chore: switch from keytar to @github/keytar (#25143)

packages/core/package.json

@@ -91,13 +91,13 @@
     "zod-to-json-schema": "^3.25.1"
   },
   "optionalDependencies": {
+    "@github/keytar": "^7.10.6",
     "@lydell/node-pty": "1.1.0",
     "@lydell/node-pty-darwin-arm64": "1.1.0",
     "@lydell/node-pty-darwin-x64": "1.1.0",
     "@lydell/node-pty-linux-x64": "1.1.0",
     "@lydell/node-pty-win32-arm64": "1.1.0",
     "@lydell/node-pty-win32-x64": "1.1.0",
-    "keytar": "^7.9.0",
     "node-pty": "^1.0.0"
   },
   "devDependencies": {

packages/core/src/services/keychainService.test.ts

@@ -42,7 +42,7 @@ const mockFileKeychain: MockKeychain = {
   findCredentials: vi.fn(),
 };
 
-vi.mock('keytar', () => ({ default: mockKeytar }));
+vi.mock('@github/keytar', () => ({ default: mockKeytar }));
 
 vi.mock('./fileKeychain.js', () => ({
   FileKeychain: vi.fn(() => mockFileKeychain),

packages/core/src/services/keychainService.ts

@@ -22,7 +22,7 @@ import { FileKeychain } from './fileKeychain.js';
 export const FORCE_FILE_STORAGE_ENV_VAR = 'GEMINI_FORCE_FILE_STORAGE';
 
 /**
- * Service for interacting with OS-level secure storage (e.g. keytar).
+ * Service for interacting with OS-level secure storage (e.g. @github/keytar).
  */
 export class KeychainService {
   // Track an ongoing initialization attempt to avoid race conditions.
@@ -119,7 +119,7 @@ export class KeychainService {
   }
 
   /**
-   * Attempts to load and verify the native keychain module (keytar).
+   * Attempts to load and verify the native keychain module (@github/keytar).
    */
   private async getNativeKeychain(): Promise<Keychain | null> {
     try {
@@ -152,7 +152,7 @@ export class KeychainService {
 
   // Low-level dynamic loading and structural validation.
   private async loadKeychainModule(): Promise<Keychain | null> {
-    const moduleName = 'keytar';
+    const moduleName = '@github/keytar';
     const module: unknown = await import(moduleName);
     const potential = (isRecord(module) && module['default']) || module;
 
@@ -189,7 +189,7 @@ export class KeychainService {
    */
   private isMacOSKeychainAvailable(): boolean {
     // Probing via the `security` CLI avoids a blocking OS-level popup that
-    // occurs when calling keytar without a configured keychain.
+    // occurs when calling @github/keytar without a configured keychain.
     const result = spawnSync('security', ['default-keychain'], {
       encoding: 'utf8',
       // We pipe stdout to read the path, but ignore stderr to suppress

packages/core/src/services/keychainTypes.ts

@@ -8,7 +8,7 @@ import { z } from 'zod';
 
 /**
  * Interface for OS-level secure storage operations.
- * Note: Method names must match the underlying library (e.g. keytar)
+ * Note: Method names must match the underlying library (e.g. @github/keytar)
  * to support correct dynamic loading and schema validation.
  */
 export interface Keychain {