chore(client): Phase 9 — bump keyring 2 → 4 (rusqlite blocked)#568
Draft
Detair wants to merge 1 commit into
## Summary

Phase 9 of the dep-update sweep, scoped down: only the keyring bump ships in this PR. rusqlite 0.32 → 0.39 was attempted but is hard-blocked by a cargo `links = "sqlite3"` namespace conflict — see inline comment in client/src-tauri/Cargo.toml.

- keyring 2 → 4
- keyring-core (new direct dep, 1.0.x)
- rusqlite 0.32 (unchanged, blocked)

## Why rusqlite is blocked

cargo's `links = "sqlite3"` constraint prevents two crates linking to the same native library from coexisting in the dep graph — even when one of them is an optional, unactivated dep. sqlx 0.8.x pulls sqlx-sqlite (optional) which pins libsqlite3-sys 0.30. Any rusqlite >= 0.33 wants libsqlite3-sys >= 0.31, which conflicts. The unblock requires sqlx 0.9 (currently only 0.9.0-alpha.1; no stable 0.9).

Documented inline in Cargo.toml so future contributors don't re-attempt the bump and hit the same wall.

## keyring 4 migration

keyring split into two crates in 4.0:

- `keyring` — credential-store selection (`use_*_store` functions)
- `keyring-core` — `Entry`, `Error`, password operations

Migration applied:

1. Added `keyring-core` as a direct dep alongside `keyring`.
2. Six call sites in `commands/auth.rs` switched from `keyring::Entry/Error` → `keyring_core::Entry/Error`.
3. `entry.delete_password()` → `entry.delete_credential()` (renamed in 4.0; `_password` was misleading since the underlying call removes the credential entry, not just the password field).
4. Tauri setup callback now calls `keyring::use_native_store(true)` at startup. keyring 4 requires explicit store selection before any `Entry::new`; keyring 2 had an implicit default. Passing `not_keyutils = true` picks Secret Service over the kernel keyutils store on Linux — keyutils evicts on session end, which breaks refresh-token persistence across reboot. macOS/Windows/Android pick the native platform store automatically.

## Verification

- [x] `cargo deny check` — advisories/bans/licenses/sources all ok
- ⚠ `cargo check -p vc-client` blocked locally by pre-existing libspa 0.8.0 FFI mismatch with installed PipeWire (reproduces on main; unrelated to this change). CI's macOS/Windows/Android Tauri builds will validate vc-client compilation.

## Required smoke test (before mark-ready)

DRAFT until you run these manually — keyring backends are platform-specific and brittle, so platform-by-platform validation is essential:

- [ ] Linux: log in → quit → relaunch → session restores
- [ ] Linux: log out → confirm Secret Service entry removed
- [ ] macOS: log in → quit → relaunch → session restores (Keychain)
- [ ] Windows: log in → quit → relaunch → session restores (Credential Manager)
- [ ] Android: log in → app foreground/background cycle → session restores

Phase 9 → Phase 10 soak: 24h per the plan.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
DRAFT — needs platform-by-platform keyring smoke test before mark-ready

Phase 9 of the dep-update sweep, scoped down: only the keyring bump ships here. rusqlite was attempted but is hard-blocked by a cargo `links = "sqlite3"` namespace conflict.

## What's in this PR

- `keyring`
- `keyring-core`
- `rusqlite`

## Why rusqlite is blocked

cargo's `links = "sqlite3"` constraint prevents two crates linking to the same native library from coexisting in the dep graph — even when one is an optional, unactivated dep. sqlx 0.8.x pulls `sqlx-sqlite` (optional, behind a feature we don't enable) which pins `libsqlite3-sys 0.30`. Any rusqlite ≥ 0.33 wants `libsqlite3-sys ≥ 0.31`, which collides. The unblock requires sqlx 0.9 (currently only `0.9.0-alpha.1` exists; no stable 0.9 release yet).

Inline comment added in `client/src-tauri/Cargo.toml` so future contributors don't re-attempt the bump and hit the same wall.

## keyring 4 migration

keyring 4.0 split the crate:

- `keyring` — credential-store selection (`use_*_store` functions)
- `keyring-core` — `Entry`, `Error`, password operations

Six call sites in `commands/auth.rs` migrated from `keyring::Entry/Error` → `keyring_core::Entry/Error`.

`entry.delete_password()` → `entry.delete_credential()` (renamed in 4.0).

Tauri setup callback now calls `keyring::use_native_store(true)` — keyring 4 requires explicit store selection at startup. Passing `not_keyutils = true` picks Secret Service over the kernel keyutils store on Linux (keyutils evicts on session end, which would break refresh-token persistence across reboot). macOS/Windows/Android auto-select platform-native stores.

## Required smoke test before mark-ready

Keyring backends are platform-specific and brittle. Each must be validated separately:

`secret-tool` to verify)

## Verification (local)

- `cargo deny check` — advisories/bans/licenses/sources all ok
- `cargo check -p vc-client` cannot complete locally due to a pre-existing `libspa-0.8.0` FFI mismatch with installed PipeWire (reproduces on `main`). CI's macOS/Windows/Android Tauri builds will validate vc-client compilation.

## Tracking

This PR documents the rusqlite block inline; consider opening a tracking issue to revisit when sqlx 0.9 stable ships.
🤖 Generated with Claude Code
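
The `links` collision described in the PR, as an added example that is not part of the PR or the project's code: a simplified model of the one-package-per-`links`-key rule, not cargo's resolver. The `Edge` type, the function names and the two-edge graph are hypothetical, and every requirement is assumed to be a caret requirement.

```rust
use std::collections::{BTreeMap, BTreeSet};

// One dependency edge onto a native "-sys" crate (hypothetical model type).
struct Edge {
    from: &'static str,  // crate declaring the dependency
    sys: &'static str,   // -sys crate it requires
    links: &'static str, // `links` key that -sys crate declares
    req: (u32, u32),     // caret requirement ^major.minor (assumed for all edges)
    optional: bool,
}

// Caret compatibility range: for 0.x the minor is breaking, so ^0.30 and ^0.31
// resolve to different packages; for >= 1.x only the major matters.
fn bucket(req: (u32, u32)) -> (u32, u32) {
    if req.0 == 0 { (0, req.1) } else { (req.0, 0) }
}

// Returns every `links` key that would need more than one package, with its requirers.
fn links_conflicts(edges: &[Edge]) -> Vec<(String, Vec<String>)> {
    let mut pkgs: BTreeMap<&str, BTreeSet<(&str, (u32, u32))>> = BTreeMap::new();
    let mut users: BTreeMap<&str, Vec<String>> = BTreeMap::new();
    for e in edges {
        // Optional edges are counted on purpose: per the PR, the conflict
        // occurs even when the optional dependency is never activated.
        pkgs.entry(e.links).or_default().insert((e.sys, bucket(e.req)));
        let opt = if e.optional { " (optional)" } else { "" };
        users.entry(e.links).or_default()
            .push(format!("{} -> {} ^{}.{}{}", e.from, e.sys, e.req.0, e.req.1, opt));
    }
    pkgs.into_iter()
        .filter(|(_, set)| set.len() > 1)
        .map(|(key, _)| (key.to_string(), users.remove(key).unwrap_or_default()))
        .collect()
}

// Constructed graph using the version lines quoted in the PR description.
fn graph(rusqlite_sys_minor: u32) -> Vec<Edge> {
    vec![
        Edge { from: "sqlx-sqlite", sys: "libsqlite3-sys", links: "sqlite3", req: (0, 30), optional: true },
        Edge { from: "rusqlite", sys: "libsqlite3-sys", links: "sqlite3", req: (0, rusqlite_sys_minor), optional: false },
    ]
}

fn main() {
    println!("rusqlite on the 0.30 line: {:?}", links_conflicts(&graph(30)));
    println!("rusqlite on the 0.31 line: {:?}", links_conflicts(&graph(31)));
}
```
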