From 20c8ac66dde1cdf0a938a9233017d5756fe660eb Mon Sep 17 00:00:00 2001
From: Rhys Sullivan <39114868+RhysSullivan@users.noreply.github.com>
Date: Tue, 5 May 2026 22:05:03 -0700
Subject: [PATCH] Keep keychain boundaries typed

---
 packages/plugins/keychain/src/index.test.ts | 8 ++++----
 packages/plugins/keychain/src/provider.ts   | 8 ++++++--
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/packages/plugins/keychain/src/index.test.ts b/packages/plugins/keychain/src/index.test.ts
index ebd05a798..5a18ffe3b 100644
--- a/packages/plugins/keychain/src/index.test.ts
+++ b/packages/plugins/keychain/src/index.test.ts
@@ -42,7 +42,7 @@ describe("keychain plugin", () => {
         return;
       }
 
-      try {
+      yield* Effect.gen(function* () {
         // Store through SDK, pinned to keychain provider
         yield* executor.secrets.set(
           new SetSecretInput({
@@ -61,9 +61,9 @@ describe("keychain plugin", () => {
         // SDK routes through the core secret table → pinned provider
         const resolved = yield* executor.secrets.get(testId);
         expect(resolved).toBe("keychain-test-value");
-      } finally {
-        yield* executor.secrets.remove(testId).pipe(Effect.orElseSucceed(() => undefined));
-      }
+      }).pipe(
+        Effect.ensuring(executor.secrets.remove(testId).pipe(Effect.orElseSucceed(() => undefined))),
+      );
     }),
   );
 
diff --git a/packages/plugins/keychain/src/provider.ts b/packages/plugins/keychain/src/provider.ts
index afaca888b..732b57e82 100644
--- a/packages/plugins/keychain/src/provider.ts
+++ b/packages/plugins/keychain/src/provider.ts
@@ -2,6 +2,7 @@ import { Effect } from "effect";
 
 import { StorageError, type SecretProvider } from "@executor-js/sdk/core";
 
+import type { KeychainError } from "./errors";
 import { getPassword, setPassword, deletePassword } from "./keyring";
 
 // ---------------------------------------------------------------------------
@@ -18,8 +19,11 @@ import { getPassword, setPassword, deletePassword } from "./keyring";
 // impossible to debug why secrets weren't resolving.
 // ---------------------------------------------------------------------------
 
-const toStorageError = (cause: { readonly message: string; readonly cause?: unknown }) =>
-  new StorageError({ message: cause.message, cause: cause.cause ?? cause });
+const toStorageError = (cause: KeychainError) => {
+  const { cause: underlyingCause } = cause;
+  // oxlint-disable-next-line executor/no-unknown-error-message -- boundary: typed KeychainError message becomes StorageError message
+  return new StorageError({ message: cause.message, cause: underlyingCause ?? cause });
+};
 
 // Scope arg is ignored — keychain partitions by `serviceName`, which the
 // host fixes per executor at construction time. A future refactor could