claude-dev-cli 0.3.0__py3-none-any.whl → 0.4.0__py3-none-any.whl

claude_dev_cli/cli.py

@@ -182,6 +182,49 @@ def config_add(
             make_default=default
         )
         console.print(f"[green]✓[/green] Added API config: {name}")
+        
+        # Show storage method
+        storage_method = config.secure_storage.get_storage_method()
+        if storage_method == "keyring":
+            console.print("[dim]🔐 Stored securely in system keyring[/dim]")
+        else:
+            console.print("[dim]🔒 Stored in encrypted file (keyring unavailable)[/dim]")
+    except Exception as e:
+        console.print(f"[red]Error: {e}[/red]")
+        sys.exit(1)
+
+
+@config.command('migrate-keys')
+@click.pass_context
+def config_migrate_keys(ctx: click.Context) -> None:
+    """Manually migrate API keys to secure storage."""
+    console = ctx.obj['console']
+    
+    try:
+        config = Config()
+        
+        # Check if any keys need migration
+        api_configs = config._data.get("api_configs", [])
+        plaintext_keys = {c["name"]: c.get("api_key", "") 
+                         for c in api_configs 
+                         if c.get("api_key")}
+        
+        if not plaintext_keys:
+            console.print("[green]✓[/green] All keys are already in secure storage.")
+            storage_method = config.secure_storage.get_storage_method()
+            console.print(f"[dim]Using: {storage_method}[/dim]")
+            return
+        
+        console.print(f"[yellow]Found {len(plaintext_keys)} plaintext key(s)[/yellow]")
+        console.print("Migrating to secure storage...\n")
+        
+        # Trigger migration
+        config._auto_migrate_keys()
+        
+        console.print(f"[green]✓[/green] Migrated {len(plaintext_keys)} key(s) to secure storage.")
+        storage_method = config.secure_storage.get_storage_method()
+        console.print(f"[dim]Using: {storage_method}[/dim]")
+        
     except Exception as e:
         console.print(f"[red]Error: {e}[/red]")
         sys.exit(1)
@@ -201,6 +244,14 @@ def config_list(ctx: click.Context) -> None:
         console.print("Run 'cdc config add' to add one.")
         return
     
+    # Show storage method
+    storage_method = config.secure_storage.get_storage_method()
+    storage_display = {
+        "keyring": "🔐 System Keyring (Secure)",
+        "encrypted_file": "🔒 Encrypted File (Fallback)"
+    }.get(storage_method, storage_method)
+    console.print(f"\n[dim]Storage: {storage_display}[/dim]\n")
+    
     for cfg in api_configs:
         default_marker = " [bold green](default)[/bold green]" if cfg.default else ""
         console.print(f"• {cfg.name}{default_marker}")

claude_dev_cli/config.py

@@ -6,6 +6,8 @@ from pathlib import Path
 from typing import Dict, Optional, List
 from pydantic import BaseModel, Field
 
+from claude_dev_cli.secure_storage import SecureStorage
+
 
 class APIConfig(BaseModel):
     """Configuration for a Claude API key."""
@@ -28,17 +30,23 @@ class ProjectProfile(BaseModel):
 class Config:
     """Manages configuration for Claude Dev CLI."""
     
-    CONFIG_DIR = Path.home() / ".claude-dev-cli"
-    CONFIG_FILE = CONFIG_DIR / "config.json"
-    USAGE_LOG = CONFIG_DIR / "usage.jsonl"
-    
     def __init__(self) -> None:
         """Initialize configuration."""
-        self.config_dir = self.CONFIG_DIR
-        self.config_file = self.CONFIG_FILE
-        self.usage_log = self.USAGE_LOG
+        # Determine home directory (respects HOME env var for testing)
+        home = Path(os.environ.get("HOME", str(Path.home())))
+        
+        self.config_dir = home / ".claude-dev-cli"
+        self.config_file = self.config_dir / "config.json"
+        self.usage_log = self.config_dir / "usage.jsonl"
+        
         self._ensure_config_dir()
         self._data: Dict = self._load_config()
+        
+        # Initialize secure storage
+        self.secure_storage = SecureStorage(self.config_dir)
+        
+        # Auto-migrate if plaintext keys exist
+        self._auto_migrate_keys()
     
     def _ensure_config_dir(self) -> None:
         """Ensure configuration directory exists."""
@@ -68,6 +76,22 @@ class Config:
         with open(self.config_file, 'w') as f:
             json.dump(data, f, indent=2)
     
+    def _auto_migrate_keys(self) -> None:
+        """Automatically migrate plaintext API keys to secure storage."""
+        api_configs = self._data.get("api_configs", [])
+        migrated = False
+        
+        for config in api_configs:
+            if "api_key" in config and config["api_key"]:
+                # Migrate this key to secure storage
+                self.secure_storage.store_key(config["name"], config["api_key"])
+                # Remove from plaintext config
+                config["api_key"] = ""  # Empty string indicates key is in secure storage
+                migrated = True
+        
+        if migrated:
+            self._save_config()
+    
     def add_api_config(
         self,
         name: str,
@@ -91,14 +115,18 @@ class Config:
             if config["name"] == name:
                 raise ValueError(f"API config with name '{name}' already exists")
         
+        # Store API key in secure storage
+        self.secure_storage.store_key(name, api_key)
+        
         # If this is the first config or make_default is True, set as default
         if make_default or not api_configs:
             for config in api_configs:
                 config["default"] = False
         
+        # Store metadata without the actual key (empty string indicates secure storage)
         api_config = APIConfig(
             name=name,
-            api_key=api_key,
+            api_key="",  # Empty string indicates key is in secure storage
             description=description,
             default=make_default or not api_configs
         )
@@ -111,21 +139,53 @@ class Config:
         """Get API configuration by name or default."""
         api_configs = self._data.get("api_configs", [])
         
+        config_data = None
         if name:
             for config in api_configs:
                 if config["name"] == name:
-                    return APIConfig(**config)
+                    config_data = config
+                    break
         else:
             # Return default
             for config in api_configs:
                 if config.get("default", False):
-                    return APIConfig(**config)
+                    config_data = config
+                    break
         
-        return None
+        if not config_data:
+            return None
+        
+        # Retrieve actual API key from secure storage
+        api_key = self.secure_storage.get_key(config_data["name"])
+        if not api_key:
+            # Fallback to plaintext if not in secure storage (shouldn't happen after migration)
+            api_key = config_data.get("api_key", "")
+        
+        # Return config with actual key
+        return APIConfig(
+            name=config_data["name"],
+            api_key=api_key,
+            description=config_data.get("description"),
+            default=config_data.get("default", False)
+        )
     
     def list_api_configs(self) -> List[APIConfig]:
         """List all API configurations."""
-        return [APIConfig(**c) for c in self._data.get("api_configs", [])]
+        configs = []
+        for c in self._data.get("api_configs", []):
+            # Retrieve actual API key from secure storage
+            api_key = self.secure_storage.get_key(c["name"])
+            if not api_key:
+                # Fallback to plaintext
+                api_key = c.get("api_key", "")
+            
+            configs.append(APIConfig(
+                name=c["name"],
+                api_key=api_key,
+                description=c.get("description"),
+                default=c.get("default", False)
+            ))
+        return configs
     
     def add_project_profile(
         self,

claude_dev_cli/core.py

@@ -13,13 +13,21 @@ class ClaudeClient:
     """Claude API client with multi-key routing and usage tracking."""
     
     def __init__(self, config: Optional[Config] = None, api_config_name: Optional[str] = None):
-        """Initialize Claude client."""
+        """Initialize Claude client.
+        
+        API routing hierarchy (highest to lowest priority):
+        1. Explicit api_config_name parameter
+        2. Project-specific .claude-dev-cli file
+        3. Default API config
+        """
         self.config = config or Config()
         
-        # Determine which API config to use
-        project_profile = self.config.get_project_profile()
-        if project_profile:
-            api_config_name = project_profile.api_config
+        # Determine which API config to use based on hierarchy
+        if not api_config_name:
+            # Check for project profile if no explicit config provided
+            project_profile = self.config.get_project_profile()
+            if project_profile:
+                api_config_name = project_profile.api_config
         
         self.api_config = self.config.get_api_config(api_config_name)
         if not self.api_config:

claude_dev_cli/plugins/diff_editor/viewer.py

@@ -1,6 +1,8 @@
 """Interactive diff viewer with multiple keybinding modes."""
 
 import difflib
+import subprocess
+import tempfile
 from pathlib import Path
 from typing import List, Optional, Tuple
 import os
@@ -11,6 +13,13 @@ from rich.syntax import Syntax
 from rich.table import Table
 from rich.text import Text
 
+try:
+    from pygments import lexers
+    from pygments.util import ClassNotFound
+    PYGMENTS_AVAILABLE = True
+except ImportError:
+    PYGMENTS_AVAILABLE = False
+
 
 class Hunk:
     """Represents a single diff hunk."""
@@ -69,6 +78,12 @@ class DiffViewer:
         self.hunks = self._generate_hunks()
         self.current_hunk_idx = 0
         self.filename = proposed_path.name
+        
+        # Detect lexer for syntax highlighting
+        self.lexer_name = self._detect_lexer()
+        
+        # History stack for undo support
+        self.history: List[Tuple[int, Optional[bool]]] = []
     
     def _detect_keybinding_mode(self) -> str:
         """Auto-detect keybinding preference from environment."""
@@ -80,6 +95,17 @@ class DiffViewer:
             return "nvim"
         return "fresh"
     
+    def _detect_lexer(self) -> Optional[str]:
+        """Detect appropriate lexer for syntax highlighting based on filename."""
+        if not PYGMENTS_AVAILABLE:
+            return None
+        
+        try:
+            lexer = lexers.get_lexer_for_filename(str(self.proposed_path))
+            return lexer.name
+        except ClassNotFound:
+            return None
+    
     def _generate_hunks(self) -> List[Hunk]:
         """Generate hunks from diff."""
         hunks = []
@@ -199,14 +225,28 @@ class DiffViewer:
         # Show original (if any deletions)
         if hunk.original_lines:
             self.console.print("\n[bold red]━━━ Original (-):[/bold red]")
-            for line in hunk.original_lines:
-                self.console.print(f"[red]- {line}[/red]", end="")
+            code = "".join(hunk.original_lines)
+            if self.lexer_name and code.strip():
+                syntax = Syntax(code, self.lexer_name, theme="monokai", line_numbers=False)
+                # Wrap in red for deletions
+                for line in code.splitlines():
+                    self.console.print(f"[red]- {line}[/red]")
+            else:
+                for line in hunk.original_lines:
+                    self.console.print(f"[red]- {line}[/red]", end="")
         
         # Show proposed (if any additions)
         if hunk.proposed_lines:
             self.console.print("\n[bold green]━━━ Proposed (+):[/bold green]")
-            for line in hunk.proposed_lines:
-                self.console.print(f"[green]+ {line}[/green]", end="")
+            code = "".join(hunk.proposed_lines)
+            if self.lexer_name and code.strip():
+                syntax = Syntax(code, self.lexer_name, theme="monokai", line_numbers=False)
+                # Wrap in green for additions
+                for line in code.splitlines():
+                    self.console.print(f"[green]+ {line}[/green]")
+            else:
+                for line in hunk.proposed_lines:
+                    self.console.print(f"[green]+ {line}[/green]", end="")
         
         # Context
         context = hunk.get_context()
@@ -233,6 +273,77 @@ class DiffViewer:
         
         self.console.print(prompt)
     
+    def _edit_hunk(self, hunk: Hunk) -> Optional[List[str]]:
+        """Open hunk in editor for inline editing.
+        
+        Returns:
+            Edited lines or None if cancelled
+        """
+        # Get editor from environment
+        editor = os.environ.get("EDITOR", os.environ.get("VISUAL", "nano"))
+        
+        # Create temp file with proposed lines
+        with tempfile.NamedTemporaryFile(mode="w", suffix=".tmp", delete=False) as f:
+            f.write("".join(hunk.proposed_lines))
+            temp_path = f.name
+        
+        try:
+            # Open in editor
+            result = subprocess.run([editor, temp_path])
+            
+            if result.returncode == 0:
+                # Read edited content
+                with open(temp_path) as f:
+                    content = f.read()
+                return content.splitlines(keepends=True)
+            else:
+                self.console.print("[yellow]Edit cancelled[/yellow]")
+                return None
+        finally:
+            # Clean up temp file
+            Path(temp_path).unlink(missing_ok=True)
+    
+    def _split_hunk(self, hunk: Hunk, hunk_idx: int) -> None:
+        """Split a hunk into smaller hunks.
+        
+        For now, splits by line - each line becomes its own hunk.
+        More advanced splitting could be added later.
+        """
+        if len(hunk.proposed_lines) <= 1 and len(hunk.original_lines) <= 1:
+            self.console.print("[yellow]Hunk is too small to split[/yellow]")
+            return
+        
+        new_hunks = []
+        
+        # Split proposed lines into individual hunks
+        if hunk.proposed_lines:
+            for i, line in enumerate(hunk.proposed_lines):
+                new_hunks.append(Hunk(
+                    original_lines=[],
+                    proposed_lines=[line],
+                    original_start=hunk.original_start,
+                    proposed_start=hunk.proposed_start + i
+                ))
+        
+        # Split original lines into deletions
+        if hunk.original_lines and not hunk.proposed_lines:
+            for i, line in enumerate(hunk.original_lines):
+                new_hunks.append(Hunk(
+                    original_lines=[line],
+                    proposed_lines=[],
+                    original_start=hunk.original_start + i,
+                    proposed_start=hunk.proposed_start
+                ))
+        
+        if new_hunks:
+            # Replace current hunk with split hunks
+            self.hunks = (
+                self.hunks[:hunk_idx] +
+                new_hunks +
+                self.hunks[hunk_idx + 1:]
+            )
+            self.console.print(f"[green]✓ Split into {len(new_hunks)} hunks[/green]")
+    
     def run(self) -> Optional[str]:
         """Run the interactive diff viewer.
         
@@ -258,16 +369,30 @@ class DiffViewer:
             
             # Process choice
             if choice in kb["accept"]:
+                # Save history before changing
+                self.history.append((self.current_hunk_idx, hunk.accepted))
                 hunk.accepted = True
                 self.current_hunk_idx += 1
             elif choice in kb["reject"]:
+                # Save history before changing
+                self.history.append((self.current_hunk_idx, hunk.accepted))
                 hunk.accepted = False
                 self.current_hunk_idx += 1
             elif choice in kb["edit"]:
-                self.console.print("[yellow]Edit mode not yet implemented[/yellow]")
-                self.console.input("Press Enter to continue...")
+                # Enter edit mode for this hunk
+                edited_lines = self._edit_hunk(hunk)
+                if edited_lines is not None:
+                    # Save history
+                    self.history.append((self.current_hunk_idx, hunk.accepted))
+                    # Update hunk with edited content
+                    hunk.proposed_lines = edited_lines
+                    hunk.accepted = True
+                    self.console.print("[green]✓ Hunk updated with edits[/green]")
+                    self.console.input("Press Enter to continue...")
+                    self.current_hunk_idx += 1
             elif choice in kb["split"]:
-                self.console.print("[yellow]Split mode not yet implemented[/yellow]")
+                # Split current hunk
+                self._split_hunk(hunk, self.current_hunk_idx)
                 self.console.input("Press Enter to continue...")
             elif choice in kb["next"]:
                 if self.current_hunk_idx < len(self.hunks) - 1:
@@ -283,6 +408,17 @@ class DiffViewer:
                 for h in self.hunks[self.current_hunk_idx:]:
                     h.accepted = False
                 break
+            elif choice in kb["undo"]:
+                if self.history:
+                    # Restore previous state
+                    hunk_idx, prev_state = self.history.pop()
+                    self.hunks[hunk_idx].accepted = prev_state
+                    self.current_hunk_idx = hunk_idx
+                    self.console.print("[yellow]↶ Undone last action[/yellow]")
+                    self.console.input("Press Enter to continue...")
+                else:
+                    self.console.print("[yellow]No actions to undo[/yellow]")
+                    self.console.input("Press Enter to continue...")
             elif choice in kb["quit"]:
                 self.console.print("[yellow]Quitting without applying changes[/yellow]")
                 return None

claude_dev_cli/secure_storage.py

@@ -0,0 +1,219 @@
+"""Secure storage for API keys using system keyring.
+
+Supports:
+- macOS: Keychain
+- Linux: Secret Service API (GNOME Keyring, KWallet)
+- Windows: Windows Credential Locker
+
+Falls back to encrypted file storage if keyring is unavailable.
+"""
+
+import json
+import os
+from pathlib import Path
+from typing import Optional
+
+try:
+    import keyring
+    from keyring.errors import KeyringError
+    KEYRING_AVAILABLE = True
+except ImportError:
+    KEYRING_AVAILABLE = False
+
+from cryptography.fernet import Fernet
+
+
+class SecureStorage:
+    """Secure storage for API keys with cross-platform support."""
+    
+    SERVICE_NAME = "claude-dev-cli"
+    
+    def __init__(self, config_dir: Path, force_encrypted_file: bool = False):
+        """Initialize secure storage.
+        
+        Args:
+            config_dir: Directory to store encrypted fallback files
+            force_encrypted_file: Force use of encrypted file storage (for testing)
+        """
+        self.config_dir = config_dir
+        self.encrypted_file = config_dir / "keys.enc"
+        self.key_file = config_dir / ".keyfile"
+        
+        # Check if we should use keyring (disabled in test environments)
+        # Detect test environment by checking for pytest or TESTING env var
+        in_test = (
+            force_encrypted_file or
+            'pytest' in os.environ.get('_', '') or
+            os.environ.get('PYTEST_CURRENT_TEST') is not None or
+            os.environ.get('TESTING') == '1'
+        )
+        
+        if in_test:
+            # Always use encrypted file in tests to avoid Keychain prompts
+            self.use_keyring = False
+        else:
+            # Check if keyring backend is available in production
+            self.use_keyring = KEYRING_AVAILABLE and self._test_keyring()
+        
+        if not self.use_keyring:
+            # Initialize fallback encryption
+            self._ensure_encryption_key()
+    
+    def _test_keyring(self) -> bool:
+        """Test if keyring backend is working.
+        
+        Returns:
+            True if keyring is functional, False otherwise
+        """
+        try:
+            # Try to get/set a test value
+            test_key = f"{self.SERVICE_NAME}_test"
+            keyring.set_password(self.SERVICE_NAME, test_key, "test")
+            result = keyring.get_password(self.SERVICE_NAME, test_key)
+            keyring.delete_password(self.SERVICE_NAME, test_key)
+            return result == "test"
+        except (KeyringError, Exception):
+            return False
+    
+    def _ensure_encryption_key(self) -> None:
+        """Ensure encryption key exists for fallback storage."""
+        if not self.key_file.exists():
+            # Generate a new encryption key
+            key = Fernet.generate_key()
+            self.key_file.write_bytes(key)
+            # Secure the key file (Unix-like systems)
+            if hasattr(os, 'chmod'):
+                os.chmod(self.key_file, 0o600)
+    
+    def _get_cipher(self) -> Fernet:
+        """Get Fernet cipher for fallback encryption."""
+        key = self.key_file.read_bytes()
+        return Fernet(key)
+    
+    def _load_encrypted_keys(self) -> dict:
+        """Load keys from encrypted fallback file."""
+        if not self.encrypted_file.exists():
+            return {}
+        
+        try:
+            cipher = self._get_cipher()
+            encrypted_data = self.encrypted_file.read_bytes()
+            decrypted_data = cipher.decrypt(encrypted_data)
+            return json.loads(decrypted_data.decode())
+        except Exception:
+            # If decryption fails, return empty dict
+            return {}
+    
+    def _save_encrypted_keys(self, keys: dict) -> None:
+        """Save keys to encrypted fallback file."""
+        cipher = self._get_cipher()
+        data = json.dumps(keys).encode()
+        encrypted_data = cipher.encrypt(data)
+        self.encrypted_file.write_bytes(encrypted_data)
+        
+        # Secure the encrypted file
+        if hasattr(os, 'chmod'):
+            os.chmod(self.encrypted_file, 0o600)
+    
+    def store_key(self, name: str, api_key: str) -> None:
+        """Store an API key securely.
+        
+        Args:
+            name: Name/identifier for the API key
+            api_key: The API key to store
+        """
+        if self.use_keyring:
+            try:
+                keyring.set_password(self.SERVICE_NAME, name, api_key)
+                return
+            except KeyringError:
+                # Fall back to encrypted file if keyring fails
+                pass
+        
+        # Use encrypted file storage
+        keys = self._load_encrypted_keys()
+        keys[name] = api_key
+        self._save_encrypted_keys(keys)
+    
+    def get_key(self, name: str) -> Optional[str]:
+        """Retrieve an API key.
+        
+        Args:
+            name: Name/identifier for the API key
+            
+        Returns:
+            The API key or None if not found
+        """
+        if self.use_keyring:
+            try:
+                return keyring.get_password(self.SERVICE_NAME, name)
+            except KeyringError:
+                # Fall back to encrypted file
+                pass
+        
+        # Use encrypted file storage
+        keys = self._load_encrypted_keys()
+        return keys.get(name)
+    
+    def delete_key(self, name: str) -> bool:
+        """Delete an API key.
+        
+        Args:
+            name: Name/identifier for the API key
+            
+        Returns:
+            True if deleted, False if not found
+        """
+        if self.use_keyring:
+            try:
+                keyring.delete_password(self.SERVICE_NAME, name)
+                return True
+            except KeyringError:
+                # Fall back to encrypted file
+                pass
+        
+        # Use encrypted file storage
+        keys = self._load_encrypted_keys()
+        if name in keys:
+            del keys[name]
+            self._save_encrypted_keys(keys)
+            return True
+        return False
+    
+    def list_keys(self) -> list[str]:
+        """List all stored key names.
+        
+        Returns:
+            List of key names
+        """
+        if self.use_keyring:
+            # Keyring doesn't provide a list operation
+            # We need to maintain a separate index
+            # For now, fall through to encrypted file
+            pass
+        
+        keys = self._load_encrypted_keys()
+        return list(keys.keys())
+    
+    def get_storage_method(self) -> str:
+        """Get the current storage method being used.
+        
+        Returns:
+            'keyring' or 'encrypted_file'
+        """
+        return "keyring" if self.use_keyring else "encrypted_file"
+    
+    def migrate_from_plaintext(self, plaintext_keys: dict[str, str]) -> int:
+        """Migrate keys from plaintext config to secure storage.
+        
+        Args:
+            plaintext_keys: Dictionary of name -> api_key
+            
+        Returns:
+            Number of keys migrated
+        """
+        count = 0
+        for name, api_key in plaintext_keys.items():
+            self.store_key(name, api_key)
+            count += 1
+        return count

{claude_dev_cli-0.3.0.dist-info → claude_dev_cli-0.4.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: claude-dev-cli
-Version: 0.3.0
+Version: 0.4.0
 Summary: A powerful CLI tool for developers using Claude AI with multi-API routing, test generation, code review, and usage tracking
 Author-email: Julio <thinmanj@users.noreply.github.com>
 License: MIT
@@ -26,14 +26,19 @@ Requires-Dist: anthropic>=0.18.0
 Requires-Dist: click>=8.1.0
 Requires-Dist: rich>=13.0.0
 Requires-Dist: pydantic>=2.0.0
+Requires-Dist: keyring>=24.0.0
+Requires-Dist: cryptography>=41.0.0
 Provides-Extra: toon
 Requires-Dist: toon-format>=0.9.0; extra == "toon"
+Provides-Extra: plugins
+Requires-Dist: pygments>=2.0.0; extra == "plugins"
 Provides-Extra: dev
 Requires-Dist: pytest>=7.0.0; extra == "dev"
 Requires-Dist: black>=23.0.0; extra == "dev"
 Requires-Dist: ruff>=0.1.0; extra == "dev"
 Requires-Dist: mypy>=1.0.0; extra == "dev"
 Requires-Dist: toon-format>=0.9.0; extra == "dev"
+Requires-Dist: pygments>=2.0.0; extra == "dev"
 Dynamic: license-file
 
 # Claude Dev CLI
@@ -43,9 +48,10 @@ A powerful command-line tool for developers using Claude AI with multi-API routi
 ## Features
 
 ### 🔑 Multi-API Key Management
+- **Secure Storage**: API keys stored in system keyring (macOS Keychain, Linux Secret Service, Windows Credential Locker)
 - Route tasks to different Claude API keys (personal, client, enterprise)
 - Automatic API selection based on project configuration
-- Environment variable support for secure key management
+- Automatic migration from plaintext to secure storage
 
 ### 🧪 Developer Tools
 - **Test Generation**: Automatic pytest test generation for Python code
@@ -95,13 +101,17 @@ pip install claude-dev-cli[toon]
 # Add your personal API key
 export PERSONAL_ANTHROPIC_API_KEY="sk-ant-..."
 cdc config add personal --default --description "My personal API key"
+# 🔐 Stored securely in system keyring
 
 # Add client's API key
 export CLIENT_ANTHROPIC_API_KEY="sk-ant-..."
 cdc config add client --description "Client's Enterprise API"
 
-# List configured APIs
+# List configured APIs (shows storage method)
 cdc config list
+
+# Manually migrate existing keys (automatic on first run)
+cdc config migrate-keys
 ```
 
 ### 2. Basic Usage
@@ -183,22 +193,37 @@ cat large_data.json | cdc toon encode | cdc ask "analyze this data"
 
 ## Configuration
 
+### Secure API Key Storage
+
+**🔐 Your API keys are stored securely and never in plain text.**
+
+- **macOS**: Keychain
+- **Linux**: Secret Service API (GNOME Keyring, KWallet)
+- **Windows**: Windows Credential Locker
+- **Fallback**: Encrypted file (if keyring unavailable)
+
+Keys are automatically migrated from plaintext on first run. You can also manually migrate:
+
+```bash
+cdc config migrate-keys
+```
+
 ### Global Configuration
 
-Configuration is stored in `~/.claude-dev-cli/config.json`:
+Configuration metadata is stored in `~/.claude-dev-cli/config.json` (API keys are NOT in this file):
 
 ```json
 {
   "api_configs": [
     {
       "name": "personal",
-      "api_key": "sk-ant-...",
+      "api_key": "",  // Empty - actual key in secure storage
       "description": "My personal API key",
       "default": true
     },
     {
       "name": "client",
-      "api_key": "sk-ant-...",
+      "api_key": "",  // Empty - actual key in secure storage
       "description": "Client's Enterprise API",
       "default": false
     }

{claude_dev_cli-0.3.0.dist-info → claude_dev_cli-0.4.0.dist-info}/RECORD

@@ -1,8 +1,9 @@
 claude_dev_cli/__init__.py,sha256=2ulyIQ3E-s6wBTKyeXAlqHMVA73zUGdaaNUsFiJ-nqs,469
-claude_dev_cli/cli.py,sha256=ekJpBU3d0k9DrE5VoJdKGNgPBsmdB4415up_Yhx_fw0,16174
+claude_dev_cli/cli.py,sha256=KeBRudNvKU7RzO_m1w50WyiKwAMEp3U9LNal0R_FEGk,18194
 claude_dev_cli/commands.py,sha256=RKGx2rv56PM6eErvA2uoQ20hY8babuI5jav8nCUyUOk,3964
-claude_dev_cli/config.py,sha256=YwJjVkW9S1O_iq_2O6YCjYtuFWUCmP18zA7esKDwkKU,5776
-claude_dev_cli/core.py,sha256=97rR9BuNfnhJxFrd7dTdApGyPh6MeGNArcRmaiOY69I,4443
+claude_dev_cli/config.py,sha256=RGX0sKplHUsrJJmU-4FuWWjoTbQVgWaMT8DgRUofrR4,8134
+claude_dev_cli/core.py,sha256=yaLjEixDvPzvUy4fJ2UB7nMpPPLyKACjR-RuM-1OQBY,4780
+claude_dev_cli/secure_storage.py,sha256=TK3WOaU7a0yTOtzdP_t_28fDRp2lovANNAC6MBdm4nQ,7096
 claude_dev_cli/templates.py,sha256=lKxH943ySfUKgyHaWa4W3LVv91SgznKgajRtSRp_4UY,2260
 claude_dev_cli/toon_utils.py,sha256=S3px2UvmNEaltmTa5K-h21n2c0CPvYjZc9mc7kHGqNQ,2828
 claude_dev_cli/usage.py,sha256=32rs0_dUn6ihha3vCfT3rwnvel_-sED7jvLpO7gu-KQ,7446
@@ -10,10 +11,10 @@ claude_dev_cli/plugins/__init__.py,sha256=BdiZlylBzEgnwK2tuEdn8cITxhAZRVbTnDbWhd
 claude_dev_cli/plugins/base.py,sha256=H4HQet1I-a3WLCfE9F06Lp8NuFvVoIlou7sIgyJFK-c,1417
 claude_dev_cli/plugins/diff_editor/__init__.py,sha256=gqR5S2TyIVuq-sK107fegsutQ7Z-sgAIEbtc71FhXIM,101
 claude_dev_cli/plugins/diff_editor/plugin.py,sha256=M1bUoqpasD3ZNQo36Fu_8g92uySPZyG_ujMbj5UplsU,3073
-claude_dev_cli/plugins/diff_editor/viewer.py,sha256=wm8TG-aOrCV0f1NaL-Jwi93UaksfApESQpjmPPRIQTs,11597
-claude_dev_cli-0.3.0.dist-info/licenses/LICENSE,sha256=DGueuJwMJtMwgLO5mWlS0TaeBrFwQuNpNZ22PU9J2bw,1062
-claude_dev_cli-0.3.0.dist-info/METADATA,sha256=lR6Z4dFk6UaXzPHBwLX9hi7eiKEHaI9I0Hcg1yVCR9w,10325
-claude_dev_cli-0.3.0.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-claude_dev_cli-0.3.0.dist-info/entry_points.txt,sha256=zymgUIIVpFTARkFmxAuW2A4BQsNITh_L0uU-XunytHg,85
-claude_dev_cli-0.3.0.dist-info/top_level.txt,sha256=m7MF6LOIuTe41IT5Fgt0lc-DK1EgM4gUU_IZwWxK0pg,15
-claude_dev_cli-0.3.0.dist-info/RECORD,,
+claude_dev_cli/plugins/diff_editor/viewer.py,sha256=1IOXIKw_01ppJx5C1dQt9Kr6U1TdAHT8_iUT5r_q0NM,17169
+claude_dev_cli-0.4.0.dist-info/licenses/LICENSE,sha256=DGueuJwMJtMwgLO5mWlS0TaeBrFwQuNpNZ22PU9J2bw,1062
+claude_dev_cli-0.4.0.dist-info/METADATA,sha256=tfugybDPK3KyZTBcm8PHlEeb_ZidSWtRaKAwIBfIn70,11288
+claude_dev_cli-0.4.0.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+claude_dev_cli-0.4.0.dist-info/entry_points.txt,sha256=zymgUIIVpFTARkFmxAuW2A4BQsNITh_L0uU-XunytHg,85
+claude_dev_cli-0.4.0.dist-info/top_level.txt,sha256=m7MF6LOIuTe41IT5Fgt0lc-DK1EgM4gUU_IZwWxK0pg,15
+claude_dev_cli-0.4.0.dist-info/RECORD,,