init simpler

Author: maxffarrell

.env.example

@@ -1 +1,3 @@
-VERCEL_OIDC_TOKEN="create with vercel cli"
+# API keys (set via 'bun run scripts/secrets.ts set VERCEL_OIDC_TOKEN')
+# Note: API keys are stored in OS credential manager for security
+# No .env file needed - use the secrets CLI instead

AGENTS.md

@@ -8,7 +8,7 @@ AI SDK benchmarking tool built with Vercel AI SDK and Bun runtime. Tests AI agen
 # Install dependencies (runs patch-package automatically)
 bun install
 
-# Run the main benchmark (discovers and runs all tests)
+# Run main benchmark (discovers and runs all tests)
 bun run index.ts
 
 # Verify reference implementations against test suites
@@ -22,6 +22,11 @@ bun run generate-report.ts results/result-2024-12-07-14-30-45.json
 
 # Run TypeScript type checking
 bun tsc --noEmit
+
+# Secrets management
+bun run secrets                       # Show token status
+bun run secrets set VERCEL_OIDC_TOKEN <value>  # Store Vercel token
+bun run secrets get VERCEL_OIDC_TOKEN           # Get Vercel token
 ```
 
 ## Environment Variables
@@ -106,10 +111,28 @@ MCP_SERVER_URL=
 
 ### Required API Keys
 
-- `ANTHROPIC_API_KEY`: Required when using `anthropic/*` models
-- `OPENAI_API_KEY`: Required when using `openai/*` models (get at https://platform.openai.com/api-keys)
-- `OPENROUTER_API_KEY`: Required when using `openrouter/*` models (get at https://openrouter.ai/keys)
-- No API key required for `lmstudio/*` models (runs locally)
+- `VERCEL_OIDC_TOKEN`: Required for Vercel AI Gateway (stored in bun.secrets)
+- Other API keys (Anthropic, OpenAI, OpenRouter) are configured in Vercel dashboard when using AI Gateway
+
+### Secrets Management
+
+The tool uses Bun's secure credential storage for the Vercel OIDC token:
+
+```bash
+# Store Vercel OIDC token
+bun run secrets set VERCEL_OIDC_TOKEN your_token_here
+
+# Check if token is stored
+bun run secrets
+
+# Get the stored token
+bun run secrets get VERCEL_OIDC_TOKEN
+```
+
+**Security Benefits:**
+- Encrypted storage using OS credential manager (Keychain, libsecret, Windows Credential Manager)
+- No plaintext tokens in files
+- User-level access control
 
 ### Provider Routing
 

README.md

@@ -12,17 +12,40 @@ bun install
 
 ## Setup
 
-Configure your API keys in `.env`:
+Configure your Vercel OIDC token using bun.secrets:
 
 1. Install Vercel CLI if you haven't already
 2. Run `bun run vercel:link` and link the benchmark to a project that has AI Gateway enabled
-3. Run the benchmark with "bun run dev"
+3. Store your VERCEL_OIDC_TOKEN securely:
+   ```bash
+   # Get your token from Vercel project settings
+   bun run secrets set VERCEL_OIDC_TOKEN your_token_here
+   ```
 
 ### Required API Keys
 
-You'll need at least one API key for the providers you want to test:
+- `VERCEL_OIDC_TOKEN`: Required for Vercel AI Gateway (stored in bun.secrets)
+- Other API keys (Anthropic, OpenAI, OpenRouter) are configured in the Vercel dashboard when using AI Gateway
 
-- `VERCEL_OIDC_TOKEN`: The OIDC token for vercel AI gateway
+## Secrets Management
+
+API keys are stored securely using your OS credential manager:
+
+```bash
+# Check if token is set
+bun run secrets
+
+# Set token
+bun run secrets set VERCEL_OIDC_TOKEN your_token_here
+
+# Get token
+bun run secrets get VERCEL_OIDC_TOKEN
+```
+
+**Security Benefits:**
+- Encrypted storage using OS credential manager (Keychain, libsecret, Windows Credential Manager)
+- No plaintext API keys in files
+- User-level access control
 
 ## Usage
 

index.ts

@@ -43,6 +43,7 @@ import {
   note,
 } from "@clack/prompts";
 import { gateway } from "ai";
+import { loadTokenToEnv } from "./scripts/secrets.ts";
 
 interface PricingValidationResult {
   enabled: boolean;
@@ -500,6 +501,9 @@ async function runSingleTest(
 
 // Main execution
 async function main() {
+  // Load VERCEL_OIDC_TOKEN from bun.secrets
+  await loadTokenToEnv();
+  
   const { models, mcp, testingTool, pricing } = await selectOptions();
 
   // Get MCP server URL/command from environment (optional)

package.json

@@ -13,7 +13,8 @@
     "tsc": "tsc --noEmit",
     "test:self": "bun vitest run lib/*.test.ts",
     "vercel:link": "vercel link",
-    "vercel:env:pull": "vercel env pull .env.local --yes"
+    "vercel:env:pull": "vercel env pull .env.local --yes",
+    "secrets": "bun run scripts/secrets.ts"
   },
   "devDependencies": {
     "@sveltejs/vite-plugin-svelte": "^5.0.3",

scripts/secrets.ts

@@ -0,0 +1,124 @@
+#!/usr/bin/env bun
+/**
+ * Simple CLI tool for managing VERCEL_OIDC_TOKEN using bun.secrets
+ * 
+ * Usage:
+ *   bun run secrets set VERCEL_OIDC_TOKEN <value>  # Set the token
+ *   bun run secrets get VERCEL_OIDC_TOKEN         # Get the token
+ *   bun run secrets                            # Show status
+ */
+
+import { secrets } from "bun";
+
+async function showStatus() {
+  console.log("\n🔐 Vercel OIDC Token Status");
+  console.log("─".repeat(40));
+  
+  const token = await secrets.get({ 
+    service: "svelte-ai", 
+    name: "VERCEL_OIDC_TOKEN" 
+  });
+  
+  if (token) {
+    const masked = token.slice(0, 12) + "..." + token.slice(-8);
+    console.log(`✅ VERCEL_OIDC_TOKEN: ${masked}`);
+  } else {
+    console.log("❌ VERCEL_OIDC_TOKEN: Not set");
+    console.log("\n💡 Run 'bun run secrets set VERCEL_OIDC_TOKEN <value>' to set it");
+  }
+}
+
+async function setToken(value: string) {
+  if (!value) {
+    // Empty value means delete the token
+    await secrets.delete({ 
+      service: "svelte-ai", 
+      name: "VERCEL_OIDC_TOKEN" 
+    });
+    console.log("🗑️  VERCEL_OIDC_TOKEN deleted from OS credential manager");
+    return;
+  }
+  
+  if (value.length < 20) {
+    console.error("❌ Invalid token: VERCEL_OIDC_TOKEN appears to be too short");
+    process.exit(1);
+  }
+  
+  await secrets.set({
+    service: "svelte-ai",
+    name: "VERCEL_OIDC_TOKEN",
+    value,
+  });
+  
+  console.log("✅ VERCEL_OIDC_TOKEN stored securely in OS credential manager");
+}
+
+async function getToken() {
+  const token = await secrets.get({ 
+    service: "svelte-ai", 
+    name: "VERCEL_OIDC_TOKEN" 
+  });
+  
+  if (token) {
+    console.log(`VERCEL_OIDC_TOKEN: ${token}`);
+  } else {
+    console.log("❌ VERCEL_OIDC_TOKEN not found");
+    process.exit(1);
+  }
+}
+
+async function loadTokenToEnv() {
+  const token = await secrets.get({ 
+    service: "svelte-ai", 
+    name: "VERCEL_OIDC_TOKEN" 
+  });
+  
+  if (token) {
+    process.env.VERCEL_OIDC_TOKEN = token;
+    console.log("✅ VERCEL_OIDC_TOKEN loaded from bun.secrets");
+  }
+}
+
+// Export for use in main application
+export { loadTokenToEnv };
+
+// CLI logic
+if (import.meta.main) {
+  const command = process.argv[2];
+  const arg1 = process.argv[3];
+  const arg2 = process.argv[4];
+  
+  switch (command) {
+    case "set":
+      if (arg1 !== "VERCEL_OIDC_TOKEN") {
+        console.error("Usage: bun run secrets set VERCEL_OIDC_TOKEN <value>");
+        process.exit(1);
+      }
+      // Empty arg2 means delete, otherwise set the value
+      await setToken(arg2 || "");
+      break;
+      
+    case "get":
+      if (arg1 !== "VERCEL_OIDC_TOKEN") {
+        console.error("Usage: bun run secrets get VERCEL_OIDC_TOKEN");
+        process.exit(1);
+      }
+      await getToken();
+      break;
+      
+    case "load":
+      // Internal command used by main app
+      await loadTokenToEnv();
+      break;
+      
+    case undefined:
+    case "status":
+      await showStatus();
+      break;
+      
+    default:
+      console.error(`Unknown command: ${command}`);
+      console.error("Available commands: status, set VERCEL_OIDC_TOKEN <value>, get VERCEL_OIDC_TOKEN");
+      process.exit(1);
+  }
+}