettingsFlow({ current, keytarAvailable, currentRedditCredentials, currentApiKey, onDone }: SettingsFlowProps): React.JSX.Element;
 export {};

package/dist/src/cli/flows/settingsFlow.js

@@ -57,7 +57,7 @@ function keyToDraftField(key) {
             return 'redditClientId';
     }
 }
-export function SettingsFlow({ current, currentRedditCredentials, currentApiKey, onDone }) {
+export function SettingsFlow({ current, keytarAvailable, currentRedditCredentials, currentApiKey, onDone }) {
     const { exit } = useApp();
     const [mode, setMode] = useState('menu');
     const [cursor, setCursor] = useState(0);
@@ -69,10 +69,11 @@ export function SettingsFlow({ current, currentRedditCredentials, currentApiKey,
     const menuItems = useMemo(() => buildSettingsMenuItems({
         draft,
         draftSecrets,
+        keytarAvailable,
         currentApiKey,
         hasCurrentRedditClientSecret: currentRedditCredentials.hasClientSecret,
         clearedFields
-    }), [currentApiKey, currentRedditCredentials.hasClientSecret, draft, draftSecrets, clearedFields]);
+    }), [keytarAvailable, currentApiKey, currentRedditCredentials.hasClientSecret, draft, draftSecrets, clearedFields]);
     useInput((_, key) => {
         if (mode === 'edit' && editingKey === 'notificationsEnabled') {
             if (key.return) {
@@ -127,7 +128,10 @@ export function SettingsFlow({ current, currentRedditCredentials, currentApiKey,
         setMode('edit');
     });
     if (mode === 'menu') {
-        return (_jsx(SettingsFrame, { statusText: menuError ?? 'Ready', statusTone: menuError ? 'danger' : 'info', children: _jsxs(Panel, { title: "Settings Menu", children: [_jsx(Text, { color: uiTheme.ink.accent, children: "Choose a setting to edit. Press Enter to select." }), _jsx(Text, { color: uiTheme.ink.textMuted, children: "Use Up/Down arrows to navigate. Esc or Cancel exits without saving." }), _jsx(Box, { flexDirection: "column", marginTop: 1, children: menuItems.map((item, index) => {
+        const storageStatus = keytarAvailable
+            ? 'Keychain storage available for secret fields.'
+            : 'Keychain storage unavailable. Use SNOOPY_OPENROUTER_API_KEY and SNOOPY_REDDIT_CLIENT_SECRET.';
+        return (_jsx(SettingsFrame, { statusText: menuError ?? storageStatus, statusTone: menuError ? 'danger' : 'info', children: _jsxs(Panel, { title: "Settings Menu", children: [_jsx(Text, { color: uiTheme.ink.accent, children: "Choose a setting to edit. Press Enter to select." }), _jsx(Text, { color: uiTheme.ink.textMuted, children: "Use Up/Down arrows to navigate. Esc or Cancel exits without saving." }), _jsx(Box, { flexDirection: "column", marginTop: 1, children: menuItems.map((item, index) => {
                             const isCursor = index === cursor;
                             const value = item.summary ? `: ${item.summary}` : '';
                             return (_jsxs(Text, { color: isCursor ? uiTheme.ink.focus : uiTheme.ink.textPrimary, inverse: isCursor, children: [isCursor ? '>' : ' ', " ", item.label, value] }, item.key));
@@ -154,7 +158,8 @@ export function SettingsFlow({ current, currentRedditCredentials, currentApiKey,
         : draft[keyToDraftField(editingKey)];
     const fieldHasCurrentValue = Boolean(initialValue);
     const helpText = fieldHasCurrentValue ? 'Press Enter with empty value to clear' : 'Press Enter to continue';
-    return (_jsx(SettingsFrame, { statusText: "Editing setting", statusTone: "info", children: _jsxs(Panel, { title: "Edit Setting", children: [_jsx(TextPrompt, { label: labelForSettingKey(editingKey), initialValue: initialValue, secret: isSecret, onSubmit: (value) => {
+    const showSecretEnvHint = isSecret && !keytarAvailable;
+    return (_jsx(SettingsFrame, { statusText: "Editing setting", statusTone: "info", children: _jsxs(Panel, { title: "Edit Setting", children: [showSecretEnvHint ? (_jsx(Text, { color: uiTheme.ink.warning, children: "Keychain storage is unavailable. Save is disabled for this secret; configure env vars instead." })) : null, _jsx(TextPrompt, { label: labelForSettingKey(editingKey), initialValue: initialValue, secret: isSecret, onSubmit: (value) => {
                         if (value === '' && fieldHasCurrentValue && editingKey !== 'model') {
                             setMode('confirmClear');
                             return;

package/dist/src/cli/flows/settingsFlowModel.d.ts

@@ -18,6 +18,7 @@ export interface SettingsDraftSecrets {
 interface BuildMenuItemsInput {
     draft: SettingsDraft;
     draftSecrets: SettingsDraftSecrets;
+    keytarAvailable: boolean;
     currentApiKey: string | null;
     hasCurrentRedditClientSecret: boolean;
     clearedFields?: Set<EditableSettingKey>;
@@ -42,6 +43,6 @@ type SaveResult = {
 };
 export declare function maskSecret(value: string, visibleChars?: number): string;
 export declare function createSettingsDraft(current: AppSettings, currentRedditCredentials: RedditCredentialState): SettingsDraft;
-export declare function buildSettingsMenuItems({ draft, draftSecrets, currentApiKey, hasCurrentRedditClientSecret, clearedFields }: BuildMenuItemsInput): SettingsMenuItem[];
+export declare function buildSettingsMenuItems({ draft, draftSecrets, keytarAvailable, currentApiKey, hasCurrentRedditClientSecret, clearedFields }: BuildMenuItemsInput): SettingsMenuItem[];
 export declare function buildSettingsSaveResult(draft: SettingsDraft, draftSecrets: SettingsDraftSecrets, currentRedditCredentials: RedditCredentialState, clearedFields?: Set<EditableSettingKey>): SaveResult;
 export {};

package/dist/src/cli/flows/settingsFlowModel.js

@@ -36,11 +36,12 @@ export function createSettingsDraft(current, currentRedditCredentials) {
         redditClientId: currentRedditCredentials.clientId
     };
 }
-export function buildSettingsMenuItems({ draft, draftSecrets, currentApiKey, hasCurrentRedditClientSecret, clearedFields = new Set() }) {
+export function buildSettingsMenuItems({ draft, draftSecrets, keytarAvailable, currentApiKey, hasCurrentRedditClientSecret, clearedFields = new Set() }) {
+    const sourceLabel = keytarAvailable ? 'keychain' : 'env';
     const apiKeySummary = draftSecrets.apiKey
         ? `Will update (${maskSecret(draftSecrets.apiKey)})`
         : currentApiKey
-            ? `Configured (${maskSecret(currentApiKey)})`
+            ? `Configured via ${sourceLabel} (${maskSecret(currentApiKey)})`
             : 'Missing';
     const redditClientIdSummary = clearedFields.has('redditClientId')
         ? 'Cleared'
@@ -51,7 +52,7 @@ export function buildSettingsMenuItems({ draft, draftSecrets, currentApiKey, has
     const redditClientSecretSummary = draftSecrets.redditClientSecret
         ? 'Will update (hidden)'
         : hasCurrentRedditClientSecret
-            ? 'Configured (hidden)'
+            ? `Configured via ${sourceLabel} (hidden)`
             : 'Missing';
     return [
         { key: 'apiKey', label: 'OpenRouter API key', summary: apiKeySummary, editable: true },

package/dist/src/services/db/repositories/jobsRepo.js

@@ -48,6 +48,12 @@ export class JobsRepository {
                 // Ignore filesystem cleanup failures and continue DB cleanup.
             }
         }
+        this.db
+            .prepare(`DELETE FROM comment_thread_nodes
+         WHERE scan_item_id IN (
+           SELECT id FROM scan_items WHERE job_id = ?
+         )`)
+            .run(jobId);
         this.db.prepare('DELETE FROM scan_items WHERE job_id = ?').run(jobId);
         this.db.prepare('DELETE FROM job_runs WHERE job_id = ?').run(jobId);
         this.db.prepare('DELETE FROM jobs WHERE id = ?').run(jobId);

package/dist/src/services/db/repositories/settingsRepo.d.ts

@@ -7,7 +7,6 @@ export declare class SettingsRepository {
     getAppSettings(): AppSettings;
     setAppSettings(settings: AppSettings): void;
     private getOrCreateRedditAppName;
-    private migrateLegacyRedditClientSecret;
     getRedditCredentialState(): Promise<RedditCredentialState>;
     getRedditCredentials(): Promise<RedditCredentials | null>;
     setRedditCredentials(update: RedditCredentialsUpdate | RedditCredentials): Promise<void>;

package/dist/src/services/db/repositories/settingsRepo.js

@@ -84,19 +84,7 @@ export class SettingsRepository {
         this.set('reddit_app_name', generated);
         return generated;
     }
-    async migrateLegacyRedditClientSecret() {
-        const legacySecret = this.get('reddit_client_secret')?.trim() ?? '';
-        if (!legacySecret) {
-            return;
-        }
-        const existingSecret = await getRedditClientSecret();
-        if (!existingSecret) {
-            await setRedditClientSecret(legacySecret);
-        }
-        this.delete('reddit_client_secret');
-    }
     async getRedditCredentialState() {
-        await this.migrateLegacyRedditClientSecret();
         const appName = this.getOrCreateRedditAppName();
         const clientId = this.get('reddit_client_id')?.trim() ?? '';
         const clientSecret = await getRedditClientSecret();
@@ -107,7 +95,6 @@ export class SettingsRepository {
         };
     }
     async getRedditCredentials() {
-        await this.migrateLegacyRedditClientSecret();
         const appName = this.getOrCreateRedditAppName();
         const clientId = this.get('reddit_client_id')?.trim() ?? '';
         const clientSecret = (await getRedditClientSecret())?.trim() ?? '';

package/dist/src/services/security/secretStore.d.ts

@@ -1,3 +1,7 @@
+export declare class KeytarUnavailableError extends Error {
+    constructor(message?: string);
+}
+export declare function isKeytarAvailable(): Promise<boolean>;
 export declare function setOpenRouterApiKey(apiKey: string): Promise<void>;
 export declare function deleteOpenRouterApiKey(): Promise<void>;
 export declare function getOpenRouterApiKey(): Promise<string | null>;

package/dist/src/services/security/secretStore.js

@@ -1,12 +1,15 @@
-import crypto from 'node:crypto';
-import fs from 'node:fs';
-import path from 'node:path';
-import { ensureAppDirs } from '../../utils/paths.js';
 const SERVICE_NAME = 'snoopy';
 const OPENROUTER_ACCOUNT_NAME = 'openrouter_api_key';
 const REDDIT_CLIENT_SECRET_ACCOUNT_NAME = 'reddit_client_secret';
-const FILE_NAME = 'secrets.enc';
+const OPENROUTER_ENV_NAME = 'SNOOPY_OPENROUTER_API_KEY';
+const REDDIT_CLIENT_SECRET_ENV_NAME = 'SNOOPY_REDDIT_CLIENT_SECRET';
 let keytarClientPromise;
+export class KeytarUnavailableError extends Error {
+    constructor(message = 'Keychain storage is unavailable on this system.') {
+        super(message);
+        this.name = 'KeytarUnavailableError';
+    }
+}
 async function getKeytarClient() {
     if (keytarClientPromise) {
         return keytarClientPromise;
@@ -30,110 +33,27 @@ async function getKeytarClient() {
     })();
     return keytarClientPromise;
 }
-function getFallbackPath() {
-    const paths = ensureAppDirs();
-    return path.join(paths.rootDir, FILE_NAME);
-}
-function getMachineKey() {
-    return crypto
-        .createHash('sha256')
-        .update(`${process.platform}:${process.arch}:${process.env.USER ?? process.env.USERNAME ?? 'user'}`)
-        .digest();
-}
-function encrypt(value) {
-    const iv = crypto.randomBytes(16);
-    const key = getMachineKey();
-    const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
-    const encrypted = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
-    return `${iv.toString('hex')}:${encrypted.toString('hex')}`;
-}
-function decrypt(value) {
-    const [ivHex, contentHex] = value.split(':');
-    if (!ivHex || !contentHex) {
-        throw new Error('Invalid encrypted payload');
-    }
-    const iv = Buffer.from(ivHex, 'hex');
-    const content = Buffer.from(contentHex, 'hex');
-    const decipher = crypto.createDecipheriv('aes-256-cbc', getMachineKey(), iv);
-    const decrypted = Buffer.concat([decipher.update(content), decipher.final()]);
-    return decrypted.toString('utf8');
+function readEnvSecret(name) {
+    const value = process.env[name]?.trim();
+    return value ? value : null;
 }
-function readFallbackSecrets() {
-    const filePath = getFallbackPath();
-    if (!fs.existsSync(filePath)) {
-        return {};
-    }
-    try {
-        const decrypted = decrypt(fs.readFileSync(filePath, 'utf8'));
-        const parsed = JSON.parse(decrypted);
-        if (parsed && typeof parsed === 'object') {
-            return parsed;
-        }
-    }
-    catch {
-        // Legacy fallback stored only OpenRouter API key as a plaintext payload before encryption.
-    }
-    try {
-        const legacyValue = decrypt(fs.readFileSync(filePath, 'utf8'));
-        return legacyValue ? { openrouter_api_key: legacyValue } : {};
-    }
-    catch {
-        return {};
-    }
-}
-function writeFallbackSecrets(secrets) {
-    const sanitized = {
-        openrouter_api_key: secrets.openrouter_api_key?.trim() ? secrets.openrouter_api_key : undefined,
-        reddit_client_secret: secrets.reddit_client_secret?.trim() ? secrets.reddit_client_secret : undefined
-    };
-    if (!sanitized.openrouter_api_key && !sanitized.reddit_client_secret) {
-        const filePath = getFallbackPath();
-        if (fs.existsSync(filePath)) {
-            fs.unlinkSync(filePath);
-        }
-        return;
-    }
-    const payload = encrypt(JSON.stringify(sanitized));
-    fs.writeFileSync(getFallbackPath(), payload, { mode: 0o600 });
-}
-function setFallbackSecret(key, value) {
-    const current = readFallbackSecrets();
-    current[key] = value;
-    writeFallbackSecrets(current);
-}
-function getFallbackSecret(key) {
-    const current = readFallbackSecrets();
-    return current[key] ?? null;
-}
-function deleteFallbackSecret(key) {
-    const current = readFallbackSecrets();
-    delete current[key];
-    writeFallbackSecrets(current);
+export async function isKeytarAvailable() {
+    const keytarClient = await getKeytarClient();
+    return Boolean(keytarClient);
 }
 export async function setOpenRouterApiKey(apiKey) {
     const keytarClient = await getKeytarClient();
-    if (keytarClient) {
-        try {
-            await keytarClient.setPassword(SERVICE_NAME, OPENROUTER_ACCOUNT_NAME, apiKey);
-            return;
-        }
-        catch {
-            // Fall through to encrypted file fallback.
-        }
+    if (!keytarClient) {
+        throw new KeytarUnavailableError(`Unable to save OpenRouter API key because keychain storage is unavailable. Set ${OPENROUTER_ENV_NAME} instead.`);
     }
-    setFallbackSecret('openrouter_api_key', apiKey);
+    await keytarClient.setPassword(SERVICE_NAME, OPENROUTER_ACCOUNT_NAME, apiKey);
 }
 export async function deleteOpenRouterApiKey() {
     const keytarClient = await getKeytarClient();
-    if (keytarClient) {
-        try {
-            await keytarClient.deletePassword(SERVICE_NAME, OPENROUTER_ACCOUNT_NAME);
-        }
-        catch {
-            // Ignore keychain deletion failures and continue with file cleanup.
-        }
+    if (!keytarClient) {
+        return;
     }
-    deleteFallbackSecret('openrouter_api_key');
+    await keytarClient.deletePassword(SERVICE_NAME, OPENROUTER_ACCOUNT_NAME);
 }
 export async function getOpenRouterApiKey() {
     const keytarClient = await getKeytarClient();
@@ -145,23 +65,17 @@ export async function getOpenRouterApiKey() {
             }
         }
         catch {
-            // Fallback to encrypted file when keytar is unavailable.
+            // Fall through to env fallback if keytar read fails.
         }
     }
-    return getFallbackSecret('openrouter_api_key');
+    return readEnvSecret(OPENROUTER_ENV_NAME);
 }
 export async function setRedditClientSecret(secret) {
     const keytarClient = await getKeytarClient();
-    if (keytarClient) {
-        try {
-            await keytarClient.setPassword(SERVICE_NAME, REDDIT_CLIENT_SECRET_ACCOUNT_NAME, secret);
-            return;
-        }
-        catch {
-            // Fall through to encrypted file fallback.
-        }
+    if (!keytarClient) {
+        throw new KeytarUnavailableError(`Unable to save Reddit client secret because keychain storage is unavailable. Set ${REDDIT_CLIENT_SECRET_ENV_NAME} instead.`);
     }
-    setFallbackSecret('reddit_client_secret', secret);
+    await keytarClient.setPassword(SERVICE_NAME, REDDIT_CLIENT_SECRET_ACCOUNT_NAME, secret);
 }
 export async function getRedditClientSecret() {
     const keytarClient = await getKeytarClient();
@@ -173,21 +87,16 @@ export async function getRedditClientSecret() {
             }
         }
         catch {
-            // Fallback to encrypted file when keytar is unavailable.
+            // Fall through to env fallback if keytar read fails.
         }
     }
-    return getFallbackSecret('reddit_client_secret');
+    return readEnvSecret(REDDIT_CLIENT_SECRET_ENV_NAME);
 }
 export async function deleteRedditClientSecret() {
     const keytarClient = await getKeytarClient();
-    if (keytarClient) {
-        try {
-            await keytarClient.deletePassword(SERVICE_NAME, REDDIT_CLIENT_SECRET_ACCOUNT_NAME);
-        }
-        catch {
-            // Ignore keychain deletion failures and continue with file cleanup.
-        }
+    if (!keytarClient) {
+        return;
     }
-    deleteFallbackSecret('reddit_client_secret');
+    await keytarClient.deletePassword(SERVICE_NAME, REDDIT_CLIENT_SECRET_ACCOUNT_NAME);
 }
 //# sourceMappingURL=secretStore.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@telepat/snoopy",
-  "version": "0.1.8",
+  "version": "0.1.10",
   "description": "Snoopy CLI for Reddit conversation monitoring jobs.",
   "type": "module",
   "main": "dist/src/index.js",