feat: Add credential helpers for Docker and pip with custom domain support

This PR adds credential helper infrastructure for Docker and pip package managers,
enabling automatic authentication to Cloudsmith registries without manual login
commands or embedding credentials in URLs.

This builds upon #267 (OIDC authentication) and extends the credential provider
chain to Docker and pip workflows.

## Features

### Docker Credential Helper
- Command: `cloudsmith credential-helper docker`
- Binary: `docker-credential-cloudsmith` (for Docker CLI integration)
- Supports standard domains: `docker.cloudsmith.io`, `*.docker.cloudsmith.io`
- Supports custom vanity domains via API auto-discovery

### Pip Keyring Backend
- Auto-discovered by pip/twine via `keyring.backends` entry point
- Supports standard domains: `python.cloudsmith.io`, `dl.cloudsmith.io`, `*.cloudsmith.sh`
- Supports custom vanity domains via API auto-discovery
- Priority: 9.9 (runs before system keychains)

### Custom Domain Support
- Set `CLOUDSMITH_ORG=my-org` to enable custom domain discovery
- Fetches domains from `GET /orgs/{org}/custom-domains/` API endpoint
- Caches results in `~/.cloudsmith/cache/custom_domains/` for 1 hour
- Automatic, no manual configuration needed

### Shared Architecture
- Both helpers use the same credential provider chain
- Order: Environment Variable → Config File → Keyring → OIDC
- Consistent authentication behavior across all package managers
- Extensible design for future helpers (npm, cargo, maven, etc.)

## Type of Change
- [x] New feature
- [x] Documentation update

## Backward Compatibility
- ✅ Fully backward compatible
- ✅ No breaking changes
- ✅ Existing authentication methods unchanged
- ✅ Optional features - enable by configuration

## Testing

### Manual Testing - Docker

Environment setup:
```bash
$ env | grep CLOUDSMITH_
CLOUDSMITH_ORG=iduffy-demo
CLOUDSMITH_SERVICE_SLUG=default-v9ty

$ stat ~/.cloudsmith/config.ini
stat: cannot stat '/Users/iduffy/.cloudsmith/config.ini': No such file or directory

$ cloudsmith whoami --verbose
Retrieving your authentication status from the API ... OK

User: default (slug: default-v9ty)

Authentication Method: OIDC Auto-Discovery
  Source: OIDC auto-discovery: AWS (org: iduffy-demo)
  Token Slug: 6FmYSZVQrEho
  Created: 2025-06-07T19:43:47.840466Z

SSO Status: Not configured
  Keyring: Enabled (no tokens stored)
```

Before configuration:
```bash
$ cat ~/.docker/config.json
cat: /Users/iduffy/.docker/config.json: No such file or directory

$ docker pull docker.cloudsmith.io/iduffy-demo/default/library/ubuntu:latest
Error response from daemon: Head "https://docker.cloudsmith.io/v2/iduffy-demo/default/library/ubuntu/manifests/latest": unauthorized
```

After configuration:
```bash
$ cat ~/.docker/config.json
{
  "credHelpers": {
    "docker.cloudsmith.io": "cloudsmith"
  }
}

$ docker pull docker.cloudsmith.io/iduffy-demo/default/library/ubuntu:latest
latest: Pulling from iduffy-demo/default/library/ubuntu
cc43ec4c1381: Pull complete
Digest: sha256:9cbed754112939e914291337b5e554b07ad7c392491dba6daf25eef1332a22e8
Status: Downloaded newer image for docker.cloudsmith.io/iduffy-demo/default/library/ubuntu:latest
docker.cloudsmith.io/iduffy-demo/default/library/ubuntu:latest
```

✅ **Success:** Docker authenticated using AWS OIDC credentials via credential helper

### Manual Testing - Pip

Environment setup:
```bash
$ pip config list
:env:.default-timeout='100'
:env:.disable-pip-version-check='1'

$ python -c 'import keyring; print(keyring.backend.get_all_keyring())'
[<keyring.backends.fail.Keyring object at 0x1033a4460>, <cloudsmith_cli.credential_helpers.pip.CloudsmithKeyringBackend object at 0x1033a4c80>, <keyring.backends.chainer.ChainerBackend object at 0x1033a5360>, <keyring.backends.macOS.Keyring object at 0x1033a5720>]
```

Test installation (no credentials in URL):
```bash
$ pip install --no-cache-dir --index-url=https://dl.cloudsmith.io/basic/iduffy-demo/default/python/simple/ cloudsmith-python-native
Looking in indexes: https://dl.cloudsmith.io/basic/iduffy-demo/default/python/simple/
Collecting cloudsmith-python-native
  Downloading https://dl.cloudsmith.io/basic/iduffy-demo/default/python/cloudsmith_python_native-1.0.1050047-py2.py3-none-any.whl (2.2 kB)
Requirement already satisfied: toml in /Users/iduffy/projects/cloudsmith-cli/.venv/lib/python3.10/site-packages (from cloudsmith-python-native) (0.10.2)
Installing collected packages: cloudsmith-python-native
Successfully installed cloudsmith-python-native-1.0.1050047
```

✅ **Success:** Pip authenticated using AWS OIDC credentials via keyring backend

### Automated Testing
- ✅ Pylint: 10.00/10 (perfect score)
- ✅ Tests: 199 passed, 39 skipped
- ✅ No new test failures introduced

## Documentation

Added comprehensive documentation:
- `CUSTOM_DOMAINS.md` - Complete guide for custom domain configuration
- `PIP_KEYRING_POC.md` - Proof of concept guide for pip keyring backend
- `PIP_KEYRING_SUCCESS.md` - Success report with usage examples
- `pip_keyring_poc.sh` - Automated testing script

## Additional Notes

### Architecture Validation
The credential helper architecture was validated by implementing two different
package manager protocols (Docker binary stdin/stdout vs Python keyring API)
to ensure the design is flexible and extensible.

### Custom Domain Support
Custom domains are discovered automatically when `CLOUDSMITH_ORG` is set:
1. First request fetches domains from API
2. Results cached for 1 hour in `~/.cloudsmith/cache/custom_domains/`
3. Subsequent requests use cache (no repeated API calls)
4. Works seamlessly with OIDC in CI/CD environments

### Future Extensions
The architecture is designed to support additional credential helpers:
- npm (`.npmrc` credential helper)
- cargo (Cargo credential helper)
- maven (Maven settings credential helper)
- gradle (Gradle properties credential helper)
- nuget (NuGet credential helper)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: cloudsmith-iduffy

cloudsmith_cli/cli/commands/__init__.py

@@ -4,6 +4,7 @@
     auth,
     check,
     copy,
+    credential_helper,
     delete,
     dependencies,
     docs,

cloudsmith_cli/cli/commands/credential_helper/__init__.py

@@ -0,0 +1,36 @@
+"""
+Credential helper commands for Cloudsmith.
+
+This module provides credential helper commands for various package managers
+(Docker, pip, npm, etc.) that follow their respective credential helper protocols.
+"""
+
+import click
+
+from ..main import main
+from .docker import docker as docker_cmd
+
+
+@click.group()
+def credential_helper():
+    """
+    Credential helpers for package managers.
+
+    These commands provide credentials for package managers like Docker, pip, npm, etc.
+    They are typically called by wrapper binaries (e.g., docker-credential-cloudsmith)
+    or used directly for debugging.
+
+    Examples:
+        # Test Docker credential helper
+        $ echo "docker.cloudsmith.io" | cloudsmith credential-helper docker
+
+        # Called by Docker via wrapper
+        $ echo "docker.cloudsmith.io" | docker-credential-cloudsmith get
+    """
+
+
+# Register subcommands
+credential_helper.add_command(docker_cmd, name="docker")
+
+# Register with main CLI
+main.add_command(credential_helper, name="credential-helper")

cloudsmith_cli/cli/commands/credential_helper/docker.py

@@ -0,0 +1,80 @@
+"""
+Docker credential helper command.
+
+Implements the Docker credential helper protocol for Cloudsmith registries.
+"""
+
+import json
+import sys
+
+import click
+
+from ....credential_helpers.docker import get_credentials, is_cloudsmith_registry
+
+
+@click.command()
+def docker():
+    """
+    Docker credential helper for Cloudsmith registries.
+
+    Reads a Docker registry server URL from stdin and returns credentials in JSON format.
+    This command implements the 'get' operation of the Docker credential helper protocol.
+
+    Only provides credentials for Cloudsmith Docker registries (docker.cloudsmith.io).
+
+    Input (stdin):
+        Server URL as plain text (e.g., "docker.cloudsmith.io")
+
+    Output (stdout):
+        JSON: {"Username": "token", "Secret": "<cloudsmith-token>"}
+
+    Exit codes:
+        0: Success
+        1: Error (no credentials available, not a Cloudsmith registry, etc.)
+
+    Examples:
+        # Manual testing
+        $ echo "docker.cloudsmith.io" | cloudsmith credential-helper docker
+        {"Username":"token","Secret":"eyJ0eXAiOiJKV1Qi..."}
+
+        # Called by Docker via wrapper
+        $ echo "docker.cloudsmith.io" | docker-credential-cloudsmith get
+        {"Username":"token","Secret":"eyJ0eXAiOiJKV1Qi..."}
+
+    Environment variables:
+        CLOUDSMITH_API_KEY: API key for authentication (optional)
+        CLOUDSMITH_ORG: Organization slug (required for OIDC)
+        CLOUDSMITH_SERVICE_SLUG: Service account slug (required for OIDC)
+    """
+    try:
+        # Read server URL from stdin
+        server_url = sys.stdin.read().strip()
+
+        if not server_url:
+            click.echo("Error: No server URL provided on stdin", err=True)
+            sys.exit(1)
+
+        # Check if this is a Cloudsmith registry
+        if not is_cloudsmith_registry(server_url):
+            click.echo(f"Error: Not a Cloudsmith registry: {server_url}", err=True)
+            sys.exit(1)
+
+        # Get credentials using the credential provider chain
+        credentials = get_credentials(server_url, debug=False)
+
+        if not credentials:
+            click.echo(
+                "Error: Unable to retrieve credentials. "
+                "Make sure you have either CLOUDSMITH_API_KEY set, "
+                "or CLOUDSMITH_ORG + CLOUDSMITH_SERVICE_SLUG for OIDC authentication.",
+                err=True,
+            )
+            sys.exit(1)
+
+        # Output credentials in Docker credential helper JSON format
+        click.echo(json.dumps(credentials))
+
+    except Exception as e:  # pylint: disable=broad-exception-caught
+        # Broad exception catch to ensure we never crash without a message
+        click.echo(f"Error: {e}", err=True)
+        sys.exit(1)

cloudsmith_cli/credential_helpers/__init__.py

@@ -0,0 +1,6 @@
+"""
+Credential helpers for various package managers.
+
+This package provides credential helper implementations for Docker, pip, npm, etc.
+Each helper follows its respective package manager's credential helper protocol.
+"""

cloudsmith_cli/credential_helpers/custom_domains.py

@@ -0,0 +1,253 @@
+"""
+Helper for discovering Cloudsmith custom domains.
+
+This module provides functions to fetch custom domains from the Cloudsmith API
+for use in credential helpers. Results are cached on the filesystem.
+"""
+
+import json
+import logging
+import os
+import time
+from pathlib import Path
+from typing import List, Optional
+
+logger = logging.getLogger(__name__)
+
+# Cache custom domains for 1 hour
+CACHE_TTL_SECONDS = 3600
+
+
+def get_cache_dir() -> Path:
+    """
+    Get the cache directory for custom domains.
+
+    Returns:
+        Path to cache directory (e.g., ~/.cloudsmith/cache/custom_domains/)
+    """
+    home = Path.home()
+    cache_dir = home / ".cloudsmith" / "cache" / "custom_domains"
+    cache_dir.mkdir(parents=True, exist_ok=True)
+    return cache_dir
+
+
+def get_cache_path(org: str) -> Path:
+    """
+    Get the cache file path for an organization's custom domains.
+
+    Args:
+        org: Organization slug
+
+    Returns:
+        Path to cache file
+    """
+    cache_dir = get_cache_dir()
+    # Use org slug as filename (sanitized)
+    safe_org = "".join(c if c.isalnum() or c in "-_" else "_" for c in org)
+    return cache_dir / f"{safe_org}.json"
+
+
+def is_cache_valid(cache_path: Path) -> bool:
+    """
+    Check if a cache file exists and is still valid.
+
+    Args:
+        cache_path: Path to cache file
+
+    Returns:
+        bool: True if cache exists and hasn't expired
+    """
+    if not cache_path.exists():
+        return False
+
+    try:
+        mtime = cache_path.stat().st_mtime
+        age = time.time() - mtime
+        return age < CACHE_TTL_SECONDS
+    except OSError:
+        return False
+
+
+def read_cache(cache_path: Path) -> Optional[List[str]]:
+    """
+    Read custom domains from cache file.
+
+    Args:
+        cache_path: Path to cache file
+
+    Returns:
+        List of domain strings or None if cache invalid/missing
+    """
+    if not is_cache_valid(cache_path):
+        return None
+
+    try:
+        with open(cache_path, encoding="utf-8") as f:
+            data = json.load(f)
+            if isinstance(data, dict) and "domains" in data:
+                domains = data["domains"]
+                if isinstance(domains, list):
+                    logger.debug(
+                        "Read %d domains from cache: %s", len(domains), cache_path
+                    )
+                    return domains
+    except (OSError, json.JSONDecodeError) as exc:
+        logger.debug("Failed to read cache %s: %s", cache_path, exc)
+
+    return None
+
+
+def write_cache(cache_path: Path, domains: List[str]) -> None:
+    """
+    Write custom domains to cache file.
+
+    Args:
+        cache_path: Path to cache file
+        domains: List of domain strings to cache
+    """
+    try:
+        data = {
+            "domains": domains,
+            "cached_at": time.time(),
+        }
+        with open(cache_path, "w", encoding="utf-8") as f:
+            json.dump(data, f)
+        logger.debug("Wrote %d domains to cache: %s", len(domains), cache_path)
+    except OSError as exc:
+        logger.debug("Failed to write cache %s: %s", cache_path, exc)
+
+
+def get_custom_domains_for_org(
+    org: str, api_host: str = "https://api.cloudsmith.io"
+) -> List[str]:
+    """
+    Fetch custom domains for a Cloudsmith organization.
+
+    Results are cached on the filesystem for 1 hour to avoid excessive API calls.
+
+    Args:
+        org: Organization slug
+        api_host: Cloudsmith API host
+
+    Returns:
+        List of custom domain strings (e.g., ['docker.customer.com', 'dl.customer.com'])
+        Empty list if API call fails or org has no custom domains
+
+    Example:
+        >>> domains = get_custom_domains_for_org('my-org')
+        >>> print(domains)
+        ['docker.acme.com', 'dl.acme.com']
+    """
+    # Check cache first
+    cache_path = get_cache_path(org)
+    cached_domains = read_cache(cache_path)
+    if cached_domains is not None:
+        logger.debug("Using cached custom domains for %s", org)
+        return cached_domains
+
+    # Cache miss - fetch from API
+    logger.debug("Fetching custom domains from API for %s", org)
+
+    try:
+        import requests
+
+        # Construct API URL
+        url = f"{api_host}/orgs/{org}/custom-domains/"
+
+        # Make API request (no auth needed for custom domains endpoint)
+        response = requests.get(url, timeout=5)
+
+        if response.status_code == 404:
+            logger.debug("Organization %s not found or has no custom domains", org)
+            # Cache empty result to avoid repeated 404s
+            write_cache(cache_path, [])
+            return []
+
+        if response.status_code != 200:
+            logger.debug(
+                "Failed to fetch custom domains for %s: HTTP %d",
+                org,
+                response.status_code,
+            )
+            return []
+
+        data = response.json()
+
+        # Extract domain names from response
+        # Expected format: [{"domain": "docker.customer.com", ...}, ...]
+        domains = []
+        if isinstance(data, list):
+            for item in data:
+                if isinstance(item, dict) and "domain" in item:
+                    domains.append(item["domain"])
+
+        logger.debug("Fetched %d custom domains for %s", len(domains), org)
+
+        # Cache the result
+        write_cache(cache_path, domains)
+
+        return domains
+
+    except ImportError:
+        logger.debug("requests library not available, cannot fetch custom domains")
+        return []
+    except Exception as exc:  # pylint: disable=broad-exception-caught
+        logger.debug("Error fetching custom domains: %s", exc)
+        return []
+
+
+def get_custom_domains_from_env() -> List[str]:
+    """
+    Get custom domains by fetching from API if CLOUDSMITH_ORG is set.
+
+    Returns:
+        List of custom domain strings
+        Empty list if CLOUDSMITH_ORG not set or API call fails
+
+    Example:
+        >>> os.environ['CLOUDSMITH_ORG'] = 'my-org'
+        >>> domains = get_custom_domains_from_env()
+        >>> print(domains)
+        ['docker.acme.com', 'dl.acme.com']
+    """
+    # Check for org and fetch custom domains from API
+    org = os.environ.get("CLOUDSMITH_ORG", "").strip()
+    if not org:
+        return []
+
+    api_host = os.environ.get("CLOUDSMITH_API_HOST", "https://api.cloudsmith.io")
+    return get_custom_domains_for_org(org, api_host)
+
+
+def is_custom_cloudsmith_domain(server_url: str, org: Optional[str] = None) -> bool:
+    """
+    Check if a server URL matches a custom Cloudsmith domain.
+
+    Args:
+        server_url: The server URL to check
+        org: Optional organization slug (if not provided, uses CLOUDSMITH_ORG from env)
+
+    Returns:
+        bool: True if this is a custom Cloudsmith domain, False otherwise
+
+    Example:
+        >>> os.environ['CLOUDSMITH_ORG'] = 'my-org'
+        >>> is_custom_cloudsmith_domain('docker.acme.com')
+        True
+        >>> is_custom_cloudsmith_domain('docker.hub.io')
+        False
+    """
+    if not server_url:
+        return False
+
+    # Normalize URL
+    normalized = server_url.lower()
+    if "://" in normalized:
+        normalized = normalized.split("://", 1)[1]
+    normalized = normalized.split(":")[0]  # Remove port
+
+    # Get custom domains
+    custom_domains = get_custom_domains_from_env()
+
+    # Check if normalized URL matches any custom domain
+    return normalized in custom_domains