chore: enable SecretString and overflow checks for security

API keys now stored as `secrecy::SecretString` with memory zeroed on
drop and `[REDACTED]` in debug output. Release profile updated to `lto =
"fat"`, `strip = "symbols"`, and `overflow-checks = true` for ANSSI-FR
compliance.

Author: Sephyi

CHANGELOG.md

@@ -39,6 +39,8 @@ All notable changes to CommitBee are documented here.
 
 - **API key validation ordering** — `set-key`, `get-key`, `init`, `config`, `completions`, and `hook` commands no longer require an API key to be present. CLI `--provider` flag now applies before keyring lookup.
 - **Platform-native keyring backends** — keyring v3 now uses macOS Keychain (`apple-native`), Windows Credential Manager (`windows-native`), and Linux Secret Service (`linux-native`) instead of a mock file-based backend.
+- **SecretString for API keys** — API keys stored as `secrecy::SecretString` in Config and provider structs. Memory zeroed on drop, never exposed except at HTTP header insertion.
+- **Overflow checks in release builds** — `overflow-checks = true` added to release profile for ANSSI-FR compliance.
 
 ### Testing
 

CLAUDE.md

@@ -198,6 +198,7 @@ When adding or modifying LLM providers (`src/services/llm/`), every provider mus
 5. **Zero-allocation streaming** — parse from `&line_buffer[..newline_pos]` slices, then `drain(..=newline_pos)` instead of allocating new Strings per line
 6. **Shared system prompt** — use `super::SYSTEM_PROMPT`, never duplicate prompt text
 7. **CancellationToken** — check in `tokio::select!` loop alongside stream chunks
+8. **SecretString for API keys** — store as `secrecy::SecretString`, expose only via `.expose_secret()` at HTTP header insertion. Never log, Debug, or Display the raw key.
 
 ### Commit Type Conventions
 

Cargo.toml

@@ -128,8 +128,8 @@ all-languages = [
 ]
 
 [profile.release]
-lto = true
-strip = true
+lto = "fat"
+strip = "symbols"
 codegen-units = 1
 overflow-checks = true
 

DOCS.md

@@ -356,17 +356,20 @@ export ANTHROPIC_API_KEY=sk-ant-...
 
 ### Secure Key Storage
 
-If built with the `secure-storage` feature, CommitBee can store API keys in your OS keychain using platform-native backends (macOS Keychain, Windows Credential Manager, Linux Secret Service):
+API keys are stored as `secrecy::SecretString` — memory is zeroed on drop and keys show as `[REDACTED]` in debug output. Keys are only exposed at the HTTP header insertion point.
+
+The `secure-storage` feature (enabled by default) stores keys in your OS keychain using platform-native backends (macOS Keychain, Windows Credential Manager, Linux Secret Service):
 
 ```bash
-cargo install commitbee --features secure-storage
 commitbee config set-key openai      # Prompts for key, stores in keychain
 commitbee config set-key anthropic   # Same for Anthropic
 commitbee config get-key openai      # Check if key exists
 ```
 
 Key lookup order: CLI `--provider` flag → config file → environment variable → keychain. The `set-key` and `get-key` commands do not require an API key to already be configured.
 
+To build without keychain support: `cargo install commitbee --no-default-features --features all-languages`
+
 ## ✂️ Commit Splitting
 
 One of CommitBee's standout features. When your staged changes contain logically independent work, CommitBee detects this and offers to create separate commits.

PRD.md

@@ -6,18 +6,19 @@ SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-Commercial
 
 # CommitBee — Product Requirements Document
 
-**Version**: 5.1
+**Version**: 5.2
 **Date**: 2026-03-28
 **Status**: Active  
 **Author**: [Sephyi](https://github.com/Sephyi) + [Claude Opus 4.6](https://www.anthropic.com/news/claude-opus-4-6)  
 
 ## Changelog
 
 <details>
-<summary>Revision history (v3.3 → v5.1)</summary>
+<summary>Revision history (v3.3 → v5.2)</summary>
 
 | Version | Date       | Summary |
 | ------- | ---------- | ------- |
+| 5.2     | 2026-03-28 | Security hardening: `secrecy::SecretString` for API keys (F-004), overflow-checks in release profile (F-001). Updated SR-002, DR-005, DR-006. |
 | 5.1     | 2026-03-28 | fix: keyring platform-native backends, API key validation ordering for set-key command. Updated FR-019 and SR-002. |
 | 5.0     | 2026-03-28 | PRD structural overhaul: removed stale §3.1 Resolved Issues (all v0.2.0), removed Dependency Status table, removed dead ORCommit references. Updated §2 competitive landscape for 2026 (added IDE-native competitors: GitHub Copilot Desktop, Cursor, Windsurf; updated star counts; refreshed feature matrix). Updated §3 codebase structure (added diff.rs, differ.rs, progress.rs). Updated PE-001/PE-002 with v0.6.0 prompt sections (STRUCTURED CHANGES, IMPORTS, RELATED FILES, INTENT). Updated PR-005 with adaptive budget. Added v0.6.0 feature section §4.6 (FR-064–FR-072). Renumbered Future to §4.7. |
 | 4.4     | 2026-03-27 | Added future requirements from audit: FR-073 (move detection), FR-074 (AST-based splitting), FR-075 (configurable categorization), TR-008 (LLM quality testing), PE-007 (token-accurate budgets). |
@@ -548,6 +549,7 @@ Allow users to define custom file category patterns in config (e.g., `[categoriz
 
 ### SR-002: API Key Management
 
+- **In-memory protection**: API keys stored as `secrecy::SecretString` in Config and provider structs — memory zeroed on drop, `[REDACTED]` in Debug output, only exposed at HTTP header insertion via `.expose_secret()`
 - System keychain via `keyring` with platform-native backends: `apple-native` (macOS Keychain), `linux-native` (Linux Secret Service), `windows-native` (Windows Credential Manager)
 - Environment variable fallback
 - Never stores keys in plaintext config
@@ -795,8 +797,9 @@ bash, zsh, fish, powershell via `clap_complete`. Documented installation per she
 [profile.release]
 lto = true
 strip = true
-codegen-units = 1
 opt-level = "z"  # or "s" — benchmark both
+codegen-units = 1
+overflow-checks = true  # ANSSI-FR compliance
 ```
 
 ### DR-006: Feature Flags