
Add macOS Keychain vault type #483

@bixu

Description

Problem

On macOS, the system Keychain is the native and most convenient way to store secrets. Currently, swamp supports AWS Secrets Manager, Azure Key Vault, 1Password, and local encryption vaults, but there is no option to use the macOS Keychain. Users on macOS who don't use 1Password or a cloud secret manager must fall back to local file encryption, which is less integrated with the OS security model.

Proposed Solution

Add a new vault type (e.g., macos-keychain) that stores and retrieves secrets using the macOS Keychain via the security CLI or the Security framework. This would:

  • Use the login keychain by default, with an option to specify a custom keychain
  • Store secrets as generic passwords keyed by a service name (e.g., swamp/<vault-name>) and account name (the secret key)
  • Support put and get operations like other vault types
  • Leverage existing keychain access controls (Touch ID, password prompts) for authentication

Alternatives Considered

  • local_encryption vault: Works but doesn't integrate with macOS security features (Touch ID, keychain syncing, lock-on-sleep)
  • 1Password vault: Requires a 1Password subscription and the op CLI
  • Wrapping security CLI in a shell model: Goes against the swamp design philosophy of using dedicated extension models over shell wrappers

Additional Context

The security CLI (/usr/bin/security) is available on all macOS installations and supports adding/finding/deleting generic passwords programmatically. A Deno-based implementation could also use Deno.Command to call security find-generic-password and security add-generic-password.
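The vault layout the issue proposes, written out as an added example (this is not swamp's own code, nor code posted by @bixu). The names KeychainVault, Runner, getArgs, putArgs, deleteArgs and NOT_FOUND_EXIT are assumptions made for the sketch. The process runner is injected so the argument construction and result handling can be exercised off macOS; the default runner calls Deno.Command (looked up through globalThis) and uses outputSync, so the vault API stays synchronous.

```typescript
// Added example, not swamp project code: a macOS Keychain vault backend on top of
// /usr/bin/security, using service "swamp/<vault-name>" and account "<secret key>".
// All names below (KeychainVault, Runner, NOT_FOUND_EXIT, ...) are hypothetical.

export interface CommandResult {
  code: number;
  stdout: string;
  stderr: string;
}

// Runs a command to completion and returns its exit status and decoded output.
export type Runner = (cmd: string, args: string[]) => CommandResult;

export const SECURITY_BIN = "/usr/bin/security";

// /usr/bin/security surfaces errSecItemNotFound as exit status 44.
export const NOT_FOUND_EXIT = 44;

export interface KeychainVaultOptions {
  vaultName: string;     // swamp vault name; becomes the service "swamp/<vault-name>"
  keychainPath?: string; // optional custom keychain; omitted means the login keychain
  run?: Runner;          // defaults to denoRunner
}

// Reject names that would make the CLI invocation ambiguous or unparseable.
function requireName(kind: string, value: string): void {
  if (value.length === 0 || /[\r\n\0]/.test(value)) {
    throw new Error(`invalid ${kind}: ${JSON.stringify(value)}`);
  }
}

export function serviceName(vaultName: string): string {
  requireName("vault name", vaultName);
  return `swamp/${vaultName}`;
}

// `security find-generic-password -s <service> -a <account> -w [keychain]`;
// -w prints only the password. A custom keychain is a trailing positional argument.
export function getArgs(vaultName: string, key: string, keychainPath?: string): string[] {
  requireName("key", key);
  const args = ["find-generic-password", "-s", serviceName(vaultName), "-a", key, "-w"];
  if (keychainPath) args.push(keychainPath);
  return args;
}

// `security add-generic-password -U ... -w <value> [keychain]`; -U updates an existing
// item in place. Caveat: the value travels on the command line, so it is briefly
// visible to `ps` on the same machine.
export function putArgs(vaultName: string, key: string, value: string, keychainPath?: string): string[] {
  requireName("key", key);
  const args = ["add-generic-password", "-U", "-s", serviceName(vaultName), "-a", key, "-w", value];
  if (keychainPath) args.push(keychainPath);
  return args;
}

export function deleteArgs(vaultName: string, key: string, keychainPath?: string): string[] {
  requireName("key", key);
  const args = ["delete-generic-password", "-s", serviceName(vaultName), "-a", key];
  if (keychainPath) args.push(keychainPath);
  return args;
}

// Default runner on Deno.Command; resolved via globalThis so the module also loads elsewhere.
export const denoRunner: Runner = (cmd, args) => {
  const deno = (globalThis as { Deno?: any }).Deno;
  if (!deno) throw new Error("denoRunner requires the Deno runtime");
  const out = new deno.Command(cmd, { args, stdout: "piped", stderr: "piped" }).outputSync();
  const dec = new TextDecoder();
  return { code: out.code, stdout: dec.decode(out.stdout), stderr: dec.decode(out.stderr) };
};

export class KeychainVault {
  private readonly vaultName: string;
  private readonly keychainPath?: string;
  private readonly run: Runner;

  constructor(opts: KeychainVaultOptions) {
    this.vaultName = opts.vaultName;
    this.keychainPath = opts.keychainPath;
    this.run = opts.run ?? denoRunner;
  }

  // Returns the secret, or undefined when the keychain holds no such item.
  get(key: string): string | undefined {
    const r = this.run(SECURITY_BIN, getArgs(this.vaultName, key, this.keychainPath));
    if (r.code === NOT_FOUND_EXIT) return undefined;
    if (r.code !== 0) throw new Error(`security exited ${r.code}: ${r.stderr.trim()}`);
    // -w terminates the value with one newline that is not part of the secret.
    return r.stdout.endsWith("\n") ? r.stdout.slice(0, -1) : r.stdout;
  }

  put(key: string, value: string): void {
    const r = this.run(SECURITY_BIN, putArgs(this.vaultName, key, value, this.keychainPath));
    if (r.code !== 0) throw new Error(`security exited ${r.code}: ${r.stderr.trim()}`);
  }

  // Returns false when there was nothing to delete.
  delete(key: string): boolean {
    const r = this.run(SECURITY_BIN, deleteArgs(this.vaultName, key, this.keychainPath));
    if (r.code === NOT_FOUND_EXIT) return false;
    if (r.code !== 0) throw new Error(`security exited ${r.code}: ${r.stderr.trim()}`);
    return true;
  }
}
```

The Keychain access control the issue wants to lean on comes for free with this layout: items created through `security` are ACL-protected keychain items, so a locked keychain or a Touch ID / password policy on it prompts the user on `get` rather than the vault code having to implement anything. The one thing to keep in mind is that `add-generic-password -w <value>` exposes the secret in the process argument list for the duration of the call, which the local_encryption and 1Password paths do not.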

Labels: feature (Feature request)