axconfig 1.0.0

package/dist/auth/agents/opencode.js

@@ -0,0 +1,62 @@
+/**
+ * OpenCode auth detection and credential extraction.
+ */
+import { existsSync, readFileSync } from "node:fs";
+import { homedir } from "node:os";
+import path from "node:path";
+const AGENT_ID = "opencode";
+function getAuthFilePath() {
+    const xdgData = process.env.XDG_DATA_HOME ?? path.join(homedir(), ".local/share");
+    return path.join(xdgData, "opencode", "auth.json");
+}
+/** Check OpenCode auth status */
+function checkAuth() {
+    const authFile = getAuthFilePath();
+    if (!existsSync(authFile)) {
+        return { agentId: AGENT_ID, authenticated: false };
+    }
+    try {
+        const auth = JSON.parse(readFileSync(authFile, "utf8"));
+        const providers = Object.keys(auth);
+        const firstProvider = providers[0];
+        if (firstProvider !== undefined) {
+            const firstAuth = auth[firstProvider];
+            const method = firstAuth?.type === "oauth"
+                ? "OAuth"
+                : firstAuth?.type === "api"
+                    ? "API key"
+                    : "Well-known";
+            return {
+                agentId: AGENT_ID,
+                authenticated: true,
+                method: providers.length > 1
+                    ? `${method} (${providers.length} providers)`
+                    : method,
+                details: { providers },
+            };
+        }
+    }
+    catch {
+        // Invalid JSON
+    }
+    return { agentId: AGENT_ID, authenticated: false };
+}
+/** Extract OpenCode credentials */
+function extractCredentials() {
+    const authFile = getAuthFilePath();
+    if (!existsSync(authFile)) {
+        return undefined;
+    }
+    try {
+        const auth = JSON.parse(readFileSync(authFile, "utf8"));
+        const providers = Object.keys(auth);
+        if (providers.length > 0) {
+            return { agent: AGENT_ID, type: "oauth", data: auth };
+        }
+    }
+    catch {
+        // Invalid JSON
+    }
+    return undefined;
+}
+export { checkAuth, extractCredentials };

package/dist/auth/check-auth.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Auth detection for AI coding agents.
+ *
+ * Checks credential presence for each agent without making API calls.
+ */
+import type { AgentId } from "../types.js";
+import type { AuthStatus } from "./types.js";
+/** Check auth status for a specific agent */
+declare function checkAuth(agentId: AgentId): AuthStatus;
+/** Check auth status for all agents */
+declare function checkAllAuth(): AuthStatus[];
+export { checkAuth, checkAllAuth };
+export type { AuthStatus } from "./types.js";

package/dist/auth/check-auth.js

@@ -0,0 +1,24 @@
+/**
+ * Auth detection for AI coding agents.
+ *
+ * Checks credential presence for each agent without making API calls.
+ */
+import { checkAuth as checkClaudeCode } from "./agents/claude-code.js";
+import { checkAuth as checkCodex } from "./agents/codex.js";
+import { checkAuth as checkGemini } from "./agents/gemini.js";
+import { checkAuth as checkOpenCode } from "./agents/opencode.js";
+const AUTH_CHECKERS = {
+    "claude-code": checkClaudeCode,
+    codex: checkCodex,
+    gemini: checkGemini,
+    opencode: checkOpenCode,
+};
+/** Check auth status for a specific agent */
+function checkAuth(agentId) {
+    return AUTH_CHECKERS[agentId]();
+}
+/** Check auth status for all agents */
+function checkAllAuth() {
+    return Object.values(AUTH_CHECKERS).map((checker) => checker());
+}
+export { checkAuth, checkAllAuth };

package/dist/auth/extract-credentials.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Credential extraction for AI coding agents.
+ *
+ * Extracts full credential data from each agent's storage for export.
+ */
+import type { AgentId } from "../types.js";
+import type { Credentials } from "./types.js";
+/** Extract credentials for a specific agent */
+declare function extractCredentials(agentId: AgentId): Credentials | undefined;
+export { extractCredentials };
+export type { Credentials } from "./types.js";

package/dist/auth/extract-credentials.js

@@ -0,0 +1,20 @@
+/**
+ * Credential extraction for AI coding agents.
+ *
+ * Extracts full credential data from each agent's storage for export.
+ */
+import { extractCredentials as extractClaudeCode } from "./agents/claude-code.js";
+import { extractCredentials as extractCodex } from "./agents/codex.js";
+import { extractCredentials as extractGemini } from "./agents/gemini.js";
+import { extractCredentials as extractOpenCode } from "./agents/opencode.js";
+const EXTRACTORS = {
+    "claude-code": extractClaudeCode,
+    codex: extractCodex,
+    gemini: extractGemini,
+    opencode: extractOpenCode,
+};
+/** Extract credentials for a specific agent */
+function extractCredentials(agentId) {
+    return EXTRACTORS[agentId]();
+}
+export { extractCredentials };

package/dist/auth/get-access-token.d.ts

@@ -0,0 +1,35 @@
+/**
+ * Access token extraction from agent credentials.
+ *
+ * Provides functions to extract access tokens from credentials
+ * and convert credentials to environment variables.
+ */
+import type { AgentId } from "../types.js";
+import type { Credentials } from "./types.js";
+/**
+ * Extract access token from credentials.
+ *
+ * Returns the primary access token (OAuth token or API key) from
+ * the credential data based on agent type.
+ */
+declare function getAccessToken(creds: Credentials): string | undefined;
+/**
+ * Get access token for an agent.
+ *
+ * Convenience function that extracts credentials and returns the access token.
+ *
+ * @example
+ * const token = getAgentAccessToken("claude-code");
+ * if (token) {
+ *   // Use token for API calls
+ * }
+ */
+declare function getAgentAccessToken(agentId: AgentId): string | undefined;
+/**
+ * Convert credentials to environment variables.
+ *
+ * Returns a record of environment variable names to values that can be
+ * used to authenticate the agent via environment.
+ */
+declare function credentialsToEnvironment(creds: Credentials): Record<string, string>;
+export { credentialsToEnvironment, getAccessToken, getAgentAccessToken };

package/dist/auth/get-access-token.js

@@ -0,0 +1,116 @@
+/**
+ * Access token extraction from agent credentials.
+ *
+ * Provides functions to extract access tokens from credentials
+ * and convert credentials to environment variables.
+ */
+import { extractCredentials } from "./extract-credentials.js";
+/**
+ * Extract access token from credentials.
+ *
+ * Returns the primary access token (OAuth token or API key) from
+ * the credential data based on agent type.
+ */
+function getAccessToken(creds) {
+    const data = creds.data;
+    switch (creds.agent) {
+        case "claude-code": {
+            if (creds.type === "oauth" && typeof data.accessToken === "string") {
+                return data.accessToken;
+            }
+            if (creds.type === "api-key" && typeof data.apiKey === "string") {
+                return data.apiKey;
+            }
+            break;
+        }
+        case "codex": {
+            if (creds.type === "api-key" && typeof data.apiKey === "string") {
+                return data.apiKey;
+            }
+            if (creds.type === "oauth" && typeof data.access_token === "string") {
+                return data.access_token;
+            }
+            break;
+        }
+        case "gemini": {
+            if (creds.type === "api-key" && typeof data.apiKey === "string") {
+                return data.apiKey;
+            }
+            if (creds.type === "oauth" && typeof data.access_token === "string") {
+                return data.access_token;
+            }
+            break;
+        }
+        case "opencode": {
+            // OpenCode stores provider tokens; return first available
+            for (const provider of Object.values(data)) {
+                if (provider &&
+                    typeof provider === "object" &&
+                    "access_token" in provider &&
+                    typeof provider.access_token === "string") {
+                    return provider.access_token;
+                }
+            }
+            break;
+        }
+    }
+    return undefined;
+}
+/**
+ * Get access token for an agent.
+ *
+ * Convenience function that extracts credentials and returns the access token.
+ *
+ * @example
+ * const token = getAgentAccessToken("claude-code");
+ * if (token) {
+ *   // Use token for API calls
+ * }
+ */
+function getAgentAccessToken(agentId) {
+    const creds = extractCredentials(agentId);
+    if (!creds)
+        return undefined;
+    return getAccessToken(creds);
+}
+/**
+ * Convert credentials to environment variables.
+ *
+ * Returns a record of environment variable names to values that can be
+ * used to authenticate the agent via environment.
+ */
+function credentialsToEnvironment(creds) {
+    const environment = {};
+    const data = creds.data;
+    switch (creds.agent) {
+        case "claude-code": {
+            if (creds.type === "oauth" && typeof data.accessToken === "string") {
+                environment.CLAUDE_CODE_OAUTH_TOKEN = data.accessToken;
+            }
+            else if (creds.type === "api-key" && typeof data.apiKey === "string") {
+                environment.ANTHROPIC_API_KEY = data.apiKey;
+            }
+            break;
+        }
+        case "codex": {
+            if (creds.type === "api-key" && typeof data.apiKey === "string") {
+                environment.OPENAI_API_KEY = data.apiKey;
+            }
+            // OAuth tokens for Codex require auth.json file, not env vars
+            break;
+        }
+        case "gemini": {
+            if (creds.type === "api-key" && typeof data.apiKey === "string") {
+                environment.GEMINI_API_KEY = data.apiKey;
+            }
+            // OAuth tokens for Gemini require oauth_creds.json file
+            break;
+        }
+        case "opencode": {
+            // OpenCode requires auth.json file, no env var support
+            break;
+        }
+    }
+    return environment;
+}
+export { credentialsToEnvironment, getAccessToken, getAgentAccessToken };

package/dist/auth/types.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Shared types for auth module.
+ */
+import type { AgentId } from "../types.js";
+/** Auth status for an agent */
+interface AuthStatus {
+    agentId: AgentId;
+    authenticated: boolean;
+    method?: string;
+    /** Additional details (e.g., provider list for opencode) */
+    details?: Record<string, unknown>;
+}
+/** Extracted credential data */
+interface Credentials {
+    agent: AgentId;
+    type: "oauth" | "api-key";
+    data: Record<string, unknown>;
+}
+export type { AuthStatus, Credentials };

package/dist/auth/types.js

@@ -0,0 +1,4 @@
+/**
+ * Shared types for auth module.
+ */
+export {};

package/dist/build-agent-config.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Build agent-specific configuration from CLI options.
+ */
+import type { AgentId, PermissionIssue } from "./types.js";
+/** Result of building agent config from CLI options */
+type AgentConfigResult = {
+    ok: true;
+    env: Record<string, string>;
+    warnings: PermissionIssue[];
+} | {
+    ok: false;
+    exitCode: number;
+    errors: PermissionIssue[];
+} | {
+    ok: false;
+    exitCode: number;
+    message: string;
+};
+/** Options for building agent config */
+interface BuildAgentConfigOptions {
+    agentId: AgentId;
+    allow: string | undefined;
+    deny: string | undefined;
+    output: string;
+}
+/**
+ * Build agent-specific config from CLI permission options.
+ *
+ * Parses --allow and --deny options, validates them against agent capabilities,
+ * and returns the environment variables needed to pass config to the agent.
+ */
+declare function buildAgentConfig(options: BuildAgentConfigOptions): AgentConfigResult;
+/**
+ * Format permission errors for display.
+ */
+declare function formatPermissionErrors(errors: PermissionIssue[]): string;
+/**
+ * Format permission warnings for display.
+ */
+declare function formatPermissionWarnings(warnings: PermissionIssue[]): string;
+export { buildAgentConfig, formatPermissionErrors, formatPermissionWarnings };

package/dist/build-agent-config.js

@@ -0,0 +1,79 @@
+/**
+ * Build agent-specific configuration from CLI options.
+ */
+import { getConfigBuilder } from "./builder.js";
+import { formatRule, parsePermissions } from "./parse-permissions.js";
+/**
+ * Build agent-specific config from CLI permission options.
+ *
+ * Parses --allow and --deny options, validates them against agent capabilities,
+ * and returns the environment variables needed to pass config to the agent.
+ */
+function buildAgentConfig(options) {
+    const { agentId, allow, deny, output } = options;
+    // Parse permissions
+    let axrunConfig = {};
+    if (allow !== undefined || deny !== undefined) {
+        try {
+            const permissions = parsePermissions(allow ? [allow] : [], deny ? [deny] : []);
+            axrunConfig = { permissions };
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            return {
+                ok: false,
+                exitCode: 2,
+                message: `Invalid permission syntax: ${message}`,
+            };
+        }
+    }
+    // Build agent-specific config
+    const configBuilder = getConfigBuilder(agentId);
+    if (!configBuilder) {
+        // No config builder for this agent - return empty config
+        return {
+            ok: true,
+            env: {},
+            warnings: [],
+        };
+    }
+    const buildResult = configBuilder.build(axrunConfig, output);
+    if (!buildResult.ok) {
+        return {
+            ok: false,
+            exitCode: 1,
+            errors: buildResult.errors,
+        };
+    }
+    return {
+        ok: true,
+        env: buildResult.env,
+        warnings: buildResult.warnings,
+    };
+}
+/**
+ * Format permission errors for display.
+ */
+function formatPermissionErrors(errors) {
+    const lines = [
+        "Error: Cannot run agent with specified permissions:",
+        "",
+    ];
+    for (const error of errors) {
+        const suggestionLines = error.suggestions.map((s) => `      • ${s}`);
+        lines.push(`  ✗ ${formatRule(error.rule)}`, `    ${error.reason}`, "    Suggestions:", ...suggestionLines, "");
+    }
+    return lines.join("\n");
+}
+/**
+ * Format permission warnings for display.
+ */
+function formatPermissionWarnings(warnings) {
+    const lines = [];
+    for (const warning of warnings) {
+        const suggestionLines = warning.suggestions.map((s) => `    • ${s}`);
+        lines.push(`⚠ Warning: Rule "${formatRule(warning.rule)}" was REMOVED`, `  ${warning.reason}`, "  Suggestions:", ...suggestionLines, "");
+    }
+    return lines.join("\n");
+}
+export { buildAgentConfig, formatPermissionErrors, formatPermissionWarnings };

package/dist/builder.d.ts

@@ -0,0 +1,19 @@
+/**
+ * ConfigBuilder registry.
+ *
+ * Each agent registers its ConfigBuilder to translate AxrunConfig
+ * into agent-specific configuration files.
+ */
+import type { AgentId, ConfigBuilder } from "./types.js";
+/**
+ * Register a config builder for an agent.
+ * Called by each agent's config-builder module on import.
+ */
+declare function registerConfigBuilder(builder: ConfigBuilder): void;
+/**
+ * Get the config builder for an agent.
+ *
+ * @returns The config builder, or undefined if not registered
+ */
+declare function getConfigBuilder(agentId: AgentId): ConfigBuilder | undefined;
+export { getConfigBuilder, registerConfigBuilder };

package/dist/builder.js

@@ -0,0 +1,27 @@
+/**
+ * ConfigBuilder registry.
+ *
+ * Each agent registers its ConfigBuilder to translate AxrunConfig
+ * into agent-specific configuration files.
+ */
+/** Registry of config builders by agent ID */
+const configBuilders = new Map();
+/**
+ * Register a config builder for an agent.
+ * Called by each agent's config-builder module on import.
+ */
+function registerConfigBuilder(builder) {
+    if (configBuilders.has(builder.agentId)) {
+        throw new Error(`ConfigBuilder for "${builder.agentId}" is already registered`);
+    }
+    configBuilders.set(builder.agentId, builder);
+}
+/**
+ * Get the config builder for an agent.
+ *
+ * @returns The config builder, or undefined if not registered
+ */
+function getConfigBuilder(agentId) {
+    return configBuilders.get(agentId);
+}
+export { getConfigBuilder, registerConfigBuilder };

package/dist/cli.d.ts

@@ -0,0 +1,10 @@
+#!/usr/bin/env node
+/**
+ * axconfig - AI agent configuration CLI.
+ *
+ * Manages configurations for AI coding agents.
+ */
+import "./agents/claude-code.js";
+import "./agents/codex.js";
+import "./agents/gemini.js";
+import "./agents/opencode.js";

package/dist/cli.js

@@ -0,0 +1,79 @@
+#!/usr/bin/env node
+/**
+ * axconfig - AI agent configuration CLI.
+ *
+ * Manages configurations for AI coding agents.
+ */
+import { Command } from "@commander-js/extra-typings";
+import packageJson from "../package.json" with { type: "json" };
+import { handleAuthExport, handleAuthList, handleAuthToken, } from "./commands/auth.js";
+import { handleCreate } from "./commands/create.js";
+import { AGENT_IDS } from "./types.js";
+// Import to trigger self-registration
+import "./agents/claude-code.js";
+import "./agents/codex.js";
+import "./agents/gemini.js";
+import "./agents/opencode.js";
+// Handle SIGINT gracefully
+process.on("SIGINT", () => {
+    console.error("\nInterrupted");
+    process.exit(130); // 128 + SIGINT(2)
+});
+const program = new Command()
+    .name(packageJson.name)
+    .description(packageJson.description)
+    .version(packageJson.version, "-V, --version")
+    .showHelpAfterError("(add --help for additional information)")
+    .showSuggestionAfterError()
+    .helpCommand(false)
+    .addHelpText("after", String.raw `
+Examples:
+  # Create config and source it in current shell
+  eval $(axconfig create --agent claude-code --output /tmp/cfg --allow read)
+
+  # List authenticated agents
+  axconfig auth list
+
+  # Filter to show only authenticated agents
+  axconfig auth list | tail -n +2 | awk -F'\t' '$2 == "authenticated"'
+
+  # Get access token for an agent
+  axconfig auth token --agent claude-code
+
+  # Export credentials for CI/CD
+  axconfig auth export --agent claude-code --output creds.json --no-password`);
+program
+    .command("create")
+    .description("Create agent-specific configuration")
+    .requiredOption("-a, --agent <agent>", `Agent to configure (${AGENT_IDS.join(", ")})`)
+    .requiredOption("--output <dir>", "Directory to write config files")
+    .option("--allow <rules>", "Comma-separated permissions to allow (e.g., 'read,glob,bash:git *')")
+    .option("--deny <rules>", "Comma-separated permissions to deny (e.g., 'bash:rm *,read:.env')")
+    .option("--format <format>", "Output format: env (shell export), json", "env")
+    .option("--with-credentials <file>", "Path to encrypted credentials file (from 'auth export')")
+    .action(handleCreate);
+// =============================================================================
+// Auth Commands
+// =============================================================================
+const auth = program
+    .command("auth")
+    .description("Manage agent credentials")
+    .helpCommand(false);
+auth
+    .command("list")
+    .description("List agents and their auth status")
+    .option("--json", "Output as JSON")
+    .action(handleAuthList);
+auth
+    .command("token")
+    .description("Get access token for an agent")
+    .requiredOption("-a, --agent <agent>", `Agent to get token from (${AGENT_IDS.join(", ")})`)
+    .action(handleAuthToken);
+auth
+    .command("export")
+    .description("Export credentials to encrypted file")
+    .requiredOption("-a, --agent <agent>", `Agent to export credentials from (${AGENT_IDS.join(", ")})`)
+    .requiredOption("--output <file>", "Output file path")
+    .option("--no-password", "Use default password (no prompt)")
+    .action(handleAuthExport);
+await program.parseAsync(process.argv);

package/dist/commands/auth.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Auth commands - manage agent credentials.
+ */
+/** Handle auth list command */
+declare function handleAuthList(options: {
+    json?: true;
+}): void;
+/** Handle auth token command */
+declare function handleAuthToken(options: {
+    agent: string;
+}): void;
+interface AuthExportOptions {
+    agent: string;
+    output: string;
+    password: boolean;
+}
+/** Handle auth export command */
+declare function handleAuthExport(options: AuthExportOptions): Promise<void>;
+export { handleAuthExport, handleAuthList, handleAuthToken };

package/dist/commands/auth.js

@@ -0,0 +1,87 @@
+/**
+ * Auth commands - manage agent credentials.
+ */
+import { renameSync, writeFileSync } from "node:fs";
+import promptPassword from "@inquirer/password";
+import { checkAllAuth } from "../auth/check-auth.js";
+import { extractCredentials } from "../auth/extract-credentials.js";
+import { getAccessToken } from "../auth/get-access-token.js";
+import { DEFAULT_PASSWORD, encrypt, toBase64 } from "../crypto.js";
+import { AGENT_IDS } from "../types.js";
+/** Handle auth list command */
+function handleAuthList(options) {
+    const statuses = checkAllAuth();
+    if (options.json) {
+        console.log(JSON.stringify(statuses, undefined, 2));
+    }
+    else {
+        printAuthTable(statuses);
+    }
+}
+/** Handle auth token command */
+function handleAuthToken(options) {
+    const { agent } = options;
+    // Validate agent
+    if (!AGENT_IDS.includes(agent)) {
+        console.error(`Error: Unknown agent '${agent}'`);
+        console.error(`Supported agents: ${AGENT_IDS.join(", ")}`);
+        process.exitCode = 2;
+        return;
+    }
+    const creds = extractCredentials(agent);
+    if (!creds) {
+        console.error(`Error: No credentials found for ${agent}`);
+        process.exitCode = 1;
+        return;
+    }
+    // Extract the token based on credential type
+    const token = getAccessToken(creds);
+    if (!token) {
+        console.error(`Error: No access token available for ${agent}`);
+        process.exitCode = 1;
+        return;
+    }
+    // Output just the token (no newline for piping)
+    process.stdout.write(token);
+}
+/** Handle auth export command */
+async function handleAuthExport(options) {
+    const { agent } = options;
+    // Validate agent
+    if (!AGENT_IDS.includes(agent)) {
+        console.error(`Error: Unknown agent '${agent}'`);
+        console.error(`Supported agents: ${AGENT_IDS.join(", ")}`);
+        process.exitCode = 2;
+        return;
+    }
+    const creds = extractCredentials(agent);
+    if (!creds) {
+        console.error(`Error: No credentials found for ${agent}`);
+        process.exitCode = 1;
+        return;
+    }
+    // Get password
+    const userPassword = options.password
+        ? await promptPassword({ message: "Encryption password" })
+        : DEFAULT_PASSWORD;
+    // Encrypt and write atomically (write to temp, then rename)
+    const encrypted = encrypt(JSON.stringify(creds), userPassword);
+    const file = { version: 1, agent, ...toBase64(encrypted) };
+    const temporaryFile = `${options.output}.tmp.${Date.now()}`;
+    writeFileSync(temporaryFile, JSON.stringify(file, undefined, 2), {
+        mode: 0o600,
+    });
+    renameSync(temporaryFile, options.output);
+    console.error(`Credentials exported to ${options.output}`);
+}
+/** Print auth status as TSV table */
+function printAuthTable(statuses) {
+    // Header row (UPPERCASE for visibility)
+    console.log("AGENT\tSTATUS\tMETHOD");
+    // Data rows
+    for (const s of statuses) {
+        const status = s.authenticated ? "authenticated" : "not_configured";
+        console.log(`${s.agentId}\t${status}\t${s.method ?? ""}`);
+    }
+}
+export { handleAuthExport, handleAuthList, handleAuthToken };