@ait-co/console-cli 0.1.36 → 0.1.38

package/dist/cli.mjs

@@ -5851,28 +5851,6 @@ const appCommand = defineCommand({
 //#endregion
 //#region src/auth/backend.ts
 const CREDENTIAL_SERVICE = "aitcc.credentials";
-var CredentialBackendUnsupportedError = class extends Error {
-	platform;
-	hint;
-	constructor(platform, hint) {
-		super(`No supported credential backend for platform "${platform}". ${hint}`);
-		this.platform = platform;
-		this.hint = hint;
-		this.name = "CredentialBackendUnsupportedError";
-	}
-};
-var CredentialBackendCommandError = class extends Error {
-	command;
-	exitCode;
-	redactedStderr;
-	constructor(command, exitCode, redactedStderr) {
-		super(`Credential backend command "${command}" failed (exit=${exitCode ?? "null"}): ${redactedStderr}`);
-		this.command = command;
-		this.exitCode = exitCode;
-		this.redactedStderr = redactedStderr;
-		this.name = "CredentialBackendCommandError";
-	}
-};
 async function runCommand(command, opts) {
 	return new Promise((resolve, reject) => {
 		const child = spawn(command, [...opts.args], { stdio: [
@@ -5906,289 +5884,142 @@ function isCommandNotFound(err) {
 function stripTrailingNewline$1(s) {
 	return s.replace(/\r?\n$/, "");
 }
-function redactStderr(stderr) {
-	const trimmed = stderr.trim();
-	if (trimmed.length === 0) return "<no stderr>";
-	if (trimmed.length > 200) return `${trimmed.slice(0, 200)}… <truncated>`;
-	return trimmed;
-}
-//#endregion
-//#region src/auth/backends/linux.ts
-const MISSING_HINT_FULL$1 = "libsecret tools are missing. Install `libsecret-tools` (Debian/Ubuntu) or the equivalent and ensure a Secret Service provider (gnome-keyring / KWallet) is running.";
-const MISSING_HINT_SHORT$1 = "libsecret tools are missing. Install `libsecret-tools` and ensure a Secret Service provider is running.";
-const LINUX_BACKEND = {
-	name: "libsecret",
-	async get(account) {
-		let result;
-		try {
-			result = await runCommand("secret-tool", { args: [
-				"lookup",
-				"service",
-				CREDENTIAL_SERVICE,
-				"account",
-				account
-			] });
-		} catch (err) {
-			if (isCommandNotFound(err)) throw new CredentialBackendUnsupportedError("linux", MISSING_HINT_FULL$1);
-			throw err;
-		}
-		if (result.exitCode !== 0) {
-			if (result.stdout.length === 0) return null;
-			throw new CredentialBackendCommandError("secret-tool lookup", result.exitCode, redactStderr(result.stderr));
-		}
-		if (result.stdout.length === 0) return null;
-		const password = stripTrailingNewline$1(result.stdout);
-		return password.length > 0 ? password : null;
-	},
-	async set(account, password) {
-		let result;
-		try {
-			result = await runCommand("secret-tool", {
-				args: [
-					"store",
-					"--label",
-					"aitcc Toss Business credentials",
-					"service",
-					CREDENTIAL_SERVICE,
-					"account",
-					account
-				],
-				stdin: password
-			});
-		} catch (err) {
-			if (isCommandNotFound(err)) throw new CredentialBackendUnsupportedError("linux", MISSING_HINT_SHORT$1);
-			throw err;
-		}
-		if (result.exitCode !== 0) throw new CredentialBackendCommandError("secret-tool store", result.exitCode, redactStderr(result.stderr));
-	},
-	async clear(account) {
-		let result;
-		try {
-			result = await runCommand("secret-tool", { args: [
-				"clear",
-				"service",
-				CREDENTIAL_SERVICE,
-				"account",
-				account
-			] });
-		} catch (err) {
-			if (isCommandNotFound(err)) throw new CredentialBackendUnsupportedError("linux", "libsecret tools are missing.");
-			throw err;
-		}
-		if (result.exitCode !== 0) throw new CredentialBackendCommandError("secret-tool clear", result.exitCode, redactStderr(result.stderr));
-		return { existed: true };
-	}
-};
-//#endregion
-//#region src/auth/backends/macos.ts
-const MISSING_HINT = "macOS `security` is missing from PATH.";
-const MACOS_BACKEND = {
-	name: "macos-keychain",
-	async get(account) {
-		let result;
-		try {
-			result = await runCommand("security", { args: [
-				"find-generic-password",
-				"-s",
-				CREDENTIAL_SERVICE,
-				"-a",
-				account,
-				"-w"
-			] });
-		} catch (err) {
-			if (isCommandNotFound(err)) throw new CredentialBackendUnsupportedError("darwin", MISSING_HINT);
-			throw err;
-		}
-		if (result.exitCode === 44) return null;
-		if (result.exitCode !== 0) return null;
-		const password = stripTrailingNewline$1(result.stdout);
-		return password.length > 0 ? password : null;
-	},
-	async set(account, password) {
-		let result;
-		try {
-			result = await runCommand("security", { args: [
-				"add-generic-password",
-				"-U",
-				"-A",
-				"-s",
-				CREDENTIAL_SERVICE,
-				"-a",
-				account,
-				"-w",
-				password
-			] });
-		} catch (err) {
-			if (isCommandNotFound(err)) throw new CredentialBackendUnsupportedError("darwin", MISSING_HINT);
-			throw err;
-		}
-		if (result.exitCode !== 0) throw new CredentialBackendCommandError("security add-generic-password", result.exitCode, redactStderr(result.stderr));
-	},
-	async clear(account) {
-		let result;
-		try {
-			result = await runCommand("security", { args: [
-				"delete-generic-password",
-				"-s",
-				CREDENTIAL_SERVICE,
-				"-a",
-				account
-			] });
-		} catch (err) {
-			if (isCommandNotFound(err)) throw new CredentialBackendUnsupportedError("darwin", MISSING_HINT);
-			throw err;
-		}
-		if (result.exitCode === 44) return { existed: false };
-		if (result.exitCode === 0) return { existed: true };
-		throw new CredentialBackendCommandError("security delete-generic-password", result.exitCode, redactStderr(result.stderr));
-	}
-};
 //#endregion
-//#region src/auth/backends/windows.ts
-const PS_HEADER = `
-$ErrorActionPreference = 'Stop';
-Add-Type @"
-using System;
-using System.Runtime.InteropServices;
-
-public class AitccCredApi {
-    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
-    public struct CREDENTIAL {
-        public uint Flags;
-        public uint Type;
-        public IntPtr TargetName;
-        public IntPtr Comment;
-        public System.Runtime.InteropServices.ComTypes.FILETIME LastWritten;
-        public uint CredentialBlobSize;
-        public IntPtr CredentialBlob;
-        public uint Persist;
-        public uint AttributeCount;
-        public IntPtr Attributes;
-        public IntPtr TargetAlias;
-        public IntPtr UserName;
-    }
-    [DllImport("Advapi32.dll", SetLastError = true, EntryPoint = "CredWriteW", CharSet = CharSet.Unicode)]
-    public static extern bool CredWrite([In] ref CREDENTIAL Credential, [In] uint Flags);
-    [DllImport("Advapi32.dll", SetLastError = true, EntryPoint = "CredReadW", CharSet = CharSet.Unicode)]
-    public static extern bool CredRead(string target, uint type, uint reservedFlag, out IntPtr CredentialPtr);
-    [DllImport("Advapi32.dll", SetLastError = true, EntryPoint = "CredDeleteW", CharSet = CharSet.Unicode)]
-    public static extern bool CredDelete(string target, uint type, uint flags);
-    [DllImport("Advapi32.dll", SetLastError = true, EntryPoint = "CredFree")]
-    public static extern void CredFree([In] IntPtr cred);
-}
-"@
-`;
-const MISSING_HINT_FULL = "`powershell.exe` is missing from PATH. Windows credential storage requires PowerShell.";
-const MISSING_HINT_SHORT = "`powershell.exe` is missing from PATH.";
-function targetName(account) {
-	return `${CREDENTIAL_SERVICE}/${account}`;
-}
-function powerShellArgs(script) {
-	return [
-		"-NoProfile",
-		"-NonInteractive",
-		"-Command",
-		script
-	];
+//#region src/auth/backends/file.ts
+function credentialFilePath() {
+	const override = process.env.AITCC_CREDENTIAL_FILE;
+	if (override && override.length > 0) return override;
+	return join(configDir(), "credentials.json");
 }
-function escapeSingleQuotes(s) {
-	return s.replace(/'/g, "''");
+function makeKey(account) {
+	return `${CREDENTIAL_SERVICE}:${account}`;
 }
-async function runPowerShell(script) {
+async function readStore(filePath) {
+	let raw;
 	try {
-		return await runCommand("powershell.exe", { args: powerShellArgs(script) });
+		raw = await readFile(filePath, "utf8");
 	} catch (err) {
-		if (isCommandNotFound(err)) throw new CredentialBackendUnsupportedError("win32", MISSING_HINT_FULL);
+		if (err.code === "ENOENT") return null;
 		throw err;
 	}
+	try {
+		const mode = (await stat(filePath)).mode & 511;
+		if (mode !== 384) process.stderr.write(`Warning: credential file ${filePath} has permissions ${mode.toString(8)} — expected 0600.\n  Run: chmod 600 ${filePath}\n`);
+	} catch {}
+	try {
+		return JSON.parse(raw);
+	} catch {
+		return null;
+	}
 }
-const WINDOWS_BACKEND = {
-	name: "windows-credential-manager",
+async function writeStore(filePath, store) {
+	await mkdir(dirname(filePath), {
+		recursive: true,
+		mode: 448
+	});
+	await writeFile(filePath, JSON.stringify(store, null, 2), { mode: 384 });
+	try {
+		await chmod(filePath, 384);
+	} catch {}
+}
+const FILE_BACKEND = {
+	name: "file",
 	async get(account) {
-		const result = await runPowerShell(`
-${PS_HEADER}
-$target = '${escapeSingleQuotes(targetName(account))}';
-$ptr = [IntPtr]::Zero;
-$ok = [AitccCredApi]::CredRead($target, 1, 0, [ref]$ptr);
-if (-not $ok) { exit 0; }
-$cred = [Runtime.InteropServices.Marshal]::PtrToStructure($ptr, [Type][AitccCredApi+CREDENTIAL]);
-$blob = New-Object byte[] $cred.CredentialBlobSize;
-[Runtime.InteropServices.Marshal]::Copy($cred.CredentialBlob, $blob, 0, $cred.CredentialBlobSize);
-$pw = [System.Text.Encoding]::Unicode.GetString($blob);
-[AitccCredApi]::CredFree($ptr);
-[Console]::Out.Write($pw);
-`);
-		if (result.exitCode !== 0) throw new CredentialBackendCommandError("powershell CredRead", result.exitCode, redactStderr(result.stderr));
-		return result.stdout.length > 0 ? result.stdout : null;
+		const store = await readStore(credentialFilePath());
+		if (store === null) return null;
+		const value = store[makeKey(account)];
+		return typeof value === "string" && value.length > 0 ? value : null;
 	},
 	async set(account, password) {
-		const target = targetName(account);
-		const passwordHex = Buffer.from(password, "utf8").toString("hex");
-		const script = `
-${PS_HEADER}
-$target = '${escapeSingleQuotes(target)}';
-$user = '${escapeSingleQuotes(account)}';
-$pwHex = '${passwordHex}';
-$pwBytes = New-Object byte[] ($pwHex.Length / 2);
-for ($i = 0; $i -lt $pwBytes.Length; $i++) {
-  $pwBytes[$i] = [Convert]::ToByte($pwHex.Substring($i * 2, 2), 16);
-}
-$pwUtf16 = [System.Text.Encoding]::Unicode.GetBytes([System.Text.Encoding]::UTF8.GetString($pwBytes));
-$cred = New-Object AitccCredApi+CREDENTIAL;
-$cred.Type = 1;
-$cred.TargetName = [Runtime.InteropServices.Marshal]::StringToHGlobalUni($target);
-$cred.CredentialBlobSize = [uint32]$pwUtf16.Length;
-$cred.CredentialBlob = [Runtime.InteropServices.Marshal]::AllocHGlobal($pwUtf16.Length);
-[Runtime.InteropServices.Marshal]::Copy($pwUtf16, 0, $cred.CredentialBlob, $pwUtf16.Length);
-$cred.Persist = 2;
-$cred.UserName = [Runtime.InteropServices.Marshal]::StringToHGlobalUni($user);
-try {
-  $ok = [AitccCredApi]::CredWrite([ref]$cred, 0);
-  if (-not $ok) { Write-Error 'CredWrite failed'; exit 1; }
-} finally {
-  [Runtime.InteropServices.Marshal]::FreeHGlobal($cred.TargetName);
-  [Runtime.InteropServices.Marshal]::FreeHGlobal($cred.UserName);
-  [Runtime.InteropServices.Marshal]::FreeHGlobal($cred.CredentialBlob);
-}
-`;
-		let result;
-		try {
-			result = await runPowerShell(script);
-		} catch (err) {
-			if (err instanceof CredentialBackendUnsupportedError) throw new CredentialBackendUnsupportedError("win32", MISSING_HINT_SHORT);
-			throw err;
-		}
-		if (result.exitCode !== 0) throw new CredentialBackendCommandError("powershell CredWrite", result.exitCode, redactStderr(result.stderr));
+		const filePath = credentialFilePath();
+		const store = await readStore(filePath) ?? {};
+		store[makeKey(account)] = password;
+		await writeStore(filePath, store);
 	},
 	async clear(account) {
-		const script = `
-${PS_HEADER}
-$target = '${escapeSingleQuotes(targetName(account))}';
-$ok = [AitccCredApi]::CredDelete($target, 1, 0);
-if ($ok) { [Console]::Out.Write('deleted'); } else { [Console]::Out.Write('absent'); }
-`;
-		let result;
-		try {
-			result = await runPowerShell(script);
+		const filePath = credentialFilePath();
+		const store = await readStore(filePath);
+		if (store === null) return { existed: false };
+		const key = makeKey(account);
+		if (!(key in store)) return { existed: false };
+		delete store[key];
+		if (Object.keys(store).length === 0) try {
+			await unlink(filePath);
 		} catch (err) {
-			if (err instanceof CredentialBackendUnsupportedError) throw new CredentialBackendUnsupportedError("win32", MISSING_HINT_SHORT);
-			throw err;
+			if (err.code !== "ENOENT") throw err;
 		}
-		if (result.exitCode !== 0) throw new CredentialBackendCommandError("powershell CredDelete", result.exitCode, redactStderr(result.stderr));
-		return { existed: result.stdout.includes("deleted") };
+		else await writeStore(filePath, store);
+		return { existed: true };
 	}
 };
 //#endregion
+//#region src/auth/keychain-migration.ts
+/**
+* Attempt a one-time migration of a macOS Keychain credential entry to the
+* file backend. Silent on failure — the caller is expected to fall through
+* to "no credentials found" if migration is not possible.
+*
+* @param email  The email (= keychain account) to look up.
+*/
+async function migrateKeychainToFileIfNeeded(email) {
+	if (process.platform !== "darwin") return {
+		migrated: false,
+		reason: "non-darwin platform — skipping"
+	};
+	let result;
+	try {
+		result = await runCommand("security", { args: [
+			"find-generic-password",
+			"-s",
+			CREDENTIAL_SERVICE,
+			"-a",
+			email,
+			"-w"
+		] });
+	} catch (err) {
+		if (isCommandNotFound(err)) return {
+			migrated: false,
+			reason: "`security` not found"
+		};
+		return {
+			migrated: false,
+			reason: err.message
+		};
+	}
+	if (result.exitCode !== 0) return {
+		migrated: false,
+		reason: `security exited ${result.exitCode ?? "null"}`
+	};
+	const password = stripTrailingNewline$1(result.stdout);
+	if (password.length === 0) return {
+		migrated: false,
+		reason: "empty password in keychain entry"
+	};
+	try {
+		await FILE_BACKEND.set(email, password);
+	} catch (err) {
+		return {
+			migrated: false,
+			reason: `file write failed: ${err.message}`
+		};
+	}
+	try {
+		await runCommand("security", { args: [
+			"delete-generic-password",
+			"-s",
+			CREDENTIAL_SERVICE,
+			"-a",
+			email
+		] });
+	} catch {}
+	process.stderr.write(`기존 keychain 자격증명을 ~/.config/aitcc/credentials.json으로 이전했습니다.\n`);
+	return { migrated: true };
+}
+//#endregion
 //#region src/auth/credentials.ts
 function resolveBackend(opts = {}) {
 	if (opts.override) return opts.override;
-	const platform = opts.platform ?? process.platform;
-	switch (platform) {
-		case "darwin": return MACOS_BACKEND;
-		case "linux": return LINUX_BACKEND;
-		case "win32": return WINDOWS_BACKEND;
-		default: throw new CredentialBackendUnsupportedError(platform, "Only macOS, Linux (libsecret), and Windows are supported.");
-	}
+	return FILE_BACKEND;
 }
 async function readAuthState() {
 	let raw;
@@ -6233,15 +6064,13 @@ async function clearAuthState() {
 /**
 * Resolve credentials from the highest-priority source available:
 *   1. `AITCC_EMAIL` + `AITCC_PASSWORD` env vars (CI single-shot use).
-*   2. OS keychain entry whose email is recorded in `auth-state.json`.
+*   2. File backend (`~/.config/aitcc/credentials.json`) — the only
+*      persistent store; email pointer lives in `auth-state.json`.
 *
 * Returns `null` when no source is configured. The discriminated `kind`
 * lets callers (e.g. the login flow) tell why a credential was found
 * without having to peek at process env themselves — useful for
 * "auto-login from CI" diagnostics.
-*
-* A future `'file'` source (~/.config/aitcc/credentials.json) is left as a
-* follow-up; once added, it slots between (1) and (2).
 */
 async function loadCredentials(opts = {}) {
 	const env = opts.env ?? process.env;
@@ -6254,19 +6083,24 @@ async function loadCredentials(opts = {}) {
 	};
 	const state = await readAuthState();
 	if (!state) return null;
-	const password = await resolveBackend(opts).get(state.activeEmail);
+	const backend = resolveBackend(opts);
+	let password = await backend.get(state.activeEmail);
+	if (password === null) {
+		await migrateKeychainToFileIfNeeded(state.activeEmail).catch(() => null);
+		password = await backend.get(state.activeEmail);
+	}
 	if (password === null) return null;
 	return {
-		kind: "keychain",
+		kind: "file",
 		email: state.activeEmail,
 		password
 	};
 }
 /**
-* Persist credentials to the OS keychain and update the active-email
-* pointer. Returns `'unchanged'` (no keychain write) when the same email
-* + password is already stored — avoids triggering OS keychain prompts on
-* every call when the user re-runs `auth set` with the same input.
+* Persist credentials to the file backend and update the active-email
+* pointer. Returns `'unchanged'` (no file write) when the same email
+* + password is already stored — avoids unnecessary disk writes on every
+* call when the user re-runs `login` with the same input.
 */
 async function saveCredentials(email, password, opts = {}) {
 	if (!email) throw new Error("email is required");
@@ -6289,15 +6123,13 @@ async function saveCredentials(email, password, opts = {}) {
 	return { status };
 }
 /**
-* Read just the active-email pointer without touching the OS keychain.
-* Useful for surfaces like `auth status --json` that want to report
-* whether credentials are configured without triggering a Touch ID /
-* libsecret prompt for the password.
+* Read just the active-email pointer without loading the password from disk.
+* Useful for surfaces like `whoami` that want to report whether credentials
+* are configured without performing a full credential read.
 *
 * Returns the email and where it was found (`'env'` when
-* `AITCC_EMAIL` + `AITCC_PASSWORD` are present, `'keychain'` when the
-* `auth-state.json` pointer exists), or `null` when nothing is
-* configured.
+* `AITCC_EMAIL` + `AITCC_PASSWORD` are present, `'file'` when the
+* `auth-state.json` pointer exists), or `null` when nothing is configured.
 */
 async function getActiveCredentialEmail(opts = {}) {
 	const env = opts.env ?? process.env;
@@ -6308,22 +6140,18 @@ async function getActiveCredentialEmail(opts = {}) {
 	const state = await readAuthState();
 	if (!state) return null;
 	return {
-		kind: "keychain",
+		kind: "file",
 		email: state.activeEmail
 	};
 }
 /**
-* Remove the keychain entry and the auth-state pointer. Returns
+* Remove the file credential entry and the auth-state pointer. Returns
 * `existed: true` if either side previously held data.
 */
 async function deleteCredentials(opts = {}) {
 	const state = await readAuthState();
 	let backendExisted = false;
-	if (state) try {
-		backendExisted = (await resolveBackend(opts).clear(state.activeEmail)).existed;
-	} catch (err) {
-		if (err instanceof CredentialBackendUnsupportedError) {} else throw err;
-	}
+	if (state) backendExisted = (await resolveBackend(opts).clear(state.activeEmail)).existed;
 	const stateResult = await clearAuthState();
 	return { existed: backendExisted || stateResult.existed };
 }
@@ -6611,7 +6439,7 @@ async function runAuthSet(args, deps = {}) {
 		const message = err.message;
 		if (args.json) emitJson({
 			ok: false,
-			reason: "keychain-error",
+			reason: "save-error",
 			message
 		});
 		else process.stderr.write(`Failed to save credentials: ${message}\n`);
@@ -6623,7 +6451,7 @@ async function runAuthSet(args, deps = {}) {
 		email
 	});
 	else if (result.status === "unchanged") process.stdout.write("Credentials already saved (no change).\n");
-	else process.stdout.write(`Credentials saved for ${email} (keychain).\n`);
+	else process.stdout.write(`Credentials saved for ${email}.\n`);
 	return exitAfterFlush(ExitCode.Ok);
 }
 async function runAuthClear(args, deps = {}) {
@@ -6670,7 +6498,7 @@ async function runAuthClear(args, deps = {}) {
 		const message = err.message;
 		if (args.json) emitJson({
 			ok: false,
-			reason: "keychain-error",
+			reason: "clear-error",
 			message
 		});
 		else process.stderr.write(`Failed to clear credentials: ${message}\n`);
@@ -6706,7 +6534,7 @@ async function runAuthStatus(args, deps = {}) {
 		return exitAfterFlush(ExitCode.Ok);
 	}
 	if (active) {
-		const sourceLabel = active.kind === "env" ? "environment (AITCC_EMAIL/PASSWORD)" : "keychain";
+		const sourceLabel = active.kind === "env" ? "environment (AITCC_EMAIL/PASSWORD)" : "file";
 		process.stdout.write(`Email: ${active.email}\n`);
 		process.stdout.write(`Source: ${sourceLabel}\n`);
 	} else process.stdout.write("Email: (not configured)\n");
@@ -8094,10 +7922,10 @@ const defaultPromptDeps = {
 	}),
 	saveTarget: () => select({
 		message: "Where would you like to save the credentials?",
-		default: "keychain",
+		default: "file",
 		choices: [{
-			name: "OS keychain (recommended) — next login runs headlessly",
-			value: "keychain"
+			name: "File (~/.config/aitcc/credentials.json, perm 0600) — next login runs headlessly",
+			value: "file"
 		}, {
 			name: "Do not save — one-shot. (Tip: AITCC_EMAIL/AITCC_PASSWORD env for CI.)",
 			value: "none"
@@ -8140,7 +7968,7 @@ const loginCommand = defineCommand({
 		},
 		save: {
 			type: "string",
-			description: "Where to persist credentials when --email/--password* are passed: \"keychain\" or \"none\" (default)."
+			description: "Where to persist credentials when --email/--password* are passed: \"file\" or \"none\" (default). Credentials are stored in ~/.config/aitcc/credentials.json (perm 0600)."
 		},
 		"skip-onboarding": {
 			type: "boolean",
@@ -8159,7 +7987,7 @@ const loginCommand = defineCommand({
 			save: typeof args.save === "string" ? args.save : void 0
 		}, {
 			getCredentials: loadCredentials,
-			saveCredentials
+			saveCredentials: (email, password) => saveCredentials(email, password)
 		});
 	}
 });
@@ -8209,7 +8037,7 @@ async function runLoginCommand(args, deps) {
 		return exitAfterFlush(resolved.exitCode);
 	}
 	let saved = "skipped";
-	if (resolved.saveTarget === "keychain" && resolved.credentials !== null) {
+	if (resolved.saveTarget === "file" && resolved.credentials !== null) {
 		const save = deps.saveCredentials;
 		if (!save) {
 			emitError({
@@ -8222,13 +8050,13 @@ async function runLoginCommand(args, deps) {
 			const result = await save(resolved.credentials.email, resolved.credentials.password);
 			saved = result.status;
 			if (!args.json) if (result.status === "unchanged") process.stderr.write("Credentials already saved (no change).\n");
-			else process.stderr.write(`Credentials saved to OS keychain (${resolved.credentials.email}).\n`);
+			else process.stderr.write(`Credentials saved to ~/.config/aitcc/credentials.json (${resolved.credentials.email}).\n`);
 		} catch (err) {
 			const message = err.message;
 			emitError({
-				reason: "keychain-save-failed",
+				reason: "file-save-failed",
 				message
-			}, `Failed to save credentials to the OS keychain: ${message}\nOn Linux, install libsecret (\`secret-tool\`) and retry. Re-run with \`--save none\` to skip persistence.`);
+			}, `Failed to save credentials to file backend: ${message}\nCheck that ~/.config/aitcc/ is writable, or use AITCC_CREDENTIAL_FILE to specify a custom path.`);
 			return exitAfterFlush(ExitCode.Usage);
 		}
 	}
@@ -8289,15 +8117,16 @@ async function resolveCredentialsForLogin(args, deps, opts = {}) {
 		exitCode: ExitCode.Usage
 	};
 	let saveTarget;
-	if (args.save !== void 0) {
-		if (args.save !== "keychain" && args.save !== "none") return {
-			kind: "error",
-			reason: "invalid-save",
-			message: `--save must be "keychain" or "none" (got "${args.save}").`,
-			exitCode: ExitCode.Usage
-		};
-		saveTarget = args.save;
-	}
+	if (args.save !== void 0) if (args.save === "keychain") {
+		process.stderr.write("Warning: --save=keychain is deprecated. OS keychain support has been removed. Using --save=file instead (~/.config/aitcc/credentials.json, perm 0600).\n");
+		saveTarget = "file";
+	} else if (args.save !== "file" && args.save !== "none") return {
+		kind: "error",
+		reason: "invalid-save",
+		message: `--save must be "file" or "none" (got "${args.save}").`,
+		exitCode: ExitCode.Usage
+	};
+	else saveTarget = args.save;
 	if (args.email !== void 0 || args.password !== void 0 || args.passwordStdin) {
 		if (args.email === void 0 || args.email.trim().length === 0) return {
 			kind: "error",
@@ -8366,7 +8195,7 @@ async function resolveCredentialsForLogin(args, deps, opts = {}) {
 			return null;
 		});
 		if (fromStore) {
-			if (!args.json) process.stderr.write(`Using credentials from OS keychain for ${fromStore.email}. Pass --interactive to type a different account.
+			if (!args.json) process.stderr.write(`Using saved credentials for ${fromStore.email}. Pass --interactive to type a different account.
 `);
 			return {
 				kind: "ok",
@@ -9338,7 +9167,7 @@ function resolveVersion() {
 		if (typeof injected === "string" && injected.length > 0) return injected;
 	} catch {}
 	try {
-		return "0.1.36";
+		return "0.1.38";
 	} catch {}
 	return "0.0.0-dev";
 }
@@ -10395,7 +10224,7 @@ async function describeCredentialSource() {
 function formatCredentials(cred) {
 	if (cred.source === "none") return "none (run `aitcc login` to save)";
 	if (cred.source === "env") return `env (AITCC_EMAIL${cred.email ? ` = ${cred.email}` : ""})`;
-	return `keychain${cred.email ? ` (${cred.email})` : ""}`;
+	return `file (~/.config/aitcc/credentials.json)${cred.email ? ` (${cred.email})` : ""}`;
 }
 async function runBackgroundUpdateCheck(json) {
 	if (json) return;