OpenKeyring · alphaqiu · Jan 26, 2026 · Jan 26, 2026 · Jan 26, 2026 · Jan 26, 2026
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -31,51 +31,50 @@ jobs:
         uses: actions/cache@v4
         with:
           path: ~/.cargo/registry
-          key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
+          key: build-${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
 
       - name: Cache cargo index
         uses: actions/cache@v4
         with:
           path: ~/.cargo/git
-          key: ${{ runner.os }}-cargo-index-${{ hashFiles('**/Cargo.lock') }}
+          key: build-${{ runner.os }}-cargo-index-${{ hashFiles('**/Cargo.lock') }}
 
       - name: Cache cargo build
         uses: actions/cache@v4
         with:
-          path: keyring-cli/target
-          key: ${{ runner.os }}-cargo-build-target-${{ hashFiles('**/Cargo.lock') }}
+          path: target
+          key: build-${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
 
       - name: Build for x86_64
         run: |
-          cd keyring-cli
           cargo build --target x86_64-apple-darwin --release --verbose
 
       - name: Build for aarch64
         run: |
-          cd keyring-cli
           cargo build --target aarch64-apple-darwin --release --verbose
 
       - name: Create universal binary
         run: |
+          mkdir -p target/universal-apple-darwin-release
           lipo -create \
-            keyring-cli/target/x86_64-apple-darwin/release/ok \
-            keyring-cli/target/aarch64-apple-darwin/release/ok \
-            -output keyring-cli/target/universal-apple-darwin-release/ok
-          chmod +x keyring-cli/target/universal-apple-darwin-release/ok
+            target/x86_64-apple-darwin/release/ok \
+            target/aarch64-apple-darwin/release/ok \
+            -output target/universal-apple-darwin-release/ok
+          chmod +x target/universal-apple-darwin-release/ok
 
       - name: Strip binary
-        run: strip -x keyring-cli/target/universal-apple-darwin-release/ok
+        run: strip -x target/universal-apple-darwin-release/ok
 
       - name: Upload macOS universal binary
         uses: actions/upload-artifact@v4
         with:
           name: ok-macos-universal
-          path: keyring-cli/target/universal-apple-darwin-release/ok
+          path: target/universal-apple-darwin-release/ok
 
       - name: Create archive
         if: startsWith(github.ref, 'refs/tags/v')
         run: |
-          cd keyring-cli/target/universal-apple-darwin-release
+          cd target/universal-apple-darwin-release
           tar czf ok-macos-universal.tar.gz ok
           mv ok-macos-universal.tar.gz ../../../
 
@@ -109,27 +108,26 @@ jobs:
           path: |
             ~/.cargo/registry
             ~/.cargo/git
-            keyring-cli/target
-          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+            target
+          key: build-${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
 
       - name: Build
         run: |
-          cd keyring-cli
           cargo build --release --verbose
 
       - name: Strip binary
-        run: strip keyring-cli/target/release/ok
+        run: strip target/release/ok
 
       - name: Upload Linux binary
         uses: actions/upload-artifact@v4
         with:
           name: ok-linux-x86_64
-          path: keyring-cli/target/release/ok
+          path: target/release/ok
 
       - name: Create archive
         if: startsWith(github.ref, 'refs/tags/v')
         run: |
-          cd keyring-cli/target/release
+          cd target/release
           tar czf ok-linux-x86_64.tar.gz ok
           mv ok-linux-x86_64.tar.gz ../../../
 
@@ -165,29 +163,28 @@ jobs:
           path: |
             ~/.cargo/registry
             ~/.cargo/git
-            keyring-cli/target
-          key: ${{ runner.os }}-cargo-arm64-${{ hashFiles('**/Cargo.lock') }}
+            target
+          key: build-${{ runner.os }}-cargo-arm64-${{ hashFiles('**/Cargo.lock') }}
 
       - name: Build
         run: |
-          cd keyring-cli
           CC=aarch64-linux-gnu-gcc \
           CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER=aarch64-linux-gnu-gcc \
             cargo build --target aarch64-unknown-linux-gnu --release --verbose
 
       - name: Strip binary
-        run: aarch64-linux-gnu-strip keyring-cli/target/aarch64-unknown-linux-gnu/release/ok
+        run: aarch64-linux-gnu-strip target/aarch64-unknown-linux-gnu/release/ok
 
       - name: Upload Linux ARM64 binary
         uses: actions/upload-artifact@v4
         with:
           name: ok-linux-aarch64
-          path: keyring-cli/target/aarch64-unknown-linux-gnu/release/ok
+          path: target/aarch64-unknown-linux-gnu/release/ok
 
       - name: Create archive
         if: startsWith(github.ref, 'refs/tags/v')
         run: |
-          cd keyring-cli/target/aarch64-unknown-linux-gnu/release
+          cd target/aarch64-unknown-linux-gnu/release
           tar czf ok-linux-aarch64.tar.gz ok
           mv ok-linux-aarch64.tar.gz ../../../
 
@@ -220,24 +217,23 @@ jobs:
           path: |
             ~/.cargo/registry
             ~/.cargo/git
-            keyring-cli/target
-          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+            target
+          key: build-${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
 
       - name: Build
         run: |
-          cd keyring-cli
           cargo build --release --verbose
 
       - name: Upload Windows binary
         uses: actions/upload-artifact@v4
         with:
           name: ok-windows-x86_64
-          path: keyring-cli/target/release/ok.exe
+          path: target/release/ok.exe
 
       - name: Create archive
         if: startsWith(github.ref, 'refs/tags/v')
         run: |
-          Compress-Archive -Path keyring-cli\target\release\ok.exe -DestinationPath ok-windows-x86_64.zip
+          Compress-Archive -Path target\release\ok.exe -DestinationPath ok-windows-x86_64.zip
 
       - name: Upload release asset
         if: startsWith(github.ref, 'refs/tags/v')
@@ -270,24 +266,23 @@ jobs:
           path: |
             ~/.cargo/registry
             ~/.cargo/git
-            keyring-cli/target
-          key: ${{ runner.os }}-cargo-arm64-${{ hashFiles('**/Cargo.lock') }}
+            target
+          key: build-${{ runner.os }}-cargo-arm64-${{ hashFiles('**/Cargo.lock') }}
 
       - name: Build
         run: |
-          cd keyring-cli
           cargo build --target aarch64-pc-windows-msvc --release --verbose
 
       - name: Upload Windows ARM64 binary
         uses: actions/upload-artifact@v4
         with:
           name: ok-windows-aarch64
-          path: keyring-cli/target/aarch64-pc-windows-msvc/release/ok.exe
+          path: target/aarch64-pc-windows-msvc/release/ok.exe
 
       - name: Create archive
         if: startsWith(github.ref, 'refs/tags/v')
         run: |
-          Compress-Archive -Path keyring-cli\target\aarch64-pc-windows-msvc\release\ok.exe -DestinationPath ok-windows-aarch64.zip
+          Compress-Archive -Path target\aarch64-pc-windows-msvc\release\ok.exe -DestinationPath ok-windows-aarch64.zip
 
       - name: Upload release asset
         if: startsWith(github.ref, 'refs/tags/v')
@@ -296,50 +291,3 @@ jobs:
           files: ok-windows-aarch64.zip
           generate_release_notes: true
 
-  # Run tests
-  test:
-    name: Run Tests
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-        rust: [stable]
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@master
-        with:
-          toolchain: ${{ matrix.rust }}
-
-      - name: Install dependencies (Linux)
-        if: runner.os == 'Linux'
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y pkg-config libssl-dev
-
-      - name: Cache cargo
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-            keyring-cli/target
-          key: ${{ runner.os }}-test-${{ hashFiles('**/Cargo.lock') }}
-
-      - name: Run tests
-        run: |
-          cd keyring-cli
-          cargo test --verbose --all-features
-
-      - name: Run clippy
-        run: |
-          cd keyring-cli
-          cargo clippy -- -D warnings
-
-      - name: Check formatting
-        run: |
-          cd keyring-cli
-          cargo fmt -- --check
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -0,0 +1,56 @@
+name: Test Coverage
+
+on:
+  push:
+    branches: [ master, develop ]
+  pull_request:
+    branches: [ master, develop ]
+
+jobs:
+  coverage:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Cache dependencies
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: coverage-${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+
+      - name: Run tests with coverage
+        run: |
+          cargo install cargo-tarpaulin
+          cargo tarpaulin --out Html --out Json --output-dir coverage --timeout 300 --verbose
+
+      - name: Upload coverage report
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-report
+          path: coverage/
+
+      - name: Check coverage threshold
+        run: |
+          COVERAGE=$(jq '.coverage // 0' coverage/tarpaulin.json 2>/dev/null || echo "0")
+          echo "Coverage: $COVERAGE%"
+          if (( $(echo "$COVERAGE < 80" | bc -l) )); then
+            echo "❌ Coverage below 80% (current: $COVERAGE%)"
+            exit 1
+          else
+            echo "✅ Coverage at $COVERAGE%"
+          fi
+
+      - name: Add coverage summary
+        run: |
+          COVERAGE=$(jq '.coverage // 0' coverage/tarpaulin.json 2>/dev/null || echo "0")
+          echo "## Test Coverage" >> $GITHUB_STEP_SUMMARY
+          echo "Current coverage: **$COVERAGE%**" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "Target: 80%+ for M1 v0.1 release" >> $GITHUB_STEP_SUMMARY
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,98 @@
+name: Security Checks
+
+on:
+  push:
+    branches: [ master, develop ]
+  pull_request:
+    branches: [ master, develop ]
+  workflow_dispatch:
+
+jobs:
+  security-verification:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        include:
+          - os: ubuntu-latest
+            target: x86_64-unknown-linux-gnu
+          - os: macos-latest
+            target: x86_64-apple-darwin
+          - os: windows-latest
+            target: x86_64-pc-windows-msvc
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          toolchain: stable
+          targets: ${{ matrix.target }}
+
+      - name: Cache dependencies
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: security-${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+
+      - name: Build release without test-env
+        run: |
+          cargo build --release --no-default-features
+
+      - name: Verify test-env NOT in release binary (Linux/macOS)
+        if: runner.os != 'Windows'
+        run: |
+          echo "Checking for test environment variables in release binary..."
+          if grep -r "OK_MASTER_PASSWORD\|OK_CONFIG_DIR\|OK_DATA_DIR" target/release/ok 2>/dev/null; then
+            echo "❌ ERROR: Test environment variables leaked to release!"
+            exit 1
+          fi
+          echo "✅ Release binary verified clean"
+
+      - name: Verify test-env NOT in release binary (Windows)
+        if: runner.os == 'Windows'
+        shell: pwsh
+        run: |
+          Write-Host "Checking for test environment variables in release binary..."
+          $binaryPath = "target\release\ok.exe"
+          if (Test-Path $binaryPath) {
+            $content = Get-Content $binaryPath -Raw -Encoding ASCII
+            if ($content -match "OK_MASTER_PASSWORD|OK_CONFIG_DIR|OK_DATA_DIR") {
+              Write-Host "❌ ERROR: Test environment variables leaked to release!"
+              exit 1
+            }
+          }
+          Write-Host "✅ Release binary verified clean"
+
+      - name: Verify test-env feature works
+        run: |
+          cargo build --features test-env
+          echo "✅ Build with test-env feature successful"
+
+      - name: Run security audit
+        run: |
+          cargo install cargo-audit
+          cargo audit || echo "⚠️  Security audit found potential issues"
+
+      - name: Check MSRV in Cargo.toml
+        run: |
+          if grep -q "rust-version" Cargo.toml; then
+            echo "✅ MSRV declared in Cargo.toml"
+            grep "rust-version" Cargo.toml
+          else
+            echo "❌ ERROR: MSRV not declared in Cargo.toml"
+            exit 1
+          fi
+
+      - name: Security summary
+        run: |
+          echo "## Security Verification" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "✅ Release binary verified clean (no test-env strings)" >> $GITHUB_STEP_SUMMARY
+          echo "✅ test-env feature flag working" >> $GITHUB_STEP_SUMMARY
+          echo "✅ MSRV declared in Cargo.toml" >> $GITHUB_STEP_SUMMARY