refactor(auth): consolidate the auth-source secret lookup into one helper

The auth-source-search + funcall-the-secret block was copied four times: calendar-sync--calendar-url, cj/auth-source-secret (ai-config), cj/--auth-source-password (transcription), and cj/slack--get-credential. Each searched authinfo, pulled :secret, and called it when the netrc backend returned a function.

I pulled that into cj/auth-source-secret-value in system-lib (a leaf, so calendar-sync doesn't have to depend on ai-config and drag in the gptel stack). It takes an optional user and returns the secret or nil. The four callers now delegate to it: ai-config layers its required-secret error on top, and the others keep their nil-on-miss behavior. With the direct auth-source-search calls gone, I dropped the now-unused (require 'auth-source) from transcription, slack, and calendar-sync. The helper's autoload covers it.

The transcription tests that exercise the delegated path stay green, and the primitive and the error wrapper get their own tests.

5 files changed, 29 insertions, 33 deletions

diff --git a/modules/ai-config.el b/modules/ai-config.el
index 8cf70ee4..fad43584 100644
--- a/modules/ai-config.el
+++ b/modules/ai-config.el
@@ -29,6 +29,7 @@
 ;;; Code:
 
 (require 'keybindings)  ;; provides cj/custom-keymap
+(require 'system-lib)   ;; provides cj/auth-source-secret-value
 
 (autoload 'cj/gptel-save-conversation "ai-conversations" "Save the AI conversation to a file." t)
 (autoload 'cj/gptel-load-conversation "ai-conversations" "Load a saved AI conversation." t)
@@ -100,15 +101,12 @@ tools are reported with `message' and do not signal."
   (cj/gptel-load-local-tools))
 
 (defun cj/auth-source-secret (host user)
-  "Fetch a secret from auth-source for HOST and USER.
+  "Fetch a required secret from auth-source for HOST and USER.
 
-HOST and USER must be strings that identify the credential to return."
-  (let* ((found (auth-source-search :host host :user user :require '(:secret) :max 1))
-         (secret (plist-get (car found) :secret)))
-    (cond
-     ((functionp secret) (funcall secret))
-     ((stringp secret) secret)
-     (t (error "No usable secret found for host %s and user %s" host user)))))
+HOST and USER must be strings that identify the credential to return.
+Errors when no secret is found."
+  (or (cj/auth-source-secret-value host user)
+      (error "No usable secret found for host %s and user %s" host user)))
 
 (defun cj/anthropic-api-key ()
   "Return the Anthropic API key, caching the result after first retrieval."
diff --git a/modules/calendar-sync.el b/modules/calendar-sync.el
index 9379b427..4ccb0917 100644
--- a/modules/calendar-sync.el
+++ b/modules/calendar-sync.el
@@ -71,7 +71,7 @@
 
 (require 'cl-lib)
 (require 'subr-x)
-(require 'auth-source)
+(require 'system-lib)  ;; provides cj/auth-source-secret-value (leaf; no ai-config dep)
 (require 'cj-org-text-lib)
 
 (defun calendar-sync--log-silently (format-string &rest args)
@@ -1509,13 +1509,8 @@ An explicit :url wins.  Otherwise :secret-host names an auth-source host
 whose stored secret is the URL (kept in auth-source because the .ics URL
 is itself a token)."
   (or (plist-get calendar :url)
-      (let ((host (plist-get calendar :secret-host)))
-        (when host
-          (let ((secret (plist-get (car (auth-source-search :host host :max 1))
-                                   :secret)))
-            ;; auth-source's netrc backend returns the secret as a function
-            (cond ((functionp secret) (funcall secret))
-                  (secret secret)))))))
+      (when-let* ((host (plist-get calendar :secret-host)))
+        (cj/auth-source-secret-value host))))
 
 (defun calendar-sync--sync-calendar-ics (calendar)
   "Sync a single CALENDAR from its .ics feed asynchronously.
diff --git a/modules/slack-config.el b/modules/slack-config.el
index b51db444..e63b720a 100644
--- a/modules/slack-config.el
+++ b/modules/slack-config.el
@@ -34,7 +34,7 @@
 
 ;;; Code:
 
-(require 'auth-source)
+(require 'system-lib)  ;; provides cj/auth-source-secret-value
 (require 'cl-lib)
 
 (defvar slack-current-buffer)
@@ -65,14 +65,7 @@
 
 (defun cj/slack--get-credential (login-key)
   "Look up LOGIN-KEY credential for the Slack workspace from auth-source."
-  (let ((entry (car (auth-source-search :host cj/slack-workspace
-                                        :user login-key
-                                        :max 1))))
-    (when entry
-      (let ((secret (plist-get entry :secret)))
-        (if (functionp secret)
-            (funcall secret)
-          secret)))))
+  (cj/auth-source-secret-value cj/slack-workspace login-key))
 
 (defun cj/slack-start ()
   "Connect to Slack, registering the team if needed."
diff --git a/modules/system-lib.el b/modules/system-lib.el
index 96159179..80175958 100644
--- a/modules/system-lib.el
+++ b/modules/system-lib.el
@@ -106,5 +106,19 @@ This does so without echoing in the minibuffer."
       (insert (apply #'format format-string args))
       (unless (bolp) (insert "\n")))))
 
+;; ------------------------------ Auth Source ----------------------------------
+
+(declare-function auth-source-search "auth-source")
+
+(defun cj/auth-source-secret-value (host &optional user)
+  "Return the auth-source secret for HOST, or nil when none is found.
+With USER, also match on the login.  Resolves a function-valued secret
+\(the netrc backend returns the secret as a function\) by calling it.
+Callers that must have a secret layer their own error on top."
+  (let* ((spec (append (list :host host :require '(:secret) :max 1)
+                       (when user (list :user user))))
+         (secret (plist-get (car (apply #'auth-source-search spec)) :secret)))
+    (if (functionp secret) (funcall secret) secret)))
+
 (provide 'system-lib)
 ;;; system-lib.el ends here
diff --git a/modules/transcription-config.el b/modules/transcription-config.el
index d81ccba0..344ec473 100644
--- a/modules/transcription-config.el
+++ b/modules/transcription-config.el
@@ -38,7 +38,7 @@
 
 (require 'dired)
 (require 'notifications)
-(require 'auth-source)
+(require 'system-lib)      ; provides cj/auth-source-secret-value
 (require 'user-constants)  ; For cj/audio-file-extensions
 
 ;; Declare keymap defined in keybindings.el
@@ -121,14 +121,10 @@ SUCCESS-P indicates whether transcription succeeded."
     (expand-file-name (concat "scripts/" script-name) user-emacs-directory)))
 
 (defun cj/--auth-source-password (host)
-  "Retrieve password for HOST from authinfo.gpg.
-Expects entry like: machine HOST login api password <key>.
+  "Retrieve the auth-source secret for HOST from authinfo.gpg.
+Expects an entry like: machine HOST login api password <key>.
 Returns the password string, or nil if no matching entry exists."
-  (when-let* ((auth-info (car (auth-source-search :host host :require '(:secret))))
-              (secret (plist-get auth-info :secret)))
-    (if (functionp secret)
-        (funcall secret)
-      secret)))
+  (cj/auth-source-secret-value host))
 
 (defun cj/--build-process-environment (backend)
   "Return `process-environment' augmented with BACKEND's API-key env var.