feat: Add cross-platform credential store for secure connection string management

Store database credentials in OS keychain (Windows Credential Manager,
macOS Keychain, Linux libsecret) via `credentials add/list/remove` subcommand.
Connection strings without explicit credentials auto-inject stored values,
eliminating passwords from CLI args, config files, and process lists.
Centralizes connection string normalization into ConnectionStringHelper.Resolve()
across all 5 entry points. Mitigates STRIDE findings I-1 and I-2.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: stevehansen

CLAUDE.md

@@ -99,6 +99,22 @@ Conditionally compiled (`#if !RELEASELIBRARY`) alongside the Optimize subsystem.
 - **Derived table flattening**: When `FlattenDerivedTables` is enabled, `DerivedTableFlattener` runs as a post-processing step after stripping. It replaces eligible `QueryDerivedTable` nodes with their inner `FROM` tree (single table or JOIN tree), rewrites column references, and merges WHERE clauses. Uses `OuterScopeColumnReferenceCollector` that stops at `QueryDerivedTable` boundaries to prevent corrupting shared AST object references.
 - **`ParametersToIgnore`**: Maps SQL functions (e.g., DATEADD) to parameter indexes that should be excluded from column reference analysis.
 
+### Credential subsystem (`Optimize/` directory)
+
+Conditionally compiled (`#if !RELEASELIBRARY`) alongside the Optimize subsystem.
+
+22. **ICredentialStore** — Interface for platform-specific credential storage. Defines `Store()`, `Retrieve()`, `Remove()`, and `List()`. `StoredCredential` holds username + password. `CredentialStoreFactory.Create()` returns the platform-appropriate implementation (or null with a warning). `CredentialStoreFactory.BuildKey()` normalizes server/database into a `"server\database"` key (lowercase, trimmed).
+
+23. **WindowsCredentialStore** — P/Invoke to `advapi32.dll` (Credential Manager). Uses `CRED_TYPE_GENERIC` with target prefix `"sqlinliner:"`. Username in `CREDENTIAL.UserName`, password as UTF-16 bytes in `CredentialBlob`. `List()` uses `CredEnumerate("sqlinliner:*")`.
+
+24. **MacCredentialStore** — Wraps macOS `security` CLI (Keychain). Uses a JSON index file (`~/.sqlinliner/credentials.json`) for username lookup and listing (no passwords in index).
+
+25. **LinuxCredentialStore** — Wraps `secret-tool` CLI (libsecret). Uses a JSON index file (`~/.sqlinliner/credentials.json`) for username lookup and listing. Constructor checks for `secret-tool` availability with install instructions.
+
+26. **ConnectionStringHelper** — Static `Resolve(connectionString, store)` method that replaces the duplicated `SqlConnectionStringBuilder` normalization blocks across all 5 entry points. Sets `ApplicationName`, injects stored credentials if no explicit credentials or Integrated Security, falls back to Integrated Security.
+
+27. **CredentialsCommand** — System.CommandLine subcommand (`credentials`) with `add`, `list`, and `remove` sub-commands. `add` prompts for username/password with masked input. `list` displays server/database/username table (never shows passwords). `remove` deletes from the OS credential store. Does not take `configOption`.
+
 ## Testing Patterns
 
 Tests use **NUnit** with **Shouldly** assertions. The standard pattern:

README.md

@@ -514,6 +514,69 @@ Two tables are displayed:
 
 Plus a summary of views skipped because they have no nested view references.
 
+## Credential management
+
+The `credentials` subcommand stores database credentials in your OS credential store (Windows Credential Manager, macOS Keychain, or Linux libsecret). This eliminates the need to put passwords in connection strings, CLI arguments, or config files.
+
+### Storing credentials
+
+```bash
+# Store credentials (prompts for password with masked input)
+sqlinliner credentials add -s myserver -d mydb -u myuser
+
+# Store with prompted username too
+sqlinliner credentials add -s myserver -d mydb
+```
+
+### Auto-injection
+
+Once credentials are stored, connection strings without explicit credentials will automatically use the stored values:
+
+```bash
+# Password-free connection string — credentials auto-injected from store
+sqlinliner -cs "Server=myserver;Database=mydb" -vn dbo.VHeavy
+
+# Also works with subcommands
+sqlinliner validate -cs "Server=myserver;Database=mydb"
+sqlinliner optimize -cs "Server=myserver;Database=mydb"
+```
+
+The resolution order is:
+1. Explicit `User Id` and `Password` in the connection string — used as-is
+2. `Integrated Security=true` in the connection string — used as-is
+3. Stored credentials matching the server/database — injected automatically
+4. Fallback — `Integrated Security=true` (Windows Authentication)
+
+### Listing and removing credentials
+
+```bash
+# List all stored credentials (passwords are never shown)
+sqlinliner credentials list
+
+# Remove stored credentials
+sqlinliner credentials remove -s myserver -d mydb
+```
+
+### Config files without passwords
+
+With the credential store, config files can omit passwords entirely:
+
+```json
+{
+    "connectionString": "Server=myserver;Database=mydb"
+}
+```
+
+### Platform support
+
+| Platform | Backend |
+|----------|---------|
+| Windows | Credential Manager (advapi32.dll) |
+| macOS | Keychain (`security` CLI) |
+| Linux | libsecret (`secret-tool` CLI) |
+
+On Linux, `secret-tool` must be installed (`sudo apt install libsecret-tools` on Ubuntu/Debian).
+
 ## Feature details
 
 ### Column stripping

STRIDE.md

@@ -5,7 +5,7 @@
 | Field | Value |
 |-------|-------|
 | Application | sql-inliner |
-| Version | v1 |
+| Version | v2 |
 | Created | 2026-02-28 |
 | Last Updated | 2026-02-28 |
 | Next Review | 2029-02-28 |
@@ -147,17 +147,18 @@ sql-inliner is a .NET CLI tool and NuGet library that optimizes SQL Server views
 
 | ID | Threat | Attack Path | Likelihood | Impact | Score | Mitigation |
 |----|--------|-------------|------------|--------|-------|------------|
-| I-1 | Connection string exposure via CLI arguments | `--connection-string` visible in process list, shell history, CI/CD logs | 3 | 3 | **9** | **Partially mitigated.** Config file and environment-based alternatives exist, but CLI still accepts plaintext. No built-in redaction. |
-| I-2 | Connection strings in config files | `sqlinliner.json` stores connection strings with embedded passwords; file not gitignored by default | 3 | 3 | **9** | **Partially mitigated.** Users can use Windows Authentication (no password). Config file not gitignored — could be committed accidentally. |
+| I-1 | Connection string exposure via CLI arguments | `--connection-string` visible in process list, shell history, CI/CD logs | 3 | 3 | **9** | **Mitigated.** Built-in credential store stores credentials in OS keychain (Windows Credential Manager, macOS Keychain, Linux libsecret). Passwords never appear in CLI args, process lists, or shell history. |
+| I-2 | Connection strings in config files | `sqlinliner.json` stores connection strings with embedded passwords; file not gitignored by default | 3 | 3 | **9** | **Mitigated.** Config files can specify `Server=...;Database=...` without passwords. Credentials injected at runtime from OS credential store. |
 | I-3 | Session files contain view SQL and metadata | Session directories store full view SQL, execution plans, table names, machine/user names | 2 | 2 | 4 | Files are local to the user's machine. Default OS permissions apply. No automatic cleanup. |
 | I-4 | Exception messages may leak paths or SQL | Error messages expose file paths and database errors to the user | 2 | 1 | 2 | Acceptable for a CLI tool. Errors are displayed to the authenticated user only. |
 | I-5 | Benchmark reports contain environment info | HTML reports include `Environment.MachineName`, `Environment.UserName`, database version, table names | 2 | 2 | 4 | Reports are local files. Users should treat them as internal artifacts. |
 
 **Countermeasures:**
+- Built-in credential store (`credentials` subcommand) stores credentials in OS keychain — passwords never appear in CLI args or config files
 - Windows Authentication / Integrated Security eliminates password exposure
+- `ConnectionStringHelper.Resolve()` auto-injects stored credentials at runtime
 - `SqlConnectionStringBuilder` normalizes connection strings (does not add passwords)
 - Session files are local with OS-level access control
-- **Gap:** `sqlinliner.json` is not in `.gitignore` by default — credential leak risk
 - **Gap:** No automatic cleanup of session directories
 
 ### D — Denial of Service
@@ -196,13 +197,13 @@ sql-inliner is a .NET CLI tool and NuGet library that optimizes SQL Server views
 | ID | Threat | Score | Status |
 |----|--------|-------|--------|
 | T-1 | SQL injection via `--view-name` in `DatabaseConnection.cs` | 8 | Mitigated ([#93](https://github.com/stevehansen/sql-inliner/issues/93)) |
-| I-1 | Connection string exposure via CLI arguments | 9 | Partially mitigated |
-| I-2 | Connection strings in config files (not gitignored) | 9 | Partially mitigated |
+| I-1 | Connection string exposure via CLI arguments | 9 | Mitigated (credential store) |
+| I-2 | Connection strings in config files (not gitignored) | 9 | Mitigated (credential store) |
 
 ### Residual Risks
 
 - **T-1 (SQL Injection):** Fixed in [#93](https://github.com/stevehansen/sql-inliner/issues/93). `GetViewDefinition()` and `TryGetRawViewDefinition()` now use Dapper parameterized queries instead of string interpolation.
-- **I-1/I-2 (Credential Exposure):** Connection strings with embedded passwords can leak via process lists, shell history, CI logs, or accidentally committed config files. The recommended approach is Windows Authentication (no password in connection string). Adding `sqlinliner.json` to the `.gitignore` template would reduce the config file risk.
+- **I-1/I-2 (Credential Exposure):** Mitigated by built-in credential store (`credentials` subcommand). Credentials are stored in the OS keychain and auto-injected at runtime. Connection strings in CLI args and config files no longer need embedded passwords.
 
 ## 4. Security Controls Summary
 
@@ -212,7 +213,7 @@ sql-inliner is a .NET CLI tool and NuGet library that optimizes SQL Server views
 | Authorization | Delegates to SQL Server permissions; tool requires VIEW DEFINITION, SELECT, and optionally CREATE/ALTER/DROP VIEW |
 | Input Validation | ScriptDom AST parsing validates SQL structure; `SqlConnectionStringBuilder` validates connection strings |
 | Output Encoding | SQL output generated by `Sql150ScriptGenerator` with proper escaping |
-| Secrets Management | Connection strings via CLI args or config file; no built-in secrets vault integration |
+| Secrets Management | Built-in OS credential store (`credentials` subcommand) for Windows Credential Manager, macOS Keychain, and Linux libsecret; auto-injects stored credentials into connection strings at runtime |
 | Audit Logging | Session logs with timestamps; `validate-errors.log` for batch operations |
 | Error Handling | Exceptions caught at command level; error messages displayed to user |
 | Dependency Security | CodeQL analysis in CI; no known vulnerable dependencies |
@@ -224,6 +225,7 @@ sql-inliner is a .NET CLI tool and NuGet library that optimizes SQL Server views
 | Version | Date | Reviewer | Changes |
 |---------|------|----------|---------|
 | v1 | 2026-02-28 | Claude Code (STRIDE analysis) | Initial threat model |
+| v2 | 2026-02-28 | Claude Code | Mitigated I-1, I-2: Added built-in OS credential store |
 
 ## 6. References