axusage 2.0.0 → 2.2.0

package/dist/adapters/chatgpt.js

@@ -1,5 +1,5 @@
-import { extractRawCredentials, getAccessToken } from "axauth";
 import { ApiError } from "../types/domain.js";
+import { getServiceAccessToken } from "../services/get-service-access-token.js";
 import { ChatGPTUsageResponse as ChatGPTUsageResponseSchema } from "../types/chatgpt.js";
 import { toServiceUsageData } from "./parse-chatgpt-usage.js";
 const API_URL = "https://chatgpt.com/backend-api/wham/usage";
@@ -12,24 +12,11 @@ const API_URL = "https://chatgpt.com/backend-api/wham/usage";
 export const chatGPTAdapter = {
     name: "ChatGPT",
     async fetchUsage() {
-        const credentials = extractRawCredentials("codex");
-        if (!credentials) {
-            return {
-                ok: false,
-                error: new ApiError("No Codex credentials found. Run 'codex' to authenticate."),
-            };
-        }
-        if (credentials.type !== "oauth") {
-            return {
-                ok: false,
-                error: new ApiError("ChatGPT usage API requires OAuth authentication. API key authentication is not supported for usage data."),
-            };
-        }
-        const accessToken = getAccessToken(credentials);
+        const accessToken = await getServiceAccessToken("chatgpt");
         if (!accessToken) {
             return {
                 ok: false,
-                error: new ApiError("Invalid OAuth credentials: missing access token."),
+                error: new ApiError("No Codex credentials found. Run 'codex' to authenticate."),
             };
         }
         try {

package/dist/adapters/claude.js

@@ -1,6 +1,6 @@
-import { extractRawCredentials, getAccessToken } from "axauth";
 import { z } from "zod";
 import { ApiError } from "../types/domain.js";
+import { getServiceAccessToken } from "../services/get-service-access-token.js";
 import { UsageResponse as UsageResponseSchema } from "../types/usage.js";
 import { coalesceClaudeUsageResponse } from "./coalesce-claude-usage-response.js";
 import { toServiceUsageData } from "./parse-claude-usage.js";
@@ -43,24 +43,11 @@ async function fetchPlanType(accessToken) {
 export const claudeAdapter = {
     name: "Claude",
     async fetchUsage() {
-        const credentials = extractRawCredentials("claude");
-        if (!credentials) {
-            return {
-                ok: false,
-                error: new ApiError("No Claude Code credentials found. Ensure Claude Code is installed and authenticated."),
-            };
-        }
-        if (credentials.type !== "oauth") {
-            return {
-                ok: false,
-                error: new ApiError("Claude Code usage API requires OAuth authentication. API key authentication is not supported for usage data."),
-            };
-        }
-        const accessToken = getAccessToken(credentials);
+        const accessToken = await getServiceAccessToken("claude");
         if (!accessToken) {
             return {
                 ok: false,
-                error: new ApiError("Invalid OAuth credentials: missing access token."),
+                error: new ApiError("No Claude credentials found. Run 'claude' to authenticate."),
             };
         }
         try {

package/dist/adapters/gemini.js

@@ -1,6 +1,6 @@
-import { getAgentAccessToken } from "axauth";
 import { ApiError } from "../types/domain.js";
 import { fetchGeminiQuota, fetchGeminiProject, } from "../services/gemini-api.js";
+import { getServiceAccessToken } from "../services/get-service-access-token.js";
 import { toServiceUsageData } from "./parse-gemini-usage.js";
 /**
  * Gemini service adapter using direct API access.
@@ -11,7 +11,7 @@ import { toServiceUsageData } from "./parse-gemini-usage.js";
 export const geminiAdapter = {
     name: "Gemini",
     async fetchUsage() {
-        const accessToken = getAgentAccessToken("gemini");
+        const accessToken = await getServiceAccessToken("gemini");
         if (!accessToken) {
             return {
                 ok: false,

package/dist/config/credential-sources.d.ts

@@ -0,0 +1,38 @@
+/**
+ * Configuration for credential sources per service.
+ *
+ * Supports three modes:
+ * - "local": Use local credentials from axauth (default behavior)
+ * - "vault": Fetch credentials from axvault server
+ * - "auto": Try vault first if configured and credential name provided, fallback to local
+ */
+import { z } from "zod";
+/** Credential source type */
+declare const CredentialSourceType: z.ZodEnum<{
+    auto: "auto";
+    local: "local";
+    vault: "vault";
+}>;
+type CredentialSourceType = z.infer<typeof CredentialSourceType>;
+/** Resolved source config with normalized fields */
+interface ResolvedSourceConfig {
+    source: CredentialSourceType;
+    name: string | undefined;
+}
+/** Service IDs that support vault credentials (API-based services) */
+type VaultSupportedServiceId = "claude" | "chatgpt" | "gemini";
+/**
+ * All service IDs.
+ * Note: github-copilot uses GitHub token auth, not vault credentials,
+ * so it's excluded from VaultSupportedServiceId.
+ */
+type ServiceId = VaultSupportedServiceId | "github-copilot";
+/**
+ * Get the resolved source config for a specific service.
+ *
+ * @param service - Service ID (e.g., "claude", "chatgpt", "gemini")
+ * @returns Resolved config with source type and optional credential name
+ */
+declare function getServiceSourceConfig(service: ServiceId): ResolvedSourceConfig;
+export type { ServiceId, VaultSupportedServiceId };
+export { getServiceSourceConfig };

package/dist/config/credential-sources.js

@@ -0,0 +1,95 @@
+/**
+ * Configuration for credential sources per service.
+ *
+ * Supports three modes:
+ * - "local": Use local credentials from axauth (default behavior)
+ * - "vault": Fetch credentials from axvault server
+ * - "auto": Try vault first if configured and credential name provided, fallback to local
+ */
+import Conf from "conf";
+import { z } from "zod";
+/** Credential source type */
+const CredentialSourceType = z.enum(["auto", "local", "vault"]);
+/** Service source config - either a string shorthand or object with name */
+const ServiceSourceConfig = z.union([
+    CredentialSourceType,
+    z.object({
+        source: CredentialSourceType,
+        name: z.string().optional(),
+    }),
+]);
+/** Full sources config - map of service ID to source config */
+const SourcesConfig = z.record(z.string(), ServiceSourceConfig);
+// Lazy-initialized config instance
+let configInstance;
+function getConfig() {
+    if (!configInstance) {
+        configInstance = new Conf({
+            projectName: "axusage",
+            schema: {
+                sources: {
+                    type: "object",
+                    additionalProperties: true,
+                },
+            },
+        });
+    }
+    return configInstance;
+}
+/**
+ * Get the full credential source configuration.
+ *
+ * Priority:
+ * 1. AXUSAGE_SOURCES environment variable (flat JSON)
+ * 2. Config file sources key
+ * 3. Empty object (defaults apply per-service)
+ */
+function getCredentialSourceConfig() {
+    // Priority 1: Environment variable
+    const environmentVariable = process.env.AXUSAGE_SOURCES;
+    if (environmentVariable) {
+        try {
+            const parsed = SourcesConfig.parse(JSON.parse(environmentVariable));
+            return parsed;
+        }
+        catch (error) {
+            const reason = error instanceof SyntaxError
+                ? "invalid JSON syntax"
+                : "schema validation failed";
+            console.error(`Warning: AXUSAGE_SOURCES ${reason}, falling back to config file`);
+        }
+    }
+    // Priority 2: Config file
+    const config = getConfig();
+    const fileConfig = config.get("sources");
+    if (fileConfig) {
+        const parsed = SourcesConfig.safeParse(fileConfig);
+        if (parsed.success) {
+            return parsed.data;
+        }
+        console.error("Warning: Config file contains invalid sources, using defaults");
+    }
+    // Priority 3: Empty (defaults apply)
+    return {};
+}
+/**
+ * Get the resolved source config for a specific service.
+ *
+ * @param service - Service ID (e.g., "claude", "chatgpt", "gemini")
+ * @returns Resolved config with source type and optional credential name
+ */
+function getServiceSourceConfig(service) {
+    const config = getCredentialSourceConfig();
+    const serviceConfig = config[service];
+    // Default: auto mode with no credential name
+    if (serviceConfig === undefined) {
+        return { source: "auto", name: undefined };
+    }
+    // String shorthand: just the source type
+    if (typeof serviceConfig === "string") {
+        return { source: serviceConfig, name: undefined };
+    }
+    // Object: source and name
+    return { source: serviceConfig.source, name: serviceConfig.name };
+}
+export { getServiceSourceConfig };

package/dist/services/get-service-access-token.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Unified credential fetcher for services.
+ *
+ * Fetches access tokens based on per-service configuration:
+ * - "local": From local axauth credential store
+ * - "vault": From axvault server
+ * - "auto": Try vault first if configured, fallback to local
+ */
+import { type VaultSupportedServiceId } from "../config/credential-sources.js";
+/**
+ * Get access token for a service.
+ *
+ * Uses the configured credential source for the service:
+ * - "local": Fetch from local axauth credential store
+ * - "vault": Fetch from axvault server (requires credential name)
+ * - "auto": Try vault if configured and name provided, fallback to local
+ *
+ * @param service - Service ID (e.g., "claude", "chatgpt", "gemini")
+ * @returns Access token string or undefined if not available
+ *
+ * @example
+ * const token = await getServiceAccessToken("claude");
+ * if (!token) {
+ *   console.error("No credentials found for Claude");
+ * }
+ */
+declare function getServiceAccessToken(service: VaultSupportedServiceId): Promise<string | undefined>;
+export { getServiceAccessToken };

package/dist/services/get-service-access-token.js

@@ -0,0 +1,146 @@
+/**
+ * Unified credential fetcher for services.
+ *
+ * Fetches access tokens based on per-service configuration:
+ * - "local": From local axauth credential store
+ * - "vault": From axvault server
+ * - "auto": Try vault first if configured, fallback to local
+ */
+import { fetchVaultCredentials, getAgentAccessToken, isVaultConfigured, } from "axauth";
+import { getServiceSourceConfig, } from "../config/credential-sources.js";
+/** Map service IDs to agent IDs for axauth/vault */
+const SERVICE_TO_AGENT = {
+    claude: "claude",
+    chatgpt: "codex", // ChatGPT and Codex both use OpenAI API credentials
+    gemini: "gemini",
+};
+/**
+ * Extract access token from vault credentials.
+ *
+ * Different credential types store tokens differently:
+ * - oauth-credentials: access_token (Gemini style) or tokens.access_token (Codex/OpenAI style)
+ * - oauth-token: accessToken field (Claude style)
+ * - api-key: apiKey field
+ */
+function extractAccessToken(credentials) {
+    if (!credentials)
+        return undefined;
+    const { data } = credentials;
+    // Try accessToken first (Claude oauth-token style, camelCase)
+    if (typeof data.accessToken === "string") {
+        return data.accessToken;
+    }
+    // Try access_token at top level (Gemini oauth-credentials style, snake_case)
+    if (typeof data.access_token === "string") {
+        return data.access_token;
+    }
+    // Try tokens.access_token (Codex/OpenAI oauth-credentials style)
+    if (data.tokens &&
+        typeof data.tokens === "object" &&
+        "access_token" in data.tokens &&
+        typeof data.tokens.access_token === "string") {
+        return data.tokens.access_token;
+    }
+    // Try apiKey as fallback (api-key type)
+    if (typeof data.apiKey === "string") {
+        return data.apiKey;
+    }
+    return undefined;
+}
+/**
+ * Fetch access token from vault.
+ *
+ * @returns Access token string or undefined if not available
+ */
+async function fetchFromVault(agentId, credentialName) {
+    try {
+        const result = await fetchVaultCredentials({
+            agentId,
+            name: credentialName,
+        });
+        if (!result.ok) {
+            // Log warning for debugging, but don't fail hard
+            if (result.reason !== "not-configured" && result.reason !== "not-found") {
+                console.error(`[axusage] Vault fetch failed for ${agentId}/${credentialName}: ${result.reason}`);
+            }
+            return undefined;
+        }
+        const token = extractAccessToken(result.credentials);
+        if (!token) {
+            console.error(`[axusage] Vault credentials for ${agentId}/${credentialName} missing access token. ` +
+                `Credential type: ${result.credentials.type}`);
+        }
+        return token;
+    }
+    catch (error) {
+        console.error(`[axusage] Vault fetch error for ${agentId}/${credentialName}: ${error instanceof Error ? error.message : String(error)}`);
+        return undefined;
+    }
+}
+/**
+ * Fetch access token from local credential store.
+ *
+ * @returns Access token string or undefined if not available
+ */
+async function fetchFromLocal(agentId) {
+    try {
+        return await getAgentAccessToken(agentId);
+    }
+    catch (error) {
+        console.error(`[axusage] Local credential fetch error for ${agentId}: ${error instanceof Error ? error.message : String(error)}`);
+        return undefined;
+    }
+}
+/**
+ * Get access token for a service.
+ *
+ * Uses the configured credential source for the service:
+ * - "local": Fetch from local axauth credential store
+ * - "vault": Fetch from axvault server (requires credential name)
+ * - "auto": Try vault if configured and name provided, fallback to local
+ *
+ * @param service - Service ID (e.g., "claude", "chatgpt", "gemini")
+ * @returns Access token string or undefined if not available
+ *
+ * @example
+ * const token = await getServiceAccessToken("claude");
+ * if (!token) {
+ *   console.error("No credentials found for Claude");
+ * }
+ */
+async function getServiceAccessToken(service) {
+    const config = getServiceSourceConfig(service);
+    const agentId = SERVICE_TO_AGENT[service];
+    switch (config.source) {
+        case "local": {
+            return fetchFromLocal(agentId);
+        }
+        case "vault": {
+            if (!config.name) {
+                console.error(`[axusage] Vault source requires credential name for ${service}. ` +
+                    `Set {"${service}": {"source": "vault", "name": "your-name"}} in config.`);
+                return undefined;
+            }
+            const token = await fetchFromVault(agentId, config.name);
+            if (!token) {
+                // User explicitly selected vault but it failed - provide clear feedback
+                console.error(`[axusage] Vault credential fetch failed for ${service}. ` +
+                    `Check that vault is configured (AXVAULT env) and credential "${config.name}" exists.`);
+            }
+            return token;
+        }
+        case "auto": {
+            // Auto mode: try vault first if configured and name provided
+            if (config.name && isVaultConfigured()) {
+                const vaultToken = await fetchFromVault(agentId, config.name);
+                if (vaultToken) {
+                    return vaultToken;
+                }
+                // Fallback to local if vault failed
+            }
+            // No credential name or vault not configured: use local only
+            return fetchFromLocal(agentId);
+        }
+    }
+}
+export { getServiceAccessToken };

package/package.json

@@ -2,7 +2,7 @@
   "name": "axusage",
   "author": "Łukasz Jerciński",
   "license": "MIT",
-  "version": "2.0.0",
+  "version": "2.2.0",
   "description": "Monitor API usage across Claude, ChatGPT, GitHub Copilot, and Gemini from a single CLI",
   "repository": {
     "type": "git",
@@ -18,6 +18,24 @@
     "README.md",
     "LICENSE"
   ],
+  "scripts": {
+    "postinstall": "playwright install chromium",
+    "prepare": "git config core.hooksPath .githooks",
+    "prepublishOnly": "pnpm run rebuild",
+    "build": "tsc -p tsconfig.app.json",
+    "clean": "rm -rf dist *.tsbuildinfo",
+    "format": "prettier --write .",
+    "format:check": "prettier --check .",
+    "fta": "fta-check",
+    "knip": "knip",
+    "lint": "eslint",
+    "rebuild": "pnpm run clean && pnpm run build",
+    "start": "pnpm run rebuild && node bin/axusage",
+    "test": "vitest run",
+    "test:coverage": "vitest run --coverage",
+    "test:watch": "vitest",
+    "typecheck": "tsc -b --noEmit"
+  },
   "keywords": [
     "ai",
     "usage",
@@ -30,54 +48,34 @@
     "llm",
     "monitoring"
   ],
+  "packageManager": "pnpm@10.25.0",
   "engines": {
     "node": ">=22.14.0"
   },
   "dependencies": {
     "@commander-js/extra-typings": "^14.0.0",
-    "axauth": "^1.0.0",
+    "axauth": "^1.11.2",
     "chalk": "^5.6.2",
     "commander": "^14.0.2",
+    "conf": "^15.0.2",
     "env-paths": "^3.0.0",
     "playwright": "^1.57.0",
     "prom-client": "^15.1.3",
     "trash": "^10.0.1",
-    "zod": "^4.2.0"
+    "zod": "^4.3.5"
   },
   "devDependencies": {
-    "@eslint/compat": "^2.0.0",
-    "@eslint/js": "^9.39.2",
     "@total-typescript/ts-reset": "^0.6.1",
-    "@types/node": "^25.0.2",
-    "@vitest/coverage-v8": "^4.0.15",
-    "@vitest/eslint-plugin": "^1.5.2",
+    "@types/node": "^25.0.8",
+    "@vitest/coverage-v8": "^4.0.17",
     "eslint": "^9.39.2",
-    "eslint-config-prettier": "^10.1.8",
-    "eslint-plugin-unicorn": "^62.0.0",
-    "fta-check": "^1.5.0",
+    "eslint-config-axkit": "^1.0.0",
+    "fta-check": "^1.5.1",
     "fta-cli": "^3.0.0",
-    "globals": "^16.5.0",
-    "knip": "^5.73.4",
+    "knip": "^5.81.0",
     "prettier": "3.7.4",
     "semantic-release": "^25.0.2",
     "typescript": "^5.9.3",
-    "typescript-eslint": "^8.49.0",
-    "vitest": "^4.0.15"
-  },
-  "scripts": {
-    "postinstall": "playwright install chromium",
-    "build": "tsc -p tsconfig.app.json",
-    "clean": "rm -rf dist *.tsbuildinfo",
-    "format": "prettier --write .",
-    "format:check": "prettier --check .",
-    "fta": "fta-check",
-    "knip": "knip",
-    "lint": "eslint",
-    "rebuild": "pnpm run clean && pnpm run build",
-    "start": "pnpm run rebuild && node bin/axusage",
-    "test": "vitest run",
-    "test:coverage": "vitest run --coverage",
-    "test:watch": "vitest",
-    "typecheck": "tsc -b --noEmit"
+    "vitest": "^4.0.17"
   }
-}
+}