Rewrite persistence to use Windows / macOS / Linux native keyrings

[matt-edmondson]

Audit findings

This branch is the result of an audit-and-finish pass on the library. The headline issues found on main:

1. README lied about security. It claimed the cache "encrypts sensitive credentials using platform-specific security features" — the actual implementation serialised credentials as plaintext JSON to %APPDATA%/ktsu/CredentialCache via ktsu.PersistenceProvider. There was no encryption anywhere.
2. Couldn't restore. CredentialCache.csproj inherited TargetFrameworks=net5..10;netstandard2.0;netstandard2.1 from ktsu.Sdk but every upstream ktsu.*Provider dep only ships net9.0/net10.0. dotnet restore failed on every non-net9/10 TFM.
3. Upstream namespaces had drifted. ktsu.UniversalSerializer.Json.JsonSerializer had moved to ktsu.UniversalSerializer.Services.Json.JsonSerializer; FileSystemProvider's ctor now requires options. The library no longer even compiled against the pinned packages.
4. README documented an API that doesn't exist. UsernamePasswordCredential, ApiKeyCredential, OAuthCredential, CertificateCredential, CredentialCacheOptions, Store/Get/TryGet/Contains/Remove/Clear, expiration — none of it was real. The real surface is a CredentialCache.Instance singleton over PersonaGUID keys.
5. Tests polluted user state. With no isolation hook, tests ran against the singleton's default disk provider and accumulated credentials in the real user AppData on every run.
6. CI was Windows-only. Despite shipping as a cross-platform library, runs-on: windows-latest was the only matrix entry.

What's in this PR

New persistence layer (Storage/)

Platform	Implementation	API
Windows	WindowsCredentialStore	advapi32.dll — CredReadW / CredWriteW / CredDeleteW / CredEnumerateW
macOS	MacOsCredentialStore	Security.framework — SecKeychainAddGenericPassword / Find / ModifyAttributesAndData / Delete
Linux	LinuxSecretServiceCredentialStore	libsecret-1.so.0 — secret_password_store_sync / lookup_sync / clear_sync
opt-out	InMemoryCredentialStore	for tests and headless CI agents

Each PersonaGUID becomes its own entry in the OS keyring (service-scoped). CredentialStoreFactory.CreateDefault() picks the right one for the current RuntimeInformation.IsOSPlatform(...) and throws PlatformNotSupportedException otherwise. CredentialStoreException wraps native failures with the underlying Win32Exception/status code.

CredentialCache refactor

• New public constructor CredentialCache(ICredentialStore) for DI and tests.
• Kept the Instance singleton (lazy + thread-safe) for back-compat, but it now resolves its store via CredentialStoreFactory.CreateDefault() instead of hard-wiring the broken AppDataPersistenceProvider.
• Added Remove(PersonaGUID), Dispose() that doesn't double-flush, and ResetSingletonForTesting() so tests stop polluting user AppData.
• Renamed ConfigurePersistenceProvider → ConfigureStore to match the new abstraction.
• TryGet now falls through to the backing store on a miss, populating the in-memory cache.

Serialization

• Dropped ktsu.AppDataStorage / ktsu.FileSystemProvider / ktsu.PersistenceProvider / ktsu.UniversalSerializer (broken upstream surface).
• New public CredentialSerialization helper using System.Text.Json + [JsonPolymorphic] directly.
• Wired in ktsu.RoundTripStringJsonConverterFactory so SemanticString<T> values (CredentialToken, CredentialUsername, CredentialPassword, PersonaGUID) round-trip as JSON strings — without it, STJ treats them as IEnumerable<char> and explodes on deserialize.

Project & CI

• Constrained TargetFrameworks to net9.0;net10.0 (the only TFMs the remaining deps actually publish for).
• New .github/workflows/cross-platform.yml: build + test matrix on ubuntu-latest / windows-latest / macos-latest with libsecret-1-0 installed on Linux. The existing publish-oriented dotnet.yml is untouched.
• Test project sets UseAppHost=false so distro-specific Microsoft.NETCore.App.Host.{rid} packages aren't required at restore time.

Tests

• Every test now constructs its own CredentialCache over a fresh InMemoryCredentialStore — no shared singleton, no disk writes.
• Migrated Assert.ThrowsException<> → Assert.Throws<> for MSTest 4.x.
• Added: backing-store round-trip, Remove across both layers, Dispose semantics, null-store guard, singleton store-injection behaviour, and a polymorphic JSON round-trip for every Credential subclass.
• All 17 tests pass locally on Linux.

Platform caveats (also documented in README)

• Windows Credential Manager caps the credential blob at 2560 bytes; oversized credentials throw CredentialStoreException.
• Linux needs libsecret-1 installed and a running Secret Service (gnome-keyring / KWallet bridge / KeePassXC / …). Headless CI agents typically have neither — use InMemoryCredentialStore.
• macOS uses the default login keychain and will prompt the user the first time the app accesses it.
• EnumerateKeys() is fully implemented on Windows. macOS/Linux currently return an empty sequence (the modern SecItemCopyMatching / secret_search_sync paths need substantial CoreFoundation / GLib marshalling for a use case most consumers can serve by tracking persona GUIDs themselves).

Test plan

• dotnet build CredentialCache.sln — clean on net9.0 + net10.0 (3 SourceLink warnings only).
• dotnet test on Linux — 17/17 pass.
• CI matrix run against Linux / macOS / Windows runners.
• Manual smoke test that WindowsCredentialStore writes into the real Credential Manager (cannot exercise from CI sandbox).
• Manual smoke test of MacOsCredentialStore against the login keychain.
• Manual smoke test of LinuxSecretServiceCredentialStore against gnome-keyring or equivalent.

https://claude.ai/code/session_017B9mN9F7C3pWGZRyoKBd6R

---

Generated by Claude Code