import type { CredentialStore, KeychainData, KeychainItemRef } from './credential-store.js';

/**
 * Path to Claude Code's "fallback" credentials file.
 *
 * On macOS, Claude Code 2.x prefers the Keychain item `Claude Code-credentials`
 * but falls back to this file when the item is absent. We never write the
 * Keychain item, so this file IS the source of truth for the active OAuth
 * token. On Linux/Windows, Claude Code reads `~/.claude.json` for `oauthAccount`
 * metadata and uses this file (when present) for tokens — same shape.
 *
 * Format: `{ "claudeAiOauth": { "accessToken", "refreshToken", "expiresAt", ... } }`
 * matching the Keychain blob exactly, so a write here is byte-equivalent to
 * the previous Keychain write.
 *
 * Security notes:
 * - The blob carries `refreshToken` as well as `accessToken`, so read access
 *   to this file is presumably worth more than the current access token
 *   alone. Keep the file's contents out of logs, bug reports and support
 *   bundles.
 * - NOTE(review): "source of truth" holds only while the macOS Keychain item
 *   is absent. Since Claude Code prefers the item when it exists, a leftover
 *   item would presumably shadow this file — confirm how migration handles
 *   a pre-existing item.
 *
 * @returns The credentials file path; the security notes on
 *   `FileCredentialStore` give it as `~/.claude/.credentials.json`.
 */
export declare function defaultCredentialsFilePath(): string;

/**
 * Path to the per-config-dir credentials file (claude-switch profiles).
 *
 * Per-profile token storage lives under `{configDir}/.credentials.json` so a
 * `claude` invocation with `CLAUDE_CONFIG_DIR={configDir}` reads the profile's
 * own token. Mirrors the per-config-dir Keychain item naming we used to
 * produce via SHA-256(configDir)[:8], but now it's just a file path under
 * the existing config dir — no service-name suffix needed.
 *
 * @param configDir Profile config directory. `null` / `undefined` are
 *   accepted by the signature; NOTE(review): presumably they resolve to the
 *   default credentials path — confirm against the implementation.
 *   NOTE(review): the result is built from `configDir`, so the file lands
 *   wherever the caller points; whether the path is normalised or checked
 *   is not visible here — verify before passing externally supplied values.
 * @returns Path of the credentials file for that config dir.
 */
export declare function credentialsFileForConfigDir(configDir: string | null | undefined): string;

/**
 * Stable hash for legacy per-config-dir item lookups, kept so callers that
 * previously addressed an item by its Keychain service-name suffix still
 * have a way to reconstruct the path. Same algorithm as the deprecated
 * `claudeKeychainServiceFor` (NFC-normalised absolute path, SHA-256 first
 * 8 chars).
 *
 * This is a naming aid, not a security control: an 8-character prefix of a
 * digest is short enough that two different config dirs can share a value.
 * Do not use it to authenticate a profile or to prove that two paths differ.
 *
 * @param configDir Config directory to hash.
 * @returns The 8-character hash suffix described above.
 */
export declare function configDirHash(configDir: string): string;

/**
 * Pure-fs adapter implementing `CredentialStore`. Cross-platform. No
 * external binary calls, no OS keyring, no dialogs.
 *
 * Security model documented honestly in SECURITY.md / README:
 *   - tokens at rest in `~/.claude/.credentials.json` (mode 0600, parent 0700)
 *   - protected against backups / cloud sync of the home dir only insofar
 *     as those tools respect file permissions
 *   - NOT protected against malicious processes running as the same user
 *   - matches the model of gh CLI, AWS CLI, npm, Docker
 *
 * Review caveats on that model:
 *   - 0600 / 0700 are POSIX mode bits. NOTE(review): on Windows, Node's
 *     chmod only toggles the read-only attribute and does not restrict
 *     other accounts, so the "mode 0600" guarantee presumably does not
 *     carry over there — confirm what protects the file on Windows (ACLs
 *     inherited from the user profile directory, or nothing extra).
 *   - NOTE(review): some of the tools named above can also use an OS keyring
 *     or a credential helper; the comparison is with their plaintext-file
 *     mode.
 *   - Tokens are stored unencrypted, so anything that copies the file
 *     (backup, sync, disk image) copies usable credentials.
 */
export declare class FileCredentialStore implements CredentialStore {
    /**
     * Test-mode kill switch. The historical flag CLAUDE_SWITCH_DISABLE_KEYCHAIN=1
     * was set by the test runner to keep `npm test` from touching the developer's
     * real Keychain. Under Phase 24 file storage, the equivalent risk is writing
     * into the developer's real `~/.claude/.credentials.json` or
     * `~/.claude-switch/apikeys.json` during a test. Same flag, broader meaning:
     * "the store is disabled — behave as if nothing is persistent".
     *
     * Tests that exercise the real persistence path inject a temp-dir-backed
     * adapter via `deps.credentials` and don't need the flag.
     *
     * NOTE(review): where the flag is read is not visible in this declaration.
     * Presumably writes are dropped while it is set, so callers should check
     * `available()` rather than assume a write persisted — confirm.
     */
    private disabled;

    /**
     * Reports whether the store can be used.
     * NOTE(review): presumably `false` while `disabled` is set — confirm.
     */
    available(): boolean;

    /**
     * Reads the OAuth blob from the default credentials file.
     * @returns The stored data, or `null`. NOTE(review): whether `null` also
     *   covers an unreadable or malformed file is not visible here — confirm.
     */
    readOAuth(): KeychainData | null;

    /**
     * Writes the OAuth blob to the default credentials file.
     * NOTE(review): returns `void`, so a failed write has no return channel;
     * whether it throws or is silently dropped is not visible here — confirm,
     * because a lost write leaves a stale token in place.
     */
    writeOAuth(data: KeychainData): void;

    /**
     * Per-profile variant of `readOAuth`.
     * @param configDir Profile config directory; `null` is accepted
     *   (presumably meaning the default location — confirm).
     */
    readOAuthForConfigDir(configDir: string | null): KeychainData | null;

    /**
     * Per-profile variant of `writeOAuth`.
     * @param configDir Profile config directory; `null` is accepted
     *   (presumably meaning the default location — confirm).
     * @param data OAuth blob to store.
     * @param _trustedBins Underscore-prefixed: presumably ignored by the file
     *   store and kept only so the Keychain-era signature still matches.
     *   NOTE(review): if so, callers must not treat passing it as a
     *   restriction on which binaries can read the token — confirm.
     */
    writeOAuthForConfigDir(configDir: string | null, data: KeychainData, _trustedBins?: string[]): void;

    /**
     * Removes the stored OAuth data for a profile.
     * @returns Presumably `true` when something was removed — confirm.
     */
    deleteOAuthForConfigDir(configDir: string | null): boolean;

    /**
     * Looks up the API key stored for an account e-mail.
     * NOTE(review): the kill-switch comment names
     * `~/.claude-switch/apikeys.json` as a file this store can write, so it is
     * presumably the backing file. The class-level security model spells out
     * permissions only for `.credentials.json` — confirm that the API-key file
     * gets the same 0600 / 0700 treatment.
     */
    readApiKey(email: string): string | null;

    /**
     * Stores an API key under an account e-mail.
     * @returns Presumably `true` on success — confirm.
     */
    writeApiKey(email: string, key: string): boolean;

    /**
     * Deletes the API key stored for an account e-mail.
     * @returns Presumably `true` when a key was removed — confirm.
     */
    deleteApiKey(email: string): boolean;

    /**
     * No-op under file storage — the Keychain item enumeration is meaningless
     * here. Kept on the port so the legacy `setup-keychain` command (deprecated
     * by Phase 24) still type-checks for the migration window.
     *
     * NOTE(review): presumably always returns an empty array — confirm.
     */
    listOAuthKeychainItems(): KeychainItemRef[];

    /**
     * No-op under file storage. The partition-list concept doesn't apply to
     * files. Returns `false` so any caller that asks "did you widen it?"
     * understands nothing happened — there was nothing to widen.
     */
    setPartitionList(_service: string, _account: string, _partitions: string): boolean;
}