A keyring transient failure on Set silently falls through to the file backend today, which leaves a stale keyring entry from any prior successful write shadowing the new file-backend token. Fixing the shadow itself is deferred (would need a Set-and-Delete coordination, or a stricter contract). What we can do cheaply: surface the fallback so an operator hitting the shadow has a breadcrumb. On Chain.Set fallthrough past a writable backend that errored, print: veans: credential store: keyring rejected write (X); falling back to file The warning goes to stderr (not the structured envelope — Set still returns nil because the write landed somewhere). Env-backend's read-only skip is unchanged and silent. ChainStderr is exposed as a package var so tests can capture/assert the warning when we backfill credential-store coverage. |
||
|---|---|---|
| .. | ||
| auth | ||
| bootstrap | ||
| client | ||
| commands | ||
| config | ||
| credentials | ||
| output | ||
| status | ||