@ait-co/console-cli 0.1.37 → 0.1.39

package/dist/cli.mjs

@@ -5851,28 +5851,6 @@ const appCommand = defineCommand({
 //#endregion
 //#region src/auth/backend.ts
 const CREDENTIAL_SERVICE = "aitcc.credentials";
-var CredentialBackendUnsupportedError = class extends Error {
-	platform;
-	hint;
-	constructor(platform, hint) {
-		super(`No supported credential backend for platform "${platform}". ${hint}`);
-		this.platform = platform;
-		this.hint = hint;
-		this.name = "CredentialBackendUnsupportedError";
-	}
-};
-var CredentialBackendCommandError = class extends Error {
-	command;
-	exitCode;
-	redactedStderr;
-	constructor(command, exitCode, redactedStderr) {
-		super(`Credential backend command "${command}" failed (exit=${exitCode ?? "null"}): ${redactedStderr}`);
-		this.command = command;
-		this.exitCode = exitCode;
-		this.redactedStderr = redactedStderr;
-		this.name = "CredentialBackendCommandError";
-	}
-};
 async function runCommand(command, opts) {
 	return new Promise((resolve, reject) => {
 		const child = spawn(command, [...opts.args], { stdio: [
@@ -5906,12 +5884,6 @@ function isCommandNotFound(err) {
 function stripTrailingNewline$1(s) {
 	return s.replace(/\r?\n$/, "");
 }
-function redactStderr(stderr) {
-	const trimmed = stderr.trim();
-	if (trimmed.length === 0) return "<no stderr>";
-	if (trimmed.length > 200) return `${trimmed.slice(0, 200)}… <truncated>`;
-	return trimmed;
-}
 //#endregion
 //#region src/auth/backends/file.ts
 function credentialFilePath() {
@@ -5981,283 +5953,73 @@ const FILE_BACKEND = {
 	}
 };
 //#endregion
-//#region src/auth/backends/linux.ts
-const MISSING_HINT_FULL$1 = "libsecret tools are missing. Install `libsecret-tools` (Debian/Ubuntu) or the equivalent and ensure a Secret Service provider (gnome-keyring / KWallet) is running.";
-const MISSING_HINT_SHORT$1 = "libsecret tools are missing. Install `libsecret-tools` and ensure a Secret Service provider is running.";
-const LINUX_BACKEND = {
-	name: "libsecret",
-	async get(account) {
-		let result;
-		try {
-			result = await runCommand("secret-tool", { args: [
-				"lookup",
-				"service",
-				CREDENTIAL_SERVICE,
-				"account",
-				account
-			] });
-		} catch (err) {
-			if (isCommandNotFound(err)) throw new CredentialBackendUnsupportedError("linux", MISSING_HINT_FULL$1);
-			throw err;
-		}
-		if (result.exitCode !== 0) {
-			if (result.stdout.length === 0) return null;
-			throw new CredentialBackendCommandError("secret-tool lookup", result.exitCode, redactStderr(result.stderr));
-		}
-		if (result.stdout.length === 0) return null;
-		const password = stripTrailingNewline$1(result.stdout);
-		return password.length > 0 ? password : null;
-	},
-	async set(account, password) {
-		let result;
-		try {
-			result = await runCommand("secret-tool", {
-				args: [
-					"store",
-					"--label",
-					"aitcc Toss Business credentials",
-					"service",
-					CREDENTIAL_SERVICE,
-					"account",
-					account
-				],
-				stdin: password
-			});
-		} catch (err) {
-			if (isCommandNotFound(err)) throw new CredentialBackendUnsupportedError("linux", MISSING_HINT_SHORT$1);
-			throw err;
-		}
-		if (result.exitCode !== 0) throw new CredentialBackendCommandError("secret-tool store", result.exitCode, redactStderr(result.stderr));
-	},
-	async clear(account) {
-		let result;
-		try {
-			result = await runCommand("secret-tool", { args: [
-				"clear",
-				"service",
-				CREDENTIAL_SERVICE,
-				"account",
-				account
-			] });
-		} catch (err) {
-			if (isCommandNotFound(err)) throw new CredentialBackendUnsupportedError("linux", "libsecret tools are missing.");
-			throw err;
-		}
-		if (result.exitCode !== 0) throw new CredentialBackendCommandError("secret-tool clear", result.exitCode, redactStderr(result.stderr));
-		return { existed: true };
-	}
-};
-//#endregion
-//#region src/auth/backends/macos.ts
-const MISSING_HINT = "macOS `security` is missing from PATH.";
-const MACOS_BACKEND = {
-	name: "macos-keychain",
-	async get(account) {
-		let result;
-		try {
-			result = await runCommand("security", { args: [
-				"find-generic-password",
-				"-s",
-				CREDENTIAL_SERVICE,
-				"-a",
-				account,
-				"-w"
-			] });
-		} catch (err) {
-			if (isCommandNotFound(err)) throw new CredentialBackendUnsupportedError("darwin", MISSING_HINT);
-			throw err;
-		}
-		if (result.exitCode === 44) return null;
-		if (result.exitCode !== 0) return null;
-		const password = stripTrailingNewline$1(result.stdout);
-		return password.length > 0 ? password : null;
-	},
-	async set(account, password) {
-		let result;
-		try {
-			result = await runCommand("security", { args: [
-				"add-generic-password",
-				"-U",
-				"-A",
-				"-s",
-				CREDENTIAL_SERVICE,
-				"-a",
-				account,
-				"-w",
-				password
-			] });
-		} catch (err) {
-			if (isCommandNotFound(err)) throw new CredentialBackendUnsupportedError("darwin", MISSING_HINT);
-			throw err;
-		}
-		if (result.exitCode !== 0) throw new CredentialBackendCommandError("security add-generic-password", result.exitCode, redactStderr(result.stderr));
-	},
-	async clear(account) {
-		let result;
-		try {
-			result = await runCommand("security", { args: [
-				"delete-generic-password",
-				"-s",
-				CREDENTIAL_SERVICE,
-				"-a",
-				account
-			] });
-		} catch (err) {
-			if (isCommandNotFound(err)) throw new CredentialBackendUnsupportedError("darwin", MISSING_HINT);
-			throw err;
-		}
-		if (result.exitCode === 44) return { existed: false };
-		if (result.exitCode === 0) return { existed: true };
-		throw new CredentialBackendCommandError("security delete-generic-password", result.exitCode, redactStderr(result.stderr));
+//#region src/auth/keychain-migration.ts
+/**
+* Attempt a one-time migration of a macOS Keychain credential entry to the
+* file backend. Silent on failure — the caller is expected to fall through
+* to "no credentials found" if migration is not possible.
+*
+* @param email  The email (= keychain account) to look up.
+*/
+async function migrateKeychainToFileIfNeeded(email) {
+	if (process.platform !== "darwin") return {
+		migrated: false,
+		reason: "non-darwin platform — skipping"
+	};
+	let result;
+	try {
+		result = await runCommand("security", { args: [
+			"find-generic-password",
+			"-s",
+			CREDENTIAL_SERVICE,
+			"-a",
+			email,
+			"-w"
+		] });
+	} catch (err) {
+		if (isCommandNotFound(err)) return {
+			migrated: false,
+			reason: "`security` not found"
+		};
+		return {
+			migrated: false,
+			reason: err.message
+		};
 	}
-};
-//#endregion
-//#region src/auth/backends/windows.ts
-const PS_HEADER = `
-$ErrorActionPreference = 'Stop';
-Add-Type @"
-using System;
-using System.Runtime.InteropServices;
-
-public class AitccCredApi {
-    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
-    public struct CREDENTIAL {
-        public uint Flags;
-        public uint Type;
-        public IntPtr TargetName;
-        public IntPtr Comment;
-        public System.Runtime.InteropServices.ComTypes.FILETIME LastWritten;
-        public uint CredentialBlobSize;
-        public IntPtr CredentialBlob;
-        public uint Persist;
-        public uint AttributeCount;
-        public IntPtr Attributes;
-        public IntPtr TargetAlias;
-        public IntPtr UserName;
-    }
-    [DllImport("Advapi32.dll", SetLastError = true, EntryPoint = "CredWriteW", CharSet = CharSet.Unicode)]
-    public static extern bool CredWrite([In] ref CREDENTIAL Credential, [In] uint Flags);
-    [DllImport("Advapi32.dll", SetLastError = true, EntryPoint = "CredReadW", CharSet = CharSet.Unicode)]
-    public static extern bool CredRead(string target, uint type, uint reservedFlag, out IntPtr CredentialPtr);
-    [DllImport("Advapi32.dll", SetLastError = true, EntryPoint = "CredDeleteW", CharSet = CharSet.Unicode)]
-    public static extern bool CredDelete(string target, uint type, uint flags);
-    [DllImport("Advapi32.dll", SetLastError = true, EntryPoint = "CredFree")]
-    public static extern void CredFree([In] IntPtr cred);
-}
-"@
-`;
-const MISSING_HINT_FULL = "`powershell.exe` is missing from PATH. Windows credential storage requires PowerShell.";
-const MISSING_HINT_SHORT = "`powershell.exe` is missing from PATH.";
-function targetName(account) {
-	return `${CREDENTIAL_SERVICE}/${account}`;
-}
-function powerShellArgs(script) {
-	return [
-		"-NoProfile",
-		"-NonInteractive",
-		"-Command",
-		script
-	];
-}
-function escapeSingleQuotes(s) {
-	return s.replace(/'/g, "''");
-}
-async function runPowerShell(script) {
+	if (result.exitCode !== 0) return {
+		migrated: false,
+		reason: `security exited ${result.exitCode ?? "null"}`
+	};
+	const password = stripTrailingNewline$1(result.stdout);
+	if (password.length === 0) return {
+		migrated: false,
+		reason: "empty password in keychain entry"
+	};
 	try {
-		return await runCommand("powershell.exe", { args: powerShellArgs(script) });
+		await FILE_BACKEND.set(email, password);
 	} catch (err) {
-		if (isCommandNotFound(err)) throw new CredentialBackendUnsupportedError("win32", MISSING_HINT_FULL);
-		throw err;
+		return {
+			migrated: false,
+			reason: `file write failed: ${err.message}`
+		};
 	}
+	try {
+		await runCommand("security", { args: [
+			"delete-generic-password",
+			"-s",
+			CREDENTIAL_SERVICE,
+			"-a",
+			email
+		] });
+	} catch {}
+	process.stderr.write(`기존 keychain 자격증명을 ~/.config/aitcc/credentials.json으로 이전했습니다.\n`);
+	return { migrated: true };
 }
-const WINDOWS_BACKEND = {
-	name: "windows-credential-manager",
-	async get(account) {
-		const result = await runPowerShell(`
-${PS_HEADER}
-$target = '${escapeSingleQuotes(targetName(account))}';
-$ptr = [IntPtr]::Zero;
-$ok = [AitccCredApi]::CredRead($target, 1, 0, [ref]$ptr);
-if (-not $ok) { exit 0; }
-$cred = [Runtime.InteropServices.Marshal]::PtrToStructure($ptr, [Type][AitccCredApi+CREDENTIAL]);
-$blob = New-Object byte[] $cred.CredentialBlobSize;
-[Runtime.InteropServices.Marshal]::Copy($cred.CredentialBlob, $blob, 0, $cred.CredentialBlobSize);
-$pw = [System.Text.Encoding]::Unicode.GetString($blob);
-[AitccCredApi]::CredFree($ptr);
-[Console]::Out.Write($pw);
-`);
-		if (result.exitCode !== 0) throw new CredentialBackendCommandError("powershell CredRead", result.exitCode, redactStderr(result.stderr));
-		return result.stdout.length > 0 ? result.stdout : null;
-	},
-	async set(account, password) {
-		const target = targetName(account);
-		const passwordHex = Buffer.from(password, "utf8").toString("hex");
-		const script = `
-${PS_HEADER}
-$target = '${escapeSingleQuotes(target)}';
-$user = '${escapeSingleQuotes(account)}';
-$pwHex = '${passwordHex}';
-$pwBytes = New-Object byte[] ($pwHex.Length / 2);
-for ($i = 0; $i -lt $pwBytes.Length; $i++) {
-  $pwBytes[$i] = [Convert]::ToByte($pwHex.Substring($i * 2, 2), 16);
-}
-$pwUtf16 = [System.Text.Encoding]::Unicode.GetBytes([System.Text.Encoding]::UTF8.GetString($pwBytes));
-$cred = New-Object AitccCredApi+CREDENTIAL;
-$cred.Type = 1;
-$cred.TargetName = [Runtime.InteropServices.Marshal]::StringToHGlobalUni($target);
-$cred.CredentialBlobSize = [uint32]$pwUtf16.Length;
-$cred.CredentialBlob = [Runtime.InteropServices.Marshal]::AllocHGlobal($pwUtf16.Length);
-[Runtime.InteropServices.Marshal]::Copy($pwUtf16, 0, $cred.CredentialBlob, $pwUtf16.Length);
-$cred.Persist = 2;
-$cred.UserName = [Runtime.InteropServices.Marshal]::StringToHGlobalUni($user);
-try {
-  $ok = [AitccCredApi]::CredWrite([ref]$cred, 0);
-  if (-not $ok) { Write-Error 'CredWrite failed'; exit 1; }
-} finally {
-  [Runtime.InteropServices.Marshal]::FreeHGlobal($cred.TargetName);
-  [Runtime.InteropServices.Marshal]::FreeHGlobal($cred.UserName);
-  [Runtime.InteropServices.Marshal]::FreeHGlobal($cred.CredentialBlob);
-}
-`;
-		let result;
-		try {
-			result = await runPowerShell(script);
-		} catch (err) {
-			if (err instanceof CredentialBackendUnsupportedError) throw new CredentialBackendUnsupportedError("win32", MISSING_HINT_SHORT);
-			throw err;
-		}
-		if (result.exitCode !== 0) throw new CredentialBackendCommandError("powershell CredWrite", result.exitCode, redactStderr(result.stderr));
-	},
-	async clear(account) {
-		const script = `
-${PS_HEADER}
-$target = '${escapeSingleQuotes(targetName(account))}';
-$ok = [AitccCredApi]::CredDelete($target, 1, 0);
-if ($ok) { [Console]::Out.Write('deleted'); } else { [Console]::Out.Write('absent'); }
-`;
-		let result;
-		try {
-			result = await runPowerShell(script);
-		} catch (err) {
-			if (err instanceof CredentialBackendUnsupportedError) throw new CredentialBackendUnsupportedError("win32", MISSING_HINT_SHORT);
-			throw err;
-		}
-		if (result.exitCode !== 0) throw new CredentialBackendCommandError("powershell CredDelete", result.exitCode, redactStderr(result.stderr));
-		return { existed: result.stdout.includes("deleted") };
-	}
-};
 //#endregion
 //#region src/auth/credentials.ts
 function resolveBackend(opts = {}) {
 	if (opts.override) return opts.override;
-	if (opts.useFile === true || process.env.AITCC_CREDENTIAL_BACKEND === "file") return FILE_BACKEND;
-	const platform = opts.platform ?? process.platform;
-	switch (platform) {
-		case "darwin": return MACOS_BACKEND;
-		case "linux": return LINUX_BACKEND;
-		case "win32": return WINDOWS_BACKEND;
-		default: throw new CredentialBackendUnsupportedError(platform, "Only macOS, Linux (libsecret), and Windows are supported.");
-	}
+	return FILE_BACKEND;
 }
 async function readAuthState() {
 	let raw;
@@ -6302,9 +6064,8 @@ async function clearAuthState() {
 /**
 * Resolve credentials from the highest-priority source available:
 *   1. `AITCC_EMAIL` + `AITCC_PASSWORD` env vars (CI single-shot use).
-*   2. File backend (`~/.config/aitcc/credentials.json`) when
-*      `AITCC_CREDENTIAL_BACKEND=file` is set or `opts.useFile` is true.
-*   3. OS keychain entry whose email is recorded in `auth-state.json`.
+*   2. File backend (`~/.config/aitcc/credentials.json`) — the only
+*      persistent store; email pointer lives in `auth-state.json`.
 *
 * Returns `null` when no source is configured. The discriminated `kind`
 * lets callers (e.g. the login flow) tell why a credential was found
@@ -6323,19 +6084,23 @@ async function loadCredentials(opts = {}) {
 	const state = await readAuthState();
 	if (!state) return null;
 	const backend = resolveBackend(opts);
-	const password = await backend.get(state.activeEmail);
+	let password = await backend.get(state.activeEmail);
+	if (password === null) {
+		await migrateKeychainToFileIfNeeded(state.activeEmail).catch(() => null);
+		password = await backend.get(state.activeEmail);
+	}
 	if (password === null) return null;
 	return {
-		kind: backend.name === "file" ? "file" : "keychain",
+		kind: "file",
 		email: state.activeEmail,
 		password
 	};
 }
 /**
-* Persist credentials to the OS keychain and update the active-email
-* pointer. Returns `'unchanged'` (no keychain write) when the same email
-* + password is already stored — avoids triggering OS keychain prompts on
-* every call when the user re-runs `auth set` with the same input.
+* Persist credentials to the file backend and update the active-email
+* pointer. Returns `'unchanged'` (no file write) when the same email
+* + password is already stored — avoids unnecessary disk writes on every
+* call when the user re-runs `login` with the same input.
 */
 async function saveCredentials(email, password, opts = {}) {
 	if (!email) throw new Error("email is required");
@@ -6358,15 +6123,13 @@ async function saveCredentials(email, password, opts = {}) {
 	return { status };
 }
 /**
-* Read just the active-email pointer without touching the OS keychain.
-* Useful for surfaces like `auth status --json` that want to report
-* whether credentials are configured without triggering a Touch ID /
-* libsecret prompt for the password.
+* Read just the active-email pointer without loading the password from disk.
+* Useful for surfaces like `whoami` that want to report whether credentials
+* are configured without performing a full credential read.
 *
 * Returns the email and where it was found (`'env'` when
-* `AITCC_EMAIL` + `AITCC_PASSWORD` are present, `'keychain'` when the
-* `auth-state.json` pointer exists), or `null` when nothing is
-* configured.
+* `AITCC_EMAIL` + `AITCC_PASSWORD` are present, `'file'` when the
+* `auth-state.json` pointer exists), or `null` when nothing is configured.
 */
 async function getActiveCredentialEmail(opts = {}) {
 	const env = opts.env ?? process.env;
@@ -6377,22 +6140,18 @@ async function getActiveCredentialEmail(opts = {}) {
 	const state = await readAuthState();
 	if (!state) return null;
 	return {
-		kind: env.AITCC_CREDENTIAL_BACKEND === "file" ? "file" : "keychain",
+		kind: "file",
 		email: state.activeEmail
 	};
 }
 /**
-* Remove the keychain entry and the auth-state pointer. Returns
+* Remove the file credential entry and the auth-state pointer. Returns
 * `existed: true` if either side previously held data.
 */
 async function deleteCredentials(opts = {}) {
 	const state = await readAuthState();
 	let backendExisted = false;
-	if (state) try {
-		backendExisted = (await resolveBackend(opts).clear(state.activeEmail)).existed;
-	} catch (err) {
-		if (err instanceof CredentialBackendUnsupportedError) {} else throw err;
-	}
+	if (state) backendExisted = (await resolveBackend(opts).clear(state.activeEmail)).existed;
 	const stateResult = await clearAuthState();
 	return { existed: backendExisted || stateResult.existed };
 }
@@ -6680,7 +6439,7 @@ async function runAuthSet(args, deps = {}) {
 		const message = err.message;
 		if (args.json) emitJson({
 			ok: false,
-			reason: "keychain-error",
+			reason: "save-error",
 			message
 		});
 		else process.stderr.write(`Failed to save credentials: ${message}\n`);
@@ -6692,7 +6451,7 @@ async function runAuthSet(args, deps = {}) {
 		email
 	});
 	else if (result.status === "unchanged") process.stdout.write("Credentials already saved (no change).\n");
-	else process.stdout.write(`Credentials saved for ${email} (keychain).\n`);
+	else process.stdout.write(`Credentials saved for ${email}.\n`);
 	return exitAfterFlush(ExitCode.Ok);
 }
 async function runAuthClear(args, deps = {}) {
@@ -6739,7 +6498,7 @@ async function runAuthClear(args, deps = {}) {
 		const message = err.message;
 		if (args.json) emitJson({
 			ok: false,
-			reason: "keychain-error",
+			reason: "clear-error",
 			message
 		});
 		else process.stderr.write(`Failed to clear credentials: ${message}\n`);
@@ -6775,7 +6534,7 @@ async function runAuthStatus(args, deps = {}) {
 		return exitAfterFlush(ExitCode.Ok);
 	}
 	if (active) {
-		const sourceLabel = active.kind === "env" ? "environment (AITCC_EMAIL/PASSWORD)" : "keychain";
+		const sourceLabel = active.kind === "env" ? "environment (AITCC_EMAIL/PASSWORD)" : "file";
 		process.stdout.write(`Email: ${active.email}\n`);
 		process.stdout.write(`Source: ${sourceLabel}\n`);
 	} else process.stdout.write("Email: (not configured)\n");
@@ -7074,8 +6833,11 @@ function readCredentials(path) {
 }
 function writeCredentials(path, map) {
 	const dir = join(path, "..");
-	if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
-	writeFileSync(path, JSON.stringify(map, null, 2) + "\n", {
+	if (!existsSync(dir)) mkdirSync(dir, {
+		recursive: true,
+		mode: 448
+	});
+	writeFileSync(path, `${JSON.stringify(map, null, 2)}\n`, {
 		encoding: "utf8",
 		mode: 384
 	});
@@ -7193,6 +6955,20 @@ function validateKeyName(raw) {
 	if (!NAME_REGEX.test(raw)) return "bad-chars";
 	return null;
 }
+/**
+* Resolve the ait profile name to save the Deploy Key under.
+*
+* - `noSaveProfile: true` → undefined (skip saving)
+* - `saveProfileOverride` present → use that name
+* - default → use `name` (the --name value)
+*
+* Exported for unit testing.
+*/
+function resolveProfileName(name, opts) {
+	if (opts.noSaveProfile) return void 0;
+	if (opts.saveProfileOverride) return opts.saveProfileOverride;
+	return name;
+}
 function parseAppsFlag(raw) {
 	const slugs = raw.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
 	if (slugs.length === 0) return {
@@ -7286,7 +7062,12 @@ const createCommand = defineCommand({
 		},
 		"save-profile": {
 			type: "string",
-			description: "After issuing, save the key as an `ait` token profile (written to `~/.ait/credentials`). The named profile can then be used with `ait deploy --profile <name>` immediately. If omitted, the key is printed to stdout once and not persisted locally."
+			description: "Profile name for the ait token (defaults to --name). The key is written to `~/.ait/credentials` so `ait deploy --profile <name>` works immediately. Use --no-save-profile to skip."
+		},
+		"no-save-profile": {
+			type: "boolean",
+			default: false,
+			description: "Do not save the issued key to an ait token profile — print to stdout only (for CI pipes that store it elsewhere)."
 		},
 		json: {
 			type: "boolean",
@@ -7337,7 +7118,10 @@ const createCommand = defineCommand({
 				name,
 				target
 			}, session.cookies);
-			const saveProfileName = args["save-profile"] ? String(args["save-profile"]) : void 0;
+			const saveProfileName = resolveProfileName(name, {
+				noSaveProfile: args["no-save-profile"],
+				...args["save-profile"] ? { saveProfileOverride: String(args["save-profile"]) } : {}
+			});
 			let savedProfile;
 			let saveProfileWarning;
 			if (saveProfileName !== void 0) {
@@ -8163,21 +7947,14 @@ const defaultPromptDeps = {
 	}),
 	saveTarget: () => select({
 		message: "Where would you like to save the credentials?",
-		default: "keychain",
-		choices: [
-			{
-				name: "OS keychain (recommended) — next login runs headlessly",
-				value: "keychain"
-			},
-			{
-				name: "File (~/.config/aitcc/credentials.json, perm 0600) — use for SSH/headless sessions",
-				value: "file"
-			},
-			{
-				name: "Do not save — one-shot. (Tip: AITCC_EMAIL/AITCC_PASSWORD env for CI.)",
-				value: "none"
-			}
-		]
+		default: "file",
+		choices: [{
+			name: "File (~/.config/aitcc/credentials.json, perm 0600) — next login runs headlessly",
+			value: "file"
+		}, {
+			name: "Do not save — one-shot. (Tip: AITCC_EMAIL/AITCC_PASSWORD env for CI.)",
+			value: "none"
+		}]
 	})
 };
 const loginCommand = defineCommand({
@@ -8216,7 +7993,7 @@ const loginCommand = defineCommand({
 		},
 		save: {
 			type: "string",
-			description: "Where to persist credentials when --email/--password* are passed: \"keychain\", \"file\", or \"none\" (default). Use \"file\" for SSH/headless sessions where the OS keychain is unavailable."
+			description: "Where to persist credentials when --email/--password* are passed: \"file\" or \"none\" (default). Credentials are stored in ~/.config/aitcc/credentials.json (perm 0600)."
 		},
 		"skip-onboarding": {
 			type: "boolean",
@@ -8235,7 +8012,7 @@ const loginCommand = defineCommand({
 			save: typeof args.save === "string" ? args.save : void 0
 		}, {
 			getCredentials: loadCredentials,
-			saveCredentials: (email, password, useFile) => saveCredentials(email, password, { useFile: useFile === true })
+			saveCredentials: (email, password) => saveCredentials(email, password)
 		});
 	}
 });
@@ -8285,8 +8062,7 @@ async function runLoginCommand(args, deps) {
 		return exitAfterFlush(resolved.exitCode);
 	}
 	let saved = "skipped";
-	if ((resolved.saveTarget === "keychain" || resolved.saveTarget === "file") && resolved.credentials !== null) {
-		const useFile = resolved.saveTarget === "file";
+	if (resolved.saveTarget === "file" && resolved.credentials !== null) {
 		const save = deps.saveCredentials;
 		if (!save) {
 			emitError({
@@ -8296,22 +8072,13 @@ async function runLoginCommand(args, deps) {
 			return exitAfterFlush(ExitCode.Generic);
 		}
 		try {
-			const result = await save(resolved.credentials.email, resolved.credentials.password, useFile);
+			const result = await save(resolved.credentials.email, resolved.credentials.password);
 			saved = result.status;
 			if (!args.json) if (result.status === "unchanged") process.stderr.write("Credentials already saved (no change).\n");
-			else if (useFile) process.stderr.write(`Credentials saved to file backend (${resolved.credentials.email}).\n`);
-			else process.stderr.write(`Credentials saved to OS keychain (${resolved.credentials.email}).\n`);
+			else process.stderr.write(`Credentials saved to ~/.config/aitcc/credentials.json (${resolved.credentials.email}).\n`);
 		} catch (err) {
 			const message = err.message;
-			if (!useFile && process.platform === "darwin") emitError({
-				reason: "keychain-save-failed",
-				message
-			}, "keychain 접근에 실패했습니다.\nSSH/headless 세션이면 다음 중 하나를 시도하세요:\n  1) 데스크톱 GUI Mac에서: aitcc auth export --format=env (KR IP 필요)\n     SSH에서: AITCC_SESSION='...' aitcc auth import --from-env\n  2) 같은 SSH 세션에서 keychain unlock:\n     security unlock-keychain ~/Library/Keychains/login.keychain-db\n     (login 비밀번호 입력 후 재시도)\n  3) keychain 대신 파일 저장:\n     aitcc login --save=file (~/.config/aitcc/credentials.json, perm 0600)\n참고: https://github.com/apps-in-toss-community/console-cli/issues/176");
-			else if (!useFile) emitError({
-				reason: "keychain-save-failed",
-				message
-			}, `Failed to save credentials to the OS keychain: ${message}\nOn Linux, install libsecret (\`secret-tool\`) and retry. Re-run with \`--save none\` to skip persistence.`);
-			else emitError({
+			emitError({
 				reason: "file-save-failed",
 				message
 			}, `Failed to save credentials to file backend: ${message}\nCheck that ~/.config/aitcc/ is writable, or use AITCC_CREDENTIAL_FILE to specify a custom path.`);
@@ -8375,15 +8142,16 @@ async function resolveCredentialsForLogin(args, deps, opts = {}) {
 		exitCode: ExitCode.Usage
 	};
 	let saveTarget;
-	if (args.save !== void 0) {
-		if (args.save !== "keychain" && args.save !== "file" && args.save !== "none") return {
-			kind: "error",
-			reason: "invalid-save",
-			message: `--save must be "keychain", "file", or "none" (got "${args.save}").`,
-			exitCode: ExitCode.Usage
-		};
-		saveTarget = args.save;
-	}
+	if (args.save !== void 0) if (args.save === "keychain") {
+		process.stderr.write("Warning: --save=keychain is deprecated. OS keychain support has been removed. Using --save=file instead (~/.config/aitcc/credentials.json, perm 0600).\n");
+		saveTarget = "file";
+	} else if (args.save !== "file" && args.save !== "none") return {
+		kind: "error",
+		reason: "invalid-save",
+		message: `--save must be "file" or "none" (got "${args.save}").`,
+		exitCode: ExitCode.Usage
+	};
+	else saveTarget = args.save;
 	if (args.email !== void 0 || args.password !== void 0 || args.passwordStdin) {
 		if (args.email === void 0 || args.email.trim().length === 0) return {
 			kind: "error",
@@ -8452,7 +8220,7 @@ async function resolveCredentialsForLogin(args, deps, opts = {}) {
 			return null;
 		});
 		if (fromStore) {
-			if (!args.json) process.stderr.write(`Using credentials from OS keychain for ${fromStore.email}. Pass --interactive to type a different account.
+			if (!args.json) process.stderr.write(`Using saved credentials for ${fromStore.email}. Pass --interactive to type a different account.
 `);
 			return {
 				kind: "ok",
@@ -9424,7 +9192,7 @@ function resolveVersion() {
 		if (typeof injected === "string" && injected.length > 0) return injected;
 	} catch {}
 	try {
-		return "0.1.37";
+		return "0.1.39";
 	} catch {}
 	return "0.0.0-dev";
 }
@@ -10481,8 +10249,7 @@ async function describeCredentialSource() {
 function formatCredentials(cred) {
 	if (cred.source === "none") return "none (run `aitcc login` to save)";
 	if (cred.source === "env") return `env (AITCC_EMAIL${cred.email ? ` = ${cred.email}` : ""})`;
-	if (cred.source === "file") return `file (~/.config/aitcc/credentials.json)${cred.email ? ` (${cred.email})` : ""}`;
-	return `keychain${cred.email ? ` (${cred.email})` : ""}`;
+	return `file (~/.config/aitcc/credentials.json)${cred.email ? ` (${cred.email})` : ""}`;
 }
 async function runBackgroundUpdateCheck(json) {
 	if (json) return;