axauth 3.1.2 → 3.1.5

package/dist/auth/adapter.d.ts

@@ -51,6 +51,8 @@ interface InstallOptions {
     configDir?: string;
     /** Custom data directory for credentials */
     dataDir?: string;
+    /** Provider ID for multi-provider agents (required for OpenCode) */
+    provider?: string;
 }
 /**
  * Options for credential removal.

package/dist/auth/agents/claude.js

@@ -24,14 +24,14 @@ const claudeCodeAdapter = {
         const result = getEnvironmentCredentialsInternal();
         if (!result)
             return undefined;
-        return { agent: AGENT_ID, type: result.type, data: result.data };
+        return { type: result.type, data: result.data };
     },
     findStoredCredentials() {
         const result = findStoredCredentialsInternal();
         if (!result)
             return undefined;
         return {
-            credentials: { agent: AGENT_ID, type: result.type, data: result.data },
+            credentials: { type: result.type, data: result.data },
             source: result.source,
         };
     },

package/dist/auth/agents/codex-auth-check.js

@@ -51,7 +51,6 @@ function getEnvironmentCredentials() {
     const environmentKey = getEnvironmentApiKey();
     if (environmentKey) {
         return {
-            agent: AGENT_ID,
             type: "api-key",
             data: { apiKey: environmentKey },
         };
@@ -64,7 +63,6 @@ function extractKeychainCredentials() {
     if (keychainAuth?.OPENAI_API_KEY) {
         return {
             credentials: {
-                agent: AGENT_ID,
                 type: "api-key",
                 data: { apiKey: keychainAuth.OPENAI_API_KEY },
             },
@@ -74,7 +72,6 @@ function extractKeychainCredentials() {
     if (keychainAuth?.tokens) {
         return {
             credentials: {
-                agent: AGENT_ID,
                 type: "oauth-credentials",
                 data: keychainAuth,
             },
@@ -89,7 +86,6 @@ function extractFileCredentials() {
     if (fileAuth?.OPENAI_API_KEY) {
         return {
             credentials: {
-                agent: AGENT_ID,
                 type: "api-key",
                 data: { apiKey: fileAuth.OPENAI_API_KEY },
             },
@@ -99,7 +95,6 @@ function extractFileCredentials() {
     if (fileAuth?.tokens) {
         return {
             credentials: {
-                agent: AGENT_ID,
                 type: "oauth-credentials",
                 data: fileAuth,
             },

package/dist/auth/agents/codex.js

@@ -35,7 +35,7 @@ const codexAdapter = {
             const data = parsed;
             // Determine type from data structure
             const type = data.api_key ? "api-key" : "oauth-credentials";
-            return { agent: AGENT_ID, type, data };
+            return { type, data };
         }
         catch {
             return undefined;

package/dist/auth/agents/copilot-storage.d.ts

@@ -9,13 +9,24 @@
 declare function getConfigDirectory(): string;
 /** Get the default config file path */
 declare function getConfigFilePath(): string;
-/** Load token from keychain */
-declare function loadKeychainToken(host?: string): string | undefined;
+/**
+ * Load token from keychain.
+ *
+ * Searches by service only — the Copilot CLI stores credentials under the
+ * GitHub username (from the OAuth response), which may differ in case from
+ * the OS username ($USER). Service-only search avoids that mismatch.
+ */
+declare function loadKeychainToken(): string | undefined;
 /** Save token to keychain */
 declare function saveKeychainToken(token: string, host?: string): boolean;
 /** Delete token from keychain */
-declare function deleteKeychainToken(host?: string): boolean;
-/** Load token from config file */
+declare function deleteKeychainToken(): boolean;
+/**
+ * Load token from config file.
+ *
+ * Matches by host prefix — the Copilot CLI stores tokens under the GitHub
+ * username (from OAuth), which may differ in case from $USER.
+ */
 declare function loadFileToken(host?: string): string | undefined;
 /** Save token to config file */
 declare function saveFileToken(token: string, host?: string): boolean;

package/dist/auth/agents/copilot-storage.js

@@ -8,7 +8,7 @@
 import { existsSync, renameSync, unlinkSync, writeFileSync } from "node:fs";
 import path from "node:path";
 import { ensureDirectory, loadJsonFile, saveJsonFile, } from "../file-storage.js";
-import { deleteFromKeychain, isMacOS, loadFromKeychain, saveToKeychain, } from "../keychain.js";
+import { deleteFromKeychainByService, isMacOS, loadFromKeychainByService, saveToKeychain, } from "../keychain.js";
 import { getResolvedConfigDirectory } from "../resolve-config-directory.js";
 const KEYCHAIN_SERVICE = "copilot-cli";
 const DEFAULT_HOST = "https://github.com";
@@ -24,30 +24,28 @@ function getConfigFilePath() {
 function getUsername() {
     return process.env.USER ?? process.env.USERNAME ?? "user";
 }
-/** Build keychain account key */
-function getKeychainAccount(host = DEFAULT_HOST) {
-    return `${host}:${getUsername()}`;
-}
-/** Load token from keychain */
-function loadKeychainToken(host = DEFAULT_HOST) {
-    if (!isMacOS())
-        return undefined;
-    const account = getKeychainAccount(host);
-    return loadFromKeychain(KEYCHAIN_SERVICE, account);
+/**
+ * Load token from keychain.
+ *
+ * Searches by service only — the Copilot CLI stores credentials under the
+ * GitHub username (from the OAuth response), which may differ in case from
+ * the OS username ($USER). Service-only search avoids that mismatch.
+ */
+function loadKeychainToken() {
+    return loadFromKeychainByService(KEYCHAIN_SERVICE);
 }
 /** Save token to keychain */
 function saveKeychainToken(token, host = DEFAULT_HOST) {
     if (!isMacOS())
         return false;
-    const account = getKeychainAccount(host);
+    // Remove any existing entry first (handles username case mismatches)
+    deleteFromKeychainByService(KEYCHAIN_SERVICE);
+    const account = `${host}:${getUsername()}`;
     return saveToKeychain(KEYCHAIN_SERVICE, account, token);
 }
 /** Delete token from keychain */
-function deleteKeychainToken(host = DEFAULT_HOST) {
-    if (!isMacOS())
-        return false;
-    const account = getKeychainAccount(host);
-    return deleteFromKeychain(KEYCHAIN_SERVICE, account);
+function deleteKeychainToken() {
+    return deleteFromKeychainByService(KEYCHAIN_SERVICE);
 }
 /** Load config file */
 function loadConfig() {
@@ -57,17 +55,36 @@ function loadConfig() {
 function saveConfig(config) {
     return saveJsonFile(getConfigFilePath(), config, { mode: 0o600 });
 }
-/** Load token from config file */
+/** Find the first token key matching a host prefix */
+function findTokenKeyForHost(tokens, host) {
+    const prefix = `${host}:`;
+    return Object.keys(tokens).find((key) => key.startsWith(prefix));
+}
+/**
+ * Load token from config file.
+ *
+ * Matches by host prefix — the Copilot CLI stores tokens under the GitHub
+ * username (from OAuth), which may differ in case from $USER.
+ */
 function loadFileToken(host = DEFAULT_HOST) {
     const config = loadConfig();
-    return config?.copilot_tokens?.[`${host}:${getUsername()}`];
+    if (!config?.copilot_tokens)
+        return undefined;
+    const key = findTokenKeyForHost(config.copilot_tokens, host);
+    return key ? config.copilot_tokens[key] : undefined;
 }
 /** Save token to config file */
 function saveFileToken(token, host = DEFAULT_HOST) {
     const config = loadConfig() ?? {};
     const key = `${host}:${getUsername()}`;
+    // Rebuild tokens without any stale entry for this host (handles username case mismatches)
+    const existing = config.copilot_tokens ?? {};
+    const staleKey = findTokenKeyForHost(existing, host);
+    const filtered = staleKey && staleKey !== key
+        ? Object.fromEntries(Object.entries(existing).filter(([k]) => k !== staleKey))
+        : existing;
     config.copilot_tokens = {
-        ...config.copilot_tokens,
+        ...filtered,
         [key]: token,
     };
     config.store_token_plaintext = true;
@@ -78,12 +95,10 @@ function deleteFileToken(host = DEFAULT_HOST) {
     const config = loadConfig();
     if (!config?.copilot_tokens)
         return false;
-    const key = `${host}:${getUsername()}`;
-    if (!(key in config.copilot_tokens))
+    const key = findTokenKeyForHost(config.copilot_tokens, host);
+    if (!key)
         return false;
-    // Remove the token by filtering out the key
     const remainingTokens = Object.fromEntries(Object.entries(config.copilot_tokens).filter(([k]) => k !== key));
-    // If no tokens left, remove the whole section
     if (Object.keys(remainingTokens).length === 0) {
         const rest = Object.fromEntries(Object.entries(config).filter(([k]) => k !== "copilot_tokens" && k !== "store_token_plaintext"));
         return saveConfig(rest);

package/dist/auth/agents/copilot.js

@@ -27,8 +27,8 @@ const copilotAdapter = {
         }
         const methodMap = {
             environment: `Token (${result.environmentVariable})`,
-            keychain: "Token (keychain)",
-            file: "Token (file)",
+            keychain: "OAuth (keychain)",
+            file: "OAuth (file)",
             "gh-cli": "GitHub CLI",
         };
         return {
@@ -42,7 +42,6 @@ const copilotAdapter = {
         if (!token)
             return undefined;
         return {
-            agent: AGENT_ID,
             type: "oauth-token",
             data: { accessToken: token },
         };
@@ -55,7 +54,6 @@ const copilotAdapter = {
         const source = result.source === "keychain" ? "keychain" : "file";
         return {
             credentials: {
-                agent: AGENT_ID,
                 type: "oauth-token",
                 data: { accessToken: result.token },
             },

package/dist/auth/agents/gemini.js

@@ -34,7 +34,6 @@ const geminiAdapter = {
         if (!result?.data)
             return undefined;
         return {
-            agent: AGENT_ID,
             type: "api-key",
             data: result.data,
         };
@@ -47,7 +46,6 @@ const geminiAdapter = {
         if (result.source === "api-key" || result.source === "vertex-ai") {
             return {
                 credentials: {
-                    agent: AGENT_ID,
                     type: "api-key",
                     data: result.data,
                 },
@@ -57,7 +55,6 @@ const geminiAdapter = {
         // OAuth credentials from keychain or file - return source separately
         return {
             credentials: {
-                agent: AGENT_ID,
                 type: "oauth-credentials",
                 data: result.data,
             },

package/dist/auth/agents/opencode-credentials.js

@@ -44,8 +44,6 @@ function buildCredentials(provider, entry) {
     if (!parsed.success)
         return undefined;
     return {
-        agent: AGENT_ID,
-        provider,
         type: mapToCredentialType(parsed.data),
         data: entry,
     };

package/dist/auth/agents/opencode-storage.js

@@ -21,15 +21,16 @@ function installCredentials(creds, options) {
         if (!existsSync(targetDirectory)) {
             mkdirSync(targetDirectory, { recursive: true, mode: 0o700 });
         }
-        // OpenCode requires per-provider credentials
-        if (creds.agent !== "opencode" || !creds.provider) {
+        // OpenCode requires per-provider credentials via options
+        const rawProvider = options?.provider;
+        if (!rawProvider) {
             return {
                 ok: false,
-                message: "Bundled credential format is no longer supported for OpenCode; please provide per-provider credentials.",
+                message: "OpenCode requires provider option for credential installation.",
             };
         }
         // Validate provider key is non-empty (defensive check for programmatic use)
-        const provider = creds.provider.trim();
+        const provider = rawProvider.trim();
         if (provider.length === 0) {
             return { ok: false, message: "Provider name cannot be empty" };
         }

package/dist/auth/agents/opencode.js

@@ -76,9 +76,7 @@ const opencodeAdapter = {
         }
         return {
             credentials: {
-                agent: AGENT_ID,
                 type: mapToCredentialType(parsed.data),
-                provider: normalizedProvider,
                 data: entry,
             },
             source: "file",
@@ -108,9 +106,7 @@ const opencodeAdapter = {
             if (!parsed.success)
                 return undefined;
             return {
-                agent: AGENT_ID,
                 type: mapToCredentialType(parsed.data),
-                provider: targetProvider,
                 data: entry,
             };
         }

package/dist/auth/build-refreshed-credentials.d.ts

@@ -1,18 +1,18 @@
 /**
- * Build refreshed credentials with provider context preserved.
+ * Build refreshed credentials from refresh operation output.
  */
 import type { Credentials } from "./types.js";
 /**
- * Build refreshed credentials, preserving provider context.
+ * Build refreshed credentials from the refresh operation.
  *
- * For OpenCode (per-provider), extracts the specific provider's refreshed data.
- * For other agents, uses the refreshed data directly.
+ * Returns the refreshed type and data. Provider context is handled
+ * by the caller, not embedded in credentials.
  *
- * @param originalCreds - Original credentials
+ * @param _originalCreds - Original credentials (reserved for future validation)
  * @param refreshedCreds - Credentials returned from refresh operation
  * @returns Built credentials or error message
  */
-declare function buildRefreshedCredentials(originalCreds: Credentials, refreshedCreds: Credentials): {
+declare function buildRefreshedCredentials(_originalCreds: Credentials, refreshedCreds: Credentials): {
     ok: true;
     credentials: Credentials;
 } | {

package/dist/auth/build-refreshed-credentials.js

@@ -1,60 +1,20 @@
 /**
- * Build refreshed credentials with provider context preserved.
+ * Build refreshed credentials from refresh operation output.
  */
 /**
- * Build refreshed credentials, preserving provider context.
+ * Build refreshed credentials from the refresh operation.
  *
- * For OpenCode (per-provider), extracts the specific provider's refreshed data.
- * For other agents, uses the refreshed data directly.
+ * Returns the refreshed type and data. Provider context is handled
+ * by the caller, not embedded in credentials.
  *
- * @param originalCreds - Original credentials
+ * @param _originalCreds - Original credentials (reserved for future validation)
  * @param refreshedCreds - Credentials returned from refresh operation
  * @returns Built credentials or error message
  */
-function buildRefreshedCredentials(originalCreds, refreshedCreds) {
-    // OpenCode per-provider refresh: verify provider matches and use data directly
-    if (originalCreds.agent === "opencode" && originalCreds.provider) {
-        const normalizedProvider = originalCreds.provider.trim();
-        // refreshedCreds from loadCredentialsFromDirectory is now per-provider format:
-        // - refreshedCreds.provider = the provider name
-        // - refreshedCreds.data = the provider's auth entry directly
-        if (refreshedCreds.agent !== "opencode") {
-            return {
-                ok: false,
-                error: `Provider '${normalizedProvider}' not found in refreshed credentials`,
-            };
-        }
-        // TypeScript narrows to OpenCodeCredentials which has provider as required
-        // (z.string().trim().min(1) in axshared) - NOT optional despite Credentials union
-        if (refreshedCreds.provider.trim() !== normalizedProvider) {
-            return {
-                ok: false,
-                error: `Provider '${normalizedProvider}' not found in refreshed credentials`,
-            };
-        }
-        return {
-            ok: true,
-            credentials: {
-                agent: originalCreds.agent,
-                type: refreshedCreds.type,
-                provider: normalizedProvider,
-                data: refreshedCreds.data,
-            },
-        };
-    }
-    // Standard agent refresh: use refreshed data
-    // Both originalCreds and refreshedCreds are standard agents here (not OpenCode)
-    if (originalCreds.agent === "opencode") {
-        // TypeScript narrowing: unreachable, but satisfies type checker
-        return {
-            ok: false,
-            error: "Unexpected OpenCode credential without provider",
-        };
-    }
+function buildRefreshedCredentials(_originalCreds, refreshedCreds) {
     return {
         ok: true,
         credentials: {
-            agent: originalCreds.agent,
             type: refreshedCreds.type,
             data: refreshedCreds.data,
         },

package/dist/auth/extract-creds-from-directory.js

@@ -31,7 +31,7 @@ function extractCredsFromDirectory(agentId, directory, fileName, transform) {
         const data = transform ? transform(record) : record;
         if (!data)
             return undefined;
-        return { agent: agentId, type: "oauth-credentials", data };
+        return { type: "oauth-credentials", data };
     }
     catch {
         return undefined;

package/dist/auth/install-from-environment.js

@@ -63,13 +63,6 @@ async function installCredentialsFromEnvironmentCore(parameters) {
     }
     // Install all credentials
     for (const credentials of credentialsList.credentials) {
-        // Defense-in-depth: verify each credential matches the target agent
-        if (credentials.agent !== parameters.agent) {
-            return {
-                ok: false,
-                error: `Credential agent mismatch: expected '${parameters.agent}', got '${credentials.agent}'`,
-            };
-        }
         const result = parameters.installCredentials(credentials, {
             configDir: parameters.configDir,
             dataDir: parameters.dataDir,

package/dist/auth/keychain.d.ts

@@ -9,4 +9,8 @@ declare function loadFromKeychain(service: string, account: string): string | un
 declare function saveToKeychain(service: string, account: string, data: string): boolean;
 /** Delete entry from macOS Keychain */
 declare function deleteFromKeychain(service: string, account: string): boolean;
-export { deleteFromKeychain, isMacOS, loadFromKeychain, saveToKeychain };
+/** Load data from macOS Keychain by service only (any account) */
+declare function loadFromKeychainByService(service: string): string | undefined;
+/** Delete entry from macOS Keychain by service only (first match) */
+declare function deleteFromKeychainByService(service: string): boolean;
+export { deleteFromKeychain, deleteFromKeychainByService, isMacOS, loadFromKeychain, loadFromKeychainByService, saveToKeychain, };

package/dist/auth/keychain.js

@@ -53,4 +53,32 @@ function deleteFromKeychain(service, account) {
         return false;
     }
 }
-export { deleteFromKeychain, isMacOS, loadFromKeychain, saveToKeychain };
+/** Load data from macOS Keychain by service only (any account) */
+function loadFromKeychainByService(service) {
+    if (!isMacOS()) {
+        return undefined;
+    }
+    try {
+        const result = execFileSync("security", ["find-generic-password", "-s", service, "-w"], { encoding: "utf8", stdio: ["pipe", "pipe", "pipe"] });
+        return result.trim();
+    }
+    catch {
+        return undefined;
+    }
+}
+/** Delete entry from macOS Keychain by service only (first match) */
+function deleteFromKeychainByService(service) {
+    if (!isMacOS()) {
+        return false;
+    }
+    try {
+        execFileSync("security", ["delete-generic-password", "-s", service], {
+            stdio: ["pipe", "pipe", "pipe"],
+        });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export { deleteFromKeychain, deleteFromKeychainByService, isMacOS, loadFromKeychain, loadFromKeychainByService, saveToKeychain, };

package/dist/auth/refresh-credentials.d.ts

@@ -4,6 +4,7 @@
  * Refreshes credentials by running the agent in an isolated temp config,
  * triggering its internal auth refresh mechanism.
  */
+import type { AgentCli } from "axshared";
 import { type Credentials } from "./types.js";
 /** Options for credential refresh */
 interface RefreshOptions {
@@ -32,7 +33,7 @@ type RefreshResult = {
  * @param options - Refresh options (timeout, provider for multi-provider agents)
  * @returns RefreshResult with new credentials or error
  */
-declare function refreshCredentials(creds: Credentials, options?: RefreshOptions): Promise<RefreshResult>;
+declare function refreshCredentials(agentId: AgentCli, creds: Credentials, options?: RefreshOptions): Promise<RefreshResult>;
 /** Result of refresh and persist operation */
 type RefreshAndPersistResult = {
     ok: true;
@@ -42,7 +43,7 @@ type RefreshAndPersistResult = {
     staleCredentials: Credentials;
 };
 /** Install function type for refreshAndPersist */
-type InstallFunction = (creds: Credentials, options?: {
+type InstallFunction = (agentId: AgentCli, creds: Credentials, options?: {
     storage?: "keychain" | "file";
 }) => {
     ok: boolean;
@@ -55,12 +56,13 @@ type InstallFunction = (creds: Credentials, options?: {
  * 1. Refreshes credentials via agent subprocess
  * 2. Persists refreshed credentials to the specified storage location
  *
+ * @param agentId - Agent identifier
  * @param creds - Original credentials
  * @param installFunction - Function to install credentials (avoids circular import)
  * @param options - Refresh options including storage type
  * @returns Refreshed credentials or original credentials on failure
  */
-declare function refreshAndPersist(creds: Credentials, installFunction: InstallFunction, options?: RefreshOptions): Promise<RefreshAndPersistResult>;
+declare function refreshAndPersist(agentId: AgentCli, creds: Credentials, installFunction: InstallFunction, options?: RefreshOptions): Promise<RefreshAndPersistResult>;
 /** Result of refreshing an opaque credential blob */
 type RefreshBlobResult = {
     ok: true;
@@ -70,6 +72,11 @@ type RefreshBlobResult = {
     ok: false;
     error: string;
 };
+/** Options for refreshBlob, extending refresh options with routing metadata */
+interface RefreshBlobOptions extends RefreshOptions {
+    /** Agent identifier (required — comes from vault column) */
+    agent: AgentCli;
+}
 /**
  * Refresh credentials from an opaque blob.
  *
@@ -78,9 +85,9 @@ type RefreshBlobResult = {
  * never needs to understand the blob's internal structure.
  *
  * @param blob - Opaque credential blob (expected to be a Credentials object)
- * @param options - Refresh options (timeout)
+ * @param options - Refresh options with agent and optional provider
  * @returns RefreshBlobResult with new blob and expiresAt, or error
  */
-declare function refreshBlob(blob: unknown, options?: RefreshOptions): Promise<RefreshBlobResult>;
+declare function refreshBlob(blob: unknown, options: RefreshBlobOptions): Promise<RefreshBlobResult>;
 export { refreshAndPersist, refreshBlob, refreshCredentials };
 export type { RefreshAndPersistResult, RefreshBlobResult, RefreshOptions, RefreshResult, };

package/dist/auth/refresh-credentials.js

@@ -32,7 +32,7 @@ async function safeCleanup(directory) {
  * @param options - Refresh options (timeout, provider for multi-provider agents)
  * @returns RefreshResult with new credentials or error
  */
-async function refreshCredentials(creds, options) {
+async function refreshCredentials(agentId, creds, options) {
     const timeoutMs = options?.timeout ?? DEFAULT_REFRESH_TIMEOUT_MS;
     const deadlineMs = Date.now() + timeoutMs;
     const resolved = resolveRefreshCredentials(creds);
@@ -41,12 +41,8 @@ async function refreshCredentials(creds, options) {
     }
     // Run agent with a minimal prompt to trigger internal token refresh.
     // preserveConfigDirectory keeps the temp dir so we can read refreshed credentials.
-    // For OpenCode, use explicit provider option or fall back to credentials.provider.
-    const provider = options?.provider ??
-        (resolved.credentials.agent === "opencode"
-            ? resolved.credentials.provider
-            : undefined);
-    const resultPromise = runAgent(resolved.credentials.agent, {
+    const provider = options?.provider;
+    const resultPromise = runAgent(agentId, {
         prompt: "ping",
         credentials: resolved.credentials,
         provider,
@@ -96,7 +92,7 @@ async function refreshCredentials(creds, options) {
         if (!directories) {
             return { ok: false, error: "No directories in execution metadata" };
         }
-        const refreshedCredentials = await waitForRefreshedCredentials(resolved.credentials.agent, directories, deadlineMs, { provider });
+        const refreshedCredentials = await waitForRefreshedCredentials(agentId, directories, deadlineMs, { provider });
         if (!refreshedCredentials) {
             return { ok: false, error: "No credentials found after refresh" };
         }
@@ -123,20 +119,23 @@ async function refreshCredentials(creds, options) {
  * 1. Refreshes credentials via agent subprocess
  * 2. Persists refreshed credentials to the specified storage location
  *
+ * @param agentId - Agent identifier
  * @param creds - Original credentials
  * @param installFunction - Function to install credentials (avoids circular import)
  * @param options - Refresh options including storage type
  * @returns Refreshed credentials or original credentials on failure
  */
-async function refreshAndPersist(creds, installFunction, options) {
-    const result = await refreshCredentials(creds, options);
+async function refreshAndPersist(agentId, creds, installFunction, options) {
+    const result = await refreshCredentials(agentId, creds, options);
     if (!result.ok) {
         console.error(`Warning: Token refresh failed: ${result.error}`);
         return { ok: false, staleCredentials: creds };
     }
     // Persist refreshed credentials back to storage
     const storage = options?.storage ?? "file";
-    const installResult = installFunction(result.credentials, { storage });
+    const installResult = installFunction(agentId, result.credentials, {
+        storage,
+    });
     if (!installResult.ok) {
         console.error(`Warning: Failed to save refreshed credentials: ${installResult.message}`);
     }
@@ -150,7 +149,7 @@ async function refreshAndPersist(creds, installFunction, options) {
  * never needs to understand the blob's internal structure.
  *
  * @param blob - Opaque credential blob (expected to be a Credentials object)
- * @param options - Refresh options (timeout)
+ * @param options - Refresh options with agent and optional provider
  * @returns RefreshBlobResult with new blob and expiresAt, or error
  */
 async function refreshBlob(blob, options) {
@@ -160,7 +159,7 @@ async function refreshBlob(blob, options) {
         return { ok: false, error: "Invalid credential format" };
     }
     // Refresh using existing function
-    const result = await refreshCredentials(credentials, options);
+    const result = await refreshCredentials(options.agent, credentials, options);
     if (!result.ok) {
         return { ok: false, error: result.error };
     }

package/dist/auth/registry.d.ts

@@ -92,7 +92,7 @@ declare function findCredentialsFromDirectory(agentId: AgentCli, options: Extrac
  * const result = installCredentials(creds, { storage: "keychain" });
  * if (!result.ok) { console.error(result.message); }
  */
-declare function installCredentials(creds: Credentials, options?: InstallOptions): OperationResult;
+declare function installCredentials(agentId: AgentCli, creds: Credentials, options?: InstallOptions): OperationResult;
 /**
  * Remove credentials for an agent.
  *
@@ -117,7 +117,7 @@ declare function removeCredentials(agentId: AgentCli, options?: RemoveOptions):
  * const token = await getAccessToken(creds);
  * const token = await getAccessToken(creds, { skipRefresh: true });
  */
-declare function getAccessToken(creds: Credentials, options?: TokenOptions): Promise<string | undefined>;
+declare function getAccessToken(agentId: AgentCli, creds: Credentials, options?: TokenOptions): Promise<string | undefined>;
 /**
  * Get access token for an agent by ID.
  *
@@ -136,7 +136,7 @@ declare function getAgentAccessToken(agentId: AgentCli, options?: TokenOptions):
  * const env = credentialsToEnvironment(creds);
  * Object.assign(process.env, env);
  */
-declare function credentialsToEnvironment(creds: Credentials): Record<string, string>;
+declare function credentialsToEnvironment(agentId: AgentCli, creds: Credentials): Record<string, string>;
 /**
  * Get the conventional environment variable name for agent credentials.
  *

package/dist/auth/registry.js

@@ -128,8 +128,8 @@ function findCredentialsFromDirectory(agentId, options) {
  * const result = installCredentials(creds, { storage: "keychain" });
  * if (!result.ok) { console.error(result.message); }
  */
-function installCredentials(creds, options) {
-    return ADAPTERS[creds.agent].installCredentials(creds, options);
+function installCredentials(agentId, creds, options) {
+    return ADAPTERS[agentId].installCredentials(creds, options);
 }
 /**
  * Remove credentials for an agent.
@@ -157,8 +157,8 @@ function removeCredentials(agentId, options) {
  * const token = await getAccessToken(creds);
  * const token = await getAccessToken(creds, { skipRefresh: true });
  */
-async function getAccessToken(creds, options) {
-    const token = ADAPTERS[creds.agent].getAccessToken(creds, options);
+async function getAccessToken(agentId, creds, options) {
+    const token = ADAPTERS[agentId].getAccessToken(creds, options);
     // No token found
     if (!token)
         return undefined;
@@ -177,13 +177,13 @@ async function getAccessToken(creds, options) {
     if (expired !== true)
         return token; // Valid or no expiry info
     // Refresh and persist
-    const result = await refreshAndPersist(creds, installCredentials, {
+    const result = await refreshAndPersist(agentId, creds, (aid, c, installOptions) => installCredentials(aid, c, installOptions), {
         timeout: options?.refreshTimeout,
         provider: options?.provider,
         storage: options?.storage,
     });
     const finalCreds = result.ok ? result.credentials : result.staleCredentials;
-    return ADAPTERS[creds.agent].getAccessToken(finalCreds, options);
+    return ADAPTERS[agentId].getAccessToken(finalCreds, options);
 }
 /**
  * Get access token for an agent by ID.
@@ -202,7 +202,7 @@ async function getAgentAccessToken(agentId, options) {
     if (!stored)
         return undefined;
     // Pass the source to getAccessToken so refresh preserves storage location
-    return getAccessToken(stored.credentials, {
+    return getAccessToken(agentId, stored.credentials, {
         ...options,
         storage: options?.storage ?? stored.source,
     });
@@ -214,8 +214,8 @@ async function getAgentAccessToken(agentId, options) {
  * const env = credentialsToEnvironment(creds);
  * Object.assign(process.env, env);
  */
-function credentialsToEnvironment(creds) {
-    return ADAPTERS[creds.agent].credentialsToEnvironment(creds);
+function credentialsToEnvironment(agentId, creds) {
+    return ADAPTERS[agentId].credentialsToEnvironment(creds);
 }
 /**
  * Get the conventional environment variable name for agent credentials.
@@ -251,7 +251,7 @@ function getCredentialsEnvironmentVariableName(agent) {
 function installCredentialsFromEnvironmentVariable(agent, options) {
     return installCredentialsFromEnvironmentCore({
         agent,
-        installCredentials,
+        installCredentials: (creds, installOptions) => installCredentials(agent, creds, installOptions),
         configDir: options?.configDir,
         dataDir: options?.dataDir,
     });

package/dist/auth/wait-for-refreshed-credentials.d.ts

@@ -1,11 +1,12 @@
 /**
  * Polls for refreshed credentials to appear after agent execution.
  */
+import type { AgentCli } from "axshared";
 import type { ExecutionDirectories } from "axexec";
 import type { Credentials } from "./types.js";
 interface WaitOptions {
     /** Provider ID for multi-provider agents (OpenCode) */
     provider?: string;
 }
-declare function waitForRefreshedCredentials(agent: Credentials["agent"], directories: ExecutionDirectories, deadlineMs: number, options?: WaitOptions): Promise<Credentials | undefined>;
+declare function waitForRefreshedCredentials(agent: AgentCli, directories: ExecutionDirectories, deadlineMs: number, options?: WaitOptions): Promise<Credentials | undefined>;
 export { waitForRefreshedCredentials };

package/dist/cli.js

@@ -84,6 +84,7 @@ program
 program
     .command("encrypt")
     .description("Encrypt raw credentials to encrypted format")
+    .requiredOption("-a, --agent <agent>", `Agent the credentials belong to (${AGENT_CLIS.join(", ")})`)
     .requiredOption("--input <file>", "Raw credentials file path")
     .option("--output <file>", "Output file path (use - for stdout)")
     .option("--no-password", "Use default password (no prompt)")
@@ -161,12 +162,11 @@ vault
     .option("--json", "Pretty-print JSON output")
     .addHelpText("after", `
 Environment variables (option 1 - single JSON):
-  AXVAULT           JSON config: {"url":"...","apiKey":"...","credentialName":"..."}
+  AXVAULT           JSON config: {"url":"...","apiKey":"..."}
 
 Environment variables (option 2 - individual):
   AXVAULT_URL       Vault server URL (required)
   AXVAULT_API_KEY   API key for authentication (required)
-  AXVAULT_CREDENTIAL  Default credential name (optional)
 
 Output modes:
   (default)   Output credentials as JSON

package/dist/commands/auth.js

@@ -37,7 +37,7 @@ async function handleAuthToken(options) {
         return;
     }
     // Extract the token based on credential type
-    const token = await getAccessToken(creds, { provider: options.provider });
+    const token = await getAccessToken(agentId, creds, { provider: options.provider });
     if (!token) {
         const providerHint = options.provider
             ? ` for provider '${options.provider}'`

package/dist/commands/encrypt.d.ts

@@ -4,6 +4,7 @@
  * Encrypts raw credentials to encrypted format.
  */
 interface EncryptOptions {
+    agent: string;
     input: string;
     output?: string;
     password: boolean;

package/dist/commands/encrypt.js

@@ -7,9 +7,13 @@ import { existsSync, readFileSync, renameSync, writeFileSync } from "node:fs";
 import promptPassword from "@inquirer/password";
 import { parseCredentialsOrArray } from "../auth/types.js";
 import { DEFAULT_PASSWORD, encrypt, toBase64 } from "../crypto.js";
+import { validateAgent } from "./validate-agent.js";
 /** Handle encrypt command */
 async function handleEncrypt(options) {
     const isStdout = options.output === "-";
+    const agentId = validateAgent(options.agent);
+    if (!agentId)
+        return;
     if (!options.output) {
         console.error("Error: --output is required (use - for stdout)");
         process.exitCode = 2;
@@ -42,24 +46,6 @@ async function handleEncrypt(options) {
             process.exitCode = 1;
             return;
         }
-        // Extract agent ID and validate all credentials are for the same agent
-        const firstCred = Array.isArray(creds) ? creds[0] : creds;
-        if (!firstCred) {
-            console.error("Error: No credentials found in input file");
-            process.exitCode = 1;
-            return;
-        }
-        const agentId = firstCred.agent;
-        // For arrays, verify all credentials are for the same agent
-        if (Array.isArray(creds)) {
-            const mixedAgent = creds.find((c) => c.agent !== agentId);
-            if (mixedAgent) {
-                console.error(`Error: Mixed agents in credentials array (found '${mixedAgent.agent}', expected '${agentId}')`);
-                console.error("All credentials in an array must be for the same agent");
-                process.exitCode = 1;
-                return;
-            }
-        }
         // Get password
         const userPassword = options.password
             ? await promptPassword({ message: "Encryption password" })

package/dist/commands/install-credentials.js

@@ -10,7 +10,7 @@ import { parseCredentials } from "../auth/types.js";
 import { fromBase64, tryDecrypt } from "../crypto.js";
 import { validateAgent } from "./validate-agent.js";
 /** Parse decrypted content as single credential or array of credentials */
-function parseDecryptedCredentials(parsed, agentId) {
+function parseDecryptedCredentials(parsed) {
     // Handle array of credentials (OpenCode per-provider format)
     if (Array.isArray(parsed)) {
         const credentials = [];
@@ -19,13 +19,6 @@ function parseDecryptedCredentials(parsed, agentId) {
             if (!cred) {
                 return { ok: false, error: "Invalid credentials format in array" };
             }
-            // Defense-in-depth: verify each credential matches the target agent
-            if (cred.agent !== agentId) {
-                return {
-                    ok: false,
-                    error: `Credential agent mismatch: expected '${agentId}', got '${cred.agent}'`,
-                };
-            }
             credentials.push(cred);
         }
         if (credentials.length === 0) {
@@ -38,13 +31,6 @@ function parseDecryptedCredentials(parsed, agentId) {
     if (!cred) {
         return { ok: false, error: "Invalid credentials format" };
     }
-    // Defense-in-depth: verify credential matches the target agent
-    if (cred.agent !== agentId) {
-        return {
-            ok: false,
-            error: `Decrypted credentials are for '${cred.agent}', not '${agentId}'`,
-        };
-    }
     return { ok: true, credentials: [cred] };
 }
 /** Handle auth install-credentials command */
@@ -87,7 +73,7 @@ async function handleAuthInstall(options) {
         });
         const parsed = JSON.parse(decrypted);
         // Parse and validate credentials (handles both single and array formats)
-        const parseResult = parseDecryptedCredentials(parsed, agentId);
+        const parseResult = parseDecryptedCredentials(parsed);
         if (!parseResult.ok) {
             console.error(`Error: ${parseResult.error}`);
             process.exitCode = 1;
@@ -95,7 +81,7 @@ async function handleAuthInstall(options) {
         }
         // Install all credentials
         for (const cred of parseResult.credentials) {
-            const result = installCredentials(cred, {
+            const result = installCredentials(agentId, cred, {
                 configDir: options.configDir,
                 dataDir: options.dataDir,
                 storage,

package/dist/commands/vault.js

@@ -73,7 +73,7 @@ async function handleVaultFetch(options) {
     }
     if (options.env) {
         // Output shell export commands (for eval/source)
-        const environmentVariables = credentialsToEnvironment(credentials);
+        const environmentVariables = credentialsToEnvironment(agentId, credentials);
         const environmentEntries = Object.entries(environmentVariables);
         if (environmentEntries.length === 0) {
             console.error("Warning: No environment variables to export for this credential type");
@@ -92,7 +92,7 @@ async function handleVaultFetch(options) {
     }
     else if (options.install) {
         // Install credentials locally (writes to file)
-        const installResult = installCredentials(credentials, {
+        const installResult = installCredentials(agentId, credentials, {
             configDir: options.configDir,
             dataDir: options.dataDir,
         });
@@ -169,6 +169,7 @@ async function handleVaultPush(options) {
         agentId,
         name: options.name,
         credentials,
+        provider: options.provider,
     });
     if (!result.ok) {
         console.error(`Error: ${FAILURE_MESSAGES[result.reason]}`);

package/dist/vault/vault-client.d.ts

@@ -59,6 +59,8 @@ interface VaultPushOptions {
     name: string;
     /** Credentials to push */
     credentials: Credentials;
+    /** Provider for multi-provider agents (e.g., "anthropic" for OpenCode) */
+    provider?: string;
 }
 /**
  * Push credentials to the axvault server.
@@ -72,7 +74,7 @@ interface VaultPushOptions {
  * const result = await pushVaultCredentials({
  *   agentId: "claude",
  *   name: "ci",
- *   credentials: { agent: "claude", type: "oauth-credentials", data: { ... } }
+ *   credentials: { type: "oauth-credentials", data: { ... } }
  * });
  * if (result.ok) {
  *   console.log("Credentials pushed successfully");

package/dist/vault/vault-client.js

@@ -105,7 +105,7 @@ async function fetchVaultCredentials(options) {
  * const result = await pushVaultCredentials({
  *   agentId: "claude",
  *   name: "ci",
- *   credentials: { agent: "claude", type: "oauth-credentials", data: { ... } }
+ *   credentials: { type: "oauth-credentials", data: { ... } }
  * });
  * if (result.ok) {
  *   console.log("Credentials pushed successfully");
@@ -128,15 +128,11 @@ async function pushVaultCredentials(options) {
                 Accept: "application/json",
                 "User-Agent": "axauth-vault-client",
             },
-            // agent and name are in the URL path (RESTful resource identifier);
-            // body contains only the credential payload to avoid redundancy
             body: JSON.stringify({
+                agent: options.agentId,
                 type: options.credentials.type,
                 data: options.credentials.data,
-                // Include provider only for OpenCode credentials
-                ...(options.credentials.agent === "opencode" && {
-                    provider: options.credentials.provider,
-                }),
+                ...(options.provider !== undefined && { provider: options.provider }),
             }),
         });
         // Handle error responses

package/dist/vault/vault-config.d.ts

@@ -11,8 +11,6 @@ interface VaultConfig {
     url: string;
     /** API key for authentication */
     apiKey: string;
-    /** Default credential name to fetch (e.g., "ci", "prod") */
-    credentialName?: string;
 }
 /**
  * Get vault configuration from environment variables.
@@ -20,23 +18,21 @@ interface VaultConfig {
  * Supports two configuration methods (checked in order):
  *
  * 1. Single JSON env var:
- *    - `AXVAULT`: JSON object with url, apiKey, and optional credentialName
+ *    - `AXVAULT`: JSON object with url and apiKey
  *
  * 2. Individual env vars:
  *    - `AXVAULT_URL`: Vault server URL (required)
  *    - `AXVAULT_API_KEY`: API key for authentication (required)
- *    - `AXVAULT_CREDENTIAL`: Default credential name (optional)
  *
  * @returns Vault configuration if configured, undefined otherwise
  *
  * @example
  * // Option 1: Single JSON env var
- * // AXVAULT='{"url":"https://vault.axkit.dev","apiKey":"axv_sk_xxx","credentialName":"ci"}'
+ * // AXVAULT='{"url":"https://vault.axkit.dev","apiKey":"axv_sk_xxx"}'
  *
  * // Option 2: Individual env vars
  * // AXVAULT_URL=https://vault.axkit.dev
  * // AXVAULT_API_KEY=axv_sk_xxx
- * // AXVAULT_CREDENTIAL=ci
  *
  * const config = getVaultConfig();
  * if (config) {

package/dist/vault/vault-config.js

@@ -7,11 +7,12 @@
  */
 import { z } from "zod";
 /** Zod schema for vault config JSON */
-const VaultConfigJson = z.object({
+const VaultConfigJson = z
+    .object({
     url: z.string(),
     apiKey: z.string(),
-    credentialName: z.string().optional(),
-});
+})
+    .strict();
 /**
  * Validate and normalize a vault URL.
  *
@@ -44,7 +45,6 @@ function parseVaultConfigJson() {
         return {
             url,
             apiKey: parsed.apiKey,
-            credentialName: parsed.credentialName,
         };
     }
     catch {
@@ -58,23 +58,21 @@ function parseVaultConfigJson() {
  * Supports two configuration methods (checked in order):
  *
  * 1. Single JSON env var:
- *    - `AXVAULT`: JSON object with url, apiKey, and optional credentialName
+ *    - `AXVAULT`: JSON object with url and apiKey
  *
  * 2. Individual env vars:
  *    - `AXVAULT_URL`: Vault server URL (required)
  *    - `AXVAULT_API_KEY`: API key for authentication (required)
- *    - `AXVAULT_CREDENTIAL`: Default credential name (optional)
  *
  * @returns Vault configuration if configured, undefined otherwise
  *
  * @example
  * // Option 1: Single JSON env var
- * // AXVAULT='{"url":"https://vault.axkit.dev","apiKey":"axv_sk_xxx","credentialName":"ci"}'
+ * // AXVAULT='{"url":"https://vault.axkit.dev","apiKey":"axv_sk_xxx"}'
  *
  * // Option 2: Individual env vars
  * // AXVAULT_URL=https://vault.axkit.dev
  * // AXVAULT_API_KEY=axv_sk_xxx
- * // AXVAULT_CREDENTIAL=ci
  *
  * const config = getVaultConfig();
  * if (config) {
@@ -98,7 +96,6 @@ function getVaultConfig() {
     return {
         url,
         apiKey,
-        credentialName: process.env.AXVAULT_CREDENTIAL,
     };
 }
 /**

package/package.json

@@ -2,7 +2,7 @@
   "name": "axauth",
   "author": "Łukasz Jerciński",
   "license": "MIT",
-  "version": "3.1.2",
+  "version": "3.1.5",
   "description": "Authentication management library and CLI for AI coding agents",
   "repository": {
     "type": "git",
@@ -70,8 +70,8 @@
     "@commander-js/extra-typings": "^14.0.0",
     "@inquirer/password": "^5.0.4",
     "axconfig": "^3.6.3",
-    "axexec": "^1.7.0",
-    "axshared": "^4.0.0",
+    "axexec": "^2.0.0",
+    "axshared": "^5.0.0",
     "commander": "^14.0.2",
     "zod": "^4.3.5"
   },