1#!/usr/bin/env bash
 2# Ensure pi agent auth.json has API keys from passage without overwriting OAuth tokens
 3# This script merges declarative API keys into ~/.pi/agent/auth.json while preserving
 4# OAuth tokens that pi manages automatically (github-copilot, vertex-anthropic, etc.)
 5
 6set -euo pipefail
 7
 8RUNTIME_AUTH="$HOME/.pi/agent/auth.json"
 9API_KEYS_FILE="$(dirname "$0")/auth-keys.json"
10
11# Required for merging JSON
12if ! command -v jq >/dev/null 2>&1; then
13	echo "⚠️  jq not found - cannot manage auth.json automatically"
14	echo "   Install jq or manually configure API keys in $RUNTIME_AUTH"
15	exit 1
16fi
17
18# Required for passage-based secret retrieval
19if ! command -v passage >/dev/null 2>&1; then
20	echo "⚠️  passage not found - API keys use passage for secret management"
21	echo "   Install passage (pass fork with age encryption) or update auth-keys.json"
22	exit 1
23fi
24
25# Create runtime auth directory if it doesn't exist
26mkdir -p "$(dirname "$RUNTIME_AUTH")"
27
28# Initialize with empty object if auth.json doesn't exist
29if [ ! -f "$RUNTIME_AUTH" ]; then
30	echo "⚙️  Creating $RUNTIME_AUTH..."
31	echo '{}' > "$RUNTIME_AUTH"
32	chmod 600 "$RUNTIME_AUTH"
33fi
34
35# Extract OAuth tokens (preserve these - managed by pi)
36# These are set via /login in pi and should never be declaratively managed
37TEMP_OAUTH=$(mktemp)
38jq -r '
39  {
40    "github-copilot": .["github-copilot"],
41    "vertex-anthropic": .["vertex-anthropic"],
42    "claude-pro": .["claude-pro"],
43    "chatgpt": .["chatgpt"],
44    "gemini-cli": .["gemini-cli"],
45    "antigravity": .["antigravity"]
46  } | with_entries(select(.value != null))
47' "$RUNTIME_AUTH" > "$TEMP_OAUTH"
48
49# Merge OAuth tokens with declarative API keys
50# API keys override any existing keys, but OAuth tokens are preserved
51TEMP_MERGED=$(mktemp)
52jq -s '.[0] * .[1]' "$TEMP_OAUTH" "$API_KEYS_FILE" > "$TEMP_MERGED"
53
54# Atomic update
55mv "$TEMP_MERGED" "$RUNTIME_AUTH"
56chmod 600 "$RUNTIME_AUTH"
57rm -f "$TEMP_OAUTH"
58
59echo "✅ Pi agent auth.json updated with API keys:"
60jq -r 'to_entries | .[] | select(.value.type == "api_key") | "   - \(.key): \(.value.key)"' "$RUNTIME_AUTH"
61
62# Show preserved OAuth tokens
63OAUTH_COUNT=$(jq -r '[to_entries | .[] | select(.value.type == "oauth")] | length' "$RUNTIME_AUTH")
64if [ "$OAUTH_COUNT" -gt 0 ]; then
65	echo ""
66	echo "→ Preserved OAuth tokens:"
67	jq -r 'to_entries | .[] | select(.value.type == "oauth") | "   - \(.key)"' "$RUNTIME_AUTH"
68fi