axauth 1.0.0

package/dist/commands/auth.js

@@ -0,0 +1,155 @@
+/**
+ * Auth commands - manage agent credentials.
+ */
+import { existsSync, readFileSync, renameSync, writeFileSync } from "node:fs";
+import promptPassword from "@inquirer/password";
+import { checkAllAuth, extractRawCredentials, getAccessToken, installCredentials, removeCredentials, } from "../auth/registry.js";
+import { DEFAULT_PASSWORD, encrypt, fromBase64, toBase64, tryDecrypt, } from "../crypto.js";
+import { AGENT_CLIS } from "axshared";
+/** Validate agent ID. Returns undefined if valid, sets exitCode and returns error message if invalid. */
+function validateAgent(agent) {
+    if (!AGENT_CLIS.includes(agent)) {
+        console.error(`Error: Unknown agent '${agent}'`);
+        console.error(`Supported agents: ${AGENT_CLIS.join(", ")}`);
+        process.exitCode = 2;
+        return undefined;
+    }
+    return agent;
+}
+/** Handle auth list command */
+function handleAuthList(options) {
+    const statuses = checkAllAuth();
+    if (options.json) {
+        console.log(JSON.stringify(statuses, undefined, 2));
+    }
+    else {
+        printAuthTable(statuses);
+    }
+}
+/** Handle auth token command */
+function handleAuthToken(options) {
+    const agentId = validateAgent(options.agent);
+    if (!agentId)
+        return;
+    const creds = extractRawCredentials(agentId);
+    if (!creds) {
+        console.error(`Error: No credentials found for ${agentId}`);
+        process.exitCode = 1;
+        return;
+    }
+    // Extract the token based on credential type
+    const token = getAccessToken(creds);
+    if (!token) {
+        console.error(`Error: No access token available for ${agentId}`);
+        process.exitCode = 1;
+        return;
+    }
+    // Output just the token (no newline for piping)
+    process.stdout.write(token);
+}
+/** Handle auth export command */
+async function handleAuthExport(options) {
+    const agentId = validateAgent(options.agent);
+    if (!agentId)
+        return;
+    const creds = extractRawCredentials(agentId);
+    if (!creds) {
+        console.error(`Error: No credentials found for ${agentId}`);
+        process.exitCode = 1;
+        return;
+    }
+    // Get password
+    const userPassword = options.password
+        ? await promptPassword({ message: "Encryption password" })
+        : DEFAULT_PASSWORD;
+    // Encrypt and write atomically (write to temp, then rename)
+    const encrypted = encrypt(JSON.stringify(creds), userPassword);
+    const file = { version: 1, agent: agentId, ...toBase64(encrypted) };
+    const temporaryFile = `${options.output}.tmp.${Date.now()}`;
+    writeFileSync(temporaryFile, JSON.stringify(file, undefined, 2), {
+        mode: 0o600,
+    });
+    renameSync(temporaryFile, options.output);
+    console.error(`Credentials exported to ${options.output}`);
+}
+/** Print auth status as TSV table */
+function printAuthTable(statuses) {
+    // Header row (UPPERCASE for visibility)
+    console.log("AGENT\tSTATUS\tMETHOD");
+    // Data rows
+    for (const s of statuses) {
+        const status = s.authenticated ? "authenticated" : "not_configured";
+        console.log(`${s.agentId}\t${status}\t${s.method ?? ""}`);
+    }
+}
+/** Handle auth remove-credentials command */
+function handleAuthRemove(options) {
+    const agentId = validateAgent(options.agent);
+    if (!agentId)
+        return;
+    const result = removeCredentials(agentId, { path: options.path });
+    if (result.ok) {
+        console.error(result.message);
+    }
+    else {
+        console.error(`Error: ${result.message}`);
+        process.exitCode = 1;
+    }
+}
+/** Handle auth install-credentials command */
+async function handleAuthInstall(options) {
+    const agentId = validateAgent(options.agent);
+    if (!agentId)
+        return;
+    // Validate storage option
+    const validStorageTypes = ["keychain", "file"];
+    let storage;
+    if (options.storage !== undefined) {
+        if (!validStorageTypes.includes(options.storage)) {
+            console.error(`Error: Invalid storage type '${options.storage}'`);
+            console.error(`Valid options: ${validStorageTypes.join(", ")}`);
+            process.exitCode = 2;
+            return;
+        }
+        storage = options.storage;
+    }
+    // Check if file exists
+    if (!existsSync(options.input)) {
+        console.error(`Error: Credentials file not found: ${options.input}`);
+        process.exitCode = 1;
+        return;
+    }
+    try {
+        const fileContent = JSON.parse(readFileSync(options.input, "utf8"));
+        // Verify agent matches
+        if (fileContent.agent !== agentId) {
+            console.error(`Error: Credentials file is for '${fileContent.agent}', not '${agentId}'`);
+            process.exitCode = 1;
+            return;
+        }
+        // Decrypt credentials (tries default password first, then prompts if needed)
+        const decrypted = await tryDecrypt(fromBase64(fileContent), () => promptPassword({ message: "Decryption password" }));
+        const creds = JSON.parse(decrypted);
+        // Verify decrypted credentials match the requested agent (defense-in-depth)
+        if (creds.agent !== agentId) {
+            console.error(`Error: Decrypted credentials are for '${creds.agent}', not '${agentId}'`);
+            process.exitCode = 1;
+            return;
+        }
+        // Install credentials
+        const result = installCredentials(creds, { path: options.path, storage });
+        if (result.ok) {
+            console.error(result.message);
+        }
+        else {
+            console.error(`Error: ${result.message}`);
+            process.exitCode = 1;
+        }
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        console.error(`Error: Failed to install credentials: ${message}`);
+        process.exitCode = 1;
+    }
+}
+export { handleAuthExport, handleAuthInstall, handleAuthList, handleAuthRemove, handleAuthToken, };

package/dist/crypto.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Encryption utilities for credential export/import.
+ *
+ * Uses AES-256-GCM with PBKDF2 key derivation.
+ */
+/**
+ * Derive default password from predictable seed.
+ * Provides obfuscation, not security - attacker would need to understand derivation logic.
+ */
+declare const DEFAULT_PASSWORD: string;
+/** Encrypted data structure */
+interface EncryptedData {
+    ciphertext: Buffer;
+    salt: Buffer;
+    iv: Buffer;
+    tag: Buffer;
+}
+/** Serialized encrypted file format */
+interface EncryptedFile {
+    version: 1;
+    agent: string;
+    ciphertext: string;
+    salt: string;
+    iv: string;
+    tag: string;
+}
+/** Encrypt data with password */
+declare function encrypt(data: string, password: string): EncryptedData;
+/** Convert encrypted data to base64 for JSON serialization */
+declare function toBase64(encrypted: EncryptedData): Omit<EncryptedFile, "version" | "agent">;
+/** Convert base64 strings back to buffers */
+declare function fromBase64(file: Omit<EncryptedFile, "version" | "agent">): EncryptedData;
+/**
+ * Try decrypting with default password first, then prompt for custom.
+ * Returns decrypted string on success.
+ */
+declare function tryDecrypt(encrypted: EncryptedData, promptFunction: () => Promise<string>): Promise<string>;
+export { DEFAULT_PASSWORD, encrypt, fromBase64, toBase64, tryDecrypt };
+export type { EncryptedFile };

package/dist/crypto.js

@@ -0,0 +1,78 @@
+/**
+ * Encryption utilities for credential export/import.
+ *
+ * Uses AES-256-GCM with PBKDF2 key derivation.
+ */
+import { createCipheriv, createDecipheriv, createHash, pbkdf2Sync, randomBytes, } from "node:crypto";
+const ALGORITHM = "aes-256-gcm";
+const ITERATIONS = 100_000;
+const KEY_LENGTH = 32;
+const SALT_LENGTH = 16;
+const IV_LENGTH = 12;
+const TAG_LENGTH = 16;
+/**
+ * Derive default password from predictable seed.
+ * Provides obfuscation, not security - attacker would need to understand derivation logic.
+ */
+const DEFAULT_PASSWORD = createHash("sha256")
+    .update(["axauth", "credentials", "default", "v1"].join("."))
+    .digest("base64")
+    .slice(0, 32);
+/** Encrypt data with password */
+function encrypt(data, password) {
+    const salt = randomBytes(SALT_LENGTH);
+    const key = pbkdf2Sync(password, salt, ITERATIONS, KEY_LENGTH, "sha256");
+    const iv = randomBytes(IV_LENGTH);
+    const cipher = createCipheriv(ALGORITHM, key, iv, {
+        authTagLength: TAG_LENGTH,
+    });
+    const ciphertext = Buffer.concat([
+        cipher.update(data, "utf8"),
+        cipher.final(),
+    ]);
+    return { ciphertext, salt, iv, tag: cipher.getAuthTag() };
+}
+/** Decrypt data with password. Throws on wrong password. */
+function decrypt(encrypted, password) {
+    const key = pbkdf2Sync(password, encrypted.salt, ITERATIONS, KEY_LENGTH, "sha256");
+    const decipher = createDecipheriv(ALGORITHM, key, encrypted.iv, {
+        authTagLength: TAG_LENGTH,
+    });
+    decipher.setAuthTag(encrypted.tag);
+    return (decipher.update(encrypted.ciphertext).toString("utf8") +
+        decipher.final("utf8"));
+}
+/** Convert encrypted data to base64 for JSON serialization */
+function toBase64(encrypted) {
+    return {
+        ciphertext: encrypted.ciphertext.toString("base64"),
+        salt: encrypted.salt.toString("base64"),
+        iv: encrypted.iv.toString("base64"),
+        tag: encrypted.tag.toString("base64"),
+    };
+}
+/** Convert base64 strings back to buffers */
+function fromBase64(file) {
+    return {
+        ciphertext: Buffer.from(file.ciphertext, "base64"),
+        salt: Buffer.from(file.salt, "base64"),
+        iv: Buffer.from(file.iv, "base64"),
+        tag: Buffer.from(file.tag, "base64"),
+    };
+}
+/**
+ * Try decrypting with default password first, then prompt for custom.
+ * Returns decrypted string on success.
+ */
+async function tryDecrypt(encrypted, promptFunction) {
+    // Try default password first
+    try {
+        return decrypt(encrypted, DEFAULT_PASSWORD);
+    }
+    catch {
+        // Default password failed, prompt user
+        const password = await promptFunction();
+        return decrypt(encrypted, password);
+    }
+}
+export { DEFAULT_PASSWORD, encrypt, fromBase64, toBase64, tryDecrypt };

package/dist/index.d.ts

@@ -0,0 +1,37 @@
+/**
+ * axauth - Authentication management library for AI coding agents.
+ *
+ * @example
+ * // Get access token for an agent
+ * import { getAgentAccessToken, checkAuth } from "axauth";
+ *
+ * const token = getAgentAccessToken("claude");
+ * if (token) {
+ *   // Use token for API calls
+ * }
+ *
+ * // Or check auth status first
+ * const status = checkAuth("claude");
+ * if (status.authenticated) {
+ *   console.log(`Authenticated via ${status.method}`);
+ * }
+ *
+ * @example
+ * // Use the adapter API
+ * import { getAdapter, getCapabilities } from "axauth";
+ *
+ * const adapter = getAdapter("claude");
+ * const status = adapter.checkAuth();
+ * const creds = adapter.extractCredentials();
+ *
+ * // Check what an agent supports
+ * const caps = getCapabilities("gemini");
+ * if (!caps.keychain) {
+ *   console.log("Gemini doesn't support keychain storage");
+ * }
+ */
+export type { AgentCli } from "axshared";
+export { AGENT_CLIS } from "axshared";
+export type { AdapterCapabilities, AuthAdapter, InstallOptions, OperationResult, RemoveOptions, } from "./auth/adapter.js";
+export type { AuthStatus, Credentials } from "./auth/types.js";
+export { checkAllAuth, checkAuth, credentialsToEnvironment, extractRawCredentials, getAccessToken, getAgentAccessToken, installCredentials, removeCredentials, getAdapter, getAllAdapters, getCapabilities, } from "./auth/registry.js";

package/dist/index.js

@@ -0,0 +1,39 @@
+/**
+ * axauth - Authentication management library for AI coding agents.
+ *
+ * @example
+ * // Get access token for an agent
+ * import { getAgentAccessToken, checkAuth } from "axauth";
+ *
+ * const token = getAgentAccessToken("claude");
+ * if (token) {
+ *   // Use token for API calls
+ * }
+ *
+ * // Or check auth status first
+ * const status = checkAuth("claude");
+ * if (status.authenticated) {
+ *   console.log(`Authenticated via ${status.method}`);
+ * }
+ *
+ * @example
+ * // Use the adapter API
+ * import { getAdapter, getCapabilities } from "axauth";
+ *
+ * const adapter = getAdapter("claude");
+ * const status = adapter.checkAuth();
+ * const creds = adapter.extractCredentials();
+ *
+ * // Check what an agent supports
+ * const caps = getCapabilities("gemini");
+ * if (!caps.keychain) {
+ *   console.log("Gemini doesn't support keychain storage");
+ * }
+ */
+export { AGENT_CLIS } from "axshared";
+// Registry - unified entry point for all operations
+export { 
+// Core operations
+checkAllAuth, checkAuth, credentialsToEnvironment, extractRawCredentials, getAccessToken, getAgentAccessToken, installCredentials, removeCredentials, 
+// Adapter access
+getAdapter, getAllAdapters, getCapabilities, } from "./auth/registry.js";

package/package.json

@@ -0,0 +1,96 @@
+{
+  "name": "axauth",
+  "author": "Łukasz Jerciński",
+  "license": "MIT",
+  "version": "1.0.0",
+  "description": "Authentication management library and CLI for AI coding agents",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Jercik/axauth.git"
+  },
+  "homepage": "https://github.com/Jercik/axauth#readme",
+  "bugs": {
+    "url": "https://github.com/Jercik/axauth/issues"
+  },
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "bin": {
+    "axauth": "bin/axauth"
+  },
+  "files": [
+    "bin/",
+    "dist/",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "prepare": "git config core.hooksPath .githooks",
+    "prepublishOnly": "pnpm run rebuild",
+    "build": "tsc -p tsconfig.app.json",
+    "clean": "rm -rf dist *.tsbuildinfo",
+    "format": "prettier --write .",
+    "format:check": "prettier --check .",
+    "fta": "fta-check",
+    "knip": "knip",
+    "lint": "eslint",
+    "rebuild": "pnpm run clean && pnpm run build",
+    "start": "pnpm -s run rebuild && node bin/axauth",
+    "test": "vitest run",
+    "test:coverage": "vitest run --coverage",
+    "test:watch": "vitest",
+    "typecheck": "tsc -b --noEmit"
+  },
+  "keywords": [
+    "ai",
+    "agent",
+    "cli",
+    "auth",
+    "authentication",
+    "credentials",
+    "claude-code",
+    "codex",
+    "gemini",
+    "opencode",
+    "llm",
+    "automation",
+    "coding-assistant"
+  ],
+  "packageManager": "pnpm@10.26.1",
+  "engines": {
+    "node": ">=22.14.0"
+  },
+  "dependencies": {
+    "@commander-js/extra-typings": "^14.0.0",
+    "@inquirer/password": "^5.0.3",
+    "axconfig": "^2.0.0",
+    "axshared": "^1.1.0",
+    "commander": "^14.0.2"
+  },
+  "devDependencies": {
+    "@eslint/compat": "^2.0.0",
+    "@eslint/js": "^9.39.2",
+    "@total-typescript/ts-reset": "^0.6.1",
+    "@types/node": "^25.0.3",
+    "@vitest/coverage-v8": "^4.0.16",
+    "@vitest/eslint-plugin": "^1.6.4",
+    "eslint": "^9.39.2",
+    "eslint-config-prettier": "^10.1.8",
+    "eslint-plugin-unicorn": "^62.0.0",
+    "fta-check": "^1.5.1",
+    "fta-cli": "^3.0.0",
+    "globals": "^16.5.0",
+    "knip": "^5.78.0",
+    "prettier": "3.7.4",
+    "semantic-release": "^25.0.2",
+    "typescript": "^5.9.3",
+    "typescript-eslint": "^8.51.0",
+    "vitest": "^4.0.16"
+  }
+}