refactor: inline subprocess helpers into platform backends

bendrucker · bendrucker · commit 85eea5f68d4b · 2026-02-13T11:01:21.000-08:00
Each backend now owns its subprocess logic instead of importing a
shared run() from index.ts. This removes the circular-feeling
dependency and makes spawn error messages specific to the actual
binary (security, secret-tool) rather than a generic platformHint.

Also: document CREDENTIALW struct layout and GetLastError FFI
limitation in windows.ts, extract mock backend in keyring tests,
fix stale PowerShell reference in docs.
diff --git a/docs/authentication.md b/docs/authentication.md
@@ -82,7 +82,7 @@ API keys are not stored in this file. they are stored in the system keyring and
 - **Linux**: requires `secret-tool` from libsecret
   - Debian/Ubuntu: `apt install libsecret-tools`
   - Arch: `pacman -S libsecret`
-- **Windows**: uses CredentialManager via PowerShell (built-in)
+- **Windows**: uses Credential Manager via `advapi32.dll` (built-in)
 
 if the keyring is unavailable, set `LINEAR_API_KEY` as a fallback.
 
diff --git a/src/keyring/index.ts b/src/keyring/index.ts
@@ -16,20 +16,6 @@ export function _setBackend(b: KeyringBackend | null): void {
   backend = b
 }
 
-function platformHint(): string {
-  switch (Deno.build.os) {
-    case "darwin":
-      return "Could not find /usr/bin/security. Is this a macOS system?"
-    case "linux":
-      return "Could not find secret-tool. Install libsecret (e.g. apt install libsecret-tools, pacman -S libsecret).\n" +
-        "Alternatively, set the LINEAR_API_KEY environment variable."
-    case "windows":
-      return "Could not load advapi32.dll. Is this a Windows system?"
-    default:
-      return `Unsupported platform: ${Deno.build.os}`
-  }
-}
-
 function getBackend(): KeyringBackend {
   if (backend != null) return backend
   switch (Deno.build.os) {
@@ -44,47 +30,6 @@ function getBackend(): KeyringBackend {
   }
 }
 
-export async function run(
-  cmd: string[],
-  options?: { stdin?: string },
-): Promise<{ success: boolean; code: number; stdout: string; stderr: string }> {
-  let process: Deno.ChildProcess
-  try {
-    const command = new Deno.Command(cmd[0], {
-      args: cmd.slice(1),
-      stdin: options?.stdin != null ? "piped" : "null",
-      stdout: "piped",
-      stderr: "piped",
-    })
-    process = command.spawn()
-  } catch (error) {
-    const detail = error instanceof Error ? error.message : String(error)
-    throw new Error(`${platformHint()}\n  (${detail})`)
-  }
-
-  if (options?.stdin != null) {
-    try {
-      const writer = process.stdin.getWriter()
-      await writer.write(new TextEncoder().encode(options.stdin))
-      await writer.close()
-    } catch (error) {
-      try {
-        process.kill()
-      } catch { /* already exited */ }
-      const detail = error instanceof Error ? error.message : String(error)
-      throw new Error(`Failed to write to stdin of ${cmd[0]}: ${detail}`)
-    }
-  }
-
-  const { success, code, stdout, stderr } = await process.output()
-  return {
-    success,
-    code,
-    stdout: new TextDecoder().decode(stdout).trim(),
-    stderr: new TextDecoder().decode(stderr).trim(),
-  }
-}
-
 export async function getPassword(account: string): Promise<string | null> {
   return await getBackend().get(account)
 }
diff --git a/src/keyring/linux.ts b/src/keyring/linux.ts
@@ -1,10 +1,58 @@
 import type { KeyringBackend } from "./index.ts"
-import { run, SERVICE } from "./index.ts"
+import { SERVICE } from "./index.ts"
+
+function spawnError(error: unknown): never {
+  const detail = error instanceof Error ? error.message : String(error)
+  throw new Error(
+    "Could not run secret-tool. Install libsecret " +
+      "(e.g. apt install libsecret-tools, pacman -S libsecret).\n" +
+      "Alternatively, set the LINEAR_API_KEY environment variable.\n" +
+      `  (${detail})`,
+  )
+}
+
+async function secretTool(
+  args: string[],
+  options?: { stdin?: string },
+) {
+  let process: Deno.ChildProcess
+  try {
+    process = new Deno.Command("secret-tool", {
+      args,
+      stdin: options?.stdin != null ? "piped" : "null",
+      stdout: "piped",
+      stderr: "piped",
+    }).spawn()
+  } catch (error) {
+    spawnError(error)
+  }
+
+  if (options?.stdin != null) {
+    try {
+      const writer = process.stdin.getWriter()
+      await writer.write(new TextEncoder().encode(options.stdin))
+      await writer.close()
+    } catch (error) {
+      try {
+        process.kill()
+      } catch { /* already exited */ }
+      const detail = error instanceof Error ? error.message : String(error)
+      throw new Error(`Failed to write to stdin of secret-tool: ${detail}`)
+    }
+  }
+
+  const result = await process.output()
+  return {
+    success: result.success,
+    code: result.code,
+    stdout: new TextDecoder().decode(result.stdout).trim(),
+    stderr: new TextDecoder().decode(result.stderr).trim(),
+  }
+}
 
 export const linuxBackend: KeyringBackend = {
   async get(account) {
-    const result = await run([
-      "secret-tool",
+    const result = await secretTool([
       "lookup",
       "service",
       SERVICE,
@@ -24,9 +72,8 @@ export const linuxBackend: KeyringBackend = {
   },
 
   async set(account, password) {
-    const result = await run(
+    const result = await secretTool(
       [
-        "secret-tool",
         "store",
         "--label",
         `${SERVICE}: ${account}`,
@@ -45,8 +92,7 @@ export const linuxBackend: KeyringBackend = {
   },
 
   async delete(account) {
-    const result = await run([
-      "secret-tool",
+    const result = await secretTool([
       "clear",
       "service",
       SERVICE,
diff --git a/src/keyring/macos.ts b/src/keyring/macos.ts
@@ -1,17 +1,37 @@
 import type { KeyringBackend } from "./index.ts"
-import { run, SERVICE } from "./index.ts"
+import { SERVICE } from "./index.ts"
+
+async function security(...args: string[]) {
+  try {
+    const result = await new Deno.Command("/usr/bin/security", {
+      args,
+      stdout: "piped",
+      stderr: "piped",
+    }).output()
+    return {
+      success: result.success,
+      code: result.code,
+      stdout: new TextDecoder().decode(result.stdout).trim(),
+      stderr: new TextDecoder().decode(result.stderr).trim(),
+    }
+  } catch (error) {
+    const detail = error instanceof Error ? error.message : String(error)
+    throw new Error(
+      `Could not run /usr/bin/security. Is this a macOS system?\n  (${detail})`,
+    )
+  }
+}
 
 export const macosBackend: KeyringBackend = {
   async get(account) {
-    const result = await run([
-      "/usr/bin/security",
+    const result = await security(
       "find-generic-password",
       "-a",
       account,
       "-s",
       SERVICE,
       "-w",
-    ])
+    )
     if (!result.success) {
       // exit 44 = errSecItemNotFound
       if (result.code === 44) return null
@@ -23,17 +43,16 @@ export const macosBackend: KeyringBackend = {
   },
 
   async set(account, password) {
-    const result = await run([
-      "/usr/bin/security",
+    const result = await security(
       "add-generic-password",
       "-a",
       account,
       "-s",
       SERVICE,
       "-w",
       password,
-      "-U", // update the item if it already exists
-    ])
+      "-U",
+    )
     if (!result.success) {
       throw new Error(
         `security add-generic-password failed (exit ${result.code}): ${result.stderr}`,
@@ -42,14 +61,13 @@ export const macosBackend: KeyringBackend = {
   },
 
   async delete(account) {
-    const result = await run([
-      "/usr/bin/security",
+    const result = await security(
       "delete-generic-password",
       "-a",
       account,
       "-s",
       SERVICE,
-    ])
+    )
     // exit 44 = errSecItemNotFound
     if (!result.success && result.code !== 44) {
       throw new Error(
diff --git a/src/keyring/windows.ts b/src/keyring/windows.ts
@@ -4,6 +4,12 @@ import { SERVICE } from "./index.ts"
 const ERROR_NOT_FOUND = 1168
 const CRED_TYPE_GENERIC = 1
 const CRED_PERSIST_LOCAL_MACHINE = 2
+// CREDENTIALW struct layout on 64-bit Windows (80 bytes):
+//   0: Flags (u32)        4: Type (u32)           8: TargetName (ptr)
+//  16: Comment (ptr)      24: LastWritten (i64)   32: CredentialBlobSize (u32)
+//  36: (padding)          40: CredentialBlob (ptr) 48: Persist (u32)
+//  52: AttributeCount     56: Attributes (ptr)    64: TargetAlias (ptr)
+//  72: UserName (ptr)
 const CREDENTIAL_SIZE = 80
 
 type FfiBuffer = Uint8Array<ArrayBuffer>
@@ -86,6 +92,9 @@ function credGet(account: string): string | null {
   const ok = lib.symbols.CredReadW(target, CRED_TYPE_GENERIC, 0, outBuf)
   if (!ok) {
     const err = getLastError()
+    // Deno's FFI boundary clobbers the Win32 thread-local error before
+    // GetLastError can read it through a separate dlopen call. Treat 0
+    // (no error set) as "not found" since that's the only expected failure.
     if (err === ERROR_NOT_FOUND || err === 0) return null
     throw new Error(`CredReadW failed (error ${err})`)
   }
@@ -138,6 +147,7 @@ function credDelete(account: string): void {
   const ok = lib.symbols.CredDeleteW(target, CRED_TYPE_GENERIC, 0)
   if (!ok) {
     const err = getLastError()
+    // See credGet for why err === 0 is treated as "not found"
     if (err === ERROR_NOT_FOUND || err === 0) return
     throw new Error(`CredDeleteW failed (error ${err})`)
   }
diff --git a/test/keyring.test.ts b/test/keyring.test.ts
@@ -4,6 +4,19 @@ import { fromFileUrl } from "@std/path"
 const keyringUrl = new URL("../src/keyring/index.ts", import.meta.url)
 const denoJsonPath = fromFileUrl(new URL("../deno.json", import.meta.url))
 
+const MOCK_BACKEND = `
+const _store = new Map();
+_setBackend({
+  get(account) { return Promise.resolve(_store.get(account) ?? null) },
+  set(account, password) { _store.set(account, password); return Promise.resolve() },
+  delete(account) { _store.delete(account); return Promise.resolve() },
+});
+`.trim()
+
+function mockAndImport(imports: string): string {
+  return `import { ${imports}, _setBackend } from "${keyringUrl}";\n${MOCK_BACKEND}`
+}
+
 async function runWithKeyring(code: string): Promise<string> {
   const command = new Deno.Command("deno", {
     args: [
@@ -28,13 +41,7 @@ async function runWithKeyring(code: string): Promise<string> {
 
 Deno.test("keyring - getPassword returns null when not set", async () => {
   const code = `
-    import { getPassword, _setBackend } from "${keyringUrl}";
-    _setBackend({
-      store: new Map(),
-      get(account) { return Promise.resolve(this.store.get(account) ?? null) },
-      set(account, password) { this.store.set(account, password); return Promise.resolve() },
-      delete(account) { this.store.delete(account); return Promise.resolve() },
-    });
+    ${mockAndImport("getPassword")}
     const result = await getPassword("missing");
     console.log(result === null ? "null" : result);
   `
@@ -44,13 +51,7 @@ Deno.test("keyring - getPassword returns null when not set", async () => {
 
 Deno.test("keyring - setPassword and getPassword round-trip", async () => {
   const code = `
-    import { getPassword, setPassword, _setBackend } from "${keyringUrl}";
-    _setBackend({
-      store: new Map(),
-      get(account) { return Promise.resolve(this.store.get(account) ?? null) },
-      set(account, password) { this.store.set(account, password); return Promise.resolve() },
-      delete(account) { this.store.delete(account); return Promise.resolve() },
-    });
+    ${mockAndImport("getPassword, setPassword")}
     await setPassword("my-account", "secret123");
     const result = await getPassword("my-account");
     console.log(result);
@@ -61,13 +62,7 @@ Deno.test("keyring - setPassword and getPassword round-trip", async () => {
 
 Deno.test("keyring - deletePassword removes stored password", async () => {
   const code = `
-    import { getPassword, setPassword, deletePassword, _setBackend } from "${keyringUrl}";
-    _setBackend({
-      store: new Map(),
-      get(account) { return Promise.resolve(this.store.get(account) ?? null) },
-      set(account, password) { this.store.set(account, password); return Promise.resolve() },
-      delete(account) { this.store.delete(account); return Promise.resolve() },
-    });
+    ${mockAndImport("getPassword, setPassword, deletePassword")}
     await setPassword("my-account", "secret123");
     await deletePassword("my-account");
     const result = await getPassword("my-account");
@@ -79,13 +74,7 @@ Deno.test("keyring - deletePassword removes stored password", async () => {
 
 Deno.test("keyring - setPassword overwrites existing value", async () => {
   const code = `
-    import { getPassword, setPassword, _setBackend } from "${keyringUrl}";
-    _setBackend({
-      store: new Map(),
-      get(account) { return Promise.resolve(this.store.get(account) ?? null) },
-      set(account, password) { this.store.set(account, password); return Promise.resolve() },
-      delete(account) { this.store.delete(account); return Promise.resolve() },
-    });
+    ${mockAndImport("getPassword, setPassword")}
     await setPassword("my-account", "first");
     await setPassword("my-account", "second");
     const result = await getPassword("my-account");
@@ -97,13 +86,7 @@ Deno.test("keyring - setPassword overwrites existing value", async () => {
 
 Deno.test("keyring - multiple accounts are independent", async () => {
   const code = `
-    import { getPassword, setPassword, _setBackend } from "${keyringUrl}";
-    _setBackend({
-      store: new Map(),
-      get(account) { return Promise.resolve(this.store.get(account) ?? null) },
-      set(account, password) { this.store.set(account, password); return Promise.resolve() },
-      delete(account) { this.store.delete(account); return Promise.resolve() },
-    });
+    ${mockAndImport("getPassword, setPassword")}
     await setPassword("account-a", "password-a");
     await setPassword("account-b", "password-b");
     const a = await getPassword("account-a");
@@ -118,13 +101,7 @@ Deno.test("keyring - multiple accounts are independent", async () => {
 
 Deno.test("keyring - deletePassword on missing account is a no-op", async () => {
   const code = `
-    import { deletePassword, _setBackend } from "${keyringUrl}";
-    _setBackend({
-      store: new Map(),
-      get(account) { return Promise.resolve(this.store.get(account) ?? null) },
-      set(account, password) { this.store.set(account, password); return Promise.resolve() },
-      delete(account) { this.store.delete(account); return Promise.resolve() },
-    });
+    ${mockAndImport("deletePassword")}
     await deletePassword("nonexistent");
     console.log("ok");
   `
