feat(cli): add OS credential store and bind9 auth subcommand

Integrate keyring, secrecy, and rpassword crates for TSIG key management:

- AuthConfig.key_secret uses SecretString (zeroized on drop, redacted
  in Debug) instead of plain String
- Secret resolution order: CLI --key-secret flag > OS credential store
  (macOS Keychain, Linux Secret Service, Windows Credential Manager) >
  config file fallback (with tracing::warn!)
- New keyring module: get/set/delete using service name "bind9-sdk"
- New `bind9 auth set-key` and `bind9 auth delete-key` subcommands
- Secret input uses rpassword (no terminal echo)
- Server address resolution uses ToSocketAddrs (supports hostnames)

Author: Sephyi

Cargo.lock

@@ -101,6 +101,9 @@ clap_complete = "4"
 toml = "0.8"
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
 dirs = "6"
+keyring = { version = "3", features = ["apple-native", "linux-native"] }
+secrecy = { version = "0.10", features = ["serde"] }
+rpassword = "5"
 
 # Testing (consumed via [dev-dependencies] in each crate)
 proptest = { version = "1" }

Cargo.toml

@@ -21,6 +21,9 @@ bind9-sdk = { path = "../../bind9-sdk" }
 clap = { workspace = true }
 clap_complete = { workspace = true }
 dirs = { workspace = true }
+keyring = { workspace = true }
+rpassword = { workspace = true }
+secrecy = { workspace = true }
 serde = { workspace = true, features = ["std"] }
 serde_json = { workspace = true }
 thiserror = { workspace = true }

crates/bind9-sdk-cli/Cargo.toml

@@ -0,0 +1,59 @@
+// SPDX-FileCopyrightText: 2026 Sephyi <me@sephy.io>
+//
+// SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-Commercial
+
+//! `bind9 auth` subcommands for managing TSIG key credentials.
+
+use clap::Subcommand;
+use secrecy::SecretString;
+
+use crate::error::CliError;
+use crate::keyring;
+
+/// Authentication credential management commands.
+#[derive(Subcommand, Debug)]
+pub enum AuthCommand {
+    /// Store a TSIG key secret in the OS credential store (macOS Keychain,
+    /// Linux Secret Service, Windows Credential Manager).
+    SetKey {
+        /// Server profile identifier (e.g., `127.0.0.1:953` or a profile name).
+        /// Must match the server address used in other commands.
+        #[arg(long)]
+        profile: String,
+
+        /// Base64-encoded TSIG key secret. If omitted, reads from stdin.
+        #[arg(long)]
+        secret: Option<String>,
+    },
+
+    /// Remove a TSIG key secret from the OS credential store.
+    DeleteKey {
+        /// Server profile identifier to remove.
+        #[arg(long)]
+        profile: String,
+    },
+}
+
+pub fn execute(cmd: &AuthCommand) -> Result<(), CliError> {
+    match cmd {
+        AuthCommand::SetKey { profile, secret } => {
+            let secret_value = match secret {
+                Some(s) => SecretString::from(s.clone()),
+                None => {
+                    eprint!("Enter base64-encoded TSIG key secret: ");
+                    let line = rpassword::read_password()?;
+                    SecretString::from(line.trim().to_owned())
+                }
+            };
+
+            keyring::set_secret(profile, &secret_value)?;
+            eprintln!("Stored TSIG key secret for profile '{profile}' in OS credential store.");
+            Ok(())
+        }
+        AuthCommand::DeleteKey { profile } => {
+            keyring::delete_secret(profile)?;
+            eprintln!("Deleted TSIG key secret for profile '{profile}' from OS credential store.");
+            Ok(())
+        }
+    }
+}

crates/bind9-sdk-cli/src/commands/auth.rs

@@ -4,6 +4,7 @@
 
 //! CLI command structure using clap derive.
 
+pub mod auth;
 pub mod dnssec;
 pub mod record;
 pub mod stats;
@@ -73,6 +74,10 @@ pub enum Command {
     #[command(subcommand)]
     Dnssec(dnssec::DnssecCommand),
 
+    /// Manage TSIG key credentials in the OS credential store.
+    #[command(subcommand)]
+    Auth(auth::AuthCommand),
+
     /// Fetch server statistics from the BIND9 statistics-channel.
     Stats,
 

crates/bind9-sdk-cli/src/commands/mod.rs

@@ -10,6 +10,7 @@
 
 use std::path::PathBuf;
 
+use secrecy::SecretString;
 use serde::Deserialize;
 
 use crate::error::CliError;
@@ -38,17 +39,30 @@ pub struct ServerConfig {
 }
 
 /// TSIG authentication credentials.
-#[derive(Debug, Deserialize)]
+///
+/// The `key_secret` field is wrapped in `SecretString` to prevent accidental
+/// exposure in logs or debug output. The `Debug` impl redacts it.
+#[derive(Deserialize)]
 pub struct AuthConfig {
     /// TSIG key name.
     pub key_name: String,
-    /// Base64-encoded TSIG key secret.
-    pub key_secret: String,
+    /// Base64-encoded TSIG key secret (protected in-memory).
+    pub key_secret: SecretString,
     /// TSIG algorithm (default: `hmac-sha256`).
     #[serde(default = "default_algorithm")]
     pub algorithm: String,
 }
 
+impl std::fmt::Debug for AuthConfig {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.debug_struct("AuthConfig")
+            .field("key_name", &self.key_name)
+            .field("key_secret", &"[REDACTED]")
+            .field("algorithm", &self.algorithm)
+            .finish()
+    }
+}
+
 fn default_port() -> u16 {
     953
 }
@@ -90,6 +104,8 @@ impl CliConfig {
 
 #[cfg(test)]
 mod tests {
+    use secrecy::ExposeSecret;
+
     use super::*;
 
     #[test]
@@ -130,7 +146,7 @@ algorithm = "hmac-sha512"
         let auth = config.auth.unwrap();
         assert_eq!(auth.key_name, "rndc-key");
         assert_eq!(
-            auth.key_secret,
+            auth.key_secret.expose_secret(),
             "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
         );
         assert_eq!(auth.algorithm, "hmac-sha512");
@@ -175,4 +191,20 @@ key_secret = "dGVzdA=="
         // We cannot guarantee the file doesn't exist, but this exercises the code path
         let _ = result;
     }
+
+    #[test]
+    fn auth_config_debug_redacts_secret() {
+        let toml = r#"
+[server]
+host = "127.0.0.1"
+
+[auth]
+key_name = "rndc-key"
+key_secret = "dGVzdA=="
+"#;
+        let config = CliConfig::from_str(toml).unwrap();
+        let debug_output = format!("{:?}", config.auth.unwrap());
+        assert!(debug_output.contains("[REDACTED]"));
+        assert!(!debug_output.contains("dGVzdA=="));
+    }
 }