axconfig 1.0.0

package/dist/agents/gemini.js

@@ -0,0 +1,156 @@
+/**
+ * Gemini CLI ConfigBuilder.
+ *
+ * Translates AxrunConfig into Gemini CLI's TOML policy format.
+ *
+ * Gemini CLI supports:
+ * - Tool permissions via [[rule]] with toolName
+ * - Bash patterns via commandPrefix
+ * - Does NOT support path restrictions
+ */
+import { mkdirSync, writeFileSync } from "node:fs";
+import path from "node:path";
+import { registerConfigBuilder } from "../builder.js";
+/** Gemini CLI tool name mapping */
+const TOOL_MAP = {
+    read: "read_file",
+    write: "write_file",
+    edit: "edit_file",
+    bash: "run_shell_command",
+    glob: "glob",
+    grep: "grep",
+    web: "web_fetch",
+};
+/** Gemini CLI capabilities */
+const CAPABILITIES = {
+    toolPermissions: true,
+    bashPatterns: true,
+    pathRestrictions: false, // Gemini doesn't support path patterns
+    canDenyRead: true,
+};
+/**
+ * Generate TOML rule for tool permissions.
+ */
+function generateToolRule(toolNames, decision, priority) {
+    if (toolNames.length === 0)
+        return "";
+    const toolNameValue = toolNames.length === 1 ? `"${toolNames[0]}"` : JSON.stringify(toolNames);
+    return `[[rule]]
+toolName = ${toolNameValue}
+decision = "${decision}"
+priority = ${priority}`;
+}
+/**
+ * Generate TOML rule for bash command patterns.
+ */
+function generateBashRule(patterns, decision, priority) {
+    if (patterns.length === 0)
+        return "";
+    const prefixValue = patterns.length === 1 ? `"${patterns[0]}"` : JSON.stringify(patterns);
+    return `[[rule]]
+toolName = "run_shell_command"
+commandPrefix = ${prefixValue}
+decision = "${decision}"
+priority = ${priority}`;
+}
+/**
+ * Build Gemini CLI configuration.
+ */
+function build(config, output) {
+    mkdirSync(output, { recursive: true });
+    const warnings = [];
+    const errors = [];
+    const permissions = config.permissions;
+    // Check for unsupported rules
+    if (permissions) {
+        // Check allow rules for path restrictions (not supported, will be dropped)
+        for (const rule of permissions.allow) {
+            if (rule.type === "path") {
+                warnings.push({
+                    rule,
+                    reason: "Gemini CLI does not support path restrictions",
+                    suggestions: [
+                        `Use "${rule.tool}" to allow all ${rule.tool} operations`,
+                        "Remove the path restriction",
+                    ],
+                });
+            }
+        }
+        // Check deny rules for path restrictions (not supported, must abort)
+        for (const rule of permissions.deny) {
+            if (rule.type === "path") {
+                errors.push({
+                    rule,
+                    reason: "Gemini CLI does not support path restrictions",
+                    suggestions: [
+                        `Use "${rule.tool}" to deny all ${rule.tool} operations`,
+                        "Use a different agent that supports path restrictions (e.g., claude-code)",
+                    ],
+                });
+            }
+        }
+    }
+    // If there are errors, abort
+    if (errors.length > 0) {
+        return { ok: false, errors };
+    }
+    // Create directory structure
+    const policiesDirectory = path.join(output, "policies");
+    mkdirSync(policiesDirectory, { recursive: true });
+    const rules = [];
+    if (permissions) {
+        // Collect tool permissions (excluding path rules which were warned about)
+        const allowTools = permissions.allow
+            .filter((r) => r.type === "tool")
+            .map((r) => TOOL_MAP[r.name]);
+        const denyTools = permissions.deny
+            .filter((r) => r.type === "tool")
+            .map((r) => TOOL_MAP[r.name]);
+        // Collect bash patterns
+        const allowBash = permissions.allow
+            .filter((r) => r.type === "bash")
+            .map((r) => r.pattern);
+        const denyBash = permissions.deny
+            .filter((r) => r.type === "bash")
+            .map((r) => r.pattern);
+        // Generate allow rules (high priority)
+        if (allowTools.length > 0) {
+            rules.push(generateToolRule(allowTools, "allow", 999));
+        }
+        if (allowBash.length > 0) {
+            rules.push(generateBashRule(allowBash, "allow", 998));
+        }
+        // Generate deny rules (medium priority)
+        if (denyTools.length > 0) {
+            rules.push(generateToolRule(denyTools, "deny", 500));
+        }
+        if (denyBash.length > 0) {
+            rules.push(generateBashRule(denyBash, "deny", 499));
+        }
+        // Default deny for shell commands not explicitly allowed
+        if (allowBash.length > 0 || denyBash.length > 0) {
+            rules.push(generateToolRule(["run_shell_command"], "deny", 1));
+        }
+    }
+    // Write policy file
+    const policyPath = path.join(policiesDirectory, "axconfig.toml");
+    const policyContent = rules.filter((r) => r !== "").join("\n\n");
+    writeFileSync(policyPath, policyContent || "# No rules\n");
+    // Write empty settings.json to prevent loading user settings
+    const settingsPath = path.join(output, "settings.json");
+    writeFileSync(settingsPath, "{}");
+    return {
+        ok: true,
+        env: { GEMINI_CLI_SYSTEM_SETTINGS_PATH: settingsPath },
+        warnings,
+    };
+}
+/** Gemini CLI ConfigBuilder */
+const geminiConfigBuilder = {
+    agentId: "gemini",
+    capabilities: CAPABILITIES,
+    build,
+};
+// Self-register on import
+registerConfigBuilder(geminiConfigBuilder);
+export { geminiConfigBuilder };

package/dist/agents/opencode.d.ts

@@ -0,0 +1,14 @@
+/**
+ * OpenCode ConfigBuilder.
+ *
+ * Translates AxrunConfig into OpenCode's opencode.json format.
+ *
+ * OpenCode supports:
+ * - Tool permissions via permission.{edit,bash,webfetch}
+ * - Bash patterns via permission.bash object with glob patterns
+ * - Does NOT support path restrictions
+ */
+import type { ConfigBuilder } from "../types.js";
+/** OpenCode ConfigBuilder */
+declare const openCodeConfigBuilder: ConfigBuilder;
+export { openCodeConfigBuilder };

package/dist/agents/opencode.js

@@ -0,0 +1,152 @@
+/**
+ * OpenCode ConfigBuilder.
+ *
+ * Translates AxrunConfig into OpenCode's opencode.json format.
+ *
+ * OpenCode supports:
+ * - Tool permissions via permission.{edit,bash,webfetch}
+ * - Bash patterns via permission.bash object with glob patterns
+ * - Does NOT support path restrictions
+ */
+import { mkdirSync, writeFileSync } from "node:fs";
+import path from "node:path";
+import { registerConfigBuilder } from "../builder.js";
+/** OpenCode capabilities */
+const CAPABILITIES = {
+    toolPermissions: true,
+    bashPatterns: true,
+    pathRestrictions: false, // OpenCode doesn't support path patterns
+    canDenyRead: true,
+};
+/**
+ * Build OpenCode configuration.
+ */
+function build(config, output) {
+    mkdirSync(output, { recursive: true });
+    const warnings = [];
+    const errors = [];
+    const permissions = config.permissions;
+    // Check for unsupported rules
+    if (permissions) {
+        // Path restrictions not supported - warn for allow, error for deny
+        for (const rule of permissions.allow) {
+            if (rule.type === "path") {
+                warnings.push({
+                    rule,
+                    reason: "OpenCode does not support path restrictions",
+                    suggestions: [
+                        `Use "${rule.tool}" to allow all ${rule.tool} operations`,
+                        "Remove the path restriction",
+                    ],
+                });
+            }
+        }
+        for (const rule of permissions.deny) {
+            if (rule.type === "path") {
+                errors.push({
+                    rule,
+                    reason: "OpenCode does not support path restrictions",
+                    suggestions: [
+                        `Use "${rule.tool}" to deny all ${rule.tool} operations`,
+                        "Use a different agent that supports path restrictions (e.g., claude-code)",
+                    ],
+                });
+            }
+        }
+    }
+    // If there are errors, abort
+    if (errors.length > 0) {
+        return { ok: false, errors };
+    }
+    const configPath = path.join(output, "opencode.json");
+    // Build permission config
+    const permissionConfig = {};
+    if (permissions) {
+        // Collect tool permissions
+        const allowedTools = new Set(permissions.allow
+            .filter((r) => r.type === "tool")
+            .map((r) => r.name));
+        const deniedTools = new Set(permissions.deny
+            .filter((r) => r.type === "tool")
+            .map((r) => r.name));
+        // Set edit permission (covers read, write, edit)
+        if (deniedTools.has("edit") || deniedTools.has("write")) {
+            permissionConfig.edit = "deny";
+        }
+        else if (allowedTools.has("edit") || allowedTools.has("write")) {
+            permissionConfig.edit = "allow";
+        }
+        else {
+            permissionConfig.edit = "deny"; // Default deny
+        }
+        // Set webfetch permission
+        if (deniedTools.has("web")) {
+            permissionConfig.webfetch = "deny";
+        }
+        else if (allowedTools.has("web")) {
+            permissionConfig.webfetch = "allow";
+        }
+        else {
+            permissionConfig.webfetch = "deny"; // Default deny
+        }
+        // Build bash permission with patterns
+        const allowBash = permissions.allow
+            .filter((r) => r.type === "bash")
+            .map((r) => r.pattern);
+        const denyBash = permissions.deny
+            .filter((r) => r.type === "bash")
+            .map((r) => r.pattern);
+        const bashAllowed = allowedTools.has("bash");
+        const bashDenied = deniedTools.has("bash");
+        if (bashDenied) {
+            // Deny all bash
+            permissionConfig.bash = "deny";
+        }
+        else if (allowBash.length > 0 || denyBash.length > 0) {
+            // Use pattern-based config
+            const bashConfig = {};
+            // Add allow patterns
+            for (const pattern of allowBash) {
+                bashConfig[pattern] = "allow";
+            }
+            // Add deny patterns
+            for (const pattern of denyBash) {
+                bashConfig[pattern] = "deny";
+            }
+            // Default deny for unmatched patterns
+            bashConfig["*"] = "deny";
+            permissionConfig.bash = bashConfig;
+        }
+        else if (bashAllowed) {
+            permissionConfig.bash = "allow";
+        }
+        else {
+            permissionConfig.bash = "deny"; // Default deny
+        }
+    }
+    else {
+        // No permissions = deny all
+        permissionConfig.edit = "deny";
+        permissionConfig.bash = "deny";
+        permissionConfig.webfetch = "deny";
+    }
+    // Write config file
+    const openCodeConfig = {
+        permission: permissionConfig,
+    };
+    writeFileSync(configPath, JSON.stringify(openCodeConfig, undefined, 2));
+    return {
+        ok: true,
+        env: { OPENCODE_CONFIG: configPath },
+        warnings,
+    };
+}
+/** OpenCode ConfigBuilder */
+const openCodeConfigBuilder = {
+    agentId: "opencode",
+    capabilities: CAPABILITIES,
+    build,
+};
+// Self-register on import
+registerConfigBuilder(openCodeConfigBuilder);
+export { openCodeConfigBuilder };

package/dist/auth/agents/claude-code.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Claude Code auth detection and credential extraction.
+ */
+import type { AuthStatus, Credentials } from "../types.js";
+/** Check Claude Code auth status */
+declare function checkAuth(): AuthStatus;
+/** Extract Claude Code credentials */
+declare function extractCredentials(): Credentials | undefined;
+export { checkAuth, extractCredentials };

package/dist/auth/agents/claude-code.js

@@ -0,0 +1,106 @@
+/**
+ * Claude Code auth detection and credential extraction.
+ */
+import { execSync } from "node:child_process";
+import { existsSync, readFileSync } from "node:fs";
+import { homedir } from "node:os";
+import path from "node:path";
+const AGENT_ID = "claude-code";
+/** Check Claude Code auth status */
+function checkAuth() {
+    // 1. Check env var first
+    if (process.env.CLAUDE_CODE_OAUTH_TOKEN) {
+        return { agentId: AGENT_ID, authenticated: true, method: "OAuth (env)" };
+    }
+    // 2. Check credentials store
+    if (process.platform === "darwin") {
+        // macOS: Keychain
+        try {
+            const result = execSync('security find-generic-password -a "$USER" -s "Claude Code-credentials" -w', { encoding: "utf8", stdio: ["pipe", "pipe", "pipe"] });
+            const creds = JSON.parse(result.trim());
+            if (creds.claudeAiOauth?.accessToken) {
+                const subType = creds.claudeAiOauth.subscriptionType;
+                return {
+                    agentId: AGENT_ID,
+                    authenticated: true,
+                    method: `OAuth (${subType ?? "keychain"})`,
+                };
+            }
+        }
+        catch {
+            // Not in keychain or access denied
+        }
+    }
+    else {
+        // Linux/Windows: Plaintext file
+        const configDirectory = process.env.CLAUDE_CONFIG_DIR ?? path.join(homedir(), ".claude");
+        const credsFile = path.join(configDirectory, ".credentials.json");
+        if (existsSync(credsFile)) {
+            try {
+                const creds = JSON.parse(readFileSync(credsFile, "utf8"));
+                if (creds.claudeAiOauth?.accessToken) {
+                    return { agentId: AGENT_ID, authenticated: true, method: "OAuth" };
+                }
+            }
+            catch {
+                // Invalid JSON
+            }
+        }
+    }
+    // 3. Check API key
+    if (process.env.ANTHROPIC_API_KEY) {
+        return { agentId: AGENT_ID, authenticated: true, method: "API key" };
+    }
+    return { agentId: AGENT_ID, authenticated: false };
+}
+/** Extract Claude Code credentials */
+function extractCredentials() {
+    // 1. Check env var first
+    if (process.env.CLAUDE_CODE_OAUTH_TOKEN) {
+        return {
+            agent: AGENT_ID,
+            type: "oauth",
+            data: { accessToken: process.env.CLAUDE_CODE_OAUTH_TOKEN },
+        };
+    }
+    // 2. Check credentials store
+    if (process.platform === "darwin") {
+        // macOS: Keychain
+        try {
+            const result = execSync('security find-generic-password -a "$USER" -s "Claude Code-credentials" -w', { encoding: "utf8", stdio: ["pipe", "pipe", "pipe"] });
+            const creds = JSON.parse(result.trim());
+            if (creds.claudeAiOauth) {
+                return { agent: AGENT_ID, type: "oauth", data: creds.claudeAiOauth };
+            }
+        }
+        catch {
+            // Not in keychain or access denied
+        }
+    }
+    else {
+        // Linux/Windows: Plaintext file
+        const configDirectory = process.env.CLAUDE_CONFIG_DIR ?? path.join(homedir(), ".claude");
+        const credsFile = path.join(configDirectory, ".credentials.json");
+        if (existsSync(credsFile)) {
+            try {
+                const creds = JSON.parse(readFileSync(credsFile, "utf8"));
+                if (creds.claudeAiOauth) {
+                    return { agent: AGENT_ID, type: "oauth", data: creds.claudeAiOauth };
+                }
+            }
+            catch {
+                // Invalid JSON
+            }
+        }
+    }
+    // 3. Check API key
+    if (process.env.ANTHROPIC_API_KEY) {
+        return {
+            agent: AGENT_ID,
+            type: "api-key",
+            data: { apiKey: process.env.ANTHROPIC_API_KEY },
+        };
+    }
+    return undefined;
+}
+export { checkAuth, extractCredentials };

package/dist/auth/agents/codex.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Codex auth detection and credential extraction.
+ */
+import type { AuthStatus, Credentials } from "../types.js";
+/** Check Codex auth status */
+declare function checkAuth(): AuthStatus;
+/** Extract Codex credentials */
+declare function extractCredentials(): Credentials | undefined;
+export { checkAuth, extractCredentials };

package/dist/auth/agents/codex.js

@@ -0,0 +1,75 @@
+/**
+ * Codex auth detection and credential extraction.
+ */
+import { existsSync, readFileSync } from "node:fs";
+import { homedir } from "node:os";
+import path from "node:path";
+const AGENT_ID = "codex";
+/** Check Codex auth status */
+function checkAuth() {
+    // Check env vars first
+    if (process.env.CODEX_API_KEY || process.env.OPENAI_API_KEY) {
+        return { agentId: AGENT_ID, authenticated: true, method: "API key (env)" };
+    }
+    // Check file
+    const codexHome = process.env.CODEX_HOME ?? path.join(homedir(), ".codex");
+    const authFile = path.join(codexHome, "auth.json");
+    if (existsSync(authFile)) {
+        try {
+            const auth = JSON.parse(readFileSync(authFile, "utf8"));
+            if (auth.OPENAI_API_KEY) {
+                return { agentId: AGENT_ID, authenticated: true, method: "API key" };
+            }
+            if (auth.tokens?.access_token) {
+                return {
+                    agentId: AGENT_ID,
+                    authenticated: true,
+                    method: "ChatGPT OAuth",
+                };
+            }
+        }
+        catch {
+            // Invalid JSON
+        }
+    }
+    return { agentId: AGENT_ID, authenticated: false };
+}
+/** Extract Codex credentials */
+function extractCredentials() {
+    // Check env vars first
+    const environmentKey = process.env.CODEX_API_KEY ?? process.env.OPENAI_API_KEY;
+    if (environmentKey) {
+        return {
+            agent: AGENT_ID,
+            type: "api-key",
+            data: { apiKey: environmentKey },
+        };
+    }
+    // Check file
+    const codexHome = process.env.CODEX_HOME ?? path.join(homedir(), ".codex");
+    const authFile = path.join(codexHome, "auth.json");
+    if (existsSync(authFile)) {
+        try {
+            const auth = JSON.parse(readFileSync(authFile, "utf8"));
+            if (auth.OPENAI_API_KEY) {
+                return {
+                    agent: AGENT_ID,
+                    type: "api-key",
+                    data: { apiKey: auth.OPENAI_API_KEY },
+                };
+            }
+            if (auth.tokens) {
+                return {
+                    agent: AGENT_ID,
+                    type: "oauth",
+                    data: auth.tokens,
+                };
+            }
+        }
+        catch {
+            // Invalid JSON
+        }
+    }
+    return undefined;
+}
+export { checkAuth, extractCredentials };

package/dist/auth/agents/gemini.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Gemini auth detection and credential extraction.
+ */
+import type { AuthStatus, Credentials } from "../types.js";
+/** Check Gemini auth status */
+declare function checkAuth(): AuthStatus;
+/** Extract Gemini credentials */
+declare function extractCredentials(): Credentials | undefined;
+export { checkAuth, extractCredentials };

package/dist/auth/agents/gemini.js

@@ -0,0 +1,97 @@
+/**
+ * Gemini auth detection and credential extraction.
+ */
+import { existsSync, readFileSync } from "node:fs";
+import { homedir } from "node:os";
+import path from "node:path";
+const AGENT_ID = "gemini";
+const GEMINI_DIR = path.join(homedir(), ".gemini");
+/** Check Gemini auth status */
+function checkAuth() {
+    const settingsFile = path.join(GEMINI_DIR, "settings.json");
+    if (!existsSync(settingsFile)) {
+        return { agentId: AGENT_ID, authenticated: false };
+    }
+    try {
+        const settings = JSON.parse(readFileSync(settingsFile, "utf8"));
+        const authType = settings.security?.auth?.selectedType;
+        switch (authType) {
+            case "oauth-personal": {
+                if (existsSync(path.join(GEMINI_DIR, "oauth_creds.json"))) {
+                    return {
+                        agentId: AGENT_ID,
+                        authenticated: true,
+                        method: "Google OAuth",
+                    };
+                }
+                break;
+            }
+            case "gemini-api-key": {
+                if (process.env.GEMINI_API_KEY) {
+                    return { agentId: AGENT_ID, authenticated: true, method: "API key" };
+                }
+                break;
+            }
+            case "vertex-ai": {
+                if ((process.env.GOOGLE_CLOUD_PROJECT &&
+                    process.env.GOOGLE_CLOUD_LOCATION) ||
+                    process.env.GOOGLE_API_KEY) {
+                    return {
+                        agentId: AGENT_ID,
+                        authenticated: true,
+                        method: "Vertex AI",
+                    };
+                }
+                break;
+            }
+            case "compute-default-credentials": {
+                return {
+                    agentId: AGENT_ID,
+                    authenticated: true,
+                    method: "Compute ADC",
+                };
+            }
+        }
+    }
+    catch {
+        // Invalid JSON
+    }
+    return { agentId: AGENT_ID, authenticated: false };
+}
+/** Extract Gemini credentials */
+function extractCredentials() {
+    const settingsFile = path.join(GEMINI_DIR, "settings.json");
+    if (!existsSync(settingsFile)) {
+        return undefined;
+    }
+    try {
+        const settings = JSON.parse(readFileSync(settingsFile, "utf8"));
+        const authType = settings.security?.auth?.selectedType;
+        if (authType === "oauth-personal") {
+            const oauthFile = path.join(GEMINI_DIR, "oauth_creds.json");
+            if (existsSync(oauthFile)) {
+                const oauthCreds = JSON.parse(readFileSync(oauthFile, "utf8"));
+                return { agent: AGENT_ID, type: "oauth", data: oauthCreds };
+            }
+        }
+        else if (authType === "gemini-api-key" && process.env.GEMINI_API_KEY) {
+            return {
+                agent: AGENT_ID,
+                type: "api-key",
+                data: { apiKey: process.env.GEMINI_API_KEY },
+            };
+        }
+        else if (authType === "vertex-ai" && process.env.GOOGLE_API_KEY) {
+            return {
+                agent: AGENT_ID,
+                type: "api-key",
+                data: { apiKey: process.env.GOOGLE_API_KEY },
+            };
+        }
+    }
+    catch {
+        // Invalid JSON
+    }
+    return undefined;
+}
+export { checkAuth, extractCredentials };

package/dist/auth/agents/opencode.d.ts

@@ -0,0 +1,9 @@
+/**
+ * OpenCode auth detection and credential extraction.
+ */
+import type { AuthStatus, Credentials } from "../types.js";
+/** Check OpenCode auth status */
+declare function checkAuth(): AuthStatus;
+/** Extract OpenCode credentials */
+declare function extractCredentials(): Credentials | undefined;
+export { checkAuth, extractCredentials };