Part of #32: Security Hardening - API Key Storage and Input Sanitization
Scope
Replace plaintext API key storage in NbPreferences with encrypted storage using the NetBeans Keyring API or an equivalent secure mechanism.
What to do
- Audit current API key storage across all 9 AI modules (find all
NbPreferences.forModule(...) calls storing API keys)
- Replace with
org.netbeans.api.keyring.Keyring for secure storage
- Implement a migration path: on first launch after upgrade, read existing plaintext keys, store them in keyring, and remove plaintext entries
- Ensure the settings UI reads/writes keys via the keyring API
- If Keyring API is not available on all platforms, provide a fallback with at-rest encryption (AES with a platform-derived key)
Acceptance criteria
- API keys are never stored in plaintext in NbPreferences
- Existing users' keys are migrated transparently on upgrade
- Settings panels still allow viewing/editing API keys (masked input)
- Keys are retrievable by the AI clients at runtime
Part of #32: Security Hardening - API Key Storage and Input Sanitization
Scope
Replace plaintext API key storage in NbPreferences with encrypted storage using the NetBeans Keyring API or an equivalent secure mechanism.
What to do
NbPreferences.forModule(...)calls storing API keys)org.netbeans.api.keyring.Keyringfor secure storageAcceptance criteria