Closed
Add ability to store API keys in configuration
Description
Currently, the CLI tool only looks for API keys in environment variables. This enhancement would allow users to store API keys in the configuration file as an alternative to setting environment variables, making it more convenient to use the CLI across different environments.
Proposed Implementation
- Extend the configuration system to store API keys securely
- Update the API key retrieval logic to check both the config file and environment variables
- Add commands to manage API keys in the configuration
Specific Changes
- In `packages/cli/src/settings/config.ts`:
  - Add API key fields to the default configuration (with empty default values)
  - Consider implementing basic encryption or obfuscation for storing sensitive data
- In the provider initialization code:
  - Update the key retrieval logic to first check the configuration file
  - Fall back to environment variables if keys aren't in the config
  - Maintain backward compatibility with existing environment variable approach
- In `packages/cli/src/commands/config.ts`:
  - Add special handling for API key configuration to ensure proper validation
  - Add warnings about security implications when storing API keys
  - Consider adding a separate command for managing API keys (e.g., `mycoder keys set <provider>`)
Expected Behavior
- Users should be able to store API keys using `mycoder config set ANTHROPIC_API_KEY <key>` (or similar command)
- The CLI should check both the config file and environment variables for API keys
- Environment variables should take precedence over stored configuration
- Users should be able to clear stored API keys using the existing clear command
Security Considerations
- API keys are sensitive data and should be handled with care
- Consider basic obfuscation to prevent casual viewing of keys
- Add warnings about the security implications of storing keys in plaintext
- Document the feature with appropriate security disclaimers
- Consider adding an option to require confirmation when setting API keys
Additional Considerations
- Should we add validation for API key formats?
- Should we test the API keys when they're set to verify they're valid?
- Should we add a command to test stored API keys?
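
The lookup order from "Expected Behavior" (environment variable first, config file as fallback), sketched as an added example that is not part of the issue or the mycoder code base. The function names, the flat JSON config layout and the key values are assumptions; instead of obfuscation it relies on owner-only file permissions (POSIX mode 0600) and warns when the stored file is readable by other users.

```typescript
import * as fs from "fs";
import * as os from "os";
import * as path from "path";

type Resolved = { key: string | null; source: "env" | "config" | "none"; warning: string | null };

// Hypothetical helper: persist a key so that only the owning user can read the file.
function saveApiKey(file: string, name: string, key: string): void {
  const cfg: Record<string, string> = fs.existsSync(file)
    ? JSON.parse(fs.readFileSync(file, "utf8")) : {};
  cfg[name] = key;
  fs.writeFileSync(file, JSON.stringify(cfg, null, 2), { mode: 0o600 });
  fs.chmodSync(file, 0o600); // the mode option is ignored when the file already exists
}

// Hypothetical helper: the environment variable wins, the config file is the fallback.
function resolveApiKey(name: string, env: Record<string, string | undefined>,
                       file: string): Resolved {
  const fromEnv = env[name];
  if (fromEnv) return { key: fromEnv, source: "env", warning: null };
  const none: Resolved = { key: null, source: "none", warning: null };
  if (!fs.existsSync(file)) return none;
  const stored: Record<string, string | undefined> = JSON.parse(fs.readFileSync(file, "utf8"));
  const key = stored[name];
  if (!key) return none;
  const mode = fs.statSync(file).mode & 0o777;
  const loose = process.platform !== "win32" && (mode & 0o077) !== 0;
  const warning = loose ? `${file} is readable by other users (mode ${mode.toString(8)})` : null;
  return { key, source: "config", warning };
}

// Show only the ends of a key when echoing it to a terminal or log.
function redact(key: string): string {
  return key.length <= 8 ? "****" : `${key.slice(0, 4)}...${key.slice(-4)}`;
}

// Constructed sample run in a temporary directory; the key values are placeholders.
function demo(): { fromConfig: Resolved; fromEnv: Resolved; loose: Resolved } {
  const NAME = "ANTHROPIC_API_KEY";
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "keys-"));
  const file = path.join(dir, "config.json");
  saveApiKey(file, NAME, "sk-constructed-config-key");
  const fromConfig = resolveApiKey(NAME, {}, file);
  const fromEnv = resolveApiKey(NAME, { [NAME]: "sk-constructed-env-key" }, file);
  fs.chmodSync(file, 0o644); // simulate a config file left group/world-readable
  const loose = resolveApiKey(NAME, {}, file);
  fs.rmSync(dir, { recursive: true, force: true });
  return { fromConfig, fromEnv, loose };
}
```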