@agentmeshhq/agent 0.4.6 → 0.4.11

package/dist/core/auth-guard.js

@@ -0,0 +1,498 @@
+/**
+ * OpenCode Auth Guard — Epics #470 + #490
+ *
+ * Implements symlink-first auth linking, startup preflight, schema validation,
+ * temp-path rejection, and periodic healthcheck to eliminate per-agent auth
+ * drift permanently and guard against runtime auth.type errors.
+ *
+ * Strategy:
+ *  1. Canonical store: ~/.local/share/opencode/auth.json
+ *  2. Per-agent auth: ~/.agentmesh/opencode-data/<agent>/opencode/auth.json
+ *     -> Always a symlink pointing to canonical store (never a temp-path).
+ *     -> If a stale regular file or temp-path symlink exists, replace safely.
+ *     -> If canonical missing: write a validated real-file copy as fallback.
+ *  3. Schema validation: auth.json must contain a valid `type` field.
+ *  4. Startup preflight: validate before runner boot; one auto-repair attempt.
+ *  5. Periodic healthcheck: re-validate on interval + exponential backoff.
+ */
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+// ─── Constants ───────────────────────────────────────────────────────────────
+export const CANONICAL_AUTH_PATH = path.join(os.homedir(), ".local", "share", "opencode", "auth.json");
+export const AGENTMESH_OPENCODE_DATA_ROOT = path.join(os.homedir(), ".agentmesh", "opencode-data");
+// Healthcheck interval: 5 minutes
+const HEALTH_CHECK_INTERVAL_MS = 5 * 60 * 1000;
+// Minimum re-check interval on repeated failures (exponential backoff ceiling)
+const MAX_BACKOFF_INTERVAL_MS = 30 * 60 * 1000; // 30 minutes
+// Temp-path prefixes that must never be used as symlink targets (#490)
+const TEMP_PATH_PREFIXES = ["/tmp/", "/var/folders/", os.tmpdir()];
+// ─── Core helpers ────────────────────────────────────────────────────────────
+/**
+ * Returns the per-agent auth.json path.
+ */
+export function agentAuthPath(agentName) {
+    return path.join(AGENTMESH_OPENCODE_DATA_ROOT, agentName, "opencode", "auth.json");
+}
+/**
+ * Returns the per-agent opencode dir.
+ */
+export function agentOpencodeDir(agentName) {
+    return path.join(AGENTMESH_OPENCODE_DATA_ROOT, agentName, "opencode");
+}
+/**
+ * Validates that canonical auth.json exists and can be parsed as JSON.
+ */
+export function validateCanonicalAuth(canonicalPath = CANONICAL_AUTH_PATH) {
+    try {
+        if (!fs.existsSync(canonicalPath))
+            return false;
+        const stat = fs.statSync(canonicalPath);
+        if (!stat.isFile())
+            return false;
+        JSON.parse(fs.readFileSync(canonicalPath, "utf-8"));
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Checks whether agentAuthPath is already a valid symlink to a readable target.
+ */
+export function isValidAuthSymlink(authPath) {
+    try {
+        const lstats = fs.lstatSync(authPath);
+        if (!lstats.isSymbolicLink())
+            return false;
+        // Verify the target is readable
+        const target = fs.realpathSync(authPath);
+        const content = fs.readFileSync(target, "utf-8");
+        JSON.parse(content);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Returns true if the given path is a temp/ephemeral path that must not be
+ * used as an auth symlink target. (#490)
+ */
+export function isTempPath(p) {
+    const resolved = path.resolve(p);
+    return TEMP_PATH_PREFIXES.some((prefix) => resolved.startsWith(prefix) || resolved === prefix.replace(/\/$/, ""));
+}
+/**
+ * Validates that an auth.json file has the minimum required schema:
+ * - Parseable JSON
+ * - Contains a `type` field (string) — prevents `auth.type undefined` crash (#490)
+ *
+ * Reads from `authPath` (follows symlinks via readFileSync).
+ */
+export function validateAuthSchema(authPath) {
+    try {
+        const content = fs.readFileSync(authPath, "utf-8");
+        const parsed = JSON.parse(content);
+        if (typeof parsed !== "object" || parsed === null) {
+            return { valid: false, error: "auth.json is not a JSON object" };
+        }
+        if (!("type" in parsed) || typeof parsed["type"] !== "string" || parsed["type"] === "") {
+            return {
+                valid: false,
+                parsed,
+                error: 'auth.json missing required field "type" (string) — agent will crash on auth.type access',
+            };
+        }
+        return { valid: true, parsed };
+    }
+    catch (err) {
+        return { valid: false, error: `Cannot read/parse auth.json: ${err.message}` };
+    }
+}
+/**
+ * Checks if the symlink at authPath points to a temp path.
+ * Returns the target path if it's a temp path, null otherwise. (#490)
+ */
+export function getSymlinkTempTarget(authPath) {
+    try {
+        const lstat = fs.lstatSync(authPath);
+        if (!lstat.isSymbolicLink())
+            return null;
+        const target = fs.readlinkSync(authPath);
+        return isTempPath(target) ? target : null;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Writes a real validated auth file copy from canonical source. (#490)
+ *
+ * Used as fallback when canonical auth is present but symlinking fails,
+ * or as a recovery path when no persistent canonical exists yet.
+ * Strips non-Anthropic provider keys (e.g., xai) to keep agent minimal.
+ * Sets file permissions to 0o600.
+ *
+ * Returns true if written successfully.
+ */
+export function writeRealAuthFile(authPath, canonicalPath = CANONICAL_AUTH_PATH) {
+    try {
+        if (!validateCanonicalAuth(canonicalPath)) {
+            return { written: false, error: `Canonical auth not valid: ${canonicalPath}` };
+        }
+        const schema = validateAuthSchema(canonicalPath);
+        if (!schema.valid) {
+            return { written: false, error: `Canonical auth schema invalid: ${schema.error}` };
+        }
+        fs.mkdirSync(path.dirname(authPath), { recursive: true });
+        let backedUp;
+        let existingLstat = null;
+        try {
+            existingLstat = fs.lstatSync(authPath);
+        }
+        catch {
+            // nothing to back up
+        }
+        if (existingLstat !== null) {
+            if (existingLstat.isSymbolicLink() || existingLstat.isFile()) {
+                backedUp = `${authPath}.bak.${Date.now()}`;
+                // Can't rename a symlink's target — unlink then skip backup for symlinks
+                if (existingLstat.isFile()) {
+                    fs.renameSync(authPath, backedUp);
+                }
+                else {
+                    fs.unlinkSync(authPath);
+                    backedUp = undefined;
+                }
+            }
+            else {
+                fs.rmSync(authPath, { force: true, recursive: true });
+            }
+        }
+        const auth = JSON.parse(fs.readFileSync(canonicalPath, "utf-8"));
+        delete auth["xai"]; // strip non-Anthropic keys
+        const content = JSON.stringify(auth, null, 2);
+        fs.writeFileSync(authPath, content, { mode: 0o600 });
+        return { written: true, backedUp };
+    }
+    catch (err) {
+        return { written: false, error: err.message };
+    }
+}
+/**
+ * Safely replaces agentAuthPath with a symlink to canonicalPath.
+ * If a regular file already exists it is backed up first.
+ */
+export function linkAgentAuth(authPath, canonicalPath = CANONICAL_AUTH_PATH) {
+    try {
+        // Ensure parent directory exists
+        fs.mkdirSync(path.dirname(authPath), { recursive: true });
+        let backedUp;
+        // Use lstatSync (not existsSync) so we detect broken symlinks
+        let existingLstat = null;
+        try {
+            existingLstat = fs.lstatSync(authPath);
+        }
+        catch {
+            // File does not exist — nothing to remove
+        }
+        if (existingLstat !== null) {
+            if (existingLstat.isSymbolicLink()) {
+                // Remove stale or broken symlink
+                fs.unlinkSync(authPath);
+            }
+            else if (existingLstat.isFile()) {
+                // Back up the existing regular file
+                backedUp = `${authPath}.bak.${Date.now()}`;
+                fs.renameSync(authPath, backedUp);
+            }
+            else {
+                // Unknown type — remove
+                fs.rmSync(authPath, { force: true, recursive: true });
+            }
+        }
+        fs.symlinkSync(canonicalPath, authPath);
+        return { linked: true, backedUp };
+    }
+    catch (err) {
+        return { linked: false, error: err.message };
+    }
+}
+// ─── Primary API ─────────────────────────────────────────────────────────────
+/**
+ * Ensures the per-agent auth file is a valid symlink to canonical auth.
+ *
+ * Epics #470 + #490 hardening:
+ * - Rejects temp-path symlink targets (e.g., /tmp/...) and replaces them.
+ * - Validates auth schema (auth.type must be present) after linking.
+ * - Falls back to writeRealAuthFile() if symlinking fails but canonical is valid.
+ *
+ * Called from prepareOpenCodeRuntime() on every startup.
+ */
+export function ensureAgentAuthLink(agentName) {
+    const authPath = agentAuthPath(agentName);
+    const canonicalPath = CANONICAL_AUTH_PATH;
+    // Fast path: already a valid symlink — but also check for temp-path target (#490)
+    if (isValidAuthSymlink(authPath)) {
+        const tempTarget = getSymlinkTempTarget(authPath);
+        if (tempTarget) {
+            // Reject temp-path symlink — fall through to repair
+            console.warn(`[AUTH] Rejecting temp-path symlink target: ${tempTarget}`);
+        }
+        else {
+            // Also validate schema to catch auth.type undefined (#490)
+            const schema = validateAuthSchema(authPath);
+            if (!schema.valid) {
+                console.warn(`[AUTH] Schema validation failed: ${schema.error}`);
+                // Fall through to repair
+            }
+            else {
+                return {
+                    status: "ok",
+                    agentAuthPath: authPath,
+                    canonicalAuthPath: canonicalPath,
+                    message: "Auth symlink is valid",
+                };
+            }
+        }
+    }
+    // Canonical auth must exist for us to link
+    if (!validateCanonicalAuth(canonicalPath)) {
+        return {
+            status: "no-canonical",
+            agentAuthPath: authPath,
+            canonicalAuthPath: canonicalPath,
+            message: `Canonical auth not found or invalid: ${canonicalPath}`,
+        };
+    }
+    // Attempt to create/repair symlink
+    const result = linkAgentAuth(authPath, canonicalPath);
+    if (result.linked) {
+        // Validate schema after linking (#490)
+        const schema = validateAuthSchema(authPath);
+        if (!schema.valid) {
+            return {
+                status: "degraded",
+                agentAuthPath: authPath,
+                canonicalAuthPath: canonicalPath,
+                message: `Symlink created but canonical auth schema invalid: ${schema.error}`,
+            };
+        }
+        const backupNote = result.backedUp ? ` (backed up previous file to ${result.backedUp})` : "";
+        return {
+            status: "repaired",
+            agentAuthPath: authPath,
+            canonicalAuthPath: canonicalPath,
+            message: `Auth symlink created${backupNote}`,
+        };
+    }
+    // Symlinking failed — fall back to writing a real file copy (#490)
+    const fallback = writeRealAuthFile(authPath, canonicalPath);
+    if (fallback.written) {
+        return {
+            status: "repaired",
+            agentAuthPath: authPath,
+            canonicalAuthPath: canonicalPath,
+            message: `Auth written as real file (symlink failed): ${result.error}`,
+        };
+    }
+    return {
+        status: "degraded",
+        agentAuthPath: authPath,
+        canonicalAuthPath: canonicalPath,
+        message: `Failed to create auth symlink: ${result.error}`,
+    };
+}
+/**
+ * Startup preflight: ensure auth link and validate once more.
+ *
+ * Returns true if auth is ready, false if agent should be marked degraded.
+ * Performs one auto-repair attempt on failure.
+ */
+export function preflightAgentAuth(agentName) {
+    const first = ensureAgentAuthLink(agentName);
+    // Good states
+    if (first.status === "ok" || first.status === "repaired") {
+        // Final validation: confirm symlink is readable post-repair
+        if (isValidAuthSymlink(first.agentAuthPath)) {
+            return { ok: true, result: first };
+        }
+        // Repaired but symlink still not readable — degrade
+        return {
+            ok: false,
+            result: {
+                ...first,
+                status: "degraded",
+                message: `Symlink created but target is unreadable: ${first.agentAuthPath}`,
+            },
+        };
+    }
+    if (first.status === "no-canonical") {
+        // Cannot do anything without canonical auth
+        return { ok: false, result: first };
+    }
+    // status === "degraded": one more attempt after a short wait
+    const retry = ensureAgentAuthLink(agentName);
+    if (retry.status === "repaired" && isValidAuthSymlink(retry.agentAuthPath)) {
+        return { ok: true, result: retry };
+    }
+    return { ok: false, result: retry };
+}
+/**
+ * Starts a periodic auth healthcheck for an agent.
+ *
+ * On failure: emits a structured event and attempts repair.
+ * Uses exponential backoff up to MAX_BACKOFF_INTERVAL_MS on repeated failures.
+ *
+ * @param agentName  Agent name
+ * @param onEvent    Callback for health events (for structured logging/alerting)
+ */
+export function startAuthHealthWatcher(agentName, onEvent) {
+    let consecutiveFailures = 0;
+    let currentInterval = HEALTH_CHECK_INTERVAL_MS;
+    let timer = null;
+    function schedule() {
+        timer = setTimeout(check, currentInterval);
+    }
+    function check() {
+        const authPath = agentAuthPath(agentName);
+        if (isValidAuthSymlink(authPath)) {
+            // Healthy: reset backoff
+            if (consecutiveFailures > 0) {
+                consecutiveFailures = 0;
+                currentInterval = HEALTH_CHECK_INTERVAL_MS;
+                onEvent({
+                    type: "auth-health-repaired",
+                    agentName,
+                    agentAuthPath: authPath,
+                    message: "Auth symlink healthy again after previous failure",
+                    timestamp: new Date().toISOString(),
+                });
+            }
+            else {
+                onEvent({
+                    type: "auth-health-ok",
+                    agentName,
+                    agentAuthPath: authPath,
+                    message: "Auth symlink healthy",
+                    timestamp: new Date().toISOString(),
+                });
+            }
+        }
+        else {
+            // Unhealthy: attempt repair
+            const repairResult = ensureAgentAuthLink(agentName);
+            const repaired = (repairResult.status === "ok" || repairResult.status === "repaired") &&
+                isValidAuthSymlink(authPath);
+            consecutiveFailures++;
+            // Exponential backoff: double interval each failure up to ceiling
+            currentInterval = Math.min(HEALTH_CHECK_INTERVAL_MS * 2 ** (consecutiveFailures - 1), MAX_BACKOFF_INTERVAL_MS);
+            onEvent({
+                type: repaired ? "auth-health-repaired" : "auth-health-degraded",
+                agentName,
+                agentAuthPath: authPath,
+                message: repaired
+                    ? `Auth repaired (consecutive failures before: ${consecutiveFailures - 1})`
+                    : `Auth degraded (${consecutiveFailures} consecutive failures): ${repairResult.message}`,
+                timestamp: new Date().toISOString(),
+            });
+        }
+        schedule();
+    }
+    schedule();
+    return {
+        stop() {
+            if (timer !== null) {
+                clearTimeout(timer);
+                timer = null;
+            }
+        },
+    };
+}
+/**
+ * Generates a diagnostic report for all agents (or a specific one).
+ * If `repair` is true, attempts to fix any broken links.
+ */
+export function runAuthDoctor(options) {
+    const canonicalValid = validateCanonicalAuth();
+    const agents = [];
+    // Discover agent names if not specified
+    let names = options.agentNames ?? [];
+    if (names.length === 0) {
+        try {
+            if (fs.existsSync(AGENTMESH_OPENCODE_DATA_ROOT)) {
+                names = fs.readdirSync(AGENTMESH_OPENCODE_DATA_ROOT).filter((entry) => {
+                    const p = path.join(AGENTMESH_OPENCODE_DATA_ROOT, entry);
+                    return fs.statSync(p).isDirectory();
+                });
+            }
+        }
+        catch {
+            // No agents discovered
+        }
+    }
+    for (const name of names) {
+        const authPath = agentAuthPath(name);
+        let isSymlink = false;
+        let symlinkTarget = null;
+        let isValid = false;
+        try {
+            const lstat = fs.lstatSync(authPath);
+            isSymlink = lstat.isSymbolicLink();
+            if (isSymlink) {
+                try {
+                    symlinkTarget = fs.readlinkSync(authPath);
+                    isValid = isValidAuthSymlink(authPath);
+                }
+                catch {
+                    symlinkTarget = null;
+                }
+            }
+            else {
+                // Regular file — not using symlink model
+                isValid = false;
+            }
+        }
+        catch {
+            // auth.json doesn't exist at all
+        }
+        let status = isValid ? "ok" : "degraded";
+        let message = isValid
+            ? `Symlink -> ${symlinkTarget}`
+            : isSymlink
+                ? `Broken symlink -> ${symlinkTarget}`
+                : "No symlink (regular file or missing)";
+        if (options.repair && !isValid && canonicalValid) {
+            const repairResult = ensureAgentAuthLink(name);
+            if (repairResult.status === "repaired" || repairResult.status === "ok") {
+                status = "repaired";
+                isValid = true;
+                const target = fs.readlinkSync(authPath);
+                symlinkTarget = target;
+                isSymlink = true;
+                message = repairResult.message;
+            }
+            else {
+                status = "degraded";
+                message = repairResult.message;
+            }
+        }
+        agents.push({
+            agentName: name,
+            authPath,
+            isSymlink,
+            symlinkTarget,
+            isValid,
+            status,
+            message,
+        });
+    }
+    return {
+        canonicalAuthPath: CANONICAL_AUTH_PATH,
+        canonicalValid,
+        agents,
+        overallOk: canonicalValid && agents.every((a) => a.isValid),
+    };
+}
+//# sourceMappingURL=auth-guard.js.map

package/dist/core/auth-guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-guard.js","sourceRoot":"","sources":["../../src/core/auth-guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,gFAAgF;AAEhF,MAAM,CAAC,MAAM,mBAAmB,GAAG,IAAI,CAAC,IAAI,CAC1C,EAAE,CAAC,OAAO,EAAE,EACZ,QAAQ,EACR,OAAO,EACP,UAAU,EACV,WAAW,CACZ,CAAC;AAEF,MAAM,CAAC,MAAM,4BAA4B,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,YAAY,EAAE,eAAe,CAAC,CAAC;AAEnG,kCAAkC;AAClC,MAAM,wBAAwB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAE/C,+EAA+E;AAC/E,MAAM,uBAAuB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,aAAa;AAE7D,uEAAuE;AACvE,MAAM,kBAAkB,GAAG,CAAC,OAAO,EAAE,eAAe,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC;AAiCnE,gFAAgF;AAEhF;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,SAAiB;IAC7C,OAAO,IAAI,CAAC,IAAI,CAAC,4BAA4B,EAAE,SAAS,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC;AACrF,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,SAAiB;IAChD,OAAO,IAAI,CAAC,IAAI,CAAC,4BAA4B,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;AACxE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CAAC,aAAa,GAAG,mBAAmB;IACvE,IAAI,CAAC;QACH,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC;YAAE,OAAO,KAAK,CAAC;QAChD,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QACxC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE;YAAE,OAAO,KAAK,CAAC;QACjC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC,CAAC;QACpD,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,QAAgB;IACjD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QACtC,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE;YAAE,OAAO,KAAK,CAAC;QAC3C,gCAAgC;QAChC,MAAM,MAAM,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACjD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACpB,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,UAAU,CAAC,CAAS;IAClC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;IACjC,OAAO,kBAAkB,CAAC,IAAI,CAC5B,CAAC,MAAM,EAAE,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,QAAQ,KAAK,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAClF,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,QAAgB;IACjD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACnD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAA4B,CAAC;QAC9D,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YAClD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,gCAAgC,EAAE,CAAC;QACnE,CAAC;QACD,IAAI,CAAC,CAAC,MAAM,IAAI,MAAM,CAAC,IAAI,OAAO,MAAM,CAAC,MAAM,CAAC,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC;YACvF,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM;gBACN,KAAK,EACH,yFAAyF;aAC5F,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;IACjC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,gCAAiC,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC;IAC3F,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAAC,QAAgB;IACnD,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QACrC,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE;YAAE,OAAO,IAAI,CAAC;QACzC,MAAM,MAAM,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;QACzC,OAAO,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,iBAAiB,CAC/B,QAAgB,EAChB,aAAa,GAAG,mBAAmB;IAEnC,IAAI,CAAC;QACH,IAAI,CAAC,qBAAqB,CAAC,aAAa,CAAC,EAAE,CAAC;YAC1C,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,6BAA6B,aAAa,EAAE,EAAE,CAAC;QACjF,CAAC;QAED,MAAM,MAAM,GAAG,kBAAkB,CAAC,aAAa,CAAC,CAAC;QACjD,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,kCAAkC,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC;QACrF,CAAC;QAED,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAE1D,IAAI,QAA4B,CAAC;QACjC,IAAI,aAAa,GAAoB,IAAI,CAAC;QAC1C,IAAI,CAAC;YACH,aAAa,GAAG,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QACzC,CAAC;QAAC,MAAM,CAAC;YACP,qBAAqB;QACvB,CAAC;QAED,IAAI,aAAa,KAAK,IAAI,EAAE,CAAC;YAC3B,IAAI,aAAa,CAAC,cAAc,EAAE,IAAI,aAAa,CAAC,MAAM,EAAE,EAAE,CAAC;gBAC7D,QAAQ,GAAG,GAAG,QAAQ,QAAQ,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;gBAC3C,yEAAyE;gBACzE,IAAI,aAAa,CAAC,MAAM,EAAE,EAAE,CAAC;oBAC3B,EAAE,CAAC,UAAU,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;gBACpC,CAAC;qBAAM,CAAC;oBACN,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;oBACxB,QAAQ,GAAG,SAAS,CAAC;gBACvB,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,EAAE,CAAC,MAAM,CAAC,QAAQ,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YACxD,CAAC;QACH,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,aAAa,EAAE,OAAO,CAAC,CAA4B,CAAC;QAC5F,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,2BAA2B;QAC/C,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAC9C,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACrD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;IACrC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC;IAC3D,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAC3B,QAAgB,EAChB,aAAa,GAAG,mBAAmB;IAEnC,IAAI,CAAC;QACH,iCAAiC;QACjC,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAE1D,IAAI,QAA4B,CAAC;QAEjC,8DAA8D;QAC9D,IAAI,aAAa,GAAoB,IAAI,CAAC;QAC1C,IAAI,CAAC;YACH,aAAa,GAAG,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QACzC,CAAC;QAAC,MAAM,CAAC;YACP,0CAA0C;QAC5C,CAAC;QAED,IAAI,aAAa,KAAK,IAAI,EAAE,CAAC;YAC3B,IAAI,aAAa,CAAC,cAAc,EAAE,EAAE,CAAC;gBACnC,iCAAiC;gBACjC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YAC1B,CAAC;iBAAM,IAAI,aAAa,CAAC,MAAM,EAAE,EAAE,CAAC;gBAClC,oCAAoC;gBACpC,QAAQ,GAAG,GAAG,QAAQ,QAAQ,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;gBAC3C,EAAE,CAAC,UAAU,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;YACpC,CAAC;iBAAM,CAAC;gBACN,wBAAwB;gBACxB,EAAE,CAAC,MAAM,CAAC,QAAQ,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YACxD,CAAC;QACH,CAAC;QAED,EAAE,CAAC,WAAW,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;QACxC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;IACpC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC;IAC1D,CAAC;AACH,CAAC;AAED,gFAAgF;AAEhF;;;;;;;;;GASG;AACH,MAAM,UAAU,mBAAmB,CAAC,SAAiB;IACnD,MAAM,QAAQ,GAAG,aAAa,CAAC,SAAS,CAAC,CAAC;IAC1C,MAAM,aAAa,GAAG,mBAAmB,CAAC;IAE1C,kFAAkF;IAClF,IAAI,kBAAkB,CAAC,QAAQ,CAAC,EAAE,CAAC;QACjC,MAAM,UAAU,GAAG,oBAAoB,CAAC,QAAQ,CAAC,CAAC;QAClD,IAAI,UAAU,EAAE,CAAC;YACf,oDAAoD;YACpD,OAAO,CAAC,IAAI,CAAC,8CAA8C,UAAU,EAAE,CAAC,CAAC;QAC3E,CAAC;aAAM,CAAC;YACN,2DAA2D;YAC3D,MAAM,MAAM,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAC;YAC5C,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;gBAClB,OAAO,CAAC,IAAI,CAAC,oCAAoC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;gBACjE,yBAAyB;YAC3B,CAAC;iBAAM,CAAC;gBACN,OAAO;oBACL,MAAM,EAAE,IAAI;oBACZ,aAAa,EAAE,QAAQ;oBACvB,iBAAiB,EAAE,aAAa;oBAChC,OAAO,EAAE,uBAAuB;iBACjC,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,2CAA2C;IAC3C,IAAI,CAAC,qBAAqB,CAAC,aAAa,CAAC,EAAE,CAAC;QAC1C,OAAO;YACL,MAAM,EAAE,cAAc;YACtB,aAAa,EAAE,QAAQ;YACvB,iBAAiB,EAAE,aAAa;YAChC,OAAO,EAAE,wCAAwC,aAAa,EAAE;SACjE,CAAC;IACJ,CAAC;IAED,mCAAmC;IACnC,MAAM,MAAM,GAAG,aAAa,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;IAEtD,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClB,uCAAuC;QACvC,MAAM,MAAM,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QAC5C,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO;gBACL,MAAM,EAAE,UAAU;gBAClB,aAAa,EAAE,QAAQ;gBACvB,iBAAiB,EAAE,aAAa;gBAChC,OAAO,EAAE,sDAAsD,MAAM,CAAC,KAAK,EAAE;aAC9E,CAAC;QACJ,CAAC;QACD,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,gCAAgC,MAAM,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;QAC7F,OAAO;YACL,MAAM,EAAE,UAAU;YAClB,aAAa,EAAE,QAAQ;YACvB,iBAAiB,EAAE,aAAa;YAChC,OAAO,EAAE,uBAAuB,UAAU,EAAE;SAC7C,CAAC;IACJ,CAAC;IAED,mEAAmE;IACnE,MAAM,QAAQ,GAAG,iBAAiB,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;IAC5D,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;QACrB,OAAO;YACL,MAAM,EAAE,UAAU;YAClB,aAAa,EAAE,QAAQ;YACvB,iBAAiB,EAAE,aAAa;YAChC,OAAO,EAAE,+CAA+C,MAAM,CAAC,KAAK,EAAE;SACvE,CAAC;IACJ,CAAC;IAED,OAAO;QACL,MAAM,EAAE,UAAU;QAClB,aAAa,EAAE,QAAQ;QACvB,iBAAiB,EAAE,aAAa;QAChC,OAAO,EAAE,kCAAkC,MAAM,CAAC,KAAK,EAAE;KAC1D,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,SAAiB;IAIlD,MAAM,KAAK,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC;IAE7C,cAAc;IACd,IAAI,KAAK,CAAC,MAAM,KAAK,IAAI,IAAI,KAAK,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;QACzD,4DAA4D;QAC5D,IAAI,kBAAkB,CAAC,KAAK,CAAC,aAAa,CAAC,EAAE,CAAC;YAC5C,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;QACrC,CAAC;QACD,oDAAoD;QACpD,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE;gBACN,GAAG,KAAK;gBACR,MAAM,EAAE,UAAU;gBAClB,OAAO,EAAE,6CAA6C,KAAK,CAAC,aAAa,EAAE;aAC5E;SACF,CAAC;IACJ,CAAC;IAED,IAAI,KAAK,CAAC,MAAM,KAAK,cAAc,EAAE,CAAC;QACpC,4CAA4C;QAC5C,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IACtC,CAAC;IAED,6DAA6D;IAC7D,MAAM,KAAK,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC;IAC7C,IAAI,KAAK,CAAC,MAAM,KAAK,UAAU,IAAI,kBAAkB,CAAC,KAAK,CAAC,aAAa,CAAC,EAAE,CAAC;QAC3E,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IACrC,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AACtC,CAAC;AAQD;;;;;;;;GAQG;AACH,MAAM,UAAU,sBAAsB,CACpC,SAAiB,EACjB,OAA0C;IAE1C,IAAI,mBAAmB,GAAG,CAAC,CAAC;IAC5B,IAAI,eAAe,GAAG,wBAAwB,CAAC;IAC/C,IAAI,KAAK,GAAyC,IAAI,CAAC;IAEvD,SAAS,QAAQ;QACf,KAAK,GAAG,UAAU,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IAC7C,CAAC;IAED,SAAS,KAAK;QACZ,MAAM,QAAQ,GAAG,aAAa,CAAC,SAAS,CAAC,CAAC;QAE1C,IAAI,kBAAkB,CAAC,QAAQ,CAAC,EAAE,CAAC;YACjC,yBAAyB;YACzB,IAAI,mBAAmB,GAAG,CAAC,EAAE,CAAC;gBAC5B,mBAAmB,GAAG,CAAC,CAAC;gBACxB,eAAe,GAAG,wBAAwB,CAAC;gBAC3C,OAAO,CAAC;oBACN,IAAI,EAAE,sBAAsB;oBAC5B,SAAS;oBACT,aAAa,EAAE,QAAQ;oBACvB,OAAO,EAAE,mDAAmD;oBAC5D,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;iBACpC,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC;oBACN,IAAI,EAAE,gBAAgB;oBACtB,SAAS;oBACT,aAAa,EAAE,QAAQ;oBACvB,OAAO,EAAE,sBAAsB;oBAC/B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;iBACpC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;aAAM,CAAC;YACN,4BAA4B;YAC5B,MAAM,YAAY,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC;YACpD,MAAM,QAAQ,GACZ,CAAC,YAAY,CAAC,MAAM,KAAK,IAAI,IAAI,YAAY,CAAC,MAAM,KAAK,UAAU,CAAC;gBACpE,kBAAkB,CAAC,QAAQ,CAAC,CAAC;YAE/B,mBAAmB,EAAE,CAAC;YACtB,kEAAkE;YAClE,eAAe,GAAG,IAAI,CAAC,GAAG,CACxB,wBAAwB,GAAG,CAAC,IAAI,CAAC,mBAAmB,GAAG,CAAC,CAAC,EACzD,uBAAuB,CACxB,CAAC;YAEF,OAAO,CAAC;gBACN,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,sBAAsB;gBAChE,SAAS;gBACT,aAAa,EAAE,QAAQ;gBACvB,OAAO,EAAE,QAAQ;oBACf,CAAC,CAAC,+CAA+C,mBAAmB,GAAG,CAAC,GAAG;oBAC3E,CAAC,CAAC,kBAAkB,mBAAmB,2BAA2B,YAAY,CAAC,OAAO,EAAE;gBAC1F,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;aACpC,CAAC,CAAC;QACL,CAAC;QAED,QAAQ,EAAE,CAAC;IACb,CAAC;IAED,QAAQ,EAAE,CAAC;IAEX,OAAO;QACL,IAAI;YACF,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;gBACnB,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,KAAK,GAAG,IAAI,CAAC;YACf,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC;AAqBD;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,OAAoD;IAChF,MAAM,cAAc,GAAG,qBAAqB,EAAE,CAAC;IAC/C,MAAM,MAAM,GAAwB,EAAE,CAAC;IAEvC,wCAAwC;IACxC,IAAI,KAAK,GAAG,OAAO,CAAC,UAAU,IAAI,EAAE,CAAC;IACrC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,IAAI,CAAC;YACH,IAAI,EAAE,CAAC,UAAU,CAAC,4BAA4B,CAAC,EAAE,CAAC;gBAChD,KAAK,GAAG,EAAE,CAAC,WAAW,CAAC,4BAA4B,CAAC,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;oBACpE,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,4BAA4B,EAAE,KAAK,CAAC,CAAC;oBACzD,OAAO,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;gBACtC,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,uBAAuB;QACzB,CAAC;IACH,CAAC;IAED,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;QACrC,IAAI,SAAS,GAAG,KAAK,CAAC;QACtB,IAAI,aAAa,GAAkB,IAAI,CAAC;QACxC,IAAI,OAAO,GAAG,KAAK,CAAC;QAEpB,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;YACrC,SAAS,GAAG,KAAK,CAAC,cAAc,EAAE,CAAC;YACnC,IAAI,SAAS,EAAE,CAAC;gBACd,IAAI,CAAC;oBACH,aAAa,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;oBAC1C,OAAO,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAC;gBACzC,CAAC;gBAAC,MAAM,CAAC;oBACP,aAAa,GAAG,IAAI,CAAC;gBACvB,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,yCAAyC;gBACzC,OAAO,GAAG,KAAK,CAAC;YAClB,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,iCAAiC;QACnC,CAAC;QAED,IAAI,MAAM,GAAmB,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC;QACzD,IAAI,OAAO,GAAG,OAAO;YACnB,CAAC,CAAC,cAAc,aAAa,EAAE;YAC/B,CAAC,CAAC,SAAS;gBACT,CAAC,CAAC,qBAAqB,aAAa,EAAE;gBACtC,CAAC,CAAC,sCAAsC,CAAC;QAE7C,IAAI,OAAO,CAAC,MAAM,IAAI,CAAC,OAAO,IAAI,cAAc,EAAE,CAAC;YACjD,MAAM,YAAY,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;YAC/C,IAAI,YAAY,CAAC,MAAM,KAAK,UAAU,IAAI,YAAY,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;gBACvE,MAAM,GAAG,UAAU,CAAC;gBACpB,OAAO,GAAG,IAAI,CAAC;gBACf,MAAM,MAAM,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;gBACzC,aAAa,GAAG,MAAM,CAAC;gBACvB,SAAS,GAAG,IAAI,CAAC;gBACjB,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC;YACjC,CAAC;iBAAM,CAAC;gBACN,MAAM,GAAG,UAAU,CAAC;gBACpB,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC;YACjC,CAAC;QACH,CAAC;QAED,MAAM,CAAC,IAAI,CAAC;YACV,SAAS,EAAE,IAAI;YACf,QAAQ;YACR,SAAS;YACT,aAAa;YACb,OAAO;YACP,MAAM;YACN,OAAO;SACR,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,iBAAiB,EAAE,mBAAmB;QACtC,cAAc;QACd,MAAM;QACN,SAAS,EAAE,cAAc,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;KAC5D,CAAC;AACJ,CAAC"}

package/dist/core/auth-sync.d.ts

@@ -0,0 +1,105 @@
+/**
+ * OpenCode auth sync — symlink-first strategy.
+ *
+ * Canonical source: ~/.local/share/opencode/auth.json
+ * Per-agent target:  ~/.agentmesh/opencode-data/<agent>/opencode/auth.json
+ *
+ * Strategy (in order):
+ *   1. If target is already a correct symlink → no-op.
+ *   2. If target is a regular file (stale copy) → backup + replace with symlink.
+ *   3. If target does not exist → create symlink.
+ *   4. If canonical does not exist → no-op (agent must auth manually).
+ *
+ * On any symlink creation failure (e.g. cross-device) → fall back to copy.
+ */
+export declare const CANONICAL_AUTH_PATH: string;
+export interface AuthLinkResult {
+    /** What action was taken */
+    action: "symlink-ok" | "symlink-created" | "symlink-replaced-file" | "copy-fallback" | "no-op";
+    /** Human-readable description */
+    message: string;
+    /** Whether the agent auth file is now in a good state */
+    ok: boolean;
+}
+/**
+ * Returns the per-agent auth.json path for the given agent name.
+ * Pass `homeDir` to override os.homedir() — useful for testing.
+ */
+export declare function agentAuthPath(agentName: string, homeDir?: string): string;
+/**
+ * Ensures the per-agent auth.json is a symlink to the canonical source.
+ * Safe to call at every agent startup — idempotent.
+ *
+ * @param agentName   - Agent identifier (used to compute per-agent path)
+ * @param canonicalPath - Override canonical auth path (default: ~/.local/share/opencode/auth.json)
+ * @param homeDir       - Override home directory base (default: os.homedir()); useful for tests
+ */
+export declare function ensureAuthLink(agentName: string, canonicalPath?: string, homeDir?: string): AuthLinkResult;
+export interface AuthLinkStatus {
+    agentName: string;
+    authPath: string;
+    /** Does the auth file exist (symlink target resolves or copy present)? */
+    exists: boolean;
+    /** Is it a symlink? */
+    isSymlink: boolean;
+    /** Does the symlink point to the canonical path? */
+    pointsToCanonical: boolean;
+    /** Is the canonical auth file present? */
+    canonicalExists: boolean;
+    /** If symlink, what does it point to? */
+    symlinkTarget?: string;
+    /** Auth file mtime (for drift detection) */
+    mtime?: Date;
+}
+/**
+ * Returns diagnostic status for a single agent's auth link.
+ *
+ * @param agentName     - Agent identifier
+ * @param canonicalPath - Override canonical auth path (default: ~/.local/share/opencode/auth.json)
+ * @param homeDir       - Override home directory base (default: os.homedir()); useful for tests
+ */
+export declare function getAuthLinkStatus(agentName: string, canonicalPath?: string, homeDir?: string): AuthLinkStatus;
+/**
+ * Returns the list of agent names that have opencode-data directories.
+ *
+ * @param homeDir - Override home directory base (default: os.homedir()); useful for tests
+ */
+export declare function listManagedAgents(homeDir?: string): string[];
+/**
+ * Repairs ALL managed agents' auth links.
+ * Returns per-agent results.
+ *
+ * @param canonicalPath - Override canonical auth path (default: ~/.local/share/opencode/auth.json)
+ * @param homeDir       - Override home directory base (default: os.homedir()); useful for tests
+ */
+export declare function repairAllAuthLinks(canonicalPath?: string, homeDir?: string): AuthLinkResult[];
+export interface AuthPreflightResult {
+    /** Overall pass/fail */
+    passed: boolean;
+    /** Whether auth link is in good state */
+    linkOk: boolean;
+    /** Whether canonical auth file is present and readable */
+    canonicalOk: boolean;
+    /** Whether the auth content looks structurally valid (has at least one provider) */
+    contentOk: boolean;
+    /** If repair was attempted, the result */
+    repairResult?: AuthLinkResult;
+    /** Human-readable message */
+    message: string;
+}
+/**
+ * Startup preflight: verify auth is in good shape, auto-repair if not.
+ *
+ * Does NOT make a live provider API call (that would slow down every startup).
+ * It validates:
+ *   1. Canonical auth file exists and is readable
+ *   2. Per-agent auth link is correct (symlink → canonical or readable copy)
+ *   3. Auth JSON has at least one provider entry
+ *
+ * If link is bad → auto-repair via ensureAuthLink.
+ *
+ * @param agentName     - Agent identifier
+ * @param canonicalPath - Override canonical auth path (default: ~/.local/share/opencode/auth.json)
+ * @param homeDir       - Override home directory base (default: os.homedir()); useful for tests
+ */
+export declare function preflightAuth(agentName: string, canonicalPath?: string, homeDir?: string): AuthPreflightResult;