feat(credentials): Implement secure credential storage service #42

Merged: jbdevprimary merged 1 commit into main from feat/secure-credential-storage, Jan 18, 2026

@jbdevprimary
Contributor

Summary

Implements secure credential storage service for Issue #9, providing hardware-backed encryption for API keys and tokens.

Features

  • SecureStore Integration: Uses expo-secure-store with WHEN_UNLOCKED_THIS_DEVICE_ONLY for hardware-backed encryption
  • Biometric Authentication: Optional biometric auth via expo-local-authentication for storing/retrieving credentials
  • API Token Validation: Automatic validation against GitHub, Anthropic, and OpenAI APIs
  • Secure Masking: Credential values are masked for display (e.g., ghp_xxx...xxxx)
  • Credential Lifecycle: Store, retrieve, validate, delete, and revalidate all credentials

API

```ts
// Store a credential with validation
await CredentialService.store('github', {
  name: 'My GitHub Token',
  secret: 'ghp_xxxxxxxxxxxx',
});

// Retrieve with biometric auth
const { secret } = await CredentialService.retrieve('github', {
  requireBiometric: true,
});

// Validate all credentials
const results = await CredentialService.revalidateAll();
```

Supported Providers

  • GitHub (PAT validation via /user endpoint)
  • Anthropic (API key validation via /v1/messages)
  • OpenAI (API key validation via /v1/models)
  • MCP Server (passthrough, no validation)
  • GitLab, Bitbucket (placeholders for future)

Security Model

  • Secrets stored ONLY in SecureStore (hardware-backed)
  • Zustand store contains METADATA only (provider, status, timestamps)
  • No secrets ever written to AsyncStorage or logs
  • Biometric gating available for sensitive operations

Testing

  • 22 unit tests covering all service methods
  • Mocked SecureStore, LocalAuthentication, and fetch
  • Tests for success paths, failures, and edge cases

Closes #9

Test plan

  • All 22 credential service tests pass
  • Biometric availability detection works
  • Store/retrieve/delete lifecycle works
  • API validation for GitHub/Anthropic/OpenAI works
  • Credential masking displays correctly
  • Integration with credentialStore (Zustand) works

🤖 Generated with Claude Code

Implements secure credential management as specified in Issue #9.

## Features:
- **Hardware-backed storage**: Uses Expo SecureStore with WHEN_UNLOCKED_THIS_DEVICE_ONLY
- **Biometric authentication**: Optional biometric unlock via expo-local-authentication
- **API validation**: Validates credentials against GitHub, Anthropic, and OpenAI APIs
- **Secure masking**: Shows masked credential values for display

## CredentialService API:
- `store(type, data, options)`: Store credential with optional validation
- `retrieve(type, options)`: Retrieve credential with optional biometric auth
- `validateCredential(type, secret)`: Validate against respective API
- `delete(type)`: Securely delete credential
- `exists(type)`: Check if credential exists
- `revalidateAll()`: Re-validate all stored credentials
- `isBiometricAvailable()`: Check device biometric support
- `authenticateWithBiometrics()`: Perform biometric authentication

## Security:
- Secrets stored in SecureStore (hardware-backed)
- Metadata tracked in Zustand CredentialStore (no secrets)
- Automatic masking of displayed credentials
- Support for biometric-gated access

## Tests:
- 22 unit tests covering all functionality
- Mocks for SecureStore and LocalAuthentication

Closes #9

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
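
The split described under "Security Model" and "Secure Masking" above, sketched as an added example that is not code from this PR: a pure function decides what goes to the hardware-backed store and what goes to the metadata store, and a guard checks that the metadata never carries the secret. All names (`maskSecret`, `planStorage`, `metaLeaksSecret`, the `credential.` key prefix) are hypothetical, and the token is a constructed sample.

```typescript
// Added example: all names are hypothetical, none come from the PR's source.
type Provider = 'github' | 'anthropic' | 'openai';

interface CredentialMeta {
  provider: Provider;
  name: string;
  masked: string;   // display form only
  storedAt: string; // ISO timestamp
}

interface StoragePlan {
  vaultKey: string;     // key in the hardware-backed store
  vaultValue: string;   // the secret: the only place it may appear
  meta: CredentialMeta; // what the state store is allowed to hold
}

// Keep `head` leading and `tail` trailing characters. A secret too short to
// hide a meaningful middle gets a fixed-width mask, which also hides its length.
function maskSecret(secret: string, head: number = 4, tail: number = 4): string {
  if (secret.length < 2 * (head + tail)) {
    return '********';
  }
  const end = tail > 0 ? secret.slice(-tail) : '';
  return secret.slice(0, head) + '...' + end;
}

// Decide what goes to which store before anything is written.
function planStorage(provider: Provider, name: string, secret: string, now: Date): StoragePlan {
  if (secret.trim().length === 0) {
    throw new Error('empty secret');
  }
  const meta: CredentialMeta = { provider, name, masked: maskSecret(secret), storedAt: now.toISOString() };
  return { vaultKey: 'credential.' + provider, vaultValue: secret, meta };
}

// True when the serialized metadata (what a persisted state store would write
// to disk) contains the secret, e.g. because it was pasted into the name field.
function metaLeaksSecret(meta: CredentialMeta, secret: string): boolean {
  const escaped = JSON.stringify(secret).slice(1, -1); // match JSON escaping
  return JSON.stringify(meta).indexOf(escaped) !== -1;
}

// Constructed sample token in GitHub PAT shape; not a real credential.
const SAMPLE_TOKEN = 'ghp_' + 'a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8';
const plan = planStorage('github', 'My GitHub Token', SAMPLE_TOKEN, new Date());
console.log(plan.meta.masked, metaLeaksSecret(plan.meta, SAMPLE_TOKEN));
```

In an app, `vaultValue` would be written to the hardware-backed store and `meta` to the state store; `metaLeaksSecret` fits naturally as an assertion in unit tests over whatever the state store persists.
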
@coderabbitai
Contributor

coderabbitai Bot commented Jan 18, 2026

Warning

Rate limit exceeded

@jbdevprimary has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 19 minutes and 18 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

📥 Commits

Reviewing files that changed from the base of the PR and between 14ae953 and 01807ea.

📒 Files selected for processing (5)
  • jest.setup.js
  • src/services/credentials/CredentialService.ts
  • src/services/credentials/__tests__/CredentialService.test.ts
  • src/services/credentials/index.ts
  • src/services/index.ts

@jbdevprimary
Contributor Author

@coderabbitai review

@coderabbitai
Contributor

coderabbitai Bot commented Jan 18, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@sonarqubecloud

Quality Gate failed

Failed conditions
63.3% Coverage on New Code (required ≥ 80%)
C Reliability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

jbdevprimary merged commit fd8c9e4 into main on Jan 18, 2026 (11 of 12 checks passed)
jbdevprimary deleted the feat/secure-credential-storage branch on January 18, 2026 16:27

Development

Successfully merging this pull request may close these issues.

[Core] Implement secure credential storage using Expo SecureStore
