axexec 1.6.0 → 1.7.0

package/README.md

@@ -1,6 +1,6 @@
 # axexec
 
-Execution engine for AI coding agents. Translates abstract inputs to agent-specific formats, runs agents in complete isolation, and normalizes output to a standard event stream.
+Execution engine for AI coding agents. Translates abstract inputs to agent-specific formats, runs agents with credential/config isolation (not an OS sandbox), and normalizes output to a standard event stream.
 
 ## What axexec Does
 
@@ -8,7 +8,9 @@ axexec is the **translation layer** between high-level tooling and agent-specifi
 
 - **Input translation**: Credentials → agent-specific files, permissions → config files, model → CLI flags
 - **Output normalization**: Claude JSONL, Codex items, Gemini events, OpenCode SSE → unified `AxexecEvent` stream
-- **Complete isolation**: Agents run in temp directories with no access to user config or global credentials
+- **Credential/config isolation**: Agents are pointed at temp directories instead of your local agent config/credential locations
+
+axexec is **not** a security boundary. It does not restrict filesystem or network access; many adapters run in permissive non-interactive modes to avoid prompts. For real enforcement, run inside an external sandbox (container/VM).
 
 ## Installation
 
@@ -48,12 +50,15 @@ axexec -a gemini "Refactor the utils module"
 axexec -a opencode "Add logging"
 axexec -a copilot "Write tests"
 
+# Run with explicit credentials JSON (from axauth export)
+axexec -a claude --credentials-file ./creds.json "Review this PR"
+
 # Specify a model
 axexec -a claude --model opus "Review this PR"
 axexec -a gemini --model gemini-2.5-pro "Refactor utils"
 
 # Set permissions
-axexec -a claude --allow 'read,glob,bash:git *' "Check git history"
+axexec -a claude --allow 'read,glob,bash:git *' "Check git history"  # best-effort
 
 # Output normalized JSONL event stream
 axexec -a claude -f jsonl "Add tests" | jq 'select(.type == "tool.call")'
@@ -86,11 +91,13 @@ axexec --list-agents | tail -n +2 | awk -F'\t' '$3 ~ /openai/ {print $1}'
 
 ```
 -a, --agent <id>           Agent to use (claude, codex, gemini, opencode, copilot)
+--cwd <path>               Working directory for the agent process
+--credentials-file <path|-> Read credentials JSON from file (or '-' for stdin)
 -p, --prompt <text>        Prompt text (alternative to positional argument)
 -m, --model <model>        Model to use (agent-specific)
---provider <provider>      Provider for OpenCode (anthropic, openai, google)
---allow <perms>            Permission rules to allow (comma-separated)
---deny <perms>             Permission rules to deny (comma-separated)
+--provider <provider>      Provider for OpenCode (e.g., anthropic, openai, google, opencode)
+--allow <perms>            Allow permissions (best-effort, comma-separated)
+--deny <perms>             Deny permissions (best-effort, comma-separated)
 -f, --format <fmt>         Output format: jsonl, tsv (default: tsv, truncated on TTY)
 --raw-log <file>           Write raw agent output to file
 --debug                    Enable debug mode (logs unknown events)
@@ -103,15 +110,15 @@ axexec --list-agents | tail -n +2 | awk -F'\t' '$3 ~ /openai/ {print $1}'
 
 ## Supported Agents
 
-| Agent    | Package                   | API Key Env Var       |
-| -------- | ------------------------- | --------------------- |
-| claude   | @anthropic-ai/claude-code | ANTHROPIC_API_KEY     |
-| codex    | @openai/codex             | OPENAI_API_KEY        |
-| gemini   | @google/gemini-cli        | GEMINI_API_KEY        |
-| opencode | opencode-ai               | ANTHROPIC_API_KEY (†) |
-| copilot  | @github/copilot           | GITHUB_TOKEN          |
+| Agent    | Package                   | API Key Env Var         |
+| -------- | ------------------------- | ----------------------- |
+| claude   | @anthropic-ai/claude-code | ANTHROPIC_API_KEY       |
+| codex    | @openai/codex             | OPENAI_API_KEY          |
+| gemini   | @google/gemini-cli        | GEMINI_API_KEY          |
+| opencode | opencode-ai               | AX_OPENCODE_CREDENTIALS |
+| copilot  | @github/copilot           | GITHUB_TOKEN            |
 
-(†) OpenCode supports multiple providers via `ANTHROPIC_API_KEY`, `OPENAI_API_KEY`, or `GEMINI_API_KEY`.
+OpenCode requires `AX_OPENCODE_CREDENTIALS` with provider-specific credentials (see [CI/CD Credentials](#cicd-credentials)).
 
 ## Event Stream
 
@@ -170,8 +177,8 @@ For OpenCode, set `AX_OPENCODE_CREDENTIALS` with your credentials. The `provider
 field must match your `--provider` flag:
 
 ```bash
-# Anthropic (provider defaults to "anthropic" if omitted)
-AX_OPENCODE_CREDENTIALS='{"agent":"opencode","type":"api-key","data":{"apiKey":"sk-ant-..."}}' \
+# Anthropic
+AX_OPENCODE_CREDENTIALS='{"agent":"opencode","type":"api-key","provider":"anthropic","data":{"apiKey":"sk-ant-..."}}' \
   axexec -a opencode --provider anthropic -m claude-sonnet-4 "Hello"
 
 # OpenAI (provider must be specified in credentials)
@@ -185,7 +192,7 @@ AX_OPENCODE_CREDENTIALS='{"agent":"opencode","type":"api-key","provider":"openco
 
 ## Isolation
 
-axexec provides complete environment isolation:
+axexec provides credential/config isolation:
 
 1. Creates a temp directory for each session
 2. Installs credentials to the temp directory
@@ -193,11 +200,14 @@ axexec provides complete environment isolation:
 4. Sets environment variables to point agents at the temp directory
 5. Cleans up the temp directory after execution
 
-Codex runs with `--dangerously-bypass-approvals-and-sandbox`, so `--allow` /
-`--deny` do not constrain Codex. Run axexec inside an external sandbox if you
-need enforcement.
+axexec is intentionally **permissive** and should not be treated as a sandbox:
+
+- It does not enforce filesystem or network restrictions
+- `--allow` / `--deny` is best-effort and may be ignored or weakened by adapter "YOLO" switches
+- Agent-internal sandbox env vars (`GEMINI_SANDBOX`, `SEATBELT_PROFILE`) are excluded from subprocess environments
+- For enforcement, run axexec inside an external sandbox (container/VM)
 
-Agents **never** access:
+Agents are configured to avoid using your local agent config/credential locations:
 
 - User's home directory config (`~/.claude`, `~/.codex`, `~/.gemini`)
 - System keychain or credential managers
@@ -212,7 +222,7 @@ Add to your `CLAUDE.md` or `AGENTS.md`:
 
 Run `npx -y axexec --help` to learn available options.
 
-Use `axexec` when you need to run a supported agent in a fully isolated environment and consume a normalized event stream. It translates credentials and permissions to agent-specific formats so your automation stays consistent across providers.
+Use `axexec` when you need to run a supported agent with credential/config isolation and consume a normalized event stream. It translates credentials and permissions to agent-specific formats so your automation stays consistent across providers.
 ```
 
 ## License

package/dist/agents/copilot/stream-session.js

@@ -23,13 +23,9 @@ async function main() {
     const copilotArguments = [
         "-p",
         prompt,
-        "--allow-all-tools",
-        // Enable network access without confirmation prompts.
-        // Copilot requires user approval for URL access by default, but other
-        // agents (Gemini, OpenCode) allow it by default. For unified behavior,
-        // enable it. This matches how --allow-all-tools works for other operations.
-        // See: copilot-cli-decompiled/copilot-source/index.js line 418918
-        "--allow-all-urls",
+        // Always run in "YOLO" mode (no prompts). This is equivalent to
+        // --allow-all-tools --allow-all-paths --allow-all-urls.
+        "--yolo",
         ...extraArguments,
     ];
     // Record existing session files
@@ -55,6 +51,11 @@ async function main() {
         const copilotBin = process.env["AXEXEC_COPILOT_PATH"] ?? "copilot";
         const child = spawn(copilotBin, copilotArguments, {
             stdio: ["ignore", "pipe", "pipe"],
+            env: {
+                ...process.env,
+                // Auto-trust folders (avoids interactive trust prompts).
+                COPILOT_ALLOW_ALL: "true",
+            },
         });
         copilotProcess = child;
         // Pipe Copilot's stdout/stderr to our stderr (for debugging)

package/dist/agents/copilot/watch-session.js

@@ -13,7 +13,9 @@ import { existsSync, readdirSync, statSync, watch, } from "node:fs";
 import { homedir } from "node:os";
 import path from "node:path";
 /** Copilot session state directory */
-const SESSION_STATE_DIR = path.join(homedir(), ".copilot", "session-state");
+const SESSION_STATE_DIR = process.env["XDG_STATE_HOME"]
+    ? path.join(process.env["XDG_STATE_HOME"], ".copilot", "session-state")
+    : path.join(homedir(), ".copilot", "session-state");
 /** Session events filename inside session directories (new format) */
 const SESSION_EVENTS_FILE = "events.jsonl";
 /**

package/dist/agents/opencode/adapter.js

@@ -14,6 +14,7 @@
  * 7. Clean up server on completion
  */
 import { registerAdapter } from "../registry.js";
+import { buildPermissionEnvironment } from "./build-permission-environment.js";
 import { cleanupSession } from "./cleanup-session.js";
 import { createSessionStartEvent } from "./create-session-start-event.js";
 import { determineSessionSuccess } from "../../determine-session-success.js";
@@ -49,7 +50,13 @@ async function* streamSession(options) {
     process.on("SIGTERM", forwardSignal);
     try {
         // 1. Spawn server
-        const server = await spawnServer({ cwd, signal, env: options.configEnv });
+        const configEnvironment = options.configEnv ?? {};
+        const permissionEnvironment = buildPermissionEnvironment(configEnvironment);
+        const server = await spawnServer({
+            cwd,
+            signal,
+            env: { ...configEnvironment, ...permissionEnvironment },
+        });
         serverProcess = server.process;
         serverUrl = server.url;
         // 2. Connect to SSE and start streaming

package/dist/agents/opencode/build-permission-environment.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Builds permissive OpenCode environment variables for headless execution.
+ *
+ * When axconfig hasn't generated an explicit OPENCODE_CONFIG_DIR (via
+ * --allow/--deny), this injects allow-all permissions to avoid interactive
+ * prompts. OpenCode's default config includes "ask" permissions that would
+ * block headless execution.
+ */
+/**
+ * Returns environment variables for permissive OpenCode execution.
+ *
+ * Returns an empty object (don't override) if:
+ * - `OPENCODE_CONFIG_DIR` is set (axconfig's explicit permissions via --allow/--deny)
+ * - `OPENCODE_PERMISSION` is already set (caller's explicit permissions)
+ */
+declare function buildPermissionEnvironment(configEnvironment: Record<string, string>): Record<string, string>;
+export { buildPermissionEnvironment };

package/dist/agents/opencode/build-permission-environment.js

@@ -0,0 +1,31 @@
+/**
+ * Builds permissive OpenCode environment variables for headless execution.
+ *
+ * When axconfig hasn't generated an explicit OPENCODE_CONFIG_DIR (via
+ * --allow/--deny), this injects allow-all permissions to avoid interactive
+ * prompts. OpenCode's default config includes "ask" permissions that would
+ * block headless execution.
+ */
+/**
+ * Returns environment variables for permissive OpenCode execution.
+ *
+ * Returns an empty object (don't override) if:
+ * - `OPENCODE_CONFIG_DIR` is set (axconfig's explicit permissions via --allow/--deny)
+ * - `OPENCODE_PERMISSION` is already set (caller's explicit permissions)
+ */
+function buildPermissionEnvironment(configEnvironment) {
+    if (configEnvironment["OPENCODE_CONFIG_DIR"] !== undefined ||
+        configEnvironment["OPENCODE_PERMISSION"] !== undefined) {
+        return {};
+    }
+    return {
+        OPENCODE_PERMISSION: JSON.stringify({
+            "*": "allow",
+            doom_loop: "allow",
+            external_directory: "allow",
+            read: "allow",
+            question: "allow",
+        }),
+    };
+}
+export { buildPermissionEnvironment };

package/dist/agents/opencode/parse-sse-event.js

@@ -110,7 +110,9 @@ function parseSSEEvent(event, state) {
             {
                 type: "session.error",
                 code: "PERMISSION_REQUIRED",
-                message: `OpenCode requires permission: ${tool}. ${title}. Pre-configure permissions in OpenCode settings.`,
+                message: `OpenCode requires permission: ${tool}. ${title}. ` +
+                    `axexec runs OpenCode non-interactively, so permission prompts are treated as errors. ` +
+                    `Use axexec --allow/--deny to pre-configure permissions.`,
                 timestamp: Date.now(),
             },
         ];

package/dist/agents/opencode/spawn-server.js

@@ -4,6 +4,7 @@
  * Handles spawning the OpenCode server process and waiting for it to start.
  */
 import { spawn } from "node:child_process";
+import { buildBaseEnvironment } from "../../build-agent-environment.js";
 import { resolveBinary } from "../../resolve-binary.js";
 /** Error thrown when server fails to start */
 class ServerStartError extends Error {
@@ -27,10 +28,20 @@ async function spawnServer(options) {
             environmentVariable: "AXEXEC_OPENCODE_PATH",
             installHint: "npm install -g opencode-ai",
         });
+        // OpenCode supports several env-based configuration overrides (OPENCODE_*).
+        // Exclude them from the host environment so axexec can run with isolated
+        // temp config/data directories instead of inheriting user settings.
+        const baseEnvironment = buildBaseEnvironment([
+            "OPENCODE_CONFIG",
+            "OPENCODE_CONFIG_CONTENT",
+            "OPENCODE_CONFIG_DIR",
+            "OPENCODE_DATA_DIR",
+            "OPENCODE_PERMISSION",
+        ]);
         const child = spawn(bin, ["serve", "--port", "0"], {
             cwd,
             stdio: ["ignore", "pipe", "pipe"],
-            env: { ...process.env, ...env },
+            env: { ...baseEnvironment, ...env },
         });
         let stderrBuffer = "";
         let resolved = false;

package/dist/build-agent-environment.js

@@ -1,10 +1,18 @@
 const VAULT_ENV_EXCLUSIONS = ["AXVAULT", "AXVAULT_URL", "AXVAULT_API_KEY"];
+// Prevent upstream CLIs from enabling their own internal sandboxing based on
+// host environment variables. axexec is intentionally insecure-by-default and
+// does not rely on agent-internal sandboxing for enforcement.
+const AGENT_INTERNAL_SANDBOX_ENV_EXCLUSIONS = [
+    "GEMINI_SANDBOX",
+    "SEATBELT_PROFILE",
+];
 function isAxCredentialEnvironment(key) {
     return key.startsWith("AX_") && key.endsWith("_CREDENTIALS");
 }
 function buildBaseEnvironment(additionalExclusions = []) {
     const allExclusions = new Set([
         ...VAULT_ENV_EXCLUSIONS,
+        ...AGENT_INTERNAL_SANDBOX_ENV_EXCLUSIONS,
         ...additionalExclusions,
     ]);
     const entries = Object.entries(process.env).flatMap(([key, value]) => {

package/dist/build-execution-metadata.d.ts

@@ -1,6 +1,5 @@
-import type { AgentCli } from "axshared";
+import type { AgentCli, Credentials } from "axshared";
 import type { RunAgentOptions, ExecutionMetadata } from "./types/run-result.js";
-import type { Credentials } from "./credentials/credentials.js";
 import type { installCredentials } from "./credentials/install-credentials.js";
 type CredentialInstallResult = Awaited<ReturnType<typeof installCredentials>>;
 /**

package/dist/build-execution-metadata.js

@@ -19,7 +19,7 @@ function buildExecutionMetadata(agentId, options, credentialResult, credentials,
     if (credentials) {
         execution.credentials = {
             type: credentials.type,
-            provider: credentials.provider,
+            provider: credentials.agent === "opencode" ? credentials.provider : undefined,
         };
     }
     return execution;

package/dist/cli.d.ts

@@ -1,12 +1,11 @@
 #!/usr/bin/env node
 /**
- * axexec CLI - Unified agent execution with isolation.
+ * axexec CLI - Unified agent execution with credential/config isolation.
  *
- * Executes AI coding agents with complete environment isolation:
- * - Credentials written to temp directory
- * - Config/permissions written to temp directory
- * - Agent pointed at temp directory via env vars
- * - Normalized event stream output
+ * axexec is a headless runner and normalization layer. It isolates agent
+ * credentials/config from your local environment via temp directories, but it
+ * is not an OS sandbox and is intentionally permissive/non-interactive by
+ * default. Use an external sandbox (container/VM) for real enforcement.
  */
 import "./agents/claude-code/adapter.js";
 import "./agents/codex/adapter.js";

package/dist/cli.js

@@ -1,12 +1,11 @@
 #!/usr/bin/env node
 /**
- * axexec CLI - Unified agent execution with isolation.
+ * axexec CLI - Unified agent execution with credential/config isolation.
  *
- * Executes AI coding agents with complete environment isolation:
- * - Credentials written to temp directory
- * - Config/permissions written to temp directory
- * - Agent pointed at temp directory via env vars
- * - Normalized event stream output
+ * axexec is a headless runner and normalization layer. It isolates agent
+ * credentials/config from your local environment via temp directories, but it
+ * is not an OS sandbox and is intentionally permissive/non-interactive by
+ * default. Use an external sandbox (container/VM) for real enforcement.
  */
 import { Command } from "@commander-js/extra-typings";
 import packageJson from "../package.json" with { type: "json" };
@@ -17,14 +16,15 @@ import "./agents/gemini/adapter.js";
 import "./agents/opencode/adapter.js";
 import "./agents/copilot/adapter.js";
 import { listAdapters } from "./agents/registry.js";
+import { readStdin } from "./read-stdin.js";
+import { resolveCredentials } from "./resolve-credentials.js";
+import { parseOutputFormat } from "./resolve-output-mode.js";
+import { resolvePrompt } from "./resolve-prompt.js";
 import { runAgent } from "./run-agent.js";
-async function readStdin() {
-    let data = "";
-    for await (const chunk of process.stdin) {
-        data += typeof chunk === "string" ? chunk : chunk.toString("utf8");
-    }
-    return data.trimEnd();
-}
+import { validateAgent } from "./validate-agent.js";
+import { validateCwd } from "./validate-cwd.js";
+import { validateProviderOptions } from "./validate-opencode-options.js";
+import { validateStdinUsage } from "./validate-stdin-usage.js";
 const program = new Command()
     .name(packageJson.name)
     .description(packageJson.description)
@@ -33,11 +33,13 @@ const program = new Command()
     .showSuggestionAfterError()
     .option("--list-agents", "List available agents")
     .option("-a, --agent <id>", "Agent to use (required)")
+    .option("--cwd <path>", "Working directory for the agent process")
+    .option("--credentials-file <path|->", "Read credentials JSON from file (or '-' for stdin)")
     .option("-p, --prompt <text>", "Prompt text")
     .option("-m, --model <model>", "Model to use")
     .option("--provider <provider>", "Provider for OpenCode (required for OpenCode)")
-    .option("--allow <perms>", "Permission rules to allow (comma-separated)")
-    .option("--deny <perms>", "Permission rules to deny (comma-separated)")
+    .option("--allow <perms>", "Allow permissions (best-effort, comma-separated)")
+    .option("--deny <perms>", "Deny permissions (best-effort, comma-separated)")
     .option("-f, --format <fmt>", "Output format: jsonl, tsv (default: tsv, truncated on TTY)")
     .option("--raw-log <file>", "Write raw agent output to file")
     .option("--debug", "Enable debug mode")
@@ -48,9 +50,11 @@ const program = new Command()
 Requirements:
   Install the agent CLIs you plan to use: claude, codex, gemini, opencode, copilot.
   Override paths: AXEXEC_CLAUDE_PATH, AXEXEC_CODEX_PATH, AXEXEC_GEMINI_PATH, AXEXEC_OPENCODE_PATH, AXEXEC_COPILOT_PATH
+  Security: axexec is not a sandbox. Run inside an external sandbox for enforcement.
 
 Examples:
   axexec -a claude "Refactor auth flow"
+  axexec -a claude --credentials-file ./creds.json "Review this PR"
   axexec -a opencode --provider anthropic -m claude-sonnet-4 "Hello"
   axexec -a claude -f jsonl "Audit deps" | jq 'select(.type=="tool.call")'
   axexec --list-agents | tail -n +2 | cut -f1
@@ -65,71 +69,89 @@ Examples:
         }
         return;
     }
-    // Get prompt from flag, positional argument, or stdin (in priority order)
-    // Only read stdin if no prompt was provided via CLI arguments to avoid
-    // blocking in CI environments with open but unused stdin.
-    const needsStdinPrompt = !options.prompt && !positionalPrompt;
-    const stdinPrompt = needsStdinPrompt && !process.stdin.isTTY ? await readStdin() : undefined;
-    const prompt = (options.prompt ??
-        positionalPrompt ??
-        stdinPrompt)?.trimEnd();
-    if (!prompt) {
-        process.stderr.write("Error: prompt is required\n");
+    if (!options.agent) {
+        process.stderr.write("Error: --agent is required\n");
         process.stderr.write("Usage: axexec --agent <id> <prompt>\n");
         process.stderr.write("Try 'axexec --help' for more information.\n");
         process.exitCode = 2;
         return;
     }
-    if (!options.agent) {
-        process.stderr.write("Error: --agent is required\n");
-        process.stderr.write("Usage: axexec --agent <id> <prompt>\n");
-        process.stderr.write("Try 'axexec --help' for more information.\n");
+    // Validate agent ID early to provide clear error before processing credentials
+    const agentValidation = validateAgent(options.agent);
+    if (!agentValidation.ok) {
+        process.stderr.write(`${agentValidation.message}\n`);
+        process.exitCode = agentValidation.exitCode;
+        return;
+    }
+    // Validate --cwd if provided
+    if (options.cwd) {
+        const cwdResult = await validateCwd(options.cwd);
+        if (!cwdResult.ok) {
+            process.stderr.write(`Error: ${cwdResult.error}\n`);
+            process.exitCode = 2;
+            return;
+        }
+    }
+    const needsStdinPrompt = !options.prompt && !positionalPrompt;
+    const stdinResult = validateStdinUsage(options.credentialsFile, needsStdinPrompt, process.stdin.isTTY);
+    if (!stdinResult.ok) {
+        process.stderr.write(`Error: ${stdinResult.error}\n`);
         process.exitCode = 2;
         return;
     }
+    // Get prompt from flag, positional argument, or stdin (in priority order)
+    // Only read stdin if no prompt was provided via CLI arguments to avoid
+    // blocking in CI environments with open but unused stdin.
+    const stdinPrompt = needsStdinPrompt &&
+        !process.stdin.isTTY &&
+        options.credentialsFile !== "-"
+        ? await readStdin()
+        : undefined;
+    const promptResult = resolvePrompt({
+        promptFlag: options.prompt,
+        positionalPrompt,
+        stdinPrompt,
+    });
+    if (!promptResult.ok) {
+        process.stderr.write(`Error: ${promptResult.error}\n`);
+        process.exitCode = 2;
+        return;
+    }
+    const { prompt } = promptResult;
     // Validate format option
     let format;
     if (options.format) {
-        if (options.format === "jsonl" || options.format === "tsv") {
-            format = options.format;
-        }
-        else {
-            process.stderr.write(`Error: Invalid format '${options.format}'\n`);
-            process.stderr.write("Valid formats: jsonl, tsv\n");
+        const formatResult = parseOutputFormat(options.format);
+        if (!formatResult.ok) {
+            process.stderr.write(`Error: ${formatResult.error}\n`);
             process.exitCode = 2;
             return;
         }
+        format = formatResult.format;
     }
-    // Validate --provider is only used with OpenCode
-    if (options.provider && options.agent !== "opencode") {
-        process.stderr.write("Error: --provider is only supported for OpenCode agent\n");
+    // Resolve credentials from --credentials-file if specified.
+    const credentialsResult = await resolveCredentials(options.credentialsFile, readStdin, options.agent);
+    if (!credentialsResult.ok) {
+        process.stderr.write(`Error: ${credentialsResult.error}\n`);
         process.exitCode = 2;
         return;
     }
-    // Validate OpenCode requires --provider
-    if (options.agent === "opencode") {
-        // Check for deprecated provider/model format
-        if (options.model?.includes("/")) {
-            const [provider, model] = options.model.split("/", 2);
-            process.stderr.write("Error: Model format 'provider/model' is no longer supported\n");
-            process.stderr.write("Use separate --provider and --model flags:\n");
-            process.stderr.write(`  axexec -a opencode --provider ${provider} -m ${model} ...\n`);
-            process.exitCode = 2;
-            return;
-        }
-        // Require --provider for OpenCode
-        if (!options.provider) {
-            process.stderr.write("Error: OpenCode requires --provider\n");
-            process.stderr.write("  axexec -a opencode --provider anthropic -m claude-sonnet-4 ...\n");
-            process.exitCode = 2;
-            return;
-        }
+    const { credentials } = credentialsResult;
+    // Validate provider options
+    const providerResult = validateProviderOptions(options.agent, options.model, options.provider, credentials);
+    if (!providerResult.ok) {
+        process.stderr.write(`Error: ${providerResult.error}\n`);
+        process.exitCode = 2;
+        return;
     }
+    const { normalizedProvider } = providerResult;
     // Run agent
     const result = await runAgent(options.agent, {
         prompt,
+        cwd: options.cwd,
+        credentials,
         model: options.model,
-        provider: options.provider,
+        provider: normalizedProvider,
         allow: options.allow,
         deny: options.deny,
         format,
@@ -138,9 +160,8 @@ Examples:
         verbose: options.verbose,
         preserveGithubSha: options.preserveGithubSha,
     });
-    // Set exit code based on success
-    if (!result.success) {
-        // eslint-disable-next-line require-atomic-updates
+    // Set exit code based on success (only if not already set to a more specific code)
+    if (!result.success && process.exitCode === undefined) {
         process.exitCode = 1;
     }
 });

package/dist/credentials/get-credential-environment.d.ts

@@ -4,7 +4,7 @@
  * Each agent has its own env var requirements. This module extracts
  * the appropriate values from Credentials and returns them as env vars.
  */
-import type { Credentials } from "./credentials.js";
+import type { Credentials } from "axshared";
 /**
  * Gets additional environment variables for credential-based auth.
  *

package/dist/credentials/get-credential-environment.js

@@ -51,7 +51,7 @@ function getCredentialEnvironment(credentials) {
         }
         case "opencode": {
             // OpenCode supports multiple providers, env var depends on provider
-            const provider = credentials.provider ?? "anthropic";
+            const provider = credentials.provider;
             if (credentials.type === "api-key" && apiKey) {
                 switch (provider) {
                     case "anthropic": {

package/dist/credentials/install-credentials.d.ts

@@ -3,11 +3,10 @@
  *
  * Writes credentials to a temporary directory in agent-specific formats,
  * then returns the environment variables needed to point the agent at that
- * directory. This ensures complete isolation - agents never discover or use
- * locally installed credentials.
+ * directory. This ensures credential isolation: agents don't discover or use
+ * locally installed credentials/config.
  */
-import { type AgentCli } from "axshared";
-import type { Credentials } from "./credentials.js";
+import { type AgentCli, type Credentials } from "axshared";
 import type { InstallResult } from "./types.js";
 type WarningWriter = (message: string) => void;
 /**

package/dist/credentials/install-credentials.js

@@ -3,8 +3,8 @@
  *
  * Writes credentials to a temporary directory in agent-specific formats,
  * then returns the environment variables needed to point the agent at that
- * directory. This ensures complete isolation - agents never discover or use
- * locally installed credentials.
+ * directory. This ensures credential isolation: agents don't discover or use
+ * locally installed credentials/config.
  */
 import { mkdirSync } from "node:fs";
 import { mkdtemp, rm } from "node:fs/promises";
@@ -57,7 +57,9 @@ function installAgentCredentials(agentId, configDirectory, dataDirectory, creden
             break;
         }
         case "opencode": {
-            installOpenCodeCredentials(dataDirectory, credentials, warn);
+            if (credentials.agent === "opencode") {
+                installOpenCodeCredentials(dataDirectory, credentials, warn);
+            }
             break;
         }
         case "copilot": {

package/dist/credentials/write-agent-credentials.d.ts

@@ -5,7 +5,7 @@
  * write credentials in the agent-specific format, extracting what
  * they need from the canonical Credentials type.
  */
-import type { Credentials } from "./credentials.js";
+import type { Credentials } from "axshared";
 type WarningWriter = (message: string) => void;
 /**
  * Installs Claude credentials to a config directory.
@@ -54,5 +54,7 @@ declare function installGeminiCredentials(configDirectory: string, credentials:
  * - oauth-credentials: Written as { [provider]: { type: "oauth", ...data } }
  * - api-key: Written as { [provider]: { type: "api", key: "..." } }
  */
-declare function installOpenCodeCredentials(dataDirectory: string, credentials: Credentials, warn?: WarningWriter): void;
+declare function installOpenCodeCredentials(dataDirectory: string, credentials: Extract<Credentials, {
+    agent: "opencode";
+}>, warn?: WarningWriter): void;
 export { installClaudeCredentials, installCodexCredentials, installGeminiCredentials, installOpenCodeCredentials, };