feat(cli): keyring (#367)

* feat: use OS keyring for credential passphrase storage
- OtpPassphraseCache: XOR-masks passphrase with random pad, auto-expires
- LazyEncryptedCredentialStore: ICredentialStore that starts locked,
  defers EncryptedKvCredentialStore construction until unlock()
- GraphFormatScanner: walks task graph schemas for format annotations,
  detects credential requirements before prompting
- credential CLI command: add/list/get/delete encrypted credentials
- keyring.ts: CLI module for OS keyring access with file migration

* feat: implement human-in-the-loop interaction components for CLI
- Introduced `CliHumanInteractionEnqueue` for managing human prompts in the CLI.
- Added `HumanInteractionHost` to integrate human interaction within the Ink UI.
- Created `InkHumanConnector` to facilitate communication between tasks and human prompts.
- Developed UI components for displaying notifications, elicitations, and data input forms.
- Enhanced credential management with improved error handling and user feedback.

Author: sroussey

bun.lock

@@ -43,6 +43,7 @@
     "@huggingface/inference": "catalog:",
     "@anthropic-ai/sdk": "catalog:",
     "@google/generative-ai": "catalog:",
+    "@napi-rs/keyring": "^1.1.2",
     "@inkjs/ui": "^2.0.0",
     "chalk": "^5.6.2",
     "commander": "^14.0.3",

examples/cli/package.json

@@ -0,0 +1,26 @@
+/**
+ * @license
+ * Copyright 2025 Steven Roussey <sroussey@gmail.com>
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import type { IHumanRequest, IHumanResponse } from "@workglow/tasks";
+
+export type CliHumanInteractionEnqueue = (
+  request: IHumanRequest,
+  signal: AbortSignal
+) => Promise<IHumanResponse>;
+
+let enqueue: CliHumanInteractionEnqueue | undefined;
+
+/**
+ * Installed by {@link HumanInteractionHost} while the Ink run UI is mounted.
+ * {@link InkHumanConnector} delegates here so human/credential-style prompts share the same Ink tree as workflow progress.
+ */
+export function setCliHumanInteractionEnqueue(fn: CliHumanInteractionEnqueue | undefined): void {
+  enqueue = fn;
+}
+
+export function getCliHumanInteractionEnqueue(): CliHumanInteractionEnqueue | undefined {
+  return enqueue;
+}

examples/cli/src/cliHumanBridge.ts

@@ -330,6 +330,14 @@ export function registerAgentCommand(program: Command): void {
         process.exit(0);
       }
 
+      // Unlock encrypted credential store if the graph needs credentials
+      const { scanGraphForCredentials } = await import("@workglow/task-graph");
+      const scanResult = scanGraphForCredentials(graph);
+      if (scanResult.needsCredentials) {
+        const { ensureCredentialStoreUnlocked } = await import("../keyring");
+        await ensureCredentialStoreUnlocked();
+      }
+
       try {
         if (process.stdout.isTTY) {
           const { renderWorkflowRun } = await import("../ui/render");

examples/cli/src/commands/agent.ts

@@ -0,0 +1,175 @@
+/**
+ * @license
+ * Copyright 2025 Steven Roussey <sroussey@gmail.com>
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import {
+  CREDENTIAL_PROVIDER_NONE,
+  CredentialPutInputSchema,
+  getGlobalCredentialStore,
+} from "@workglow/util";
+import type { DataPortSchemaObject } from "@workglow/util/schema";
+import type { Command } from "commander";
+import {
+  applySchemaDefaults,
+  generateSchemaHelpText,
+  parseDynamicFlags,
+  resolveInput,
+  validateInput,
+} from "../input";
+import { ensureCredentialStoreUnlocked } from "../keyring";
+
+const CredentialSchema = CredentialPutInputSchema as unknown as DataPortSchemaObject;
+
+export function registerCredentialCommand(program: Command): void {
+  const credential = program.command("credential").description("Manage encrypted credentials");
+
+  const add = credential
+    .command("add")
+    .argument("[key]", "optional credential key; pre-fills Key and focuses Value in the form")
+    .description("Add or update an encrypted credential")
+    .allowUnknownOption()
+    .allowExcessArguments(true)
+    .helpOption(false)
+    .option("--input-json <json>", "Input as JSON string")
+    .option("--input-json-file <path>", "Input from JSON file")
+    .option("--dry-run", "Validate input without saving")
+    .option("--help", "Show help")
+    .action(
+      async (cliKey: string | undefined, opts: Record<string, string | boolean | undefined>) => {
+        if (opts.help) {
+          add.outputHelp();
+          console.log("\nInput flags (from credential schema):");
+          console.log(generateSchemaHelpText(CredentialSchema));
+          process.exit(0);
+        }
+
+        await ensureCredentialStoreUnlocked();
+
+        const dynamicFlags = parseDynamicFlags(process.argv, CredentialSchema);
+        let input = await resolveInput({
+          inputJson: opts.inputJson as string | undefined,
+          inputJsonFile: opts.inputJsonFile as string | undefined,
+          dynamicFlags,
+          schema: CredentialSchema,
+        });
+
+        input = applySchemaDefaults(input, CredentialSchema);
+
+        const trimmedPositional = cliKey !== undefined ? String(cliKey).trim() : "";
+        let usedPositionalKey = false;
+        if (trimmedPositional !== "") {
+          const existing = input.key;
+          const hasExplicitKey =
+            existing !== undefined && existing !== null && String(existing).trim() !== "";
+          if (!hasExplicitKey) {
+            input = { ...input, key: trimmedPositional };
+            usedPositionalKey = true;
+          }
+        }
+
+        if (process.stdin.isTTY) {
+          const { promptEditableInput } = await import("../input/prompt");
+          input = await promptEditableInput(input, CredentialSchema, {
+            initialFocusedFieldKey: usedPositionalKey ? "value" : undefined,
+          });
+        }
+
+        const validation = validateInput(input, CredentialSchema);
+        if (!validation.valid) {
+          console.error("Input validation failed:");
+          for (const err of validation.errors) {
+            console.error(`  - ${err}`);
+          }
+          process.exit(1);
+        }
+
+        const key = String(input.key ?? "").trim();
+        const value = String(input.value ?? "");
+        const labelRaw = input.label;
+        const providerRaw = input.provider;
+        const label =
+          typeof labelRaw === "string" && labelRaw.trim() !== "" ? labelRaw.trim() : undefined;
+        const providerTrim =
+          typeof providerRaw === "string" && providerRaw.trim() !== ""
+            ? providerRaw.trim()
+            : undefined;
+        const provider =
+          providerTrim !== undefined && providerTrim !== CREDENTIAL_PROVIDER_NONE
+            ? providerTrim
+            : undefined;
+
+        if (!key || !value) {
+          console.error("Key and value are required and must be non-empty.");
+          process.exit(1);
+        }
+
+        if (opts.dryRun) {
+          console.log(JSON.stringify({ key, value: "(redacted)", label, provider }, null, 2));
+          process.exit(0);
+        }
+
+        const store = getGlobalCredentialStore();
+        await store.put(key, value, {
+          provider,
+          label,
+        });
+        console.log(`Credential "${key}" saved.`);
+      }
+    );
+
+  credential
+    .command("list")
+    .description("List all stored credential keys")
+    .action(async () => {
+      await ensureCredentialStoreUnlocked();
+
+      const store = getGlobalCredentialStore();
+      const keys = await store.keys();
+      if (keys.length === 0) {
+        console.log("No credentials stored.");
+        return;
+      }
+      for (const key of keys) {
+        console.log(key);
+      }
+    });
+
+  credential
+    .command("get")
+    .argument("<key>", "credential key to retrieve")
+    .description("Retrieve and display a credential value")
+    .action(async (key: string) => {
+      await ensureCredentialStoreUnlocked();
+
+      const store = getGlobalCredentialStore();
+      const value = await store.get(key);
+      if (value === undefined) {
+        console.error(`Credential "${key}" not found.`);
+        process.exit(1);
+      }
+
+      if (process.stdout.isTTY) {
+        console.warn("Warning: credential value will be displayed in plaintext.");
+      }
+      console.log(value);
+    });
+
+  credential
+    .command("delete")
+    .argument("<key>", "credential key to delete")
+    .description("Delete a stored credential")
+    .action(async (key: string) => {
+      await ensureCredentialStoreUnlocked();
+
+      const store = getGlobalCredentialStore();
+      const deleted = await store.delete(key);
+      if (deleted) {
+        console.log(`Credential "${key}" deleted.`);
+      } else {
+        console.error(`Credential "${key}" not found.`);
+        process.exit(1);
+      }
+    });
+}

examples/cli/src/commands/credential.ts

@@ -337,6 +337,14 @@ export function registerWorkflowCommand(program: Command): void {
         process.exit(0);
       }
 
+      // Unlock encrypted credential store if the graph needs credentials
+      const { scanGraphForCredentials } = await import("@workglow/task-graph");
+      const scanResult = scanGraphForCredentials(graph);
+      if (scanResult.needsCredentials) {
+        const { ensureCredentialStoreUnlocked } = await import("../keyring");
+        await ensureCredentialStoreUnlocked();
+      }
+
       try {
         const { withCli } = await import("../run-interactive");
         const result = await withCli(graph, { suppressResultOutput: true }).run(input, runConfig);

examples/cli/src/commands/workflow.ts

@@ -6,8 +6,8 @@
 
 import type { DataPortSchemaNonBoolean, DataPortSchemaObject } from "@workglow/util/schema";
 import { getNestedValue } from "../util";
-import { evaluateConditionalRequired } from "./schema-conditions";
 import { deepMerge } from "./resolve-input";
+import { evaluateConditionalRequired } from "./schema-conditions";
 
 export interface PromptFieldDescriptor {
   readonly key: string;
@@ -273,23 +273,41 @@ function collectAllFields(
   }
 }
 
+/**
+ * Builds field descriptors for an Ink form (including model/credential option enrichment).
+ */
+export async function prepareSchemaFormFields(
+  input: Record<string, unknown>,
+  schema: DataPortSchemaObject
+): Promise<PromptFieldDescriptor[]> {
+  let fields = getAllFields(input, schema);
+  return enrichFieldsWithOptions(fields);
+}
+
+export interface PromptEditableInputOptions {
+  /** Schema field `key` to focus first (e.g. `"value"` when Key was pre-filled from the CLI). */
+  readonly initialFocusedFieldKey?: string;
+}
+
 /**
  * Present a full editable form with all schema fields pre-populated from input.
  * Returns the edited values merged with input, or exits if cancelled.
  */
 export async function promptEditableInput(
   input: Record<string, unknown>,
-  schema: DataPortSchemaObject
+  schema: DataPortSchemaObject,
+  options?: PromptEditableInputOptions
 ): Promise<Record<string, unknown>> {
   if (!process.stdin.isTTY) {
     return input;
   }
 
-  let fields = getAllFields(input, schema);
-  fields = await enrichFieldsWithOptions(fields);
+  const fields = await prepareSchemaFormFields(input, schema);
 
   const { renderSchemaPrompt } = await import("../ui/render");
-  const prompted = await renderSchemaPrompt(fields);
+  const prompted = await renderSchemaPrompt(fields, {
+    initialFocusedFieldKey: options?.initialFocusedFieldKey,
+  });
   if (prompted === undefined) {
     process.exit(0);
   }