[Auth] Choose which auth storage to use based on config (#5792)

This PR is a follow-up to #5591. It allows users to choose which auth
storage mode they want by using the new
`cli_auth_credentials_store_mode` config.
This commit is contained in:
Celia Chen
2025-10-27 19:41:49 -07:00
committed by GitHub
parent 66a4b89822
commit 4a42c4e142
30 changed files with 361 additions and 80 deletions


@@ -836,7 +836,9 @@ notifications = [ "agent-turn-complete", "approval-requested" ]
> [!NOTE] > `tui.notifications` is builtin and limited to the TUI session. For programmatic or crossenvironment notifications—or to integrate with OSspecific notifiers—use the toplevel `notify` option to run an external program that receives event JSON. The two settings are independent and can be used together.
## Forcing a login method
## Authentication and authorization
### Forcing a login method
To force users on a given machine to use a specific login method or workspace, use a combination of [managed configurations](https://developers.openai.com/codex/security#managed-configuration) as well as either or both of the following fields:
@@ -852,6 +854,22 @@ If the active credentials don't match the config, the user will be logged out an
If `forced_chatgpt_workspace_id` is set but `forced_login_method` is not set, API key login will still work.
### Control where login credentials are stored
```toml
cli_auth_credentials_store = "keyring"
```
Valid values:
- `file` (default) Store credentials in `auth.json` under `$CODEX_HOME`.
- `keyring` Store credentials in the operating system keyring via the [`keyring` crate](https://crates.io/crates/keyring); the CLI reports an error if secure storage is unavailable. Backends by OS:
- macOS: macOS Keychain
- Windows: Windows Credential Manager
- Linux: DBusbased Secret Service, the kernel keyutils, or a combination
- FreeBSD/OpenBSD: DBusbased Secret Service
- `auto` Save credentials to the operating system keyring when available; otherwise, fall back to `auth.json` under `$CODEX_HOME`.
## Config reference
| Key | Type / Values | Notes |
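Review bot: The key documented in the new "Control where login credentials are stored" section is `cli_auth_credentials_store`, but the commit message names the setting `cli_auth_credentials_store_mode`. One of the two is wrong, and a user who copies the wrong name into their config would most likely stay on the `file` default without noticing, so please confirm the name the config parser actually accepts and make the docs and commit message agree. Two smaller points in the same section: the `auto` entry should say whether the fallback to `auth.json` is reported to the user, since otherwise someone who expects keyring storage cannot tell that credentials landed on disk; and the `file` entry should state what protects `auth.json` under `$CODEX_HOME` (for example the file permissions it is created with). The TOML snippet would also read better with a one-line introduction before it.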
@@ -910,4 +928,5 @@ If `forced_chatgpt_workspace_id` is set but `forced_login_method` is not set, AP
| `tools.web_search` | boolean | Enable web search tool (alias: `web_search_request`) (default: false). |
| `forced_login_method` | `chatgpt` \| `api` | Only allow Codex to be used with ChatGPT or API keys. |
| `forced_chatgpt_workspace_id` | string (uuid) | Only allow Codex to be used with the specified ChatGPT workspace. |
| `cli_auth_credentials_store` | `file` \| `keyring` \| `auto` | Where to store CLI login credentials (default: `file`). |
| `tools.view_image` | boolean | Enable the `view_image` tool so Codex can attach local image files from the workspace (default: false). |
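Review bot: The new `cli_auth_credentials_store` row in the config reference lists the three values but not the behaviour that distinguishes them: per the section added above, `keyring` reports an error when secure storage is unavailable while `auto` falls back to `auth.json`. Suggest adding that to the Notes column or linking the row to the "Control where login credentials are stored" section. The key name in this row should also be checked against the `cli_auth_credentials_store_mode` spelling used in the commit message, so that the reference table matches what the CLI reads.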