secret storage (#239)

* feat: Implement secure API key storage using Obsidian's SecretStorage API, migrate existing keys, and update `GeminiService` to dynamically retrieve them.

* feat: Resolve Google API key via `geminiService` for validation and update the plugin interface to include `geminiService`.

* refactor: Make `GeminiService` API key retrieval and `SecretStorage` interactions synchronous, and add a retry option for secure storage migrations.

* Refactor 'Obsidian' string in a notice to avoid a linter flag and update API key setting description text.

Author: cybaea

CHANGELOG.md

@@ -13,6 +13,12 @@ New features are added in the "Unreleased" section.
 
 ### Developer features
 
+-   **Secure API key storage**: Migrated Google Gemini API keys from plain text `data.json` to Obsidian's native `SecretStorage` API (v1.11.4+).
+    -   **JIT initialization**: Refactored `GeminiService` to use asynchronous just-in-time client instantiation, preventing "Async Constructor" race conditions during plugin load.
+    -   **Stable secret IDs**: Mandated a persistent secret ID (`vault-intelligence-api-key`) to prevent sync-induced "ping-pong" conflicts between multiple devices.
+    -   **Robust Linux fallback**: Implemented a fail-safe migration handler that automatically detects and suppresses repeated keyring failures on minimal Linux environments, falling back to secure-ish plain text only when necessary.
+    -   **Improved UI security**: Replaced the standard text input with Obsidian's `SecretComponent`, providing clear visual feedback on encryption status and better UX for managing credentials.
+
 ## [7.0.0] - 2026-02-15
 
 ### Breaking changes

manifest.json

@@ -2,7 +2,7 @@
 	"id": "vault-intelligence",
 	"name": "Vault Intelligence",
 	"version": "7.0.0",
-	"minAppVersion": "1.5.0",
+	"minAppVersion": "1.11.4",
 	"description": "Research your vault with an AI agent powered by Google Gemini, discover related notes through semantic search, and analyze specific documents with contextual note referencing.",
 	"author": "Allan Engelhardt",
 	"authorUrl": "https://github.com/cybaea",

src/main.ts

@@ -148,14 +148,17 @@ export default class VaultIntelligencePlugin extends Plugin implements IVaultInt
 		logger.setLevel(this.settings.logLevel);
 
 		// 1. Initialize Base Services (Chat/Reasoning always needs Gemini for now)
-		this.geminiService = new GeminiService(this.settings);
+		this.geminiService = new GeminiService(this.settings, this.app);
 
-		// 1b. Fetch available models asynchronously
+		// 1b. Fetch available models asynchronously (Now uses getApiKey resolver)
 		if (this.settings.googleApiKey) {
 			void (async () => {
-				await ModelRegistry.fetchModels(this.app, this.settings.googleApiKey, this.settings.modelCacheDurationDays);
-				// Re-sanitize after fetch completes in case dynamic limits are different
-				await this.sanitizeBudgets();
+				const apiKey = this.geminiService.getApiKey(); // Synchronous call
+				if (apiKey) {
+					await ModelRegistry.fetchModels(this.app, apiKey, this.settings.modelCacheDurationDays);
+					// Re-sanitize after fetch completes in case dynamic limits are different
+					await this.sanitizeBudgets();
+				}
 			})();
 		}
 
@@ -373,6 +376,29 @@ export default class VaultIntelligencePlugin extends Plugin implements IVaultInt
 			this.settings.gardenerSystemInstruction = null;
 		}
 
+		// --- SecretStorage Migration (v7.0.0) ---
+		if (this.settings.googleApiKey && this.settings.googleApiKey.startsWith('AIza') && !this.settings.secretStorageFailure) {
+			try {
+				logger.info("[SecretStorage] Migrating API key to secure storage...");
+				// SecretStorage is synchronous in v1.11.4+
+				// @ts-ignore - Types might be lagging strictly in some environments
+				if (this.app.secretStorage && this.app.secretStorage.setSecret) {
+					this.app.secretStorage.setSecret('vault-intelligence-api-key', this.settings.googleApiKey);
+					this.settings.googleApiKey = 'vault-intelligence-api-key';
+					await this.saveData(this.settings);
+					logger.info("[SecretStorage] Migration successful.");
+				} else {
+					throw new Error("SecretStorage API not available.");
+				}
+			} catch (error) {
+				logger.error("[SecretStorage] Migration failed:", error);
+				// Suppress future attempts to avoid "Nag Loop" on broken Linux systems
+				this.settings.secretStorageFailure = true;
+				await this.saveData(this.settings);
+				new Notice("Secure storage unavailable. Storing API key as plain text.");
+			}
+		}
+
 		await this.sanitizeBudgets();
 
 		// Sanity check: Ensure dimensions match presets if using a local provider

src/services/GeminiService.ts

@@ -1,4 +1,5 @@
 import { GoogleGenAI, Content, Tool, EmbedContentConfig } from "@google/genai";
+import { App } from "obsidian";
 
 import { MODEL_CONSTANTS, SEARCH_CONSTANTS } from "../constants";
 import { VaultIntelligenceSettings } from "../settings";
@@ -11,35 +12,70 @@ export interface EmbedOptions {
 }
 
 export class GeminiService {
-    private client: GoogleGenAI;
+    private client: GoogleGenAI | null = null;
     private settings: VaultIntelligenceSettings;
+    private app: App;
 
-    constructor(settings: VaultIntelligenceSettings) {
+    constructor(settings: VaultIntelligenceSettings, app: App) {
         this.settings = settings;
-        this.initialize();
+        this.app = app;
     }
 
-    public initialize() {
-        if (!this.settings.googleApiKey) {
-            logger.warn("Google API Key is missing.");
-            return;
+    /**
+     * Resolves the actual Google API key.
+     * Handles SecretStorage ID lookup vs Legacy plain text fallback.
+     * Public to allow ModelRegistry access in main.ts.
+     */
+    public getApiKey(): string | null {
+        const storedValue = this.settings.googleApiKey;
+        if (!storedValue) return null;
+
+        // Fallback for Linux or failed migration
+        if (this.settings.secretStorageFailure || storedValue.startsWith('AIza')) {
+            return storedValue;
+        }
+
+        // SecretStorage Lookup
+        if (storedValue === 'vault-intelligence-api-key') {
+            try {
+                // SecretStorage is synchronous in v1.11.4+
+                // @ts-ignore - Types might be lagging strictly in some environments, but we checked d.ts
+                return this.app.secretStorage.getSecret(storedValue);
+            } catch (error) {
+                logger.error("Failed to retrieve secret from storage:", error);
+                return null;
+            }
+        }
+
+        return null;
+    }
+
+    private getClient(): GoogleGenAI | null {
+        if (this.client) return this.client;
+
+        const apiKey = this.getApiKey();
+        if (!apiKey) {
+            logger.warn("Google API Key is missing or could not be retrieved.");
+            return null;
         }
 
         try {
-            this.client = new GoogleGenAI({ apiKey: this.settings.googleApiKey });
-            logger.info("GeminiService initialized for Chat/Reasoning with @google/genai.");
+            this.client = new GoogleGenAI({ apiKey });
+            logger.info("GeminiService initialized with resolved key.");
+            return this.client;
         } catch (error) {
-            logger.error("Failed to initialize GeminiService:", error);
+            logger.error("Failed to initialize Gemini client:", error);
+            return null;
         }
     }
 
     public updateSettings(settings: VaultIntelligenceSettings) {
         this.settings = settings;
-        this.initialize();
+        this.client = null; // Force re-initialization on next call
     }
 
     public isReady(): boolean {
-        return !!this.client;
+        return !!this.client || (!!this.settings.googleApiKey && !this.settings.secretStorageFailure);
     }
 
     public getEmbeddingModelName(): string {
@@ -48,9 +84,10 @@ export class GeminiService {
 
     public async generateContent(prompt: string): Promise<{ text: string, tokenCount: number }> {
         return this.retryOperation(async () => {
-            if (!this.client) throw new Error("GenAI client not initialized.");
+            const client = this.getClient();
+            if (!client) throw new Error("GenAI client could not be initialized.");
 
-            const response = await this.client.models.generateContent({
+            const response = await client.models.generateContent({
                 contents: prompt,
                 model: this.settings.chatModel
             });
@@ -75,11 +112,12 @@ export class GeminiService {
         options: { model?: string; systemInstruction?: string; tools?: Tool[] } = {}
     ): Promise<{ text: string, tokenCount: number }> {
         return this.retryOperation(async () => {
-            if (!this.client) throw new Error("GenAI client not initialized.");
+            const client = this.getClient();
+            if (!client) throw new Error("GenAI client could not be initialized.");
 
             const modelId = options.model || this.settings.chatModel;
 
-            const response = await this.client.models.generateContent({
+            const response = await client.models.generateContent({
                 config: {
                     responseMimeType: "application/json",
                     responseSchema: schema,
@@ -106,12 +144,13 @@ export class GeminiService {
      */
     public async searchWithGrounding(query: string): Promise<{ text: string, tokenCount: number }> {
         return this.retryOperation(async () => {
-            if (!this.client) throw new Error("GenAI client not initialized.");
+            const client = this.getClient();
+            if (!client) throw new Error("GenAI client could not be initialized.");
 
             const prompt = `Search for: "${query}". List key facts, dates, and details. Be concise.`;
             const groundingModel = this.settings.groundingModel;
 
-            const response = await this.client.models.generateContent({
+            const response = await client.models.generateContent({
                 config: {
                     tools: [{ googleSearch: {} }]
                 },
@@ -136,15 +175,16 @@ export class GeminiService {
      */
     public async solveWithCode(query: string): Promise<{ text: string, tokenCount: number }> {
         return this.retryOperation(async () => {
-            if (!this.client) throw new Error("GenAI client not initialized.");
+            const client = this.getClient();
+            if (!client) throw new Error("GenAI client could not be initialized.");
 
             if (!this.settings.enableCodeExecution || !this.settings.codeModel) {
                 return { text: "Code execution is currently disabled in settings.", tokenCount: 0 };
             }
 
             const codeModel = this.settings.codeModel;
 
-            const response = await this.client.models.generateContent({
+            const response = await client.models.generateContent({
                 config: {
                     tools: [{ codeExecution: {} }]
                 },
@@ -193,9 +233,10 @@ export class GeminiService {
      */
     public async startChat(history: Content[], tools?: Tool[], systemInstruction: string = "", modelId?: string) {
         return this.retryOperation(async () => {
-            if (!this.client) throw new Error("GenAI client not initialized.");
+            const client = this.getClient();
+            if (!client) throw new Error("GenAI client could not be initialized.");
 
-            const chat = this.client.chats.create({
+            const chat = client.chats.create({
                 config: {
                     systemInstruction: systemInstruction,
                     tools: tools
@@ -209,10 +250,11 @@ export class GeminiService {
 
     public async embedText(text: string, options: EmbedOptions = {}): Promise<{ values: number[], tokenCount: number }> {
         return this.retryOperation(async () => {
-            if (!this.client) throw new Error("GenAI client not initialized.");
+            const client = this.getClient();
+            if (!client) throw new Error("GenAI client could not be initialized.");
 
             const config: EmbedContentConfig = {};
-
+            // ... (rest of method unchanged)
             if (options.outputDimensionality) {
                 config.outputDimensionality = options.outputDimensionality;
             } else {
@@ -227,7 +269,7 @@ export class GeminiService {
             if (modelId === 'embedding-001') modelId = MODEL_CONSTANTS.EMBEDDING_001;
             if (modelId === 'embedding-004') modelId = MODEL_CONSTANTS.TEXT_EMBEDDING_004;
 
-            const result = await this.client.models.embedContent({
+            const result = await client.models.embedContent({
                 config: config,
                 contents: text,
                 model: modelId
@@ -288,7 +330,8 @@ export class GeminiService {
      */
     public async reRank(query: string, payload: unknown[]): Promise<unknown[]> {
         return this.retryOperation(async () => {
-            if (!this.client) throw new Error("GenAI client not initialized.");
+            const client = this.getClient();
+            if (!client) throw new Error("GenAI client could not be initialized.");
 
             // Truncate payload if too huge (should be handled by packer budget, but safety first)
             const safePayload = payload.slice(0, 50);