fix(cli): decode Go keyring tokens (#5406)

## What changed

Decode `go-keyring-base64:` wrapped access tokens when reading from the
OS keyring in both the legacy and next CLI credential layers.

## Why

The Go keyring backend can store the real `sbp_...` access token inside
a `go-keyring-base64:` wrapper. The TypeScript credential readers were
validating and using the raw wrapped value, so legacy Management API
commands such as `supabase secrets set` failed with an invalid access
token format error even though the decoded token was valid.

## Notes for reviewers

The normalization happens at the keyring-read boundary so existing
validation continues to run against the actual token value, not the
storage representation.

Author: jgoux

apps/cli/src/legacy/auth/legacy-credentials.layer.ts

@@ -1,6 +1,7 @@
 import { Effect, FileSystem, Layer, Option, Path, Redacted } from "effect";
 
 import { RuntimeInfo } from "../../shared/runtime/runtime-info.service.ts";
+import { normalizeKeyringToken } from "../../shared/auth/keyring-token.ts";
 import { LegacyCliConfig } from "../config/legacy-cli-config.service.ts";
 import { LegacyCredentials } from "./legacy-credentials.service.ts";
 import { LegacyInvalidAccessTokenError } from "./legacy-errors.ts";
@@ -33,7 +34,9 @@ const tryKeyringRead = (
     try: () => {
       const entry = new module.Entry(KEYRING_SERVICE, account);
       const value = entry.getPassword();
-      return value && value.length > 0 ? Option.some(value) : Option.none<string>();
+      return value && value.length > 0
+        ? Option.some(normalizeKeyringToken(value))
+        : Option.none<string>();
     },
     catch: () => Option.none<string>(),
   }).pipe(Effect.orElseSucceed(() => Option.none<string>()));

apps/cli/src/legacy/auth/legacy-credentials.layer.unit.test.ts

@@ -88,6 +88,8 @@ afterEach(() => {
 
 const VALID_TOKEN = "sbp_" + "a".repeat(40);
 const VALID_OAUTH_TOKEN = "sbp_oauth_" + "b".repeat(40);
+const encodeGoKeyringBase64 = (token: string) =>
+  `go-keyring-base64:${Buffer.from(token).toString("base64")}`;
 
 const expectSomeToken = (token: Option.Option<Redacted.Redacted<string>>, expected: string) => {
   expect(Option.isSome(token)).toBe(true);
@@ -115,6 +117,15 @@ describe("legacyCredentialsLayer.getAccessToken", () => {
     }).pipe(Effect.provide(makeLayer()));
   });
 
+  it.effect("decodes Go keyring base64 values from the keyring profile account", () => {
+    passwords.set("Supabase CLI/supabase", encodeGoKeyringBase64(VALID_TOKEN));
+    return Effect.gen(function* () {
+      const { getAccessToken } = yield* LegacyCredentials;
+      const token = yield* getAccessToken;
+      expectSomeToken(token, VALID_TOKEN);
+    }).pipe(Effect.provide(makeLayer()));
+  });
+
   it.effect("falls through to the legacy access-token keyring entry", () => {
     passwords.set("Supabase CLI/access-token", VALID_OAUTH_TOKEN);
     return Effect.gen(function* () {

apps/cli/src/next/auth/credentials.layer.ts

@@ -1,5 +1,6 @@
 import { Effect, FileSystem, Layer, Option, Path, Redacted } from "effect";
 
+import { normalizeKeyringToken } from "../../shared/auth/keyring-token.ts";
 import { CliConfig } from "../config/cli-config.service.ts";
 import { Credentials } from "./credentials.service.ts";
 
@@ -32,15 +33,15 @@ const makeCredentials = Effect.gen(function* () {
         try {
           const entry = new keyringModule.value.Entry(SERVICE, ACCOUNT);
           const token = entry.getPassword();
-          if (token) return Option.some(Redacted.make(token));
+          if (token) return Option.some(Redacted.make(normalizeKeyringToken(token)));
         } catch {
           /* fall through */
         }
 
         try {
           const entry = new keyringModule.value.Entry(SERVICE, LEGACY_ACCOUNT);
           const token = entry.getPassword();
-          if (token) return Option.some(Redacted.make(token));
+          if (token) return Option.some(Redacted.make(normalizeKeyringToken(token)));
         } catch {
           /* fall through */
         }

apps/cli/src/next/auth/credentials.layer.unit.test.ts

@@ -20,6 +20,8 @@ let throwOnSetPassword = false;
 const throwOnGetPasswordAccounts = new Set<string>();
 const returnNullForAccounts = new Set<string>();
 const throwOnDeletePasswordAccounts = new Set<string>();
+const encodeGoKeyringBase64 = (token: string) =>
+  `go-keyring-base64:${Buffer.from(token).toString("base64")}`;
 
 vi.mock("@napi-rs/keyring", () => ({
   Entry: class Entry {
@@ -108,6 +110,15 @@ describe("Credentials", () => {
       }).pipe(Effect.provide(makeLayer(tempHome)));
     });
 
+    it.effect("decodes Go keyring base64 values from current account", () => {
+      passwords.set("Supabase CLI/access-token", encodeGoKeyringBase64("current-token"));
+      return Effect.gen(function* () {
+        const { getAccessToken } = yield* Credentials;
+        const token = yield* getAccessToken;
+        expectSomeToken(token, "current-token");
+      }).pipe(Effect.provide(makeLayer(tempHome)));
+    });
+
     it.effect("falls back to legacy account when current is missing", () => {
       passwords.set("Supabase CLI/supabase", "legacy-token");
       return Effect.gen(function* () {

apps/cli/src/shared/auth/keyring-token.ts

@@ -0,0 +1,9 @@
+const GO_KEYRING_BASE64_PREFIX = "go-keyring-base64:";
+
+export function normalizeKeyringToken(value: string): string {
+  if (!value.startsWith(GO_KEYRING_BASE64_PREFIX)) {
+    return value;
+  }
+
+  return Buffer.from(value.slice(GO_KEYRING_BASE64_PREFIX.length), "base64").toString("utf8");
+}