@aigne/afs-cli 1.11.0-beta.11 → 1.11.0-beta.12

package/dist/cli.cjs

@@ -25,12 +25,13 @@ async function main() {
 		version: require_version.VERSION
 	}).execute(args);
 	if (result.success) {
+		process.exitCode = require_errors.ExitCode.OK;
 		console.log(result.formatted);
-		process.exit(require_errors.ExitCode.OK);
 	} else {
+		process.exitCode = result.error?.code ?? require_errors.ExitCode.RUNTIME_ERROR;
 		console.error(result.formatted);
-		process.exit(result.error?.code ?? require_errors.ExitCode.RUNTIME_ERROR);
 	}
+	process.exit(process.exitCode);
 }
 main().catch((error) => {
 	console.error(error instanceof Error ? error.message : String(error));

package/dist/cli.mjs

@@ -24,12 +24,13 @@ async function main() {
 		version: VERSION
 	}).execute(args);
 	if (result.success) {
+		process.exitCode = ExitCode.OK;
 		console.log(result.formatted);
-		process.exit(ExitCode.OK);
 	} else {
+		process.exitCode = result.error?.code ?? ExitCode.RUNTIME_ERROR;
 		console.error(result.formatted);
-		process.exit(result.error?.code ?? ExitCode.RUNTIME_ERROR);
 	}
+	process.exit(process.exitCode);
 }
 main().catch((error) => {
 	console.error(error instanceof Error ? error.message : String(error));

package/dist/cli.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"cli.mjs","names":[],"sources":["../src/cli.ts"],"sourcesContent":["#!/usr/bin/env node\n\n/**\n * AFS CLI - Command Line Interface\n *\n * Simple CLI that delegates to executor. AFS is lazy-loaded on demand\n * by individual commands, so mount failures don't block config commands.\n */\n\nimport \"urlpattern-polyfill\";\nimport { hideBin } from \"yargs/helpers\";\nimport { AFSCommandExecutor } from \"./core/index.js\";\nimport { ExitCode } from \"./errors.js\";\nimport { VERSION } from \"./version.js\";\n\nasync function main() {\n  const args = hideBin(process.argv);\n  const cwd = process.cwd();\n\n  // Check for -i / --interactive before yargs parsing\n  if (args.includes(\"-i\") || args.includes(\"--interactive\")) {\n    const { startRepl } = await import(\"./repl.js\");\n    await startRepl({ cwd, version: VERSION });\n    process.exit(ExitCode.OK);\n  }\n\n  const executor = new AFSCommandExecutor(undefined, {\n    cwd,\n    tty: process.stdout.isTTY ?? false,\n    version: VERSION,\n  });\n\n  const result = await executor.execute(args);\n\n  if (result.success) {\n    console.log(result.formatted);\n    process.exit(ExitCode.OK);\n  } else {\n    console.error(result.formatted);\n    process.exit(result.error?.code ?? ExitCode.RUNTIME_ERROR);\n  }\n}\n\nmain().catch((error) => {\n  console.error(error instanceof Error ? error.message : String(error));\n  process.exit(ExitCode.RUNTIME_ERROR);\n});\n"],"mappings":";;;;;;;;;AAeA,eAAe,OAAO;CACpB,MAAM,OAAO,QAAQ,QAAQ,KAAK;CAClC,MAAM,MAAM,QAAQ,KAAK;AAGzB,KAAI,KAAK,SAAS,KAAK,IAAI,KAAK,SAAS,gBAAgB,EAAE;EACzD,MAAM,EAAE,cAAc,MAAM,OAAO;AACnC,QAAM,UAAU;GAAE;GAAK,SAAS;GAAS,CAAC;AAC1C,UAAQ,KAAK,SAAS,GAAG;;CAS3B,MAAM,SAAS,MANE,IAAI,mBAAmB,QAAW;EACjD;EACA,KAAK,QAAQ,OAAO,SAAS;EAC7B,SAAS;EACV,CAAC,CAE4B,QAAQ,KAAK;AAE3C,KAAI,OAAO,SAAS;AAClB,UAAQ,IAAI,OAAO,UAAU;AAC7B,UAAQ,KAAK,SAAS,GAAG;QACpB;AACL,UAAQ,MAAM,OAAO,UAAU;AAC/B,UAAQ,KAAK,OAAO,OAAO,QAAQ,SAAS,cAAc;;;AAI9D,MAAM,CAAC,OAAO,UAAU;AACtB,SAAQ,MAAM,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,CAAC;AACrE,SAAQ,KAAK,SAAS,cAAc;EACpC"}
+{"version":3,"file":"cli.mjs","names":[],"sources":["../src/cli.ts"],"sourcesContent":["#!/usr/bin/env node\n\n/**\n * AFS CLI - Command Line Interface\n *\n * Simple CLI that delegates to executor. AFS is lazy-loaded on demand\n * by individual commands, so mount failures don't block config commands.\n */\n\nimport \"urlpattern-polyfill\";\nimport { hideBin } from \"yargs/helpers\";\nimport { AFSCommandExecutor } from \"./core/index.js\";\nimport { ExitCode } from \"./errors.js\";\nimport { VERSION } from \"./version.js\";\n\nasync function main() {\n  const args = hideBin(process.argv);\n  const cwd = process.cwd();\n\n  // Check for -i / --interactive before yargs parsing\n  if (args.includes(\"-i\") || args.includes(\"--interactive\")) {\n    const { startRepl } = await import(\"./repl.js\");\n    await startRepl({ cwd, version: VERSION });\n    process.exit(ExitCode.OK);\n  }\n\n  const executor = new AFSCommandExecutor(undefined, {\n    cwd,\n    tty: process.stdout.isTTY ?? false,\n    version: VERSION,\n  });\n\n  const result = await executor.execute(args);\n\n  if (result.success) {\n    process.exitCode = ExitCode.OK;\n    console.log(result.formatted);\n  } else {\n    process.exitCode = result.error?.code ?? ExitCode.RUNTIME_ERROR;\n    console.error(result.formatted);\n  }\n\n  // Force exit — providers may hold background resources (MCP child processes,\n  // Telegram long-polling, open HTTP connections) that keep the event loop alive.\n  // stdout/stderr are flushed synchronously above via console.log/console.error.\n  process.exit(process.exitCode);\n}\n\nmain().catch((error) => {\n  console.error(error instanceof Error ? error.message : String(error));\n  process.exit(ExitCode.RUNTIME_ERROR);\n});\n"],"mappings":";;;;;;;;;AAeA,eAAe,OAAO;CACpB,MAAM,OAAO,QAAQ,QAAQ,KAAK;CAClC,MAAM,MAAM,QAAQ,KAAK;AAGzB,KAAI,KAAK,SAAS,KAAK,IAAI,KAAK,SAAS,gBAAgB,EAAE;EACzD,MAAM,EAAE,cAAc,MAAM,OAAO;AACnC,QAAM,UAAU;GAAE;GAAK,SAAS;GAAS,CAAC;AAC1C,UAAQ,KAAK,SAAS,GAAG;;CAS3B,MAAM,SAAS,MANE,IAAI,mBAAmB,QAAW;EACjD;EACA,KAAK,QAAQ,OAAO,SAAS;EAC7B,SAAS;EACV,CAAC,CAE4B,QAAQ,KAAK;AAE3C,KAAI,OAAO,SAAS;AAClB,UAAQ,WAAW,SAAS;AAC5B,UAAQ,IAAI,OAAO,UAAU;QACxB;AACL,UAAQ,WAAW,OAAO,OAAO,QAAQ,SAAS;AAClD,UAAQ,MAAM,OAAO,UAAU;;AAMjC,SAAQ,KAAK,QAAQ,SAAS;;AAGhC,MAAM,CAAC,OAAO,UAAU;AACtB,SAAQ,MAAM,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,CAAC;AACrE,SAAQ,KAAK,SAAS,cAAc;EACpC"}

package/dist/config/afs-loader.cjs

@@ -1,11 +1,28 @@
 const require_rolldown_runtime = require('../_virtual/rolldown_runtime.cjs');
+const require_credential_helpers = require('./credential-helpers.cjs');
 const require_loader = require('./loader.cjs');
 const require_mount_commands = require('./mount-commands.cjs');
+let node_fs_promises = require("node:fs/promises");
+let node_os = require("node:os");
+let node_path = require("node:path");
 let _aigne_afs = require("@aigne/afs");
 let _aigne_afs_utils_uri = require("@aigne/afs/utils/uri");
 
 //#region src/config/afs-loader.ts
 /**
+* AFS Loader - Lazy loading with parallel tolerant mount
+*
+* Provides loadAFS() for on-demand AFS creation with caching.
+* createAFS() uses Promise.allSettled for parallel provider creation + mount,
+* tolerating individual failures while reporting them to stderr.
+*
+* Integrates 4-step credential resolution:
+* 1. Determine missing fields from provider schema
+* 2. Silent resolution (config > env > credential store)
+* 3. Interactive collection (provider auth() or default collect())
+* 4. Unified persistence (sensitive → credentials.toml, non-sensitive → config options)
+*/
+/**
 * Register the workspace:// scheme on a ProviderRegistry.
 *
 * Extracted so that both createAFS() and verifyMount() can support
@@ -27,17 +44,26 @@ function registerWorkspaceFactory(registry) {
 		});
 	});
 }
-let cached;
+const cacheMap = /* @__PURE__ */ new Map();
+function cacheKey(cwd) {
+	const { resolve } = require("node:path");
+	return resolve(cwd);
+}
 /**
-* Load AFS with caching - first call creates, subsequent calls return cached instance
+* Load AFS with per-cwd caching — same cwd returns same instance,
+* different cwd creates a separate instance.
 */
 async function loadAFS(cwd, options) {
+	const key = cacheKey(cwd);
+	const cached = cacheMap.get(key);
 	if (cached) return {
 		afs: cached,
-		failures: []
+		failures: [],
+		configMountPaths: [],
+		registry: new _aigne_afs.ProviderRegistry()
 	};
 	const result = await createAFS(cwd, options);
-	cached = result.afs;
+	cacheMap.set(key, result.afs);
 	return result;
 }
 /**
@@ -64,10 +90,10 @@ async function createAFS(cwd, options) {
 			workspacePath: parsed.body,
 			registry,
 			createProvider: async (subMount) => {
-				const credResult = await resolveAndMergeCredentials(subMount, authContext, credentialStore, registry);
+				const credResult = await require_credential_helpers.resolveAndMergeCredentials(subMount, authContext, credentialStore, registry);
 				const provider = await registry.createProvider(subMount);
 				if (credResult) {
-					await persistCredentialResult(subMount, credResult);
+					await require_credential_helpers.persistCredentialResult(subMount, credResult);
 					const opts = subMount.options ?? {};
 					for (const key of Object.keys(credResult.sensitive)) delete opts[key];
 					subMount.options = Object.keys(opts).length > 0 ? opts : void 0;
@@ -84,9 +110,13 @@ async function createAFS(cwd, options) {
 			...mount.options
 		});
 	});
+	afs.createProviderFromMount = async (mount) => {
+		await require_credential_helpers.resolveAndMergeCredentials(mount, authContext, credentialStore, registry);
+		return registry.createProvider(mount);
+	};
 	afs.loadProvider = async (uri, mountPath, options$1) => {
 		(0, _aigne_afs_utils_uri.parseURI)(uri);
-		const { cleanUri: loadConfigUri, envRecord: loadEnvRecord } = extractEnvFromURI(uri);
+		const { cleanUri: loadConfigUri, envRecord: loadEnvRecord } = require_credential_helpers.extractEnvFromURI(uri);
 		const hasLoadEnv = Object.keys(loadEnvRecord).length > 0;
 		const { accessMode, auth, description, scope, ...providerOptions } = options$1 ?? {};
 		if (hasLoadEnv) providerOptions.env = {
@@ -102,7 +132,7 @@ async function createAFS(cwd, options) {
 			options: Object.keys(providerOptions).length > 0 ? providerOptions : void 0
 		};
 		const persistScope = scope || "cwd";
-		let credResult = await resolveAndMergeCredentials(mount, authContext, credentialStore, registry);
+		let credResult = await require_credential_helpers.resolveAndMergeCredentials(mount, authContext, credentialStore, registry);
 		try {
 			const provider = await registry.createProvider(mount);
 			await afs.mount(provider, mountPath);
@@ -117,13 +147,13 @@ async function createAFS(cwd, options) {
 					description: description ?? void 0,
 					options: Object.keys(retryProviderOptions).length > 0 ? retryProviderOptions : void 0
 				};
-				credResult = await resolveAndMergeCredentials(retryMount, authContext, credentialStore, registry, { forceCollect: true });
+				credResult = await require_credential_helpers.resolveAndMergeCredentials(retryMount, authContext, credentialStore, registry, { forceCollect: true });
 				const retryProvider = await registry.createProvider(retryMount);
 				await afs.mount(retryProvider, mountPath);
 				Object.assign(mount, retryMount);
 			} else throw mountError;
 		}
-		if (credResult) await persistCredentialResult(mount, credResult);
+		if (credResult) await require_credential_helpers.persistCredentialResult(mount, credResult);
 		if (hasLoadEnv && credentialStore) try {
 			const envCreds = {};
 			for (const [k, v] of Object.entries(loadEnvRecord)) envCreds[`env:${k}`] = v;
@@ -177,14 +207,14 @@ async function createAFS(cwd, options) {
 	};
 	if (config.registry?.enabled !== false) try {
 		const { AFSRegistry } = await import("@aigne/afs-registry");
-		const officialRegistry = new AFSRegistry(config.registry?.providers?.length ? { providers: config.registry.providers } : { url: "https://raw.githubusercontent.com/ArcBlock/afs-registry/refs/heads/main/providers.json" });
-		await afs.mount(officialRegistry, "/registry/official");
-		const internalRegistry = new AFSRegistry();
-		await afs.mount(internalRegistry, "/registry/internal");
+		const registry$1 = new AFSRegistry(config.registry?.providers?.length ? { providers: config.registry.providers } : void 0);
+		await afs.mount(registry$1, "/registry");
 	} catch {}
 	if (config.mounts.length === 0) return {
 		afs,
-		failures: []
+		failures: [],
+		configMountPaths: [],
+		registry
 	};
 	const total = config.mounts.length;
 	let completed = 0;
@@ -194,7 +224,7 @@ async function createAFS(cwd, options) {
 		completed: 0,
 		failed: 0
 	});
-	if (credentialStore && mountSources.size > 0) await mergeStoredCredentials(config.mounts, mountSources, credentialStore);
+	if (credentialStore && mountSources.size > 0) await require_credential_helpers.mergeStoredCredentials(config.mounts, mountSources, credentialStore);
 	const results = await Promise.allSettled(config.mounts.map(async (mount) => {
 		const provider = await registry.createProvider(mount);
 		await afs.mount(provider, mount.path, { namespace: mount.namespace ?? null });
@@ -232,304 +262,23 @@ async function createAFS(cwd, options) {
 		for (const f of failures) console.warn(`  - ${f.path}: ${f.reason}`);
 	}
 	if (succeeded.length === 0 && config.mounts.length > 0) throw new Error("All providers failed to mount");
-	return {
-		afs,
-		failures
-	};
-}
-/**
-* Extract env query params from MCP URIs for secure credential storage.
-*
-* MCP servers receive secrets via env vars (e.g., `mcp+stdio://npx?env=API_KEY=sk-xxx`).
-* This function extracts env params from the URI so they can be stored in credentials.toml
-* instead of being persisted in plaintext in config.toml.
-*
-* Only applies to MCP schemes (mcp://, mcp+stdio://, mcp+sse://).
-* Non-MCP URIs are returned unchanged.
-*/
-function extractEnvFromURI(uri) {
-	const parsed = (0, _aigne_afs_utils_uri.parseURI)(uri);
-	const envRecord = {};
-	if (!parsed.scheme.startsWith("mcp")) return {
-		cleanUri: uri,
-		envRecord
-	};
-	const envValues = parsed.query.env;
-	if (!envValues) return {
-		cleanUri: uri,
-		envRecord
-	};
-	const envList = Array.isArray(envValues) ? envValues : [envValues];
-	for (const entry of envList) {
-		const eqIdx = entry.indexOf("=");
-		if (eqIdx > 0) envRecord[entry.slice(0, eqIdx)] = entry.slice(eqIdx + 1);
-	}
-	const queryIndex = uri.indexOf("?");
-	if (queryIndex < 0) return {
-		cleanUri: uri,
-		envRecord
-	};
-	const rawQuery = uri.slice(queryIndex + 1);
-	const params = new URLSearchParams(rawQuery);
-	params.delete("env");
-	const newQuery = params.toString();
-	const base = uri.slice(0, queryIndex);
-	return {
-		cleanUri: newQuery ? `${base}?${newQuery}` : base,
-		envRecord
-	};
-}
-/**
-* Extract template variables from mount.uri using the manifest's uriTemplate
-* and merge them into mount.options so the credential resolver sees them as "known".
-*
-* Example: cloudflare://d9e5fca3... + template "cloudflare://{accountId}"
-*        → mount.options.accountId = "d9e5fca3..."
-*/
-function mergeTemplateVarsIntoMount(mount, manifest) {
-	if (!manifest?.uriTemplate) return;
-	const { parseTemplate } = require("@aigne/afs/utils/uri-template");
-	const parsed = (0, _aigne_afs_utils_uri.parseURI)(mount.uri);
-	let templateVars;
-	try {
-		templateVars = parseTemplate(manifest.uriTemplate, parsed.body);
-	} catch {
-		return;
-	}
-	for (const [key, value] of Object.entries(templateVars)) if (value !== void 0) {
-		if (!mount.options) mount.options = {};
-		if (mount.options[key] === void 0) mount.options[key] = value;
-	}
-}
-/**
-* After credential resolution, rebuild mount.uri from the template if the
-* current URI body is empty/incomplete and resolved options can fill template vars.
-*
-* Example: mount.uri = "cloudflare://" (empty body), mount.options.accountId = "abc"
-*        → mount.uri = "cloudflare://abc"
-*/
-function rebuildURIFromTemplate(mount, manifest) {
-	if (!manifest?.uriTemplate) return;
-	const { buildURI, getTemplateVariableNames } = require("@aigne/afs/utils/uri-template");
-	const varNames = getTemplateVariableNames(manifest.uriTemplate);
-	if (varNames.length === 0) return;
-	const parsed = (0, _aigne_afs_utils_uri.parseURI)(mount.uri);
-	const { parseTemplate } = require("@aigne/afs/utils/uri-template");
-	let existingVars;
-	try {
-		existingVars = parseTemplate(manifest.uriTemplate, parsed.body);
-	} catch {
-		existingVars = {};
-	}
-	const allVars = { ...existingVars };
-	for (const name of varNames) if (!allVars[name] && mount.options?.[name] != null) allVars[name] = String(mount.options[name]);
-	try {
-		const newURI = buildURI(manifest.uriTemplate, allVars);
-		if (newURI !== mount.uri) mount.uri = newURI;
-	} catch {}
-}
-/**
-* Attempt credential resolution for a mount, merging resolved values into mount.options.
-*
-* Returns the credential result if any fields were collected interactively,
-* or null if no interactive collection was needed (or no schema/authContext).
-*
-* This function mutates mount.options and mount.auth/mount.token when credentials
-* are resolved, so the subsequent registry.createProvider(mount) receives complete values.
-*/
-async function resolveAndMergeCredentials(mount, authContext, credentialStore, registry, opts) {
-	const info = await registry.getProviderInfo(mount.uri);
-	const schema = info?.schema ?? null;
-	const providerAuth = info?.auth;
-	if (!schema) return null;
-	mergeTemplateVarsIntoMount(mount, info?.manifest);
-	const { getSensitiveFields } = await import("@aigne/afs/utils/schema");
-	const sensitiveFieldsInSchema = getSensitiveFields(schema);
-	const schemaProps = schema.properties ?? {};
-	const hasEnvFields = Object.values(schemaProps).some((p) => Array.isArray(p?.env));
-	if (sensitiveFieldsInSchema.length === 0 && !hasEnvFields && !providerAuth) return null;
-	const { resolveCredentials } = await Promise.resolve().then(() => require("../credential/resolver.cjs"));
-	const result = await resolveCredentials({
-		mount,
-		schema,
-		authContext,
-		credentialStore,
-		providerAuth,
-		forceCollect: opts?.forceCollect
-	});
-	if (!result) {
-		const fieldNames = Object.keys(schema.properties ?? {});
-		const known = /* @__PURE__ */ new Set();
-		if (mount.auth !== void 0) known.add("auth");
-		if (mount.token !== void 0) known.add("token");
-		if (mount.options) for (const k of Object.keys(mount.options)) known.add(k);
-		const missing = fieldNames.filter((f) => !known.has(f));
-		const fieldList = missing.length > 0 ? missing.join(", ") : fieldNames.join(", ");
-		throw new Error(`Missing credentials: ${fieldList}. Retry with them as args, e.g. { "uri": "${mount.uri}", "path": "${mount.path}", ${missing.map((f) => `"${f}": "..."`).join(", ")} }`);
-	}
-	if (Object.keys(result.values).length > 0) {
-		if (result.values.token !== void 0 && mount.token === void 0) mount.token = String(result.values.token);
-		if (result.values.auth !== void 0 && mount.auth === void 0) mount.auth = String(result.values.auth);
-		const opts$1 = mount.options ?? {};
-		for (const [key, value] of Object.entries(result.values)) if (key !== "token" && key !== "auth" && opts$1[key] === void 0) opts$1[key] = value;
-		if (Object.keys(opts$1).length > 0) mount.options = opts$1;
-	}
-	rebuildURIFromTemplate(mount, info?.manifest);
-	return result.collected ? result : null;
-}
-/**
-* Persist credential resolution result (sensitive → credentials.toml, non-sensitive → config).
-*/
-async function persistCredentialResult(mount, result) {
-	if (Object.keys(result.sensitive).length > 0) try {
-		const { createCredentialStore } = await Promise.resolve().then(() => require("../credential/store.cjs"));
-		await createCredentialStore().set(mount.uri, result.sensitive);
-	} catch (err) {
-		const msg = err instanceof Error ? err.message : String(err);
-		console.warn(`[mount] credential persistence failed: ${msg}`);
-	}
-}
-/**
-* Load stored credentials and merge into mount options during startup.
-*
-* Credentials are keyed by URI (the resource identity), not mount path.
-*/
-async function mergeStoredCredentials(mounts, _mountSources, store) {
-	for (const mount of mounts) try {
-		const stored = await store.get(mount.uri);
-		if (stored) {
-			const opts = mount.options ?? {};
-			for (const [key, value] of Object.entries(stored)) if (key.startsWith("env:")) {
-				if (!opts.env) opts.env = {};
-				opts.env[key.slice(4)] = value;
-			} else if (opts[key] === void 0) opts[key] = value;
-			if (Object.keys(opts).length > 0) mount.options = opts;
-		}
-	} catch {}
-}
-/**
-* Resolve and persist credentials for a mount configuration.
-*
-* Used by `mount add` CLI command to trigger credential collection
-* at add-time rather than deferring to AFS creation.
-*
-* - Gets provider schema via registry
-* - Runs 4-step credential resolution
-* - Persists sensitive values to credentials.toml
-* - Returns non-sensitive values for caller to update config
-*
-* Returns null if no schema found or no credentials needed.
-* Throws if user cancels collection when credentials are required.
-*/
-async function resolveCredentialsForMount(options) {
-	const { uri, mountPath, authContext, credentialStore, extraOptions, sensitiveArgs } = options;
-	const { cleanUri: configUri, envRecord } = extractEnvFromURI(uri);
-	const hasExtractedEnv = Object.keys(envRecord).length > 0;
-	const info = await (options.registry ?? new _aigne_afs.ProviderRegistry()).getProviderInfo(uri);
-	let schema = info?.schema ?? null;
-	const providerAuth = info?.auth;
-	if (!schema && extraOptions && Object.keys(extraOptions).length > 0) {
-		const { buildAdHocSchema } = await import("@aigne/afs/utils/schema");
-		schema = buildAdHocSchema(extraOptions, sensitiveArgs ?? []);
-	}
-	const envOnlyResult = () => {
-		if (!hasExtractedEnv) return null;
-		return {
-			collected: false,
-			nonSensitive: {},
-			allValues: {},
-			persistCredentials: async () => {
-				const toStore = {};
-				for (const [key, val] of Object.entries(envRecord)) toStore[`env:${key}`] = val;
-				if (credentialStore) try {
-					await credentialStore.set(configUri, toStore);
-				} catch (err) {
-					const msg = err instanceof Error ? err.message : String(err);
-					console.warn(`[mount add] credential persistence failed: ${msg}`);
-				}
-			},
-			sensitiveFields: [],
-			configUri
-		};
-	};
-	if (!schema) return envOnlyResult();
-	const properties = schema.properties;
-	if (!properties || Object.keys(properties).length === 0) return envOnlyResult();
-	if (sensitiveArgs && sensitiveArgs.length > 0) {
-		const mergedProps = { ...properties };
-		let changed = false;
-		for (const field of sensitiveArgs) if (mergedProps[field]) {
-			mergedProps[field] = {
-				...mergedProps[field],
-				sensitive: true
-			};
-			changed = true;
-		} else if (extraOptions?.[field] !== void 0) {
-			const value = extraOptions[field];
-			mergedProps[field] = {
-				type: typeof value === "number" ? "number" : typeof value === "boolean" ? "boolean" : "string",
-				sensitive: true
-			};
-			changed = true;
-		}
-		if (changed) schema = {
-			...schema,
-			properties: mergedProps
-		};
-	}
-	const { getSensitiveFields } = await import("@aigne/afs/utils/schema");
-	const sensitiveFieldsInSchema = getSensitiveFields(schema);
-	const schemaProps = schema.properties;
-	const hasEnvFields = Object.values(schemaProps).some((p) => Array.isArray(p?.env));
-	if (sensitiveFieldsInSchema.length === 0 && !hasEnvFields && !extraOptions) return envOnlyResult();
-	const mount = {
-		uri,
-		path: mountPath
-	};
-	if (extraOptions && Object.keys(extraOptions).length > 0) mount.options = {
-		...mount.options ?? {},
-		...extraOptions
-	};
-	mergeTemplateVarsIntoMount(mount, info?.manifest);
-	const { resolveCredentials } = await Promise.resolve().then(() => require("../credential/resolver.cjs"));
-	const result = await resolveCredentials({
-		mount,
-		schema,
-		authContext,
-		credentialStore,
-		providerAuth,
-		forceCollect: options.forceCollect
-	});
-	if (!result) {
-		const fieldNames = Object.keys(properties);
-		throw new Error(`Missing credentials: ${fieldNames.join(", ")}. Retry with them as args, e.g. { "uri": "${uri}", "path": "${mountPath}", ${fieldNames.map((f) => `"${f}": "..."`).join(", ")} }`);
-	}
-	const sensitiveFieldSet = new Set(sensitiveFieldsInSchema);
-	const flatSensitive = {};
-	for (const field of sensitiveFieldsInSchema) {
-		const val = result.values[field];
-		if (val === void 0) continue;
-		if (field === "env" && typeof val === "object" && val !== null) for (const [envKey, envVal] of Object.entries(val)) flatSensitive[`env:${envKey}`] = String(envVal);
-		else flatSensitive[field] = String(val);
+	{
+		const dataDir = (0, node_path.join)(process.env[require_loader.AFS_USER_CONFIG_DIR_ENV] ?? (0, node_path.join)((0, node_os.homedir)(), require_loader.CONFIG_DIR_NAME), "data");
+		try {
+			await (0, node_fs_promises.mkdir)(dataDir, { recursive: true });
+			const dataProvider = await registry.createProvider({
+				uri: `fs://${dataDir}`,
+				path: "/.data",
+				access_mode: "readwrite"
+			});
+			await afs.mount(dataProvider, "/.data");
+		} catch {}
 	}
-	const nonSensitive = result.collected ? result.nonSensitive : extraOptions ? Object.fromEntries(Object.entries(extraOptions).filter(([k]) => !sensitiveFieldSet.has(k))) : {};
-	const persistCredentials = async () => {
-		const toStore = { ...flatSensitive };
-		for (const [key, val] of Object.entries(envRecord)) toStore[`env:${key}`] = val;
-		if (Object.keys(toStore).length > 0 && credentialStore) try {
-			await credentialStore.set(configUri, toStore);
-		} catch (err) {
-			const msg = err instanceof Error ? err.message : String(err);
-			console.warn(`[mount add] credential persistence failed: ${msg}`);
-		}
-	};
 	return {
-		collected: result.collected,
-		nonSensitive,
-		allValues: result.values,
-		persistCredentials,
-		sensitiveFields: sensitiveFieldsInSchema,
-		configUri: hasExtractedEnv ? configUri : void 0
+		afs,
+		failures,
+		configMountPaths: succeeded,
+		registry
 	};
 }
 /**
@@ -565,8 +314,8 @@ async function verifyMount(uri, mountPath, options) {
 		const msg = err instanceof Error ? err.message : String(err);
 		throw new Error(`Mount verification failed: could not reach provider at ${uri}. Error: ${msg}. Check your URI and credentials.`);
 	} finally {
-		if (typeof provider.close === "function") try {
-			await provider.close();
+		try {
+			await provider.close?.();
 		} catch {}
 	}
 }
@@ -574,5 +323,5 @@ async function verifyMount(uri, mountPath, options) {
 //#endregion
 exports.createAFS = createAFS;
 exports.loadAFS = loadAFS;
-exports.resolveCredentialsForMount = resolveCredentialsForMount;
+exports.resolveCredentialsForMount = require_credential_helpers.resolveCredentialsForMount;
 exports.verifyMount = verifyMount;

package/dist/config/afs-loader.d.cts.map

@@ -1 +1 @@
-{"version":3,"file":"afs-loader.d.cts","names":[],"sources":["../../src/config/afs-loader.ts"],"mappings":";;;;UA0DiB,kBAAA;EACf,KAAA;EACA,SAAA;EACA,MAAA;AAAA;AAAA,UAae,gBAAA;EACf,UAAA,IAAc,KAAA,EAAO,kBAAA;;EAErB,WAAA,GAAc,WAAA;;EAEd,eAAA,GAAkB,eAAA;AAAA"}
+{"version":3,"file":"afs-loader.d.cts","names":[],"sources":["../../src/config/afs-loader.ts"],"mappings":";;;;UA8EiB,kBAAA;EACf,KAAA;EACA,SAAA;EACA,MAAA;AAAA;AAAA,UAiBe,gBAAA;EACf,UAAA,IAAc,KAAA,EAAO,kBAAA;;EAErB,WAAA,GAAc,WAAA;;EAEd,eAAA,GAAkB,eAAA;AAAA"}

package/dist/config/afs-loader.d.mts

@@ -1,5 +1,6 @@
 import { CredentialStore } from "../credential/store.mjs";
-import { AFS, AuthContext, ProviderRegistry } from "@aigne/afs";
+import "./credential-helpers.mjs";
+import { AFS, AuthContext } from "@aigne/afs";
 
 //#region src/config/afs-loader.d.ts
 interface MountProgressEvent {

package/dist/config/afs-loader.d.mts.map

@@ -1 +1 @@
-{"version":3,"file":"afs-loader.d.mts","names":[],"sources":["../../src/config/afs-loader.ts"],"mappings":";;;;UA0DiB,kBAAA;EACf,KAAA;EACA,SAAA;EACA,MAAA;AAAA;AAAA,UAae,gBAAA;EACf,UAAA,IAAc,KAAA,EAAO,kBAAA;;EAErB,WAAA,GAAc,WAAA;;EAEd,eAAA,GAAkB,eAAA;AAAA"}
+{"version":3,"file":"afs-loader.d.mts","names":[],"sources":["../../src/config/afs-loader.ts"],"mappings":";;;;;UA8EiB,kBAAA;EACf,KAAA;EACA,SAAA;EACA,MAAA;AAAA;AAAA,UAiBe,gBAAA;EACf,UAAA,IAAc,KAAA,EAAO,kBAAA;;EAErB,WAAA,GAAc,WAAA;;EAEd,eAAA,GAAkB,eAAA;AAAA"}