Context
The run_onchange_after_keychain-anthropic.sh script currently stores the Anthropic API key from 1Password into macOS Keychain for the zsh-ai-cmd plugin. The script skips on Linux.
Goal
Support secure API key storage on Linux for the zsh-ai-cmd plugin, covering:
- Headful (Fedora) — GNOME Keyring via
secret-tool (libsecret) is the natural choice. Works without password prompts in a logged-in desktop session.
- Headless (Debian) — harder. Options include:
secret-tool with pam_gnome_keyring to auto-unlock on loginpass (password-store) with a GPG agent caching the passphrase- Encrypted file with
age or gpg and a cached key
Tasks
Context
The
run_onchange_after_keychain-anthropic.shscript currently stores the Anthropic API key from 1Password into macOS Keychain for thezsh-ai-cmdplugin. The script skips on Linux.Goal
Support secure API key storage on Linux for the zsh-ai-cmd plugin, covering:
secret-tool(libsecret) is the natural choice. Works without password prompts in a logged-in desktop session.secret-toolwithpam_gnome_keyringto auto-unlock on loginpass(password-store) with a GPG agent caching the passphraseageorgpgand a cached keyTasks
ZSH_AI_CMD_API_KEY_COMMANDper-OS in the plugin config (or useZSH_AI_CMD_KEYCHAIN_NAMEif a keyring CLI matches the same lookup pattern)007_plugin_config.zsha template if OS-specific logic is needed