feat(auth): use OS keyring in bundle distributions

[l2ysho]

Closes #1170.

Problem

The OS-keyring storage from #1148 works for npm install -g apify-cli but not for the bundle distributions (install-cli.sh / install-cli.ps1), which are built with Bun's --compile. The @napi-rs/keyring wrapper loads its native .node via createRequire(__filename)('@napi-rs/keyring-<platform>'), and --compile doesn't follow that indirection — so no native module gets embedded and bundle users silently fall back to plaintext file storage (token in cleartext) even with a working keyring present.

Fix — embed one platform subpackage per bundle

Bun's docs: "the .node file must be directly required or it won't bundle correctly." Only a literal dynamic import('@napi-rs/keyring-<platform>') embeds and runs; static imports fail to bundle or crash with __require is not defined, and createRequire isn't bundled at all.

• scripts/build-cli-bundles.ts — a placeholder keyring specifier stays external in the fat-JS step so the literal import() survives, then is rewritten per target to @napi-rs/keyring-<platform> before --compile resolves and embeds that one .node. Rewrite runs once per subpackage (baseline variants share their sibling's). Build throws if the placeholder is missing, so a bundle can never silently ship with plaintext fallback.
• src/lib/credentials.ts — imports the placeholder in bundle mode (useCLIMetadata().installMethod === 'bundle') and the @napi-rs/keyring wrapper otherwise. Fallback/migration behavior unchanged.
• pnpm-workspace.yaml — supportedArchitectures so every target's native subpackage installs at build time. Affects only pnpm install in this repo; npm consumers and the shipped bundle are unaffected.
• src/lib/typings/keyring-native-subpackage.d.ts — ambient declaration so tsc/oxlint accept the placeholder specifier.
• src/commands/auth/login.ts — drops the now-obsolete "install via npm for keyring" hint.

Verification

Compiled the real credentials.ts into a bun-linux-arm64 bundle, ran against real D-Bus + gnome-keyring:

1. ✅ Legacy plaintext auth.json migrates → secretsBackend: "keyring", token removed, proxy password stripped.
2. ✅ Token + proxy password discoverable under service com.apify.cli from another process (secret-tool search).
3. ✅ No working keyring → graceful fallback to secretsBackend: "file", no crash.
4. ✅ npm path unchanged — 23/23 credential tests pass.

lint, format, build, tsc green.

Note for reviewers

Criteria 1 & 2 were validated in a hand-rolled keyring environment; a sanity check on a real macOS/Windows/Linux desktop with pnpm run build-bundles is worth doing before release.

[l2ysho]

This is the main hack, --compile (bun) skipped napi-rs due to its dynamic require shenanigans -> we provide literal for specific bundle which is shipped as external subpackage (per arch).

https://bun.com/docs/bundler/executables

[l2ysho]

Testing bundles in progress, but feel free to review.

[patrikbraborec]

I did review using Claude Code and Fable 5. Here is the one thing that might be interesting:

In build-cli-bundles.ts, the keyring rewrite was inserted after the Windows ARM64 special case that overrides arch = 'arm64'. CI has a windows-11-arm matrix job, so this path is live. Those bundles are still compiled with target: 'bun-windows-x64' — the output is an x64 PE that runs under x64 emulation on ARM64 Windows. The rewrite, however, computes keyringSubpackage('windows', 'arm64', …) → @napi-rs/keyring-win32-arm64-msvc, a plain ARM64 DLL. An x64 process (even emulated on ARM64 Windows) can only load x64 or ARM64EC DLLs, so LoadLibrary will fail, the dynamic import throws, and the code falls back to file storage — recreating the exact plaintext-fallback bug this PR fixes, for Windows ARM users only. Fix: capture the target's declared arch before the override (or move the rewrite above the override block) so these bundles embed win32-x64-msvc, which loads fine under emulation. It degrades gracefully today, so this isn't a blocker, but it's a two-line fix and otherwise the issue will be invisible until someone debugs it again.

[vladfrangu]

Ocne we merge my PR for unified CLI bundles the arm64 Windows remark won't matter anyways, so lets deal with that first

[DaveHanns]

Few nits, suggestions and questions.
Great job otherwise 🚀

[DaveHanns]

Q: in detectInstallMethod, we first check if (process.env.APIFY_CLI_MARKED_INSTALL_METHOD) {.

Once we publish bundled versions to NPM, the APIFY_CLI_MARKED_INSTALL_METHOD will be npm, but the underlying source will be bundle, right?

That will break this check AFAIK 🤔

[l2ysho]

bundles are not shiped to npm, install.sh download them from release artefacts -> https://github.com/apify/apify-cli/releases/tag/v1.6.2

[DaveHanns]

Yeah, now they are not shipped through npm, but, and correct me if I'm wrong, there either was or still is a plan to ship bundles through npm instead of plain JS.

At least the comment above following check in function detectInstallMethod() indicates so:

	// Will be useful once npm versions move to running from bundles (and for testing)
	if (process.env.APIFY_CLI_MARKED_INSTALL_METHOD) {
		return process.env.APIFY_CLI_MARKED_INSTALL_METHOD as InstallMethod;
	}

In such case, the APIFY_CLI_MARKED_INSTALL_METHOD would get set to npm even tho a bundle would be shipped and the affected if (useCLIMetadata().installMethod === 'bundle') { statement would not pass. We would then treat bundle as a plain JS, not applying the workaround this PR introduces.

That being said, I think this is not an issue as the APIFY_CLI_MARKED_INSTALL_METHOD is currently not used / set anywhere really. Let's just get rid of the check in function detectInstallMethod(). We can re-introduce it once it is needed, if ever.

[l2ysho]

Yes I see your point now, lets remove that.

[DaveHanns]

Nit: @napi-rs/keyring exports Entry. Re-export should be possible and avoid type drift (if the upstream Entry in @napi-rs/keyring ever change).

Suggested change

	export class Entry {
	constructor(service: string, account: string);
	getPassword(): string | null;
	setPassword(password: string): void;
	deletePassword(): boolean;
	}
	export { Entry } from '@napi-rs/keyring';

[l2ysho]

this is intentional, the placeholder resolves to the @napi-rs/keyring- native subpackage, which ships no .d.ts

I will update that commentary about this information.

[DaveHanns]

Yeah, my point was that the '@napi-rs/keyring' exports Entry and it should be possible to simply re-export it from here as a type without having to "mirror" the Entry with hand written class 🤔 That way, if the Entry ever changes upstream, we get the update for free.

So, we keep the keyring-native-subpackage.d.ts, but its content would be just:

export type { Entry } from '@napi-rs/keyring';

or

export { Entry } from '@napi-rs/keyring';

Should be alright, AFAIK. Not tested tho.
That being said, it is just a nit, so feel free to ignore.

[l2ysho]

I remember I was fighting any in some point, but I tried reexport now and all 🟢

[DaveHanns]

Important: if, for any reason, the if (subpackage !== writtenSubpackage) { never passes, the proxy-agent patch at line 126 is now dropped (never written) as well.

Should not happen, AFAIK, but good to keep in mind and maybe future-proof.

[l2ysho]

good catch 👍

[DaveHanns]

LGTM 👍