fix(cli): auth edge cases found in review

- logout no longer blocked when OS keychain is locked: read() throw is
  caught in both logout/index.ts and logout.ts; local credential cleanup
  (hosts.yml) always runs regardless of keychain state
- FileTokenStore transparently reads pre-upgrade tokens.yml (no version
  header = legacy format); next write stamps version: 1
- KeychainTokenStore.write() now wraps native keyring errors as
  KeyringUnavailable, matching the error surface of read()
- tests for all three: logout-with-locked-keychain, legacy-file
  migration, write-error wrapping

Author: GareArc

cli/src/commands/auth/logout/index.ts

@@ -26,7 +26,11 @@ export default class Logout extends DifyCommand {
 
     let http: HttpClient | undefined
     if (active !== undefined) {
-      const bearer = getTokenStore(reg.token_storage).read(active.host, active.email)
+      let bearer = ''
+      try {
+        bearer = getTokenStore(reg.token_storage).read(active.host, active.email)
+      }
+      catch { /* keyring locked — skip remote revocation, local cleanup still runs */ }
       if (bearer !== '') {
         http = createHttpClient({ baseURL: openAPIBase(hostWithScheme(active.host, active.scheme)), bearer, retryAttempts: 0 })
       }

cli/src/commands/auth/logout/logout.test.ts

@@ -56,6 +56,17 @@ describe('runLogout', () => {
     expect(raw).toContain('b@x')
   })
 
+  it('clears local credentials even when the store.read throws (e.g. keyring locked)', async () => {
+    const store = new MemStore()
+    seed(store)
+    store.read = () => {
+      throw new Error('keyring locked')
+    }
+    await runLogout({ io: bufferStreams(), reg: Registry.load(), store })
+    const after = Registry.load()
+    expect(after?.hosts.h1?.accounts['a@x']).toBeUndefined()
+  })
+
   it('throws NotLoggedIn when no active context', async () => {
     Registry.empty('file').save()
     await expect(runLogout({ io: bufferStreams(), reg: Registry.load(), store: new MemStore() }))

cli/src/commands/auth/logout/logout.ts

@@ -22,7 +22,11 @@ export async function runLogout(opts: LogoutOptions): Promise<void> {
   const active = reg.requireActive()
 
   const store = opts.store ?? getTokenStore(reg.token_storage)
-  const bearer = store.read(active.host, active.email)
+  let bearer = ''
+  try {
+    bearer = store.read(active.host, active.email)
+  }
+  catch { /* keyring locked — skip remote revocation, local cleanup still runs */ }
 
   let revokeWarning = ''
   if (bearer !== '' && revokeAllowed(bearer) && opts.http !== undefined) {

cli/src/store/keychain-token-store.test.ts

@@ -7,6 +7,7 @@ type EntryArgs = { service: string, username: string }
 const passwords = new Map<string, string>()
 const constructed: EntryArgs[] = []
 let getPasswordError: Error | null = null
+let setPasswordError: Error | null = null
 
 class FakeEntry {
   private readonly key: string
@@ -16,6 +17,8 @@ class FakeEntry {
   }
 
   setPassword(value: string): void {
+    if (setPasswordError !== null)
+      throw setPasswordError
     passwords.set(this.key, value)
   }
 
@@ -45,6 +48,7 @@ beforeEach(() => {
   passwords.clear()
   constructed.length = 0
   getPasswordError = null
+  setPasswordError = null
 })
 
 describe('KeychainTokenStore', () => {
@@ -104,7 +108,7 @@ describe('KeychainTokenStore', () => {
     expect(store.read('h', 'e')).toBe('')
   })
 
-  it('throws KeyringUnavailable (not empty string) when keyring access fails', () => {
+  it('throws KeyringUnavailable (not empty string) when keyring access fails on read', () => {
     getPasswordError = new Error('keyring locked')
     const store = new KeychainTokenStore(SERVICE)
     let caught: unknown
@@ -117,4 +121,18 @@ describe('KeychainTokenStore', () => {
     expect(caught).toBeInstanceOf(BaseError)
     expect((caught as BaseError).code).toBe(ErrorCode.KeyringUnavailable)
   })
+
+  it('throws KeyringUnavailable when keyring access fails on write', () => {
+    setPasswordError = new Error('keyring locked')
+    const store = new KeychainTokenStore(SERVICE)
+    let caught: unknown
+    try {
+      store.write('h', 'e', 'dfoa_secret')
+    }
+    catch (err) {
+      caught = err
+    }
+    expect(caught).toBeInstanceOf(BaseError)
+    expect((caught as BaseError).code).toBe(ErrorCode.KeyringUnavailable)
+  })
 })

cli/src/store/token-store.test.ts

@@ -44,12 +44,27 @@ describe('FileTokenStore', () => {
     expect(raw).toContain('a@x.com')
   })
 
-  it('reads empty when the document version is unknown', () => {
+  it('reads empty when the document version is an unknown future version', () => {
     writeFileSync(file, 'version: 999\ntokens:\n  "h":\n    "e": "x"\n')
     const s = new FileTokenStore(file)
     expect(s.read('h', 'e')).toBe('')
   })
 
+  it('reads tokens from legacy format (no version field) for transparent migration', () => {
+    writeFileSync(file, 'tokens:\n  "h":\n    "e": "dfoa_legacy"\n')
+    const s = new FileTokenStore(file)
+    expect(s.read('h', 'e')).toBe('dfoa_legacy')
+  })
+
+  it('preserves existing tokens and stamps version when writing to a legacy file', () => {
+    writeFileSync(file, 'tokens:\n  "h":\n    "existing@x": "dfoa_existing"\n')
+    const s = new FileTokenStore(file)
+    s.write('h', 'new@x', 'dfoa_new')
+    expect(s.read('h', 'existing@x')).toBe('dfoa_existing')
+    expect(s.read('h', 'new@x')).toBe('dfoa_new')
+    expect(readFileSync(file, 'utf8')).toContain('version: 1')
+  })
+
   it('remove deletes the credential and prunes the empty host map', () => {
     const s = new FileTokenStore(file)
     s.write('https://cloud.dify.ai', 'a@x.com', 'A')

cli/src/store/token-store.ts

@@ -28,7 +28,10 @@ export class FileTokenStore implements TokenStore {
 
   read(host: string, email: string): string {
     const doc = this.store.getTyped<TokenDoc>()
-    if (doc === null || doc.version !== DOC_VERSION)
+    if (doc === null)
+      return ''
+    // missing version = legacy pre-v1 format (same data shape); future unknown versions are rejected
+    if (doc.version !== undefined && doc.version !== DOC_VERSION)
       return ''
     return doc.tokens?.[host]?.[email] ?? ''
   }
@@ -43,7 +46,9 @@ export class FileTokenStore implements TokenStore {
 
   remove(host: string, email: string): void {
     const doc = this.store.getTyped<TokenDoc>()
-    if (doc === null || doc.version !== DOC_VERSION)
+    if (doc === null)
+      return
+    if (doc.version !== undefined && doc.version !== DOC_VERSION)
       return
     const tokens = doc.tokens ?? {}
     const hostMap = tokens[host]
@@ -57,9 +62,11 @@ export class FileTokenStore implements TokenStore {
 
   private load(): { version: number, tokens: Record<string, Record<string, string>> } {
     const doc = this.store.getTyped<TokenDoc>()
-    if (doc === null || doc.version !== DOC_VERSION)
+    if (doc === null)
       return { version: DOC_VERSION, tokens: {} }
-    return { version: DOC_VERSION, tokens: doc.tokens ?? {} }
+    if (doc.version !== undefined && doc.version !== DOC_VERSION)
+      return { version: DOC_VERSION, tokens: {} }
+    return { version: DOC_VERSION, tokens: (doc.tokens ?? {}) as Record<string, Record<string, string>> }
   }
 }
 
@@ -93,7 +100,12 @@ export class KeychainTokenStore implements TokenStore {
   }
 
   write(host: string, email: string, bearer: string): void {
-    new Entry(this.service, entryName(host, email)).setPassword(JSON.stringify(bearer))
+    try {
+      new Entry(this.service, entryName(host, email)).setPassword(JSON.stringify(bearer))
+    }
+    catch (err) {
+      throw keyringUnavailableError(err)
+    }
   }
 
   remove(host: string, email: string): void {