axauth 2.0.0 → 3.0.0

package/README.md

@@ -38,6 +38,7 @@ axauth list --json
 
 # Get access token for an agent (outputs raw token for piping)
 axauth token --agent claude
+axauth token --agent opencode --provider anthropic  # OpenCode requires --provider
 
 # Export credentials to encrypted file
 axauth export --agent claude --output creds.json
@@ -87,7 +88,7 @@ import {
   checkAuth, // Check single agent auth status
   checkAllAuth, // Check all agents' auth status
   getAgentAccessToken, // Get access token for an agent
-  extractRawCredentials, // Extract full credentials for export
+  findCredentials, // Find credentials from storage or environment
   installCredentials, // Install credentials to storage
   removeCredentials, // Remove credentials from storage
 
@@ -125,11 +126,16 @@ if (status.authenticated) {
 }
 
 // Get access token for API calls
-const token = getAgentAccessToken("claude");
+const token = await getAgentAccessToken("claude");
 if (token) {
   // Use token for API calls
 }
 
+// OpenCode requires explicit provider (multi-provider agent)
+const openCodeToken = await getAgentAccessToken("opencode", {
+  provider: "anthropic",
+});
+
 // Check adapter capabilities
 const caps = getCapabilities("gemini");
 if (!caps.keychain) {
@@ -146,9 +152,9 @@ import { getAdapter } from "axauth";
 
 const adapter = getAdapter("claude");
 
-// All adapters have the same interface
+// All adapters have the same interface (OpenCode requires { provider } option)
 const status = adapter.checkAuth();
-const creds = adapter.extractRawCredentials();
+const creds = adapter.findStoredCredentials(); // OpenCode: findStoredCredentials({ provider: "anthropic" })
 const token = adapter.getAccessToken(creds);
 const envVars = adapter.credentialsToEnvironment(creds);
 

package/dist/auth/adapter.d.ts

@@ -13,6 +13,11 @@ interface OperationResult {
     ok: boolean;
     message: string;
 }
+/** Result of finding stored credentials */
+interface StoredCredentials {
+    credentials: Credentials;
+    source: "keychain" | "file";
+}
 /**
  * Options for credential installation.
  *
@@ -22,7 +27,7 @@ interface OperationResult {
  * When no directories are provided, `storage` controls where credentials go:
  * - `"keychain"`: Store in macOS Keychain (if supported)
  * - `"file"`: Store in agent's default file location
- * - `undefined`: Use the `_source` marker in credentials, or default to file
+ * - `undefined`: Default to file storage
  *
  * **Agents without separation** (Claude, Codex, Gemini, Copilot):
  * - Config and data are stored in the same directory
@@ -36,7 +41,11 @@ interface OperationResult {
  * - If only `dataDir` provided, config uses default location
  */
 interface InstallOptions {
-    /** Storage type for default location (ignored if configDir/dataDir is set) */
+    /**
+     * Storage type for default location.
+     * Required when re-installing refreshed credentials to preserve original location.
+     * Ignored if configDir/dataDir is set.
+     */
     storage?: StorageType;
     /** Custom config directory for settings/preferences */
     configDir?: string;
@@ -65,7 +74,21 @@ interface RemoveOptions {
     dataDir?: string;
 }
 /**
- * Options for extracting credentials from a custom directory.
+ * Options for finding stored credentials.
+ *
+ * **Multi-provider agents** (OpenCode):
+ * - `provider` is required to specify which provider's credentials to return
+ * - Throws an error if provider is not specified
+ *
+ * **Single-provider agents** (Claude, Codex, Gemini, Copilot):
+ * - `provider` is ignored
+ */
+interface FindStoredCredentialsOptions {
+    /** Provider ID for multi-provider agents (required for OpenCode) */
+    provider?: string;
+}
+/**
+ * Options for loading credentials from a custom directory.
  *
  * **Agents without separation** (Claude, Codex, Gemini, Copilot):
  * - `configDir` and `dataDir` are interchangeable
@@ -73,13 +96,16 @@ interface RemoveOptions {
  *
  * **Agents with separation** (OpenCode):
  * - `dataDir` must be provided to specify where credentials are stored
- * - If only `configDir` is provided, returns undefined (use extractRawCredentials() for default location)
+ * - If only `configDir` is provided, returns undefined (use findStoredCredentials() for default location)
+ * - `provider` filters to a specific provider's credentials
  */
 interface ExtractOptions {
     /** Custom config directory for settings/preferences */
     configDir?: string;
     /** Custom data directory for credentials */
     dataDir?: string;
+    /** Provider ID for multi-provider agents (OpenCode) - filters to specific provider */
+    provider?: string;
 }
 /**
  * Options for token extraction.
@@ -94,6 +120,8 @@ interface TokenOptions {
     skipRefresh?: boolean;
     /** Timeout for refresh operation in ms (default: 30000) */
     refreshTimeout?: number;
+    /** Storage location for persisting refreshed credentials (default: "file") */
+    storage?: "keychain" | "file";
 }
 /** Capabilities that an adapter supports */
 interface AdapterCapabilities {
@@ -116,9 +144,9 @@ interface AdapterCapabilities {
  *
  * When resolving credentials, sources are checked in this order:
  *
- * 1. **Environment variables** (via `extractFromEnvironment`)
+ * 1. **Environment variables** (via `getEnvironmentCredentials`)
  * 2. **Vault** (external, via axvault server when configured)
- * 3. **Local storage** (keychain/file via `extractRawCredentials`)
+ * 3. **Local storage** (keychain/file via `findStoredCredentials`)
  *
  * Environment variables always take precedence to allow easy overrides
  * in CI/CD and development. Vault provides centralized credential
@@ -137,7 +165,7 @@ interface AuthAdapter {
      */
     checkAuth(): AuthStatus;
     /**
-     * Extract credentials from environment variables only.
+     * Get credentials from environment variables only.
      *
      * This is called before checking vault or local storage to ensure
      * environment variables have highest priority. Returns undefined if
@@ -145,22 +173,33 @@ interface AuthAdapter {
      *
      * @example
      * // For Claude, checks CLAUDE_CODE_OAUTH_TOKEN and ANTHROPIC_API_KEY
-     * const envCreds = adapter.extractFromEnvironment?.();
+     * const envCreds = adapter.getEnvironmentCredentials?.();
      * if (envCreds) return envCreds; // Env vars win over vault
      */
-    extractFromEnvironment?(): Credentials | undefined;
+    getEnvironmentCredentials?(): Credentials | undefined;
     /**
-     * Extract raw credentials for export.
+     * Find stored credentials and their source.
+     *
+     * Returns the full credential data from the first available storage location
+     * (keychain or file), along with the source it was found in. Returns undefined
+     * if not authenticated. Does not check environment variables.
+     *
+     * The returned `source` should be passed to `installCredentials()` when
+     * re-installing refreshed credentials to preserve the original storage location.
+     *
+     * **Multi-provider agents** (OpenCode):
+     * - `options.provider` is required - throws if not specified
+     * - Returns credentials for the specified provider only
      *
-     * Returns the full credential data from the first available source,
-     * suitable for encrypted export. Returns undefined if not authenticated.
+     * **Single-provider agents** (Claude, Codex, Gemini, Copilot):
+     * - `options` is ignored
      *
      * Note: The `data` field format is agent-specific and not standardized.
      * Use {@link getAccessToken} to extract the token in a uniform way.
      */
-    extractRawCredentials(): Credentials | undefined;
+    findStoredCredentials(options?: FindStoredCredentialsOptions): StoredCredentials | undefined;
     /**
-     * Extract raw credentials from custom directories.
+     * Load credentials from a custom directory.
      *
      * Used by token refresh and CI/CD to read credentials from temp directories.
      * Returns undefined if no credentials found at the specified location.
@@ -168,15 +207,16 @@ interface AuthAdapter {
      * **Agents without separation**: Look in `configDir` or `dataDir` (interchangeable)
      * **Agents with separation** (OpenCode): Look in `dataDir` for credentials
      */
-    extractRawCredentialsFromDirectory?(options: ExtractOptions): Credentials | undefined;
+    loadCredentialsFromDirectory?(options: ExtractOptions): Credentials | undefined;
     /**
      * Install credentials to storage.
      *
-     * When `options.path` is provided, credentials are written as a file to that
-     * path. Keychain storage is not available for custom paths.
+     * When `options.configDir`/`options.dataDir` is provided, credentials are
+     * written as a file to that directory. Keychain storage is not available for
+     * custom paths.
      *
-     * When `options.path` is not provided, credentials are written to the default
-     * location. The `storage` option or `_source` marker controls keychain vs file.
+     * When no directories are provided, credentials are written to the default
+     * location. The `storage` option controls keychain vs file (defaults to file).
      */
     installCredentials(creds: Credentials, options?: InstallOptions): OperationResult;
     /**
@@ -219,4 +259,4 @@ interface AuthAdapter {
      */
     getCredentialFilePath(directory: string): string;
 }
-export type { AdapterCapabilities, AuthAdapter, ExtractOptions, InstallOptions, OperationResult, RemoveOptions, TokenOptions, };
+export type { AdapterCapabilities, AuthAdapter, ExtractOptions, FindStoredCredentialsOptions, InstallOptions, OperationResult, RemoveOptions, StoredCredentials, TokenOptions, };

package/dist/auth/agents/claude-install.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Claude Code credential installation and removal.
+ */
+import type { InstallOptions, OperationResult, RemoveOptions } from "../adapter.js";
+import type { Credentials } from "../types.js";
+declare const CREDS_FILE_NAME = ".credentials.json";
+/** Install credentials to storage */
+declare function installCredentials(creds: Credentials, options?: InstallOptions): OperationResult;
+/** Remove credentials from storage */
+declare function removeCredentials(options?: RemoveOptions): OperationResult;
+export { CREDS_FILE_NAME, installCredentials, removeCredentials };

package/dist/auth/agents/claude-install.js

@@ -0,0 +1,80 @@
+/**
+ * Claude Code credential installation and removal.
+ */
+import path from "node:path";
+import { isMacOS } from "../keychain.js";
+import { resolveCustomDirectory } from "../validate-directories.js";
+import { AGENT_ID, deleteFileCreds, deleteKeychainCreds, getDefaultCredsFilePath, saveFileCreds, saveKeychainCreds, } from "./claude-storage.js";
+const CREDS_FILE_NAME = ".credentials.json";
+/** Install credentials to storage */
+function installCredentials(creds, options) {
+    const resolved = resolveCustomDirectory(AGENT_ID, options?.configDir, options?.dataDir);
+    if (!resolved.ok)
+        return resolved.error;
+    if (creds.type === "api-key") {
+        return {
+            ok: false,
+            message: "API key credentials cannot be installed (use ANTHROPIC_API_KEY env var)",
+        };
+    }
+    // Custom directory forces file storage (keychain only for default location)
+    if (resolved.customDir) {
+        const targetPath = path.join(resolved.customDir, CREDS_FILE_NAME);
+        if (saveFileCreds(creds.data, targetPath)) {
+            return { ok: true, message: `Installed credentials to ${targetPath}` };
+        }
+        return {
+            ok: false,
+            message: `Failed to install credentials to ${targetPath}`,
+        };
+    }
+    // Default location: use storage option or default to file
+    const targetStorage = options?.storage ?? "file";
+    if (targetStorage === "keychain") {
+        if (!isMacOS()) {
+            return {
+                ok: false,
+                message: "Keychain storage is only available on macOS",
+            };
+        }
+        if (saveKeychainCreds(creds.data)) {
+            return { ok: true, message: "Installed credentials to macOS Keychain" };
+        }
+        return { ok: false, message: "Failed to save to macOS Keychain" };
+    }
+    const defaultPath = getDefaultCredsFilePath();
+    if (saveFileCreds(creds.data, defaultPath)) {
+        return { ok: true, message: `Installed credentials to ${defaultPath}` };
+    }
+    return {
+        ok: false,
+        message: `Failed to install credentials to ${defaultPath}`,
+    };
+}
+/** Remove credentials from storage */
+function removeCredentials(options) {
+    const resolved = resolveCustomDirectory(AGENT_ID, options?.configDir, options?.dataDir);
+    if (!resolved.ok)
+        return resolved.error;
+    // Custom directory: only remove that specific file (no keychain)
+    if (resolved.customDir) {
+        const targetPath = path.join(resolved.customDir, CREDS_FILE_NAME);
+        if (deleteFileCreds(targetPath)) {
+            return { ok: true, message: `Removed ${targetPath}` };
+        }
+        return { ok: true, message: "No credentials file found at specified path" };
+    }
+    // Default location: remove from both keychain and default file
+    const removedFrom = [];
+    if (deleteKeychainCreds()) {
+        removedFrom.push("macOS Keychain");
+    }
+    if (deleteFileCreds()) {
+        removedFrom.push(getDefaultCredsFilePath());
+    }
+    if (removedFrom.length === 0) {
+        return { ok: true, message: "No credentials found" };
+    }
+    return { ok: true, message: `Removed from ${removedFrom.join(" and ")}` };
+}
+export { CREDS_FILE_NAME, installCredentials, removeCredentials };

package/dist/auth/agents/claude-storage.d.ts

@@ -19,18 +19,26 @@ declare function checkAuth(): {
     details?: Record<string, unknown>;
 };
 /**
- * Extract credentials from environment variables only.
+ * Get credentials from environment variables only.
  *
  * This is called before checking vault or local storage to ensure
  * environment variables have highest priority.
  */
-declare function extractFromEnvironment(): {
+declare function getEnvironmentCredentials(): {
     type: "oauth-credentials" | "oauth-token" | "api-key";
     data: Record<string, unknown>;
 } | undefined;
-/** Extract raw credentials from available sources */
-declare function extractRawCredentials(): {
+/**
+ * Find credentials from local storage only (keychain + file).
+ *
+ * This skips environment variable checks and only looks at local storage.
+ * Used as fallback after vault fetch fails.
+ *
+ * Returns credentials and their source for round-tripping during refresh.
+ */
+declare function findStoredCredentials(): {
     type: "oauth-credentials" | "oauth-token" | "api-key";
+    source: "keychain" | "file";
     data: Record<string, unknown>;
 } | undefined;
-export { AGENT_ID, checkAuth, deleteFileCreds, deleteKeychainCreds, extractFromEnvironment, extractRawCredentials, getDefaultCredsFilePath, saveFileCreds, saveKeychainCreds, };
+export { AGENT_ID, checkAuth, deleteFileCreds, deleteKeychainCreds, findStoredCredentials, getDefaultCredsFilePath, getEnvironmentCredentials, saveFileCreds, saveKeychainCreds, };

package/dist/auth/agents/claude-storage.js

@@ -82,12 +82,12 @@ function checkAuth() {
     return { authenticated: false };
 }
 /**
- * Extract credentials from environment variables only.
+ * Get credentials from environment variables only.
  *
  * This is called before checking vault or local storage to ensure
  * environment variables have highest priority.
  */
-function extractFromEnvironment() {
+function getEnvironmentCredentials() {
     if (process.env.CLAUDE_CODE_OAUTH_TOKEN) {
         return {
             type: "oauth-token",
@@ -103,35 +103,30 @@ function extractFromEnvironment() {
     return undefined;
 }
 /**
- * Extract credentials from local storage only (keychain + file).
+ * Find credentials from local storage only (keychain + file).
  *
  * This skips environment variable checks and only looks at local storage.
  * Used as fallback after vault fetch fails.
+ *
+ * Returns credentials and their source for round-tripping during refresh.
  */
-function extractFromLocalStorage() {
+function findStoredCredentials() {
     const keychainCreds = loadKeychainCreds();
     if (keychainCreds) {
         return {
             type: "oauth-credentials",
-            data: { ...keychainCreds, _source: "keychain" },
+            source: "keychain",
+            data: keychainCreds,
         };
     }
     const fileCreds = loadFileCreds();
     if (fileCreds) {
         return {
             type: "oauth-credentials",
-            data: { ...fileCreds, _source: "file" },
+            source: "file",
+            data: fileCreds,
         };
     }
     return undefined;
 }
-/** Extract raw credentials from available sources */
-function extractRawCredentials() {
-    // Check env vars first
-    const environmentCreds = extractFromEnvironment();
-    if (environmentCreds)
-        return environmentCreds;
-    // Fall back to local storage
-    return extractFromLocalStorage();
-}
-export { AGENT_ID, checkAuth, deleteFileCreds, deleteKeychainCreds, extractFromEnvironment, extractRawCredentials, getDefaultCredsFilePath, saveFileCreds, saveKeychainCreds, };
+export { AGENT_ID, checkAuth, deleteFileCreds, deleteKeychainCreds, findStoredCredentials, getDefaultCredsFilePath, getEnvironmentCredentials, saveFileCreds, saveKeychainCreds, };

package/dist/auth/agents/claude.js

@@ -5,10 +5,8 @@
  */
 import path from "node:path";
 import { extractCredsFromDirectory } from "../extract-creds-from-directory.js";
-import { isMacOS } from "../keychain.js";
-import { resolveCustomDirectory } from "../validate-directories.js";
-import { AGENT_ID, checkAuth, deleteFileCreds, deleteKeychainCreds, extractFromEnvironment, extractRawCredentials, getDefaultCredsFilePath, saveFileCreds, saveKeychainCreds, } from "./claude-storage.js";
-const CREDS_FILE_NAME = ".credentials.json";
+import { CREDS_FILE_NAME, installCredentials, removeCredentials, } from "./claude-install.js";
+import { AGENT_ID, checkAuth, findStoredCredentials as findStoredCredentialsInternal, getEnvironmentCredentials as getEnvironmentCredentialsInternal, } from "./claude-storage.js";
 /** Claude Code authentication adapter */
 const claudeCodeAdapter = {
     agentId: AGENT_ID,
@@ -22,19 +20,22 @@ const claudeCodeAdapter = {
         const result = checkAuth();
         return { agentId: AGENT_ID, ...result };
     },
-    extractFromEnvironment() {
-        const result = extractFromEnvironment();
+    getEnvironmentCredentials() {
+        const result = getEnvironmentCredentialsInternal();
         if (!result)
             return undefined;
-        return { agent: AGENT_ID, ...result };
+        return { agent: AGENT_ID, type: result.type, data: result.data };
     },
-    extractRawCredentials() {
-        const result = extractRawCredentials();
+    findStoredCredentials() {
+        const result = findStoredCredentialsInternal();
         if (!result)
             return undefined;
-        return { agent: AGENT_ID, ...result };
+        return {
+            credentials: { agent: AGENT_ID, type: result.type, data: result.data },
+            source: result.source,
+        };
     },
-    extractRawCredentialsFromDirectory(options) {
+    loadCredentialsFromDirectory(options) {
         // Claude doesn't separate config/data - use either directory
         const directory = options.dataDir ?? options.configDir;
         if (!directory)
@@ -47,84 +48,8 @@ const claudeCodeAdapter = {
                 : undefined;
         });
     },
-    installCredentials(creds, options) {
-        // Resolve custom directory with validation
-        const resolved = resolveCustomDirectory(AGENT_ID, options?.configDir, options?.dataDir);
-        if (!resolved.ok)
-            return resolved.error;
-        if (creds.type === "api-key") {
-            return {
-                ok: false,
-                message: "API key credentials cannot be installed (use ANTHROPIC_API_KEY env var)",
-            };
-        }
-        const { _source, ...oauthData } = creds.data;
-        // Custom directory forces file storage (keychain only for default location)
-        if (resolved.customDir) {
-            const targetPath = path.join(resolved.customDir, CREDS_FILE_NAME);
-            if (saveFileCreds(oauthData, targetPath)) {
-                return {
-                    ok: true,
-                    message: `Installed credentials to ${targetPath}`,
-                };
-            }
-            return {
-                ok: false,
-                message: `Failed to install credentials to ${targetPath}`,
-            };
-        }
-        // Default location: use storage option or _source marker
-        const targetStorage = options?.storage ?? (_source === "keychain" ? "keychain" : "file");
-        if (targetStorage === "keychain") {
-            if (!isMacOS()) {
-                return {
-                    ok: false,
-                    message: "Keychain storage is only available on macOS",
-                };
-            }
-            if (saveKeychainCreds(oauthData)) {
-                return { ok: true, message: "Installed credentials to macOS Keychain" };
-            }
-            return { ok: false, message: "Failed to save to macOS Keychain" };
-        }
-        const defaultPath = getDefaultCredsFilePath();
-        if (saveFileCreds(oauthData, defaultPath)) {
-            return { ok: true, message: `Installed credentials to ${defaultPath}` };
-        }
-        return {
-            ok: false,
-            message: `Failed to install credentials to ${defaultPath}`,
-        };
-    },
-    removeCredentials(options) {
-        // Resolve custom directory with validation
-        const resolved = resolveCustomDirectory(AGENT_ID, options?.configDir, options?.dataDir);
-        if (!resolved.ok)
-            return resolved.error;
-        // Custom directory: only remove that specific file (no keychain)
-        if (resolved.customDir) {
-            const targetPath = path.join(resolved.customDir, CREDS_FILE_NAME);
-            if (deleteFileCreds(targetPath)) {
-                return { ok: true, message: `Removed ${targetPath}` };
-            }
-            return {
-                ok: true,
-                message: "No credentials file found at specified path",
-            };
-        }
-        // Default location: remove from both keychain and default file
-        const removedFrom = [];
-        if (deleteKeychainCreds()) {
-            removedFrom.push("macOS Keychain");
-        }
-        if (deleteFileCreds()) {
-            removedFrom.push(getDefaultCredsFilePath());
-        }
-        if (removedFrom.length === 0) {
-            return { ok: true, message: "No credentials found" };
-        }
-        return { ok: true, message: `Removed from ${removedFrom.join(" and ")}` };
-    },
+    installCredentials,
+    removeCredentials,
     getAccessToken(creds) {
         const data = creds.data;
         if ((creds.type === "oauth-credentials" || creds.type === "oauth-token") &&

package/dist/auth/agents/codex-auth-check.d.ts

@@ -1,11 +1,12 @@
 /**
  * Codex auth status checking and credential extraction.
  */
+import type { StoredCredentials } from "../adapter.js";
 import type { AuthStatus, Credentials } from "../types.js";
 /** Check auth status across all sources */
 declare function checkAuth(): AuthStatus;
-/** Extract credentials from environment */
-declare function extractEnvironmentCredentials(): Credentials | undefined;
-/** Extract raw credentials from first available source */
-declare function extractRawCredentials(): Credentials | undefined;
-export { checkAuth, extractEnvironmentCredentials, extractRawCredentials };
+/** Get credentials from environment variables */
+declare function getEnvironmentCredentials(): Credentials | undefined;
+/** Find stored credentials from keychain or file */
+declare function findStoredCredentials(): StoredCredentials | undefined;
+export { checkAuth, findStoredCredentials, getEnvironmentCredentials };

package/dist/auth/agents/codex-auth-check.js

@@ -46,8 +46,8 @@ function checkAuth() {
         checkKeychainAuth() ??
         checkFileAuth() ?? { agentId: AGENT_ID, authenticated: false });
 }
-/** Extract credentials from environment */
-function extractEnvironmentCredentials() {
+/** Get credentials from environment variables */
+function getEnvironmentCredentials() {
     const environmentKey = getEnvironmentApiKey();
     if (environmentKey) {
         return {
@@ -58,44 +58,58 @@ function extractEnvironmentCredentials() {
     }
     return undefined;
 }
-/** Extract credentials from keychain */
+/** Extract credentials from keychain (internal, returns source) */
 function extractKeychainCredentials() {
     const keychainAuth = loadKeychainCreds();
     if (keychainAuth?.OPENAI_API_KEY) {
         return {
-            agent: AGENT_ID,
-            type: "api-key",
-            data: { apiKey: keychainAuth.OPENAI_API_KEY, _source: "keychain" },
+            credentials: {
+                agent: AGENT_ID,
+                type: "api-key",
+                data: { apiKey: keychainAuth.OPENAI_API_KEY },
+            },
+            source: "keychain",
         };
     }
     if (keychainAuth?.tokens) {
         return {
-            agent: AGENT_ID,
-            type: "oauth-credentials",
-            data: { ...keychainAuth, _source: "keychain" },
+            credentials: {
+                agent: AGENT_ID,
+                type: "oauth-credentials",
+                data: keychainAuth,
+            },
+            source: "keychain",
         };
     }
     return undefined;
 }
-/** Extract credentials from file */
+/** Extract credentials from file (internal, returns source) */
 function extractFileCredentials() {
     const fileAuth = loadFileCreds();
     if (fileAuth?.OPENAI_API_KEY) {
         return {
-            agent: AGENT_ID,
-            type: "api-key",
-            data: { apiKey: fileAuth.OPENAI_API_KEY },
+            credentials: {
+                agent: AGENT_ID,
+                type: "api-key",
+                data: { apiKey: fileAuth.OPENAI_API_KEY },
+            },
+            source: "file",
         };
     }
     if (fileAuth?.tokens) {
-        return { agent: AGENT_ID, type: "oauth-credentials", data: fileAuth };
+        return {
+            credentials: {
+                agent: AGENT_ID,
+                type: "oauth-credentials",
+                data: fileAuth,
+            },
+            source: "file",
+        };
     }
     return undefined;
 }
-/** Extract raw credentials from first available source */
-function extractRawCredentials() {
-    return (extractEnvironmentCredentials() ??
-        extractKeychainCredentials() ??
-        extractFileCredentials());
+/** Find stored credentials from keychain or file */
+function findStoredCredentials() {
+    return extractKeychainCredentials() ?? extractFileCredentials();
 }
-export { checkAuth, extractEnvironmentCredentials, extractRawCredentials };
+export { checkAuth, findStoredCredentials, getEnvironmentCredentials };

package/dist/auth/agents/codex-install.js

@@ -65,8 +65,7 @@ function installCodexCredentials(creds, options) {
     if (resolved.customDir) {
         return installToCustomDirectory(authContent, resolved.customDir);
     }
-    const sourceMarker = creds.data._source;
-    const targetStorage = options?.storage ?? (sourceMarker === "keychain" ? "keychain" : "file");
+    const targetStorage = options?.storage ?? "file";
     return installToDefaultLocation(authContent, targetStorage);
 }
 /** Remove Codex credentials */

package/dist/auth/agents/codex-storage.d.ts

@@ -34,7 +34,6 @@ declare function saveFileCreds(auth: CodexAuthJson, filePath?: string): boolean;
 declare function deleteFileCreds(filePath?: string): boolean;
 interface CredentialsData {
     apiKey?: string;
-    _source?: unknown;
     tokens?: CodexAuthJson["tokens"];
     [key: string]: unknown;
 }