refactor: use system secrets when possible (#248)

src/tests/settings-manager.test.ts

@@ -3,6 +3,11 @@ import { mkdtemp, rm } from "node:fs/promises";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { settingsManager } from "../settings-manager";
+import {
+  deleteSecureTokens,
+  isKeychainAvailable,
+  keychainAvailablePrecompute,
+} from "../utils/secrets.js";
 
 // Store original HOME to restore after tests
 const originalHome = process.env.HOME;
@@ -94,8 +99,24 @@ describe("Settings Manager - Initialization", () => {
 // ============================================================================
 
 describe("Settings Manager - Global Settings", () => {
+  let keychainSupported: boolean = false;
+
   beforeEach(async () => {
     await settingsManager.initialize();
+    // Check if secrets are available on this system
+    keychainSupported = await isKeychainAvailable();
+
+    if (keychainSupported) {
+      // Clean up any existing test tokens
+      await deleteSecureTokens();
+    }
+  });
+
+  afterEach(async () => {
+    if (keychainSupported) {
+      // Clean up after each test
+      await deleteSecureTokens();
+    }
   });
 
   test("Get settings returns a copy", () => {
@@ -162,12 +183,34 @@ describe("Settings Manager - Global Settings", () => {
     });
 
     const settings = settingsManager.getSettings();
+    // LETTA_API_KEY should not be in settings file (moved to keychain)
     expect(settings.env).toEqual({
-      LETTA_API_KEY: "sk-test-123",
       CUSTOM_VAR: "value",
     });
   });
 
+  test.skipIf(!keychainAvailablePrecompute)(
+    "Get settings with secure tokens (async method)",
+    async () => {
+      // This test verifies the async method that includes keychain tokens
+      settingsManager.updateSettings({
+        env: {
+          LETTA_API_KEY: "sk-test-async-123",
+          CUSTOM_VAR: "async-value",
+        },
+        refreshToken: "rt-test-refresh",
+        tokenExpiresAt: Date.now() + 3600000,
+      });
+
+      const settingsWithTokens =
+        await settingsManager.getSettingsWithSecureTokens();
+
+      // Should include the environment variables and other settings
+      expect(settingsWithTokens.env?.CUSTOM_VAR).toBe("async-value");
+      expect(typeof settingsWithTokens.tokenExpiresAt).toBe("number");
+    },
+  );
+
   test("LETTA_BASE_URL should not be cached in settings", () => {
     // This test verifies that LETTA_BASE_URL is NOT persisted to settings
     // It should only come from environment variables