feat: add secure API key storage via system keychain

Optional keyring integration behind `secure-storage` feature flag.
Adds set-key/get-key commands and keyring fallback in config loading
chain (CLI > env > keyring > config file > defaults).

Author: Sephyi

Cargo.lock

@@ -56,9 +56,16 @@ indicatif = "0.18"
 tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
 
+# Secure storage (optional)
+keyring = { version = "3", optional = true }
+
 # Utilities
 regex = "1.12"
 
+[features]
+default = []
+secure-storage = ["keyring"]
+
 [profile.release]
 lto = true
 strip = true

Cargo.toml

@@ -261,6 +261,10 @@ impl App {
                 clap_complete::generate(*shell, &mut cmd, "commitbee", &mut std::io::stdout());
                 Ok(())
             }
+            #[cfg(feature = "secure-storage")]
+            Commands::SetKey { provider } => self.set_api_key(provider),
+            #[cfg(feature = "secure-storage")]
+            Commands::GetKey { provider } => self.get_api_key(provider),
         }
     }
 
@@ -341,6 +345,88 @@ impl App {
         Ok(())
     }
 
+    // ─── Keyring Commands ───
+
+    #[cfg(feature = "secure-storage")]
+    fn set_api_key(&self, provider: &str) -> Result<()> {
+        let provider_lower = provider.to_lowercase();
+        if provider_lower != "openai" && provider_lower != "anthropic" {
+            return Err(Error::Config(format!(
+                "Keyring storage is only for cloud providers (openai, anthropic), got '{}'",
+                provider
+            )));
+        }
+
+        eprintln!(
+            "Enter API key for {} (input will be hidden):",
+            style(&provider_lower).bold()
+        );
+
+        let key = dialoguer::Password::new()
+            .with_prompt("API key")
+            .interact()
+            .map_err(|e| Error::Dialog(e.to_string()))?;
+
+        if key.trim().is_empty() {
+            return Err(Error::Config("API key cannot be empty".into()));
+        }
+
+        let entry = keyring::Entry::new("commitbee", &provider_lower)
+            .map_err(|e| Error::Keyring(e.to_string()))?;
+        entry
+            .set_password(&key)
+            .map_err(|e| Error::Keyring(e.to_string()))?;
+
+        eprintln!(
+            "{} API key stored for {}",
+            style("✓").green().bold(),
+            provider_lower
+        );
+        Ok(())
+    }
+
+    #[cfg(feature = "secure-storage")]
+    fn get_api_key(&self, provider: &str) -> Result<()> {
+        let provider_lower = provider.to_lowercase();
+        if provider_lower != "openai" && provider_lower != "anthropic" {
+            return Err(Error::Config(format!(
+                "Keyring storage is only for cloud providers (openai, anthropic), got '{}'",
+                provider
+            )));
+        }
+
+        let entry = keyring::Entry::new("commitbee", &provider_lower)
+            .map_err(|e| Error::Keyring(e.to_string()))?;
+
+        match entry.get_password() {
+            Ok(_) => {
+                eprintln!(
+                    "{} API key for {} is stored in keychain",
+                    style("✓").green().bold(),
+                    provider_lower
+                );
+            }
+            Err(keyring::Error::NoEntry) => {
+                eprintln!(
+                    "{} No API key found for {} in keychain",
+                    style("✗").red().bold(),
+                    provider_lower
+                );
+                eprintln!(
+                    "  Store one with: {}",
+                    style(format!("commitbee set-key {}", provider_lower)).yellow()
+                );
+            }
+            Err(e) => {
+                return Err(Error::Keyring(e.to_string()));
+            }
+        }
+
+        Ok(())
+    }
+
+    // ─── Output Helpers ───
+
     fn print_status(&self, msg: &str) {
         eprintln!("{} {}", style("→").cyan(), msg);
     }

src/app.rs

@@ -55,4 +55,16 @@ pub enum Commands {
         #[arg(value_enum)]
         shell: clap_complete::Shell,
     },
+    /// Store API key in system keychain
+    #[cfg(feature = "secure-storage")]
+    SetKey {
+        /// Provider to store key for (openai, anthropic)
+        provider: String,
+    },
+    /// Check if API key exists in system keychain
+    #[cfg(feature = "secure-storage")]
+    GetKey {
+        /// Provider to check key for (openai, anthropic)
+        provider: String,
+    },
 }

src/cli.rs

@@ -189,6 +189,17 @@ impl Config {
             };
         }
 
+        // Keyring fallback (if still no key and secure-storage feature is enabled)
+        #[cfg(feature = "secure-storage")]
+        if config.api_key.is_none() && config.provider != Provider::Ollama {
+            let provider_name = config.provider.to_string();
+            if let Ok(entry) = keyring::Entry::new("commitbee", &provider_name) {
+                if let Ok(key) = entry.get_password() {
+                    config.api_key = Some(key);
+                }
+            }
+        }
+
         // CLI overrides (highest priority)
         config.apply_cli(cli);
         config.validate()?;

src/config.rs

@@ -89,6 +89,14 @@ pub enum Error {
 
     #[error("Dialog error: {0}")]
     Dialog(String),
+
+    #[cfg(feature = "secure-storage")]
+    #[error("Keyring error: {0}")]
+    #[diagnostic(
+        code(commitbee::keyring::error),
+        help("Check your system keychain configuration")
+    )]
+    Keyring(String),
 }
 
 impl From<dialoguer::Error> for Error {