Module resolver 

Identity → env-var resolver.

Per-provider matrix of which env vars carry which credential. The GitHub PAT becomes both GITHUB_TOKEN and GH_TOKEN because both the official gh CLI and direct API consumers (curl, oct.js) read one or the other; emitting both is the lowest-friction way to make every common workflow Just Work.

Modules

oauth_status

Canonical-value enumeration for OAuth-class IdentityAccount.status.

Enums

OAuthProbeStatus

Result of probing a per-bundle OAuth token directory.

ProviderClass

What kind of credential a provider uses, and how inject_identity_env puts it into the agent’s env at spawn time. Per SPEC_OAUTH_IDENTITY_BUNDLES_2026_05_22.md §4.3.

ResolverError

Errors specific to the resolver. Every variant is recoverable (the spawn proceeds with whatever env vars resolved successfully) — they exist for tracing visibility, not control flow.

Functions

inject_identity_env

Inject identity-derived env vars into the spawn map for a block.

inject_identity_env_with_broker

inject_identity_env + optional broker handle so the OAuth-class branch can publish identitybundlebindings:changed:<bundle_id> on a status change discovered by the expiry probe. The broker is Option<Arc<Broker>> — None (the legacy entry point, kept for test ergonomics) skips the publish; in production both call sites (app_api.rs AgentSendCommand + websocket.rs AgentInputCommand) pass Some(broker.clone()) so the IdentityManager’s bindings table flips its status badge without a reload. Per spec §4.4.

probe_oauth_status

Cheap on-disk probe of the per-bundle OAuth token file for a provider. No network calls — just reads + parses the token JSON, then compares expiresAt against now_ms.

provider_class

Classify a provider id. None for unknown providers — the resolver logs and skips them.

provider_env_vars

Legacy convenience: env vars for an api-key provider. Delegates to provider_class; returns empty for oauth-class providers (their resolution path doesn’t go through string-secret env-var injection) and for unknown providers.

resolve_secret

Resolve a SecretRef to the plaintext credential string. Each backend has a distinct path: