axauth 1.11.2 → 2.0.0

package/dist/auth/adapter.d.ts

@@ -92,7 +92,7 @@ interface TokenOptions {
     provider?: string;
     /** Skip auto-refresh even for expired tokens (default: false) */
     skipRefresh?: boolean;
-    /** Timeout for refresh operation in ms (default: 10000) */
+    /** Timeout for refresh operation in ms (default: 30000) */
     refreshTimeout?: number;
 }
 /** Capabilities that an adapter supports */

package/dist/auth/format-run-error.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Helpers for formatting axexec run failures.
+ */
+import type { RunResult } from "axexec";
+declare function formatRunError(result: RunResult): string;
+export { formatRunError };

package/dist/auth/format-run-error.js

@@ -0,0 +1,25 @@
+/**
+ * Helpers for formatting axexec run failures.
+ */
+function findLastSessionError(events) {
+    for (let index = events.length - 1; index >= 0; index -= 1) {
+        const event = events[index];
+        if (!event)
+            continue;
+        if (event.type === "session.error")
+            return event;
+    }
+    return undefined;
+}
+function formatRunError(result) {
+    const errorEvent = findLastSessionError(result.events);
+    if (!errorEvent) {
+        return "Agent execution failed";
+    }
+    const detail = errorEvent.message.trim();
+    if (detail) {
+        return `Agent execution failed (${errorEvent.code}): ${detail}`;
+    }
+    return `Agent execution failed (${errorEvent.code})`;
+}
+export { formatRunError };

package/dist/auth/refresh-credentials.d.ts

@@ -21,10 +21,10 @@ type RefreshResult = {
     error: string;
 };
 /**
- * Refresh credentials by spawning the agent briefly.
+ * Refresh credentials by running the agent briefly.
  *
- * Creates an isolated temp config directory, installs credentials there,
- * and runs the agent with a minimal prompt to trigger its internal refresh.
+ * Uses axexec to run the agent in an isolated temp config directory,
+ * triggering its internal auth refresh mechanism.
  *
  * @param creds - The credentials to refresh (must contain refresh_token for OAuth)
  * @param options - Refresh options (timeout, provider for multi-provider agents)

package/dist/auth/refresh-credentials.js

@@ -4,127 +4,103 @@
  * Refreshes credentials by running the agent in an isolated temp config,
  * triggering its internal auth refresh mechanism.
  */
-import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
-import { tmpdir } from "node:os";
-import path from "node:path";
-import { buildAgentRuntimeEnvironment, getAgent, getAgentConfigSubdirectory, } from "axshared";
+import { cleanupCredentials, runAgent } from "axexec";
 import { buildRefreshedCredentials } from "./build-refreshed-credentials.js";
-import { spawnAgentWithFileMonitor } from "./spawn-agent-with-file-monitor.js";
-import { getFileStats } from "./wait-for-file-update.js";
+import { formatRunError } from "./format-run-error.js";
+import { mergeOpenCodeBundle, resolveRefreshCredentials, } from "./resolve-refresh-credentials.js";
+import { waitForRefreshedCredentials } from "./wait-for-refreshed-credentials.js";
 /** Default timeout for refresh operations in milliseconds */
 const DEFAULT_REFRESH_TIMEOUT_MS = 30_000;
-/**
- * Write agent-specific config to force file-based storage.
- *
- * This prevents the agent from using keychain credentials,
- * ensuring it reads/writes from our temp directory.
- */
-function writeForceFileConfig(agentId, temporaryDirectory) {
-    switch (agentId) {
-        case "codex": {
-            // Codex uses config.toml with cli_auth_credentials_store setting
-            writeFileSync(path.join(temporaryDirectory, "config.toml"), 'cli_auth_credentials_store = "file"\nmcp_oauth_credentials_store = "file"\n');
-            break;
-        }
-        case "copilot": {
-            // Copilot uses JSON config with store_token_plaintext flag
-            writeFileSync(path.join(temporaryDirectory, "config.json"), JSON.stringify({ store_token_plaintext: true }, undefined, 2));
-            break;
-        }
-        // Claude: keychain service name includes hash of CLAUDE_CONFIG_DIR,
-        //         so unique temp dir = unique keychain entry that won't exist
-        // Gemini: file storage behavior is controlled via the GEMINI_FORCE_FILE_STORAGE
-        //         environment variable, which is set by buildAgentRuntimeEnvironment and
-        //         later included in fullEnvironment when spawning the agent.
-        // OpenCode: file-only by design, no action needed
+async function safeCleanup(directory) {
+    try {
+        await cleanupCredentials(directory);
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        console.error(`Warning: Failed to clean up temp directory '${directory}': ${message}`);
     }
 }
 /**
- * Refresh credentials by spawning the agent briefly.
+ * Refresh credentials by running the agent briefly.
  *
- * Creates an isolated temp config directory, installs credentials there,
- * and runs the agent with a minimal prompt to trigger its internal refresh.
+ * Uses axexec to run the agent in an isolated temp config directory,
+ * triggering its internal auth refresh mechanism.
  *
  * @param creds - The credentials to refresh (must contain refresh_token for OAuth)
  * @param options - Refresh options (timeout, provider for multi-provider agents)
  * @returns RefreshResult with new credentials or error
  */
 async function refreshCredentials(creds, options) {
-    const timeout = options?.timeout ?? DEFAULT_REFRESH_TIMEOUT_MS;
-    const agent = getAgent(creds.agent);
-    // 1. Create temp config directory
-    const temporaryDirectory = mkdtempSync(path.join(tmpdir(), `axauth-refresh-${creds.agent}-`));
+    const timeoutMs = options?.timeout ?? DEFAULT_REFRESH_TIMEOUT_MS;
+    const deadlineMs = Date.now() + timeoutMs;
+    const resolved = resolveRefreshCredentials(creds, options);
+    if (!resolved.ok) {
+        return { ok: false, error: resolved.error };
+    }
+    // Run agent with a minimal prompt to trigger internal token refresh.
+    // preserveConfigDirectory keeps the temp dir so we can read refreshed credentials.
+    const resultPromise = runAgent(resolved.credentials.agent, {
+        prompt: "ping",
+        credentials: resolved.credentials,
+        preserveConfigDirectory: true,
+    });
+    const timeoutMarker = { timedOut: true };
+    let timeoutId;
+    let raceResult;
     try {
-        // 2. Determine where credentials should be installed
-        // Some agents (Gemini, Copilot, OpenCode) require a subdirectory structure
-        const subdirectory = getAgentConfigSubdirectory(creds.agent);
-        const credentialsDirectory = subdirectory
-            ? path.join(temporaryDirectory, subdirectory)
-            : temporaryDirectory;
-        // 3. Ensure credentials directory exists before writing config
-        mkdirSync(credentialsDirectory, { recursive: true });
-        // 4. Write agent-specific config to force file storage
-        writeForceFileConfig(creds.agent, credentialsDirectory);
-        // 5. Install credentials to the appropriate directory
-        // Import dynamically to avoid circular dependency
-        const { installCredentials, getAdapter } = await import("./registry.js");
-        const installResult = installCredentials(creds, {
-            configDir: credentialsDirectory,
-            dataDir: credentialsDirectory,
-        });
-        if (!installResult.ok) {
-            return {
-                ok: false,
-                error: `Failed to install credentials: ${installResult.message}`,
-            };
-        }
-        // 5b. Get credential file path and record stats for file monitoring
-        const adapter = getAdapter(creds.agent);
-        const credentialFilePath = adapter.getCredentialFilePath(credentialsDirectory);
-        const beforeStats = getFileStats(credentialFilePath);
-        // 6. Build runtime environment
-        // Pass the full credentialsDirectory (which may include an agent-specific
-        // subdirectory, e.g. "~/.gemini/"); buildAgentRuntimeEnvironment will
-        // derive the parent directory internally for agents that use subdirectories.
-        const runtimeEnvironment = buildAgentRuntimeEnvironment(creds.agent, credentialsDirectory);
-        const fullEnvironment = {
-            ...process.env,
-            ...runtimeEnvironment,
-        };
-        // 7. Build CLI arguments using simplePromptArguments from agent
-        const cliArguments = agent.simplePromptArguments("ping", {
-            provider: options?.provider,
+        raceResult = await Promise.race([
+            resultPromise,
+            new Promise((resolve) => {
+                timeoutId = setTimeout(() => {
+                    resolve(timeoutMarker);
+                }, timeoutMs);
+            }),
+        ]);
+    }
+    catch (error) {
+        if (timeoutId)
+            clearTimeout(timeoutId);
+        const message = error instanceof Error ? error.message : String(error);
+        return { ok: false, error: `Agent execution failed: ${message}` };
+    }
+    if (timeoutId)
+        clearTimeout(timeoutId);
+    if ("timedOut" in raceResult) {
+        // runAgent has no cancellation API yet; return early and clean up later.
+        void resultPromise
+            .then((lateResult) => {
+            const directories = lateResult.execution.directories;
+            if (directories) {
+                return safeCleanup(directories.base);
+            }
+        })
+            .catch(() => {
+            // Swallow cleanup errors for late results.
         });
-        // 8. Spawn agent with file monitoring
-        // File monitoring starts before agent spawn to catch async writes that may
-        // occur during process execution (e.g., Gemini's async event handlers).
-        const { timedOut, exitCode, fileUpdated } = await spawnAgentWithFileMonitor(agent.cli, cliArguments, fullEnvironment, timeout, credentialFilePath, beforeStats);
-        if (timedOut) {
-            return { ok: false, error: "Refresh timed out" };
-        }
-        if (exitCode !== 0 && exitCode !== undefined) {
-            return { ok: false, error: `Agent exited with code ${exitCode}` };
+        return { ok: false, error: `Refresh timed out after ${timeoutMs}ms` };
+    }
+    const result = raceResult;
+    const { directories } = result.execution;
+    try {
+        if (!result.success) {
+            return { ok: false, error: formatRunError(result) };
         }
-        if (!fileUpdated) {
-            console.error(`Warning: Credential file "${credentialFilePath}" was not observed ` +
-                `to be updated. Proceeding may read stale credentials.`);
+        if (!directories) {
+            return { ok: false, error: "No directories in execution metadata" };
         }
-        // 9. Read refreshed credentials from temp directory
-        const { extractRawCredentialsFromDirectory } = await import("./registry.js");
-        const refreshedCredentials = extractRawCredentialsFromDirectory(creds.agent, { configDir: credentialsDirectory, dataDir: credentialsDirectory });
+        const refreshedCredentials = await waitForRefreshedCredentials(resolved.credentials.agent, directories, deadlineMs);
         if (!refreshedCredentials) {
             return { ok: false, error: "No credentials found after refresh" };
         }
-        return { ok: true, credentials: refreshedCredentials };
+        return {
+            ok: true,
+            credentials: mergeOpenCodeBundle(creds, refreshedCredentials, resolved.mergeProvider),
+        };
     }
     finally {
-        // 10. Clean up temp directory
-        try {
-            rmSync(temporaryDirectory, { recursive: true, force: true });
-        }
-        catch (error) {
-            const message = error instanceof Error ? error.message : String(error);
-            console.error(`Warning: Failed to clean up temp directory '${temporaryDirectory}': ${message}`);
+        if (directories) {
+            // Clean up the temp directory (use base to remove entire temp structure)
+            await safeCleanup(directories.base);
         }
     }
 }

package/dist/auth/resolve-refresh-credentials.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Resolve which credentials to use for refresh and how to merge results.
+ */
+import type { Credentials } from "./types.js";
+interface RefreshProviderOptions {
+    provider?: string;
+}
+type RefreshResolution = {
+    ok: true;
+    credentials: Credentials;
+    mergeProvider?: string;
+} | {
+    ok: false;
+    error: string;
+};
+declare function resolveRefreshCredentials(creds: Credentials, options?: RefreshProviderOptions): RefreshResolution;
+declare function mergeOpenCodeBundle(original: Credentials, refreshed: Credentials, mergeProvider?: string): Credentials;
+export { mergeOpenCodeBundle, resolveRefreshCredentials };

package/dist/auth/resolve-refresh-credentials.js

@@ -0,0 +1,51 @@
+/**
+ * Resolve which credentials to use for refresh and how to merge results.
+ */
+import { extractProviderCredentials, splitToPerProviderCredentials, } from "./agents/opencode-credentials.js";
+function resolveRefreshCredentials(creds, options) {
+    if (creds.agent !== "opencode") {
+        return { ok: true, credentials: creds };
+    }
+    if (creds.provider) {
+        return { ok: true, credentials: creds };
+    }
+    if (options?.provider) {
+        const providerCreds = extractProviderCredentials(creds, options.provider);
+        if (!providerCreds) {
+            return {
+                ok: false,
+                error: `No credentials found for provider '${options.provider}'`,
+            };
+        }
+        return {
+            ok: true,
+            credentials: providerCreds,
+            mergeProvider: providerCreds.provider,
+        };
+    }
+    const perProvider = splitToPerProviderCredentials(creds);
+    const refreshCreds = perProvider.find((cred) => cred.type === "oauth-credentials") ??
+        perProvider.at(0);
+    if (!refreshCreds) {
+        return { ok: false, error: "No provider credentials found for opencode" };
+    }
+    return {
+        ok: true,
+        credentials: refreshCreds,
+        mergeProvider: refreshCreds.provider,
+    };
+}
+function mergeOpenCodeBundle(original, refreshed, mergeProvider) {
+    if (original.agent !== "opencode")
+        return refreshed;
+    if (original.provider)
+        return refreshed;
+    if (!mergeProvider)
+        return refreshed;
+    const mergedData = { ...original.data, ...refreshed.data };
+    if ("_source" in original.data) {
+        mergedData._source = original.data._source;
+    }
+    return { ...refreshed, data: mergedData };
+}
+export { mergeOpenCodeBundle, resolveRefreshCredentials };

package/dist/auth/wait-for-refreshed-credentials.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Polls for refreshed credentials to appear after agent execution.
+ */
+import type { ExecutionDirectories } from "axexec";
+import type { Credentials } from "./types.js";
+declare function waitForRefreshedCredentials(agent: Credentials["agent"], directories: ExecutionDirectories, deadlineMs: number): Promise<Credentials | undefined>;
+export { waitForRefreshedCredentials };

package/dist/auth/wait-for-refreshed-credentials.js

@@ -0,0 +1,24 @@
+/**
+ * Polls for refreshed credentials to appear after agent execution.
+ */
+const CREDENTIAL_POLL_INTERVAL_MS = 200;
+function delay(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+async function waitForRefreshedCredentials(agent, directories, deadlineMs) {
+    const { extractRawCredentialsFromDirectory } = await import("./registry.js");
+    for (;;) {
+        const refreshedCredentials = extractRawCredentialsFromDirectory(agent, {
+            configDir: directories.config,
+            dataDir: directories.data,
+        });
+        if (refreshedCredentials)
+            return refreshedCredentials;
+        const remaining = deadlineMs - Date.now();
+        if (remaining <= 0)
+            return undefined;
+        // Some agents write credentials asynchronously after exit; poll briefly.
+        await delay(Math.min(CREDENTIAL_POLL_INTERVAL_MS, remaining));
+    }
+}
+export { waitForRefreshedCredentials };

package/dist/cli.js

@@ -28,24 +28,29 @@ Examples:
   # List authenticated agents
   axauth list
 
-  # Filter to show only authenticated agents
-  axauth list | tail -n +2 | awk -F'\t' '$2 == "authenticated"'
-
   # Get access token for an agent
   axauth token --agent claude
 
-  # Export credentials for CI/CD
-  axauth export --agent claude --output creds.json --no-password
+  # Export/import credentials (file-based)
+  axauth export --agent claude --output creds.json
+  axauth install-credentials --agent claude --input creds.json
+
+  # For vault operations: export raw format (--no-encrypt)
+  # Note: install-credentials cannot consume raw exports
+  axauth export --agent claude --output creds.json --no-encrypt
 
   # Remove credentials (agent will prompt for login)
   axauth remove-credentials --agent claude
 
-  # Install credentials from exported file
-  axauth install-credentials --agent claude --input creds.json
+CI/CD with axvault (recommended):
+  # One-time: push local credentials to vault
+  axauth vault push --agent claude --name ci
+
+  # In CI/CD: fetch and install credentials
+  AXVAULT_URL=https://vault.example.com AXVAULT_API_KEY=axv_sk_xxx \
+    axauth vault fetch --agent claude --name ci --install
 
-  # Fetch credentials from vault (JSON config)
-  AXVAULT='{"url":"https://vault.example.com","apiKey":"axv_sk_xxx"}' \
-    axauth vault fetch --agent claude --name ci --install`);
+  # See "axauth vault --help" for full workflow documentation`);
 program
     .command("list")
     .description("List agents and their auth status")
@@ -118,7 +123,32 @@ program
 // Vault subcommand
 const vault = program
     .command("vault")
-    .description("Manage credentials stored in axvault server");
+    .description("Manage credentials stored in axvault server")
+    .addHelpText("after", String.raw `
+Workflow:
+  1. Push local credentials to vault (one-time setup from authenticated machine):
+     axauth vault push --agent claude --name ci
+
+  2. Fetch credentials in CI/CD (set AXVAULT_URL and AXVAULT_API_KEY):
+     axauth vault fetch --agent claude --name ci --install
+
+Environment variables:
+  AXVAULT           JSON config: {"url":"...","apiKey":"..."}
+  AXVAULT_URL       Vault server URL
+  AXVAULT_API_KEY   API key for authentication
+
+OpenCode multi-provider support:
+  OpenCode stores credentials for multiple providers (anthropic, openai, google).
+  Use --provider to push a single provider (fetch uses the stored name):
+
+    axauth vault push --agent opencode --provider anthropic --name ci-anthropic
+    axauth vault fetch --agent opencode --name ci-anthropic --install
+
+Quick reference:
+  vault push   Upload local credentials to vault (requires write access)
+  vault fetch  Download credentials from vault (requires read access)
+
+Use "axauth vault <command> --help" for detailed options.`);
 vault
     .command("fetch")
     .description("Fetch credentials from vault server")
@@ -167,6 +197,7 @@ vault
     .description("Push local credentials to vault server")
     .requiredOption("-a, --agent <agent>", `Agent to push credentials from (${AGENT_CLIS.join(", ")})`)
     .requiredOption("-n, --name <name>", "Credential name in vault (e.g., ci, prod)")
+    .option("-p, --provider <provider>", "Provider to push (opencode only; pushes single provider instead of all)")
     .addHelpText("after", String.raw `
 Environment variables (option 1 - single JSON):
   AXVAULT           JSON config: {"url":"...","apiKey":"..."}
@@ -179,6 +210,9 @@ Examples:
   # Push local Claude credentials to vault as "ci"
   axauth vault push --agent claude --name ci
 
+  # Push a single OpenCode provider to vault
+  axauth vault push --agent opencode --provider anthropic --name ci-anthropic
+
   # Push to a different vault instance
   AXVAULT_URL=https://vault.example.com AXVAULT_API_KEY=axv_sk_xxx \
     axauth vault push --agent gemini --name prod`)

package/dist/commands/vault.d.ts

@@ -22,6 +22,7 @@ declare function handleVaultFetch(options: VaultFetchOptions): Promise<void>;
 interface VaultPushOptions {
     agent: string;
     name: string;
+    provider?: string;
 }
 /**
  * Handle vault push command.

package/dist/commands/vault.js

@@ -2,6 +2,7 @@
  * Vault commands - fetch and push credentials to axvault server.
  */
 import { credentialsToEnvironment, extractRawCredentials, installCredentials, } from "../auth/registry.js";
+import { extractProviderCredentials } from "../auth/agents/opencode.js";
 import { fetchVaultCredentials, pushVaultCredentials, } from "../vault/vault-client.js";
 import { getVaultConfig } from "../vault/vault-config.js";
 import { validateAgent } from "./validate-agent.js";
@@ -132,6 +133,12 @@ async function handleVaultPush(options) {
     const agentId = validateAgent(options.agent);
     if (!agentId)
         return;
+    // Validate --provider is only used with opencode
+    if (options.provider && agentId !== "opencode") {
+        console.error("Error: --provider flag is only supported for opencode agent");
+        process.exitCode = 2;
+        return;
+    }
     // Check vault is configured
     const vaultConfig = getVaultConfig();
     if (!vaultConfig) {
@@ -140,13 +147,22 @@ async function handleVaultPush(options) {
         return;
     }
     // Extract local credentials
-    const credentials = extractRawCredentials(agentId);
-    if (!credentials) {
+    const rawCredentials = extractRawCredentials(agentId);
+    if (!rawCredentials) {
         console.error(`Error: No credentials found for ${agentId}`);
         console.error("Hint: Authenticate with the agent first, or use 'axauth list' to check status");
         process.exitCode = 1;
         return;
     }
+    // Handle per-provider extraction for OpenCode
+    const credentials = options.provider
+        ? extractProviderCredentials(rawCredentials, options.provider)
+        : rawCredentials;
+    if (!credentials) {
+        console.error(`Error: No credentials found for provider '${options.provider}'`);
+        process.exitCode = 1;
+        return;
+    }
     // Push to vault
     const result = await pushVaultCredentials({
         agentId,
@@ -158,6 +174,7 @@ async function handleVaultPush(options) {
         process.exitCode = 1;
         return;
     }
-    console.error(`Credentials pushed to vault: ${agentId}/${options.name}`);
+    const label = options.provider ? `${agentId}/${options.provider}` : agentId;
+    console.error(`Credentials pushed to vault: ${label} → ${options.name}`);
 }
 export { handleVaultFetch, handleVaultPush };

package/dist/vault/vault-client.js

@@ -14,6 +14,7 @@ const VaultCredentialResponse = z.object({
     name: z.string(),
     type: CredentialType,
     data: z.record(z.string(), z.unknown()),
+    provider: z.string().trim().min(1).optional(), // OpenCode provider support
     expiresAt: z.string().nullish(), // optional for oauth-token type
     updatedAt: z.string(),
 });
@@ -88,6 +89,7 @@ async function fetchVaultCredentials(options) {
             agent: options.agentId,
             type: body.type,
             data: body.data,
+            provider: body.provider,
         };
         return {
             ok: true,
@@ -142,6 +144,7 @@ async function pushVaultCredentials(options) {
             body: JSON.stringify({
                 type: options.credentials.type,
                 data: options.credentials.data,
+                provider: options.credentials.provider,
             }),
         });
         // Handle error responses

package/package.json

@@ -2,7 +2,7 @@
   "name": "axauth",
   "author": "Łukasz Jerciński",
   "license": "MIT",
-  "version": "1.11.2",
+  "version": "2.0.0",
   "description": "Authentication management library and CLI for AI coding agents",
   "repository": {
     "type": "git",
@@ -70,7 +70,8 @@
     "@commander-js/extra-typings": "^14.0.0",
     "@inquirer/password": "^5.0.3",
     "axconfig": "^3.6.0",
-    "axshared": "^1.9.0",
+    "axexec": "^1.1.0",
+    "axshared": "^2.0.0",
     "commander": "^14.0.2",
     "zod": "^4.3.5"
   },

package/dist/auth/spawn-agent-with-file-monitor.d.ts

@@ -1,20 +0,0 @@
-/**
- * Agent subprocess spawning with file monitoring.
- *
- * Starts file monitoring before agent spawn to catch async writes that may
- * occur during process execution (e.g., Gemini's async event handlers).
- */
-import { type SpawnResult } from "./spawn-agent.js";
-import { type FileStats } from "./wait-for-file-update.js";
-/**
- * Spawn agent and monitor a file for updates.
- *
- * File monitoring starts before agent spawn to catch writes that occur during
- * process execution, not just after exit.
- *
- * @returns Object with spawn result and whether file was updated
- */
-declare function spawnAgentWithFileMonitor(cli: string, arguments_: string[], environment: NodeJS.ProcessEnv, timeout: number, filePath: string, beforeStats: FileStats | undefined): Promise<SpawnResult & {
-    fileUpdated: boolean;
-}>;
-export { spawnAgentWithFileMonitor };

package/dist/auth/spawn-agent-with-file-monitor.js

@@ -1,57 +0,0 @@
-/**
- * Agent subprocess spawning with file monitoring.
- *
- * Starts file monitoring before agent spawn to catch async writes that may
- * occur during process execution (e.g., Gemini's async event handlers).
- */
-import { spawnAgent } from "./spawn-agent.js";
-import { getFileStats, waitForFileUpdate, } from "./wait-for-file-update.js";
-/**
- * Spawn agent and monitor a file for updates.
- *
- * File monitoring starts before agent spawn to catch writes that occur during
- * process execution, not just after exit.
- *
- * @returns Object with spawn result and whether file was updated
- */
-async function spawnAgentWithFileMonitor(cli, arguments_, environment, timeout, filePath, beforeStats) {
-    const fileMonitorAbort = new AbortController();
-    // Start file monitoring BEFORE spawning agent
-    const fileMonitorPromise = waitForFileUpdate(filePath, beforeStats, {
-        timeout: timeout + 5000,
-        signal: fileMonitorAbort.signal,
-    });
-    try {
-        // Spawn agent
-        const spawnResult = await spawnAgent(cli, arguments_, environment, timeout);
-        // On early exit, abort file monitor
-        if (spawnResult.timedOut ||
-            (spawnResult.exitCode !== 0 && spawnResult.exitCode !== undefined)) {
-            return { ...spawnResult, fileUpdated: false };
-        }
-        // Agent exited successfully - wait for in-flight writes
-        // Use 5s grace period to match previous behavior (some agents like Gemini
-        // may write credentials several seconds after process exit)
-        const gracePeriodMs = 5000;
-        const fileResult = await Promise.race([
-            fileMonitorPromise,
-            new Promise((resolve) => {
-                setTimeout(() => {
-                    resolve({ ok: false });
-                }, gracePeriodMs).unref();
-            }),
-        ]);
-        // Final check in case write completed after race
-        const finalStats = getFileStats(filePath);
-        const fileUpdated = fileResult.ok ||
-            (finalStats !== undefined &&
-                (beforeStats === undefined ||
-                    finalStats.mtimeMs !== beforeStats.mtimeMs ||
-                    finalStats.size !== beforeStats.size));
-        return { ...spawnResult, fileUpdated };
-    }
-    finally {
-        fileMonitorAbort.abort();
-    }
-}
-export { spawnAgentWithFileMonitor };

package/dist/auth/spawn-agent.d.ts

@@ -1,19 +0,0 @@
-/**
- * Agent subprocess spawning utility.
- */
-/** Result of spawning an agent process */
-interface SpawnResult {
-    timedOut: boolean;
-    exitCode: number | undefined;
-}
-/**
- * Spawn agent and wait for completion.
- *
- * Enforces a hard timeout - if the process doesn't exit after SIGTERM,
- * escalates to SIGKILL after a grace period and resolves anyway.
- *
- * @returns Object with timedOut flag and exit code
- */
-declare function spawnAgent(binary: string, arguments_: string[], environment: NodeJS.ProcessEnv, timeout: number): Promise<SpawnResult>;
-export { spawnAgent };
-export type { SpawnResult };

package/dist/auth/spawn-agent.js

@@ -1,63 +0,0 @@
-/**
- * Agent subprocess spawning utility.
- */
-import { spawn } from "node:child_process";
-/** Grace period before escalating SIGTERM to SIGKILL */
-const SIGKILL_GRACE_MS = 5000;
-/**
- * Spawn agent and wait for completion.
- *
- * Enforces a hard timeout - if the process doesn't exit after SIGTERM,
- * escalates to SIGKILL after a grace period and resolves anyway.
- *
- * @returns Object with timedOut flag and exit code
- */
-async function spawnAgent(binary, arguments_, environment, timeout) {
-    return new Promise((resolve) => {
-        const child = spawn(binary, arguments_, {
-            env: environment,
-            // Ignore stdin/stdout to prevent pipe buffer deadlocks, but inherit
-            // stderr so agent error messages are visible for debugging
-            stdio: ["ignore", "ignore", "inherit"],
-        });
-        let timedOut = false;
-        let resolved = false;
-        let killTimer;
-        const cleanup = () => {
-            clearTimeout(timer);
-            if (killTimer)
-                clearTimeout(killTimer);
-        };
-        const timer = setTimeout(() => {
-            if (!resolved) {
-                timedOut = true;
-                child.kill("SIGTERM");
-                // If process doesn't exit after SIGTERM, escalate to SIGKILL
-                // and resolve anyway to prevent indefinite hangs
-                killTimer = setTimeout(() => {
-                    if (!resolved) {
-                        child.kill("SIGKILL");
-                        resolved = true;
-                        cleanup();
-                        resolve({ timedOut: true, exitCode: undefined });
-                    }
-                }, SIGKILL_GRACE_MS);
-            }
-        }, timeout);
-        child.on("error", () => {
-            if (!resolved) {
-                resolved = true;
-                cleanup();
-                resolve({ timedOut: false, exitCode: 1 });
-            }
-        });
-        child.on("close", (code) => {
-            if (!resolved) {
-                resolved = true;
-                cleanup();
-                resolve({ timedOut, exitCode: code ?? undefined });
-            }
-        });
-    });
-}
-export { spawnAgent };

package/dist/auth/wait-for-file-update.d.ts

@@ -1,42 +0,0 @@
-/**
- * File change monitoring utility.
- *
- * Watches for file creation or modification using fs.watch,
- * used by token refresh to wait for credential files to be written.
- */
-import { type Stats } from "node:fs";
-/** File stats type for external use */
-type FileStats = Stats;
-/** Options for waiting on file changes */
-interface WaitOptions {
-    /** Maximum time to wait in milliseconds (default: 5000) */
-    timeout?: number;
-    /** AbortSignal to cancel waiting early */
-    signal?: AbortSignal;
-}
-/** Result of waiting for file change */
-type WaitResult = {
-    ok: true;
-    reason: "created" | "modified";
-} | {
-    ok: false;
-    reason: "timeout" | "error" | "aborted";
-    error?: string;
-};
-/**
- * Get file stats safely, returning undefined if file doesn't exist.
- */
-declare function getFileStats(filePath: string): Stats | undefined;
-/**
- * Wait for a file to be created or modified.
- *
- * Monitors the target file and resolves when:
- * - The file is created (if it didn't exist before)
- * - The file's mtime changes (if it existed before)
- *
- * Uses fs.watch on the parent directory for responsiveness, with a
- * polling fallback since fs.watch is documented as potentially unreliable.
- */
-declare function waitForFileUpdate(filePath: string, beforeStats: Stats | undefined, options?: WaitOptions): Promise<WaitResult>;
-export { getFileStats, waitForFileUpdate };
-export type { FileStats };

package/dist/auth/wait-for-file-update.js

@@ -1,128 +0,0 @@
-/**
- * File change monitoring utility.
- *
- * Watches for file creation or modification using fs.watch,
- * used by token refresh to wait for credential files to be written.
- */
-import { statSync, watch } from "node:fs";
-import path from "node:path";
-/**
- * Get file stats safely, returning undefined if file doesn't exist.
- */
-function getFileStats(filePath) {
-    try {
-        return statSync(filePath);
-    }
-    catch {
-        return undefined;
-    }
-}
-/** Check if the file was created or modified compared to before. */
-function checkFileChange(filePath, beforeStats) {
-    const currentStats = getFileStats(filePath);
-    // File was created
-    if (!beforeStats && currentStats) {
-        return { ok: true, reason: "created" };
-    }
-    // File was modified (mtime or size changed)
-    // Use !== instead of > to catch same-millisecond writes and handle
-    // filesystems with coarse timestamp resolution (ext3, HFS+, FAT32).
-    if (beforeStats &&
-        currentStats &&
-        (currentStats.mtimeMs !== beforeStats.mtimeMs ||
-            currentStats.size !== beforeStats.size)) {
-        return { ok: true, reason: "modified" };
-    }
-    return undefined;
-}
-/**
- * Wait for a file to be created or modified.
- *
- * Monitors the target file and resolves when:
- * - The file is created (if it didn't exist before)
- * - The file's mtime changes (if it existed before)
- *
- * Uses fs.watch on the parent directory for responsiveness, with a
- * polling fallback since fs.watch is documented as potentially unreliable.
- */
-async function waitForFileUpdate(filePath, beforeStats, options) {
-    const timeout = options?.timeout ?? 5000;
-    const signal = options?.signal;
-    const parentDirectory = path.dirname(filePath);
-    const fileName = path.basename(filePath);
-    // Check if already aborted
-    if (signal?.aborted) {
-        return { ok: false, reason: "aborted" };
-    }
-    // Check immediately (file might already be written)
-    const immediate = checkFileChange(filePath, beforeStats);
-    if (immediate) {
-        return immediate;
-    }
-    return new Promise((resolve) => {
-        let watcher;
-        let resolved = false;
-        let abortHandler;
-        const cleanup = (timeoutId, pollId) => {
-            if (resolved)
-                return;
-            resolved = true;
-            watcher?.close();
-            clearTimeout(timeoutId);
-            clearInterval(pollId);
-            if (abortHandler && signal) {
-                signal.removeEventListener("abort", abortHandler);
-            }
-        };
-        // Set timeout
-        const timeoutId = setTimeout(() => {
-            cleanup(timeoutId, pollIntervalId);
-            resolve({ ok: false, reason: "timeout" });
-        }, timeout);
-        // Polling fallback: fs.watch is documented as potentially unreliable,
-        // so we also poll periodically to catch changes if events are missed.
-        const pollIntervalId = setInterval(() => {
-            const result = checkFileChange(filePath, beforeStats);
-            if (result) {
-                cleanup(timeoutId, pollIntervalId);
-                resolve(result);
-            }
-        }, 100);
-        // Handle abort signal
-        if (signal) {
-            abortHandler = () => {
-                cleanup(timeoutId, pollIntervalId);
-                resolve({ ok: false, reason: "aborted" });
-            };
-            signal.addEventListener("abort", abortHandler);
-        }
-        // Watch parent directory for changes (for faster responsiveness)
-        try {
-            watcher = watch(parentDirectory, (_eventType, changedFile) => {
-                // Check when the filename matches OR when filename is null/undefined.
-                // Per Node.js docs, changedFile can be null on some platforms (e.g., Linux),
-                // so we check our target file whenever the filename isn't provided.
-                if (!changedFile || changedFile === fileName) {
-                    const result = checkFileChange(filePath, beforeStats);
-                    if (result) {
-                        cleanup(timeoutId, pollIntervalId);
-                        resolve(result);
-                    }
-                }
-            });
-            watcher.on("error", (error) => {
-                cleanup(timeoutId, pollIntervalId);
-                resolve({ ok: false, reason: "error", error: error.message });
-            });
-        }
-        catch (error) {
-            cleanup(timeoutId, pollIntervalId);
-            resolve({
-                ok: false,
-                reason: "error",
-                error: error instanceof Error ? error.message : String(error),
-            });
-        }
-    });
-}
-export { getFileStats, waitForFileUpdate };