Summary
API keys are stored using Windows DPAPI (WindowsDpapiCryptographyService), which only works on Windows. The abstraction ICryptographyService exists but there is no cross-platform fallback and no path to add exchange credentials from the UI.
What needs to be done
- Add macOS/Linux fallback using
AesGcm + a machine-derived key stored in the user's config folder
- Add a settings dialog panel in the GUI:
- List of saved exchange credentials (masked key display)
- Add / Edit / Delete credential
- Select active credential
- Validate credential by making a test call to
GET /api/v3/account before saving
- Never log or expose raw API keys in console output
Security rules
- Keys must never be stored in plain text
- Keys must never appear in logs, crash reports, or event bus messages
- Use
SecureString for in-memory handling where feasible
Acceptance criteria
References
src/Omnijure.Core/Shared/Infrastructure/Security/src/Omnijure.Core/Features/Settings/Model/ExchangeCredential.cs
Summary
API keys are stored using Windows DPAPI (
WindowsDpapiCryptographyService), which only works on Windows. The abstractionICryptographyServiceexists but there is no cross-platform fallback and no path to add exchange credentials from the UI.What needs to be done
AesGcm+ a machine-derived key stored in the user's config folderGET /api/v3/accountbefore savingSecurity rules
SecureStringfor in-memory handling where feasibleAcceptance criteria
WindowsDpapiCryptographyServiceis used on WindowsAesGcmCryptographyServiceis used on macOS and LinuxReferences
src/Omnijure.Core/Shared/Infrastructure/Security/src/Omnijure.Core/Features/Settings/Model/ExchangeCredential.cs