axauth 1.0.0

package/dist/auth/agents/copilot.js

@@ -0,0 +1,144 @@
+/**
+ * Copilot CLI auth adapter.
+ *
+ * Supports OAuth via keychain (macOS) or file, and GitHub token via env var.
+ * Also supports GitHub CLI (`gh auth login`) as a fallback.
+ */
+import { ensureDirectory } from "../file-storage.js";
+import { isMacOS } from "../keychain.js";
+import { findFirstAvailableToken } from "./copilot-auth-check.js";
+import { deleteFileToken, deleteKeychainToken, deleteTokenFromPath, getConfigDirectory, getConfigFilePath, saveFileToken, saveKeychainToken, saveTokenToPath, } from "./copilot-storage.js";
+const AGENT_ID = "copilot";
+/** Copilot CLI authentication adapter */
+const copilotAdapter = {
+    agentId: AGENT_ID,
+    capabilities: {
+        keychain: true,
+        file: true,
+        environment: true,
+        installApiKey: false,
+    },
+    checkAuth() {
+        const result = findFirstAvailableToken();
+        if (!result) {
+            return { agentId: AGENT_ID, authenticated: false };
+        }
+        const methodMap = {
+            environment: `Token (${result.environmentVariable})`,
+            keychain: "Token (keychain)",
+            file: "Token (file)",
+            "gh-cli": "GitHub CLI",
+        };
+        return {
+            agentId: AGENT_ID,
+            authenticated: true,
+            method: methodMap[result.source],
+        };
+    },
+    extractRawCredentials() {
+        const result = findFirstAvailableToken();
+        if (!result)
+            return undefined;
+        return {
+            agent: AGENT_ID,
+            type: "oauth",
+            data: { accessToken: result.token, _source: result.source },
+        };
+    },
+    installCredentials(creds, options) {
+        if (creds.type === "api-key") {
+            return {
+                ok: false,
+                message: "API key credentials cannot be installed (use COPILOT_GITHUB_TOKEN env var)",
+            };
+        }
+        const token = typeof creds.data.accessToken === "string"
+            ? creds.data.accessToken
+            : undefined;
+        if (!token) {
+            return { ok: false, message: "No access token found in credentials" };
+        }
+        // Custom path forces file storage
+        if (options?.path) {
+            if (saveTokenToPath(token, options.path)) {
+                return {
+                    ok: true,
+                    message: `Installed credentials to ${options.path}`,
+                };
+            }
+            return {
+                ok: false,
+                message: `Failed to install credentials to ${options.path}`,
+            };
+        }
+        // Default location: use storage option or _source marker
+        const sourceMarker = creds.data._source;
+        const targetStorage = options?.storage ?? (sourceMarker === "keychain" ? "keychain" : "file");
+        if (targetStorage === "keychain") {
+            if (!isMacOS()) {
+                return {
+                    ok: false,
+                    message: "Keychain storage is only available on macOS",
+                };
+            }
+            if (saveKeychainToken(token)) {
+                return { ok: true, message: "Installed credentials to macOS Keychain" };
+            }
+            return { ok: false, message: "Failed to save to macOS Keychain" };
+        }
+        // File storage
+        if (!ensureDirectory(getConfigDirectory())) {
+            return {
+                ok: false,
+                message: "Failed to create copilot config directory",
+            };
+        }
+        if (saveFileToken(token)) {
+            return {
+                ok: true,
+                message: `Installed credentials to ${getConfigFilePath()}`,
+            };
+        }
+        return { ok: false, message: "Failed to install credentials to file" };
+    },
+    removeCredentials(options) {
+        // Custom path: only remove that specific file
+        if (options?.path) {
+            if (deleteTokenFromPath(options.path)) {
+                return { ok: true, message: `Removed ${options.path}` };
+            }
+            return {
+                ok: true,
+                message: "No credentials file found at specified path",
+            };
+        }
+        // Default location: remove from both keychain and config file
+        const removedFrom = [];
+        if (deleteKeychainToken()) {
+            removedFrom.push("macOS Keychain");
+        }
+        if (deleteFileToken()) {
+            removedFrom.push(getConfigFilePath());
+        }
+        if (removedFrom.length === 0) {
+            return { ok: true, message: "No credentials found" };
+        }
+        return { ok: true, message: `Removed from ${removedFrom.join(" and ")}` };
+    },
+    getAccessToken(creds) {
+        const data = creds.data;
+        if (typeof data.accessToken === "string") {
+            return data.accessToken;
+        }
+        return undefined;
+    },
+    credentialsToEnvironment(creds) {
+        const environment = {};
+        const data = creds.data;
+        if (typeof data.accessToken === "string") {
+            environment.COPILOT_GITHUB_TOKEN = data.accessToken;
+        }
+        return environment;
+    },
+};
+export { copilotAdapter };

package/dist/auth/agents/gemini-auth-check.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Gemini CLI authentication checking.
+ *
+ * Determines auth status based on configured auth type and available credentials.
+ */
+/** Credential source for auth method display */
+type CredentialSource = "keychain" | "file" | "api-key" | "vertex-ai" | "adc";
+/** Result of finding available credentials */
+interface CredentialResult {
+    source: CredentialSource;
+    method: string;
+    data?: Record<string, unknown>;
+}
+/** Find credentials based on configured auth type */
+declare function findCredentials(): CredentialResult | undefined;
+export { findCredentials };

package/dist/auth/agents/gemini-auth-check.js

@@ -0,0 +1,73 @@
+/**
+ * Gemini CLI authentication checking.
+ *
+ * Determines auth status based on configured auth type and available credentials.
+ */
+import { existsSync } from "node:fs";
+import { getAuthType, getDefaultOAuthPath, loadKeychainCreds, loadOAuthCreds, } from "./gemini-storage.js";
+/** Check OAuth credentials (keychain first, then file) */
+function checkOAuthCredentials() {
+    const keychainCreds = loadKeychainCreds();
+    if (keychainCreds) {
+        return {
+            source: "keychain",
+            method: "Google OAuth (keychain)",
+            data: keychainCreds,
+        };
+    }
+    if (existsSync(getDefaultOAuthPath())) {
+        const fileCreds = loadOAuthCreds();
+        if (fileCreds) {
+            return {
+                source: "file",
+                method: "Google OAuth (file)",
+                data: fileCreds,
+            };
+        }
+    }
+    return undefined;
+}
+/** Check API key credentials */
+function checkApiKeyCredentials() {
+    if (process.env.GEMINI_API_KEY) {
+        return {
+            source: "api-key",
+            method: "API key",
+            data: { apiKey: process.env.GEMINI_API_KEY },
+        };
+    }
+    return undefined;
+}
+/** Check Vertex AI credentials */
+function checkVertexAiCredentials() {
+    const hasVertexEnvironment = (process.env.GOOGLE_CLOUD_PROJECT && process.env.GOOGLE_CLOUD_LOCATION) ||
+        process.env.GOOGLE_API_KEY;
+    if (hasVertexEnvironment) {
+        return {
+            source: "vertex-ai",
+            method: "Vertex AI",
+            data: process.env.GOOGLE_API_KEY
+                ? { apiKey: process.env.GOOGLE_API_KEY }
+                : undefined,
+        };
+    }
+    return undefined;
+}
+/** Find credentials based on configured auth type */
+function findCredentials() {
+    const authType = getAuthType();
+    if (authType === "oauth-personal") {
+        return checkOAuthCredentials();
+    }
+    if (authType === "gemini-api-key") {
+        return checkApiKeyCredentials();
+    }
+    if (authType === "vertex-ai") {
+        return checkVertexAiCredentials();
+    }
+    if (authType === "compute-default-credentials") {
+        return { source: "adc", method: "Compute ADC" };
+    }
+    return undefined;
+}
+export { findCredentials };

package/dist/auth/agents/gemini-storage.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Gemini credential storage operations.
+ */
+/** Get default OAuth credentials file path */
+declare function getDefaultOAuthPath(): string;
+/** Get current auth type from settings */
+declare function getAuthType(): string | undefined;
+/** Clear auth type from settings */
+declare function clearAuthTypeFromSettings(): boolean;
+/** Set auth type in settings */
+declare function setAuthTypeInSettings(authType: string): boolean;
+/** Load OAuth credentials from file */
+declare function loadOAuthCreds(): Record<string, unknown> | undefined;
+/** Load OAuth credentials from keychain */
+declare function loadKeychainCreds(): Record<string, unknown> | undefined;
+/** Save OAuth credentials to keychain */
+declare function saveKeychainCreds(data: Record<string, unknown>): boolean;
+/** Delete OAuth credentials from keychain */
+declare function deleteKeychainCreds(): boolean;
+/** Save OAuth credentials to file */
+declare function saveOAuthCreds(data: Record<string, unknown>, filePath?: string): boolean;
+/** Delete OAuth credentials file */
+declare function deleteOAuthCreds(filePath?: string): boolean;
+export { clearAuthTypeFromSettings, deleteKeychainCreds, deleteOAuthCreds, getAuthType, getDefaultOAuthPath, loadKeychainCreds, loadOAuthCreds, saveKeychainCreds, saveOAuthCreds, setAuthTypeInSettings, };

package/dist/auth/agents/gemini-storage.js

@@ -0,0 +1,69 @@
+/**
+ * Gemini credential storage operations.
+ */
+import path from "node:path";
+import { geminiConfigReader } from "axconfig";
+import { deleteFile, loadJsonFile, saveJsonFile } from "../file-storage.js";
+import { deleteFromKeychain, loadFromKeychain, saveToKeychain, } from "../keychain.js";
+import { getResolvedConfigDirectory } from "../resolve-config-directory.js";
+const KEYCHAIN_SERVICE = "gemini-cli-oauth";
+const KEYCHAIN_ACCOUNT = "main-account";
+/** Get the Gemini config directory */
+function getConfigDirectory() {
+    return getResolvedConfigDirectory(geminiConfigReader);
+}
+/** Get default OAuth credentials file path */
+function getDefaultOAuthPath() {
+    return path.join(getConfigDirectory(), "oauth_creds.json");
+}
+/** Get current auth type from settings */
+function getAuthType() {
+    const result = geminiConfigReader.readRaw(getConfigDirectory(), "security.auth.selectedType");
+    if (result.ok && typeof result.value === "string") {
+        return result.value;
+    }
+    return undefined;
+}
+/** Clear auth type from settings */
+function clearAuthTypeFromSettings() {
+    const result = geminiConfigReader.deleteRaw(getConfigDirectory(), "security.auth.selectedType");
+    return result.ok && result.deleted;
+}
+/** Set auth type in settings */
+function setAuthTypeInSettings(authType) {
+    const result = geminiConfigReader.writeRaw(getConfigDirectory(), "security.auth.selectedType", authType);
+    return result.ok;
+}
+/** Load OAuth credentials from file */
+function loadOAuthCreds() {
+    return loadJsonFile(getDefaultOAuthPath());
+}
+/** Load OAuth credentials from keychain */
+function loadKeychainCreds() {
+    const raw = loadFromKeychain(KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT);
+    if (!raw)
+        return undefined;
+    try {
+        return JSON.parse(raw);
+    }
+    catch {
+        return undefined;
+    }
+}
+/** Save OAuth credentials to keychain */
+function saveKeychainCreds(data) {
+    return saveToKeychain(KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT, JSON.stringify(data));
+}
+/** Delete OAuth credentials from keychain */
+function deleteKeychainCreds() {
+    return deleteFromKeychain(KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT);
+}
+/** Save OAuth credentials to file */
+function saveOAuthCreds(data, filePath) {
+    return saveJsonFile(filePath ?? getDefaultOAuthPath(), data, { mode: 0o600 });
+}
+/** Delete OAuth credentials file */
+function deleteOAuthCreds(filePath) {
+    return deleteFile(filePath ?? getDefaultOAuthPath());
+}
+export { clearAuthTypeFromSettings, deleteKeychainCreds, deleteOAuthCreds, getAuthType, getDefaultOAuthPath, loadKeychainCreds, loadOAuthCreds, saveKeychainCreds, saveOAuthCreds, setAuthTypeInSettings, };

package/dist/auth/agents/gemini.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Gemini auth adapter.
+ *
+ * Supports OAuth via keychain (macOS) or file. API key auth is env-var only.
+ */
+import type { AuthAdapter } from "../adapter.js";
+/** Gemini authentication adapter */
+declare const geminiAdapter: AuthAdapter;
+export { geminiAdapter };

package/dist/auth/agents/gemini.js

@@ -0,0 +1,157 @@
+/**
+ * Gemini auth adapter.
+ *
+ * Supports OAuth via keychain (macOS) or file. API key auth is env-var only.
+ */
+import path from "node:path";
+import { ensureDirectory } from "../file-storage.js";
+import { isMacOS } from "../keychain.js";
+import { findCredentials } from "./gemini-auth-check.js";
+import { clearAuthTypeFromSettings, deleteKeychainCreds, deleteOAuthCreds, getDefaultOAuthPath, saveKeychainCreds, saveOAuthCreds, setAuthTypeInSettings, } from "./gemini-storage.js";
+const AGENT_ID = "gemini";
+/** Gemini authentication adapter */
+const geminiAdapter = {
+    agentId: AGENT_ID,
+    capabilities: {
+        keychain: true,
+        file: true,
+        environment: true,
+        installApiKey: false,
+    },
+    checkAuth() {
+        const result = findCredentials();
+        if (!result) {
+            return { agentId: AGENT_ID, authenticated: false };
+        }
+        return {
+            agentId: AGENT_ID,
+            authenticated: true,
+            method: result.method,
+        };
+    },
+    extractRawCredentials() {
+        const result = findCredentials();
+        if (!result || !result.data)
+            return undefined;
+        const credType = result.source === "api-key" || result.source === "vertex-ai"
+            ? "api-key"
+            : "oauth";
+        return {
+            agent: AGENT_ID,
+            type: credType,
+            data: {
+                ...result.data,
+                _source: result.source === "keychain" ? "keychain" : "file",
+            },
+        };
+    },
+    installCredentials(creds, options) {
+        if (creds.type === "api-key") {
+            return {
+                ok: false,
+                message: "API key credentials cannot be installed (use GEMINI_API_KEY env var)",
+            };
+        }
+        const { _source, ...oauthData } = creds.data;
+        // Custom path forces file storage (keychain only for default location)
+        if (options?.path) {
+            const targetDirectory = path.dirname(options.path);
+            if (!ensureDirectory(targetDirectory)) {
+                return {
+                    ok: false,
+                    message: `Failed to create directory ${targetDirectory}`,
+                };
+            }
+            if (saveOAuthCreds(oauthData, options.path)) {
+                return {
+                    ok: true,
+                    message: `Installed credentials to ${options.path}`,
+                };
+            }
+            return {
+                ok: false,
+                message: `Failed to install credentials to ${options.path}`,
+            };
+        }
+        // Default location: use storage option or _source marker
+        const targetStorage = options?.storage ?? (_source === "keychain" ? "keychain" : "file");
+        if (targetStorage === "keychain") {
+            if (!isMacOS()) {
+                return {
+                    ok: false,
+                    message: "Keychain storage is only available on macOS",
+                };
+            }
+            if (saveKeychainCreds(oauthData)) {
+                if (!setAuthTypeInSettings("oauth-personal")) {
+                    return { ok: false, message: "Failed to update settings" };
+                }
+                return { ok: true, message: "Installed credentials to macOS Keychain" };
+            }
+            return { ok: false, message: "Failed to save to macOS Keychain" };
+        }
+        // File storage
+        const targetPath = getDefaultOAuthPath();
+        const targetDirectory = path.dirname(targetPath);
+        if (!ensureDirectory(targetDirectory)) {
+            return {
+                ok: false,
+                message: `Failed to create directory ${targetDirectory}`,
+            };
+        }
+        if (!saveOAuthCreds(oauthData, targetPath)) {
+            return { ok: false, message: "Failed to write OAuth credentials" };
+        }
+        if (!setAuthTypeInSettings("oauth-personal")) {
+            return { ok: false, message: "Failed to update settings" };
+        }
+        return { ok: true, message: `Installed credentials to ${targetPath}` };
+    },
+    removeCredentials(options) {
+        // Custom path: only remove that specific file (no settings update)
+        if (options?.path) {
+            if (deleteOAuthCreds(options.path)) {
+                return { ok: true, message: `Removed ${options.path}` };
+            }
+            return {
+                ok: true,
+                message: "No credentials file found at specified path",
+            };
+        }
+        // Default location: remove from keychain, file, and clear settings
+        const removedFrom = [];
+        if (deleteKeychainCreds()) {
+            removedFrom.push("macOS Keychain");
+        }
+        if (deleteOAuthCreds()) {
+            removedFrom.push(getDefaultOAuthPath());
+        }
+        if (clearAuthTypeFromSettings()) {
+            removedFrom.push("auth type from settings.json");
+        }
+        if (removedFrom.length === 0) {
+            return { ok: true, message: "No credentials found" };
+        }
+        return { ok: true, message: `Removed from ${removedFrom.join(", ")}` };
+    },
+    getAccessToken(creds) {
+        const data = creds.data;
+        if (creds.type === "api-key" && typeof data.apiKey === "string") {
+            return data.apiKey;
+        }
+        if (creds.type === "oauth" && typeof data.access_token === "string") {
+            return data.access_token;
+        }
+        return undefined;
+    },
+    credentialsToEnvironment(creds) {
+        const environment = {};
+        const data = creds.data;
+        if (creds.type === "api-key" && typeof data.apiKey === "string") {
+            environment.GEMINI_API_KEY = data.apiKey;
+        }
+        // OAuth tokens for Gemini require oauth_creds.json file
+        return environment;
+    },
+};
+export { geminiAdapter };

package/dist/auth/agents/opencode.d.ts

@@ -0,0 +1,9 @@
+/**
+ * OpenCode auth adapter.
+ *
+ * Supports multi-provider auth via file only. No keychain or env var support.
+ */
+import type { AuthAdapter } from "../adapter.js";
+/** OpenCode authentication adapter */
+declare const opencodeAdapter: AuthAdapter;
+export { opencodeAdapter };

package/dist/auth/agents/opencode.js

@@ -0,0 +1,128 @@
+/**
+ * OpenCode auth adapter.
+ *
+ * Supports multi-provider auth via file only. No keychain or env var support.
+ */
+import { existsSync, mkdirSync, readFileSync, renameSync, unlinkSync, writeFileSync, } from "node:fs";
+import { homedir } from "node:os";
+import path from "node:path";
+const AGENT_ID = "opencode";
+function getDefaultAuthFilePath() {
+    const xdgData = process.env.XDG_DATA_HOME ?? path.join(homedir(), ".local/share");
+    return path.join(xdgData, "opencode", "auth.json");
+}
+/** OpenCode authentication adapter */
+const opencodeAdapter = {
+    agentId: AGENT_ID,
+    capabilities: {
+        keychain: false,
+        file: true,
+        environment: false,
+        installApiKey: true,
+    },
+    checkAuth() {
+        const authFile = getDefaultAuthFilePath();
+        if (!existsSync(authFile)) {
+            return { agentId: AGENT_ID, authenticated: false };
+        }
+        try {
+            const auth = JSON.parse(readFileSync(authFile, "utf8"));
+            const providers = Object.keys(auth);
+            const firstProvider = providers[0];
+            if (firstProvider !== undefined) {
+                const firstAuth = auth[firstProvider];
+                const method = firstAuth?.type === "oauth"
+                    ? "OAuth"
+                    : firstAuth?.type === "api"
+                        ? "API key"
+                        : "Well-known";
+                return {
+                    agentId: AGENT_ID,
+                    authenticated: true,
+                    method: providers.length > 1
+                        ? `${method} (${providers.length} providers)`
+                        : method,
+                    details: { providers },
+                };
+            }
+        }
+        catch {
+            // Invalid JSON
+        }
+        return { agentId: AGENT_ID, authenticated: false };
+    },
+    extractRawCredentials() {
+        const authFile = getDefaultAuthFilePath();
+        if (!existsSync(authFile)) {
+            return undefined;
+        }
+        try {
+            const auth = JSON.parse(readFileSync(authFile, "utf8"));
+            const providers = Object.keys(auth);
+            if (providers.length > 0) {
+                return { agent: AGENT_ID, type: "oauth", data: auth };
+            }
+        }
+        catch {
+            // Invalid JSON
+        }
+        return undefined;
+    },
+    installCredentials(creds, options) {
+        // OpenCode only supports file storage (no keychain)
+        const targetPath = options?.path ?? getDefaultAuthFilePath();
+        const targetDirectory = path.dirname(targetPath);
+        try {
+            // Ensure directory exists
+            if (!existsSync(targetDirectory)) {
+                mkdirSync(targetDirectory, { recursive: true });
+            }
+            // OpenCode stores auth data directly as the file content
+            const temporaryFile = `${targetPath}.tmp.${Date.now()}`;
+            writeFileSync(temporaryFile, JSON.stringify(creds.data, undefined, 2), {
+                mode: 0o600,
+            });
+            renameSync(temporaryFile, targetPath);
+            return { ok: true, message: `Installed credentials to ${targetPath}` };
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            return {
+                ok: false,
+                message: `Failed to install credentials: ${message}`,
+            };
+        }
+    },
+    removeCredentials(options) {
+        const targetPath = options?.path ?? getDefaultAuthFilePath();
+        if (!existsSync(targetPath)) {
+            return { ok: true, message: "No credentials file found" };
+        }
+        try {
+            unlinkSync(targetPath);
+            return { ok: true, message: `Removed ${targetPath}` };
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            return { ok: false, message: `Failed to remove credentials: ${message}` };
+        }
+    },
+    getAccessToken(creds) {
+        const data = creds.data;
+        // OpenCode stores provider tokens; return first available
+        for (const provider of Object.values(data)) {
+            if (provider &&
+                typeof provider === "object" &&
+                "access_token" in provider &&
+                typeof provider.access_token === "string") {
+                return provider.access_token;
+            }
+        }
+        return undefined;
+    },
+    credentialsToEnvironment() {
+        // OpenCode requires auth.json file, no env var support
+        return {};
+    },
+};
+export { opencodeAdapter };

package/dist/auth/file-storage.d.ts

@@ -0,0 +1,14 @@
+/**
+ * File-based credential storage utilities.
+ */
+/** Load JSON data from a file and cast to expected type */
+declare function loadJsonFile<T extends object>(filePath: string): T | undefined;
+/** Save JSON data to a file atomically */
+declare function saveJsonFile(filePath: string, data: unknown, options?: {
+    mode?: number;
+}): boolean;
+/** Delete a file if it exists */
+declare function deleteFile(filePath: string): boolean;
+/** Ensure a directory exists */
+declare function ensureDirectory(directoryPath: string): boolean;
+export { deleteFile, ensureDirectory, loadJsonFile, saveJsonFile };