axauth 1.0.0 → 1.1.0

package/README.md

@@ -1,46 +1,35 @@
 # axauth
 
-Authentication management library and CLI for AI coding agents.
+Unified authentication management for AI coding agents.
 
 ## Overview
 
-axauth manages credentials for AI coding agents. It can be used:
+axauth provides a consistent interface for managing credentials across multiple AI coding agent CLIs. It abstracts away the differences between agent-specific credential storage mechanisms (macOS Keychain, file-based storage, environment variables) and provides:
 
-1. **As a library** - imported to check auth status, extract tokens, and manage credentials programmatically
-2. **As a CLI** - standalone tool for managing agent credentials
+- **Auth status detection** - Check which agents are authenticated and via which method
+- **Credential extraction** - Extract tokens for API calls or export/import workflows
+- **Portable credential export** - Encrypted credential files for CI/CD and backup
+- **Multi-storage support** - Keychain (macOS), file storage, and environment variables
 
 ## Supported Agents
 
-- **claude-code** - Claude Code (Anthropic)
-- **codex** - Codex CLI (OpenAI)
-- **gemini** - Gemini CLI (Google)
-- **opencode** - OpenCode
+| Agent       | CLI        | Provider  | Auth Methods                               |
+| ----------- | ---------- | --------- | ------------------------------------------ |
+| Claude Code | `claude`   | Anthropic | OAuth (keychain/file), `ANTHROPIC_API_KEY` |
+| Codex CLI   | `codex`    | OpenAI    | ChatGPT OAuth, `OPENAI_API_KEY`            |
+| Gemini CLI  | `gemini`   | Google    | OAuth, `GEMINI_API_KEY`                    |
+| OpenCode    | `opencode` | Sst       | Multi-provider OAuth                       |
+| Copilot CLI | `copilot`  | GitHub    | OAuth, `GH_TOKEN`/`GITHUB_TOKEN`           |
 
-## Library API
-
-```typescript
-import { checkAuth, getAgentAccessToken, extractCredentials } from "axauth";
-
-// Check auth status for an agent
-const status = checkAuth("claude-code");
-if (status.authenticated) {
-  console.log(`Authenticated via ${status.method}`);
-}
+## Installation
 
-// Get access token for API calls
-const token = getAgentAccessToken("claude-code");
-if (token) {
-  // Use token for API calls
-}
-
-// Extract full credentials for export
-const creds = extractCredentials("claude-code");
-if (creds) {
-  // creds.accessToken, creds.refreshToken, etc.
-}
+```bash
+npm install axauth
+# or
+pnpm add axauth
 ```
 
-## CLI Commands
+## CLI Usage
 
 ```bash
 # List agents and their auth status
@@ -48,29 +37,31 @@ axauth list
 axauth list --json
 
 # Get access token for an agent (outputs raw token for piping)
-axauth token --agent claude-code
+axauth token --agent claude
 
 # Export credentials to encrypted file
-axauth export --agent claude-code --output creds.json
-axauth export --agent claude-code --output creds.json --no-password
-
-# Remove credentials (agent will prompt for login)
-axauth remove-credentials --agent claude-code
+axauth export --agent claude --output creds.json
+axauth export --agent claude --output creds.json --no-password
 
 # Install credentials from exported file
-axauth install-credentials --agent claude-code --input creds.json
+axauth install-credentials --agent claude --input creds.json
+axauth install-credentials --agent claude --input creds.json --config-dir /tmp/config
+
+# Remove credentials (agent will prompt for login on next use)
+axauth remove-credentials --agent claude
+axauth remove-credentials --agent claude --config-dir /tmp/config
 ```
 
-## Pipeline Examples
+### Pipeline Examples
 
 The CLI outputs TSV format for easy processing with standard Unix tools:
 
 ```bash
 # List all agents and their auth status
 axauth list
-# AGENT         STATUS          METHOD
-# claude-code   authenticated   OAuth (max)
-# codex         authenticated   ChatGPT OAuth
+# AGENT    STATUS          METHOD
+# claude   authenticated   OAuth (max)
+# codex    authenticated   ChatGPT OAuth
 # ...
 
 # Filter to show only authenticated agents
@@ -79,68 +70,194 @@ axauth list | tail -n +2 | awk -F'\t' '$2 == "authenticated"'
 # Count agents by status
 axauth list | tail -n +2 | cut -f2 | sort | uniq -c
 
-# Extract agent names as a list
-axauth list | tail -n +2 | cut -f1
-
 # Check if a specific agent is authenticated
-axauth list --json | jq -e '.[] | select(.agentId == "claude-code") | .authenticated'
+axauth list --json | jq -e '.[] | select(.agentId == "claude") | .authenticated'
 
-# Check Claude Code usage via OAuth endpoint
-curl -s -H "Authorization: Bearer $(axauth token --agent claude-code)" \
+# Use token with curl
+curl -s -H "Authorization: Bearer $(axauth token --agent claude)" \
   -H "anthropic-beta: oauth-2025-04-20" \
   https://api.anthropic.com/api/oauth/usage | jq .
 ```
 
-## Module Structure
+## Library API
 
+```typescript
+import {
+  // Core operations
+  checkAuth, // Check single agent auth status
+  checkAllAuth, // Check all agents' auth status
+  getAgentAccessToken, // Get access token for an agent
+  extractRawCredentials, // Extract full credentials for export
+  installCredentials, // Install credentials to storage
+  removeCredentials, // Remove credentials from storage
+
+  // Credential utilities
+  getAccessToken, // Extract token from credential object
+  credentialsToEnvironment, // Convert credentials to env vars
+  getCredentialsEnvironmentVariableName, // Get AX_*_CREDENTIALS var name
+  installCredentialsFromEnvironmentVariable, // Install from env var (CI/CD)
+
+  // Adapter access
+  getAdapter, // Get adapter for an agent
+  getAllAdapters, // Get all adapters
+  getCapabilities, // Check adapter capabilities
+} from "axauth";
+
+// Types
+import type {
+  AgentCli, // "claude" | "codex" | "gemini" | "opencode" | "copilot"
+  AuthStatus, // { agentId, authenticated, method?, details? }
+  Credentials, // { agent, type, data }
+  AuthAdapter, // Adapter interface
+  AdapterCapabilities, // { keychain, file, environment, installApiKey }
+} from "axauth";
 ```
-src/
-├── types.ts                # AgentId type definition
-├── crypto.ts               # AES-256-GCM encryption for credentials
-├── cli.ts                  # CLI entry point
-├── commands/
-│   └── auth.ts             # CLI command handlers
-└── auth/
-    ├── check-auth.ts       # Auth status detection
-    ├── extract-credentials.ts  # Credential extraction
-    ├── get-access-token.ts     # Token retrieval
-    ├── install-credentials.ts  # Credential installation
-    ├── remove-credentials.ts   # Credential removal
-    ├── keychain.ts         # macOS Keychain utilities
-    ├── file-storage.ts     # File I/O utilities
-    ├── types.ts            # Auth types
-    └── agents/             # Agent-specific implementations
-        ├── claude-code.ts
-        ├── codex.ts
-        ├── gemini.ts
-        └── opencode.ts
+
+### Examples
+
+```typescript
+import { checkAuth, getAgentAccessToken, getCapabilities } from "axauth";
+
+// Check auth status for an agent
+const status = checkAuth("claude");
+if (status.authenticated) {
+  console.log(`Authenticated via ${status.method}`);
+}
+
+// Get access token for API calls
+const token = getAgentAccessToken("claude");
+if (token) {
+  // Use token for API calls
+}
+
+// Check adapter capabilities
+const caps = getCapabilities("gemini");
+if (!caps.keychain) {
+  console.log("Gemini requires file storage on this platform");
+}
+```
+
+### Adapter Pattern
+
+Each agent implements the `AuthAdapter` interface, hiding storage complexity:
+
+```typescript
+import { getAdapter } from "axauth";
+
+const adapter = getAdapter("claude");
+
+// All adapters have the same interface
+const status = adapter.checkAuth();
+const creds = adapter.extractRawCredentials();
+const token = adapter.getAccessToken(creds);
+const envVars = adapter.credentialsToEnvironment(creds);
+
+// Check what the adapter supports
+console.log(adapter.capabilities);
+// { keychain: true, file: true, environment: true, installApiKey: false }
+```
+
+## Adapter Capabilities
+
+Each agent adapter declares its storage capabilities:
+
+| Agent    | Keychain | File | Environment | Install API Key |
+| -------- | :------: | :--: | :---------: | :-------------: |
+| claude   |  macOS   | Yes  |     Yes     |  No (env-only)  |
+| codex    |  macOS   | Yes  |     Yes     |  No (env-only)  |
+| gemini   |  macOS   | Yes  |     Yes     |  No (env-only)  |
+| opencode |    No    | Yes  |     Yes     |       No        |
+| copilot  |  macOS   | Yes  |     Yes     |  No (env-only)  |
+
+**Notes:**
+
+- **Keychain**: macOS Keychain support (not available on Linux/Windows)
+- **File**: File-based credential storage
+- **Environment**: Can read credentials from environment variables
+- **Install API Key**: Whether API keys can be installed (vs. read from env only)
+
+## Credential Export Format
+
+Exported credentials are encrypted with AES-256-GCM:
+
+```json
+{
+  "version": 1,
+  "agent": "claude",
+  "ciphertext": "<base64>",
+  "salt": "<base64>",
+  "iv": "<base64>",
+  "tag": "<base64>"
+}
 ```
 
-## Authentication Methods
+- Key derivation: PBKDF2 with SHA-256, 100,000 iterations
+- Use `--no-password` for CI/CD (uses a default password)
+- Files are written with `0o600` permissions
+
+## Environment Variables
+
+For CI/CD workflows, credentials can be passed via environment variables:
+
+| Agent    | Credential Env Var        |
+| -------- | ------------------------- |
+| claude   | `AX_CLAUDE_CREDENTIALS`   |
+| codex    | `AX_CODEX_CREDENTIALS`    |
+| gemini   | `AX_GEMINI_CREDENTIALS`   |
+| copilot  | `AX_COPILOT_CREDENTIALS`  |
+| opencode | `AX_OPENCODE_CREDENTIALS` |
+
+Use `installCredentialsFromEnvironmentVariable()` to install credentials from these variables programmatically.
 
-| Agent       | Methods                                    |
-| ----------- | ------------------------------------------ |
-| claude-code | OAuth (keychain/file) or ANTHROPIC_API_KEY |
-| codex       | ChatGPT OAuth or OPENAI_API_KEY            |
-| gemini      | OAuth or GEMINI_API_KEY                    |
-| opencode    | Multi-provider OAuth                       |
+## Config Directory Requirements
 
-## Agent Rule
+Some agents require specific directory name suffixes:
 
-Add to your `CLAUDE.md` or `AGENTS.md`:
+| Agent    | Directory Requirement    | Example              |
+| -------- | ------------------------ | -------------------- |
+| claude   | Any name                 | `/tmp/my-config`     |
+| codex    | Any name                 | `/tmp/my-config`     |
+| gemini   | Must end with `.gemini`  | `/tmp/home/.gemini`  |
+| copilot  | Must end with `.copilot` | `/tmp/home/.copilot` |
+| opencode | Must end with `opencode` | `/tmp/data/opencode` |
 
-```markdown
-# Rule: `axauth` Usage
+## Architecture
 
-Run `npx -y axauth --help` to learn available options.
+axauth follows the adapter pattern with a functional core:
 
-Use `axauth` to manage AI agent credentials. Check auth status with `axauth list`,
-get tokens with `axauth token`, and export/import credentials for CI/CD workflows.
 ```
+src/
+├── index.ts              # Public API exports
+├── cli.ts                # CLI entry point
+├── crypto.ts             # AES-256-GCM encryption
+├── commands/
+│   └── auth.ts           # CLI command handlers
+└── auth/
+    ├── adapter.ts        # AuthAdapter interface
+    ├── types.ts          # AuthStatus, Credentials types
+    ├── registry.ts       # Adapter registry and unified operations
+    └── agents/           # Agent-specific adapters
+        ├── claude-code.ts
+        ├── claude-code-storage.ts
+        ├── codex.ts
+        ├── codex-storage.ts
+        ├── codex-config.ts
+        ├── gemini.ts
+        ├── gemini-storage.ts
+        ├── gemini-auth-check.ts
+        ├── copilot.ts
+        ├── copilot-storage.ts
+        ├── copilot-auth-check.ts
+        └── opencode.ts
+```
+
+## Related Packages
 
-## Development Status
+axauth is part of the [a╳point](https://axpoint.dev) ecosystem:
 
-🚧 **Work in Progress**
+- **axshared** - Shared types and agent metadata
+- **axconfig** - Permission and configuration management
+- **axrun** - Agent execution and output normalization
 
 ## License
 

package/dist/auth/adapter.d.ts

@@ -25,23 +25,34 @@ interface OperationResult {
  * - `undefined`: Use the `_source` marker in credentials, or default to file
  */
 interface InstallOptions {
-    /** Storage type for default location (ignored if path is set) */
+    /** Storage type for default location (ignored if configDir is set) */
     storage?: StorageType;
-    /** Custom file path (forces file storage, keychain not available) */
-    path?: string;
+    /** Custom config directory (forces file storage, keychain not available) */
+    configDir?: string;
 }
 /**
  * Options for credential removal.
  *
- * When `path` is provided, only the file at that path is removed.
- * Keychain credentials are not affected (keychain is only for default location).
+ * When `configDir` is provided, only the credentials file in that directory
+ * is removed. Keychain credentials are not affected (keychain is only for
+ * default location).
  *
- * When `path` is not provided, credentials are removed from all default
+ * When `configDir` is not provided, credentials are removed from all default
  * locations (keychain and/or default file path).
  */
 interface RemoveOptions {
-    /** Custom file path to remove (only removes this file, not keychain) */
-    path?: string;
+    /** Custom config directory (removes only this location, not keychain) */
+    configDir?: string;
+}
+/**
+ * Options for token extraction.
+ *
+ * Some agents (like opencode) support multiple providers. Use the `provider`
+ * option to specify which provider's token to extract.
+ */
+interface TokenOptions {
+    /** Provider ID for multi-provider agents (e.g., "anthropic", "openai") */
+    provider?: string;
 }
 /** Capabilities that an adapter supports */
 interface AdapterCapabilities {
@@ -95,10 +106,10 @@ interface AuthAdapter {
     /**
      * Remove credentials from storage.
      *
-     * When `options.path` is provided, only the file at that path is removed.
-     * Keychain credentials are not affected.
+     * When `options.configDir` is provided, only the credentials file in that
+     * directory is removed. Keychain credentials are not affected.
      *
-     * When `options.path` is not provided, credentials are removed from all
+     * When `options.configDir` is not provided, credentials are removed from all
      * default locations (keychain and/or default file path).
      */
     removeCredentials(options?: RemoveOptions): OperationResult;
@@ -107,8 +118,11 @@ interface AuthAdapter {
      *
      * Returns the primary access token (OAuth token or API key) from
      * the credential data. Returns undefined if no token found.
+     *
+     * For multi-provider agents (like opencode), use `options.provider`
+     * to specify which provider's token to extract.
      */
-    getAccessToken(creds: Credentials): string | undefined;
+    getAccessToken(creds: Credentials, options?: TokenOptions): string | undefined;
     /**
      * Convert credentials to environment variables.
      *
@@ -118,4 +132,4 @@ interface AuthAdapter {
      */
     credentialsToEnvironment(creds: Credentials): Record<string, string>;
 }
-export type { AdapterCapabilities, AuthAdapter, InstallOptions, OperationResult, RemoveOptions, };
+export type { AdapterCapabilities, AuthAdapter, InstallOptions, OperationResult, RemoveOptions, TokenOptions, };

package/dist/auth/agents/claude-code-storage.js

@@ -4,7 +4,6 @@
 import { existsSync, readFileSync } from "node:fs";
 import { userInfo } from "node:os";
 import path from "node:path";
-import { claudeCodeConfigReader } from "axconfig";
 import { deleteFile, loadJsonFile, saveJsonFile } from "../file-storage.js";
 import { getResolvedConfigDirectory } from "../resolve-config-directory.js";
 import { deleteFromKeychain, loadFromKeychain, saveToKeychain, } from "../keychain.js";
@@ -15,7 +14,7 @@ function getUsername() {
 }
 /** Get default credentials file path */
 function getDefaultCredsFilePath() {
-    return path.join(getResolvedConfigDirectory(claudeCodeConfigReader), ".credentials.json");
+    return path.join(getResolvedConfigDirectory("claude"), ".credentials.json");
 }
 /** Load OAuth credentials from keychain */
 function loadKeychainCreds() {

package/dist/auth/agents/claude-code.js

@@ -3,9 +3,11 @@
  *
  * Supports OAuth via keychain (macOS) or file, and API key via env var.
  */
+import path from "node:path";
 import { isMacOS } from "../keychain.js";
 import { deleteFileCreds, deleteKeychainCreds, getDefaultCredsFilePath, loadFileCreds, loadKeychainCreds, saveFileCreds, saveKeychainCreds, } from "./claude-code-storage.js";
 const AGENT_ID = "claude";
+const CREDS_FILE_NAME = ".credentials.json";
 /** Claude Code authentication adapter */
 const claudeCodeAdapter = {
     agentId: AGENT_ID,
@@ -77,17 +79,18 @@ const claudeCodeAdapter = {
             };
         }
         const { _source, ...oauthData } = creds.data;
-        // Custom path forces file storage (keychain only for default location)
-        if (options?.path) {
-            if (saveFileCreds(oauthData, options.path)) {
+        // Custom config directory forces file storage (keychain only for default location)
+        if (options?.configDir) {
+            const targetPath = path.join(options.configDir, CREDS_FILE_NAME);
+            if (saveFileCreds(oauthData, targetPath)) {
                 return {
                     ok: true,
-                    message: `Installed credentials to ${options.path}`,
+                    message: `Installed credentials to ${targetPath}`,
                 };
             }
             return {
                 ok: false,
-                message: `Failed to install credentials to ${options.path}`,
+                message: `Failed to install credentials to ${targetPath}`,
             };
         }
         // Default location: use storage option or _source marker
@@ -114,10 +117,11 @@ const claudeCodeAdapter = {
         };
     },
     removeCredentials(options) {
-        // Custom path: only remove that specific file (no keychain)
-        if (options?.path) {
-            if (deleteFileCreds(options.path)) {
-                return { ok: true, message: `Removed ${options.path}` };
+        // Custom config directory: only remove that specific file (no keychain)
+        if (options?.configDir) {
+            const targetPath = path.join(options.configDir, CREDS_FILE_NAME);
+            if (deleteFileCreds(targetPath)) {
+                return { ok: true, message: `Removed ${targetPath}` };
             }
             return {
                 ok: true,

package/dist/auth/agents/codex-config.js

@@ -8,7 +8,7 @@ import { codexConfigReader } from "axconfig";
 import { getResolvedConfigDirectory } from "../resolve-config-directory.js";
 /** Get the codex home directory */
 function getCodexHome() {
-    return getResolvedConfigDirectory(codexConfigReader);
+    return getResolvedConfigDirectory("codex");
 }
 /** Get auth file path */
 function getAuthFilePath() {

package/dist/auth/agents/codex.js

@@ -10,6 +10,7 @@ import { checkAuth, extractRawCredentials } from "./codex-auth-check.js";
 import { getAuthFilePath, getCodexHome, updateConfigStorage, } from "./codex-config.js";
 import { buildAuthContent, deleteFileCreds, deleteKeychainCreds, saveFileCreds, saveKeychainCreds, } from "./codex-storage.js";
 const AGENT_ID = "codex";
+const CREDS_FILE_NAME = "auth.json";
 /** Codex authentication adapter */
 const codexAdapter = {
     agentId: AGENT_ID,
@@ -23,24 +24,24 @@ const codexAdapter = {
     extractRawCredentials,
     installCredentials(creds, options) {
         const authContent = buildAuthContent(creds.type, creds.data);
-        // Custom path forces file storage (keychain only for default location)
-        if (options?.path) {
-            const parentDirectory = path.dirname(options.path);
-            if (!ensureDirectory(parentDirectory)) {
+        // Custom config directory forces file storage (keychain only for default location)
+        if (options?.configDir) {
+            if (!ensureDirectory(options.configDir)) {
                 return {
                     ok: false,
-                    message: `Failed to create directory ${parentDirectory}`,
+                    message: `Failed to create directory ${options.configDir}`,
                 };
             }
-            if (saveFileCreds(authContent, options.path)) {
+            const targetPath = path.join(options.configDir, CREDS_FILE_NAME);
+            if (saveFileCreds(authContent, targetPath)) {
                 return {
                     ok: true,
-                    message: `Installed credentials to ${options.path}`,
+                    message: `Installed credentials to ${targetPath}`,
                 };
             }
             return {
                 ok: false,
-                message: `Failed to install credentials to ${options.path}`,
+                message: `Failed to install credentials to ${targetPath}`,
             };
         }
         // Default location: use storage option or _source marker
@@ -72,10 +73,11 @@ const codexAdapter = {
         return { ok: false, message: "Failed to install credentials to file" };
     },
     removeCredentials(options) {
-        // Custom path: only remove that specific file (no keychain)
-        if (options?.path) {
-            if (deleteFileCreds(options.path)) {
-                return { ok: true, message: `Removed ${options.path}` };
+        // Custom config directory: only remove that specific file (no keychain)
+        if (options?.configDir) {
+            const targetPath = path.join(options.configDir, CREDS_FILE_NAME);
+            if (deleteFileCreds(targetPath)) {
+                return { ok: true, message: `Removed ${targetPath}` };
             }
             return {
                 ok: true,

package/dist/auth/agents/copilot-storage.js

@@ -7,7 +7,6 @@
  */
 import { existsSync, renameSync, unlinkSync, writeFileSync } from "node:fs";
 import path from "node:path";
-import { copilotConfigReader } from "axconfig";
 import { ensureDirectory, loadJsonFile, saveJsonFile, } from "../file-storage.js";
 import { deleteFromKeychain, isMacOS, loadFromKeychain, saveToKeychain, } from "../keychain.js";
 import { getResolvedConfigDirectory } from "../resolve-config-directory.js";
@@ -15,7 +14,7 @@ const KEYCHAIN_SERVICE = "copilot-cli";
 const DEFAULT_HOST = "https://github.com";
 /** Get the copilot config directory */
 function getConfigDirectory() {
-    return getResolvedConfigDirectory(copilotConfigReader);
+    return getResolvedConfigDirectory("copilot");
 }
 /** Get the default config file path */
 function getConfigFilePath() {

package/dist/auth/agents/copilot.js

@@ -4,11 +4,13 @@
  * Supports OAuth via keychain (macOS) or file, and GitHub token via env var.
  * Also supports GitHub CLI (`gh auth login`) as a fallback.
  */
+import path from "node:path";
 import { ensureDirectory } from "../file-storage.js";
 import { isMacOS } from "../keychain.js";
 import { findFirstAvailableToken } from "./copilot-auth-check.js";
 import { deleteFileToken, deleteKeychainToken, deleteTokenFromPath, getConfigDirectory, getConfigFilePath, saveFileToken, saveKeychainToken, saveTokenToPath, } from "./copilot-storage.js";
 const AGENT_ID = "copilot";
+const CREDS_FILE_NAME = "token.json";
 /** Copilot CLI authentication adapter */
 const copilotAdapter = {
     agentId: AGENT_ID,
@@ -58,17 +60,18 @@ const copilotAdapter = {
         if (!token) {
             return { ok: false, message: "No access token found in credentials" };
         }
-        // Custom path forces file storage
-        if (options?.path) {
-            if (saveTokenToPath(token, options.path)) {
+        // Custom config directory forces file storage
+        if (options?.configDir) {
+            const targetPath = path.join(options.configDir, CREDS_FILE_NAME);
+            if (saveTokenToPath(token, targetPath)) {
                 return {
                     ok: true,
-                    message: `Installed credentials to ${options.path}`,
+                    message: `Installed credentials to ${targetPath}`,
                 };
             }
             return {
                 ok: false,
-                message: `Failed to install credentials to ${options.path}`,
+                message: `Failed to install credentials to ${targetPath}`,
             };
         }
         // Default location: use storage option or _source marker
@@ -102,10 +105,11 @@ const copilotAdapter = {
         return { ok: false, message: "Failed to install credentials to file" };
     },
     removeCredentials(options) {
-        // Custom path: only remove that specific file
-        if (options?.path) {
-            if (deleteTokenFromPath(options.path)) {
-                return { ok: true, message: `Removed ${options.path}` };
+        // Custom config directory: only remove that specific file
+        if (options?.configDir) {
+            const targetPath = path.join(options.configDir, CREDS_FILE_NAME);
+            if (deleteTokenFromPath(targetPath)) {
+                return { ok: true, message: `Removed ${targetPath}` };
             }
             return {
                 ok: true,

package/dist/auth/agents/gemini-auth-check.d.ts

@@ -1,16 +1,16 @@
 /**
  * Gemini CLI authentication checking.
  *
- * Determines auth status based on configured auth type and available credentials.
+ * Uses priority-ordered credential discovery: env → keychain → file.
  */
 /** Credential source for auth method display */
-type CredentialSource = "keychain" | "file" | "api-key" | "vertex-ai" | "adc";
+type CredentialSource = "keychain" | "file" | "api-key" | "vertex-ai";
 /** Result of finding available credentials */
 interface CredentialResult {
     source: CredentialSource;
     method: string;
     data?: Record<string, unknown>;
 }
-/** Find credentials based on configured auth type */
+/** Find credentials using priority-ordered discovery: env → keychain → file */
 declare function findCredentials(): CredentialResult | undefined;
 export { findCredentials };