feat(droid): support encrypted auth.v2 file format

[wenyuanw]

Description

Support Factory Droid's new encrypted auth file format (auth.v2).

Factory (Droid) has migrated its local credential storage from plain-text JSON (~/.factory/auth.json) to an AES-256-GCM encrypted format using two files:

• ~/.factory/auth.v2.file — encrypted payload (iv:authTag:ciphertext, base64-encoded)
• ~/.factory/auth.v2.key — 256-bit encryption key (base64-encoded)

This PR updates the Droid auth module to:

1. Read the new v2 encrypted auth files, decrypting via crypto.createDecipheriv("aes-256-gcm").
2. Write back refreshed tokens in the same encrypted format when auto-refreshing expired tokens.
3. Fall back to legacy auth.json / auth.encrypted if v2 files are not present, ensuring backward compatibility.
4. Update the "not configured" error message to reference both v2 and legacy file paths.

Files Changed

File	Change
src/droid/auth.ts	Added tryParseAuthV2() for decryption, saveAuthV2() for re-encryption, updated loadAuthFromFiles() to prioritize v2 format
src/droid/fetcher.ts	Updated error message to mention auth.v2.* paths

Screencast

N/A — This is an internal auth resolution change with no UI modifications.

Checklist

• I read the extension guidelines
• I read the documentation about publishing
• I ran npm run build and tested this distribution build in Raycast
• I checked that files in the assets folder are used by the extension itself
• I checked that assets used in the README are located outside the metadata folder if they were not generated with our metadata tool

[raycastbot]

Thank you for your contribution! 🎉

🔔 @natsustan @alexibuild @AdrianBonpin you might want to have a look.

You can use this guide to learn how to check out the Pull Request locally in order to test it.

📋 Quick checkout commands

BRANCH="ext/agent-usage"
FORK_URL="https://github.com/wenyuanw/raycast-extensions.git"
EXTENSION_NAME="agent-usage"
REPO_NAME="raycast-extensions"

git clone -n --depth=1 --filter=tree:0 -b $BRANCH $FORK_URL
cd $REPO_NAME
git sparse-checkout set --no-cone "extensions/$EXTENSION_NAME"
git checkout
cd "extensions/$EXTENSION_NAME"
npm install && npm run dev

We're currently experiencing a high volume of incoming requests. As a result, the initial review may take up to 10-15 business days.

[greptile-apps]

Greptile Summary

This PR adds support for Factory Droid's new AES-256-GCM encrypted credential format (auth.v2.file / auth.v2.key), while maintaining full backward compatibility with the legacy plain-text auth.json / auth.encrypted files. The crypto implementation is correct — a fresh random IV is generated on every write, the GCM auth tag is stored alongside the ciphertext for integrity verification, and errors are caught gracefully so the extension falls back to legacy files when the v2 format is unavailable.

Key changes:

• tryParseAuthV2() — reads and AES-256-GCM-decrypts ~/.factory/auth.v2.file using the key from ~/.factory/auth.v2.key
• saveAuthV2() — re-encrypts refreshed tokens back to auth.v2.file in the same format
• loadAuthFromFiles() — prioritises v2 format, falls back to legacy paths
• fetcher.ts error message updated to surface both v2 and legacy paths
• CHANGELOG.md was not updated — a new entry with the {PR_MERGE_DATE} placeholder should be prepended per repo policy

Confidence Score: 5/5

Safe to merge — the crypto logic is sound and backward compatibility is preserved; only a missing CHANGELOG entry remains.

All findings are P2 (style/policy). The AES-256-GCM implementation is correct, error handling is robust, and the fallback to legacy files works as expected. The sole outstanding item is the missing CHANGELOG update, which does not affect runtime behaviour.

CHANGELOG.md — needs a new entry with the {PR_MERGE_DATE} placeholder prepended.

Important Files Changed

Filename	Overview
extensions/agent-usage/src/droid/auth.ts	Adds AES-256-GCM decryption (tryParseAuthV2) and re-encryption (saveAuthV2) for the new auth.v2.* file format; falls back to legacy plain-text files; crypto usage (random IV per write, GCM auth tag stored/verified) is correct.
extensions/agent-usage/src/droid/fetcher.ts	Minor error-message update to surface the new auth.v2.* paths alongside the legacy auth.* glob; no logic changes.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: extensions/agent-usage/CHANGELOG.md
Line: 1

Comment:
**CHANGELOG not updated for this PR**

The custom repo policy requires a new CHANGELOG entry for every pull request, using the `{PR_MERGE_DATE}` placeholder. The current top of the file still points to the previous release (`2026-03-16`).

Please prepend a new entry, for example:

```suggestion
## [Encrypted Auth v2 Support] - {PR_MERGE_DATE}

- Support Factory Droid's new `auth.v2.*` encrypted credential format (AES-256-GCM)
- Fall back to legacy `auth.json` / `auth.encrypted` when v2 files are absent

# Agent Usage Changelog
```

**Rule Used:** What: Ensure that CHANGELOG.md is created or updat... ([source](https://app.greptile.com/review/custom-context?memory=97cd51bc-963b-43f5-acc3-9ba85fe7bb2d))

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "chore: add changelog for Droid encrypted..." | Re-trigger Greptile}

[greptile-apps]

CHANGELOG not updated for this PR

The custom repo policy requires a new CHANGELOG entry for every pull request, using the {PR_MERGE_DATE} placeholder. The current top of the file still points to the previous release (2026-03-16).

Please prepend a new entry, for example:

Suggested change

	# Agent Usage Changelog
	## [Encrypted Auth v2 Support] - {PR_MERGE_DATE}
	- Support Factory Droid's new `auth.v2.*` encrypted credential format (AES-256-GCM)
	- Fall back to legacy `auth.json` / `auth.encrypted` when v2 files are absent
	# Agent Usage Changelog

Rule Used: What: Ensure that CHANGELOG.md is created or updat... (source)

Prompt To Fix With AI

This is a comment left during a code review.
Path: extensions/agent-usage/CHANGELOG.md
Line: 1

Comment:
**CHANGELOG not updated for this PR**

The custom repo policy requires a new CHANGELOG entry for every pull request, using the `{PR_MERGE_DATE}` placeholder. The current top of the file still points to the previous release (`2026-03-16`).

Please prepend a new entry, for example:

```suggestion
## [Encrypted Auth v2 Support] - {PR_MERGE_DATE}

- Support Factory Droid's new `auth.v2.*` encrypted credential format (AES-256-GCM)
- Fall back to legacy `auth.json` / `auth.encrypted` when v2 files are absent

# Agent Usage Changelog
```

**Rule Used:** What: Ensure that CHANGELOG.md is created or updat... ([source](https://app.greptile.com/review/custom-context?memory=97cd51bc-963b-43f5-acc3-9ba85fe7bb2d))

How can I resolve this? If you propose a fix, please make it concise.

[natsustan]

Crypto implementation is correct, backward compatibility is preserved, and error handling is solid.
Good to merge!