axauth 1.0.0

package/dist/auth/file-storage.js

@@ -0,0 +1,63 @@
+/**
+ * File-based credential storage utilities.
+ */
+import { existsSync, mkdirSync, readFileSync, renameSync, unlinkSync, writeFileSync, } from "node:fs";
+import path from "node:path";
+/** Load JSON data from a file and cast to expected type */
+// eslint-disable-next-line @typescript-eslint/no-unnecessary-type-parameters
+function loadJsonFile(filePath) {
+    if (!existsSync(filePath)) {
+        return undefined;
+    }
+    try {
+        const data = JSON.parse(readFileSync(filePath, "utf8"));
+        return data;
+    }
+    catch {
+        return undefined;
+    }
+}
+/** Save JSON data to a file atomically */
+function saveJsonFile(filePath, data, options) {
+    try {
+        const directory = path.dirname(filePath);
+        if (!existsSync(directory)) {
+            mkdirSync(directory, { recursive: true });
+        }
+        const temporaryFile = `${filePath}.tmp.${Date.now()}`;
+        writeFileSync(temporaryFile, JSON.stringify(data, undefined, 2), {
+            mode: options?.mode ?? 0o600,
+        });
+        renameSync(temporaryFile, filePath);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/** Delete a file if it exists */
+function deleteFile(filePath) {
+    if (!existsSync(filePath)) {
+        return false;
+    }
+    try {
+        unlinkSync(filePath);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/** Ensure a directory exists */
+function ensureDirectory(directoryPath) {
+    try {
+        if (!existsSync(directoryPath)) {
+            mkdirSync(directoryPath, { recursive: true });
+        }
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export { deleteFile, ensureDirectory, loadJsonFile, saveJsonFile };

package/dist/auth/keychain.d.ts

@@ -0,0 +1,12 @@
+/**
+ * macOS Keychain utilities for credential storage.
+ */
+/** Check if running on macOS */
+declare function isMacOS(): boolean;
+/** Load data from macOS Keychain */
+declare function loadFromKeychain(service: string, account: string): string | undefined;
+/** Save data to macOS Keychain */
+declare function saveToKeychain(service: string, account: string, data: string): boolean;
+/** Delete entry from macOS Keychain */
+declare function deleteFromKeychain(service: string, account: string): boolean;
+export { deleteFromKeychain, isMacOS, loadFromKeychain, saveToKeychain };

package/dist/auth/keychain.js

@@ -0,0 +1,56 @@
+/**
+ * macOS Keychain utilities for credential storage.
+ */
+import { execFileSync } from "node:child_process";
+/** Check if running on macOS */
+function isMacOS() {
+    return process.platform === "darwin";
+}
+/** Load data from macOS Keychain */
+function loadFromKeychain(service, account) {
+    if (!isMacOS()) {
+        return undefined;
+    }
+    try {
+        const result = execFileSync("security", ["find-generic-password", "-a", account, "-s", service, "-w"], { encoding: "utf8", stdio: ["pipe", "pipe", "pipe"] });
+        return result.trim();
+    }
+    catch {
+        return undefined;
+    }
+}
+/** Save data to macOS Keychain */
+function saveToKeychain(service, account, data) {
+    if (!isMacOS()) {
+        return false;
+    }
+    try {
+        // First try to delete existing entry (ignore errors)
+        try {
+            execFileSync("security", ["delete-generic-password", "-a", account, "-s", service], { stdio: ["pipe", "pipe", "pipe"] });
+        }
+        catch {
+            // Ignore - might not exist
+        }
+        // Add new entry
+        execFileSync("security", ["add-generic-password", "-a", account, "-s", service, "-w", data], { stdio: ["pipe", "pipe", "pipe"] });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/** Delete entry from macOS Keychain */
+function deleteFromKeychain(service, account) {
+    if (!isMacOS()) {
+        return false;
+    }
+    try {
+        execFileSync("security", ["delete-generic-password", "-a", account, "-s", service], { stdio: ["pipe", "pipe", "pipe"] });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export { deleteFromKeychain, isMacOS, loadFromKeychain, saveToKeychain };

package/dist/auth/registry.d.ts

@@ -0,0 +1,109 @@
+/**
+ * Adapter registry - unified entry point for auth operations.
+ *
+ * Provides a single API for all agent authentication operations,
+ * delegating to the appropriate adapter based on agent ID.
+ */
+import type { AgentCli } from "axshared";
+import type { AdapterCapabilities, AuthAdapter, InstallOptions, OperationResult, RemoveOptions } from "./adapter.js";
+import type { AuthStatus, Credentials } from "./types.js";
+/**
+ * Get the adapter for an agent.
+ *
+ * @example
+ * const adapter = getAdapter("claude");
+ * const status = adapter.checkAuth();
+ */
+declare function getAdapter(agentId: AgentCli): AuthAdapter;
+/**
+ * Get all adapters.
+ *
+ * @example
+ * const adapters = getAllAdapters();
+ * const statuses = adapters.map(a => a.checkAuth());
+ */
+declare function getAllAdapters(): AuthAdapter[];
+/**
+ * Get adapter capabilities for an agent.
+ *
+ * @example
+ * const caps = getCapabilities("gemini");
+ * if (caps.keychain) { ... }
+ */
+declare function getCapabilities(agentId: AgentCli): AdapterCapabilities;
+/**
+ * Check auth status for an agent.
+ *
+ * @example
+ * const status = checkAuth("claude");
+ * if (status.authenticated) { ... }
+ */
+declare function checkAuth(agentId: AgentCli): AuthStatus;
+/**
+ * Check auth status for all agents.
+ *
+ * @example
+ * const statuses = checkAllAuth();
+ * const authenticated = statuses.filter(s => s.authenticated);
+ */
+declare function checkAllAuth(): AuthStatus[];
+/**
+ * Extract raw credentials for an agent.
+ *
+ * Note: The `data` field format is agent-specific and not standardized.
+ * Use {@link getAccessToken} to extract the token in a uniform way.
+ *
+ * @example
+ * const creds = extractRawCredentials("codex");
+ * if (creds) { await exportCredentials(creds); }
+ */
+declare function extractRawCredentials(agentId: AgentCli): Credentials | undefined;
+/**
+ * Install credentials for an agent.
+ *
+ * @example
+ * const result = installCredentials(creds, { storage: "keychain" });
+ * if (!result.ok) { console.error(result.message); }
+ */
+declare function installCredentials(creds: Credentials, options?: InstallOptions): OperationResult;
+/**
+ * Remove credentials for an agent.
+ *
+ * When `options.path` is provided, only the file at that path is removed.
+ * Keychain credentials are not affected (keychain is only for default location).
+ *
+ * @example
+ * // Remove from default location (keychain + default file)
+ * const result = removeCredentials("gemini");
+ *
+ * // Remove from custom path only (no keychain)
+ * const result = removeCredentials("gemini", { path: "/path/to/creds.json" });
+ */
+declare function removeCredentials(agentId: AgentCli, options?: RemoveOptions): OperationResult;
+/**
+ * Get access token from credentials.
+ *
+ * @example
+ * const token = getAccessToken(creds);
+ * if (token) { headers.Authorization = `Bearer ${token}`; }
+ */
+declare function getAccessToken(creds: Credentials): string | undefined;
+/**
+ * Get access token for an agent (convenience function).
+ *
+ * Extracts credentials and returns the access token in one call.
+ *
+ * @example
+ * const token = getAgentAccessToken("claude");
+ * if (token) { ... }
+ */
+declare function getAgentAccessToken(agentId: AgentCli): string | undefined;
+/**
+ * Convert credentials to environment variables.
+ *
+ * @example
+ * const env = credentialsToEnvironment(creds);
+ * Object.assign(process.env, env);
+ */
+declare function credentialsToEnvironment(creds: Credentials): Record<string, string>;
+export { checkAllAuth, checkAuth, credentialsToEnvironment, extractRawCredentials, getAccessToken, getAdapter, getAgentAccessToken, getAllAdapters, getCapabilities, installCredentials, removeCredentials, };

package/dist/auth/registry.js

@@ -0,0 +1,145 @@
+/**
+ * Adapter registry - unified entry point for auth operations.
+ *
+ * Provides a single API for all agent authentication operations,
+ * delegating to the appropriate adapter based on agent ID.
+ */
+import { claudeCodeAdapter } from "./agents/claude-code.js";
+import { codexAdapter } from "./agents/codex.js";
+import { copilotAdapter } from "./agents/copilot.js";
+import { geminiAdapter } from "./agents/gemini.js";
+import { opencodeAdapter } from "./agents/opencode.js";
+/** Registry of all adapters by agent ID */
+const ADAPTERS = {
+    claude: claudeCodeAdapter,
+    codex: codexAdapter,
+    copilot: copilotAdapter,
+    gemini: geminiAdapter,
+    opencode: opencodeAdapter,
+};
+/**
+ * Get the adapter for an agent.
+ *
+ * @example
+ * const adapter = getAdapter("claude");
+ * const status = adapter.checkAuth();
+ */
+function getAdapter(agentId) {
+    return ADAPTERS[agentId];
+}
+/**
+ * Get all adapters.
+ *
+ * @example
+ * const adapters = getAllAdapters();
+ * const statuses = adapters.map(a => a.checkAuth());
+ */
+function getAllAdapters() {
+    return Object.values(ADAPTERS);
+}
+/**
+ * Get adapter capabilities for an agent.
+ *
+ * @example
+ * const caps = getCapabilities("gemini");
+ * if (caps.keychain) { ... }
+ */
+function getCapabilities(agentId) {
+    return ADAPTERS[agentId].capabilities;
+}
+// Unified operations that delegate to the appropriate adapter
+/**
+ * Check auth status for an agent.
+ *
+ * @example
+ * const status = checkAuth("claude");
+ * if (status.authenticated) { ... }
+ */
+function checkAuth(agentId) {
+    return ADAPTERS[agentId].checkAuth();
+}
+/**
+ * Check auth status for all agents.
+ *
+ * @example
+ * const statuses = checkAllAuth();
+ * const authenticated = statuses.filter(s => s.authenticated);
+ */
+function checkAllAuth() {
+    return getAllAdapters().map((adapter) => adapter.checkAuth());
+}
+/**
+ * Extract raw credentials for an agent.
+ *
+ * Note: The `data` field format is agent-specific and not standardized.
+ * Use {@link getAccessToken} to extract the token in a uniform way.
+ *
+ * @example
+ * const creds = extractRawCredentials("codex");
+ * if (creds) { await exportCredentials(creds); }
+ */
+function extractRawCredentials(agentId) {
+    return ADAPTERS[agentId].extractRawCredentials();
+}
+/**
+ * Install credentials for an agent.
+ *
+ * @example
+ * const result = installCredentials(creds, { storage: "keychain" });
+ * if (!result.ok) { console.error(result.message); }
+ */
+function installCredentials(creds, options) {
+    return ADAPTERS[creds.agent].installCredentials(creds, options);
+}
+/**
+ * Remove credentials for an agent.
+ *
+ * When `options.path` is provided, only the file at that path is removed.
+ * Keychain credentials are not affected (keychain is only for default location).
+ *
+ * @example
+ * // Remove from default location (keychain + default file)
+ * const result = removeCredentials("gemini");
+ *
+ * // Remove from custom path only (no keychain)
+ * const result = removeCredentials("gemini", { path: "/path/to/creds.json" });
+ */
+function removeCredentials(agentId, options) {
+    return ADAPTERS[agentId].removeCredentials(options);
+}
+/**
+ * Get access token from credentials.
+ *
+ * @example
+ * const token = getAccessToken(creds);
+ * if (token) { headers.Authorization = `Bearer ${token}`; }
+ */
+function getAccessToken(creds) {
+    return ADAPTERS[creds.agent].getAccessToken(creds);
+}
+/**
+ * Get access token for an agent (convenience function).
+ *
+ * Extracts credentials and returns the access token in one call.
+ *
+ * @example
+ * const token = getAgentAccessToken("claude");
+ * if (token) { ... }
+ */
+function getAgentAccessToken(agentId) {
+    const creds = extractRawCredentials(agentId);
+    if (!creds)
+        return undefined;
+    return getAccessToken(creds);
+}
+/**
+ * Convert credentials to environment variables.
+ *
+ * @example
+ * const env = credentialsToEnvironment(creds);
+ * Object.assign(process.env, env);
+ */
+function credentialsToEnvironment(creds) {
+    return ADAPTERS[creds.agent].credentialsToEnvironment(creds);
+}
+export { checkAllAuth, checkAuth, credentialsToEnvironment, extractRawCredentials, getAccessToken, getAdapter, getAgentAccessToken, getAllAdapters, getCapabilities, installCredentials, removeCredentials, };

package/dist/auth/resolve-config-directory.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Utility to resolve config directories from axconfig readers.
+ *
+ * Checks the reader's env var override before falling back to the default.
+ */
+import type { ConfigReader } from "axconfig";
+/**
+ * Get the resolved config directory for a reader.
+ *
+ * Checks the env var specified by the reader first, then falls back
+ * to the reader's default config directory.
+ */
+declare function getResolvedConfigDirectory(reader: ConfigReader): string;
+export { getResolvedConfigDirectory };

package/dist/auth/resolve-config-directory.js

@@ -0,0 +1,16 @@
+/**
+ * Utility to resolve config directories from axconfig readers.
+ *
+ * Checks the reader's env var override before falling back to the default.
+ */
+/**
+ * Get the resolved config directory for a reader.
+ *
+ * Checks the env var specified by the reader first, then falls back
+ * to the reader's default config directory.
+ */
+function getResolvedConfigDirectory(reader) {
+    const environmentValue = process.env[reader.envVar];
+    return environmentValue ?? reader.defaultConfigDir();
+}
+export { getResolvedConfigDirectory };

package/dist/auth/types.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Shared types for auth module.
+ */
+import type { AgentCli } from "axshared";
+/** Auth status for an agent */
+interface AuthStatus {
+    agentId: AgentCli;
+    authenticated: boolean;
+    method?: string;
+    /** Additional details (e.g., provider list for opencode) */
+    details?: Record<string, unknown>;
+}
+/** Extracted credential data */
+interface Credentials {
+    agent: AgentCli;
+    type: "oauth" | "api-key";
+    data: Record<string, unknown>;
+}
+export type { AuthStatus, Credentials };

package/dist/auth/types.js

@@ -0,0 +1,4 @@
+/**
+ * Shared types for auth module.
+ */
+export {};

package/dist/cli.d.ts

@@ -0,0 +1,7 @@
+#!/usr/bin/env node
+/**
+ * axauth - AI agent authentication CLI.
+ *
+ * Manages credentials for AI coding agents.
+ */
+export {};

package/dist/cli.js

@@ -0,0 +1,74 @@
+#!/usr/bin/env node
+/**
+ * axauth - AI agent authentication CLI.
+ *
+ * Manages credentials for AI coding agents.
+ */
+import { Command } from "@commander-js/extra-typings";
+import packageJson from "../package.json" with { type: "json" };
+import { handleAuthExport, handleAuthInstall, handleAuthList, handleAuthRemove, handleAuthToken, } from "./commands/auth.js";
+import { AGENT_CLIS } from "axshared";
+// Handle SIGINT gracefully
+process.on("SIGINT", () => {
+    console.error("\nInterrupted");
+    process.exit(130); // 128 + SIGINT(2)
+});
+const program = new Command()
+    .name(packageJson.name)
+    .description(packageJson.description)
+    .version(packageJson.version, "-V, --version")
+    .showHelpAfterError("(add --help for additional information)")
+    .showSuggestionAfterError()
+    .helpCommand(false)
+    .addHelpText("after", String.raw `
+Examples:
+  # List authenticated agents
+  axauth list
+
+  # Filter to show only authenticated agents
+  axauth list | tail -n +2 | awk -F'\t' '$2 == "authenticated"'
+
+  # Get access token for an agent
+  axauth token --agent claude
+
+  # Export credentials for CI/CD
+  axauth export --agent claude --output creds.json --no-password
+
+  # Remove credentials (agent will prompt for login)
+  axauth remove-credentials --agent claude
+
+  # Install credentials from exported file
+  axauth install-credentials --agent claude --input creds.json`);
+program
+    .command("list")
+    .description("List agents and their auth status")
+    .option("--json", "Output as JSON")
+    .action(handleAuthList);
+program
+    .command("token")
+    .description("Get access token for an agent")
+    .requiredOption("-a, --agent <agent>", `Agent to get token from (${AGENT_CLIS.join(", ")})`)
+    .action(handleAuthToken);
+program
+    .command("export")
+    .description("Export credentials to encrypted file")
+    .requiredOption("-a, --agent <agent>", `Agent to export credentials from (${AGENT_CLIS.join(", ")})`)
+    .requiredOption("--output <file>", "Output file path")
+    .option("--no-password", "Use default password (no prompt)")
+    .action(handleAuthExport);
+program
+    .command("remove-credentials")
+    .description("Remove credentials from storage")
+    .requiredOption("-a, --agent <agent>", `Agent to remove credentials from (${AGENT_CLIS.join(", ")})`)
+    .option("--path <file>", "Custom file path (removes only this file, not keychain)")
+    .action(handleAuthRemove);
+program
+    .command("install-credentials")
+    .description("Install credentials from encrypted file")
+    .requiredOption("-a, --agent <agent>", `Agent to install credentials for (${AGENT_CLIS.join(", ")})`)
+    .requiredOption("--input <file>", "Encrypted credentials file path")
+    .option("--no-password", "Use default password (no prompt)")
+    .option("--path <file>", "Custom file path (forces file storage, ignores --storage)")
+    .option("--storage <type>", "Storage type: keychain (macOS only) or file (for default location)")
+    .action(handleAuthInstall);
+await program.parseAsync(process.argv);

package/dist/commands/auth.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Auth commands - manage agent credentials.
+ */
+/** Handle auth list command */
+declare function handleAuthList(options: {
+    json?: true;
+}): void;
+/** Handle auth token command */
+declare function handleAuthToken(options: {
+    agent: string;
+}): void;
+interface AuthExportOptions {
+    agent: string;
+    output: string;
+    password: boolean;
+}
+/** Handle auth export command */
+declare function handleAuthExport(options: AuthExportOptions): Promise<void>;
+interface AuthRemoveOptions {
+    agent: string;
+    path?: string;
+}
+/** Handle auth remove-credentials command */
+declare function handleAuthRemove(options: AuthRemoveOptions): void;
+interface AuthInstallOptions {
+    agent: string;
+    input: string;
+    password: boolean;
+    path?: string;
+    storage?: string;
+}
+/** Handle auth install-credentials command */
+declare function handleAuthInstall(options: AuthInstallOptions): Promise<void>;
+export { handleAuthExport, handleAuthInstall, handleAuthList, handleAuthRemove, handleAuthToken, };