fix(build): install all platform keyring bindings for cross-compile

[wyattjoh]

Summary

Cross-compiled macOS and Windows CLI binaries were silently falling back to plaintext-file credential storage instead of using the OS keychain.

Root cause: the build runs on a Linux CI host. Default bun install skips @napi-rs/keyring optional deps whose os or cpu field doesn't match the host, so the darwin and win32 bindings are not in node_modules when the cross-compile runs. Bun then rewrites the unresolved require() calls to throw stubs and the bundle ships without the native binding. At runtime, the import() fails, the catch swallows the error, and the CLI falls back to ~/Library/Application Support/clerk-cli/credentials (chmod 600).

Fix

• bun install --frozen-lockfile --cpu='*' --os='*' in .github/workflows/build-binaries.yml so every target's binding is installed before the Linux host bundles each target.
• Preflight check in scripts/build.ts so local build:compile:all runs on a developer Mac also fail fast with the install command if a required binding is missing.

Lockfile unchanged; --frozen-lockfile still holds.

Test plan

• Reproduced the failure in a Docker ubuntu:24.04 + Bun 1.3.11 container matching CI, then applied the fix and confirmed every target bundle embeds its platform's native .node asset.
• Pulled the Docker-built darwin-arm64 binary onto a Mac, signed with a real Team ID + scripts/entitlements.plist, and confirmed clerk whoami --verbose reports found token in keyring.
• Removed two bindings and reran scripts/build.ts; preflight check fired with the expected error and install hint.
• bun run format:check, bun run lint, bun run typecheck, bun run test all pass.
• Validate a released canary on a clean Mac and confirm new logins land in the Keychain.

[wyattjoh]

Stack: wyattjoh/fix-keyring-cross-compile

• fix(build): install all platform keyring bindings for cross-compile #198 👈 this PR

Part of a stacked PR chain. Do not merge manually.

[changeset-bot]

🦋 Changeset detected

Latest commit: ddaa8a2

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
clerk	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6c395226-e78f-4276-914f-cce9c02bbfb4

📥 Commits

Reviewing files that changed from the base of the PR and between 890137f and ddaa8a2.

📒 Files selected for processing (3)

• .changeset/fix-keyring-cross-compile.md
• .github/workflows/build-binaries.yml
• scripts/build.ts

---

📝 Walkthrough

Walkthrough

This pull request addresses cross-compilation issues for the clerk CLI's native @napi-rs/keyring bindings. The changeset documents a security improvement moving OAuth tokens from plaintext storage to the macOS Keychain. The CI/CD workflow is updated to install dependencies with platform wildcard options (--cpu='*' and --os='*') to ensure all target platform bindings are available. A new validation function in the build script computes expected binding paths for each target and verifies their presence in node_modules before compilation, failing with a diagnostic error if bindings are missing.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: fixing the build process to install platform-specific keyring bindings needed for cross-compilation.
Description check	✅ Passed	The description is detailed and directly related to the changeset, explaining the root cause, the fix implemented, and test plan validation.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}