voratiq 0.1.0-beta.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Voratiq
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,59 @@
+# Voratiq
+
+Run multiple AI coding agents in parallel, compare their results, and apply the best solution.
+
+![`voratiq run --spec specs/p1/agent-workspace-guardrails.md`](https://raw.githubusercontent.com/voratiq/voratiq/main/assets/run-demo.png)
+
+## Installation
+
+Voratiq is in public beta. Install via npm:
+
+```bash
+npm install -g voratiq@beta
+```
+
+### Requirements
+
+Core:
+
+- Node 20+
+- git
+- 1+ AI coding agent (Claude [(>=2.0.55)](https://github.com/anthropics/claude-code?tab=readme-ov-file#get-started), Codex [(>=0.66.0)](https://github.com/openai/codex?tab=readme-ov-file#quickstart), or Gemini [(>=0.19.4)](https://github.com/google-gemini/gemini-cli?tab=readme-ov-file#quick-install))
+
+Platform-specific:
+
+- macOS: `ripgrep`
+- Linux (Debian/Ubuntu): `bubblewrap`, `socat`, `ripgrep`
+
+See the [sandbox runtime docs](https://github.com/anthropic-experimental/sandbox-runtime/blob/1bafa66a2c3ebc52569fc0c1a868e85e778f66a0/README.md#platform-specific-dependencies) for installation instructions.
+
+Note: Windows is not currently supported.
+
+## Quick Start
+
+```bash
+# Initialize workspace
+voratiq init
+
+# Write a spec
+cat > specs/fix-auth.md <<EOF
+# Fix Session Timeout Bug
+Users are logged out after 5 minutes instead of 30.
+Sessions should honor SESSION_TIMEOUT_MS (default 30 minutes).
+EOF
+
+# Run agents in parallel
+voratiq run --spec specs/fix-auth.md
+
+# Review results
+voratiq review --run <run-id>
+
+# Apply the best solution
+voratiq apply --run <run-id> --agent <agent-id>
+```
+
+See the [docs](https://github.com/voratiq/voratiq/blob/main/docs/index.md) for core concepts, CLI reference, and guides on configuring agents, evals, runtime environments, and sandbox restrictions.
+
+## License
+
+Voratiq is available under the [MIT License](https://github.com/voratiq/voratiq/blob/main/LICENSE).

package/dist/auth/providers/claude/constants.d.ts

@@ -0,0 +1,7 @@
+export declare const CLAUDE_PROVIDER_ID: "claude";
+export declare const CLAUDE_SERVICE_NAME: "Claude Code-credentials";
+export declare const CLAUDE_CREDENTIAL_FILENAME: ".credentials.json";
+export declare const CLAUDE_CONFIG_DIRNAME: ".claude";
+export declare const CLAUDE_LOGIN_HINT: string;
+export declare const MAC_LOGIN_KEYCHAIN_HINT: string;
+export declare const CLAUDE_OAUTH_RELOGIN_HINT: string;

package/dist/auth/providers/claude/constants.js

@@ -0,0 +1,9 @@
+import { buildAuthFailedMessage } from "../messages.js";
+export const CLAUDE_PROVIDER_ID = "claude";
+export const CLAUDE_SERVICE_NAME = "Claude Code-credentials";
+export const CLAUDE_CREDENTIAL_FILENAME = ".credentials.json";
+export const CLAUDE_CONFIG_DIRNAME = ".claude";
+const CLAUDE_REAUTH_MESSAGE = buildAuthFailedMessage("Claude");
+export const CLAUDE_LOGIN_HINT = CLAUDE_REAUTH_MESSAGE;
+export const MAC_LOGIN_KEYCHAIN_HINT = CLAUDE_REAUTH_MESSAGE;
+export const CLAUDE_OAUTH_RELOGIN_HINT = CLAUDE_REAUTH_MESSAGE;

package/dist/auth/providers/claude/credentials.d.ts

@@ -0,0 +1,5 @@
+import type { StageOptions, VerifyOptions } from "../types.js";
+export declare function locateClaudeCredentials(options: VerifyOptions | StageOptions): Promise<string | undefined>;
+export declare function locateClaudeApiKey(options: VerifyOptions | StageOptions): Promise<string | undefined>;
+export declare function parseApiKeyFromClaudeConfig(content: string): string | undefined;
+export declare function validateClaudeCredentialSecret(secret: string): void;

package/dist/auth/providers/claude/credentials.js

@@ -0,0 +1,112 @@
+import { access } from "node:fs/promises";
+import { readFile } from "node:fs/promises";
+import { resolve as resolvePathNative } from "node:path";
+import { isMissing, resolveChildPath } from "../utils.js";
+import { CLAUDE_CONFIG_DIRNAME, CLAUDE_CREDENTIAL_FILENAME, CLAUDE_LOGIN_HINT, CLAUDE_OAUTH_RELOGIN_HINT, } from "./constants.js";
+import { ClaudeAuthProviderError } from "./error.js";
+export async function locateClaudeCredentials(options) {
+    for (const candidate of resolveClaudeConfigCandidates(options)) {
+        const credentialsPath = resolveChildPath(candidate, CLAUDE_CREDENTIAL_FILENAME);
+        try {
+            await access(credentialsPath);
+            return credentialsPath;
+        }
+        catch (error) {
+            if (!isMissing(error)) {
+                throw new ClaudeAuthProviderError(CLAUDE_LOGIN_HINT, { cause: error });
+            }
+        }
+    }
+    return undefined;
+}
+export async function locateClaudeApiKey(options) {
+    const { runtime: { homeDir }, } = options;
+    if (!homeDir) {
+        return undefined;
+    }
+    const configPath = resolveChildPath(homeDir, ".claude.json");
+    try {
+        const content = await readFile(configPath, "utf8");
+        return parseApiKeyFromClaudeConfig(content);
+    }
+    catch (error) {
+        if (isMissing(error)) {
+            return undefined;
+        }
+        throw new ClaudeAuthProviderError(CLAUDE_LOGIN_HINT, { cause: error });
+    }
+}
+export function parseApiKeyFromClaudeConfig(content) {
+    let parsed;
+    try {
+        parsed = JSON.parse(content);
+    }
+    catch (error) {
+        throw new ClaudeAuthProviderError(CLAUDE_LOGIN_HINT, { cause: error });
+    }
+    const key = parsed.primaryApiKey;
+    if (typeof key === "string" && key.trim().length > 0) {
+        return key.trim();
+    }
+    return undefined;
+}
+export function validateClaudeCredentialSecret(secret) {
+    const trimmed = secret?.trim();
+    if (!trimmed) {
+        throw new ClaudeAuthProviderError(buildMissingOauthMessage("empty secret"));
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(trimmed);
+    }
+    catch (error) {
+        throw new ClaudeAuthProviderError(CLAUDE_LOGIN_HINT, { cause: error });
+    }
+    const oauth = parsed.claudeAiOauth;
+    if (!oauth || typeof oauth !== "object") {
+        throw new ClaudeAuthProviderError(buildMissingOauthMessage("oauth payload missing"));
+    }
+    const { accessToken, refreshToken, expiresAt } = oauth;
+    if (!isNonEmptyString(accessToken)) {
+        throw new ClaudeAuthProviderError(buildMissingOauthMessage("access token missing"));
+    }
+    if (!isNonEmptyString(refreshToken)) {
+        throw new ClaudeAuthProviderError(buildMissingOauthMessage("refresh token missing"));
+    }
+    if (!isFiniteTimestamp(expiresAt)) {
+        throw new ClaudeAuthProviderError(buildMissingOauthMessage("expiry missing"));
+    }
+}
+function resolveClaudeConfigCandidates(options) {
+    const { runtime: { env, homeDir }, } = options;
+    const candidates = [];
+    const configured = env.CLAUDE_CONFIG_DIR?.trim();
+    if (configured) {
+        candidates.push(resolvePathNative(configured));
+    }
+    const xdg = env.XDG_CONFIG_HOME?.trim();
+    if (xdg) {
+        candidates.push(resolvePathNative(xdg, "claude"));
+    }
+    if (homeDir) {
+        candidates.push(resolveChildPath(homeDir, ".config", "claude"));
+        candidates.push(resolveChildPath(homeDir, CLAUDE_CONFIG_DIRNAME));
+    }
+    return candidates;
+}
+function isNonEmptyString(value) {
+    return typeof value === "string" && value.trim().length > 0;
+}
+function isFiniteTimestamp(value) {
+    if (typeof value === "number") {
+        return Number.isFinite(value);
+    }
+    if (typeof value === "string" && value.trim().length > 0) {
+        const parsed = Number.parseInt(value, 10);
+        return Number.isFinite(parsed);
+    }
+    return false;
+}
+function buildMissingOauthMessage(detail) {
+    return `${CLAUDE_OAUTH_RELOGIN_HINT} (${detail}).`;
+}

package/dist/auth/providers/claude/error.d.ts

@@ -0,0 +1,5 @@
+export declare class ClaudeAuthProviderError extends Error {
+    constructor(message: string, options?: {
+        cause?: unknown;
+    });
+}

package/dist/auth/providers/claude/error.js

@@ -0,0 +1,6 @@
+export class ClaudeAuthProviderError extends Error {
+    constructor(message, options) {
+        super(message, options);
+        this.name = "ClaudeAuthProviderError";
+    }
+}

package/dist/auth/providers/claude/keychain.d.ts

@@ -0,0 +1,4 @@
+import type { AuthRuntimeContext } from "../types.js";
+export declare function ensureKeychainCredential(runtime: AuthRuntimeContext): Promise<void>;
+export declare function readKeychainCredential(runtime: AuthRuntimeContext): Promise<string>;
+export declare function assertLoginKeychainExists(homeDir: string): Promise<void>;

package/dist/auth/providers/claude/keychain.js

@@ -0,0 +1,158 @@
+import { execFile } from "node:child_process";
+import { access, readdir, readFile } from "node:fs/promises";
+import { resolve as resolvePathNative } from "node:path";
+import { promisify } from "node:util";
+import { isMissing, resolveChildPath } from "../utils.js";
+import { CLAUDE_LOGIN_HINT, CLAUDE_SERVICE_NAME, MAC_LOGIN_KEYCHAIN_HINT, } from "./constants.js";
+import { ClaudeAuthProviderError } from "./error.js";
+const execFileAsync = promisify(execFile);
+const LOGIN_KEYCHAIN_FILENAMES = [
+    "login.keychain-db",
+    "login.keychain",
+];
+const TEST_KEYCHAIN_SECRET_PATH_ENV = "VORATIQ_TEST_KEYCHAIN_SECRET_PATH";
+export async function ensureKeychainCredential(runtime) {
+    await readKeychainCredential(runtime);
+}
+export async function readKeychainCredential(runtime) {
+    const testSecretPath = getTestKeychainSecretPath();
+    if (testSecretPath) {
+        return readTestSecret(testSecretPath);
+    }
+    await assertLoginKeychainExists(runtime.homeDir);
+    try {
+        const { stdout } = await execFileAsync("security", [
+            "find-generic-password",
+            "-s",
+            CLAUDE_SERVICE_NAME,
+            "-a",
+            runtime.username,
+            "-w",
+        ]);
+        return stdout;
+    }
+    catch (error) {
+        if (isMissingKeychainError(error)) {
+            throw new ClaudeAuthProviderError(MAC_LOGIN_KEYCHAIN_HINT, {
+                cause: error,
+            });
+        }
+        throw new ClaudeAuthProviderError(CLAUDE_LOGIN_HINT, { cause: error });
+    }
+}
+export async function assertLoginKeychainExists(homeDir) {
+    const testSecretPath = getTestKeychainSecretPath();
+    if (testSecretPath) {
+        await ensureTestSecretAvailable(testSecretPath);
+        return;
+    }
+    try {
+        const hasKeychain = await hasLoginKeychain(homeDir);
+        if (!hasKeychain) {
+            throw new ClaudeAuthProviderError(MAC_LOGIN_KEYCHAIN_HINT);
+        }
+    }
+    catch (error) {
+        if (error instanceof ClaudeAuthProviderError) {
+            throw error;
+        }
+        throw new ClaudeAuthProviderError(MAC_LOGIN_KEYCHAIN_HINT, {
+            cause: error,
+        });
+    }
+}
+async function hasLoginKeychain(homeDir) {
+    if (!homeDir) {
+        return false;
+    }
+    const keychainsRoot = resolveChildPath(homeDir, "Library", "Keychains");
+    let entries;
+    try {
+        entries = await readdir(keychainsRoot, { withFileTypes: true });
+    }
+    catch (error) {
+        if (isMissing(error)) {
+            return false;
+        }
+        throw error;
+    }
+    for (const entry of entries) {
+        if (isLoginKeychainName(entry.name) &&
+            (entry.isFile() || entry.isSymbolicLink())) {
+            return true;
+        }
+        if (entry.isDirectory()) {
+            const directoryPath = resolvePathNative(keychainsRoot, entry.name);
+            const hasKeychainFile = await directoryContainsLoginKeychain(directoryPath);
+            if (hasKeychainFile) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+async function directoryContainsLoginKeychain(directory) {
+    for (const filename of LOGIN_KEYCHAIN_FILENAMES) {
+        const candidatePath = resolvePathNative(directory, filename);
+        try {
+            await access(candidatePath);
+            return true;
+        }
+        catch (error) {
+            if (!isMissing(error)) {
+                throw error;
+            }
+        }
+    }
+    return false;
+}
+function isLoginKeychainName(name) {
+    return LOGIN_KEYCHAIN_FILENAMES.includes(name);
+}
+function isMissingKeychainError(error) {
+    if (error &&
+        typeof error === "object" &&
+        "stderr" in error &&
+        typeof error.stderr === "string") {
+        const stderr = error.stderr;
+        if (/errSecNoSuchKeychain/i.test(stderr)) {
+            return true;
+        }
+        if (/SecKeychainCopyDefault:.*could not be found/i.test(stderr)) {
+            return true;
+        }
+        if (/The specified keychain could not be found/i.test(stderr)) {
+            return true;
+        }
+    }
+    if (error instanceof Error && error.message) {
+        if (/errSecNoSuchKeychain/i.test(error.message)) {
+            return true;
+        }
+        if (/The specified keychain could not be found/i.test(error.message)) {
+            return true;
+        }
+    }
+    return false;
+}
+function getTestKeychainSecretPath() {
+    const override = process.env[TEST_KEYCHAIN_SECRET_PATH_ENV];
+    if (override && override.trim().length > 0) {
+        return override;
+    }
+    return undefined;
+}
+async function ensureTestSecretAvailable(path) {
+    try {
+        await access(path);
+    }
+    catch (error) {
+        throw new ClaudeAuthProviderError(MAC_LOGIN_KEYCHAIN_HINT, {
+            cause: error,
+        });
+    }
+}
+async function readTestSecret(path) {
+    await ensureTestSecretAvailable(path);
+    return readFile(path, "utf8");
+}

package/dist/auth/providers/claude.d.ts

@@ -0,0 +1,2 @@
+import type { AuthProvider } from "./types.js";
+export declare const claudeAuthProvider: AuthProvider;

package/dist/auth/providers/claude.js

@@ -0,0 +1,124 @@
+import { readFile } from "node:fs/promises";
+import { CLAUDE_CONFIG_DIRNAME, CLAUDE_CREDENTIAL_FILENAME, CLAUDE_LOGIN_HINT, CLAUDE_PROVIDER_ID, } from "./claude/constants.js";
+import { locateClaudeApiKey, locateClaudeCredentials, validateClaudeCredentialSecret, } from "./claude/credentials.js";
+import { ClaudeAuthProviderError } from "./claude/error.js";
+import { ensureKeychainCredential, readKeychainCredential, } from "./claude/keychain.js";
+import { disposeHandles, registerSandboxSecrets, stageSecretFile, } from "./secret-staging.js";
+import { teardownAuthProvider } from "./teardown.js";
+import { assertReadableFileOrThrow, composeSandboxEnvResult, createSandboxPaths, ensureDirectories, resolveChildPath, writeFileWithPermissions, } from "./utils.js";
+export const claudeAuthProvider = {
+    id: CLAUDE_PROVIDER_ID,
+    async verify(options) {
+        if (isMac(options.runtime.platform)) {
+            await ensureKeychainCredential(options.runtime);
+            return { status: "ok" };
+        }
+        const credentialsPath = await locateClaudeCredentials(options);
+        if (credentialsPath) {
+            return { status: "ok" };
+        }
+        const apiKey = await locateClaudeApiKey(options);
+        if (!apiKey) {
+            throw new ClaudeAuthProviderError(CLAUDE_LOGIN_HINT);
+        }
+        return { status: "ok" };
+    },
+    async stage(options) {
+        return stageClaudeCredentials(options);
+    },
+    async teardown(options) {
+        await teardownAuthProvider(options);
+    },
+};
+async function stageClaudeCredentials(options) {
+    const sandboxPaths = createSandboxPaths(options.agentRoot, {
+        config: [".config"],
+        cache: [".cache"],
+        data: [".local", "share"],
+        state: [".local", "state"],
+        logs: ["logs"],
+        debugLogs: ["logs", "debug"],
+        tmp: ["tmp"],
+    });
+    const claudeConfigDir = resolveChildPath(sandboxPaths.home, CLAUDE_CONFIG_DIRNAME);
+    const debugLogFile = resolveChildPath(sandboxPaths.debugLogs, "claude.log");
+    const sandboxCredentialPath = resolveChildPath(claudeConfigDir, CLAUDE_CREDENTIAL_FILENAME);
+    let stagedApiKey;
+    await ensureDirectories([...Object.values(sandboxPaths), claudeConfigDir]);
+    await writeFileWithPermissions(debugLogFile, "", { flag: "a" });
+    const secretHandles = [];
+    const stageCredential = async (payload) => {
+        validateClaudeCredentialSecret(payload);
+        const handle = await stageSecretFile(sandboxPaths.home, {
+            destinationPath: sandboxCredentialPath,
+            sourceBytes: Buffer.from(payload, "utf8"),
+            providerId: CLAUDE_PROVIDER_ID,
+            fileLabel: CLAUDE_CREDENTIAL_FILENAME,
+        });
+        secretHandles.push(handle);
+    };
+    try {
+        if (isMac(options.runtime.platform)) {
+            const secret = await readKeychainCredential(options.runtime);
+            if (!secret) {
+                throw new ClaudeAuthProviderError(CLAUDE_LOGIN_HINT);
+            }
+            await stageCredential(secret);
+        }
+        else {
+            const credentialsPath = await locateClaudeCredentials(options);
+            if (credentialsPath) {
+                await assertReadableFileOrThrow(credentialsPath, (cause) => new ClaudeAuthProviderError(CLAUDE_LOGIN_HINT, { cause }));
+                const credentialsContent = await readFile(credentialsPath, "utf8");
+                await stageCredential(credentialsContent);
+            }
+            else {
+                const apiKey = await locateClaudeApiKey(options);
+                if (!apiKey) {
+                    throw new ClaudeAuthProviderError(CLAUDE_LOGIN_HINT);
+                }
+                stagedApiKey = apiKey;
+                const apiKeyConfigPath = resolveChildPath(options.runtime.homeDir, ".claude.json");
+                await assertReadableFileOrThrow(apiKeyConfigPath, (cause) => new ClaudeAuthProviderError(CLAUDE_LOGIN_HINT, { cause }));
+                const apiKeyConfigContent = await readFile(apiKeyConfigPath, "utf8");
+                const handle = await stageSecretFile(sandboxPaths.home, {
+                    destinationPath: resolveChildPath(sandboxPaths.home, ".claude.json"),
+                    sourceBytes: Buffer.from(apiKeyConfigContent, "utf8"),
+                    providerId: CLAUDE_PROVIDER_ID,
+                    fileLabel: ".claude.json",
+                });
+                secretHandles.push(handle);
+            }
+        }
+    }
+    catch (error) {
+        await disposeHandles(secretHandles);
+        throw error;
+    }
+    registerSandboxSecrets(sandboxPaths.home, secretHandles);
+    const stagedEnv = buildSandboxEnvironment(sandboxPaths, claudeConfigDir, debugLogFile);
+    if (stagedApiKey) {
+        stagedEnv.ANTHROPIC_API_KEY = stagedApiKey;
+    }
+    return composeSandboxEnvResult(sandboxPaths.home, stagedEnv);
+}
+function buildSandboxEnvironment(paths, claudeConfigDir, debugLogFile) {
+    return {
+        CLAUDE_CONFIG_DIR: claudeConfigDir,
+        XDG_CONFIG_HOME: paths.config,
+        XDG_CACHE_HOME: paths.cache,
+        XDG_DATA_HOME: paths.data,
+        XDG_STATE_HOME: paths.state,
+        CLAUDE_CODE_DEBUG_LOGS_DIR: debugLogFile,
+        CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC: "true",
+        DISABLE_AUTOUPDATER: "true",
+        DISABLE_ERROR_REPORTING: "true",
+        CLAUDE_CODE_ENABLE_TELEMETRY: "0",
+        TMPDIR: paths.tmp,
+        TEMP: paths.tmp,
+        TMP: paths.tmp,
+    };
+}
+function isMac(platform) {
+    return platform === "darwin";
+}

package/dist/auth/providers/codex.d.ts

@@ -0,0 +1,2 @@
+import type { AuthProvider } from "./types.js";
+export declare const codexAuthProvider: AuthProvider;

package/dist/auth/providers/codex.js

@@ -0,0 +1,93 @@
+import { constants as fsConstants } from "node:fs";
+import { access, readFile } from "node:fs/promises";
+import { buildAuthFailedMessage } from "./messages.js";
+import { disposeHandles, registerSandboxSecrets, stageSecretFile, } from "./secret-staging.js";
+import { teardownAuthProvider } from "./teardown.js";
+import { assertReadableFileOrThrow, composeSandboxEnvResult, copyOptionalFileWithPermissions, createSandboxPaths, ensureDirectories, isMissing, resolveChildPath, resolveProviderHome, } from "./utils.js";
+const { F_OK } = fsConstants;
+const CODEX_PROVIDER_ID = "codex";
+const CODEX_AUTH_FILENAME = "auth.json";
+const CODEX_CONFIG_FILENAME = "config.toml";
+const CODEX_LOGIN_HINT = buildAuthFailedMessage("Codex");
+export const codexAuthProvider = {
+    id: CODEX_PROVIDER_ID,
+    async verify(options) {
+        const authPath = await locateCodexAuthFile(options);
+        if (!authPath) {
+            throw new CodexAuthProviderError(CODEX_LOGIN_HINT);
+        }
+        await assertReadableFileOrThrow(authPath, (cause) => new CodexAuthProviderError(CODEX_LOGIN_HINT, { cause }));
+        return { status: "ok" };
+    },
+    async stage(options) {
+        const authPath = await locateCodexAuthFile(options);
+        if (!authPath) {
+            throw new CodexAuthProviderError(CODEX_LOGIN_HINT);
+        }
+        await assertReadableFileOrThrow(authPath, (cause) => new CodexAuthProviderError(CODEX_LOGIN_HINT, { cause }));
+        const sandboxPaths = createSandboxPaths(options.agentRoot, {
+            codex: [".codex"],
+            logs: ["Library", "Logs", "Codex"],
+            support: ["Library", "Application Support", "Codex"],
+        });
+        await ensureDirectories(Object.values(sandboxPaths));
+        const secretHandles = [];
+        try {
+            const credentialPath = resolveChildPath(sandboxPaths.codex, CODEX_AUTH_FILENAME);
+            const bytes = await readFile(authPath);
+            const handle = await stageSecretFile(sandboxPaths.home, {
+                destinationPath: credentialPath,
+                sourceBytes: bytes,
+                providerId: CODEX_PROVIDER_ID,
+                fileLabel: CODEX_AUTH_FILENAME,
+            });
+            secretHandles.push(handle);
+            await copyOptionalConfig(options, sandboxPaths.codex);
+        }
+        catch (error) {
+            await disposeHandles(secretHandles);
+            throw error;
+        }
+        registerSandboxSecrets(sandboxPaths.home, secretHandles);
+        const envResult = composeSandboxEnvResult(sandboxPaths.home, {
+            CODEX_HOME: sandboxPaths.codex,
+            RUST_BACKTRACE: "1",
+        });
+        return envResult;
+    },
+    async teardown(options) {
+        await teardownAuthProvider(options);
+    },
+};
+class CodexAuthProviderError extends Error {
+    constructor(message, options) {
+        super(message, options);
+        this.name = "CodexAuthProviderError";
+    }
+}
+async function locateCodexAuthFile(options) {
+    const codexHome = resolveProviderHome(options.runtime, "CODEX_HOME", ".codex");
+    if (!codexHome) {
+        return undefined;
+    }
+    const authPath = resolveChildPath(codexHome, CODEX_AUTH_FILENAME);
+    try {
+        await access(authPath, F_OK);
+        return authPath;
+    }
+    catch (error) {
+        if (isMissing(error)) {
+            return undefined;
+        }
+        throw new CodexAuthProviderError(CODEX_LOGIN_HINT, { cause: error });
+    }
+}
+async function copyOptionalConfig(options, sandboxPath) {
+    const codexHome = resolveProviderHome(options.runtime, "CODEX_HOME", ".codex");
+    if (!codexHome) {
+        return;
+    }
+    const configPath = resolveChildPath(codexHome, CODEX_CONFIG_FILENAME);
+    const destinationConfigPath = resolveChildPath(sandboxPath, CODEX_CONFIG_FILENAME);
+    await copyOptionalFileWithPermissions(configPath, destinationConfigPath, (cause) => new CodexAuthProviderError(CODEX_LOGIN_HINT, { cause }));
+}

package/dist/auth/providers/gemini.d.ts

@@ -0,0 +1,2 @@
+import type { AuthProvider } from "./types.js";
+export declare const geminiAuthProvider: AuthProvider;