Implement secure credential management and global-config command

Add a new global-config command that allows users to securely set up their
API token once and reuse it across all commands. Implements a three-tier
credential resolution system with proper priority:

1. Environment variable (STD_TOKEN) - highest priority for CI/CD
2. OS Keychain (macOS Keychain, Linux Secret Service, Windows Credential Manager)
3. Fallback to ~/.stacktodate/credentials.yaml file storage

Key changes:
- Add helpers/credentials.go with centralized credential management functions
  (GetToken, SetToken, DeleteToken, GetTokenSource)
- Implement global-config command with three subcommands:
  * set: Interactive token setup with secure hidden input
  * status: Show current token configuration and storage location
  * delete: Remove stored credentials with confirmation
- Update push command to use new credential system instead of requiring env var
- Update init command to prompt for token setup if not configured
- Add zalando/go-keyring dependency for cross-platform OS keychain support
- Add golang.org/x/term dependency for secure password input (no echo)

Benefits:
- Users no longer need to set STD_TOKEN env var for local development
- Token is stored securely in OS keychain by default
- Seamless CI/CD integration via environment variables
- Better error messages guide users to set up credentials

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

Author: ceritium

cmd/globalconfig/delete.go

@@ -0,0 +1,47 @@
+package globalconfig
+
+import (
+	"bufio"
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/stacktodate/stacktodate-cli/cmd/helpers"
+	"github.com/spf13/cobra"
+)
+
+var deleteCmd = &cobra.Command{
+	Use:   "delete",
+	Short: "Remove stored authentication token",
+	Long:  `Remove your stored authentication token from keychain or credential storage.`,
+	Run: func(cmd *cobra.Command, args []string) {
+		// Confirm deletion
+		source, _, _ := helpers.GetTokenSource()
+		if source == "not configured" {
+			fmt.Println("No credentials to delete")
+			return
+		}
+
+		fmt.Printf("This will remove your token from: %s\n", source)
+		fmt.Print("Are you sure you want to delete your credentials? (type 'yes' to confirm): ")
+
+		reader := bufio.NewReader(os.Stdin)
+		response, err := reader.ReadString('\n')
+		if err != nil {
+			helpers.ExitOnError(err, "failed to read input")
+		}
+
+		response = strings.TrimSpace(response)
+		if response != "yes" {
+			fmt.Println("Cancelled - credentials not deleted")
+			return
+		}
+
+		// Delete the token
+		if err := helpers.DeleteToken(); err != nil {
+			helpers.ExitOnError(err, "")
+		}
+
+		fmt.Println("✓ Credentials deleted successfully")
+	},
+}

cmd/globalconfig/get.go

@@ -0,0 +1,34 @@
+package globalconfig
+
+import (
+	"fmt"
+
+	"github.com/stacktodate/stacktodate-cli/cmd/helpers"
+	"github.com/spf13/cobra"
+)
+
+var getCmd = &cobra.Command{
+	Use:   "status",
+	Short: "Show current authentication configuration",
+	Long:  `Display information about where your authentication token is stored and its status.`,
+	Run: func(cmd *cobra.Command, args []string) {
+		source, isSecure, err := helpers.GetTokenSource()
+
+		if err != nil {
+			fmt.Println("Status: Not configured")
+			fmt.Println("")
+			fmt.Println("To set up authentication, run:")
+			fmt.Println("  stacktodate global-config set")
+			return
+		}
+
+		fmt.Println("Status: Configured")
+		fmt.Printf("Source: %s\n", source)
+
+		if !isSecure {
+			fmt.Println("")
+			fmt.Println("⚠️  Warning: Token stored in plain text file")
+			fmt.Println("For better security, use a system with OS keychain support")
+		}
+	},
+}

cmd/globalconfig/globalconfig.go

@@ -0,0 +1,15 @@
+package globalconfig
+
+import "github.com/spf13/cobra"
+
+var GlobalConfigCmd = &cobra.Command{
+	Use:   "global-config",
+	Short: "Manage global configuration and authentication",
+	Long:  `Configure authentication tokens and other global settings for stacktodate-cli`,
+}
+
+func init() {
+	GlobalConfigCmd.AddCommand(setCmd)
+	GlobalConfigCmd.AddCommand(getCmd)
+	GlobalConfigCmd.AddCommand(deleteCmd)
+}

cmd/globalconfig/set.go

@@ -0,0 +1,53 @@
+package globalconfig
+
+import (
+	"fmt"
+	"strings"
+	"syscall"
+
+	"github.com/stacktodate/stacktodate-cli/cmd/helpers"
+	"golang.org/x/term"
+
+	"github.com/spf13/cobra"
+)
+
+var setCmd = &cobra.Command{
+	Use:   "set",
+	Short: "Set up authentication token",
+	Long:  `Set up your stacktodate API token for authentication.\n\nThe token will be securely stored in your system's keychain or credential store.`,
+	Run: func(cmd *cobra.Command, args []string) {
+		token, err := promptForToken()
+		if err != nil {
+			helpers.ExitOnError(err, "failed to read token")
+		}
+
+		if token == "" {
+			helpers.ExitOnError(fmt.Errorf("token cannot be empty"), "")
+		}
+
+		// Store the token
+		if err := helpers.SetToken(token); err != nil {
+			helpers.ExitOnError(err, "")
+		}
+
+		source, _, _ := helpers.GetTokenSource()
+		fmt.Printf("✓ Token successfully configured\n")
+		fmt.Printf("  Storage: %s\n", source)
+	},
+}
+
+// promptForToken prompts the user for their API token without echoing it to the terminal
+func promptForToken() (string, error) {
+	fmt.Print("Enter your stacktodate API token: ")
+
+	// Read password without echoing
+	bytePassword, err := term.ReadPassword(int(syscall.Stdin))
+	if err != nil {
+		return "", fmt.Errorf("failed to read token: %w", err)
+	}
+
+	fmt.Println() // Print newline after hidden input
+
+	token := strings.TrimSpace(string(bytePassword))
+	return token, nil
+}

cmd/helpers/credentials.go

@@ -0,0 +1,222 @@
+package helpers
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/zalando/go-keyring"
+	"gopkg.in/yaml.v3"
+)
+
+const (
+	serviceName = "stacktodate"
+	username    = "token"
+)
+
+// CredentialSource indicates where a credential came from
+type CredentialSource string
+
+const (
+	SourceEnvVar CredentialSource = "environment variable"
+	SourceKeyring CredentialSource = "OS keychain"
+	SourceFile   CredentialSource = "config file"
+)
+
+// CredentialInfo contains information about stored credentials
+type CredentialInfo struct {
+	Token  string
+	Source CredentialSource
+}
+
+// credentialsFile represents the structure of the credentials YAML file
+type credentialsFile struct {
+	Token string `yaml:"token"`
+}
+
+// GetToken retrieves the API token using the priority order:
+// 1. STD_TOKEN environment variable (highest priority)
+// 2. OS Keychain (macOS/Linux/Windows)
+// 3. Returns error if not found (Option B - fail securely)
+func GetToken() (string, error) {
+	// Check environment variable first
+	if token := os.Getenv("STD_TOKEN"); token != "" {
+		return token, nil
+	}
+
+	// Try to get from keychain
+	token, err := keyring.Get(serviceName, username)
+	if err == nil && token != "" {
+		return token, nil
+	}
+
+	// Try to get from fallback file (for migration purposes, but don't use it by default)
+	if token, err := getTokenFromFile(); err == nil && token != "" {
+		return token, nil
+	}
+
+	// No token found anywhere
+	return "", fmt.Errorf("no authentication token found\n\nSetup your token with one of these methods:\n  1. Interactive setup: stacktodate global-config set\n  2. Environment variable: export STD_TOKEN=<your_token>\n\nFor more help: stacktodate global-config --help")
+}
+
+// GetTokenWithSource retrieves the token and returns information about its source
+func GetTokenWithSource() (*CredentialInfo, error) {
+	// Check environment variable first
+	if token := os.Getenv("STD_TOKEN"); token != "" {
+		return &CredentialInfo{
+			Token:  token,
+			Source: SourceEnvVar,
+		}, nil
+	}
+
+	// Try to get from keychain
+	token, err := keyring.Get(serviceName, username)
+	if err == nil && token != "" {
+		return &CredentialInfo{
+			Token:  token,
+			Source: SourceKeyring,
+		}, nil
+	}
+
+	// Try to get from fallback file
+	if token, err := getTokenFromFile(); err == nil && token != "" {
+		return &CredentialInfo{
+			Token:  token,
+			Source: SourceFile,
+		}, nil
+	}
+
+	// No token found anywhere
+	return nil, fmt.Errorf("no authentication token found")
+}
+
+// SetToken stores the token in the OS keychain
+// Falls back to file storage if keychain is unavailable
+// Per Option B: Fails if keychain is unavailable and no fallback
+func SetToken(token string) error {
+	// Ensure config directory exists
+	if err := EnsureConfigDir(); err != nil {
+		return fmt.Errorf("failed to create config directory: %w", err)
+	}
+
+	// Try to store in keychain first
+	err := keyring.Set(serviceName, username, token)
+	if err == nil {
+		return nil
+	}
+
+	// If keychain fails, also try file storage as a fallback
+	// This allows local development to work
+	if err := setTokenInFile(token); err != nil {
+		return fmt.Errorf("failed to store token securely:\n  Keychain error: %v\n  File storage error: %v\n\nFor CI/headless environments, use: export STD_TOKEN=<your_token>", err, err)
+	}
+
+	fmt.Println("⚠️  Warning: Token stored in plain text file at ~/.stacktodate/credentials.yaml")
+	fmt.Println("For better security, consider using a system with OS keychain support")
+	return nil
+}
+
+// DeleteToken removes the token from keychain and file storage
+func DeleteToken() error {
+	var keychainErr error
+	var fileErr error
+
+	// Try to delete from keychain
+	keychainErr = keyring.Delete(serviceName, username)
+
+	// Try to delete from file
+	fileErr = deleteTokenFromFile()
+
+	// If both failed, return error
+	if keychainErr != nil && fileErr != nil {
+		return fmt.Errorf("failed to delete token: keychain error: %v, file error: %v", keychainErr, fileErr)
+	}
+
+	return nil
+}
+
+// GetTokenSource returns information about where the token is currently stored
+func GetTokenSource() (string, bool, error) {
+	// Check environment variable
+	if os.Getenv("STD_TOKEN") != "" {
+		return "STD_TOKEN environment variable", true, nil
+	}
+
+	// Check keychain
+	_, err := keyring.Get(serviceName, username)
+	if err == nil {
+		return "OS keychain", true, nil
+	}
+
+	// Check file
+	if _, err := getTokenFromFile(); err == nil {
+		return "credentials file (~/.stacktodate/credentials.yaml)", false, nil
+	}
+
+	return "not configured", false, fmt.Errorf("no token found")
+}
+
+// EnsureConfigDir creates the ~/.stacktodate directory if it doesn't exist
+func EnsureConfigDir() error {
+	configDir := getConfigDir()
+	return os.MkdirAll(configDir, 0700)
+}
+
+// Helper functions
+
+func getConfigDir() string {
+	home, err := os.UserHomeDir()
+	if err != nil {
+		// Fallback to current directory if home can't be determined
+		return ".stacktodate"
+	}
+	return filepath.Join(home, ".stacktodate")
+}
+
+func getCredentialsFilePath() string {
+	return filepath.Join(getConfigDir(), "credentials.yaml")
+}
+
+func getTokenFromFile() (string, error) {
+	filePath := getCredentialsFilePath()
+
+	content, err := os.ReadFile(filePath)
+	if err != nil {
+		return "", fmt.Errorf("failed to read credentials file: %w", err)
+	}
+
+	var creds credentialsFile
+	if err := yaml.Unmarshal(content, &creds); err != nil {
+		return "", fmt.Errorf("failed to parse credentials file: %w", err)
+	}
+
+	return creds.Token, nil
+}
+
+func setTokenInFile(token string) error {
+	filePath := getCredentialsFilePath()
+
+	creds := credentialsFile{
+		Token: token,
+	}
+
+	content, err := yaml.Marshal(creds)
+	if err != nil {
+		return fmt.Errorf("failed to marshal credentials: %w", err)
+	}
+
+	// Write with restricted permissions (0600 = read/write for owner only)
+	if err := os.WriteFile(filePath, content, 0600); err != nil {
+		return fmt.Errorf("failed to write credentials file: %w", err)
+	}
+
+	return nil
+}
+
+func deleteTokenFromFile() error {
+	filePath := getCredentialsFilePath()
+	if err := os.Remove(filePath); err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("failed to delete credentials file: %w", err)
+	}
+	return nil
+}