Store API tokens in Obsidian Keychain

[jdevera]

Summary

Resolves #177

Uses the Obsidian SecretStorage API (introduced in v1.11.4) to store GitHub tokens in the OS keychain (macOS Keychain, Windows Credential Manager, Linux libsecret) instead of plain text in data.json.

• Tokens are stored and retrieved via a new keychain.ts module
• Existing plain-text tokens are automatically migrated to the keychain on first load after update
• Tokens are stripped from data.json on every save
• Deleting an account clears the token value from the keychain (the SecretStorage API does not support deleting entries, only clearing them)
• minAppVersion bumped to 1.11.4

What I have tested

• Fresh install: create a new account with a token, verify it appears in Obsidian's Keychain settings and data.json has an empty token field
• Migration: start with an existing data.json containing a plain-text token (dataVersion 1), reload, verify the token moves to keychain and data.json token is cleared
• Token still works: after migration, verify GitHub links in notes still resolve
• Account deletion: delete an account, verify its keychain value is cleared
• OAuth flow: generate a token via the OAuth device flow, verify it lands in the keychain

[jdevera]

Reworking this to be more idiomatic with Obsidian's SecretStorage API:

• Use SecretComponent (via Setting.addComponent) to let users pick/create named secrets through Obsidian's built-in UI, instead of managing secret keys directly
• Store the secret name in settings (tokenSecret) rather than the value — the actual token is read at runtime via app.secretStorage.getSecret(name)
• This aligns with how other plugins (Enveloppe, QuickAdd, BRAT, etc.) use the API, and lets users share secrets across plugins

Converting to draft while I rework.

[sonarqubecloud]

Quality Gate passed

Issues
5 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud