infra: slim the keyring dependency (keyring meta-crate -> keyring-core + one store/OS)

keyring 4's `keyring` meta-crate has no feature gating and compiles every
platform credential backend for the target. On Linux that dragged in the zbus
async stack, a redundant libdbus secret-service, the keyutils store, a
sqlite/zstd db-keystore, and OpenSSL (~290 crates in its subtree) — a real cost
on the RAM/CPU-constrained CI runner building with CARGO_BUILD_JOBS=1.

Depend on keyring-core (the API) + exactly one store crate per OS instead:
- macOS  -> apple-native-keyring-store (keychain feature)
- Linux  -> dbus-secret-service-keyring-store (crypto-rust; libdbus, no openssl)

oauth.rs registers the per-target store as the keyring-core default itself
(replacing keyring::use_native_store). Runtime behavior is unchanged (tokens
still go to the macOS Keychain / Linux Secret Service).

hephd's Linux dependency graph: 401 -> 235 crates (-166), dropping the zbus
ecosystem and two C builds (zstd-sys, plus the redundant secret-service path).

macOS builds + the full suite are green here (228 tests, clippy -D warnings,
fmt, prek); the Linux store path is CI-verified (API confirmed from source).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Cargo.toml

@@ -41,8 +41,15 @@ clap = { version = "4", features = ["derive"] }
 ratatui = "0.30"
 axum = "0.8"
 jsonwebtoken = { version = "10", features = ["rust_crypto"] }
-keyring = { version = "4" }
+# keyring 4's `keyring` meta-crate compiles *every* platform credential backend
+# for the target (on Linux: the zbus + libdbus secret-service stacks, keyutils,
+# and a sqlite/zstd db-keystore — ~290 crates). We use exactly one backend per
+# platform, so depend on keyring-core (the API) + a single store crate per OS.
 keyring-core = "1"
+apple-native-keyring-store = { version = "1", features = ["keychain"] }
+dbus-secret-service-keyring-store = { version = "1", features = [
+  "crypto-rust",
+] }
 ureq = { version = "3", features = ["json"] }
 reqwest = { version = "0.13", default-features = false, features = [
   "json",

crates/hephd/Cargo.toml

@@ -29,11 +29,18 @@ tracing-subscriber.workspace = true
 clap.workspace = true
 axum.workspace = true
 jsonwebtoken.workspace = true
-keyring.workspace = true
 keyring-core.workspace = true
 reqwest.workspace = true
 ureq.workspace = true
 
+# The OS credential backend that `oauth.rs` registers as the keyring-core
+# default store — exactly one per platform, not the whole keyring meta-crate.
+[target.'cfg(target_os = "macos")'.dependencies]
+apple-native-keyring-store.workspace = true
+
+[target.'cfg(target_os = "linux")'.dependencies]
+dbus-secret-service-keyring-store.workspace = true
+
 [dev-dependencies]
 tempfile = "3"
 # Auth tests generate a throwaway RSA key + JWKS at runtime (no key in the repo).

crates/hephd/src/oauth.rs

@@ -89,16 +89,24 @@ impl KeyringTokenStore {
     }
 
     fn entry(&self) -> Result<keyring_core::Entry, AuthError> {
-        // keyring 4 splits the cross-platform `Entry`/`Error` types into
-        // `keyring_core` and requires a credential store to be registered
-        // before any entry is built. Register the OS-native store once,
-        // lazily, on first use (idempotent across both surfaces).
+        // keyring-core holds the cross-platform `Entry`/`Error` types but no
+        // backend — a credential store must be registered before any entry is
+        // built. Register the OS-native store once, lazily, on first use
+        // (idempotent across both surfaces). We register a single backend per
+        // platform (macOS Keychain / Linux Secret Service) rather than pulling
+        // the `keyring` meta-crate, which compiles every backend at once.
         static NATIVE_STORE: std::sync::Once = std::sync::Once::new();
         NATIVE_STORE.call_once(|| {
-            // `not_keyutils = true`: on Linux prefer the Secret Service over
-            // the kernel keyutils store, which is wiped on logout/reboot and
-            // would silently drop a persisted login token.
-            let _ = keyring::use_native_store(true);
+            #[cfg(target_os = "macos")]
+            if let Ok(store) = apple_native_keyring_store::keychain::Store::new() {
+                keyring_core::set_default_store(store);
+            }
+            // The D-Bus Secret Service (not the kernel keyutils store, which is
+            // wiped on logout/reboot and would silently drop a persisted token).
+            #[cfg(target_os = "linux")]
+            if let Ok(store) = dbus_secret_service_keyring_store::Store::new() {
+                keyring_core::set_default_store(store);
+            }
         });
         keyring_core::Entry::new(&self.service, &self.account)
             .map_err(|e| AuthError::Provider(e.to_string()))

docs/changelog.d/+keyring-slim.infra.md

@@ -0,0 +1 @@
+Slimmed the credential-keyring dependency to cut CI compile time. keyring 4's `keyring` meta-crate compiles *every* platform backend for the target — on Linux that pulled the zbus async stack, a redundant libdbus secret-service, the kernel keyutils store, a SQLite/zstd `db-keystore`, and OpenSSL (~290 crates in its subtree). Replaced it with `keyring-core` (the API) plus a single store per OS — macOS Keychain (`apple-native-keyring-store`), Linux Secret Service (`dbus-secret-service-keyring-store`, pure-Rust crypto) — registered directly in `oauth.rs`. hephd's Linux dependency graph drops from **401 to 235 crates** (−166), removing the zbus stack and two C builds. Runtime behavior is unchanged.