axauth 1.0.0

package/dist/auth/agents/codex-config.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Codex configuration management.
+ */
+/** Get the codex home directory */
+declare function getCodexHome(): string;
+/** Get auth file path */
+declare function getAuthFilePath(): string;
+/** Compute the keychain key for Codex (matches Rust implementation) */
+declare function computeKeychainKey(codexHome: string): string;
+/** Update Codex config.toml to set credential storage type */
+declare function updateConfigStorage(useKeychain: boolean): void;
+export { computeKeychainKey, getAuthFilePath, getCodexHome, updateConfigStorage, };

package/dist/auth/agents/codex-config.js

@@ -0,0 +1,40 @@
+/**
+ * Codex configuration management.
+ */
+import { createHash } from "node:crypto";
+import { realpathSync } from "node:fs";
+import path from "node:path";
+import { codexConfigReader } from "axconfig";
+import { getResolvedConfigDirectory } from "../resolve-config-directory.js";
+/** Get the codex home directory */
+function getCodexHome() {
+    return getResolvedConfigDirectory(codexConfigReader);
+}
+/** Get auth file path */
+function getAuthFilePath() {
+    return path.join(getCodexHome(), "auth.json");
+}
+/** Compute the keychain key for Codex (matches Rust implementation) */
+function computeKeychainKey(codexHome) {
+    let canonicalPath;
+    try {
+        canonicalPath = realpathSync(codexHome);
+    }
+    catch {
+        canonicalPath = codexHome;
+    }
+    const hash = createHash("sha256").update(canonicalPath).digest("hex");
+    const truncated = hash.slice(0, 16);
+    return `cli|${truncated}`;
+}
+/** Update Codex config.toml to set credential storage type */
+function updateConfigStorage(useKeychain) {
+    const configDirectory = getCodexHome();
+    if (useKeychain) {
+        codexConfigReader.writeRaw(configDirectory, "cli_auth_credentials_store", "keyring");
+    }
+    else {
+        codexConfigReader.deleteRaw(configDirectory, "cli_auth_credentials_store");
+    }
+}
+export { computeKeychainKey, getAuthFilePath, getCodexHome, updateConfigStorage, };

package/dist/auth/agents/codex-storage.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Codex credential storage operations.
+ */
+interface CodexAuthJson {
+    OPENAI_API_KEY?: string | null;
+    tokens?: {
+        id_token?: string;
+        access_token?: string;
+        refresh_token?: string;
+    };
+    last_refresh?: string;
+}
+/** Get API key from environment */
+declare function getEnvironmentApiKey(): string | undefined;
+/** Check if keychain has API key */
+declare function hasKeychainApiKey(auth: CodexAuthJson | undefined): boolean;
+/** Check if keychain has OAuth tokens */
+declare function hasKeychainOAuth(auth: CodexAuthJson | undefined): boolean;
+/** Check if file has API key */
+declare function hasFileApiKey(auth: CodexAuthJson | undefined): boolean;
+/** Check if file has OAuth tokens */
+declare function hasFileOAuth(auth: CodexAuthJson | undefined): boolean;
+/** Load credentials from keychain */
+declare function loadKeychainCreds(): CodexAuthJson | undefined;
+/** Save credentials to keychain */
+declare function saveKeychainCreds(auth: CodexAuthJson): boolean;
+/** Delete credentials from keychain */
+declare function deleteKeychainCreds(): boolean;
+/** Load credentials from file */
+declare function loadFileCreds(): CodexAuthJson | undefined;
+/** Save credentials to file */
+declare function saveFileCreds(auth: CodexAuthJson, filePath?: string): boolean;
+/** Delete credentials from file */
+declare function deleteFileCreds(filePath?: string): boolean;
+interface CredentialsData {
+    apiKey?: string;
+    _source?: unknown;
+    tokens?: CodexAuthJson["tokens"];
+    [key: string]: unknown;
+}
+/** Build auth content from credentials data */
+declare function buildAuthContent(type: "oauth" | "api-key", data: CredentialsData): CodexAuthJson;
+export { buildAuthContent, deleteFileCreds, deleteKeychainCreds, getEnvironmentApiKey, hasFileApiKey, hasFileOAuth, hasKeychainApiKey, hasKeychainOAuth, loadFileCreds, loadKeychainCreds, saveFileCreds, saveKeychainCreds, };

package/dist/auth/agents/codex-storage.js

@@ -0,0 +1,82 @@
+/**
+ * Codex credential storage operations.
+ */
+import { deleteFile, loadJsonFile, saveJsonFile } from "../file-storage.js";
+import { deleteFromKeychain, loadFromKeychain, saveToKeychain, } from "../keychain.js";
+import { computeKeychainKey, getAuthFilePath, getCodexHome, } from "./codex-config.js";
+const KEYCHAIN_SERVICE = "Codex Auth";
+/** Get API key from environment */
+function getEnvironmentApiKey() {
+    return process.env.CODEX_API_KEY ?? process.env.OPENAI_API_KEY;
+}
+/** Check if keychain has API key */
+function hasKeychainApiKey(auth) {
+    return Boolean(auth?.OPENAI_API_KEY);
+}
+/** Check if keychain has OAuth tokens */
+function hasKeychainOAuth(auth) {
+    return Boolean(auth?.tokens?.access_token);
+}
+/** Check if file has API key */
+function hasFileApiKey(auth) {
+    return Boolean(auth?.OPENAI_API_KEY);
+}
+/** Check if file has OAuth tokens */
+function hasFileOAuth(auth) {
+    return Boolean(auth?.tokens?.access_token);
+}
+/** Load credentials from keychain */
+function loadKeychainCreds() {
+    const key = computeKeychainKey(getCodexHome());
+    const raw = loadFromKeychain(KEYCHAIN_SERVICE, key);
+    if (!raw)
+        return undefined;
+    try {
+        return JSON.parse(raw);
+    }
+    catch {
+        return undefined;
+    }
+}
+/** Save credentials to keychain */
+function saveKeychainCreds(auth) {
+    const key = computeKeychainKey(getCodexHome());
+    return saveToKeychain(KEYCHAIN_SERVICE, key, JSON.stringify(auth));
+}
+/** Delete credentials from keychain */
+function deleteKeychainCreds() {
+    const key = computeKeychainKey(getCodexHome());
+    return deleteFromKeychain(KEYCHAIN_SERVICE, key);
+}
+/** Load credentials from file */
+function loadFileCreds() {
+    return loadJsonFile(getAuthFilePath());
+}
+/** Save credentials to file */
+function saveFileCreds(auth, filePath) {
+    return saveJsonFile(filePath ?? getAuthFilePath(), auth, { mode: 0o600 });
+}
+/** Delete credentials from file */
+function deleteFileCreds(filePath) {
+    return deleteFile(filePath ?? getAuthFilePath());
+}
+/** Build auth content from credentials data */
+function buildAuthContent(type, data) {
+    if (type === "api-key") {
+        return { OPENAI_API_KEY: data.apiKey };
+    }
+    const { _source: _unused, ...rest } = data;
+    void _unused;
+    if ("tokens" in rest) {
+        const auth = rest;
+        if (!auth.last_refresh) {
+            auth.last_refresh = new Date().toISOString();
+        }
+        return auth;
+    }
+    return {
+        tokens: rest,
+        last_refresh: new Date().toISOString(),
+    };
+}
+export { buildAuthContent, deleteFileCreds, deleteKeychainCreds, getEnvironmentApiKey, hasFileApiKey, hasFileOAuth, hasKeychainApiKey, hasKeychainOAuth, loadFileCreds, loadKeychainCreds, saveFileCreds, saveKeychainCreds, };

package/dist/auth/agents/codex.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Codex auth adapter.
+ *
+ * Supports API key and OAuth via keychain (macOS) or file.
+ */
+import type { AuthAdapter } from "../adapter.js";
+/** Codex authentication adapter */
+declare const codexAdapter: AuthAdapter;
+export { codexAdapter };

package/dist/auth/agents/codex.js

@@ -0,0 +1,126 @@
+/**
+ * Codex auth adapter.
+ *
+ * Supports API key and OAuth via keychain (macOS) or file.
+ */
+import path from "node:path";
+import { ensureDirectory } from "../file-storage.js";
+import { isMacOS } from "../keychain.js";
+import { checkAuth, extractRawCredentials } from "./codex-auth-check.js";
+import { getAuthFilePath, getCodexHome, updateConfigStorage, } from "./codex-config.js";
+import { buildAuthContent, deleteFileCreds, deleteKeychainCreds, saveFileCreds, saveKeychainCreds, } from "./codex-storage.js";
+const AGENT_ID = "codex";
+/** Codex authentication adapter */
+const codexAdapter = {
+    agentId: AGENT_ID,
+    capabilities: {
+        keychain: true,
+        file: true,
+        environment: true,
+        installApiKey: true,
+    },
+    checkAuth,
+    extractRawCredentials,
+    installCredentials(creds, options) {
+        const authContent = buildAuthContent(creds.type, creds.data);
+        // Custom path forces file storage (keychain only for default location)
+        if (options?.path) {
+            const parentDirectory = path.dirname(options.path);
+            if (!ensureDirectory(parentDirectory)) {
+                return {
+                    ok: false,
+                    message: `Failed to create directory ${parentDirectory}`,
+                };
+            }
+            if (saveFileCreds(authContent, options.path)) {
+                return {
+                    ok: true,
+                    message: `Installed credentials to ${options.path}`,
+                };
+            }
+            return {
+                ok: false,
+                message: `Failed to install credentials to ${options.path}`,
+            };
+        }
+        // Default location: use storage option or _source marker
+        const sourceMarker = creds.data._source;
+        const targetStorage = options?.storage ?? (sourceMarker === "keychain" ? "keychain" : "file");
+        if (targetStorage === "keychain") {
+            if (!isMacOS()) {
+                return {
+                    ok: false,
+                    message: "Keychain storage is only available on macOS",
+                };
+            }
+            if (saveKeychainCreds(authContent)) {
+                updateConfigStorage(true);
+                return { ok: true, message: "Installed credentials to macOS Keychain" };
+            }
+            return { ok: false, message: "Failed to save to macOS Keychain" };
+        }
+        if (!ensureDirectory(getCodexHome())) {
+            return { ok: false, message: "Failed to create codex directory" };
+        }
+        if (saveFileCreds(authContent)) {
+            updateConfigStorage(false);
+            return {
+                ok: true,
+                message: `Installed credentials to ${getAuthFilePath()}`,
+            };
+        }
+        return { ok: false, message: "Failed to install credentials to file" };
+    },
+    removeCredentials(options) {
+        // Custom path: only remove that specific file (no keychain)
+        if (options?.path) {
+            if (deleteFileCreds(options.path)) {
+                return { ok: true, message: `Removed ${options.path}` };
+            }
+            return {
+                ok: true,
+                message: "No credentials file found at specified path",
+            };
+        }
+        // Default location: remove from both keychain and default file
+        const removedFrom = [];
+        if (deleteKeychainCreds()) {
+            removedFrom.push("macOS Keychain");
+        }
+        if (deleteFileCreds()) {
+            removedFrom.push(getAuthFilePath());
+        }
+        if (removedFrom.length === 0) {
+            return { ok: true, message: "No credentials found" };
+        }
+        return { ok: true, message: `Removed from ${removedFrom.join(" and ")}` };
+    },
+    getAccessToken(creds) {
+        const data = creds.data;
+        if (creds.type === "api-key" && typeof data.apiKey === "string") {
+            return data.apiKey;
+        }
+        if (creds.type === "oauth") {
+            // Direct access_token
+            if (typeof data.access_token === "string") {
+                return data.access_token;
+            }
+            // Nested under tokens (from keychain/file storage)
+            const tokens = data.tokens;
+            if (typeof tokens?.access_token === "string") {
+                return tokens.access_token;
+            }
+        }
+        return undefined;
+    },
+    credentialsToEnvironment(creds) {
+        const environment = {};
+        const data = creds.data;
+        if (creds.type === "api-key" && typeof data.apiKey === "string") {
+            environment.OPENAI_API_KEY = data.apiKey;
+        }
+        // OAuth tokens for Codex require auth.json file, not env vars
+        return environment;
+    },
+};
+export { codexAdapter };

package/dist/auth/agents/copilot-auth-check.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Copilot CLI token discovery.
+ *
+ * Finds the first available token from environment, keychain, file, or gh CLI.
+ */
+/** Token source for auth method display */
+type TokenSource = "environment" | "keychain" | "file" | "gh-cli";
+/** Result of finding an available token */
+interface TokenResult {
+    token: string;
+    source: TokenSource;
+    /** Environment variable name if source is "environment" */
+    environmentVariable?: string;
+}
+/** Find the first available token from any source */
+declare function findFirstAvailableToken(): TokenResult | undefined;
+export { findFirstAvailableToken };

package/dist/auth/agents/copilot-auth-check.js

@@ -0,0 +1,46 @@
+/**
+ * Copilot CLI token discovery.
+ *
+ * Finds the first available token from environment, keychain, file, or gh CLI.
+ */
+import { execFileSync } from "node:child_process";
+import { getEnvironmentToken, getEnvironmentTokenSource, loadFileToken, loadKeychainToken, } from "./copilot-storage.js";
+/** Try to get token from GitHub CLI */
+function getGhCliToken() {
+    try {
+        const result = execFileSync("gh", ["auth", "token"], {
+            encoding: "utf8",
+            stdio: ["pipe", "pipe", "pipe"],
+            timeout: 5000,
+        });
+        const token = result.trim();
+        // Reject classic PATs (ghp_ prefix) - copilot requires fine-grained tokens
+        if (token && !token.startsWith("ghp_")) {
+            return token;
+        }
+    }
+    catch {
+        // gh CLI not available or not authenticated
+    }
+    return undefined;
+}
+/** Find the first available token from any source */
+function findFirstAvailableToken() {
+    const environmentVariable = getEnvironmentTokenSource();
+    if (environmentVariable) {
+        const token = getEnvironmentToken();
+        if (token)
+            return { token, source: "environment", environmentVariable };
+    }
+    const keychainToken = loadKeychainToken();
+    if (keychainToken)
+        return { token: keychainToken, source: "keychain" };
+    const fileToken = loadFileToken();
+    if (fileToken)
+        return { token: fileToken, source: "file" };
+    const ghToken = getGhCliToken();
+    if (ghToken)
+        return { token: ghToken, source: "gh-cli" };
+    return undefined;
+}
+export { findFirstAvailableToken };

package/dist/auth/agents/copilot-storage.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Copilot CLI credential storage operations.
+ *
+ * Copilot CLI stores credentials in:
+ * - macOS Keychain: service "copilot-cli", account "<host>:<login>"
+ * - File: ~/.copilot/config.json with "copilot_tokens" field
+ */
+/** Get the copilot config directory */
+declare function getConfigDirectory(): string;
+/** Get the default config file path */
+declare function getConfigFilePath(): string;
+/** Load token from keychain */
+declare function loadKeychainToken(host?: string): string | undefined;
+/** Save token to keychain */
+declare function saveKeychainToken(token: string, host?: string): boolean;
+/** Delete token from keychain */
+declare function deleteKeychainToken(host?: string): boolean;
+/** Load token from config file */
+declare function loadFileToken(host?: string): string | undefined;
+/** Save token to config file */
+declare function saveFileToken(token: string, host?: string): boolean;
+/** Delete token from config file */
+declare function deleteFileToken(host?: string): boolean;
+/** Get token from environment variables (in priority order) */
+declare function getEnvironmentToken(): string | undefined;
+/** Get the name of the environment variable providing the token */
+declare function getEnvironmentTokenSource(): "COPILOT_GITHUB_TOKEN" | "GH_TOKEN" | "GITHUB_TOKEN" | undefined;
+/** Save token to a custom path (atomic write) */
+declare function saveTokenToPath(token: string, targetPath: string): boolean;
+/** Delete token from a custom path */
+declare function deleteTokenFromPath(targetPath: string): boolean;
+export { deleteFileToken, deleteKeychainToken, deleteTokenFromPath, getConfigDirectory, getConfigFilePath, getEnvironmentToken, getEnvironmentTokenSource, loadFileToken, loadKeychainToken, saveFileToken, saveKeychainToken, saveTokenToPath, };

package/dist/auth/agents/copilot-storage.js

@@ -0,0 +1,139 @@
+/**
+ * Copilot CLI credential storage operations.
+ *
+ * Copilot CLI stores credentials in:
+ * - macOS Keychain: service "copilot-cli", account "<host>:<login>"
+ * - File: ~/.copilot/config.json with "copilot_tokens" field
+ */
+import { existsSync, renameSync, unlinkSync, writeFileSync } from "node:fs";
+import path from "node:path";
+import { copilotConfigReader } from "axconfig";
+import { ensureDirectory, loadJsonFile, saveJsonFile, } from "../file-storage.js";
+import { deleteFromKeychain, isMacOS, loadFromKeychain, saveToKeychain, } from "../keychain.js";
+import { getResolvedConfigDirectory } from "../resolve-config-directory.js";
+const KEYCHAIN_SERVICE = "copilot-cli";
+const DEFAULT_HOST = "https://github.com";
+/** Get the copilot config directory */
+function getConfigDirectory() {
+    return getResolvedConfigDirectory(copilotConfigReader);
+}
+/** Get the default config file path */
+function getConfigFilePath() {
+    return path.join(getConfigDirectory(), "config.json");
+}
+/** Get the current username for keychain account */
+function getUsername() {
+    return process.env.USER ?? process.env.USERNAME ?? "user";
+}
+/** Build keychain account key */
+function getKeychainAccount(host = DEFAULT_HOST) {
+    return `${host}:${getUsername()}`;
+}
+/** Load token from keychain */
+function loadKeychainToken(host = DEFAULT_HOST) {
+    if (!isMacOS())
+        return undefined;
+    const account = getKeychainAccount(host);
+    return loadFromKeychain(KEYCHAIN_SERVICE, account);
+}
+/** Save token to keychain */
+function saveKeychainToken(token, host = DEFAULT_HOST) {
+    if (!isMacOS())
+        return false;
+    const account = getKeychainAccount(host);
+    return saveToKeychain(KEYCHAIN_SERVICE, account, token);
+}
+/** Delete token from keychain */
+function deleteKeychainToken(host = DEFAULT_HOST) {
+    if (!isMacOS())
+        return false;
+    const account = getKeychainAccount(host);
+    return deleteFromKeychain(KEYCHAIN_SERVICE, account);
+}
+/** Load config file */
+function loadConfig() {
+    return loadJsonFile(getConfigFilePath());
+}
+/** Save config file */
+function saveConfig(config) {
+    return saveJsonFile(getConfigFilePath(), config, { mode: 0o600 });
+}
+/** Load token from config file */
+function loadFileToken(host = DEFAULT_HOST) {
+    const config = loadConfig();
+    return config?.copilot_tokens?.[`${host}:${getUsername()}`];
+}
+/** Save token to config file */
+function saveFileToken(token, host = DEFAULT_HOST) {
+    const config = loadConfig() ?? {};
+    const key = `${host}:${getUsername()}`;
+    config.copilot_tokens = {
+        ...config.copilot_tokens,
+        [key]: token,
+    };
+    config.store_token_plaintext = true;
+    return saveConfig(config);
+}
+/** Delete token from config file */
+function deleteFileToken(host = DEFAULT_HOST) {
+    const config = loadConfig();
+    if (!config?.copilot_tokens)
+        return false;
+    const key = `${host}:${getUsername()}`;
+    if (!(key in config.copilot_tokens))
+        return false;
+    // Remove the token by filtering out the key
+    const remainingTokens = Object.fromEntries(Object.entries(config.copilot_tokens).filter(([k]) => k !== key));
+    // If no tokens left, remove the whole section
+    if (Object.keys(remainingTokens).length === 0) {
+        const rest = Object.fromEntries(Object.entries(config).filter(([k]) => k !== "copilot_tokens" && k !== "store_token_plaintext"));
+        return saveConfig(rest);
+    }
+    return saveConfig({ ...config, copilot_tokens: remainingTokens });
+}
+/** Get token from environment variables (in priority order) */
+function getEnvironmentToken() {
+    return (process.env.COPILOT_GITHUB_TOKEN ??
+        process.env.GH_TOKEN ??
+        process.env.GITHUB_TOKEN);
+}
+/** Get the name of the environment variable providing the token */
+function getEnvironmentTokenSource() {
+    if (process.env.COPILOT_GITHUB_TOKEN)
+        return "COPILOT_GITHUB_TOKEN";
+    if (process.env.GH_TOKEN)
+        return "GH_TOKEN";
+    if (process.env.GITHUB_TOKEN)
+        return "GITHUB_TOKEN";
+    return undefined;
+}
+/** Save token to a custom path (atomic write) */
+function saveTokenToPath(token, targetPath) {
+    const parentDirectory = path.dirname(targetPath);
+    if (!ensureDirectory(parentDirectory)) {
+        return false;
+    }
+    try {
+        const temporaryFile = `${targetPath}.tmp.${Date.now()}`;
+        writeFileSync(temporaryFile, JSON.stringify({ accessToken: token }, undefined, 2), { mode: 0o600 });
+        renameSync(temporaryFile, targetPath);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/** Delete token from a custom path */
+function deleteTokenFromPath(targetPath) {
+    if (!existsSync(targetPath)) {
+        return false;
+    }
+    try {
+        unlinkSync(targetPath);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export { deleteFileToken, deleteKeychainToken, deleteTokenFromPath, getConfigDirectory, getConfigFilePath, getEnvironmentToken, getEnvironmentTokenSource, loadFileToken, loadKeychainToken, saveFileToken, saveKeychainToken, saveTokenToPath, };

package/dist/auth/agents/copilot.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Copilot CLI auth adapter.
+ *
+ * Supports OAuth via keychain (macOS) or file, and GitHub token via env var.
+ * Also supports GitHub CLI (`gh auth login`) as a fallback.
+ */
+import type { AuthAdapter } from "../adapter.js";
+/** Copilot CLI authentication adapter */
+declare const copilotAdapter: AuthAdapter;
+export { copilotAdapter };