octocode-shared 1.0.0

package/dist/credentials/index.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Credentials Module Exports
+ */
+export type { OAuthToken, StoredCredentials, StoreResult, DeleteResult, CredentialsStore, TokenSource, } from './types.js';
+export { initializeSecureStorage, isSecureStorageAvailable, isUsingSecureStorage, storeCredentials, getCredentials, type GetCredentialsOptions, getCredentialsSync, deleteCredentials, updateToken, invalidateCredentialsCache, getToken, getTokenSync, resolveToken, type ResolvedToken, getTokenWithRefresh, type TokenWithRefreshResult, resolveTokenWithRefresh, type ResolvedTokenWithRefresh, refreshAuthToken, type RefreshResult, resolveTokenFull, type FullTokenResolution, type GhCliTokenGetter, listStoredHosts, listStoredHostsSync, hasCredentials, hasCredentialsSync, isTokenExpired, isRefreshTokenExpired, getCredentialsFilePath, readCredentialsStore, encrypt, decrypt, ensureOctocodeDir, OCTOCODE_DIR, CREDENTIALS_FILE, KEY_FILE, ENV_TOKEN_VARS, getTokenFromEnv, getEnvTokenSource, hasEnvToken, TimeoutError, _setSecureStorageAvailable, _resetSecureStorageState, _getCacheStats, _resetCredentialsCache, } from './storage.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/credentials/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/credentials/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,YAAY,EACV,UAAU,EACV,iBAAiB,EACjB,WAAW,EACX,YAAY,EACZ,gBAAgB,EAChB,WAAW,GACZ,MAAM,YAAY,CAAC;AAGpB,OAAO,EAEL,uBAAuB,EACvB,wBAAwB,EACxB,oBAAoB,EAGpB,gBAAgB,EAChB,cAAc,EACd,KAAK,qBAAqB,EAC1B,kBAAkB,EAClB,iBAAiB,EACjB,WAAW,EAGX,0BAA0B,EAG1B,QAAQ,EACR,YAAY,EACZ,YAAY,EACZ,KAAK,aAAa,EAGlB,mBAAmB,EACnB,KAAK,sBAAsB,EAC3B,uBAAuB,EACvB,KAAK,wBAAwB,EAC7B,gBAAgB,EAChB,KAAK,aAAa,EAGlB,gBAAgB,EAChB,KAAK,mBAAmB,EACxB,KAAK,gBAAgB,EAGrB,eAAe,EACf,mBAAmB,EACnB,cAAc,EACd,kBAAkB,EAGlB,cAAc,EACd,qBAAqB,EAGrB,sBAAsB,EAGtB,oBAAoB,EACpB,OAAO,EACP,OAAO,EACP,iBAAiB,EAGjB,YAAY,EACZ,gBAAgB,EAChB,QAAQ,EACR,cAAc,EAGd,eAAe,EACf,iBAAiB,EACjB,WAAW,EAGX,YAAY,EAGZ,0BAA0B,EAC1B,wBAAwB,EACxB,cAAc,EACd,sBAAsB,GACvB,MAAM,cAAc,CAAC"}

package/dist/credentials/index.js

@@ -0,0 +1,42 @@
+import { C, E, K, O, T, H, I, G, _, z, d, y, A, g, w, c, D, f, B, h, j, p, q, F, i, e, v, a, t, b, n, o, x, l, r, m, k, s, u } from "../storage-DuH3rTiu.js";
+export {
+  C as CREDENTIALS_FILE,
+  E as ENV_TOKEN_VARS,
+  K as KEY_FILE,
+  O as OCTOCODE_DIR,
+  T as TimeoutError,
+  H as _getCacheStats,
+  I as _resetCredentialsCache,
+  G as _resetSecureStorageState,
+  _ as _setSecureStorageAvailable,
+  z as decrypt,
+  d as deleteCredentials,
+  y as encrypt,
+  A as ensureOctocodeDir,
+  g as getCredentials,
+  w as getCredentialsFilePath,
+  c as getCredentialsSync,
+  D as getEnvTokenSource,
+  f as getToken,
+  B as getTokenFromEnv,
+  h as getTokenSync,
+  j as getTokenWithRefresh,
+  p as hasCredentials,
+  q as hasCredentialsSync,
+  F as hasEnvToken,
+  i as initializeSecureStorage,
+  e as invalidateCredentialsCache,
+  v as isRefreshTokenExpired,
+  a as isSecureStorageAvailable,
+  t as isTokenExpired,
+  b as isUsingSecureStorage,
+  n as listStoredHosts,
+  o as listStoredHostsSync,
+  x as readCredentialsStore,
+  l as refreshAuthToken,
+  r as resolveToken,
+  m as resolveTokenFull,
+  k as resolveTokenWithRefresh,
+  s as storeCredentials,
+  u as updateToken
+};

package/dist/credentials/keychain.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Native Keychain Access
+ *
+ * Cross-platform secure credential storage using @napi-rs/keyring.
+ * This wraps the Rust keyring-rs library via napi-rs for native OS keychain access.
+ *
+ * Supported platforms (prebuilt binaries):
+ * - macOS: Keychain Access (darwin-arm64, darwin-x64)
+ * - Windows: Credential Manager (win32-x64, win32-arm64, win32-ia32)
+ * - Linux: Secret Service API via libsecret (linux-x64-gnu, linux-x64-musl, linux-arm64-gnu, etc.)
+ * - FreeBSD: Secret Service API
+ *
+ * This replaces the previous custom implementation with a battle-tested library,
+ * following the same pattern as gh CLI's use of zalando/go-keyring.
+ */
+/**
+ * Check if native keychain is available on this platform.
+ * With @napi-rs/keyring, this is always true since it has prebuilt binaries
+ * for all supported platforms.
+ */
+export declare function isKeychainAvailable(): boolean;
+/**
+ * Store a password in the system keychain
+ * @param service - Service name (app identifier)
+ * @param account - Account identifier (e.g., hostname)
+ * @param password - Password/data to store
+ */
+export declare function setPassword(service: string, account: string, password: string): Promise<void>;
+/**
+ * Get a password from the system keychain
+ * @param service - Service name (app identifier)
+ * @param account - Account identifier (e.g., hostname)
+ * @returns Password/data or null if not found
+ */
+export declare function getPassword(service: string, account: string): Promise<string | null>;
+/**
+ * Delete a password from the system keychain
+ * @param service - Service name (app identifier)
+ * @param account - Account identifier (e.g., hostname)
+ * @returns true if deleted, false if not found
+ */
+export declare function deletePassword(service: string, account: string): Promise<boolean>;
+/**
+ * Find all credentials for a service
+ * @param service - Service name (app identifier)
+ * @returns Array of {account, password} objects
+ */
+export declare function findCredentials(service: string): Promise<{
+    account: string;
+    password: string;
+}[]>;
+//# sourceMappingURL=keychain.d.ts.map

package/dist/credentials/keychain.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keychain.d.ts","sourceRoot":"","sources":["../../src/credentials/keychain.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAQH;;;;GAIG;AACH,wBAAgB,mBAAmB,IAAI,OAAO,CAI7C;AAED;;;;;GAKG;AACH,wBAAsB,WAAW,CAC/B,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC,CAGf;AAED;;;;;GAKG;AACH,wBAAsB,WAAW,CAC/B,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CASxB;AAED;;;;;GAKG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,OAAO,CAAC,CAQlB;AAED;;;;GAIG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,MAAM,GACd,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,EAAE,CAAC,CAQlD"}

package/dist/credentials/storage.d.ts

@@ -0,0 +1,367 @@
+/**
+ * Token Storage Utility
+ *
+ * Stores OAuth tokens securely using:
+ * 1. System keychain (native OS commands) - preferred for desktop environments
+ * 2. Encrypted file fallback (~/.octocode/credentials.json) - for CI/server
+ *
+ * Behavior matches gh CLI's credential storage approach.
+ */
+import type { StoredCredentials, StoreResult, DeleteResult, CredentialsStore, TokenSource } from './types.js';
+/**
+ * Timeout error for keyring operations
+ */
+export declare class TimeoutError extends Error {
+    constructor(message: string);
+}
+export declare const OCTOCODE_DIR: string;
+export declare const CREDENTIALS_FILE: string;
+export declare const KEY_FILE: string;
+/**
+ * Invalidate cache for a hostname (call after credential changes)
+ * @param hostname - Hostname to invalidate, or undefined to clear all
+ */
+export declare function invalidateCredentialsCache(hostname?: string): void;
+/**
+ * Get cache statistics (for debugging/monitoring)
+ * @internal
+ */
+export declare function _getCacheStats(): {
+    size: number;
+    entries: Array<{
+        hostname: string;
+        age: number;
+        valid: boolean;
+    }>;
+};
+/**
+ * Reset cache state (for testing)
+ * @internal
+ */
+export declare function _resetCredentialsCache(): void;
+/**
+ * Environment variable names for token lookup (in priority order)
+ */
+export declare const ENV_TOKEN_VARS: readonly ["OCTOCODE_TOKEN", "GH_TOKEN", "GITHUB_TOKEN"];
+/**
+ * Get token from environment variables
+ *
+ * Checks environment variables in priority order:
+ * 1. OCTOCODE_TOKEN - octocode-specific token
+ * 2. GH_TOKEN - GitHub CLI compatible
+ * 3. GITHUB_TOKEN - GitHub Actions native
+ *
+ * @returns Token string or null if not found in any env var
+ */
+export declare function getTokenFromEnv(): string | null;
+/**
+ * Get the source of an environment variable token
+ *
+ * @returns The env var name that contains the token, or null if none found
+ */
+export declare function getEnvTokenSource(): TokenSource;
+/**
+ * Check if token is available from environment variables
+ */
+export declare function hasEnvToken(): boolean;
+/**
+ * Initialize secure storage by checking keychain availability.
+ * Call this before using any credential functions to ensure keychain is checked.
+ *
+ * Note: Migration from file to keychain happens lazily on first credential access,
+ * not at startup. This avoids triggering keychain permission prompts on every app launch.
+ *
+ * @returns true if secure storage (native keychain) is available
+ */
+export declare function initializeSecureStorage(): Promise<boolean>;
+/**
+ * Check if secure storage (native keychain) is available
+ */
+export declare function isSecureStorageAvailable(): boolean;
+/**
+ * Force set secure storage availability (for testing)
+ * @internal
+ */
+export declare function _setSecureStorageAvailable(available: boolean): void;
+/**
+ * Reset secure storage state (for testing)
+ * @internal
+ */
+export declare function _resetSecureStorageState(): void;
+/**
+ * Encrypt data for file storage
+ */
+export declare function encrypt(data: string): string;
+/**
+ * Decrypt data from file storage
+ */
+export declare function decrypt(encryptedData: string): string;
+/**
+ * Ensure .octocode directory exists with secure permissions (0o700)
+ */
+export declare function ensureOctocodeDir(): void;
+/**
+ * Read credentials store from file
+ */
+export declare function readCredentialsStore(): CredentialsStore;
+/**
+ * Store credentials using keyring-first strategy (like gh CLI)
+ *
+ * Flow:
+ * 1. Try keyring with timeout
+ * 2. On success: remove from file storage (clean migration)
+ * 3. On failure: fallback to encrypted file storage
+ * 4. Invalidate cache to ensure fresh reads
+ *
+ * @returns StoreResult with insecureStorageUsed flag
+ */
+export declare function storeCredentials(credentials: StoredCredentials): Promise<StoreResult>;
+/**
+ * Options for getCredentials
+ */
+export interface GetCredentialsOptions {
+    /** Bypass cache and fetch fresh credentials from storage */
+    bypassCache?: boolean;
+}
+/**
+ * Get credentials using keyring-first strategy (like gh CLI)
+ *
+ * Flow:
+ * 1. Check in-memory cache (unless bypassed)
+ * 2. Try keyring with timeout
+ * 3. Fallback to file storage (with lazy migration to keyring)
+ * 4. Cache result for future calls
+ *
+ * @param hostname - GitHub hostname (default: 'github.com')
+ * @param options - Optional settings (e.g., bypassCache)
+ * @returns Stored credentials or null if not found
+ */
+export declare function getCredentials(hostname?: string, options?: GetCredentialsOptions): Promise<StoredCredentials | null>;
+/**
+ * Get credentials synchronously (file storage only)
+ *
+ * ⚠️ WARNING: This only reads from file storage, not keyring.
+ * Use getCredentials() (async) for the full keyring-first lookup.
+ * This sync version is kept for backward compatibility only.
+ *
+ * @param hostname - GitHub hostname (default: 'github.com')
+ * @returns Stored credentials from file or null if not found
+ */
+export declare function getCredentialsSync(hostname?: string): StoredCredentials | null;
+/**
+ * Delete credentials from both keyring and file storage
+ *
+ * Flow:
+ * 1. Delete from keyring (with timeout, best-effort)
+ * 2. Delete from file storage
+ * 3. Return combined result with details
+ *
+ * @returns DeleteResult with details about what was deleted
+ */
+export declare function deleteCredentials(hostname?: string): Promise<DeleteResult>;
+/**
+ * List all stored hostnames (from both keyring and file)
+ */
+export declare function listStoredHosts(): Promise<string[]>;
+/**
+ * List stored hosts synchronously (file storage only)
+ *
+ * ⚠️ WARNING: This only lists file storage, not keyring.
+ * Use listStoredHosts() (async) for full list.
+ */
+export declare function listStoredHostsSync(): string[];
+/**
+ * Check if credentials exist for a hostname
+ */
+export declare function hasCredentials(hostname?: string): Promise<boolean>;
+/**
+ * Check if credentials exist synchronously (file storage only)
+ *
+ * ⚠️ WARNING: This only checks file storage, not keyring.
+ * Use hasCredentials() (async) for full check.
+ */
+export declare function hasCredentialsSync(hostname?: string): boolean;
+/**
+ * Update token for a hostname (used for refresh)
+ */
+export declare function updateToken(hostname: string, token: StoredCredentials['token']): Promise<boolean>;
+/**
+ * Get the credentials storage location (for display purposes)
+ */
+export declare function getCredentialsFilePath(): string;
+/**
+ * Alias for isSecureStorageAvailable (for backward compatibility)
+ */
+export declare function isUsingSecureStorage(): boolean;
+/**
+ * Check if token is expired (for GitHub Apps with expiring tokens)
+ */
+export declare function isTokenExpired(credentials: StoredCredentials): boolean;
+/**
+ * Check if refresh token is expired
+ */
+export declare function isRefreshTokenExpired(credentials: StoredCredentials): boolean;
+/**
+ * Get token from stored credentials (keychain/file only)
+ *
+ * Convenience function that retrieves credentials and returns just the token string.
+ * Checks for token expiration before returning.
+ *
+ * NOTE: This does NOT check environment variables. Use resolveToken() for full resolution.
+ * NOTE: This does NOT refresh expired tokens. Use getTokenWithRefresh() for auto-refresh.
+ *
+ * @param hostname - GitHub hostname (default: 'github.com')
+ * @returns Token string or null if not found/expired
+ */
+export declare function getToken(hostname?: string): Promise<string | null>;
+/**
+ * Result of a token refresh operation
+ */
+export interface RefreshResult {
+    success: boolean;
+    username?: string;
+    hostname?: string;
+    error?: string;
+}
+/**
+ * Refresh an expired OAuth token using the refresh token
+ *
+ * @param hostname - GitHub hostname (default: 'github.com')
+ * @param clientId - OAuth client ID (default: octocode client ID)
+ * @returns RefreshResult with success status and error details
+ */
+export declare function refreshAuthToken(hostname?: string, clientId?: string): Promise<RefreshResult>;
+/**
+ * Result of getting a token with refresh capability
+ */
+export interface TokenWithRefreshResult {
+    token: string | null;
+    source: 'stored' | 'refreshed' | 'none';
+    username?: string;
+    refreshError?: string;
+}
+/**
+ * Get token with automatic refresh for expired tokens
+ *
+ * This is the recommended function for getting stored tokens. It will:
+ * 1. Check if credentials exist
+ * 2. If token is expired and has a refresh token, attempt to refresh
+ * 3. Return the valid token or null
+ *
+ * NOTE: This does NOT check environment variables. Use resolveTokenWithRefresh()
+ * for full resolution including env vars.
+ *
+ * @param hostname - GitHub hostname (default: 'github.com')
+ * @param clientId - OAuth client ID for refresh (default: octocode client ID)
+ * @returns TokenWithRefreshResult with token, source, and any refresh errors
+ */
+export declare function getTokenWithRefresh(hostname?: string, clientId?: string): Promise<TokenWithRefreshResult>;
+/**
+ * Token resolution result with source tracking
+ */
+export interface ResolvedToken {
+    token: string;
+    source: TokenSource;
+}
+/**
+ * Resolve token using the full priority chain
+ *
+ * Priority order:
+ * 1. OCTOCODE_TOKEN env var
+ * 2. GH_TOKEN env var
+ * 3. GITHUB_TOKEN env var
+ * 4. Native keychain (most secure for desktop)
+ * 5. Encrypted file storage (~/.octocode/credentials.json)
+ *
+ * NOTE: This does NOT refresh expired tokens. Use resolveTokenWithRefresh() for auto-refresh.
+ *
+ * @param hostname - GitHub hostname (default: 'github.com')
+ * @returns ResolvedToken with token and source, or null if not found
+ */
+export declare function resolveToken(hostname?: string): Promise<ResolvedToken | null>;
+/**
+ * Extended resolved token result with refresh support
+ */
+export interface ResolvedTokenWithRefresh extends ResolvedToken {
+    /** Whether the token was refreshed during resolution */
+    wasRefreshed?: boolean;
+    /** Username associated with the token (if from storage) */
+    username?: string;
+    /** Error message if refresh was attempted but failed */
+    refreshError?: string;
+}
+/**
+ * Resolve token with automatic refresh for expired tokens
+ *
+ * This is the recommended function for token resolution. It will:
+ * 1. Check environment variables first (OCTOCODE_TOKEN, GH_TOKEN, GITHUB_TOKEN)
+ * 2. Check stored credentials (keychain → file)
+ * 3. If stored token is expired and has a refresh token, attempt to refresh
+ * 4. Return the valid token with source information
+ *
+ * Priority order:
+ * 1. OCTOCODE_TOKEN env var
+ * 2. GH_TOKEN env var
+ * 3. GITHUB_TOKEN env var
+ * 4. Stored credentials with auto-refresh (keychain → file)
+ *
+ * @param hostname - GitHub hostname (default: 'github.com')
+ * @param clientId - OAuth client ID for refresh (default: octocode client ID)
+ * @returns ResolvedTokenWithRefresh with token, source, and refresh status
+ */
+export declare function resolveTokenWithRefresh(hostname?: string, clientId?: string): Promise<ResolvedTokenWithRefresh | null>;
+/**
+ * Full token resolution result including gh CLI fallback
+ */
+export interface FullTokenResolution {
+    /** The resolved token */
+    token: string;
+    /** Source of the token */
+    source: TokenSource | 'gh-cli';
+    /** Whether the token was refreshed during resolution */
+    wasRefreshed?: boolean;
+    /** Username associated with the token (if from storage) */
+    username?: string;
+    /** Error message if refresh was attempted but failed */
+    refreshError?: string;
+}
+/**
+ * Callback type for getting gh CLI token
+ */
+export type GhCliTokenGetter = (hostname?: string) => string | null | Promise<string | null>;
+/**
+ * Full token resolution with gh CLI fallback
+ *
+ * This is the recommended function for complete token resolution across all sources.
+ * Uses in-memory cache (5-minute TTL) for performance, with automatic invalidation
+ * on credential updates/refresh.
+ *
+ * Priority order:
+ * 1. OCTOCODE_TOKEN env var
+ * 2. GH_TOKEN env var
+ * 3. GITHUB_TOKEN env var
+ * 4. Octocode storage with auto-refresh (keychain → file, cached)
+ * 5. gh CLI token (fallback via callback)
+ *
+ * @param options - Resolution options
+ * @param options.hostname - GitHub hostname (default: 'github.com')
+ * @param options.clientId - OAuth client ID for refresh (default: octocode client ID)
+ * @param options.getGhCliToken - Callback to get gh CLI token (optional)
+ * @returns FullTokenResolution with token, source, and metadata, or null if not found
+ */
+export declare function resolveTokenFull(options?: {
+    hostname?: string;
+    clientId?: string;
+    getGhCliToken?: GhCliTokenGetter;
+}): Promise<FullTokenResolution | null>;
+/**
+ * Get token synchronously (file storage only)
+ *
+ * ⚠️ WARNING: This only reads from file storage, not keyring.
+ * Use getToken() (async) for the full keyring-first lookup.
+ *
+ * @param hostname - GitHub hostname (default: 'github.com')
+ * @returns Token string or null if not found/expired
+ */
+export declare function getTokenSync(hostname?: string): string | null;
+//# sourceMappingURL=storage.d.ts.map

package/dist/credentials/storage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../../src/credentials/storage.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAaH,OAAO,KAAK,EACV,iBAAiB,EACjB,WAAW,EACX,YAAY,EACZ,gBAAgB,EAChB,WAAW,EAEZ,MAAM,YAAY,CAAC;AAcpB;;GAEG;AACH,qBAAa,YAAa,SAAQ,KAAK;gBACzB,OAAO,EAAE,MAAM;CAI5B;AA+BD,eAAO,MAAM,YAAY,QAA0B,CAAC;AACpD,eAAO,MAAM,gBAAgB,QAAyC,CAAC;AACvE,eAAO,MAAM,QAAQ,QAA6B,CAAC;AAiCnD;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAMlE;AAED;;;GAGG;AACH,wBAAgB,cAAc,IAAI;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,KAAK,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;CACnE,CAYA;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,IAAI,IAAI,CAE7C;AAMD;;GAEG;AACH,eAAO,MAAM,cAAc,yDAIjB,CAAC;AAEX;;;;;;;;;GASG;AACH,wBAAgB,eAAe,IAAI,MAAM,GAAG,IAAI,CAQ/C;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI,WAAW,CAQ/C;AAED;;GAEG;AACH,wBAAgB,WAAW,IAAI,OAAO,CAErC;AAMD;;;;;;;;GAQG;AACH,wBAAsB,uBAAuB,IAAI,OAAO,CAAC,OAAO,CAAC,CAYhE;AAED;;GAEG;AACH,wBAAgB,wBAAwB,IAAI,OAAO,CAQlD;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,SAAS,EAAE,OAAO,GAAG,IAAI,CAInE;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,IAAI,IAAI,CAI/C;AAoFD;;GAEG;AACH,wBAAgB,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAY5C;AAED;;GAEG;AACH,wBAAgB,OAAO,CAAC,aAAa,EAAE,MAAM,GAAG,MAAM,CAiBrD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,IAAI,CAIxC;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,gBAAgB,CAsBvD;AAkGD;;;;;;;;;;GAUG;AACH,wBAAsB,gBAAgB,CACpC,WAAW,EAAE,iBAAiB,GAC7B,OAAO,CAAC,WAAW,CAAC,CAiDtB;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,4DAA4D;IAC5D,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAED;;;;;;;;;;;;GAYG;AACH,wBAAsB,cAAc,CAClC,QAAQ,GAAE,MAAqB,EAC/B,OAAO,CAAC,EAAE,qBAAqB,GAC9B,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC,CAuBnC;AA6CD;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,CAChC,QAAQ,GAAE,MAAqB,GAC9B,iBAAiB,GAAG,IAAI,CAI1B;AAED;;;;;;;;;GASG;AACH,wBAAsB,iBAAiB,CACrC,QAAQ,GAAE,MAAqB,GAC9B,OAAO,CAAC,YAAY,CAAC,CA2CvB;AAED;;GAEG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC,CA4BzD;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,EAAE,CAG9C;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,QAAQ,GAAE,MAAqB,GAC9B,OAAO,CAAC,OAAO,CAAC,CAElB;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,GAAE,MAAqB,GAAG,OAAO,CAE3E;AAED;;GAEG;AACH,wBAAsB,WAAW,CAC/B,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,iBAAiB,CAAC,OAAO,CAAC,GAChC,OAAO,CAAC,OAAO,CAAC,CAYlB;AAED;;GAEG;AACH,wBAAgB,sBAAsB,IAAI,MAAM,CAK/C;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,OAAO,CAE9C;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,WAAW,EAAE,iBAAiB,GAAG,OAAO,CAgBtE;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,WAAW,EAAE,iBAAiB,GAAG,OAAO,CAa7E;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,QAAQ,CAC5B,QAAQ,GAAE,MAAqB,GAC9B,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAaxB;AAgBD;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;GAMG;AACH,wBAAsB,gBAAgB,CACpC,QAAQ,GAAE,MAAyB,EACnC,QAAQ,GAAE,MAA0B,GACnC,OAAO,CAAC,aAAa,CAAC,CAwDxB;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,MAAM,EAAE,QAAQ,GAAG,WAAW,GAAG,MAAM,CAAC;IACxC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,mBAAmB,CACvC,QAAQ,GAAE,MAAyB,EACnC,QAAQ,GAAE,MAA0B,GACnC,OAAO,CAAC,sBAAsB,CAAC,CA8CjC;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,WAAW,CAAC;CACrB;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,YAAY,CAChC,QAAQ,GAAE,MAAqB,GAC9B,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAwB/B;AAED;;GAEG;AACH,MAAM,WAAW,wBAAyB,SAAQ,aAAa;IAC7D,wDAAwD;IACxD,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,2DAA2D;IAC3D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,wDAAwD;IACxD,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,uBAAuB,CAC3C,QAAQ,GAAE,MAAyB,EACnC,QAAQ,GAAE,MAA0B,GACnC,OAAO,CAAC,wBAAwB,GAAG,IAAI,CAAC,CAqC1C;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,yBAAyB;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,0BAA0B;IAC1B,MAAM,EAAE,WAAW,GAAG,QAAQ,CAAC;IAC/B,wDAAwD;IACxD,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,2DAA2D;IAC3D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,wDAAwD;IACxD,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG,CAC7B,QAAQ,CAAC,EAAE,MAAM,KACd,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;AAE5C;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAsB,gBAAgB,CAAC,OAAO,CAAC,EAAE;IAC/C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,gBAAgB,CAAC;CAClC,GAAG,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC,CAiBtC;AA2DD;;;;;;;;GAQG;AACH,wBAAgB,YAAY,CAAC,QAAQ,GAAE,MAAqB,GAAG,MAAM,GAAG,IAAI,CAa3E"}

package/dist/credentials/types.d.ts

@@ -0,0 +1,61 @@
+/**
+ * Credential Types
+ *
+ * Shared types for OAuth tokens and credential storage across octocode packages.
+ */
+/**
+ * OAuth token structure
+ */
+export interface OAuthToken {
+    token: string;
+    tokenType: 'oauth';
+    scopes?: string[];
+    refreshToken?: string;
+    expiresAt?: string;
+    refreshTokenExpiresAt?: string;
+}
+/**
+ * Stored credentials for a GitHub host
+ */
+export interface StoredCredentials {
+    hostname: string;
+    username: string;
+    token: OAuthToken;
+    gitProtocol: 'ssh' | 'https';
+    createdAt: string;
+    updatedAt: string;
+}
+/**
+ * Result from storing credentials (keyring-first strategy)
+ */
+export interface StoreResult {
+    success: boolean;
+    /** True if fallback to encrypted file was used (keyring unavailable/failed) */
+    insecureStorageUsed: boolean;
+}
+/**
+ * Result from deleting credentials
+ */
+export interface DeleteResult {
+    success: boolean;
+    deletedFromKeyring: boolean;
+    deletedFromFile: boolean;
+}
+/**
+ * Storage interface for credentials (file fallback)
+ */
+export interface CredentialsStore {
+    version: number;
+    credentials: Record<string, StoredCredentials>;
+}
+/**
+ * Token source identifier for debugging and display
+ *
+ * Priority order:
+ * 1. Environment variables (OCTOCODE_TOKEN > GH_TOKEN > GITHUB_TOKEN)
+ * 2. Native keychain (most secure for desktop)
+ * 3. Encrypted file fallback (secure for headless)
+ * 4. gh CLI stored token (external fallback)
+ */
+export type TokenSource = 'env:OCTOCODE_TOKEN' | 'env:GH_TOKEN' | 'env:GITHUB_TOKEN' | 'keychain' | 'file' | 'gh-cli' | null;
+//# sourceMappingURL=types.d.ts.map

package/dist/credentials/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/credentials/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,OAAO,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAElB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,qBAAqB,CAAC,EAAE,MAAM,CAAC;CAChC;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,UAAU,CAAC;IAClB,WAAW,EAAE,KAAK,GAAG,OAAO,CAAC;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,OAAO,CAAC;IACjB,+EAA+E;IAC/E,mBAAmB,EAAE,OAAO,CAAC;CAC9B;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,OAAO,CAAC;IACjB,kBAAkB,EAAE,OAAO,CAAC;IAC5B,eAAe,EAAE,OAAO,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;CAChD;AAED;;;;;;;;GAQG;AACH,MAAM,MAAM,WAAW,GACnB,oBAAoB,GACpB,cAAc,GACd,kBAAkB,GAClB,UAAU,GACV,MAAM,GACN,QAAQ,GACR,IAAI,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Octocode Shared
+ *
+ * Shared utilities for Octocode packages:
+ * - Credential management with keytar and encrypted file storage
+ * - Platform detection utilities
+ * - Session persistence
+ */
+export * from './credentials/index.js';
+export * from './platform/index.js';
+export * from './session/index.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,cAAc,wBAAwB,CAAC;AAGvC,cAAc,qBAAqB,CAAC;AAGpC,cAAc,oBAAoB,CAAC"}

package/dist/index.js

@@ -0,0 +1,67 @@
+import { C, E, K, O, T, H, I, G, _, z, d, y, A, g, w, c, D, f, B, h, j, p, q, F, i, e, v, a, t, b, n, o, x, l, r, m, k, s, u } from "./storage-DuH3rTiu.js";
+import { H as H2, g as g2, e as e2, c as c2, d as d2, b as b2, a as a2, i as i2 } from "./platform-1V_81nPi.js";
+import { S, _ as _2, d as d3, f as f2, b as b3, g as g3, a as a3, e as e3, c as c3, h as h2, i as i3, r as r2, j as j2, u as u2, w as w2 } from "./storage-D-QEqQEn.js";
+export {
+  C as CREDENTIALS_FILE,
+  E as ENV_TOKEN_VARS,
+  H2 as HOME,
+  K as KEY_FILE,
+  O as OCTOCODE_DIR,
+  S as SESSION_FILE,
+  T as TimeoutError,
+  H as _getCacheStats,
+  I as _resetCredentialsCache,
+  G as _resetSecureStorageState,
+  _2 as _resetSessionState,
+  _ as _setSecureStorageAvailable,
+  z as decrypt,
+  d as deleteCredentials,
+  d3 as deleteSession,
+  y as encrypt,
+  A as ensureOctocodeDir,
+  f2 as flushSession,
+  b3 as flushSessionSync,
+  g2 as getAppDataPath,
+  e2 as getArchitecture,
+  g as getCredentials,
+  w as getCredentialsFilePath,
+  c as getCredentialsSync,
+  D as getEnvTokenSource,
+  c2 as getLocalAppDataPath,
+  g3 as getOrCreateSession,
+  d2 as getPlatformName,
+  a3 as getSessionId,
+  f as getToken,
+  B as getTokenFromEnv,
+  h as getTokenSync,
+  j as getTokenWithRefresh,
+  p as hasCredentials,
+  q as hasCredentialsSync,
+  F as hasEnvToken,
+  e3 as incrementErrors,
+  c3 as incrementPromptCalls,
+  h2 as incrementRateLimits,
+  i3 as incrementToolCalls,
+  i as initializeSecureStorage,
+  e as invalidateCredentialsCache,
+  b2 as isLinux,
+  a2 as isMac,
+  v as isRefreshTokenExpired,
+  a as isSecureStorageAvailable,
+  t as isTokenExpired,
+  b as isUsingSecureStorage,
+  i2 as isWindows,
+  n as listStoredHosts,
+  o as listStoredHostsSync,
+  x as readCredentialsStore,
+  r2 as readSession,
+  l as refreshAuthToken,
+  j2 as resetSessionStats,
+  r as resolveToken,
+  m as resolveTokenFull,
+  k as resolveTokenWithRefresh,
+  s as storeCredentials,
+  u2 as updateSessionStats,
+  u as updateToken,
+  w2 as writeSession
+};

package/dist/platform/index.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Platform Module Exports
+ */
+export { isWindows, isMac, isLinux, HOME, getAppDataPath, getLocalAppDataPath, getPlatformName, getArchitecture, } from './platform.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/platform/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/platform/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EACL,SAAS,EACT,KAAK,EACL,OAAO,EACP,IAAI,EACJ,cAAc,EACd,mBAAmB,EACnB,eAAe,EACf,eAAe,GAChB,MAAM,eAAe,CAAC"}

package/dist/platform/index.js

@@ -0,0 +1,11 @@
+import { H, g, e, c, d, b, a, i } from "../platform-1V_81nPi.js";
+export {
+  H as HOME,
+  g as getAppDataPath,
+  e as getArchitecture,
+  c as getLocalAppDataPath,
+  d as getPlatformName,
+  b as isLinux,
+  a as isMac,
+  i as isWindows
+};