axauth 1.1.0 → 1.2.0

package/dist/auth/adapter.d.ts

@@ -16,33 +16,53 @@ interface OperationResult {
 /**
  * Options for credential installation.
  *
- * When `path` is provided, credentials are always written as a file to that
- * path (keychain is only for default location). The `storage` option is ignored.
+ * When custom directories are provided, credentials are always written as files
+ * (keychain is only for default location). The `storage` option is ignored.
  *
- * When `path` is not provided, `storage` controls where credentials go:
+ * When no directories are provided, `storage` controls where credentials go:
  * - `"keychain"`: Store in macOS Keychain (if supported)
  * - `"file"`: Store in agent's default file location
  * - `undefined`: Use the `_source` marker in credentials, or default to file
+ *
+ * **Agents without separation** (Claude, Codex, Gemini, Copilot):
+ * - Config and data are stored in the same directory
+ * - `configDir` and `dataDir` are interchangeable (either works)
+ * - Providing different values for both will result in an error
+ *
+ * **Agents with separation** (OpenCode):
+ * - Config and data are stored in separate directories
+ * - `dataDir` controls where credentials go; `configDir` is for settings
+ * - If only `configDir` provided, credentials use default data location
+ * - If only `dataDir` provided, config uses default location
  */
 interface InstallOptions {
-    /** Storage type for default location (ignored if configDir is set) */
+    /** Storage type for default location (ignored if configDir/dataDir is set) */
     storage?: StorageType;
-    /** Custom config directory (forces file storage, keychain not available) */
+    /** Custom config directory for settings/preferences */
     configDir?: string;
+    /** Custom data directory for credentials */
+    dataDir?: string;
 }
 /**
  * Options for credential removal.
  *
- * When `configDir` is provided, only the credentials file in that directory
+ * When `dataDir` is provided, only the credentials file in that directory
  * is removed. Keychain credentials are not affected (keychain is only for
  * default location).
  *
- * When `configDir` is not provided, credentials are removed from all default
- * locations (keychain and/or default file path).
+ * **Agents without separation** (Claude, Codex, Gemini, Copilot):
+ * - `configDir` and `dataDir` are interchangeable
+ * - Either option specifies where to remove credentials from
+ *
+ * **Agents with separation** (OpenCode):
+ * - `dataDir` specifies where to remove credentials from
+ * - If only `configDir` provided, credentials are removed from default location
  */
 interface RemoveOptions {
-    /** Custom config directory (removes only this location, not keychain) */
+    /** Custom config directory for settings/preferences */
     configDir?: string;
+    /** Custom data directory for credentials */
+    dataDir?: string;
 }
 /**
  * Options for token extraction.

package/dist/auth/agents/{claude-code-storage.d.ts → claude-storage.d.ts}

@@ -3,10 +3,6 @@
  */
 /** Get default credentials file path */
 declare function getDefaultCredsFilePath(): string;
-/** Load OAuth credentials from keychain */
-declare function loadKeychainCreds(): Record<string, unknown> | undefined;
-/** Load OAuth credentials from file */
-declare function loadFileCreds(): Record<string, unknown> | undefined;
 /** Save credentials to keychain */
 declare function saveKeychainCreds(oauthData: Record<string, unknown>): boolean;
 /** Save credentials to file */
@@ -15,4 +11,16 @@ declare function saveFileCreds(oauthData: Record<string, unknown>, filePath: str
 declare function deleteKeychainCreds(): boolean;
 /** Delete credentials from file */
 declare function deleteFileCreds(filePath?: string): boolean;
-export { deleteFileCreds, deleteKeychainCreds, getDefaultCredsFilePath, loadFileCreds, loadKeychainCreds, saveFileCreds, saveKeychainCreds, };
+declare const AGENT_ID: "claude";
+/** Check if Claude is authenticated and return status */
+declare function checkAuth(): {
+    authenticated: boolean;
+    method?: string;
+    details?: Record<string, unknown>;
+};
+/** Extract raw credentials from available sources */
+declare function extractRawCredentials(): {
+    type: "oauth" | "api-key";
+    data: Record<string, unknown>;
+} | undefined;
+export { AGENT_ID, checkAuth, deleteFileCreds, deleteKeychainCreds, extractRawCredentials, getDefaultCredsFilePath, saveFileCreds, saveKeychainCreds, };

package/dist/auth/agents/{claude-code-storage.js → claude-storage.js}

@@ -62,4 +62,53 @@ function deleteKeychainCreds() {
 function deleteFileCreds(filePath) {
     return deleteFile(filePath ?? getDefaultCredsFilePath());
 }
-export { deleteFileCreds, deleteKeychainCreds, getDefaultCredsFilePath, loadFileCreds, loadKeychainCreds, saveFileCreds, saveKeychainCreds, };
+const AGENT_ID = "claude";
+/** Check if Claude is authenticated and return status */
+function checkAuth() {
+    if (process.env.CLAUDE_CODE_OAUTH_TOKEN) {
+        return { authenticated: true, method: "OAuth (env)" };
+    }
+    const keychainCreds = loadKeychainCreds();
+    if (keychainCreds) {
+        const subType = keychainCreds.subscriptionType;
+        return { authenticated: true, method: `OAuth (${subType ?? "keychain"})` };
+    }
+    if (loadFileCreds()) {
+        return { authenticated: true, method: "OAuth (file)" };
+    }
+    if (process.env.ANTHROPIC_API_KEY) {
+        return { authenticated: true, method: "API key" };
+    }
+    return { authenticated: false };
+}
+/** Extract raw credentials from available sources */
+function extractRawCredentials() {
+    if (process.env.CLAUDE_CODE_OAUTH_TOKEN) {
+        return {
+            type: "oauth",
+            data: { accessToken: process.env.CLAUDE_CODE_OAUTH_TOKEN },
+        };
+    }
+    const keychainCreds = loadKeychainCreds();
+    if (keychainCreds) {
+        return {
+            type: "oauth",
+            data: { ...keychainCreds, _source: "keychain" },
+        };
+    }
+    const fileCreds = loadFileCreds();
+    if (fileCreds) {
+        return {
+            type: "oauth",
+            data: { ...fileCreds, _source: "file" },
+        };
+    }
+    if (process.env.ANTHROPIC_API_KEY) {
+        return {
+            type: "api-key",
+            data: { apiKey: process.env.ANTHROPIC_API_KEY },
+        };
+    }
+    return undefined;
+}
+export { AGENT_ID, checkAuth, deleteFileCreds, deleteKeychainCreds, extractRawCredentials, getDefaultCredsFilePath, saveFileCreds, saveKeychainCreds, };

package/dist/auth/agents/{claude-code.js → claude.js}

@@ -5,8 +5,8 @@
  */
 import path from "node:path";
 import { isMacOS } from "../keychain.js";
-import { deleteFileCreds, deleteKeychainCreds, getDefaultCredsFilePath, loadFileCreds, loadKeychainCreds, saveFileCreds, saveKeychainCreds, } from "./claude-code-storage.js";
-const AGENT_ID = "claude";
+import { resolveCustomDirectory } from "../validate-directories.js";
+import { AGENT_ID, checkAuth, deleteFileCreds, deleteKeychainCreds, extractRawCredentials, getDefaultCredsFilePath, saveFileCreds, saveKeychainCreds, } from "./claude-storage.js";
 const CREDS_FILE_NAME = ".credentials.json";
 /** Claude Code authentication adapter */
 const claudeCodeAdapter = {
@@ -18,60 +18,20 @@ const claudeCodeAdapter = {
         installApiKey: false,
     },
     checkAuth() {
-        if (process.env.CLAUDE_CODE_OAUTH_TOKEN) {
-            return { agentId: AGENT_ID, authenticated: true, method: "OAuth (env)" };
-        }
-        const keychainCreds = loadKeychainCreds();
-        if (keychainCreds) {
-            const subType = keychainCreds.subscriptionType;
-            return {
-                agentId: AGENT_ID,
-                authenticated: true,
-                method: `OAuth (${subType ?? "keychain"})`,
-            };
-        }
-        if (loadFileCreds()) {
-            return { agentId: AGENT_ID, authenticated: true, method: "OAuth (file)" };
-        }
-        if (process.env.ANTHROPIC_API_KEY) {
-            return { agentId: AGENT_ID, authenticated: true, method: "API key" };
-        }
-        return { agentId: AGENT_ID, authenticated: false };
+        const result = checkAuth();
+        return { agentId: AGENT_ID, ...result };
     },
     extractRawCredentials() {
-        if (process.env.CLAUDE_CODE_OAUTH_TOKEN) {
-            return {
-                agent: AGENT_ID,
-                type: "oauth",
-                data: { accessToken: process.env.CLAUDE_CODE_OAUTH_TOKEN },
-            };
-        }
-        const keychainCreds = loadKeychainCreds();
-        if (keychainCreds) {
-            return {
-                agent: AGENT_ID,
-                type: "oauth",
-                data: { ...keychainCreds, _source: "keychain" },
-            };
-        }
-        const fileCreds = loadFileCreds();
-        if (fileCreds) {
-            return {
-                agent: AGENT_ID,
-                type: "oauth",
-                data: { ...fileCreds, _source: "file" },
-            };
-        }
-        if (process.env.ANTHROPIC_API_KEY) {
-            return {
-                agent: AGENT_ID,
-                type: "api-key",
-                data: { apiKey: process.env.ANTHROPIC_API_KEY },
-            };
-        }
-        return undefined;
+        const result = extractRawCredentials();
+        if (!result)
+            return undefined;
+        return { agent: AGENT_ID, ...result };
     },
     installCredentials(creds, options) {
+        // Resolve custom directory with validation
+        const resolved = resolveCustomDirectory(AGENT_ID, options?.configDir, options?.dataDir);
+        if (!resolved.ok)
+            return resolved.error;
         if (creds.type === "api-key") {
             return {
                 ok: false,
@@ -79,9 +39,9 @@ const claudeCodeAdapter = {
             };
         }
         const { _source, ...oauthData } = creds.data;
-        // Custom config directory forces file storage (keychain only for default location)
-        if (options?.configDir) {
-            const targetPath = path.join(options.configDir, CREDS_FILE_NAME);
+        // Custom directory forces file storage (keychain only for default location)
+        if (resolved.customDir) {
+            const targetPath = path.join(resolved.customDir, CREDS_FILE_NAME);
             if (saveFileCreds(oauthData, targetPath)) {
                 return {
                     ok: true,
@@ -117,9 +77,13 @@ const claudeCodeAdapter = {
         };
     },
     removeCredentials(options) {
-        // Custom config directory: only remove that specific file (no keychain)
-        if (options?.configDir) {
-            const targetPath = path.join(options.configDir, CREDS_FILE_NAME);
+        // Resolve custom directory with validation
+        const resolved = resolveCustomDirectory(AGENT_ID, options?.configDir, options?.dataDir);
+        if (!resolved.ok)
+            return resolved.error;
+        // Custom directory: only remove that specific file (no keychain)
+        if (resolved.customDir) {
+            const targetPath = path.join(resolved.customDir, CREDS_FILE_NAME);
             if (deleteFileCreds(targetPath)) {
                 return { ok: true, message: `Removed ${targetPath}` };
             }

package/dist/auth/agents/codex.js

@@ -6,6 +6,7 @@
 import path from "node:path";
 import { ensureDirectory } from "../file-storage.js";
 import { isMacOS } from "../keychain.js";
+import { resolveCustomDirectory } from "../validate-directories.js";
 import { checkAuth, extractRawCredentials } from "./codex-auth-check.js";
 import { getAuthFilePath, getCodexHome, updateConfigStorage, } from "./codex-config.js";
 import { buildAuthContent, deleteFileCreds, deleteKeychainCreds, saveFileCreds, saveKeychainCreds, } from "./codex-storage.js";
@@ -23,16 +24,20 @@ const codexAdapter = {
     checkAuth,
     extractRawCredentials,
     installCredentials(creds, options) {
+        // Resolve custom directory with validation
+        const resolved = resolveCustomDirectory(AGENT_ID, options?.configDir, options?.dataDir);
+        if (!resolved.ok)
+            return resolved.error;
         const authContent = buildAuthContent(creds.type, creds.data);
-        // Custom config directory forces file storage (keychain only for default location)
-        if (options?.configDir) {
-            if (!ensureDirectory(options.configDir)) {
+        // Custom directory forces file storage (keychain only for default location)
+        if (resolved.customDir) {
+            if (!ensureDirectory(resolved.customDir)) {
                 return {
                     ok: false,
-                    message: `Failed to create directory ${options.configDir}`,
+                    message: `Failed to create directory ${resolved.customDir}`,
                 };
             }
-            const targetPath = path.join(options.configDir, CREDS_FILE_NAME);
+            const targetPath = path.join(resolved.customDir, CREDS_FILE_NAME);
             if (saveFileCreds(authContent, targetPath)) {
                 return {
                     ok: true,
@@ -73,9 +78,13 @@ const codexAdapter = {
         return { ok: false, message: "Failed to install credentials to file" };
     },
     removeCredentials(options) {
-        // Custom config directory: only remove that specific file (no keychain)
-        if (options?.configDir) {
-            const targetPath = path.join(options.configDir, CREDS_FILE_NAME);
+        // Resolve custom directory with validation
+        const resolved = resolveCustomDirectory(AGENT_ID, options?.configDir, options?.dataDir);
+        if (!resolved.ok)
+            return resolved.error;
+        // Custom directory: only remove that specific file (no keychain)
+        if (resolved.customDir) {
+            const targetPath = path.join(resolved.customDir, CREDS_FILE_NAME);
             if (deleteFileCreds(targetPath)) {
                 return { ok: true, message: `Removed ${targetPath}` };
             }

package/dist/auth/agents/copilot.js

@@ -7,6 +7,7 @@
 import path from "node:path";
 import { ensureDirectory } from "../file-storage.js";
 import { isMacOS } from "../keychain.js";
+import { resolveCustomDirectory } from "../validate-directories.js";
 import { findFirstAvailableToken } from "./copilot-auth-check.js";
 import { deleteFileToken, deleteKeychainToken, deleteTokenFromPath, getConfigDirectory, getConfigFilePath, saveFileToken, saveKeychainToken, saveTokenToPath, } from "./copilot-storage.js";
 const AGENT_ID = "copilot";
@@ -48,6 +49,10 @@ const copilotAdapter = {
         };
     },
     installCredentials(creds, options) {
+        // Resolve custom directory with validation
+        const resolved = resolveCustomDirectory(AGENT_ID, options?.configDir, options?.dataDir);
+        if (!resolved.ok)
+            return resolved.error;
         if (creds.type === "api-key") {
             return {
                 ok: false,
@@ -60,9 +65,9 @@ const copilotAdapter = {
         if (!token) {
             return { ok: false, message: "No access token found in credentials" };
         }
-        // Custom config directory forces file storage
-        if (options?.configDir) {
-            const targetPath = path.join(options.configDir, CREDS_FILE_NAME);
+        // Custom directory forces file storage
+        if (resolved.customDir) {
+            const targetPath = path.join(resolved.customDir, CREDS_FILE_NAME);
             if (saveTokenToPath(token, targetPath)) {
                 return {
                     ok: true,
@@ -105,9 +110,13 @@ const copilotAdapter = {
         return { ok: false, message: "Failed to install credentials to file" };
     },
     removeCredentials(options) {
-        // Custom config directory: only remove that specific file
-        if (options?.configDir) {
-            const targetPath = path.join(options.configDir, CREDS_FILE_NAME);
+        // Resolve custom directory with validation
+        const resolved = resolveCustomDirectory(AGENT_ID, options?.configDir, options?.dataDir);
+        if (!resolved.ok)
+            return resolved.error;
+        // Custom directory: only remove that specific file
+        if (resolved.customDir) {
+            const targetPath = path.join(resolved.customDir, CREDS_FILE_NAME);
             if (deleteTokenFromPath(targetPath)) {
                 return { ok: true, message: `Removed ${targetPath}` };
             }

package/dist/auth/agents/gemini-install.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Gemini credential installation operations.
+ *
+ * Extracted from gemini.ts to reduce file complexity.
+ */
+import type { InstallOptions, OperationResult, RemoveOptions } from "../adapter.js";
+/** Install OAuth credentials to storage */
+declare function installOAuthCredentials(oauthData: Record<string, unknown>, source: string | undefined, options?: InstallOptions): OperationResult;
+/** Remove credentials from storage */
+declare function removeGeminiCredentials(options?: RemoveOptions): OperationResult;
+export { installOAuthCredentials, removeGeminiCredentials };

package/dist/auth/agents/gemini-install.js

@@ -0,0 +1,115 @@
+/**
+ * Gemini credential installation operations.
+ *
+ * Extracted from gemini.ts to reduce file complexity.
+ */
+import path from "node:path";
+import { ensureDirectory } from "../file-storage.js";
+import { isMacOS } from "../keychain.js";
+import { resolveCustomDirectory } from "../validate-directories.js";
+import { clearAuthTypeFromSettings, deleteKeychainCreds, deleteOAuthCreds, getDefaultOAuthPath, saveKeychainCreds, saveOAuthCreds, setAuthTypeInSettings, } from "./gemini-storage.js";
+const AGENT_ID = "gemini";
+const CREDS_FILE_NAME = "oauth_creds.json";
+/** Install OAuth credentials to storage */
+function installOAuthCredentials(oauthData, source, options) {
+    // Resolve custom directory with validation
+    const resolved = resolveCustomDirectory(AGENT_ID, options?.configDir, options?.dataDir);
+    if (!resolved.ok)
+        return resolved.error;
+    // Custom directory forces file storage
+    if (resolved.customDir) {
+        return installToCustomDirectory(oauthData, resolved.customDir);
+    }
+    // Default location: use storage option or _source marker
+    const targetStorage = options?.storage ?? (source === "keychain" ? "keychain" : "file");
+    if (targetStorage === "keychain") {
+        return installToKeychain(oauthData);
+    }
+    return installToDefaultFile(oauthData);
+}
+/** Install to custom directory */
+function installToCustomDirectory(oauthData, customDirectory) {
+    if (!ensureDirectory(customDirectory)) {
+        return {
+            ok: false,
+            message: `Failed to create directory ${customDirectory}`,
+        };
+    }
+    const targetPath = path.join(customDirectory, CREDS_FILE_NAME);
+    if (!saveOAuthCreds(oauthData, targetPath)) {
+        return {
+            ok: false,
+            message: `Failed to install credentials to ${targetPath}`,
+        };
+    }
+    if (!setAuthTypeInSettings("oauth-personal", customDirectory)) {
+        return { ok: false, message: "Failed to update settings" };
+    }
+    return { ok: true, message: `Installed credentials to ${targetPath}` };
+}
+/** Install to macOS Keychain */
+function installToKeychain(oauthData) {
+    if (!isMacOS()) {
+        return {
+            ok: false,
+            message: "Keychain storage is only available on macOS",
+        };
+    }
+    if (!saveKeychainCreds(oauthData)) {
+        return { ok: false, message: "Failed to save to macOS Keychain" };
+    }
+    if (!setAuthTypeInSettings("oauth-personal")) {
+        return { ok: false, message: "Failed to update settings" };
+    }
+    return { ok: true, message: "Installed credentials to macOS Keychain" };
+}
+/** Install to default file location */
+function installToDefaultFile(oauthData) {
+    const targetPath = getDefaultOAuthPath();
+    const targetDirectory = path.dirname(targetPath);
+    if (!ensureDirectory(targetDirectory)) {
+        return {
+            ok: false,
+            message: `Failed to create directory ${targetDirectory}`,
+        };
+    }
+    if (!saveOAuthCreds(oauthData, targetPath)) {
+        return { ok: false, message: "Failed to write OAuth credentials" };
+    }
+    if (!setAuthTypeInSettings("oauth-personal")) {
+        return { ok: false, message: "Failed to update settings" };
+    }
+    return { ok: true, message: `Installed credentials to ${targetPath}` };
+}
+/** Remove credentials from storage */
+function removeGeminiCredentials(options) {
+    // Resolve custom directory with validation
+    const resolved = resolveCustomDirectory(AGENT_ID, options?.configDir, options?.dataDir);
+    if (!resolved.ok)
+        return resolved.error;
+    // Custom directory: only remove that specific file
+    if (resolved.customDir) {
+        const targetPath = path.join(resolved.customDir, CREDS_FILE_NAME);
+        if (deleteOAuthCreds(targetPath)) {
+            return { ok: true, message: `Removed ${targetPath}` };
+        }
+        return { ok: true, message: "No credentials file found at specified path" };
+    }
+    // Default location: remove from keychain, file, and clear settings
+    const removedFrom = [];
+    if (deleteKeychainCreds()) {
+        removedFrom.push("macOS Keychain");
+    }
+    if (deleteOAuthCreds()) {
+        removedFrom.push(getDefaultOAuthPath());
+    }
+    // Always clear auth type setting to avoid stale configuration
+    if (clearAuthTypeFromSettings()) {
+        removedFrom.push("auth type from settings");
+    }
+    if (removedFrom.length === 0) {
+        return { ok: true, message: "No credentials found" };
+    }
+    return { ok: true, message: `Removed from ${removedFrom.join(" and ")}` };
+}
+export { installOAuthCredentials, removeGeminiCredentials };

package/dist/auth/agents/gemini.js

@@ -3,13 +3,9 @@
  *
  * Supports OAuth via keychain (macOS) or file. API key auth is env-var only.
  */
-import path from "node:path";
-import { ensureDirectory } from "../file-storage.js";
-import { isMacOS } from "../keychain.js";
 import { findCredentials } from "./gemini-auth-check.js";
-import { clearAuthTypeFromSettings, deleteKeychainCreds, deleteOAuthCreds, getDefaultOAuthPath, saveKeychainCreds, saveOAuthCreds, setAuthTypeInSettings, } from "./gemini-storage.js";
+import { installOAuthCredentials, removeGeminiCredentials, } from "./gemini-install.js";
 const AGENT_ID = "gemini";
-const CREDS_FILE_NAME = "oauth_creds.json";
 /** Gemini authentication adapter */
 const geminiAdapter = {
     agentId: AGENT_ID,
@@ -60,91 +56,10 @@ const geminiAdapter = {
             };
         }
         const { _source, ...oauthData } = creds.data;
-        // Custom config directory forces file storage (keychain only for default location)
-        if (options?.configDir) {
-            if (!ensureDirectory(options.configDir)) {
-                return {
-                    ok: false,
-                    message: `Failed to create directory ${options.configDir}`,
-                };
-            }
-            const targetPath = path.join(options.configDir, CREDS_FILE_NAME);
-            if (saveOAuthCreds(oauthData, targetPath)) {
-                // Also set auth type in settings.json at the target directory
-                if (!setAuthTypeInSettings("oauth-personal", options.configDir)) {
-                    return { ok: false, message: "Failed to update settings" };
-                }
-                return {
-                    ok: true,
-                    message: `Installed credentials to ${targetPath}`,
-                };
-            }
-            return {
-                ok: false,
-                message: `Failed to install credentials to ${targetPath}`,
-            };
-        }
-        // Default location: use storage option or _source marker
-        const targetStorage = options?.storage ?? (_source === "keychain" ? "keychain" : "file");
-        if (targetStorage === "keychain") {
-            if (!isMacOS()) {
-                return {
-                    ok: false,
-                    message: "Keychain storage is only available on macOS",
-                };
-            }
-            if (saveKeychainCreds(oauthData)) {
-                if (!setAuthTypeInSettings("oauth-personal")) {
-                    return { ok: false, message: "Failed to update settings" };
-                }
-                return { ok: true, message: "Installed credentials to macOS Keychain" };
-            }
-            return { ok: false, message: "Failed to save to macOS Keychain" };
-        }
-        // File storage
-        const targetPath = getDefaultOAuthPath();
-        const targetDirectory = path.dirname(targetPath);
-        if (!ensureDirectory(targetDirectory)) {
-            return {
-                ok: false,
-                message: `Failed to create directory ${targetDirectory}`,
-            };
-        }
-        if (!saveOAuthCreds(oauthData, targetPath)) {
-            return { ok: false, message: "Failed to write OAuth credentials" };
-        }
-        if (!setAuthTypeInSettings("oauth-personal")) {
-            return { ok: false, message: "Failed to update settings" };
-        }
-        return { ok: true, message: `Installed credentials to ${targetPath}` };
+        return installOAuthCredentials(oauthData, _source, options);
     },
     removeCredentials(options) {
-        // Custom config directory: only remove that specific file (no settings update)
-        if (options?.configDir) {
-            const targetPath = path.join(options.configDir, CREDS_FILE_NAME);
-            if (deleteOAuthCreds(targetPath)) {
-                return { ok: true, message: `Removed ${targetPath}` };
-            }
-            return {
-                ok: true,
-                message: "No credentials file found at specified path",
-            };
-        }
-        // Default location: remove from keychain, file, and clear settings
-        const removedFrom = [];
-        if (deleteKeychainCreds()) {
-            removedFrom.push("macOS Keychain");
-        }
-        if (deleteOAuthCreds()) {
-            removedFrom.push(getDefaultOAuthPath());
-        }
-        if (clearAuthTypeFromSettings()) {
-            removedFrom.push("auth type from settings.json");
-        }
-        if (removedFrom.length === 0) {
-            return { ok: true, message: "No credentials found" };
-        }
-        return { ok: true, message: `Removed from ${removedFrom.join(", ")}` };
+        return removeGeminiCredentials(options);
     },
     getAccessToken(creds) {
         const data = creds.data;

package/dist/auth/agents/opencode.d.ts

@@ -2,6 +2,10 @@
  * OpenCode auth adapter.
  *
  * Supports multi-provider auth via file only. No keychain or env var support.
+ *
+ * OpenCode follows XDG Base Directory Specification:
+ * - Config: ~/.config/opencode (XDG_CONFIG_HOME/opencode)
+ * - Data (auth): ~/.local/share/opencode (XDG_DATA_HOME/opencode)
  */
 import type { AuthAdapter } from "../adapter.js";
 /** OpenCode authentication adapter */

package/dist/auth/agents/opencode.js

@@ -2,16 +2,28 @@
  * OpenCode auth adapter.
  *
  * Supports multi-provider auth via file only. No keychain or env var support.
+ *
+ * OpenCode follows XDG Base Directory Specification:
+ * - Config: ~/.config/opencode (XDG_CONFIG_HOME/opencode)
+ * - Data (auth): ~/.local/share/opencode (XDG_DATA_HOME/opencode)
  */
 import { existsSync, mkdirSync, readFileSync, renameSync, unlinkSync, writeFileSync, } from "node:fs";
-import { homedir } from "node:os";
 import path from "node:path";
+import { resolveAgentDataDirectory } from "axshared";
+import { resolveCustomDirectory } from "../validate-directories.js";
 import { extractTokenFromEntry, OpenCodeAuth } from "./opencode-schema.js";
 const AGENT_ID = "opencode";
 const CREDS_FILE_NAME = "auth.json";
+/**
+ * Gets the default auth file path for OpenCode.
+ *
+ * Uses axshared's resolveAgentDataDirectory which respects:
+ * 1. OPENCODE_DATA_DIR environment variable
+ * 2. XDG_DATA_HOME/opencode (defaults to ~/.local/share/opencode)
+ */
 function getDefaultAuthFilePath() {
-    const xdgData = process.env.XDG_DATA_HOME ?? path.join(homedir(), ".local/share");
-    return path.join(xdgData, "opencode", "auth.json");
+    const dataDirectory = resolveAgentDataDirectory(AGENT_ID);
+    return path.join(dataDirectory, CREDS_FILE_NAME);
 }
 /** OpenCode authentication adapter */
 const opencodeAdapter = {
@@ -71,11 +83,13 @@ const opencodeAdapter = {
         return undefined;
     },
     installCredentials(creds, options) {
+        // Resolve custom directory with validation (OpenCode supports separation)
+        const resolved = resolveCustomDirectory(AGENT_ID, options?.configDir, options?.dataDir);
+        if (!resolved.ok)
+            return resolved.error;
         // OpenCode only supports file storage (no keychain)
-        // When configDir is provided, it should be the final opencode directory
-        // (e.g., /tmp/test/opencode) - credentials go directly there
-        const targetPath = options?.configDir
-            ? path.join(options.configDir, CREDS_FILE_NAME)
+        const targetPath = resolved.customDir
+            ? path.join(resolved.customDir, CREDS_FILE_NAME)
             : getDefaultAuthFilePath();
         const targetDirectory = path.dirname(targetPath);
         try {
@@ -100,10 +114,13 @@ const opencodeAdapter = {
         }
     },
     removeCredentials(options) {
-        // When configDir is provided, it should be the final opencode directory
-        // (e.g., /tmp/test/opencode) - credentials are at configDir/auth.json
-        const targetPath = options?.configDir
-            ? path.join(options.configDir, CREDS_FILE_NAME)
+        // Resolve custom directory with validation (OpenCode supports separation)
+        const resolved = resolveCustomDirectory(AGENT_ID, options?.configDir, options?.dataDir);
+        if (!resolved.ok)
+            return resolved.error;
+        // Use resolved custom directory or fall back to default
+        const targetPath = resolved.customDir
+            ? path.join(resolved.customDir, CREDS_FILE_NAME)
             : getDefaultAuthFilePath();
         if (!existsSync(targetPath)) {
             return { ok: true, message: "No credentials file found" };

package/dist/auth/registry.js

@@ -5,7 +5,7 @@
  * delegating to the appropriate adapter based on agent ID.
  */
 import { fromBase64, tryDecrypt } from "../crypto.js";
-import { claudeCodeAdapter } from "./agents/claude-code.js";
+import { claudeCodeAdapter } from "./agents/claude.js";
 import { codexAdapter } from "./agents/codex.js";
 import { copilotAdapter } from "./agents/copilot.js";
 import { geminiAdapter } from "./agents/gemini.js";

package/dist/auth/validate-directories.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Directory validation for auth adapters.
+ *
+ * Wraps axshared's resolveCustomDirectories for use in auth adapters.
+ */
+import type { AgentCli } from "axshared";
+import type { OperationResult } from "./adapter.js";
+/** Result of resolving custom directory with validation */
+type ResolveResult = {
+    ok: true;
+    customDir: string | undefined;
+} | {
+    ok: false;
+    error: OperationResult;
+};
+/**
+ * Validate directory options and resolve the custom data directory to use.
+ *
+ * Wraps axshared's resolveCustomDirectories, adapting the result for auth
+ * adapters and printing warnings to stderr.
+ *
+ * @see resolveCustomDirectories in axshared for behavior details
+ */
+declare function resolveCustomDirectory(agentId: AgentCli, configDirectory: string | undefined, dataDirectory: string | undefined): ResolveResult;
+export { resolveCustomDirectory };

package/dist/auth/validate-directories.js

@@ -0,0 +1,29 @@
+/**
+ * Directory validation for auth adapters.
+ *
+ * Wraps axshared's resolveCustomDirectories for use in auth adapters.
+ */
+import { resolveCustomDirectories } from "axshared";
+/**
+ * Validate directory options and resolve the custom data directory to use.
+ *
+ * Wraps axshared's resolveCustomDirectories, adapting the result for auth
+ * adapters and printing warnings to stderr.
+ *
+ * @see resolveCustomDirectories in axshared for behavior details
+ */
+function resolveCustomDirectory(agentId, configDirectory, dataDirectory) {
+    const result = resolveCustomDirectories(agentId, configDirectory, dataDirectory);
+    if (!result.ok) {
+        return {
+            ok: false,
+            error: { ok: false, message: result.error },
+        };
+    }
+    // Print warning to stderr if present
+    if (result.warning) {
+        console.error(`Warning: ${result.warning}`);
+    }
+    return { ok: true, customDir: result.dataDir };
+}
+export { resolveCustomDirectory };

package/dist/cli.js

@@ -61,12 +61,13 @@ program
     .command("remove-credentials")
     .description("Remove credentials from storage")
     .requiredOption("-a, --agent <agent>", `Agent to remove credentials from (${AGENT_CLIS.join(", ")})`)
-    .option("--config-dir <dir>", "Custom config directory (removes only this location, not keychain)")
-    .option("--path <file>", "[DEPRECATED: use --config-dir] Custom file path")
+    .option("--config-dir <dir>", "Custom config directory (for agents without separation, also sets data location)")
+    .option("--data-dir <dir>", "Custom data directory for credentials")
     .action((options) => {
     handleAuthRemove({
         ...options,
-        configDir: options.configDir ?? options.path,
+        configDir: options.configDir,
+        dataDir: options.dataDir,
     });
 });
 program
@@ -75,13 +76,14 @@ program
     .requiredOption("-a, --agent <agent>", `Agent to install credentials for (${AGENT_CLIS.join(", ")})`)
     .requiredOption("--input <file>", "Encrypted credentials file path")
     .option("--no-password", "Use default password (no prompt)")
-    .option("--config-dir <dir>", "Custom config directory (forces file storage, ignores --storage)")
-    .option("--path <file>", "[DEPRECATED: use --config-dir] Custom file path")
+    .option("--config-dir <dir>", "Custom config directory (for agents without separation, also sets data location)")
+    .option("--data-dir <dir>", "Custom data directory for credentials")
     .option("--storage <type>", "Storage type: keychain (macOS only) or file (for default location)")
     .action((options) => {
     void handleAuthInstall({
         ...options,
-        configDir: options.configDir ?? options.path,
+        configDir: options.configDir,
+        dataDir: options.dataDir,
     });
 });
 await program.parseAsync(process.argv);

package/dist/commands/auth.d.ts

@@ -21,6 +21,7 @@ declare function handleAuthExport(options: AuthExportOptions): Promise<void>;
 interface AuthRemoveOptions {
     agent: string;
     configDir?: string;
+    dataDir?: string;
 }
 /** Handle auth remove-credentials command */
 declare function handleAuthRemove(options: AuthRemoveOptions): void;

package/dist/commands/auth.js

@@ -81,7 +81,10 @@ function handleAuthRemove(options) {
     const agentId = validateAgent(options.agent);
     if (!agentId)
         return;
-    const result = removeCredentials(agentId, { configDir: options.configDir });
+    const result = removeCredentials(agentId, {
+        configDir: options.configDir,
+        dataDir: options.dataDir,
+    });
     if (result.ok) {
         console.error(result.message);
     }

package/dist/commands/install-credentials.d.ts

@@ -8,6 +8,7 @@ interface AuthInstallOptions {
     input: string;
     password: boolean;
     configDir?: string;
+    dataDir?: string;
     storage?: string;
 }
 /** Handle auth install-credentials command */

package/dist/commands/install-credentials.js

@@ -57,6 +57,7 @@ async function handleAuthInstall(options) {
         // Install credentials
         const result = installCredentials(creds, {
             configDir: options.configDir,
+            dataDir: options.dataDir,
             storage,
         });
         if (result.ok) {

package/package.json

@@ -2,7 +2,7 @@
   "name": "axauth",
   "author": "Łukasz Jerciński",
   "license": "MIT",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Authentication management library and CLI for AI coding agents",
   "repository": {
     "type": "git",
@@ -69,8 +69,8 @@
   "dependencies": {
     "@commander-js/extra-typings": "^14.0.0",
     "@inquirer/password": "^5.0.3",
-    "axconfig": "^3.0.0",
-    "axshared": "^1.2.0",
+    "axconfig": "^3.2.0",
+    "axshared": "^1.5.0",
     "commander": "^14.0.2",
     "zod": "^4.3.4"
   },