refactor(auth): consolidate the auth-source secret lookup into one helper

The auth-source-search + funcall-the-secret block was copied four times: calendar-sync--calendar-url, cj/auth-source-secret (ai-config), cj/--auth-source-password (transcription), and cj/slack--get-credential. Each searched authinfo, pulled :secret, and called it when the netrc backend returned a function.

I pulled that into cj/auth-source-secret-value in system-lib (a leaf, so calendar-sync doesn't have to depend on ai-config and drag in the gptel stack). It takes an optional user and returns the secret or nil. The four callers now delegate to it: ai-config layers its required-secret error on top, and the others keep their nil-on-miss behavior. With the direct auth-source-search calls gone, I dropped the now-unused (require 'auth-source) from transcription, slack, and calendar-sync. The helper's autoload covers it.

The transcription tests that exercise the delegated path stay green, and the primitive and the error wrapper get their own tests.

7 files changed, 123 insertions, 33 deletions

diff --git a/modules/ai-config.el b/modules/ai-config.el
index 8cf70ee4..fad43584 100644
--- a/modules/ai-config.el
+++ b/modules/ai-config.el
@@ -29,6 +29,7 @@
 ;;; Code:
 
 (require 'keybindings)  ;; provides cj/custom-keymap
+(require 'system-lib)   ;; provides cj/auth-source-secret-value
 
 (autoload 'cj/gptel-save-conversation "ai-conversations" "Save the AI conversation to a file." t)
 (autoload 'cj/gptel-load-conversation "ai-conversations" "Load a saved AI conversation." t)
@@ -100,15 +101,12 @@ tools are reported with `message' and do not signal."
   (cj/gptel-load-local-tools))
 
 (defun cj/auth-source-secret (host user)
-  "Fetch a secret from auth-source for HOST and USER.
+  "Fetch a required secret from auth-source for HOST and USER.
 
-HOST and USER must be strings that identify the credential to return."
-  (let* ((found (auth-source-search :host host :user user :require '(:secret) :max 1))
-         (secret (plist-get (car found) :secret)))
-    (cond
-     ((functionp secret) (funcall secret))
-     ((stringp secret) secret)
-     (t (error "No usable secret found for host %s and user %s" host user)))))
+HOST and USER must be strings that identify the credential to return.
+Errors when no secret is found."
+  (or (cj/auth-source-secret-value host user)
+      (error "No usable secret found for host %s and user %s" host user)))
 
 (defun cj/anthropic-api-key ()
   "Return the Anthropic API key, caching the result after first retrieval."
diff --git a/modules/calendar-sync.el b/modules/calendar-sync.el
index 9379b427..4ccb0917 100644
--- a/modules/calendar-sync.el
+++ b/modules/calendar-sync.el
@@ -71,7 +71,7 @@
 
 (require 'cl-lib)
 (require 'subr-x)
-(require 'auth-source)
+(require 'system-lib)  ;; provides cj/auth-source-secret-value (leaf; no ai-config dep)
 (require 'cj-org-text-lib)
 
 (defun calendar-sync--log-silently (format-string &rest args)
@@ -1509,13 +1509,8 @@ An explicit :url wins.  Otherwise :secret-host names an auth-source host
 whose stored secret is the URL (kept in auth-source because the .ics URL
 is itself a token)."
   (or (plist-get calendar :url)
-      (let ((host (plist-get calendar :secret-host)))
-        (when host
-          (let ((secret (plist-get (car (auth-source-search :host host :max 1))
-                                   :secret)))
-            ;; auth-source's netrc backend returns the secret as a function
-            (cond ((functionp secret) (funcall secret))
-                  (secret secret)))))))
+      (when-let* ((host (plist-get calendar :secret-host)))
+        (cj/auth-source-secret-value host))))
 
 (defun calendar-sync--sync-calendar-ics (calendar)
   "Sync a single CALENDAR from its .ics feed asynchronously.
diff --git a/modules/slack-config.el b/modules/slack-config.el
index b51db444..e63b720a 100644
--- a/modules/slack-config.el
+++ b/modules/slack-config.el
@@ -34,7 +34,7 @@
 
 ;;; Code:
 
-(require 'auth-source)
+(require 'system-lib)  ;; provides cj/auth-source-secret-value
 (require 'cl-lib)
 
 (defvar slack-current-buffer)
@@ -65,14 +65,7 @@
 
 (defun cj/slack--get-credential (login-key)
   "Look up LOGIN-KEY credential for the Slack workspace from auth-source."
-  (let ((entry (car (auth-source-search :host cj/slack-workspace
-                                        :user login-key
-                                        :max 1))))
-    (when entry
-      (let ((secret (plist-get entry :secret)))
-        (if (functionp secret)
-            (funcall secret)
-          secret)))))
+  (cj/auth-source-secret-value cj/slack-workspace login-key))
 
 (defun cj/slack-start ()
   "Connect to Slack, registering the team if needed."
diff --git a/modules/system-lib.el b/modules/system-lib.el
index 96159179..80175958 100644
--- a/modules/system-lib.el
+++ b/modules/system-lib.el
@@ -106,5 +106,19 @@ This does so without echoing in the minibuffer."
       (insert (apply #'format format-string args))
       (unless (bolp) (insert "\n")))))
 
+;; ------------------------------ Auth Source ----------------------------------
+
+(declare-function auth-source-search "auth-source")
+
+(defun cj/auth-source-secret-value (host &optional user)
+  "Return the auth-source secret for HOST, or nil when none is found.
+With USER, also match on the login.  Resolves a function-valued secret
+\(the netrc backend returns the secret as a function\) by calling it.
+Callers that must have a secret layer their own error on top."
+  (let* ((spec (append (list :host host :require '(:secret) :max 1)
+                       (when user (list :user user))))
+         (secret (plist-get (car (apply #'auth-source-search spec)) :secret)))
+    (if (functionp secret) (funcall secret) secret)))
+
 (provide 'system-lib)
 ;;; system-lib.el ends here
diff --git a/modules/transcription-config.el b/modules/transcription-config.el
index d81ccba0..344ec473 100644
--- a/modules/transcription-config.el
+++ b/modules/transcription-config.el
@@ -38,7 +38,7 @@
 
 (require 'dired)
 (require 'notifications)
-(require 'auth-source)
+(require 'system-lib)      ; provides cj/auth-source-secret-value
 (require 'user-constants)  ; For cj/audio-file-extensions
 
 ;; Declare keymap defined in keybindings.el
@@ -121,14 +121,10 @@ SUCCESS-P indicates whether transcription succeeded."
     (expand-file-name (concat "scripts/" script-name) user-emacs-directory)))
 
 (defun cj/--auth-source-password (host)
-  "Retrieve password for HOST from authinfo.gpg.
-Expects entry like: machine HOST login api password <key>.
+  "Retrieve the auth-source secret for HOST from authinfo.gpg.
+Expects an entry like: machine HOST login api password <key>.
 Returns the password string, or nil if no matching entry exists."
-  (when-let* ((auth-info (car (auth-source-search :host host :require '(:secret))))
-              (secret (plist-get auth-info :secret)))
-    (if (functionp secret)
-        (funcall secret)
-      secret)))
+  (cj/auth-source-secret-value host))
 
 (defun cj/--build-process-environment (backend)
   "Return `process-environment' augmented with BACKEND's API-key env var.
diff --git a/tests/test-ai-config-auth-source-secret.el b/tests/test-ai-config-auth-source-secret.el
new file mode 100644
index 00000000..bab506e5
--- /dev/null
+++ b/tests/test-ai-config-auth-source-secret.el
@@ -0,0 +1,27 @@
+;;; test-ai-config-auth-source-secret.el --- Tests for the required-secret wrapper -*- lexical-binding: t; -*-
+
+;;; Commentary:
+;; `cj/auth-source-secret' is the required-secret layer over the shared
+;; `cj/auth-source-secret-value' primitive: it returns the secret, or errors
+;; when none is found.  These tests stub the primitive to exercise both paths.
+
+;;; Code:
+
+(require 'ert)
+(require 'cl-lib)
+
+(add-to-list 'load-path (expand-file-name "modules" user-emacs-directory))
+(require 'ai-config)
+
+(ert-deftest test-ai-config-auth-source-secret-returns-value ()
+  "Normal: returns the value the primitive resolves."
+  (cl-letf (((symbol-function 'cj/auth-source-secret-value) (lambda (&rest _) "sk-x")))
+    (should (equal "sk-x" (cj/auth-source-secret "api.example.com" "apikey")))))
+
+(ert-deftest test-ai-config-auth-source-secret-errors-on-miss ()
+  "Error: signals when the primitive finds no secret."
+  (cl-letf (((symbol-function 'cj/auth-source-secret-value) (lambda (&rest _) nil)))
+    (should-error (cj/auth-source-secret "api.example.com" "apikey"))))
+
+(provide 'test-ai-config-auth-source-secret)
+;;; test-ai-config-auth-source-secret.el ends here
diff --git a/tests/test-system-lib-auth-source-secret-value.el b/tests/test-system-lib-auth-source-secret-value.el
new file mode 100644
index 00000000..ec526cec
--- /dev/null
+++ b/tests/test-system-lib-auth-source-secret-value.el
@@ -0,0 +1,67 @@
+;;; test-system-lib-auth-source-secret-value.el --- Tests for the auth-source secret primitive -*- lexical-binding: t; -*-
+
+;;; Commentary:
+;; `cj/auth-source-secret-value' is the shared low-level accessor that the
+;; calendar-sync, ai-config, transcription, and slack helpers all delegate to.
+;; It searches authinfo for HOST (and optional USER), resolves a
+;; function-valued secret by calling it, and returns the value or nil.  These
+;; tests stub `auth-source-search' (the external boundary) and capture its args.
+
+;;; Code:
+
+(require 'ert)
+(require 'cl-lib)
+
+(add-to-list 'load-path (expand-file-name "modules" user-emacs-directory))
+(require 'system-lib)
+
+(defvar test-ass--args nil "Captured args of the stubbed `auth-source-search'.")
+
+(defmacro test-ass--with-search (return-value &rest body)
+  "Run BODY with `auth-source-search' stubbed to return RETURN-VALUE.
+Captures the call args in `test-ass--args'."
+  (declare (indent 1))
+  `(let ((test-ass--args nil))
+     (cl-letf (((symbol-function 'auth-source-search)
+                (lambda (&rest args) (setq test-ass--args args) ,return-value)))
+       ,@body)))
+
+;;; Normal
+
+(ert-deftest test-auth-source-secret-value-returns-string-secret ()
+  "Normal: a string :secret is returned as-is."
+  (test-ass--with-search (list (list :secret "sk-abc"))
+    (should (equal "sk-abc" (cj/auth-source-secret-value "api.example.com")))))
+
+(ert-deftest test-auth-source-secret-value-calls-function-secret ()
+  "Normal: a function :secret is funcalled (the netrc backend returns one)."
+  (test-ass--with-search (list (list :secret (lambda () "from-fn")))
+    (should (equal "from-fn" (cj/auth-source-secret-value "api.example.com")))))
+
+(ert-deftest test-auth-source-secret-value-passes-user-when-given ()
+  "Normal: USER and HOST are forwarded to `auth-source-search'."
+  (test-ass--with-search (list (list :secret "x"))
+    (cj/auth-source-secret-value "h" "apikey")
+    (should (equal "h" (plist-get test-ass--args :host)))
+    (should (equal "apikey" (plist-get test-ass--args :user)))))
+
+;;; Boundary
+
+(ert-deftest test-auth-source-secret-value-omits-user-when-absent ()
+  "Boundary: with no USER, :user is not added to the search spec."
+  (test-ass--with-search (list (list :secret "x"))
+    (cj/auth-source-secret-value "h")
+    (should-not (plist-member test-ass--args :user))))
+
+(ert-deftest test-auth-source-secret-value-nil-on-no-match ()
+  "Boundary: no matching entry yields nil."
+  (test-ass--with-search nil
+    (should (null (cj/auth-source-secret-value "h")))))
+
+(ert-deftest test-auth-source-secret-value-nil-on-entry-without-secret ()
+  "Boundary: a matching entry with no :secret yields nil."
+  (test-ass--with-search (list (list :host "h"))
+    (should (null (cj/auth-source-secret-value "h")))))
+
+(provide 'test-system-lib-auth-source-secret-value)
+;;; test-system-lib-auth-source-secret-value.el ends here