Module cache

In-memory TTL cache layer on top of a CredentialStore.

The OS keychain is fast enough for interactive CLI usage, but inside a long-running MCP proxy loop we call get() on every routing decision and telemetry flush. On macOS that also risks repeated UI prompts if the Keychain access control list is strict. A short-lived in-memory cache cuts the lookup cost without compromising safety: secrets still live in OS-protected storage and are zeroized on drop.

§Guarantees

  • TTL of 0 disables caching entirely (useful for high-security configurations).
  • store() / delete() on the wrapped store also invalidate the cache entry so we do not serve stale secrets after rotation.
  • Cached values are held as secrecy::SecretString, whose Debug impl redacts the value and which zeroizes its buffer on drop — so eviction and cache-drop scrub the in-memory copy without manual Zeroizing wrappers.
  • The std::fmt::Debug impl never prints values.
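
A std-only sketch of these guarantees, added here as an illustration and not the crate's own CachedStore. The CredentialStore method signatures, the `TtlCache` name and the `Secret` type (a stand-in for secrecy::SecretString) are assumptions.

```rust
use std::{collections::HashMap, fmt, time::{Duration, Instant}};

// Assumed trait shape; the real CredentialStore signatures may differ.
pub trait CredentialStore {
    fn get(&mut self, key: &str) -> Option<String>;
    fn store(&mut self, key: &str, value: &str);
    fn delete(&mut self, key: &str);
}

// Std-only stand-in for secrecy::SecretString: redacted Debug, scrubbed on drop.
pub struct Secret(String);
impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { f.write_str("[REDACTED]") }
}
impl Drop for Secret {
    fn drop(&mut self) {
        // Volatile writes keep the compiler from eliding the scrub.
        for b in unsafe { self.0.as_bytes_mut() } { unsafe { std::ptr::write_volatile(b as *mut u8, 0) } }
    }
}

// Hypothetical wrapper illustrating the guarantees; not the crate's CachedStore.
pub struct TtlCache<S> { inner: S, ttl: Duration, entries: HashMap<String, (Instant, Secret)> }
impl<S> fmt::Debug for TtlCache<S> { // reports metadata only, never secret values
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "TtlCache {{ ttl: {:?}, entries: {} }}", self.ttl, self.entries.len())
    }
}

impl<S: CredentialStore> TtlCache<S> {
    pub fn new(inner: S, ttl_secs: u64) -> Self {
        Self { inner, ttl: Duration::from_secs(ttl_secs), entries: HashMap::new() }
    }
    pub fn get(&mut self, key: &str) -> Option<String> {
        if self.ttl.is_zero() { return self.inner.get(key); } // TTL 0: never cache
        if let Some((at, s)) = self.entries.get(key) {
            if at.elapsed() < self.ttl { return Some(s.0.clone()); }
        }
        self.entries.remove(key); // expired: dropping the entry scrubs it
        let fresh = self.inner.get(key)?;
        self.entries.insert(key.to_owned(), (Instant::now(), Secret(fresh.clone())));
        Some(fresh)
    }
    pub fn store(&mut self, key: &str, value: &str) {
        self.inner.store(key, value);
        self.entries.remove(key); // invalidate so rotation is visible immediately
    }
    pub fn delete(&mut self, key: &str) { self.inner.delete(key); self.entries.remove(key); }
}
```

To keep the sketch short, `get` hands back a plain `String` copy that is not scrubbed; only the cached copy is covered by the `Secret` wrapper.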

§Non-goals

  • Cross-process coherence: every process has its own cache. Rotation semantics rely on processes being short-lived or reconnecting before cache_ttl_secs elapse.

Structs§

CachedStore
Caching wrapper around any CredentialStore.