Skip to content

Commit adfdf89

Browse files
committed
[gobby-#15001] fix: make gcode dsn refs broker-only
1 parent 0ab812f commit adfdf89

8 files changed

Lines changed: 119 additions & 266 deletions

File tree

CHANGELOG.md

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,26 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
2222
daemon and CLI together. This compatibility boundary is covered by the
2323
Neo4j-to-FalkorDB Phase 8.3 validation matrix.
2424

25+
## [0.8.4] — gcode
26+
27+
### Changed
28+
29+
#### gcode
30+
31+
- **Broker-only PostgreSQL DSN refs** — `database_url_ref:
32+
keyring:gobby:postgres_database_url` and broker-only generated refs now resolve
33+
only through the local Gobby daemon broker. `gcode` no longer falls back to
34+
native OS Keychain/credential-store reads from short-lived processes; broker
35+
failures return a clear daemon connectivity/auth error. Inline `database_url`
36+
remains supported for explicit daemonless setups.
37+
38+
### Removed
39+
40+
#### gcode
41+
42+
- **Native keyring runtime path** — removed direct `keyring-core` and
43+
platform-keyring-store dependencies from `gobby-code`.
44+
2545
## [0.8.3] — gcode
2646

2747
### Changed

Cargo.lock

Lines changed: 1 addition & 91 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

README.md

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -91,11 +91,11 @@ Cargo feature flags for FalkorDB, Qdrant, or embeddings support.
9191
`~/.gobby/bootstrap.yaml`, requires `hub_backend: postgres`, and resolves the
9292
hub DSN from either `database_url_ref` or inline `database_url`. For
9393
`database_url_ref: keyring:gobby:postgres_database_url`, `gcode` asks the local
94-
daemon broker first and falls back to the native OS keyring. The DSN is not
95-
written to a plaintext runtime file.
96-
If macOS keeps asking for Keychain authorization, check `which -a gcode` and
97-
remove or de-prioritize stale binaries; older installs bypass daemon-brokered
98-
DSN resolution.
94+
daemon broker and fails clearly if the daemon is unavailable. It never reads
95+
the native OS keyring directly. The DSN is not written to a plaintext runtime
96+
file. For explicit daemonless setups, use inline `database_url`.
97+
If macOS keeps asking for Keychain authorization, check `which -a gcode`; stale
98+
binaries from before `0.8.4` can still read Keychain directly.
9999
Installing from source or crates.io requires Rust 1.88+.
100100

101101
### From source

crates/gcode/Cargo.toml

Lines changed: 1 addition & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
[package]
22
name = "gobby-code"
3-
version = "0.8.3"
3+
version = "0.8.4"
44
edition = "2024"
55
rust-version = "1.88"
66
authors = ["Josh Wilhelmi <hello@gobby.ai>"]
@@ -30,7 +30,6 @@ serde_yaml = "0.9"
3030

3131
# Database
3232
postgres = "0.19"
33-
keyring-core = "1"
3433

3534
# Graph backends
3635
falkordb = "0.2"
@@ -85,12 +84,3 @@ tempfile = "3"
8584

8685
[dev-dependencies]
8786
serial_test = "3"
88-
89-
[target.'cfg(target_os = "macos")'.dependencies]
90-
apple-native-keyring-store = { version = "1", features = ["keychain"] }
91-
92-
[target.'cfg(target_os = "linux")'.dependencies]
93-
linux-keyutils-keyring-store = "1"
94-
95-
[target.'cfg(target_os = "windows")'.dependencies]
96-
windows-native-keyring-store = "1"

crates/gcode/README.md

Lines changed: 8 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -96,13 +96,12 @@ Runtime indexing/search requires a migrated Gobby PostgreSQL hub. gcode reads
9696
`~/.gobby/bootstrap.yaml`, requires `hub_backend: postgres`, and resolves the
9797
hub DSN from `database_url_ref` or `database_url`. For
9898
`database_url_ref: keyring:gobby:postgres_database_url`, gcode asks the local
99-
Gobby daemon broker for the DSN first and falls back to the native OS keyring
100-
when the broker is unavailable. The DSN is not written to a plaintext runtime file. The
101-
Gobby daemon process does not need to be running for normal index/search
102-
commands when keyring fallback is available.
103-
If macOS keeps asking for Keychain authorization, check `which -a gcode` and
104-
remove or de-prioritize stale binaries; older installs bypass daemon-brokered
105-
DSN resolution.
99+
Gobby daemon broker for the DSN and fails clearly when the daemon is unavailable.
100+
gcode never reads the native OS keyring directly. The DSN is not written to a
101+
plaintext runtime file. For explicit daemonless setups, use inline
102+
`database_url`.
103+
If macOS keeps asking for Keychain authorization, check `which -a gcode`; stale
104+
binaries from before `0.8.4` can still read Keychain directly.
106105

107106
### With Gobby
108107

@@ -199,9 +198,8 @@ Gobby adds graph queries, graph lifecycle orchestration, semantic search, and in
199198
**Config and secrets are managed.** FalkorDB connection settings, Qdrant API keys, and auth credentials are stored in the shared database and encrypted with Fernet. No env vars to juggle.
200199

201200
**PostgreSQL DSNs stay out of plaintext files.** Isolated gcode runtimes keep
202-
`database_url_ref: keyring:gobby:postgres_database_url`; gcode resolves it
203-
through the daemon broker when available and falls back to the native OS
204-
keyring.
201+
`database_url_ref: daemon:gobby:postgres_database_url`; gcode resolves it
202+
through the daemon broker only.
205203

206204
**Indexing happens automatically.** The Gobby daemon watches for file changes and re-indexes in the background. Without the daemon, run `gcode index` manually.
207205

0 commit comments

Comments
 (0)