PyPI - codeframe-ai - Versions diffs - 0.9.0__py3-none-any.whl - Mend

codeframe-ai 0.9.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (197) hide show

codeframe/__init__.py +11 -0
codeframe/__main__.py +20 -0
codeframe/adapters/__init__.py +5 -0
codeframe/adapters/e2b/__init__.py +13 -0
codeframe/adapters/e2b/adapter.py +342 -0
codeframe/adapters/e2b/budget.py +71 -0
codeframe/adapters/e2b/credential_scanner.py +134 -0
codeframe/adapters/llm/__init__.py +92 -0
codeframe/adapters/llm/anthropic.py +414 -0
codeframe/adapters/llm/base.py +444 -0
codeframe/adapters/llm/mock.py +281 -0
codeframe/adapters/llm/openai.py +483 -0
codeframe/agents/__init__.py +8 -0
codeframe/agents/dependency_resolver.py +714 -0
codeframe/auth/__init__.py +16 -0
codeframe/auth/api_key_router.py +238 -0
codeframe/auth/api_keys.py +156 -0
codeframe/auth/dependencies.py +358 -0
codeframe/auth/manager.py +178 -0
codeframe/auth/models.py +30 -0
codeframe/auth/router.py +93 -0
codeframe/auth/schemas.py +15 -0
codeframe/auth/scopes.py +53 -0
codeframe/cli/__init__.py +12 -0
codeframe/cli/__main__.py +20 -0
codeframe/cli/api_client.py +275 -0
codeframe/cli/app.py +5688 -0
codeframe/cli/auth.py +122 -0
codeframe/cli/auth_commands.py +958 -0
codeframe/cli/commands/__init__.py +5 -0
codeframe/cli/config_commands.py +79 -0
codeframe/cli/dashboard_commands.py +67 -0
codeframe/cli/engines_commands.py +205 -0
codeframe/cli/env_commands.py +409 -0
codeframe/cli/helpers.py +56 -0
codeframe/cli/hooks_commands.py +208 -0
codeframe/cli/import_commands.py +129 -0
codeframe/cli/pr_commands.py +549 -0
codeframe/cli/proof_commands.py +415 -0
codeframe/cli/stats_commands.py +311 -0
codeframe/cli/telemetry_runtime.py +153 -0
codeframe/cli/validators.py +123 -0
codeframe/config/rate_limits.py +165 -0
codeframe/core/__init__.py +15 -0
codeframe/core/adapters/__init__.py +43 -0
codeframe/core/adapters/agent_adapter.py +114 -0
codeframe/core/adapters/builtin.py +326 -0
codeframe/core/adapters/claude_code.py +62 -0
codeframe/core/adapters/codex.py +393 -0
codeframe/core/adapters/git_utils.py +40 -0
codeframe/core/adapters/kilocode.py +126 -0
codeframe/core/adapters/opencode.py +48 -0
codeframe/core/adapters/streaming_chat.py +483 -0
codeframe/core/adapters/subprocess_adapter.py +213 -0
codeframe/core/adapters/verification_wrapper.py +269 -0
codeframe/core/agent.py +2183 -0
codeframe/core/agents_config.py +569 -0
codeframe/core/api_key_service.py +211 -0
codeframe/core/artifacts.py +428 -0
codeframe/core/blocker_detection.py +218 -0
codeframe/core/blockers.py +433 -0
codeframe/core/checkpoints.py +481 -0
codeframe/core/conductor.py +2255 -0
codeframe/core/config.py +827 -0
codeframe/core/config_watcher.py +268 -0
codeframe/core/context.py +542 -0
codeframe/core/context_packager.py +234 -0
codeframe/core/credentials.py +735 -0
codeframe/core/dependency_analyzer.py +229 -0
codeframe/core/dependency_graph.py +290 -0
codeframe/core/diagnostic_agent.py +712 -0
codeframe/core/diagnostics.py +616 -0
codeframe/core/editor.py +556 -0
codeframe/core/engine_registry.py +256 -0
codeframe/core/engine_stats.py +231 -0
codeframe/core/environment.py +697 -0
codeframe/core/events.py +375 -0
codeframe/core/executor.py +1005 -0
codeframe/core/fix_tracker.py +480 -0
codeframe/core/gates.py +1322 -0
codeframe/core/git.py +477 -0
codeframe/core/github_connect_service.py +178 -0
codeframe/core/github_integration_config.py +118 -0
codeframe/core/github_issues_service.py +449 -0
codeframe/core/hooks.py +184 -0
codeframe/core/importers/__init__.py +1 -0
codeframe/core/importers/ralph.py +540 -0
codeframe/core/installer.py +650 -0
codeframe/core/models.py +1026 -0
codeframe/core/notifications_config.py +183 -0
codeframe/core/planner.py +437 -0
codeframe/core/prd.py +670 -0
codeframe/core/prd_discovery.py +1118 -0
codeframe/core/prd_stress_test.py +499 -0
codeframe/core/progress.py +126 -0
codeframe/core/proof/__init__.py +34 -0
codeframe/core/proof/capture.py +79 -0
codeframe/core/proof/evidence.py +56 -0
codeframe/core/proof/ledger.py +574 -0
codeframe/core/proof/models.py +162 -0
codeframe/core/proof/obligations.py +103 -0
codeframe/core/proof/runner.py +233 -0
codeframe/core/proof/scope.py +81 -0
codeframe/core/proof/stubs.py +156 -0
codeframe/core/quick_fixes.py +558 -0
codeframe/core/react_agent.py +1650 -0
codeframe/core/reconciliation.py +183 -0
codeframe/core/replay.py +788 -0
codeframe/core/review.py +285 -0
codeframe/core/runtime.py +1134 -0
codeframe/core/sandbox/__init__.py +27 -0
codeframe/core/sandbox/context.py +98 -0
codeframe/core/sandbox/worktree.py +20 -0
codeframe/core/schedule.py +396 -0
codeframe/core/stall_detector.py +71 -0
codeframe/core/stall_monitor.py +134 -0
codeframe/core/state_machine.py +121 -0
codeframe/core/streaming.py +502 -0
codeframe/core/task_tree.py +400 -0
codeframe/core/tasks.py +1022 -0
codeframe/core/telemetry.py +232 -0
codeframe/core/templates.py +221 -0
codeframe/core/tools.py +942 -0
codeframe/core/workspace.py +887 -0
codeframe/core/worktrees.py +276 -0
codeframe/git/__init__.py +5 -0
codeframe/git/github_integration.py +505 -0
codeframe/lib/__init__.py +0 -0
codeframe/lib/audit_logger.py +248 -0
codeframe/lib/metrics_tracker.py +800 -0
codeframe/lib/quality/__init__.py +7 -0
codeframe/lib/quality/complexity_analyzer.py +316 -0
codeframe/lib/quality/owasp_patterns.py +284 -0
codeframe/lib/quality/security_scanner.py +250 -0
codeframe/lib/rate_limiter.py +312 -0
codeframe/notifications/__init__.py +0 -0
codeframe/notifications/webhook.py +380 -0
codeframe/planning/__init__.py +30 -0
codeframe/planning/issue_generator.py +219 -0
codeframe/planning/prd_template_functions.py +137 -0
codeframe/planning/prd_templates.py +975 -0
codeframe/planning/task_scheduler.py +511 -0
codeframe/planning/task_templates.py +533 -0
codeframe/platform_store/__init__.py +5 -0
codeframe/platform_store/database.py +277 -0
codeframe/platform_store/repositories/__init__.py +24 -0
codeframe/platform_store/repositories/api_key_repository.py +245 -0
codeframe/platform_store/repositories/audit_repository.py +67 -0
codeframe/platform_store/repositories/base.py +295 -0
codeframe/platform_store/repositories/interactive_sessions.py +165 -0
codeframe/platform_store/repositories/token_repository.py +598 -0
codeframe/platform_store/repositories/workspace_registry_repository.py +175 -0
codeframe/platform_store/schema_manager.py +321 -0
codeframe/templates/AGENTS.md.default +94 -0
codeframe/tui/__init__.py +5 -0
codeframe/tui/app.py +256 -0
codeframe/tui/data_service.py +103 -0
codeframe/ui/__init__.py +0 -0
codeframe/ui/dependencies.py +103 -0
codeframe/ui/models.py +999 -0
codeframe/ui/response_models.py +201 -0
codeframe/ui/routers/__init__.py +5 -0
codeframe/ui/routers/_helpers.py +29 -0
codeframe/ui/routers/batches_v2.py +315 -0
codeframe/ui/routers/blockers_v2.py +320 -0
codeframe/ui/routers/checkpoints_v2.py +310 -0
codeframe/ui/routers/costs_v2.py +322 -0
codeframe/ui/routers/diagnose_v2.py +225 -0
codeframe/ui/routers/discovery_v2.py +417 -0
codeframe/ui/routers/environment_v2.py +284 -0
codeframe/ui/routers/events_v2.py +75 -0
codeframe/ui/routers/gates_v2.py +166 -0
codeframe/ui/routers/git_v2.py +284 -0
codeframe/ui/routers/github_integrations_v2.py +532 -0
codeframe/ui/routers/interactive_sessions_v2.py +238 -0
codeframe/ui/routers/pr_v2.py +709 -0
codeframe/ui/routers/prd_v2.py +695 -0
codeframe/ui/routers/proof_v2.py +755 -0
codeframe/ui/routers/review_v2.py +360 -0
codeframe/ui/routers/schedule_v2.py +214 -0
codeframe/ui/routers/session_chat_ws.py +354 -0
codeframe/ui/routers/settings_v2.py +562 -0
codeframe/ui/routers/streaming_v2.py +155 -0
codeframe/ui/routers/tasks_v2.py +1098 -0
codeframe/ui/routers/templates_v2.py +232 -0
codeframe/ui/routers/terminal_ws.py +267 -0
codeframe/ui/routers/workspace_v2.py +527 -0
codeframe/ui/server.py +568 -0
codeframe/ui/shared.py +241 -0
codeframe/workspace/__init__.py +5 -0
codeframe/workspace/manager.py +249 -0
codeframe_ai-0.9.0.dist-info/METADATA +517 -0
codeframe_ai-0.9.0.dist-info/RECORD +197 -0
codeframe_ai-0.9.0.dist-info/WHEEL +5 -0
codeframe_ai-0.9.0.dist-info/entry_points.txt +3 -0
codeframe_ai-0.9.0.dist-info/licenses/LICENSE +661 -0
codeframe_ai-0.9.0.dist-info/top_level.txt +1 -0

codeframe/core/credentials.py ADDED Viewed

@@ -0,0 +1,735 @@
+"""Secure credential management for CodeFRAME.
+This module provides:
+- Platform-native keyring integration (primary storage)
+- Encrypted file fallback when keyring unavailable
+- Environment variable override support
+- Credential validation and rotation
+Security features:
+- Fernet encryption for file-based storage
+- File permissions enforced at 600 (owner-only)
+- Machine-specific encryption keys
+- Audit logging for credential operations
+Usage:
+    from codeframe.core.credentials import CredentialManager, CredentialProvider
+    manager = CredentialManager()
+    api_key = manager.get_credential(CredentialProvider.LLM_ANTHROPIC)
+    manager.set_credential(CredentialProvider.GIT_GITHUB, "ghp_token")
+"""
+import base64
+import hashlib
+import json
+import logging
+import os
+import platform
+import uuid
+from dataclasses import dataclass, field
+from datetime import datetime, timezone
+from enum import Enum
+from pathlib import Path
+from typing import Any, Optional
+try:
+    import keyring
+    from keyring.errors import KeyringError
+    KEYRING_AVAILABLE = True
+except ImportError:
+    KEYRING_AVAILABLE = False
+    keyring = None
+    KeyringError = Exception
+from cryptography.fernet import Fernet, InvalidToken
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
+logger = logging.getLogger(__name__)
+# Constants
+KEYRING_SERVICE_NAME = "codeframe-credentials"
+ENCRYPTED_FILE_NAME = "credentials.encrypted"
+SALT_FILE_NAME = "salt"
+DEFAULT_STORAGE_DIR = Path.home() / ".codeframe"
+class CredentialSource(str, Enum):
+    """Source of a credential."""
+    ENVIRONMENT = "environment"
+    STORED = "stored"
+    NOT_FOUND = "not_found"
+class CredentialProvider(Enum):
+    """Supported credential provider types.
+    Each provider type has associated metadata for env var mapping
+    and display purposes.
+    """
+    LLM_ANTHROPIC = ("ANTHROPIC_API_KEY", "Anthropic (Claude)")
+    LLM_OPENAI = ("OPENAI_API_KEY", "OpenAI (GPT)")
+    GIT_GITHUB = ("GITHUB_TOKEN", "GitHub")
+    GIT_GITLAB = ("GITLAB_TOKEN", "GitLab")
+    CICD_GENERIC = ("CICD_TOKEN", "CI/CD")
+    DATABASE = ("DATABASE_URL", "Database")
+    def __init__(self, env_var: str, display_name: str):
+        self._env_var = env_var
+        self._display_name = display_name
+    @property
+    def env_var(self) -> str:
+        """Environment variable name for this provider."""
+        return self._env_var
+    @property
+    def display_name(self) -> str:
+        """Human-readable display name."""
+        return self._display_name
+@dataclass
+class Credential:
+    """A stored credential with metadata.
+    Attributes:
+        provider: The provider type (LLM, Git, etc.)
+        value: The actual credential value (API key, token, etc.)
+        name: Optional friendly name for the credential
+        metadata: Additional metadata (scopes, permissions, etc.)
+        created_at: When the credential was stored
+        expires_at: Optional expiration timestamp
+    """
+    provider: CredentialProvider
+    value: str
+    name: Optional[str] = None
+    metadata: dict[str, Any] = field(default_factory=dict)
+    created_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
+    expires_at: Optional[datetime] = None
+    @property
+    def is_expired(self) -> bool:
+        """Check if credential has expired."""
+        exp = self.expires_at
+        if exp is None:
+            return False
+        if exp.tzinfo is None:
+            exp = exp.replace(tzinfo=timezone.utc)
+        return datetime.now(timezone.utc) > exp
+    @property
+    def masked_value(self) -> str:
+        """Get masked version of value for display."""
+        if len(self.value) <= 8:
+            return "***"
+        return f"{self.value[:4]}...{self.value[-4:]}"
+    def to_safe_dict(self) -> dict[str, Any]:
+        """Convert to dictionary, excluding actual value."""
+        return {
+            "provider": self.provider.name,
+            "name": self.name,
+            "masked_value": self.masked_value,
+            "metadata": self.metadata,
+            "created_at": self.created_at.isoformat() if self.created_at else None,
+            "expires_at": self.expires_at.isoformat() if self.expires_at else None,
+            "is_expired": self.is_expired,
+        }
+    def to_dict(self) -> dict[str, Any]:
+        """Convert to dictionary for storage (includes value)."""
+        return {
+            "provider": self.provider.name,
+            "value": self.value,
+            "name": self.name,
+            "metadata": self.metadata,
+            "created_at": self.created_at.isoformat() if self.created_at else None,
+            "expires_at": self.expires_at.isoformat() if self.expires_at else None,
+        }
+    @classmethod
+    def from_dict(cls, data: dict[str, Any]) -> "Credential":
+        """Create Credential from dictionary."""
+        provider = CredentialProvider[data["provider"]]
+        created_at = None
+        if data.get("created_at"):
+            created_at = datetime.fromisoformat(data["created_at"])
+        expires_at = None
+        if data.get("expires_at"):
+            expires_at = datetime.fromisoformat(data["expires_at"])
+        return cls(
+            provider=provider,
+            value=data["value"],
+            name=data.get("name"),
+            metadata=data.get("metadata", {}),
+            created_at=created_at or datetime.now(timezone.utc),
+            expires_at=expires_at,
+        )
+@dataclass
+class CredentialInfo:
+    """Summary information about a credential (no actual value)."""
+    provider: CredentialProvider
+    source: CredentialSource
+    name: Optional[str] = None
+    masked_value: Optional[str] = None
+    is_expired: bool = False
+    last_validated: Optional[datetime] = None
+    metadata: dict[str, Any] = field(default_factory=dict)
+def derive_encryption_key(salt_file: Path) -> bytes:
+    """Derive encryption key from machine-specific data.
+    Uses PBKDF2 with machine ID and a persistent salt to create
+    a Fernet-compatible encryption key.
+    Args:
+        salt_file: Path to store/retrieve the salt
+    Returns:
+        Fernet-compatible key (base64 encoded)
+    """
+    # Get or create salt
+    if salt_file.exists():
+        with open(salt_file, "rb") as f:
+            salt = f.read()
+        # Validate salt file integrity
+        if len(salt) != 16:
+            raise ValueError(
+                f"Invalid salt file at {salt_file}: expected 16 bytes, got {len(salt)}. "
+                "Delete the salt file to regenerate (note: this will make existing "
+                "credentials inaccessible)."
+            )
+    else:
+        salt = os.urandom(16)
+        salt_file.parent.mkdir(parents=True, exist_ok=True)
+        with open(salt_file, "wb") as f:
+            f.write(salt)
+        # Secure permissions
+        salt_file.chmod(0o600)
+    # Get machine-specific identifier
+    machine_id = _get_machine_id()
+    # Derive key using PBKDF2
+    kdf = PBKDF2HMAC(
+        algorithm=hashes.SHA256(),
+        length=32,
+        salt=salt,
+        iterations=480000,
+    )
+    key = base64.urlsafe_b64encode(kdf.derive(machine_id.encode()))
+    return key
+def _get_machine_id() -> str:
+    """Get a machine-specific identifier.
+    Uses platform-specific stable identifiers when available:
+    - Linux: /etc/machine-id
+    - Windows: MachineGuid from registry
+    - Fallback: hostname + machine type + MAC address
+    Note: MAC address (uuid.getnode) can be randomized on WiFi adapters
+    on privacy-focused systems, so we prefer OS-level machine IDs.
+    """
+    components = []
+    # Try Linux machine-id first (most stable)
+    machine_id_path = Path("/etc/machine-id")
+    if machine_id_path.exists():
+        try:
+            machine_id = machine_id_path.read_text().strip()
+            if machine_id:
+                components.append(machine_id)
+        except (PermissionError, OSError):
+            pass
+    # Try Windows MachineGuid
+    if platform.system() == "Windows" and not components:
+        try:
+            import winreg
+            with winreg.OpenKey(
+                winreg.HKEY_LOCAL_MACHINE,
+                r"SOFTWARE\Microsoft\Cryptography"
+            ) as key:
+                machine_guid, _ = winreg.QueryValueEx(key, "MachineGuid")
+                if machine_guid:
+                    components.append(machine_guid)
+        except (ImportError, OSError, FileNotFoundError):
+            pass
+    # Fallback: use portable identifiers
+    if not components:
+        components = [
+            platform.node(),
+            platform.machine(),
+            str(uuid.getnode()),  # MAC address (less stable on some systems)
+        ]
+    combined = "-".join(components)
+    return hashlib.sha256(combined.encode()).hexdigest()
+def validate_credential_format(
+    provider: CredentialProvider,
+    value: str,
+) -> bool:
+    """Validate credential format for a provider.
+    Args:
+        provider: The credential provider type
+        value: The credential value to validate
+    Returns:
+        True if format appears valid, False otherwise
+    """
+    if not value or len(value) < 5:
+        return False
+    if provider == CredentialProvider.LLM_ANTHROPIC:
+        # Anthropic keys start with "sk-ant-" (e.g., sk-ant-api03-...)
+        return len(value) >= 20 and value.startswith("sk-ant-")
+    elif provider == CredentialProvider.LLM_OPENAI:
+        # OpenAI keys start with "sk-" (legacy) or "sk-proj-" (project-scoped)
+        return len(value) >= 20 and value.startswith("sk-")
+    elif provider == CredentialProvider.GIT_GITHUB:
+        # GitHub PATs: ghp_ (classic) or github_pat_ (fine-grained)
+        return len(value) >= 10 and (
+            value.startswith("ghp_") or
+            value.startswith("github_pat_") or
+            value.startswith("gho_") or  # OAuth
+            value.startswith("ghs_")  # Server-to-server
+        )
+    elif provider == CredentialProvider.GIT_GITLAB:
+        # GitLab tokens start with "glpat-"
+        return len(value) >= 20 and value.startswith("glpat-")
+    # Default: just check minimum length
+    return len(value) >= 5
+class CredentialStore:
+    """Low-level credential storage.
+    Uses platform keyring as primary storage with encrypted file fallback.
+    """
+    def __init__(self, storage_dir: Optional[Path] = None):
+        """Initialize credential store.
+        Args:
+            storage_dir: Directory for encrypted file storage
+        """
+        self.storage_dir = storage_dir or DEFAULT_STORAGE_DIR
+        self._keyring_available = self._check_keyring()
+        self._fernet: Optional[Fernet] = None
+    def _check_keyring(self) -> bool:
+        """Check if keyring is available and working."""
+        if not KEYRING_AVAILABLE:
+            return False
+        try:
+            # Try to get the keyring backend
+            kr = keyring.get_keyring()
+            # Check if it's a real backend (not fail keyring)
+            if "fail" in kr.__class__.__name__.lower():
+                return False
+            return True
+        except Exception:
+            return False
+    def _get_fernet(self) -> Fernet:
+        """Get or create Fernet instance for encryption."""
+        if self._fernet is None:
+            salt_file = self.storage_dir / SALT_FILE_NAME
+            key = derive_encryption_key(salt_file)
+            self._fernet = Fernet(key)
+        return self._fernet
+    def _get_encrypted_file_path(self) -> Path:
+        """Get path to encrypted credentials file."""
+        return self.storage_dir / ENCRYPTED_FILE_NAME
+    def _load_encrypted_store(self) -> dict[str, dict]:
+        """Load all credentials from encrypted file.
+        Returns:
+            Dictionary of stored credentials, or empty dict if file doesn't exist.
+        Note:
+            Returns empty dict on decryption failure (e.g., machine ID changed).
+            This is intentional - credentials become inaccessible on new machines.
+        """
+        file_path = self._get_encrypted_file_path()
+        if not file_path.exists():
+            return {}
+        try:
+            with open(file_path, "rb") as f:
+                encrypted_data = f.read()
+            fernet = self._get_fernet()
+            decrypted = fernet.decrypt(encrypted_data)
+            return json.loads(decrypted.decode())
+        except InvalidToken:
+            # Decryption failed - likely machine ID changed or file corrupted
+            logger.error(
+                "Failed to decrypt credentials file. This can happen if the machine ID "
+                "changed (e.g., new machine, VM clone). Stored credentials are inaccessible. "
+                "Re-run 'cf auth setup' to reconfigure credentials."
+            )
+            return {}
+        except json.JSONDecodeError as e:
+            # Decryption succeeded but JSON is invalid - file corruption
+            logger.error(f"Credentials file corrupted (invalid JSON): {e}")
+            return {}
+        except PermissionError as e:
+            logger.error(f"Permission denied reading credentials file: {e}")
+            return {}
+        except OSError as e:
+            logger.error(f"Failed to read credentials file: {e}")
+            return {}
+    def _save_encrypted_store(self, store: dict[str, dict]) -> None:
+        """Save all credentials to encrypted file."""
+        self.storage_dir.mkdir(parents=True, exist_ok=True)
+        file_path = self._get_encrypted_file_path()
+        fernet = self._get_fernet()
+        data = json.dumps(store).encode()
+        encrypted = fernet.encrypt(data)
+        # Write atomically
+        temp_path = file_path.with_suffix(".tmp")
+        try:
+            with open(temp_path, "wb") as f:
+                f.write(encrypted)
+            temp_path.chmod(0o600)
+            temp_path.replace(file_path)
+            file_path.chmod(0o600)
+        finally:
+            try:
+                temp_path.unlink(missing_ok=True)
+            except OSError:
+                pass
+    def store(self, credential: Credential) -> None:
+        """Store a credential securely.
+        Tries keyring first, falls back to encrypted file.
+        Args:
+            credential: The credential to store
+        """
+        key = credential.provider.name
+        data = json.dumps(credential.to_dict())
+        # Try keyring first
+        if self._keyring_available:
+            try:
+                keyring.set_password(KEYRING_SERVICE_NAME, key, data)
+                logger.debug(f"Stored {key} in keyring")
+                return
+            except Exception as e:
+                logger.warning(f"Keyring storage failed, using encrypted file: {e}")
+                try:
+                    keyring.delete_password(KEYRING_SERVICE_NAME, key)
+                except Exception:
+                    pass
+                self._keyring_available = False
+        # Fall back to encrypted file
+        store = self._load_encrypted_store()
+        store[key] = credential.to_dict()
+        self._save_encrypted_store(store)
+        logger.debug(f"Stored {key} in encrypted file")
+    def retrieve(self, provider: CredentialProvider) -> Optional[Credential]:
+        """Retrieve a credential.
+        Tries keyring first, falls back to encrypted file.
+        Args:
+            provider: The provider type to retrieve
+        Returns:
+            Credential if found, None otherwise
+        """
+        key = provider.name
+        # Try keyring first
+        if self._keyring_available:
+            try:
+                data = keyring.get_password(KEYRING_SERVICE_NAME, key)
+                if data:
+                    return Credential.from_dict(json.loads(data))
+            except (KeyError, TypeError, ValueError, json.JSONDecodeError) as e:
+                logger.warning(f"Malformed credential data in keyring for {key}: {e}")
+            except Exception as e:
+                logger.debug(f"Keyring retrieval failed: {e}")
+        # Fall back to encrypted file
+        store = self._load_encrypted_store()
+        if key in store:
+            try:
+                return Credential.from_dict(store[key])
+            except (KeyError, TypeError, ValueError) as e:
+                logger.warning(f"Malformed credential data in encrypted store for {key}: {e}")
+                return None
+        return None
+    def delete(self, provider: CredentialProvider) -> None:
+        """Delete a credential.
+        Args:
+            provider: The provider type to delete
+        """
+        key = provider.name
+        # Try keyring
+        if self._keyring_available:
+            try:
+                keyring.delete_password(KEYRING_SERVICE_NAME, key)
+                logger.debug(f"Deleted {key} from keyring")
+            except Exception as e:
+                logger.warning(f"Keyring deletion failed: {e}")
+                raise
+        # Also remove from encrypted file (if exists)
+        store = self._load_encrypted_store()
+        if key in store:
+            del store[key]
+            self._save_encrypted_store(store)
+            logger.debug(f"Deleted {key} from encrypted file")
+    def list_providers(self) -> list[CredentialProvider]:
+        """List all stored provider types from encrypted file storage.
+        Note:
+            This only returns credentials stored in the encrypted file.
+            Credentials stored directly in the system keyring (when keyring
+            is available and working) are not enumerable due to keyring API
+            limitations. However, CredentialManager.list_credentials()
+            checks all known provider types and will find keyring entries.
+        Returns:
+            List of providers that have stored credentials in encrypted file
+        """
+        providers = []
+        # Check encrypted file only - keyring doesn't support enumeration
+        store = self._load_encrypted_store()
+        for key in store:
+            try:
+                providers.append(CredentialProvider[key])
+            except KeyError:
+                logger.warning(f"Unknown provider in store: {key}")
+        return providers
+class CredentialManager:
+    """High-level credential management API.
+    Provides environment variable override, storage abstraction,
+    and credential lifecycle management.
+    """
+    def __init__(self, storage_dir: Optional[Path] = None):
+        """Initialize credential manager.
+        Args:
+            storage_dir: Directory for credential storage
+        """
+        self._store = CredentialStore(storage_dir)
+    def get_credential(
+        self,
+        provider: CredentialProvider,
+        name: Optional[str] = None,
+    ) -> Optional[str]:
+        """Get credential value, checking env var first.
+        Args:
+            provider: The provider type
+            name: Optional credential name (unused for env var lookup)
+        Returns:
+            Credential value if found, None otherwise
+        """
+        # Check environment variable first
+        env_value = os.environ.get(provider.env_var)
+        if env_value:
+            logger.debug(f"Using {provider.env_var} from environment")
+            return env_value
+        # Fall back to store
+        credential = self._store.retrieve(provider)
+        if credential:
+            if credential.is_expired:
+                logger.warning(f"Credential for {provider.name} has expired")
+                return None
+            return credential.value
+        return None
+    def get_credential_source(
+        self,
+        provider: CredentialProvider,
+    ) -> CredentialSource:
+        """Determine where a credential comes from.
+        Args:
+            provider: The provider type
+        Returns:
+            CredentialSource indicating the source
+        """
+        if os.environ.get(provider.env_var):
+            return CredentialSource.ENVIRONMENT
+        credential = self._store.retrieve(provider)
+        if credential:
+            return CredentialSource.STORED
+        return CredentialSource.NOT_FOUND
+    def set_credential(
+        self,
+        provider: CredentialProvider,
+        value: str,
+        name: Optional[str] = None,
+        metadata: Optional[dict[str, Any]] = None,
+        expires_at: Optional[datetime] = None,
+    ) -> None:
+        """Store a credential securely.
+        Args:
+            provider: The provider type
+            value: The credential value
+            name: Optional friendly name
+            metadata: Optional metadata (scopes, etc.)
+            expires_at: Optional expiration timestamp
+        """
+        credential = Credential(
+            provider=provider,
+            value=value,
+            name=name,
+            metadata=metadata or {},
+            expires_at=expires_at,
+        )
+        self._store.store(credential)
+        logger.info(f"Stored credential for {provider.display_name}")
+    def delete_credential(self, provider: CredentialProvider) -> None:
+        """Delete a credential.
+        Args:
+            provider: The provider type to delete
+        """
+        self._store.delete(provider)
+        logger.info(f"Deleted credential for {provider.display_name}")
+    def rotate_credential(
+        self,
+        provider: CredentialProvider,
+        new_value: str,
+        metadata: Optional[dict[str, Any]] = None,
+    ) -> None:
+        """Rotate a credential atomically.
+        Stores new value, only removes old after successful store.
+        Args:
+            provider: The provider type
+            new_value: The new credential value
+            metadata: Optional updated metadata
+        """
+        # Get existing metadata if not provided
+        existing = self._store.retrieve(provider)
+        if existing and metadata is None:
+            metadata = existing.metadata
+        # Store new credential (overwrites old)
+        self.set_credential(
+            provider=provider,
+            value=new_value,
+            name=existing.name if existing else None,
+            metadata=metadata,
+        )
+        logger.info(f"Rotated credential for {provider.display_name}")
+    def list_credentials(self) -> list[CredentialInfo]:
+        """List all available credentials with their sources.
+        Returns:
+            List of CredentialInfo objects
+        """
+        credentials = []
+        # Check all providers
+        for provider in CredentialProvider:
+            source = self.get_credential_source(provider)
+            if source == CredentialSource.NOT_FOUND:
+                continue
+            info = CredentialInfo(
+                provider=provider,
+                source=source,
+            )
+            if source == CredentialSource.ENVIRONMENT:
+                env_value = os.environ.get(provider.env_var, "")
+                if len(env_value) > 8:
+                    info.masked_value = f"{env_value[:4]}...{env_value[-4:]}"
+                else:
+                    info.masked_value = "***"
+            elif source == CredentialSource.STORED:
+                cred = self._store.retrieve(provider)
+                if cred:
+                    info.name = cred.name
+                    info.masked_value = cred.masked_value
+                    info.is_expired = cred.is_expired
+                    info.metadata = cred.metadata
+            credentials.append(info)
+        return credentials
+    def validate_credential_format(
+        self,
+        provider: CredentialProvider,
+        value: str,
+    ) -> bool:
+        """Validate credential format.
+        Args:
+            provider: The provider type
+            value: The credential value
+        Returns:
+            True if format appears valid
+        """
+        return validate_credential_format(provider, value)