axauth 1.7.0 → 1.7.2

package/dist/auth/adapter.d.ts

@@ -64,6 +64,23 @@ interface RemoveOptions {
     /** Custom data directory for credentials */
     dataDir?: string;
 }
+/**
+ * Options for extracting credentials from a custom directory.
+ *
+ * **Agents without separation** (Claude, Codex, Gemini, Copilot):
+ * - `configDir` and `dataDir` are interchangeable
+ * - Either option specifies where to look for credentials
+ *
+ * **Agents with separation** (OpenCode):
+ * - `dataDir` must be provided to specify where credentials are stored
+ * - If only `configDir` is provided, returns undefined (use extractRawCredentials() for default location)
+ */
+interface ExtractOptions {
+    /** Custom config directory for settings/preferences */
+    configDir?: string;
+    /** Custom data directory for credentials */
+    dataDir?: string;
+}
 /**
  * Options for token extraction.
  *
@@ -118,12 +135,15 @@ interface AuthAdapter {
      */
     extractRawCredentials(): Credentials | undefined;
     /**
-     * Extract raw credentials from a specific directory.
+     * Extract raw credentials from custom directories.
+     *
+     * Used by token refresh and CI/CD to read credentials from temp directories.
+     * Returns undefined if no credentials found at the specified location.
      *
-     * Used by token refresh to read credentials from a temp directory.
-     * Returns undefined if no credentials found at that location.
+     * **Agents without separation**: Look in `configDir` or `dataDir` (interchangeable)
+     * **Agents with separation** (OpenCode): Look in `dataDir` for credentials
      */
-    extractRawCredentialsFromDirectory?(directory: string): Credentials | undefined;
+    extractRawCredentialsFromDirectory?(options: ExtractOptions): Credentials | undefined;
     /**
      * Install credentials to storage.
      *
@@ -163,4 +183,4 @@ interface AuthAdapter {
      */
     credentialsToEnvironment(creds: Credentials): Record<string, string>;
 }
-export type { AdapterCapabilities, AuthAdapter, InstallOptions, OperationResult, RemoveOptions, TokenOptions, };
+export type { AdapterCapabilities, AuthAdapter, ExtractOptions, InstallOptions, OperationResult, RemoveOptions, TokenOptions, };

package/dist/auth/agents/claude.js

@@ -28,7 +28,11 @@ const claudeCodeAdapter = {
             return undefined;
         return { agent: AGENT_ID, ...result };
     },
-    extractRawCredentialsFromDirectory(directory) {
+    extractRawCredentialsFromDirectory(options) {
+        // Claude doesn't separate config/data - use either directory
+        const directory = options.dataDir ?? options.configDir;
+        if (!directory)
+            return undefined;
         // Unwrap claudeAiOauth wrapper (matches loadFileCreds behavior)
         return extractCredsFromDirectory(AGENT_ID, directory, CREDS_FILE_NAME, (file) => {
             const data = file.claudeAiOauth;

package/dist/auth/agents/codex.js

@@ -24,7 +24,11 @@ const codexAdapter = {
     },
     checkAuth,
     extractRawCredentials,
-    extractRawCredentialsFromDirectory(directory) {
+    extractRawCredentialsFromDirectory(options) {
+        // Codex doesn't separate config/data - use either directory
+        const directory = options.dataDir ?? options.configDir;
+        if (!directory)
+            return undefined;
         const credentialsPath = path.join(directory, CREDS_FILE_NAME);
         try {
             if (!existsSync(credentialsPath))

package/dist/auth/agents/copilot.js

@@ -49,7 +49,11 @@ const copilotAdapter = {
             data: { accessToken: result.token, _source: result.source },
         };
     },
-    extractRawCredentialsFromDirectory(directory) {
+    extractRawCredentialsFromDirectory(options) {
+        // Copilot doesn't separate config/data - use either directory
+        const directory = options.dataDir ?? options.configDir;
+        if (!directory)
+            return undefined;
         return extractCredsFromDirectory(AGENT_ID, directory, CREDS_FILE_NAME);
     },
     installCredentials(creds, options) {

package/dist/auth/agents/gemini.js

@@ -49,7 +49,11 @@ const geminiAdapter = {
             },
         };
     },
-    extractRawCredentialsFromDirectory(directory) {
+    extractRawCredentialsFromDirectory(options) {
+        // Gemini doesn't separate config/data - use either directory
+        const directory = options.dataDir ?? options.configDir;
+        if (!directory)
+            return undefined;
         return extractCredsFromDirectory(AGENT_ID, directory, "oauth_creds.json");
     },
     installCredentials(creds, options) {

package/dist/auth/agents/opencode.js

@@ -26,6 +26,20 @@ function getDefaultAuthFilePath() {
     const dataDirectory = resolveAgentDataDirectory(AGENT_ID);
     return path.join(dataDirectory, CREDS_FILE_NAME);
 }
+/** Read and parse the auth file, returning undefined on any error */
+function readAuthFile(authFile) {
+    if (!existsSync(authFile))
+        return undefined;
+    try {
+        const content = JSON.parse(readFileSync(authFile, "utf8"));
+        if (typeof content !== "object" || content === null)
+            return undefined;
+        return content;
+    }
+    catch {
+        return undefined;
+    }
+}
 /** OpenCode authentication adapter */
 const opencodeAdapter = {
     agentId: AGENT_ID,
@@ -36,56 +50,42 @@ const opencodeAdapter = {
         installApiKey: true,
     },
     checkAuth() {
-        const authFile = getDefaultAuthFilePath();
-        if (!existsSync(authFile)) {
+        const auth = readAuthFile(getDefaultAuthFilePath());
+        if (!auth)
+            return { agentId: AGENT_ID, authenticated: false };
+        const providers = Object.keys(auth);
+        const firstProvider = providers[0];
+        if (firstProvider === undefined) {
             return { agentId: AGENT_ID, authenticated: false };
         }
-        try {
-            const auth = JSON.parse(readFileSync(authFile, "utf8"));
-            const providers = Object.keys(auth);
-            const firstProvider = providers[0];
-            if (firstProvider !== undefined) {
-                const firstAuth = auth[firstProvider];
-                const method = firstAuth?.type === "oauth"
-                    ? "OAuth"
-                    : firstAuth?.type === "api"
-                        ? "API key"
-                        : "Well-known";
-                return {
-                    agentId: AGENT_ID,
-                    authenticated: true,
-                    method: providers.length > 1
-                        ? `${method} (${providers.length} providers)`
-                        : method,
-                    details: { providers },
-                };
-            }
-        }
-        catch {
-            // Invalid JSON
-        }
-        return { agentId: AGENT_ID, authenticated: false };
+        const firstAuth = auth[firstProvider];
+        const method = firstAuth?.type === "oauth"
+            ? "OAuth"
+            : firstAuth?.type === "api"
+                ? "API key"
+                : "Well-known";
+        return {
+            agentId: AGENT_ID,
+            authenticated: true,
+            method: providers.length > 1
+                ? `${method} (${providers.length} providers)`
+                : method,
+            details: { providers },
+        };
     },
     extractRawCredentials() {
-        const authFile = getDefaultAuthFilePath();
-        if (!existsSync(authFile)) {
+        const auth = readAuthFile(getDefaultAuthFilePath());
+        if (!auth || Object.keys(auth).length === 0)
             return undefined;
-        }
-        try {
-            const auth = JSON.parse(readFileSync(authFile, "utf8"));
-            const providers = Object.keys(auth);
-            if (providers.length > 0) {
-                return { agent: AGENT_ID, type: "oauth", data: auth };
-            }
-        }
-        catch {
-            // Invalid JSON
-        }
-        return undefined;
+        return { agent: AGENT_ID, type: "oauth", data: auth };
     },
-    extractRawCredentialsFromDirectory(directory) {
+    extractRawCredentialsFromDirectory(options) {
+        // OpenCode stores credentials in dataDir only - configDir is for settings
+        // If dataDir not provided, return undefined (use extractRawCredentials() for default)
+        if (!options.dataDir)
+            return undefined;
         // Only return if there's at least one provider
-        return extractCredsFromDirectory(AGENT_ID, directory, CREDS_FILE_NAME, (data) => (Object.keys(data).length > 0 ? data : undefined));
+        return extractCredsFromDirectory(AGENT_ID, options.dataDir, CREDS_FILE_NAME, (data) => (Object.keys(data).length > 0 ? data : undefined));
     },
     installCredentials(creds, options) {
         // Resolve custom directory with validation (OpenCode supports separation)

package/dist/auth/refresh-credentials.js

@@ -96,7 +96,7 @@ async function refreshCredentials(creds, options) {
         }
         // 9. Read refreshed credentials from temp directory
         const { extractRawCredentialsFromDirectory } = await import("./registry.js");
-        const refreshedCredentials = extractRawCredentialsFromDirectory(creds.agent, credentialsDirectory);
+        const refreshedCredentials = extractRawCredentialsFromDirectory(creds.agent, { configDir: credentialsDirectory, dataDir: credentialsDirectory });
         if (!refreshedCredentials) {
             return { ok: false, error: "No credentials found after refresh" };
         }

package/dist/auth/registry.d.ts

@@ -5,7 +5,7 @@
  * delegating to the appropriate adapter based on agent ID.
  */
 import type { AgentCli } from "axshared";
-import type { AdapterCapabilities, AuthAdapter, InstallOptions, OperationResult, RemoveOptions, TokenOptions } from "./adapter.js";
+import type { AdapterCapabilities, AuthAdapter, ExtractOptions, InstallOptions, OperationResult, RemoveOptions, TokenOptions } from "./adapter.js";
 import type { AuthStatus } from "./types.js";
 import { type Credentials } from "./types.js";
 /**
@@ -60,15 +60,22 @@ declare function checkAllAuth(): AuthStatus[];
  */
 declare function extractRawCredentials(agentId: AgentCli): Credentials | undefined;
 /**
- * Extract raw credentials from a specific directory.
+ * Extract raw credentials from custom directories.
  *
- * Used by token refresh to read credentials from a temp directory.
+ * Used by token refresh and CI/CD to read credentials from temp directories.
  * Returns undefined if no credentials found or adapter doesn't support it.
  *
  * @example
- * const creds = extractRawCredentialsFromDirectory("claude", "/tmp/refresh-123");
+ * // For agents without separation (Claude, Codex, Gemini, Copilot)
+ * const creds = extractRawCredentialsFromDirectory("claude", { configDir: "/tmp/config" });
+ *
+ * // For agents with separation (OpenCode)
+ * const creds = extractRawCredentialsFromDirectory("opencode", {
+ *   configDir: "/tmp/config",
+ *   dataDir: "/tmp/data",
+ * });
  */
-declare function extractRawCredentialsFromDirectory(agentId: AgentCli, directory: string): Credentials | undefined;
+declare function extractRawCredentialsFromDirectory(agentId: AgentCli, options: ExtractOptions): Credentials | undefined;
 /**
  * Install credentials for an agent.
  *
@@ -159,5 +166,6 @@ declare function installCredentialsFromEnvironmentVariable(agent: AgentCli, opti
     ok: false;
     error: string;
 }>;
+export type { ExtractOptions } from "./adapter.js";
 export type { InstallFromEnvironmentOptions };
 export { checkAllAuth, checkAuth, credentialsToEnvironment, extractRawCredentials, extractRawCredentialsFromDirectory, getAccessToken, getAdapter, getAgentAccessToken, getAllAdapters, getCapabilities, getCredentialsEnvironmentVariableName, installCredentials, installCredentialsFromEnvironmentVariable, removeCredentials, };

package/dist/auth/registry.js

@@ -86,17 +86,24 @@ function extractRawCredentials(agentId) {
     return ADAPTERS[agentId].extractRawCredentials();
 }
 /**
- * Extract raw credentials from a specific directory.
+ * Extract raw credentials from custom directories.
  *
- * Used by token refresh to read credentials from a temp directory.
+ * Used by token refresh and CI/CD to read credentials from temp directories.
  * Returns undefined if no credentials found or adapter doesn't support it.
  *
  * @example
- * const creds = extractRawCredentialsFromDirectory("claude", "/tmp/refresh-123");
+ * // For agents without separation (Claude, Codex, Gemini, Copilot)
+ * const creds = extractRawCredentialsFromDirectory("claude", { configDir: "/tmp/config" });
+ *
+ * // For agents with separation (OpenCode)
+ * const creds = extractRawCredentialsFromDirectory("opencode", {
+ *   configDir: "/tmp/config",
+ *   dataDir: "/tmp/data",
+ * });
  */
-function extractRawCredentialsFromDirectory(agentId, directory) {
+function extractRawCredentialsFromDirectory(agentId, options) {
     const adapter = ADAPTERS[agentId];
-    return adapter.extractRawCredentialsFromDirectory?.(directory);
+    return adapter.extractRawCredentialsFromDirectory?.(options);
 }
 /**
  * Install credentials for an agent.

package/dist/crypto.d.ts

@@ -1,39 +1,24 @@
 /**
  * Encryption utilities for credential export/import.
  *
- * Uses AES-256-GCM with PBKDF2 key derivation.
+ * Re-exports core crypto from axshared and adds axauth-specific functionality.
  */
+import { type EncryptedData, type EncryptedDataBase64 } from "axshared";
+export { encrypt, fromBase64, toBase64 } from "axshared";
 /**
  * Derive default password from predictable seed.
  * Provides obfuscation, not security - attacker would need to understand derivation logic.
  */
 declare const DEFAULT_PASSWORD: string;
-/** Encrypted data structure */
-interface EncryptedData {
-    ciphertext: Buffer;
-    salt: Buffer;
-    iv: Buffer;
-    tag: Buffer;
-}
-/** Serialized encrypted file format */
-interface EncryptedFile {
+/** Serialized encrypted file format with axauth metadata */
+interface EncryptedFile extends EncryptedDataBase64 {
     version: 1;
     agent: string;
-    ciphertext: string;
-    salt: string;
-    iv: string;
-    tag: string;
 }
-/** Encrypt data with password */
-declare function encrypt(data: string, password: string): EncryptedData;
-/** Convert encrypted data to base64 for JSON serialization */
-declare function toBase64(encrypted: EncryptedData): Omit<EncryptedFile, "version" | "agent">;
-/** Convert base64 strings back to buffers */
-declare function fromBase64(file: Omit<EncryptedFile, "version" | "agent">): EncryptedData;
 /**
  * Try decrypting with default password first, then prompt for custom.
  * Returns decrypted string on success.
  */
 declare function tryDecrypt(encrypted: EncryptedData, promptFunction: () => Promise<string>): Promise<string>;
-export { DEFAULT_PASSWORD, encrypt, fromBase64, toBase64, tryDecrypt };
+export { DEFAULT_PASSWORD, tryDecrypt };
 export type { EncryptedFile };

package/dist/crypto.js

@@ -1,15 +1,11 @@
 /**
  * Encryption utilities for credential export/import.
  *
- * Uses AES-256-GCM with PBKDF2 key derivation.
+ * Re-exports core crypto from axshared and adds axauth-specific functionality.
  */
-import { createCipheriv, createDecipheriv, createHash, pbkdf2Sync, randomBytes, } from "node:crypto";
-const ALGORITHM = "aes-256-gcm";
-const ITERATIONS = 100_000;
-const KEY_LENGTH = 32;
-const SALT_LENGTH = 16;
-const IV_LENGTH = 12;
-const TAG_LENGTH = 16;
+import { createHash } from "node:crypto";
+import { decrypt, } from "axshared";
+export { encrypt, fromBase64, toBase64 } from "axshared";
 /**
  * Derive default password from predictable seed.
  * Provides obfuscation, not security - attacker would need to understand derivation logic.
@@ -18,48 +14,6 @@ const DEFAULT_PASSWORD = createHash("sha256")
     .update(["axauth", "credentials", "default", "v1"].join("."))
     .digest("base64")
     .slice(0, 32);
-/** Encrypt data with password */
-function encrypt(data, password) {
-    const salt = randomBytes(SALT_LENGTH);
-    const key = pbkdf2Sync(password, salt, ITERATIONS, KEY_LENGTH, "sha256");
-    const iv = randomBytes(IV_LENGTH);
-    const cipher = createCipheriv(ALGORITHM, key, iv, {
-        authTagLength: TAG_LENGTH,
-    });
-    const ciphertext = Buffer.concat([
-        cipher.update(data, "utf8"),
-        cipher.final(),
-    ]);
-    return { ciphertext, salt, iv, tag: cipher.getAuthTag() };
-}
-/** Decrypt data with password. Throws on wrong password. */
-function decrypt(encrypted, password) {
-    const key = pbkdf2Sync(password, encrypted.salt, ITERATIONS, KEY_LENGTH, "sha256");
-    const decipher = createDecipheriv(ALGORITHM, key, encrypted.iv, {
-        authTagLength: TAG_LENGTH,
-    });
-    decipher.setAuthTag(encrypted.tag);
-    return (decipher.update(encrypted.ciphertext).toString("utf8") +
-        decipher.final("utf8"));
-}
-/** Convert encrypted data to base64 for JSON serialization */
-function toBase64(encrypted) {
-    return {
-        ciphertext: encrypted.ciphertext.toString("base64"),
-        salt: encrypted.salt.toString("base64"),
-        iv: encrypted.iv.toString("base64"),
-        tag: encrypted.tag.toString("base64"),
-    };
-}
-/** Convert base64 strings back to buffers */
-function fromBase64(file) {
-    return {
-        ciphertext: Buffer.from(file.ciphertext, "base64"),
-        salt: Buffer.from(file.salt, "base64"),
-        iv: Buffer.from(file.iv, "base64"),
-        tag: Buffer.from(file.tag, "base64"),
-    };
-}
 /**
  * Try decrypting with default password first, then prompt for custom.
  * Returns decrypted string on success.
@@ -75,4 +29,4 @@ async function tryDecrypt(encrypted, promptFunction) {
         return decrypt(encrypted, password);
     }
 }
-export { DEFAULT_PASSWORD, encrypt, fromBase64, toBase64, tryDecrypt };
+export { DEFAULT_PASSWORD, tryDecrypt };

package/dist/index.d.ts

@@ -34,6 +34,6 @@ export type { AgentCli } from "axshared";
 export { AGENT_CLIS } from "axshared";
 export type { AdapterCapabilities, AuthAdapter, InstallOptions, OperationResult, RemoveOptions, } from "./auth/adapter.js";
 export type { AuthStatus, Credentials } from "./auth/types.js";
-export { checkAllAuth, checkAuth, credentialsToEnvironment, extractRawCredentials, extractRawCredentialsFromDirectory, getAccessToken, getAgentAccessToken, getCredentialsEnvironmentVariableName, installCredentials, installCredentialsFromEnvironmentVariable, removeCredentials, getAdapter, getAllAdapters, getCapabilities, type InstallFromEnvironmentOptions, } from "./auth/registry.js";
+export { checkAllAuth, checkAuth, credentialsToEnvironment, extractRawCredentials, extractRawCredentialsFromDirectory, getAccessToken, getAgentAccessToken, getCredentialsEnvironmentVariableName, installCredentials, installCredentialsFromEnvironmentVariable, removeCredentials, getAdapter, getAllAdapters, getCapabilities, type ExtractOptions, type InstallFromEnvironmentOptions, } from "./auth/registry.js";
 export { isCredentialExpired, isTokenExpired, } from "./auth/is-token-expired.js";
 export { refreshAndPersist, refreshCredentials, type RefreshAndPersistResult, type RefreshOptions, type RefreshResult, } from "./auth/refresh-credentials.js";

package/package.json

@@ -2,7 +2,7 @@
   "name": "axauth",
   "author": "Łukasz Jerciński",
   "license": "MIT",
-  "version": "1.7.0",
+  "version": "1.7.2",
   "description": "Authentication management library and CLI for AI coding agents",
   "repository": {
     "type": "git",
@@ -69,10 +69,10 @@
   "dependencies": {
     "@commander-js/extra-typings": "^14.0.0",
     "@inquirer/password": "^5.0.3",
-    "axconfig": "^3.2.0",
-    "axshared": "^1.7.0",
+    "axconfig": "^3.4.2",
+    "axshared": "^1.8.0",
     "commander": "^14.0.2",
-    "zod": "^4.3.4"
+    "zod": "^4.3.5"
   },
   "devDependencies": {
     "@eslint/compat": "^2.0.0",
@@ -80,18 +80,18 @@
     "@total-typescript/ts-reset": "^0.6.1",
     "@types/node": "^25.0.3",
     "@vitest/coverage-v8": "^4.0.16",
-    "@vitest/eslint-plugin": "^1.6.4",
+    "@vitest/eslint-plugin": "^1.6.5",
     "eslint": "^9.39.2",
     "eslint-config-prettier": "^10.1.8",
     "eslint-plugin-unicorn": "^62.0.0",
     "fta-check": "^1.5.1",
     "fta-cli": "^3.0.0",
     "globals": "^16.5.0",
-    "knip": "^5.78.0",
+    "knip": "^5.80.0",
     "prettier": "3.7.4",
     "semantic-release": "^25.0.2",
     "typescript": "^5.9.3",
-    "typescript-eslint": "^8.51.0",
+    "typescript-eslint": "^8.52.0",
     "vitest": "^4.0.16"
   }
 }