@bjesuiter/codex-switcher 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 bjesuiter
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,128 @@
+# cdx
+
+CLI tool to switch between multiple OpenAI accounts for [OpenCode](https://opencode.ai).
+
+## Supported Configurations
+
+- **OpenAI Plus & Pro subscription accounts**: Log in to multiple OpenAI accounts via OAuth and switch the active auth credentials used by OpenCode.
+
+## Requirements
+
+- macOS (uses Keychain via the `security` command)
+- [Bun](https://bun.sh) runtime
+
+## Install
+
+```bash
+bun add -g @bjesuiter/codex-switch
+```
+
+This exposes the `cdx` binary globally.
+
+## Usage
+
+### Add your first account
+
+```bash
+cdx login
+```
+
+Opens your browser to authenticate with OpenAI. After successful login, your credentials are stored securely in macOS Keychain.
+
+### Switch between accounts
+
+```bash
+cdx switch
+```
+
+Interactive picker to select an account. Writes credentials to `~/.local/share/opencode/auth.json`.
+
+```bash
+cdx switch --next
+```
+
+Cycles to the next configured account without prompting.
+
+```bash
+cdx switch <account-id-or-label>
+```
+
+Switch directly to a specific account by ID or label.
+
+### Label accounts
+
+```bash
+cdx label
+```
+
+Interactive prompt to assign a friendly name to an account.
+
+```bash
+cdx label <account> <new-label>
+```
+
+Assign a label directly.
+
+### Interactive mode
+
+```bash
+cdx
+```
+
+Running `cdx` without arguments opens an interactive menu to:
+- List all configured accounts
+- Switch to a different account
+- Add a new account (OAuth login)
+- Remove an account
+
+## Commands
+
+| Command | Description |
+|---------|-------------|
+| `cdx` | Interactive mode |
+| `cdx login` | Add a new OpenAI account via OAuth |
+| `cdx switch` | Switch account (interactive picker) |
+| `cdx switch --next` | Cycle to next account |
+| `cdx switch <id>` | Switch to specific account |
+| `cdx label` | Label an account (interactive) |
+| `cdx label <account> <label>` | Assign label directly |
+| `cdx --help` | Show help |
+| `cdx --version` | Show version |
+
+## How It Works
+
+- OAuth credentials are stored securely in macOS Keychain
+- Account list is stored in `~/.config/cdx/accounts.json`
+- Active account credentials are written to `~/.local/share/opencode/auth.json`
+
+## For Developers
+
+### Install from source
+
+```bash
+git clone https://github.com/bjesuiter/codex-switcher.git
+cd codex-switcher
+bun install
+bun link
+```
+
+### Manual Configuration (Advanced)
+
+You can also manually add accounts to Keychain:
+
+```bash
+security add-generic-password -a "ACCOUNT_ID" -s "cdx-openai-ACCOUNT_ID" -w '{"refresh":"REFRESH","access":"ACCESS","expires":1234567890,"accountId":"ACCOUNT_ID"}' -U
+```
+
+And create the accounts list manually:
+
+```json
+{
+  "current": 0,
+  "accounts": [
+    { "accountId": "ACCOUNT_ID", "keychainService": "cdx-openai-ACCOUNT_ID" }
+  ]
+}
+```
+
+Save to `~/.config/cdx/accounts.json`.

package/cdx.mjs

@@ -0,0 +1,714 @@
+#!/usr/bin/env bun
+import { Command } from "commander";
+import projectVersion from "project-version";
+import { mkdir, readFile, writeFile } from "node:fs/promises";
+import path from "node:path";
+import os from "node:os";
+import { existsSync } from "node:fs";
+import * as p from "@clack/prompts";
+import { spawn } from "node:child_process";
+import { generatePKCE } from "@openauthjs/openauth/pkce";
+import { randomBytes } from "node:crypto";
+import http from "node:http";
+
+//#region lib/paths.ts
+const defaultConfigDir = path.join(os.homedir(), ".config", "cdx");
+const defaultPaths = {
+	configDir: defaultConfigDir,
+	configPath: path.join(defaultConfigDir, "accounts.json"),
+	authPath: path.join(os.homedir(), ".local", "share", "opencode", "auth.json")
+};
+let currentPaths = { ...defaultPaths };
+const getPaths = () => currentPaths;
+const setPaths = (paths) => {
+	currentPaths = {
+		...currentPaths,
+		...paths
+	};
+	if (paths.configDir && !paths.configPath) currentPaths.configPath = path.join(paths.configDir, "accounts.json");
+};
+const resetPaths = () => {
+	currentPaths = { ...defaultPaths };
+};
+const createTestPaths = (testDir) => ({
+	configDir: path.join(testDir, "config"),
+	configPath: path.join(testDir, "config", "accounts.json"),
+	authPath: path.join(testDir, "auth", "auth.json")
+});
+
+//#endregion
+//#region lib/auth.ts
+const writeAuthFile = async (payload) => {
+	const { authPath } = getPaths();
+	await mkdir(path.dirname(authPath), { recursive: true });
+	const authJson = { openai: {
+		type: "oauth",
+		refresh: payload.refresh,
+		access: payload.access,
+		expires: payload.expires,
+		accountId: payload.accountId
+	} };
+	await writeFile(authPath, JSON.stringify(authJson, null, 2), "utf8");
+};
+
+//#endregion
+//#region lib/config.ts
+const loadConfig = async () => {
+	const { configPath } = getPaths();
+	if (!existsSync(configPath)) throw new Error(`Missing config at ${configPath}. Create accounts.json to list Keychain services.`);
+	const raw = await readFile(configPath, "utf8");
+	const parsed = JSON.parse(raw);
+	if (!Array.isArray(parsed.accounts) || parsed.accounts.length === 0) throw new Error("accounts.json must include a non-empty accounts array.");
+	if (typeof parsed.current !== "number" || Number.isNaN(parsed.current)) parsed.current = 0;
+	return parsed;
+};
+const saveConfig = async (config) => {
+	const { configDir, configPath } = getPaths();
+	await mkdir(configDir, { recursive: true });
+	await writeFile(configPath, JSON.stringify(config, null, 2), "utf8");
+};
+const configExists = () => {
+	const { configPath } = getPaths();
+	return existsSync(configPath);
+};
+
+//#endregion
+//#region lib/keychain.ts
+const SERVICE_PREFIX = "cdx-openai-";
+const getKeychainService = (accountId) => {
+	return `${SERVICE_PREFIX}${accountId}`;
+};
+const runSecurity = (args) => {
+	const result = Bun.spawnSync({
+		cmd: ["security", ...args],
+		stderr: "pipe",
+		stdout: "pipe"
+	});
+	if (result.exitCode !== 0) {
+		const message = result.stderr.toString().trim();
+		throw new Error(message || "Keychain command failed");
+	}
+	return result.stdout.toString();
+};
+const runSecuritySafe = (args) => {
+	const result = Bun.spawnSync({
+		cmd: ["security", ...args],
+		stderr: "pipe",
+		stdout: "pipe"
+	});
+	return {
+		success: result.exitCode === 0,
+		output: result.exitCode === 0 ? result.stdout.toString() : result.stderr.toString()
+	};
+};
+const saveKeychainPayload = (accountId, payload) => {
+	runSecurity([
+		"add-generic-password",
+		"-a",
+		accountId,
+		"-s",
+		getKeychainService(accountId),
+		"-w",
+		JSON.stringify(payload),
+		"-U"
+	]);
+};
+const loadKeychainPayload = (accountId) => {
+	const raw = runSecurity([
+		"find-generic-password",
+		"-s",
+		getKeychainService(accountId),
+		"-w"
+	]).trim();
+	if (!raw) throw new Error(`No Keychain payload found for account ${accountId}.`);
+	const parsed = JSON.parse(raw);
+	if (!parsed.refresh || !parsed.access || !parsed.expires || !parsed.accountId) throw new Error(`Keychain payload for account ${accountId} is missing required fields.`);
+	return parsed;
+};
+const deleteKeychainPayload = (accountId) => {
+	runSecurity([
+		"delete-generic-password",
+		"-s",
+		getKeychainService(accountId)
+	]);
+};
+const keychainPayloadExists = (accountId) => {
+	return runSecuritySafe([
+		"find-generic-password",
+		"-s",
+		getKeychainService(accountId)
+	]).success;
+};
+const listKeychainAccounts = () => {
+	const result = Bun.spawnSync({
+		cmd: ["security", "dump-keychain"],
+		stderr: "pipe",
+		stdout: "pipe"
+	});
+	if (result.exitCode !== 0) return [];
+	const output = result.stdout.toString();
+	const accounts = [];
+	const serviceRegex = new RegExp(`"svce"<blob>="${SERVICE_PREFIX}([^"]+)"`, "g");
+	let match;
+	while ((match = serviceRegex.exec(output)) !== null) if (match[1]) accounts.push(match[1]);
+	return [...new Set(accounts)];
+};
+
+//#endregion
+//#region lib/oauth/constants.ts
+const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
+const AUTHORIZE_URL = "https://auth.openai.com/oauth/authorize";
+const TOKEN_URL = "https://auth.openai.com/oauth/token";
+const REDIRECT_URI = "http://localhost:1455/auth/callback";
+const SCOPE = "openid profile email offline_access";
+const CALLBACK_PORT = 1455;
+
+//#endregion
+//#region lib/oauth/auth.ts
+const createState = () => {
+	return randomBytes(16).toString("hex");
+};
+const createAuthorizationFlow = async () => {
+	const pkce = await generatePKCE();
+	const state = createState();
+	const url = new URL(AUTHORIZE_URL);
+	url.searchParams.set("response_type", "code");
+	url.searchParams.set("client_id", CLIENT_ID);
+	url.searchParams.set("redirect_uri", REDIRECT_URI);
+	url.searchParams.set("scope", SCOPE);
+	url.searchParams.set("code_challenge", pkce.challenge);
+	url.searchParams.set("code_challenge_method", "S256");
+	url.searchParams.set("state", state);
+	url.searchParams.set("id_token_add_organizations", "true");
+	url.searchParams.set("codex_cli_simplified_flow", "true");
+	url.searchParams.set("originator", "codex_cli_rs");
+	return {
+		pkce,
+		state,
+		url: url.toString()
+	};
+};
+const exchangeAuthorizationCode = async (code, verifier) => {
+	const res = await fetch(TOKEN_URL, {
+		method: "POST",
+		headers: { "Content-Type": "application/x-www-form-urlencoded" },
+		body: new URLSearchParams({
+			grant_type: "authorization_code",
+			client_id: CLIENT_ID,
+			code,
+			code_verifier: verifier,
+			redirect_uri: REDIRECT_URI
+		})
+	});
+	if (!res.ok) return { type: "failed" };
+	const json = await res.json();
+	if (!json?.access_token || !json?.refresh_token || typeof json?.expires_in !== "number") return { type: "failed" };
+	return {
+		type: "success",
+		access: json.access_token,
+		refresh: json.refresh_token,
+		expires: Date.now() + json.expires_in * 1e3
+	};
+};
+const decodeJWT = (token) => {
+	try {
+		const parts = token.split(".");
+		if (parts.length !== 3) return null;
+		const payload = parts[1];
+		const decoded = Buffer.from(payload, "base64url").toString("utf-8");
+		return JSON.parse(decoded);
+	} catch {
+		return null;
+	}
+};
+const extractAccountId = (accessToken) => {
+	const payload = decodeJWT(accessToken);
+	if (!payload) return null;
+	const authClaim = payload["https://api.openai.com/auth"];
+	if (authClaim?.user_id) return authClaim.user_id;
+	return payload.sub ?? null;
+};
+
+//#endregion
+//#region lib/oauth/server.ts
+const AUTH_TIMEOUT_MS = 300 * 1e3;
+const SUCCESS_HTML = `<!DOCTYPE html>
+<html>
+<head>
+  <title>cdx - Login Successful</title>
+  <style>
+    body { font-family: system-ui, sans-serif; display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0; background: #1a1a1a; color: #fff; }
+    .container { text-align: center; padding: 2rem; }
+    h1 { color: #10b981; margin-bottom: 1rem; }
+    p { color: #9ca3af; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <h1>Login Successful!</h1>
+    <p>You can close this window and return to the terminal.</p>
+  </div>
+</body>
+</html>`;
+const startOAuthServer = (state) => {
+	let resolveCode = null;
+	let hasResolved = false;
+	const codePromise = new Promise((resolve) => {
+		resolveCode = resolve;
+	});
+	let server;
+	const finalize = (result) => {
+		if (hasResolved) return;
+		hasResolved = true;
+		if (resolveCode) resolveCode(result);
+		try {
+			server.close();
+		} catch {}
+	};
+	server = http.createServer((req, res) => {
+		try {
+			const url = new URL(req.url || "", "http://localhost");
+			if (url.pathname !== "/auth/callback") {
+				res.statusCode = 404;
+				res.end("Not found");
+				return;
+			}
+			if (url.searchParams.get("state") !== state) {
+				res.statusCode = 400;
+				res.end("State mismatch");
+				finalize(null);
+				return;
+			}
+			const code = url.searchParams.get("code");
+			if (!code) {
+				res.statusCode = 400;
+				res.end("Missing authorization code");
+				finalize(null);
+				return;
+			}
+			res.statusCode = 200;
+			res.setHeader("Content-Type", "text/html; charset=utf-8");
+			res.end(SUCCESS_HTML);
+			finalize({ code });
+		} catch {
+			res.statusCode = 500;
+			res.end("Internal error");
+			finalize(null);
+		}
+	});
+	return new Promise((resolve) => {
+		server.listen(CALLBACK_PORT, "127.0.0.1", () => {
+			const timeout = setTimeout(() => finalize(null), AUTH_TIMEOUT_MS);
+			resolve({
+				port: CALLBACK_PORT,
+				ready: true,
+				close: () => {
+					clearTimeout(timeout);
+					server.close();
+				},
+				waitForCode: () => codePromise
+			});
+		}).on("error", () => {
+			resolve({
+				port: CALLBACK_PORT,
+				ready: false,
+				close: () => {
+					try {
+						server.close();
+					} catch {}
+				},
+				waitForCode: async () => null
+			});
+		});
+	});
+};
+
+//#endregion
+//#region lib/oauth/login.ts
+const openBrowser = (url) => {
+	spawn(process.platform === "darwin" ? "open" : "xdg-open", [url], {
+		detached: true,
+		stdio: "ignore"
+	}).unref();
+};
+const addAccountToConfig = async (accountId, label) => {
+	let config;
+	if (configExists()) {
+		config = await loadConfig();
+		if (!config.accounts.some((a) => a.accountId === accountId)) config.accounts.push({
+			accountId,
+			keychainService: getKeychainService(accountId),
+			...label ? { label } : {}
+		});
+	} else config = {
+		current: 0,
+		accounts: [{
+			accountId,
+			keychainService: getKeychainService(accountId),
+			...label ? { label } : {}
+		}]
+	};
+	await saveConfig(config);
+};
+const performLogin = async () => {
+	p.intro("cdx login - Add OpenAI account");
+	const flow = await createAuthorizationFlow();
+	const server = await startOAuthServer(flow.state);
+	if (!server.ready) {
+		p.log.error("Failed to start local server on port 1455.");
+		p.log.info("Please ensure the port is not in use.");
+		return null;
+	}
+	const spinner = p.spinner();
+	p.log.info("Opening browser for authentication...");
+	openBrowser(flow.url);
+	spinner.start("Waiting for authentication...");
+	const result = await server.waitForCode();
+	server.close();
+	if (!result) {
+		spinner.stop("Authentication timed out or failed.");
+		return null;
+	}
+	spinner.message("Exchanging authorization code...");
+	const tokenResult = await exchangeAuthorizationCode(result.code, flow.pkce.verifier);
+	if (tokenResult.type === "failed") {
+		spinner.stop("Failed to exchange authorization code.");
+		return null;
+	}
+	const accountId = extractAccountId(tokenResult.access);
+	if (!accountId) {
+		spinner.stop("Failed to extract account ID from token.");
+		return null;
+	}
+	spinner.message("Saving credentials...");
+	saveKeychainPayload(accountId, {
+		refresh: tokenResult.refresh,
+		access: tokenResult.access,
+		expires: tokenResult.expires,
+		accountId
+	});
+	spinner.stop("Login successful!");
+	const labelInput = await p.text({
+		message: "Enter a label for this account (or press Enter to skip):",
+		placeholder: "e.g. Work, Personal"
+	});
+	const label = !p.isCancel(labelInput) && labelInput?.trim() ? labelInput.trim() : void 0;
+	await addAccountToConfig(accountId, label);
+	const displayName = label ?? accountId;
+	p.log.success(`Account "${displayName}" saved to Keychain and config.`);
+	p.outro("You can now use 'cdx switch' to activate this account.");
+	return { accountId };
+};
+
+//#endregion
+//#region lib/interactive.ts
+const getAccountDisplay = (accountId, isCurrent, label) => {
+	const name = label ? `${label} (${accountId})` : accountId;
+	return isCurrent ? `${name} (current)` : name;
+};
+const handleListAccounts = async () => {
+	if (!configExists()) {
+		p.log.warning("No accounts configured. Use 'Add account' to get started.");
+		return;
+	}
+	const config = await loadConfig();
+	const currentAccountId = config.accounts[config.current]?.accountId;
+	p.log.info("Configured accounts:");
+	for (const account of config.accounts) {
+		const marker = account.accountId === currentAccountId ? "→ " : "  ";
+		const displayName = account.label ? `${account.label} (${account.accountId})` : account.accountId;
+		const status = keychainPayloadExists(account.accountId) ? "" : " (missing credentials)";
+		p.log.message(`${marker}${displayName}${status}`);
+	}
+};
+const handleSwitchAccount = async () => {
+	if (!configExists()) {
+		p.log.warning("No accounts configured. Use 'Add account' first.");
+		return;
+	}
+	const config = await loadConfig();
+	if (config.accounts.length === 0) {
+		p.log.warning("No accounts found. Use 'Add account' first.");
+		return;
+	}
+	if (config.accounts.length === 1) {
+		p.log.info("Only one account configured. Nothing to switch.");
+		return;
+	}
+	const currentAccountId = config.accounts[config.current]?.accountId;
+	const options = config.accounts.map((account, index) => ({
+		value: index,
+		label: getAccountDisplay(account.accountId, account.accountId === currentAccountId, account.label)
+	}));
+	const selected = await p.select({
+		message: "Select account to activate:",
+		options
+	});
+	if (p.isCancel(selected)) {
+		p.log.info("Cancelled.");
+		return;
+	}
+	const selectedAccount = config.accounts[selected];
+	if (!selectedAccount) {
+		p.log.error("Invalid selection.");
+		return;
+	}
+	await writeAuthFile(loadKeychainPayload(selectedAccount.accountId));
+	config.current = selected;
+	await saveConfig(config);
+	const displayName = selectedAccount.label ?? selectedAccount.accountId;
+	p.log.success(`Switched to account ${displayName}`);
+};
+const handleAddAccount = async () => {
+	await performLogin();
+};
+const handleRemoveAccount = async () => {
+	if (!configExists()) {
+		p.log.warning("No accounts configured.");
+		return;
+	}
+	const config = await loadConfig();
+	if (config.accounts.length === 0) {
+		p.log.warning("No accounts to remove.");
+		return;
+	}
+	const currentAccountId = config.accounts[config.current]?.accountId;
+	const options = config.accounts.map((account) => ({
+		value: account.accountId,
+		label: getAccountDisplay(account.accountId, account.accountId === currentAccountId, account.label)
+	}));
+	const selected = await p.select({
+		message: "Select account to remove:",
+		options
+	});
+	if (p.isCancel(selected)) {
+		p.log.info("Cancelled.");
+		return;
+	}
+	const accountId = selected;
+	const confirmed = await p.confirm({
+		message: `Are you sure you want to remove account ${accountId}?`,
+		initialValue: false
+	});
+	if (p.isCancel(confirmed) || !confirmed) {
+		p.log.info("Cancelled.");
+		return;
+	}
+	try {
+		deleteKeychainPayload(accountId);
+	} catch {}
+	const previousAccountId = config.accounts[config.current]?.accountId;
+	config.accounts = config.accounts.filter((a) => a.accountId !== accountId);
+	if (config.accounts.length === 0) config.current = 0;
+	else if (accountId === previousAccountId) config.current = 0;
+	else {
+		const newIndex = config.accounts.findIndex((a) => a.accountId === previousAccountId);
+		config.current = newIndex >= 0 ? newIndex : 0;
+	}
+	await saveConfig(config);
+	p.log.success(`Removed account ${accountId}`);
+};
+const handleLabelAccount = async () => {
+	if (!configExists()) {
+		p.log.warning("No accounts configured.");
+		return;
+	}
+	const config = await loadConfig();
+	if (config.accounts.length === 0) {
+		p.log.warning("No accounts to label.");
+		return;
+	}
+	const currentAccountId = config.accounts[config.current]?.accountId;
+	const options = config.accounts.map((account) => ({
+		value: account.accountId,
+		label: getAccountDisplay(account.accountId, account.accountId === currentAccountId, account.label)
+	}));
+	const selected = await p.select({
+		message: "Select account to label:",
+		options
+	});
+	if (p.isCancel(selected)) {
+		p.log.info("Cancelled.");
+		return;
+	}
+	const accountId = selected;
+	const account = config.accounts.find((a) => a.accountId === accountId);
+	const labelInput = await p.text({
+		message: "Enter new label (or leave empty to remove label):",
+		placeholder: "e.g. Work, Personal",
+		initialValue: account?.label ?? ""
+	});
+	if (p.isCancel(labelInput)) {
+		p.log.info("Cancelled.");
+		return;
+	}
+	const newLabel = labelInput?.trim() || void 0;
+	const target = config.accounts.find((a) => a.accountId === accountId);
+	if (target) target.label = newLabel;
+	await saveConfig(config);
+	if (newLabel) p.log.success(`Account ${accountId} labeled as "${newLabel}".`);
+	else p.log.success(`Label removed from account ${accountId}.`);
+};
+const runInteractiveMode = async () => {
+	p.intro("cdx - OpenAI Account Switcher");
+	let running = true;
+	while (running) {
+		const keychainAccounts = listKeychainAccounts();
+		let currentInfo = "";
+		if (configExists()) try {
+			const config = await loadConfig();
+			const current = config.accounts[config.current];
+			if (current) currentInfo = ` (current: ${current.label ?? current.accountId})`;
+		} catch {}
+		const action = await p.select({
+			message: `What would you like to do?${currentInfo}`,
+			options: [
+				{
+					value: "list",
+					label: `List accounts (${keychainAccounts.length} in Keychain)`
+				},
+				{
+					value: "switch",
+					label: "Switch account"
+				},
+				{
+					value: "add",
+					label: "Add account (OAuth login)"
+				},
+				{
+					value: "remove",
+					label: "Remove account"
+				},
+				{
+					value: "label",
+					label: "Label account"
+				},
+				{
+					value: "exit",
+					label: "Exit"
+				}
+			]
+		});
+		if (p.isCancel(action)) {
+			running = false;
+			continue;
+		}
+		switch (action) {
+			case "list":
+				await handleListAccounts();
+				break;
+			case "switch":
+				await handleSwitchAccount();
+				break;
+			case "add":
+				await handleAddAccount();
+				break;
+			case "remove":
+				await handleRemoveAccount();
+				break;
+			case "label":
+				await handleLabelAccount();
+				break;
+			case "exit":
+				running = false;
+				break;
+		}
+		if (running && action !== "exit") p.log.message("");
+	}
+	p.outro("Goodbye!");
+};
+
+//#endregion
+//#region cdx.ts
+const switchNext = async () => {
+	const config = await loadConfig();
+	const nextIndex = (config.current + 1) % config.accounts.length;
+	const nextAccount = config.accounts[nextIndex];
+	if (!nextAccount?.accountId) throw new Error("Account entry missing accountId.");
+	const payload = loadKeychainPayload(nextAccount.accountId);
+	await writeAuthFile(payload);
+	config.current = nextIndex;
+	await saveConfig(config);
+	const displayName = nextAccount.label ?? payload.accountId;
+	process.stdout.write(`Switched to account ${displayName}\n`);
+};
+const switchToAccount = async (identifier) => {
+	const config = await loadConfig();
+	const index = config.accounts.findIndex((a) => a.accountId === identifier || a.label === identifier);
+	if (index === -1) throw new Error(`Account "${identifier}" not found. Use 'cdx login' to add it.`);
+	const account = config.accounts[index];
+	await writeAuthFile(loadKeychainPayload(account.accountId));
+	config.current = index;
+	await saveConfig(config);
+	const displayName = account.label ?? account.accountId;
+	process.stdout.write(`Switched to account ${displayName}\n`);
+};
+const interactiveMode = runInteractiveMode;
+const createProgram = (deps = {}) => {
+	const program = new Command();
+	const runLogin = deps.performLogin ?? performLogin;
+	program.name("cdx").description("OpenAI account switcher - manage multiple OpenAI Pro subscriptions").version(projectVersion, "-v, --version");
+	program.command("login").description("Add a new OpenAI account via OAuth").action(async () => {
+		try {
+			if (!await runLogin()) {
+				process.stderr.write("Login failed.\n");
+				process.exit(1);
+			}
+		} catch (error) {
+			const message = error instanceof Error ? error.message : String(error);
+			process.stderr.write(`${message}\n`);
+			process.exit(1);
+		}
+	});
+	program.command("switch").description("Switch OpenAI account (interactive picker, by name, or --next)").argument("[account-id]", "Account ID to switch to directly").option("-n, --next", "Cycle to the next configured account").action(async (accountId, options) => {
+		try {
+			if (options.next) await switchNext();
+			else if (accountId) await switchToAccount(accountId);
+			else await handleSwitchAccount();
+		} catch (error) {
+			const message = error instanceof Error ? error.message : String(error);
+			process.stderr.write(`${message}\n`);
+			process.exit(1);
+		}
+	});
+	program.command("label").description("Add or change label for an account").argument("[account]", "Account ID or current label to relabel").argument("[new-label]", "New label to assign").action(async (account, newLabel) => {
+		try {
+			if (account && newLabel) {
+				const config = await loadConfig();
+				const target = config.accounts.find((a) => a.accountId === account || a.label === account);
+				if (!target) throw new Error(`Account "${account}" not found. Use 'cdx login' to add it.`);
+				target.label = newLabel;
+				await saveConfig(config);
+				process.stdout.write(`Account ${target.accountId} labeled as "${newLabel}".\n`);
+			} else await handleLabelAccount();
+		} catch (error) {
+			const message = error instanceof Error ? error.message : String(error);
+			process.stderr.write(`${message}\n`);
+			process.exit(1);
+		}
+	});
+	program.command("version").description("Show CLI version").action(() => {
+		process.stdout.write(`${projectVersion}\n`);
+	});
+	program.action(async () => {
+		try {
+			await interactiveMode();
+		} catch (error) {
+			const message = error instanceof Error ? error.message : String(error);
+			process.stderr.write(`${message}\n`);
+			process.exit(1);
+		}
+	});
+	return program;
+};
+const main = async () => {
+	await createProgram().parseAsync(process.argv);
+};
+main().catch((error) => {
+	const message = error instanceof Error ? error.message : String(error);
+	process.stderr.write(`${message}\n`);
+	process.exit(1);
+});
+
+//#endregion
+export { createProgram, createTestPaths, getPaths, interactiveMode, loadConfig, resetPaths, runInteractiveMode, saveConfig, setPaths, switchNext, switchToAccount, writeAuthFile };

package/package.json

@@ -0,0 +1,28 @@
+{
+  "name": "@bjesuiter/codex-switcher",
+  "version": "1.0.0",
+  "type": "module",
+  "description": "CLI tool to switch between multiple OpenAI accounts for OpenCode",
+  "bin": {
+    "cdx": "cdx.mjs"
+  },
+  "keywords": [
+    "openai",
+    "opencode",
+    "codex",
+    "account-switcher",
+    "cli"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/bjesuiter/codex-switcher.git"
+  },
+  "license": "MIT",
+  "author": "bjesuiter",
+  "dependencies": {
+    "@clack/prompts": "^0.11.0",
+    "@openauthjs/openauth": "^0.4.3",
+    "commander": "^14.0.2",
+    "project-version": "^2.0.0"
+  }
+}