npm - @bjesuiter/codex-switcher - Versions diffs - 1.2.0 → 1.4.0 - Mend

@bjesuiter/codex-switcher 1.2.0 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/cdx.mjs CHANGED Viewed

@@ -1,35 +1,101 @@
 #!/usr/bin/env bun
 import { Command } from "commander";
+import * as p from "@clack/prompts";
 import { existsSync } from "node:fs";
 import { mkdir, readFile, rm, writeFile } from "node:fs/promises";
 import path from "node:path";
 import os from "node:os";
-import * as p from "@clack/prompts";
 import { spawn } from "node:child_process";
+import { deletePassword, getPassword, listBackends, setPassword, useBackend } from "cross-keychain";
+import { createInterface } from "node:readline/promises";
 import { generatePKCE } from "@openauthjs/openauth/pkce";
 import { randomBytes } from "node:crypto";
 import http from "node:http";
 //#region package.json
-var version = "1.2.0";
+var version = "1.4.0";
+//#endregion
+//#region lib/commands/errors.ts
+const exitWithCommandError = (error) => {
+	const message = error instanceof Error ? error.message : String(error);
+	process.stderr.write(`${message}\n`);
+	process.exit(1);
+};
+//#endregion
+//#region lib/platform/path-resolver.ts
+const envValue = (env, key) => {
+	const value = env[key];
+	if (!value) return void 0;
+	const trimmed = value.trim();
+	return trimmed.length > 0 ? trimmed : void 0;
+};
+const resolvePiAuthPath = (env, homeDir, platform) => {
+	const piAgentDir = envValue(env, "PI_CODING_AGENT_DIR");
+	if (piAgentDir) return platform === "win32" ? path.win32.join(piAgentDir, "auth.json") : path.join(piAgentDir, "auth.json");
+	return platform === "win32" ? path.win32.join(homeDir, ".pi", "agent", "auth.json") : path.join(homeDir, ".pi", "agent", "auth.json");
+};
+const resolveXdgPaths = (env, homeDir, platform) => {
+	const configHome = envValue(env, "XDG_CONFIG_HOME") ?? path.join(homeDir, ".config");
+	const dataHome = envValue(env, "XDG_DATA_HOME") ?? path.join(homeDir, ".local", "share");
+	const configDir = path.join(configHome, "cdx");
+	return {
+		profile: "xdg",
+		configDir,
+		configPath: path.join(configDir, "accounts.json"),
+		authPath: path.join(dataHome, "opencode", "auth.json"),
+		codexAuthPath: path.join(homeDir, ".codex", "auth.json"),
+		piAuthPath: resolvePiAuthPath(env, homeDir, platform)
+	};
+};
+const resolveWindowsPaths = (env, homeDir) => {
+	const winPath = path.win32;
+	const appData = envValue(env, "APPDATA") ?? winPath.join(homeDir, "AppData", "Roaming");
+	const localAppData = envValue(env, "LOCALAPPDATA") ?? winPath.join(homeDir, "AppData", "Local");
+	const configDir = winPath.join(appData, "cdx");
+	return {
+		profile: "windows-appdata",
+		configDir,
+		configPath: winPath.join(configDir, "accounts.json"),
+		authPath: winPath.join(localAppData, "opencode", "auth.json"),
+		codexAuthPath: winPath.join(homeDir, ".codex", "auth.json"),
+		piAuthPath: resolvePiAuthPath(env, homeDir, "win32")
+	};
+};
+const resolveRuntimePaths = (input) => {
+	if (input.platform === "win32") return resolveWindowsPaths(input.env, input.homeDir);
+	return resolveXdgPaths(input.env, input.homeDir, input.platform);
+};
 //#endregion
 //#region lib/paths.ts
-const defaultConfigDir = path.join(os.homedir(), ".config", "cdx");
-const resolvePiAuthPath = () => {
-	const piAgentDir = process.env.PI_CODING_AGENT_DIR?.trim();
-	if (piAgentDir) return path.join(piAgentDir, "auth.json");
-	return path.join(os.homedir(), ".pi", "agent", "auth.json");
-};
-const createDefaultPaths = () => ({
-	configDir: defaultConfigDir,
-	configPath: path.join(defaultConfigDir, "accounts.json"),
-	authPath: path.join(os.homedir(), ".local", "share", "opencode", "auth.json"),
-	codexAuthPath: path.join(os.homedir(), ".codex", "auth.json"),
-	piAuthPath: resolvePiAuthPath()
+const toPathConfig = (paths) => ({
+	configDir: paths.configDir,
+	configPath: paths.configPath,
+	authPath: paths.authPath,
+	codexAuthPath: paths.codexAuthPath,
+	piAuthPath: paths.piAuthPath
 });
-let currentPaths = createDefaultPaths();
+const createDefaultPaths = () => {
+	const resolved = resolveRuntimePaths({
+		platform: process.platform,
+		env: process.env,
+		homeDir: os.homedir()
+	});
+	return {
+		paths: toPathConfig(resolved),
+		resolution: {
+			platform: process.platform,
+			profile: resolved.profile
+		}
+	};
+};
+const initial = createDefaultPaths();
+let currentPaths = initial.paths;
+let currentResolution = initial.resolution;
 const getPaths = () => currentPaths;
+const getPathResolutionInfo = () => currentResolution;
 const setPaths = (paths) => {
 	currentPaths = {
 		...currentPaths,
@@ -38,7 +104,9 @@ const setPaths = (paths) => {
 	if (paths.configDir && !paths.configPath) currentPaths.configPath = path.join(paths.configDir, "accounts.json");
 };
 const resetPaths = () => {
-	currentPaths = createDefaultPaths();
+	const next = createDefaultPaths();
+	currentPaths = next.paths;
+	currentResolution = next.resolution;
 };
 const createTestPaths = (testDir) => ({
 	configDir: path.join(testDir, "config"),
@@ -149,11 +217,71 @@ const configExists = () => {
 	return existsSync(configPath);
 };
+//#endregion
+//#region lib/platform/browser.ts
+const getBrowserLauncher = (platform = process.platform, url) => {
+	if (platform === "darwin") return {
+		command: "open",
+		args: [url],
+		label: "open"
+	};
+	if (platform === "win32") return {
+		command: "cmd",
+		args: [
+			"/c",
+			"start",
+			"",
+			url
+		],
+		label: "cmd /c start"
+	};
+	return {
+		command: "xdg-open",
+		args: [url],
+		label: "xdg-open"
+	};
+};
+const isCommandAvailable = (command, platform = process.platform) => {
+	const probe = platform === "win32" ? "where" : "which";
+	return Bun.spawnSync({
+		cmd: [probe, command],
+		stdout: "pipe",
+		stderr: "pipe"
+	}).exitCode === 0;
+};
+const getBrowserLauncherCapability = (platform = process.platform) => {
+	const launcher = getBrowserLauncher(platform, "https://example.com");
+	return {
+		command: launcher.command,
+		label: launcher.label,
+		available: isCommandAvailable(launcher.command, platform)
+	};
+};
+const openBrowserUrl = (url, spawnImpl = spawn) => {
+	const launcher = getBrowserLauncher(process.platform, url);
+	try {
+		spawnImpl(launcher.command, launcher.args, {
+			detached: true,
+			stdio: "ignore"
+		}).unref();
+		return {
+			ok: true,
+			launcher
+		};
+	} catch (error) {
+		return {
+			ok: false,
+			launcher,
+			error: error instanceof Error ? error.message : String(error)
+		};
+	}
+};
 //#endregion
 //#region lib/keychain.ts
-const SERVICE_PREFIX = "cdx-openai-";
+const SERVICE_PREFIX$2 = "cdx-openai-";
 const getKeychainService = (accountId) => {
-	return `${SERVICE_PREFIX}${accountId}`;
+	return `${SERVICE_PREFIX$2}${accountId}`;
 };
 const runSecurity = (args) => {
 	const result = Bun.spawnSync({
@@ -225,12 +353,300 @@ const listKeychainAccounts = () => {
 	if (result.exitCode !== 0) return [];
 	const output = result.stdout.toString();
 	const accounts = [];
-	const serviceRegex = new RegExp(`"svce"<blob>="${SERVICE_PREFIX}([^"]+)"`, "g");
+	const serviceRegex = new RegExp(`"svce"<blob>="${SERVICE_PREFIX$2}([^"]+)"`, "g");
 	let match;
 	while ((match = serviceRegex.exec(output)) !== null) if (match[1]) accounts.push(match[1]);
 	return [...new Set(accounts)];
 };
+//#endregion
+//#region lib/secrets/fallback-consent.ts
+const CONSENT_FILE = "secure-store-fallback-consent.json";
+const CONSENT_ENV_BYPASS = "CDX_ALLOW_SECURE_STORE_FALLBACK";
+const isBypassEnabled = () => {
+	const value = process.env[CONSENT_ENV_BYPASS];
+	if (!value) return false;
+	return [
+		"1",
+		"true",
+		"yes",
+		"y"
+	].includes(value.trim().toLowerCase());
+};
+const consentFilePath = () => path.join(getPaths().configDir, CONSENT_FILE);
+const loadConsentMap = async () => {
+	try {
+		const raw = await readFile(consentFilePath(), "utf8");
+		return JSON.parse(raw).accepted ?? {};
+	} catch {
+		return {};
+	}
+};
+const saveConsentMap = async (accepted) => {
+	const { configDir } = getPaths();
+	await mkdir(configDir, { recursive: true });
+	const payload = { accepted };
+	await writeFile(consentFilePath(), JSON.stringify(payload, null, 2), "utf8");
+};
+const promptConsent = async (message) => {
+	if (!process.stdin.isTTY || !process.stdout.isTTY) return false;
+	process.stdout.write(`\n${message}\n\n`);
+	const rl = createInterface({
+		input: process.stdin,
+		output: process.stdout
+	});
+	try {
+		const normalized = (await rl.question("Do you want to continue with this fallback? [y/N]: ")).trim().toLowerCase();
+		return normalized === "y" || normalized === "yes";
+	} finally {
+		rl.close();
+	}
+};
+const ensureFallbackConsent = async (scope, warningMessage) => {
+	if (isBypassEnabled()) return;
+	const accepted = await loadConsentMap();
+	if (accepted[scope]) return;
+	if (!await promptConsent(warningMessage)) throw new Error(`Secure-store fallback usage was not approved for '${scope}'. Re-run in an interactive terminal to confirm, or set ${CONSENT_ENV_BYPASS}=1 if you accept the fallback risk.`);
+	accepted[scope] = { acceptedAt: (/* @__PURE__ */ new Date()).toISOString() };
+	await saveConsentMap(accepted);
+};
+//#endregion
+//#region lib/secrets/linux-cross-keychain.ts
+const SERVICE_PREFIX$1 = "cdx-openai-";
+const LINUX_FALLBACK_SCOPE = "linux:cross-keychain:secret-service";
+let backendInitPromise$1 = null;
+let selectedBackend$1 = null;
+const tryUseBackend$1 = async (backendId) => {
+	try {
+		await useBackend(backendId);
+		return true;
+	} catch {
+		return false;
+	}
+};
+const selectBackend$1 = async () => {
+	const backends = await listBackends();
+	const available = new Set(backends.map((backend) => backend.id));
+	if (available.has("native-linux") && await tryUseBackend$1("native-linux")) return "native-linux";
+	if (available.has("secret-service") && await tryUseBackend$1("secret-service")) return "secret-service";
+	if (await tryUseBackend$1("native-linux")) return "native-linux";
+	if (await tryUseBackend$1("secret-service")) return "secret-service";
+	throw new Error("Unable to initialize Linux secure-store backend via cross-keychain.");
+};
+const ensureLinuxBackend = async (options = {}) => {
+	if (!backendInitPromise$1) backendInitPromise$1 = (async () => {
+		selectedBackend$1 = await selectBackend$1();
+	})();
+	try {
+		await backendInitPromise$1;
+	} catch {
+		backendInitPromise$1 = null;
+		selectedBackend$1 = null;
+		throw new Error("Unable to initialize Linux secure-store backend via cross-keychain.");
+	}
+	if (options.forWrite && selectedBackend$1 === "secret-service") await ensureFallbackConsent(LINUX_FALLBACK_SCOPE, "⚠ Security warning: only the cross-keychain Linux fallback backend is available.\nThis path relies on shell-based `secret-tool` operations for Secret Service access.\nCompared to native bindings, secrets may be more exposed to process inspection/logging while helper commands run.");
+};
+const getLinuxCrossKeychainService = (accountId) => `${SERVICE_PREFIX$1}${accountId}`;
+const parsePayload$1 = (accountId, raw) => {
+	let parsed;
+	try {
+		parsed = JSON.parse(raw);
+	} catch {
+		throw new Error(`Stored credential payload for account ${accountId} is not valid JSON.`);
+	}
+	if (!parsed.refresh || !parsed.access || !parsed.expires || !parsed.accountId) throw new Error(`Stored credential payload for account ${accountId} is missing required fields.`);
+	return parsed;
+};
+const withService$1 = async (accountId, run, options = {}) => {
+	await ensureLinuxBackend(options);
+	return run(getLinuxCrossKeychainService(accountId));
+};
+const saveLinuxCrossKeychainPayload = async (accountId, payload) => withService$1(accountId, (service) => setPassword(service, accountId, JSON.stringify(payload)), { forWrite: true });
+const loadLinuxCrossKeychainPayload = async (accountId) => {
+	const raw = await withService$1(accountId, (service) => getPassword(service, accountId));
+	if (raw === null) throw new Error(`No stored credentials found for account ${accountId}.`);
+	return parsePayload$1(accountId, raw);
+};
+const deleteLinuxCrossKeychainPayload = async (accountId) => withService$1(accountId, (service) => deletePassword(service, accountId));
+const linuxCrossKeychainPayloadExists = async (accountId) => withService$1(accountId, async (service) => await getPassword(service, accountId) !== null);
+//#endregion
+//#region lib/secrets/windows-cross-keychain.ts
+const SERVICE_PREFIX = "cdx-openai-";
+const WINDOWS_FALLBACK_SCOPE = "win32:cross-keychain:windows";
+let backendInitPromise = null;
+let selectedBackend = null;
+const tryUseBackend = async (backendId) => {
+	try {
+		await useBackend(backendId);
+		return true;
+	} catch {
+		return false;
+	}
+};
+const selectBackend = async () => {
+	const backends = await listBackends();
+	const available = new Set(backends.map((backend) => backend.id));
+	if (available.has("native-windows") && await tryUseBackend("native-windows")) return "native-windows";
+	if (available.has("windows") && await tryUseBackend("windows")) return "windows";
+	if (await tryUseBackend("native-windows")) return "native-windows";
+	if (await tryUseBackend("windows")) return "windows";
+	throw new Error("Unable to initialize Windows credential backend via cross-keychain.");
+};
+const ensureWindowsBackend = async (options = {}) => {
+	if (!backendInitPromise) backendInitPromise = (async () => {
+		selectedBackend = await selectBackend();
+	})();
+	try {
+		await backendInitPromise;
+	} catch {
+		backendInitPromise = null;
+		selectedBackend = null;
+		throw new Error("Unable to initialize Windows credential backend via cross-keychain.");
+	}
+	if (options.forWrite && selectedBackend === "windows") await ensureFallbackConsent(WINDOWS_FALLBACK_SCOPE, "⚠ Security warning: only the cross-keychain Windows fallback backend is available.\nThis path runs a PowerShell helper to access Windows Credential Manager.\nCompared to native bindings, secrets may be more exposed to process inspection/logging while the helper runs.");
+};
+const getWindowsCrossKeychainService = (accountId) => `${SERVICE_PREFIX}${accountId}`;
+const parsePayload = (accountId, raw) => {
+	let parsed;
+	try {
+		parsed = JSON.parse(raw);
+	} catch {
+		throw new Error(`Stored credential payload for account ${accountId} is not valid JSON.`);
+	}
+	if (!parsed.refresh || !parsed.access || !parsed.expires || !parsed.accountId) throw new Error(`Stored credential payload for account ${accountId} is missing required fields.`);
+	return parsed;
+};
+const withService = async (accountId, run, options = {}) => {
+	await ensureWindowsBackend(options);
+	return run(getWindowsCrossKeychainService(accountId));
+};
+const saveWindowsCrossKeychainPayload = async (accountId, payload) => withService(accountId, (service) => setPassword(service, accountId, JSON.stringify(payload)), { forWrite: true });
+const loadWindowsCrossKeychainPayload = async (accountId) => {
+	const raw = await withService(accountId, (service) => getPassword(service, accountId));
+	if (raw === null) throw new Error(`No stored credentials found for account ${accountId}.`);
+	return parsePayload(accountId, raw);
+};
+const deleteWindowsCrossKeychainPayload = async (accountId) => withService(accountId, (service) => deletePassword(service, accountId));
+const windowsCrossKeychainPayloadExists = async (accountId) => withService(accountId, async (service) => await getPassword(service, accountId) !== null);
+//#endregion
+//#region lib/secrets/store.ts
+const MAC_FALLBACK_SCOPE = "darwin:security-cli";
+let macNativeStoreOptionPromise = null;
+const unsupportedError = (platform) => /* @__PURE__ */ new Error(`No default secret store adapter configured for platform '${platform}'. Only macOS, Windows, and Linux adapters are wired by default right now.`);
+const hasNativeMacStoreOption = async () => {
+	if (!macNativeStoreOptionPromise) macNativeStoreOptionPromise = (async () => {
+		try {
+			return (await listBackends()).some((backend) => backend.id === "native-macos");
+		} catch {
+			return false;
+		}
+	})();
+	return macNativeStoreOptionPromise;
+};
+const ensureMacFallbackConsentIfNeeded = async () => {
+	if (await hasNativeMacStoreOption()) return;
+	await ensureFallbackConsent(MAC_FALLBACK_SCOPE, "⚠ Security warning: only the macOS CLI secure-store path is available.\nThis path uses the `security` command to access Keychain.\nCompared to native bindings, secrets may be more exposed to process inspection/logging while CLI commands run.");
+};
+const createMacOSKeychainAdapter = () => ({
+	id: "macos-keychain",
+	label: "macOS Keychain",
+	getServiceName: getKeychainService,
+	save: async (accountId, payload) => {
+		await ensureMacFallbackConsentIfNeeded();
+		saveKeychainPayload(accountId, payload);
+	},
+	load: async (accountId) => loadKeychainPayload(accountId),
+	delete: async (accountId) => deleteKeychainPayload(accountId),
+	exists: async (accountId) => keychainPayloadExists(accountId),
+	listAccountIds: async () => listKeychainAccounts(),
+	getCapability: () => ({ available: true })
+});
+const loadConfiguredAccountIds = async () => {
+	if (!configExists()) return [];
+	return (await loadConfig()).accounts.map((account) => account.accountId);
+};
+const createWindowsCrossKeychainAdapter = () => ({
+	id: "windows-cross-keychain",
+	label: "Windows Credential Manager (cross-keychain)",
+	getServiceName: getWindowsCrossKeychainService,
+	save: saveWindowsCrossKeychainPayload,
+	load: loadWindowsCrossKeychainPayload,
+	delete: deleteWindowsCrossKeychainPayload,
+	exists: windowsCrossKeychainPayloadExists,
+	listAccountIds: async () => {
+		const accountIds = await loadConfiguredAccountIds();
+		return (await Promise.all(accountIds.map(async (accountId) => ({
+			accountId,
+			exists: await windowsCrossKeychainPayloadExists(accountId)
+		})))).filter((item) => item.exists).map((item) => item.accountId);
+	},
+	getCapability: () => ({ available: true })
+});
+const createLinuxCrossKeychainAdapter = () => ({
+	id: "linux-cross-keychain",
+	label: "Linux Secret Service (cross-keychain)",
+	getServiceName: getLinuxCrossKeychainService,
+	save: saveLinuxCrossKeychainPayload,
+	load: loadLinuxCrossKeychainPayload,
+	delete: deleteLinuxCrossKeychainPayload,
+	exists: linuxCrossKeychainPayloadExists,
+	listAccountIds: async () => {
+		const accountIds = await loadConfiguredAccountIds();
+		return (await Promise.all(accountIds.map(async (accountId) => ({
+			accountId,
+			exists: await linuxCrossKeychainPayloadExists(accountId)
+		})))).filter((item) => item.exists).map((item) => item.accountId);
+	},
+	getCapability: () => ({ available: true })
+});
+const createUnsupportedAdapter = (platform) => ({
+	id: "unsupported",
+	label: "Unsupported (no adapter configured)",
+	getServiceName: (accountId) => `cdx-openai-${accountId}`,
+	save: async () => {
+		throw unsupportedError(platform);
+	},
+	load: async () => {
+		throw unsupportedError(platform);
+	},
+	delete: async () => {
+		throw unsupportedError(platform);
+	},
+	exists: async () => false,
+	listAccountIds: async () => [],
+	getCapability: () => ({
+		available: false,
+		reason: "No default secure-store adapter available for this platform."
+	})
+});
+const createRuntimeSecretStoreAdapter = (platform = process.platform) => {
+	if (platform === "darwin") return createMacOSKeychainAdapter();
+	if (platform === "win32") return createWindowsCrossKeychainAdapter();
+	if (platform === "linux") return createLinuxCrossKeychainAdapter();
+	return createUnsupportedAdapter(platform);
+};
+let currentSecretStoreAdapter = createRuntimeSecretStoreAdapter();
+const getSecretStoreAdapter = () => currentSecretStoreAdapter;
+const setSecretStoreAdapter = (adapter) => {
+	currentSecretStoreAdapter = adapter;
+};
+const resetSecretStoreAdapter = () => {
+	currentSecretStoreAdapter = createRuntimeSecretStoreAdapter();
+};
+const getSecretStoreCapability = () => {
+	const adapter = getSecretStoreAdapter();
+	const capability = adapter.getCapability();
+	return {
+		id: adapter.id,
+		label: adapter.label,
+		available: capability.available,
+		...capability.reason ? { reason: capability.reason } : {}
+	};
+};
 //#endregion
 //#region lib/oauth/constants.ts
 const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
@@ -429,83 +845,101 @@ const startOAuthServer = (state) => {
 //#endregion
 //#region lib/oauth/login.ts
 const openBrowser = (url) => {
-	spawn(process.platform === "darwin" ? "open" : "xdg-open", [url], {
-		detached: true,
-		stdio: "ignore"
-	}).unref();
+	const result = openBrowserUrl(url);
+	if (!result.ok) {
+		const msg = result.error ?? "unknown error";
+		p.log.warning(`Could not auto-open browser via ${result.launcher.label} (${msg}).`);
+	}
 };
 const addAccountToConfig = async (accountId, label) => {
 	let config;
+	const secretStore = getSecretStoreAdapter();
 	if (configExists()) {
 		config = await loadConfig();
 		if (!config.accounts.some((a) => a.accountId === accountId)) config.accounts.push({
 			accountId,
-			keychainService: getKeychainService(accountId),
+			keychainService: secretStore.getServiceName(accountId),
 			...label ? { label } : {}
 		});
 	} else config = {
 		current: 0,
 		accounts: [{
 			accountId,
-			keychainService: getKeychainService(accountId),
+			keychainService: secretStore.getServiceName(accountId),
 			...label ? { label } : {}
 		}]
 	};
 	await saveConfig(config);
 };
-const performRefresh = async (targetAccountId, label) => {
-	const displayName = label ?? targetAccountId;
-	p.log.step(`Refreshing credentials for "${displayName}"...`);
-	let flow;
+const performRefresh = async (targetAccountId, label, options = {}) => {
+	const keepAlive = setInterval(() => {}, 1e3);
 	try {
-		flow = await createAuthorizationFlow();
-	} catch (error) {
-		const msg = error instanceof Error ? error.message : String(error);
-		p.log.error(`Failed to create authorization flow: ${msg}`);
-		return null;
-	}
-	const server = await startOAuthServer(flow.state);
-	if (!server.ready) {
-		p.log.error("Failed to start local server on port 1455.");
-		p.log.info("Please ensure the port is not in use.");
-		return null;
-	}
-	const spinner = p.spinner();
-	p.log.info("Opening browser for authentication...");
-	openBrowser(flow.url);
-	spinner.start("Waiting for authentication...");
-	const result = await server.waitForCode();
-	server.close();
-	if (!result) {
-		spinner.stop("Authentication timed out or failed.");
-		return null;
-	}
-	spinner.message("Exchanging authorization code...");
-	const tokenResult = await exchangeAuthorizationCode(result.code, flow.pkce.verifier);
-	if (tokenResult.type === "failed") {
-		spinner.stop("Failed to exchange authorization code.");
-		return null;
-	}
-	const newAccountId = extractAccountId(tokenResult.access);
-	if (!newAccountId) {
-		spinner.stop("Failed to extract account ID from token.");
-		return null;
-	}
-	if (newAccountId !== targetAccountId) {
-		spinner.stop(`Account mismatch: expected "${targetAccountId}" but got "${newAccountId}". Make sure you log in with the correct OpenAI account.`);
-		return null;
+		const displayName = label ?? targetAccountId;
+		p.log.step(`Re-authenticating account "${displayName}"...`);
+		const useSpinner = options.useSpinner ?? true;
+		let flow;
+		try {
+			flow = await createAuthorizationFlow();
+		} catch (error) {
+			const msg = error instanceof Error ? error.message : String(error);
+			p.log.error(`Failed to create authorization flow: ${msg}`);
+			process.stderr.write(`Failed to create authorization flow: ${msg}\n`);
+			return null;
+		}
+		const server = await startOAuthServer(flow.state);
+		if (!server.ready) {
+			p.log.error("Failed to start local server on port 1455.");
+			p.log.info("Please ensure the port is not in use.");
+			return null;
+		}
+		const spinner = useSpinner ? p.spinner() : null;
+		p.log.info("Opening browser for authentication...");
+		openBrowser(flow.url);
+		p.log.message(`If your browser did not open, paste this URL:\n${flow.url}`);
+		if (spinner) spinner.start("Waiting for authentication...");
+		const result = await server.waitForCode();
+		server.close();
+		if (!result) {
+			if (spinner) spinner.stop("Authentication timed out or failed.");
+			else p.log.warning("Authentication timed out or failed.");
+			return null;
+		}
+		if (spinner) spinner.message("Exchanging authorization code...");
+		else p.log.message("Exchanging authorization code...");
+		const tokenResult = await exchangeAuthorizationCode(result.code, flow.pkce.verifier);
+		if (tokenResult.type === "failed") {
+			if (spinner) spinner.stop("Failed to exchange authorization code.");
+			else p.log.error("Failed to exchange authorization code.");
+			return null;
+		}
+		const newAccountId = extractAccountId(tokenResult.access);
+		if (!newAccountId) {
+			if (spinner) spinner.stop("Failed to extract account ID from token.");
+			else p.log.error("Failed to extract account ID from token.");
+			return null;
+		}
+		if (newAccountId !== targetAccountId) {
+			if (spinner) spinner.stop("Authentication completed for a different account.");
+			else p.log.error("Authentication completed for a different account.");
+			throw new Error(`Account mismatch: expected "${targetAccountId}" but got "${newAccountId}". Make sure you log in with the correct OpenAI account.`);
+		}
+		if (spinner) spinner.message("Updating credentials...");
+		else p.log.message("Updating credentials...");
+		const payload = {
+			refresh: tokenResult.refresh,
+			access: tokenResult.access,
+			expires: tokenResult.expires,
+			accountId: newAccountId,
+			...tokenResult.idToken ? { idToken: tokenResult.idToken } : {}
+		};
+		await getSecretStoreAdapter().save(newAccountId, payload);
+		if (spinner) spinner.stop("Credentials refreshed!");
+		else p.log.success("Credentials refreshed!");
+		p.log.success(`Account "${displayName}" credentials updated in secure store.`);
+		return { accountId: newAccountId };
+	} finally {
+		clearInterval(keepAlive);
 	}
-	spinner.message("Updating credentials...");
-	saveKeychainPayload(newAccountId, {
-		refresh: tokenResult.refresh,
-		access: tokenResult.access,
-		expires: tokenResult.expires,
-		accountId: newAccountId,
-		...tokenResult.idToken ? { idToken: tokenResult.idToken } : {}
-	});
-	spinner.stop("Credentials refreshed!");
-	p.log.success(`Account "${displayName}" credentials updated in Keychain.`);
-	return { accountId: newAccountId };
 };
 const performLogin = async () => {
 	p.intro("cdx login - Add OpenAI account");
@@ -519,6 +953,7 @@ const performLogin = async () => {
 	const spinner = p.spinner();
 	p.log.info("Opening browser for authentication...");
 	openBrowser(flow.url);
+	p.log.message(`If your browser did not open, paste this URL:\n${flow.url}`);
 	spinner.start("Waiting for authentication...");
 	const result = await server.waitForCode();
 	server.close();
@@ -538,13 +973,14 @@ const performLogin = async () => {
 		return null;
 	}
 	spinner.message("Saving credentials...");
-	saveKeychainPayload(accountId, {
+	const payload = {
 		refresh: tokenResult.refresh,
 		access: tokenResult.access,
 		expires: tokenResult.expires,
 		accountId,
 		...tokenResult.idToken ? { idToken: tokenResult.idToken } : {}
-	});
+	};
+	await getSecretStoreAdapter().save(accountId, payload);
 	spinner.stop("Login successful!");
 	const labelInput = await p.text({
 		message: "Enter a label for this account (or press Enter to skip):",
@@ -553,7 +989,7 @@ const performLogin = async () => {
 	const label = !p.isCancel(labelInput) && labelInput?.trim() ? labelInput.trim() : void 0;
 	await addAccountToConfig(accountId, label);
 	const displayName = label ?? accountId;
-	p.log.success(`Account "${displayName}" saved to Keychain and config.`);
+	p.log.success(`Account "${displayName}" saved to secure store and config.`);
 	p.outro("You can now use 'cdx switch' to activate this account.");
 	return { accountId };
 };
@@ -565,7 +1001,19 @@ const writeActiveAuthFilesIfCurrent = async (accountId) => {
 	const config = await loadConfig();
 	const current = config.accounts[config.current];
 	if (!current || current.accountId !== accountId) return null;
-	return writeAllAuthFiles(loadKeychainPayload(accountId));
+	return writeAllAuthFiles(await getSecretStoreAdapter().load(accountId));
+};
+//#endregion
+//#region lib/platform/capabilities.ts
+const getRuntimeCapabilities = () => {
+	const pathResolution = getPathResolutionInfo();
+	return {
+		platform: process.platform,
+		pathProfile: pathResolution.profile,
+		secretStore: getSecretStoreCapability(),
+		browserLauncher: getBrowserLauncherCapability(process.platform)
+	};
 };
 //#endregion
@@ -650,12 +1098,13 @@ const readPiAuthAccount = async () => {
 		};
 	}
 };
-const getAccountStatus = (accountId, isCurrent, label) => {
-	const keychainExists = keychainPayloadExists(accountId);
+const getAccountStatus = async (accountId, isCurrent, label) => {
+	const secretStore = getSecretStoreAdapter();
+	const secureStoreExists = await secretStore.exists(accountId);
 	let expiresAt = null;
 	let hasIdToken = false;
-	if (keychainExists) try {
-		const payload = loadKeychainPayload(accountId);
+	if (secureStoreExists) try {
+		const payload = await secretStore.load(accountId);
 		expiresAt = payload.expires;
 		hasIdToken = !!payload.idToken;
 	} catch {}
@@ -663,7 +1112,7 @@ const getAccountStatus = (accountId, isCurrent, label) => {
 		accountId,
 		label,
 		isCurrent,
-		keychainExists,
+		secureStoreExists,
 		hasIdToken,
 		expiresAt,
 		expiresIn: formatExpiry(expiresAt)
@@ -675,7 +1124,7 @@ const getStatus = async () => {
 		const config = await loadConfig();
 		for (let i = 0; i < config.accounts.length; i++) {
 			const account = config.accounts[i];
-			accounts.push(getAccountStatus(account.accountId, i === config.current, account.label));
+			accounts.push(await getAccountStatus(account.accountId, i === config.current, account.label));
 		}
 	}
 	const [opencodeAuth, codexAuth, piAuth] = await Promise.all([
@@ -687,7 +1136,8 @@ const getStatus = async () => {
 		accounts,
 		opencodeAuth,
 		codexAuth,
-		piAuth
+		piAuth,
+		capabilities: getRuntimeCapabilities()
 	};
 };
@@ -697,6 +1147,20 @@ const getAccountDisplay = (accountId, isCurrent, label) => {
 	const name = label ? `${label} (${accountId})` : accountId;
 	return isCurrent ? `${name} (current)` : name;
 };
+const hasStoredCredentials = async (accountId) => getSecretStoreAdapter().exists(accountId);
+const loadStoredCredentials = async (accountId) => getSecretStoreAdapter().load(accountId);
+const getStoredAccountIds = async () => getSecretStoreAdapter().listAccountIds();
+const removeStoredCredentials = async (accountId) => {
+	await getSecretStoreAdapter().delete(accountId);
+};
+const getRefreshExpiryState = async (accountId) => {
+	if (!await hasStoredCredentials(accountId)) return "unknown [no secure store entry]";
+	try {
+		return formatExpiry((await loadStoredCredentials(accountId)).expires);
+	} catch {
+		return "unknown";
+	}
+};
 const handleListAccounts = async () => {
 	if (!configExists()) {
 		p.log.warning("No accounts configured. Use 'Add account' to get started.");
@@ -708,7 +1172,7 @@ const handleListAccounts = async () => {
 	for (const account of config.accounts) {
 		const marker = account.accountId === currentAccountId ? "→ " : "  ";
 		const displayName = account.label ? `${account.label} (${account.accountId})` : account.accountId;
-		const status = keychainPayloadExists(account.accountId) ? "" : " (missing credentials)";
+		const status = await hasStoredCredentials(account.accountId) ? "" : " (missing credentials)";
 		p.log.message(`${marker}${displayName}${status}`);
 	}
 };
@@ -746,7 +1210,7 @@ const handleSwitchAccount = async () => {
 	}
 	let payload;
 	try {
-		payload = loadKeychainPayload(selectedAccount.accountId);
+		payload = await loadStoredCredentials(selectedAccount.accountId);
 	} catch {
 		p.log.error(`Missing credentials for account ${selectedAccount.label ?? selectedAccount.accountId}. Re-login with 'cdx login'.`);
 		return;
@@ -766,23 +1230,23 @@ const handleSwitchAccount = async () => {
 const handleAddAccount = async () => {
 	await performLogin();
 };
-const handleRefreshAccount = async () => {
+const handleReloginAccount = async () => {
 	if (!configExists()) {
 		p.log.warning("No accounts configured. Use 'Add account' first.");
 		return;
 	}
 	const config = await loadConfig();
 	if (config.accounts.length === 0) {
-		p.log.warning("No accounts to refresh.");
+		p.log.warning("No accounts to re-login.");
 		return;
 	}
 	const currentAccountId = config.accounts[config.current]?.accountId;
-	const options = config.accounts.map((account) => ({
+	const options = await Promise.all(config.accounts.map(async (account) => ({
 		value: account.accountId,
-		label: getAccountDisplay(account.accountId, account.accountId === currentAccountId, account.label)
-	}));
+		label: `${getAccountDisplay(account.accountId, account.accountId === currentAccountId, account.label)} — ${await getRefreshExpiryState(account.accountId)}`
+	})));
 	const selected = await p.select({
-		message: "Select account to refresh:",
+		message: "Select account to re-login:",
 		options
 	});
 	if (p.isCancel(selected)) {
@@ -791,9 +1255,12 @@ const handleRefreshAccount = async () => {
 	}
 	const accountId = selected;
 	const account = config.accounts.find((a) => a.accountId === accountId);
+	const expiryState = await getRefreshExpiryState(accountId);
+	const displayName = account?.label ?? accountId;
+	p.log.info(`Current token status for ${displayName}: ${expiryState}`);
 	try {
-		const result = await performRefresh(accountId, account?.label);
-		if (!result) p.log.warning("Refresh was not completed.");
+		const result = await performRefresh(accountId, account?.label, { useSpinner: false });
+		if (!result) p.log.warning("Re-login was not completed.");
 		else {
 			const authResult = await writeActiveAuthFilesIfCurrent(result.accountId);
 			if (authResult) {
@@ -807,7 +1274,7 @@ const handleRefreshAccount = async () => {
 		}
 	} catch (error) {
 		const msg = error instanceof Error ? error.message : String(error);
-		p.log.error(`Refresh failed: ${msg}`);
+		p.log.error(`Re-login failed: ${msg}`);
 	}
 };
 const handleRemoveAccount = async () => {
@@ -843,7 +1310,7 @@ const handleRemoveAccount = async () => {
 		return;
 	}
 	try {
-		deleteKeychainPayload(accountId);
+		await removeStoredCredentials(accountId);
 	} catch {}
 	const previousAccountId = config.accounts[config.current]?.accountId;
 	config.accounts = config.accounts.filter((a) => a.accountId !== accountId);
@@ -907,9 +1374,9 @@ const handleStatus = async () => {
 	for (const account of status.accounts) {
 		const marker = account.isCurrent ? "→ " : "  ";
 		const name = account.label ? `${account.label} (${account.accountId})` : account.accountId;
-		const keychain = account.keychainExists ? "" : " [no keychain]";
+		const secureStore = account.secureStoreExists ? "" : " [no secure store entry]";
 		const idToken = account.hasIdToken ? "" : " [no id_token]";
-		p.log.message(`${marker}${name} — ${account.expiresIn}${keychain}${idToken}`);
+		p.log.message(`${marker}${name} — ${account.expiresIn}${secureStore}${idToken}`);
 	}
 	const ocStatus = status.opencodeAuth.exists ? `active: ${status.opencodeAuth.accountId ?? "unknown"}` : "not found";
 	const cxStatus = status.codexAuth.exists ? `active: ${status.codexAuth.accountId ?? "unknown"}` : "not found";
@@ -923,7 +1390,7 @@ const runInteractiveMode = async () => {
 	p.intro("cdx - OpenAI Account Switcher");
 	let running = true;
 	while (running) {
-		const keychainAccounts = listKeychainAccounts();
+		const storedAccounts = await getStoredAccountIds();
 		let currentInfo = "";
 		if (configExists()) try {
 			const config = await loadConfig();
@@ -935,7 +1402,7 @@ const runInteractiveMode = async () => {
 			options: [
 				{
 					value: "list",
-					label: `List accounts (${keychainAccounts.length} in Keychain)`
+					label: `List accounts (${storedAccounts.length} in secure store)`
 				},
 				{
 					value: "switch",
@@ -946,8 +1413,8 @@ const runInteractiveMode = async () => {
 					label: "Add account (OAuth login)"
 				},
 				{
-					value: "refresh",
-					label: "Refresh account (re-login)"
+					value: "relogin",
+					label: "Re-login account"
 				},
 				{
 					value: "remove",
@@ -981,8 +1448,8 @@ const runInteractiveMode = async () => {
 			case "add":
 				await handleAddAccount();
 				break;
-			case "refresh":
-				await handleRefreshAccount();
+			case "relogin":
+				await handleReloginAccount();
 				break;
 			case "remove":
 				await handleRemoveAccount();
@@ -1002,6 +1469,167 @@ const runInteractiveMode = async () => {
 	p.outro("Goodbye!");
 };
+//#endregion
+//#region lib/commands/interactive.ts
+const registerDefaultInteractiveAction = (program) => {
+	program.action(async () => {
+		try {
+			await runInteractiveMode();
+		} catch (error) {
+			exitWithCommandError(error);
+		}
+	});
+};
+//#endregion
+//#region lib/commands/doctor.ts
+const registerDoctorCommand = (program) => {
+	program.command("doctor").description("Show auth file paths and runtime capabilities").action(async () => {
+		try {
+			const status = await getStatus();
+			const paths = getPaths();
+			const resolveLabel = (accountId) => {
+				if (!accountId) return "unknown";
+				return status.accounts.find((account) => account.accountId === accountId)?.label ?? accountId;
+			};
+			process.stdout.write("\nAuth files:\n");
+			const ocStatus = status.opencodeAuth.exists ? `active: ${resolveLabel(status.opencodeAuth.accountId)}` : "not found";
+			process.stdout.write(`  OpenCode: ${ocStatus}\n`);
+			process.stdout.write(`    Path: ${paths.authPath}\n`);
+			const cxStatus = status.codexAuth.exists ? `active: ${resolveLabel(status.codexAuth.accountId)}` : "not found";
+			process.stdout.write(`  Codex CLI: ${cxStatus}\n`);
+			process.stdout.write(`    Path: ${paths.codexAuthPath}\n`);
+			const piStatus = status.piAuth.exists ? `active: ${resolveLabel(status.piAuth.accountId)}` : "not found";
+			process.stdout.write(`  Pi Agent: ${piStatus}\n`);
+			process.stdout.write(`    Path: ${paths.piAuthPath}\n`);
+			process.stdout.write("\nCapabilities:\n");
+			process.stdout.write(`  Platform: ${status.capabilities.platform}\n`);
+			process.stdout.write(`  Path profile: ${status.capabilities.pathProfile}\n`);
+			const secretStoreState = status.capabilities.secretStore.available ? "available" : `unavailable${status.capabilities.secretStore.reason ? ` (${status.capabilities.secretStore.reason})` : ""}`;
+			process.stdout.write(`  Secret store: ${status.capabilities.secretStore.label} — ${secretStoreState}\n`);
+			const browserState = status.capabilities.browserLauncher.available ? "available" : "not found";
+			process.stdout.write(`  Browser launcher: ${status.capabilities.browserLauncher.label} — ${browserState}\n`);
+			process.stdout.write("\n");
+		} catch (error) {
+			exitWithCommandError(error);
+		}
+	});
+};
+//#endregion
+//#region lib/commands/help.ts
+const registerHelpCommand = (program) => {
+	program.command("help").description("Show available commands and usage information").argument("[command]", "Show help for a specific command").action((commandName) => {
+		if (commandName) {
+			const command = program.commands.find((entry) => entry.name() === commandName);
+			if (command) {
+				command.outputHelp();
+				return;
+			}
+			process.stderr.write(`Unknown command: ${commandName}\n`);
+			program.outputHelp();
+			process.exit(1);
+		}
+		program.outputHelp();
+	});
+};
+//#endregion
+//#region lib/commands/label.ts
+const registerLabelCommand = (program) => {
+	program.command("label").description("Add or change label for an account").argument("[account]", "Account ID or current label to relabel").argument("[new-label]", "New label to assign").action(async (account, newLabel) => {
+		try {
+			if (account && newLabel) {
+				const config = await loadConfig();
+				const target = config.accounts.find((entry) => entry.accountId === account || entry.label === account);
+				if (!target) throw new Error(`Account "${account}" not found. Use 'cdx login' to add it.`);
+				target.label = newLabel;
+				await saveConfig(config);
+				process.stdout.write(`Account ${target.accountId} labeled as "${newLabel}".\n`);
+				return;
+			}
+			await handleLabelAccount();
+		} catch (error) {
+			exitWithCommandError(error);
+		}
+	});
+};
+//#endregion
+//#region lib/commands/login.ts
+const registerLoginCommand = (program, deps = {}) => {
+	const runLogin = deps.performLogin ?? performLogin;
+	program.command("login").description("Add a new OpenAI account via OAuth").action(async () => {
+		try {
+			if (!await runLogin()) {
+				process.stderr.write("Login failed.\n");
+				process.exit(1);
+			}
+		} catch (error) {
+			exitWithCommandError(error);
+		}
+	});
+};
+//#endregion
+//#region lib/commands/output.ts
+const formatCodexMark = (result) => {
+	if (result.codexWritten) return "✓";
+	if (result.codexCleared) return "⚠ missing id_token (cleared)";
+	return "⚠ missing id_token";
+};
+const writeSwitchSummary = (displayName, result) => {
+	const piMark = result.piWritten ? "✓" : "✗";
+	const codexMark = formatCodexMark(result);
+	process.stdout.write(`Switched to account ${displayName}\n`);
+	process.stdout.write("  OpenCode:  ✓\n");
+	process.stdout.write(`  Pi Agent:  ${piMark}\n`);
+	process.stdout.write(`  Codex CLI: ${codexMark}\n`);
+};
+const writeUpdatedAuthSummary = (result) => {
+	const piMark = result.piWritten ? "✓" : "✗";
+	const codexMark = formatCodexMark(result);
+	process.stdout.write("Updated active auth files:\n");
+	process.stdout.write("  OpenCode:  ✓\n");
+	process.stdout.write(`  Pi Agent:  ${piMark}\n`);
+	process.stdout.write(`  Codex CLI: ${codexMark}\n`);
+};
+//#endregion
+//#region lib/commands/refresh.ts
+const registerReloginCommand = (program) => {
+	program.command("relogin").description("Re-authenticate an existing account with full OAuth login (no duplicate account)").argument("[account]", "Account ID or label to re-login").action(async (account) => {
+		try {
+			if (account) {
+				const target = (await loadConfig()).accounts.find((entry) => entry.accountId === account || entry.label === account);
+				if (!target) throw new Error(`Account "${account}" not found. Use 'cdx login' to add it.`);
+				const displayName = target.label ?? target.accountId;
+				let expiryState = "unknown";
+				let secureStoreState = "";
+				const secretStore = getSecretStoreAdapter();
+				if (await secretStore.exists(target.accountId)) try {
+					expiryState = formatExpiry((await secretStore.load(target.accountId)).expires);
+				} catch {
+					expiryState = "unknown";
+				}
+				else secureStoreState = " [no secure store entry]";
+				process.stdout.write(`Current token status for ${displayName}: ${expiryState}${secureStoreState}\n`);
+				const result = await performRefresh(target.accountId, target.label);
+				if (!result) {
+					process.stderr.write("Re-login failed.\n");
+					process.exit(1);
+				}
+				const authResult = await writeActiveAuthFilesIfCurrent(result.accountId);
+				if (authResult) writeUpdatedAuthSummary(authResult);
+				return;
+			}
+			await handleReloginAccount();
+		} catch (error) {
+			exitWithCommandError(error);
+		}
+	});
+};
 //#endregion
 //#region lib/usage.ts
 const USAGE_ENDPOINT = "https://chatgpt.com/backend-api/wham/usage";
@@ -1022,9 +1650,10 @@ const fetchUsageRaw = async (accessToken, accountId) => {
 * Fetches usage for an account. On 401, refreshes the token and retries once.
 */
 const fetchUsage = async (accountId) => {
+	const secretStore = getSecretStoreAdapter();
 	let payload;
 	try {
-		payload = loadKeychainPayload(accountId);
+		payload = await secretStore.load(accountId);
 	} catch (err) {
 		return {
 			ok: false,
@@ -1052,7 +1681,7 @@ const fetchUsage = async (accountId) => {
 				expires: refreshResult.expires,
 				idToken: refreshResult.idToken ?? payload.idToken
 			};
-			saveKeychainPayload(accountId, updatedPayload);
+			await secretStore.save(accountId, updatedPayload);
 			response = await fetchUsageRaw(updatedPayload.access, updatedPayload.accountId);
 			if (!response.ok) return {
 				ok: false,
@@ -1159,113 +1788,9 @@ const formatUsageOverview = (entries) => {
 };
 //#endregion
-//#region cdx.ts
-const switchNext = async () => {
-	const config = await loadConfig();
-	const nextIndex = (config.current + 1) % config.accounts.length;
-	const nextAccount = config.accounts[nextIndex];
-	if (!nextAccount?.accountId) throw new Error("Account entry missing accountId.");
-	const payload = loadKeychainPayload(nextAccount.accountId);
-	const result = await writeAllAuthFiles(payload);
-	config.current = nextIndex;
-	await saveConfig(config);
-	const displayName = nextAccount.label ?? payload.accountId;
-	const opencodeMark = "✓";
-	const piMark = result.piWritten ? "✓" : "✗";
-	const codexMark = result.codexWritten ? "✓" : result.codexCleared ? "⚠ missing id_token (cleared)" : "⚠ missing id_token";
-	process.stdout.write(`Switched to account ${displayName}\n`);
-	process.stdout.write(`  OpenCode:  ${opencodeMark}\n`);
-	process.stdout.write(`  Pi Agent:  ${piMark}\n`);
-	process.stdout.write(`  Codex CLI: ${codexMark}\n`);
-};
-const switchToAccount = async (identifier) => {
-	const config = await loadConfig();
-	const index = config.accounts.findIndex((a) => a.accountId === identifier || a.label === identifier);
-	if (index === -1) throw new Error(`Account "${identifier}" not found. Use 'cdx login' to add it.`);
-	const account = config.accounts[index];
-	const result = await writeAllAuthFiles(loadKeychainPayload(account.accountId));
-	config.current = index;
-	await saveConfig(config);
-	const displayName = account.label ?? account.accountId;
-	const opencodeMark = "✓";
-	const piMark = result.piWritten ? "✓" : "✗";
-	const codexMark = result.codexWritten ? "✓" : result.codexCleared ? "⚠ missing id_token (cleared)" : "⚠ missing id_token";
-	process.stdout.write(`Switched to account ${displayName}\n`);
-	process.stdout.write(`  OpenCode:  ${opencodeMark}\n`);
-	process.stdout.write(`  Pi Agent:  ${piMark}\n`);
-	process.stdout.write(`  Codex CLI: ${codexMark}\n`);
-};
-const interactiveMode = runInteractiveMode;
-const createProgram = (deps = {}) => {
-	const program = new Command();
-	const runLogin = deps.performLogin ?? performLogin;
-	program.name("cdx").description("OpenAI account switcher - manage multiple OpenAI Pro subscriptions").version(version, "-v, --version");
-	program.command("login").description("Add a new OpenAI account via OAuth").action(async () => {
-		try {
-			if (!await runLogin()) {
-				process.stderr.write("Login failed.\n");
-				process.exit(1);
-			}
-		} catch (error) {
-			const message = error instanceof Error ? error.message : String(error);
-			process.stderr.write(`${message}\n`);
-			process.exit(1);
-		}
-	});
-	program.command("refresh").description("Re-authenticate an existing account (update tokens without creating a duplicate)").argument("[account]", "Account ID or label to refresh").action(async (account) => {
-		try {
-			if (account) {
-				const target = (await loadConfig()).accounts.find((a) => a.accountId === account || a.label === account);
-				if (!target) throw new Error(`Account "${account}" not found. Use 'cdx login' to add it.`);
-				const result = await performRefresh(target.accountId, target.label);
-				if (!result) {
-					process.stderr.write("Refresh failed.\n");
-					process.exit(1);
-				}
-				const authResult = await writeActiveAuthFilesIfCurrent(result.accountId);
-				if (authResult) {
-					const piMark = authResult.piWritten ? "✓" : "✗";
-					const codexMark = authResult.codexWritten ? "✓" : authResult.codexCleared ? "⚠ missing id_token (cleared)" : "⚠ missing id_token";
-					process.stdout.write("Updated active auth files:\n");
-					process.stdout.write("  OpenCode:  ✓\n");
-					process.stdout.write(`  Pi Agent:  ${piMark}\n`);
-					process.stdout.write(`  Codex CLI: ${codexMark}\n`);
-				}
-			} else await handleRefreshAccount();
-		} catch (error) {
-			const message = error instanceof Error ? error.message : String(error);
-			process.stderr.write(`${message}\n`);
-			process.exit(1);
-		}
-	});
-	program.command("switch").description("Switch OpenAI account (interactive picker, by name, or --next)").argument("[account-id]", "Account ID to switch to directly").option("-n, --next", "Cycle to the next configured account").action(async (accountId, options) => {
-		try {
-			if (options.next) await switchNext();
-			else if (accountId) await switchToAccount(accountId);
-			else await handleSwitchAccount();
-		} catch (error) {
-			const message = error instanceof Error ? error.message : String(error);
-			process.stderr.write(`${message}\n`);
-			process.exit(1);
-		}
-	});
-	program.command("label").description("Add or change label for an account").argument("[account]", "Account ID or current label to relabel").argument("[new-label]", "New label to assign").action(async (account, newLabel) => {
-		try {
-			if (account && newLabel) {
-				const config = await loadConfig();
-				const target = config.accounts.find((a) => a.accountId === account || a.label === account);
-				if (!target) throw new Error(`Account "${account}" not found. Use 'cdx login' to add it.`);
-				target.label = newLabel;
-				await saveConfig(config);
-				process.stdout.write(`Account ${target.accountId} labeled as "${newLabel}".\n`);
-			} else await handleLabelAccount();
-		} catch (error) {
-			const message = error instanceof Error ? error.message : String(error);
-			process.stderr.write(`${message}\n`);
-			process.exit(1);
-		}
-	});
-	program.command("status").description("Show account status, token expiry, and auth file state").action(async () => {
+//#region lib/commands/status.ts
+const registerStatusCommand = (program) => {
+	program.command("status").description("Show account status, token expiry, and usage").action(async () => {
 		try {
 			const status = await getStatus();
 			if (status.accounts.length === 0) {
@@ -1277,108 +1802,157 @@ const createProgram = (deps = {}) => {
 				const account = status.accounts[i];
 				const marker = account.isCurrent ? "→ " : "  ";
 				const warnings = [];
-				if (!account.keychainExists) warnings.push("[no keychain]");
+				if (!account.secureStoreExists) warnings.push("[no secure store entry]");
 				if (!account.hasIdToken) warnings.push("[no id_token]");
 				const warnStr = warnings.length > 0 ? `  ${warnings.join(" ")}` : "";
 				const displayName = account.label ?? account.accountId;
 				process.stdout.write(`${marker}${displayName}${warnStr}\n`);
 				if (account.label) process.stdout.write(`    ${account.accountId}\n`);
 				process.stdout.write(`    ${account.expiresIn}\n`);
-				const usageResult = await fetchUsage(account.accountId);
-				if (usageResult.ok) {
-					const bars = formatUsageBars(usageResult.data);
+				if (i < status.accounts.length - 1) process.stdout.write("\n");
+			}
+			const usageSpinner = p.spinner();
+			const accountWord = status.accounts.length === 1 ? "account" : "accounts";
+			usageSpinner.start(`Fetching usage for ${status.accounts.length} ${accountWord}...`);
+			const usageResults = await Promise.allSettled(status.accounts.map((account) => fetchUsage(account.accountId)));
+			const failedUsageCount = usageResults.filter((result) => result.status === "rejected" || result.status === "fulfilled" && !result.value.ok).length;
+			if (failedUsageCount === 0) usageSpinner.stop("Usage loaded.");
+			else {
+				const failedWord = failedUsageCount === 1 ? "account" : "accounts";
+				usageSpinner.stop(`Usage loaded (${failedUsageCount} ${failedWord} failed).`);
+			}
+			process.stdout.write("\nUsage:\n");
+			for (let i = 0; i < status.accounts.length; i++) {
+				const account = status.accounts[i];
+				const marker = account.isCurrent ? "→ " : "  ";
+				const displayName = account.label ?? account.accountId;
+				process.stdout.write(`${marker}${displayName}\n`);
+				if (account.label) process.stdout.write(`    ${account.accountId}\n`);
+				const usageResult = usageResults[i];
+				if (usageResult.status === "rejected") {
+					const message = usageResult.reason instanceof Error ? usageResult.reason.message : "Fetch failed";
+					process.stdout.write(`    [usage unavailable] ${message}\n`);
+				} else if (usageResult.value.ok) {
+					const bars = formatUsageBars(usageResult.value.data);
+					if (bars.length === 0) process.stdout.write("    Usage data unavailable\n");
 					for (const bar of bars) process.stdout.write(`${bar}\n`);
-				}
+				} else process.stdout.write(`    [usage unavailable] ${usageResult.value.error.message}\n`);
 				if (i < status.accounts.length - 1) process.stdout.write("\n");
 			}
-			const resolveLabel = (id) => {
-				if (!id) return "unknown";
-				return status.accounts.find((a) => a.accountId === id)?.label ?? id;
-			};
-			process.stdout.write("\nAuth files:\n");
-			const ocStatus = status.opencodeAuth.exists ? `active: ${resolveLabel(status.opencodeAuth.accountId)}` : "not found";
-			process.stdout.write(`  OpenCode: ${ocStatus}\n`);
-			const cxStatus = status.codexAuth.exists ? `active: ${resolveLabel(status.codexAuth.accountId)}` : "not found";
-			process.stdout.write(`  Codex CLI: ${cxStatus}\n`);
-			const piStatus = status.piAuth.exists ? `active: ${resolveLabel(status.piAuth.accountId)}` : "not found";
-			process.stdout.write(`  Pi Agent: ${piStatus}\n`);
 			process.stdout.write("\n");
 		} catch (error) {
-			const message = error instanceof Error ? error.message : String(error);
-			process.stderr.write(`${message}\n`);
-			process.exit(1);
+			exitWithCommandError(error);
 		}
 	});
+};
+//#endregion
+//#region lib/commands/switch.ts
+const switchNext = async () => {
+	const config = await loadConfig();
+	const nextIndex = (config.current + 1) % config.accounts.length;
+	const nextAccount = config.accounts[nextIndex];
+	if (!nextAccount?.accountId) throw new Error("Account entry missing accountId.");
+	const payload = await getSecretStoreAdapter().load(nextAccount.accountId);
+	const result = await writeAllAuthFiles(payload);
+	config.current = nextIndex;
+	await saveConfig(config);
+	writeSwitchSummary(nextAccount.label ?? payload.accountId, result);
+};
+const switchToAccount = async (identifier) => {
+	const config = await loadConfig();
+	const index = config.accounts.findIndex((account) => account.accountId === identifier || account.label === identifier);
+	if (index === -1) throw new Error(`Account "${identifier}" not found. Use 'cdx login' to add it.`);
+	const account = config.accounts[index];
+	const result = await writeAllAuthFiles(await getSecretStoreAdapter().load(account.accountId));
+	config.current = index;
+	await saveConfig(config);
+	writeSwitchSummary(account.label ?? account.accountId, result);
+};
+const registerSwitchCommand = (program) => {
+	program.command("switch").description("Switch OpenAI account (interactive picker, by name, or --next)").argument("[account-id]", "Account ID to switch to directly").option("-n, --next", "Cycle to the next configured account").action(async (accountId, options) => {
+		try {
+			if (options.next) await switchNext();
+			else if (accountId) await switchToAccount(accountId);
+			else await handleSwitchAccount();
+		} catch (error) {
+			exitWithCommandError(error);
+		}
+	});
+};
+//#endregion
+//#region lib/commands/usage.ts
+const registerUsageCommand = (program) => {
 	program.command("usage").description("Show OpenAI usage for all accounts (or detailed view for one)").argument("[account]", "Account ID or label (shows detailed single-account view)").action(async (account) => {
 		try {
 			const config = await loadConfig();
 			if (account) {
-				const found = config.accounts.find((a) => a.accountId === account || a.label === account);
+				const found = config.accounts.find((entry) => entry.accountId === account || entry.label === account);
 				if (!found) throw new Error(`Account "${account}" not found. Use 'cdx login' to add it.`);
 				const result = await fetchUsage(found.accountId);
 				if (!result.ok) throw new Error(result.error.message);
 				const displayName = found.label ? `${found.label} (${found.accountId})` : found.accountId;
 				process.stdout.write(`\n${displayName}\n${formatUsage(result.data)}\n\n`);
-			} else {
-				if (config.accounts.length === 0) throw new Error("No accounts configured. Use 'cdx login' to add one.");
-				const results = await Promise.allSettled(config.accounts.map((a) => fetchUsage(a.accountId)));
-				const entries = config.accounts.map((a, i) => {
-					const settled = results[i];
-					const displayName = a.label ? `${a.label} (${a.accountId})` : a.accountId;
-					const result = settled.status === "fulfilled" ? settled.value : {
-						ok: false,
-						error: {
-							type: "network_error",
-							message: settled.reason?.message ?? "Fetch failed"
-						}
-					};
-					return {
-						displayName,
-						isCurrent: i === config.current,
-						result
-					};
-				});
-				process.stdout.write(`\n${formatUsageOverview(entries)}\n\n`);
+				return;
 			}
+			if (config.accounts.length === 0) throw new Error("No accounts configured. Use 'cdx login' to add one.");
+			const results = await Promise.allSettled(config.accounts.map((entry) => fetchUsage(entry.accountId)));
+			const entries = config.accounts.map((entry, index) => {
+				const settled = results[index];
+				const displayName = entry.label ? `${entry.label} (${entry.accountId})` : entry.accountId;
+				const result = settled.status === "fulfilled" ? settled.value : {
+					ok: false,
+					error: {
+						type: "network_error",
+						message: settled.reason?.message ?? "Fetch failed"
+					}
+				};
+				return {
+					displayName,
+					isCurrent: index === config.current,
+					result
+				};
+			});
+			process.stdout.write(`\n${formatUsageOverview(entries)}\n\n`);
 		} catch (error) {
-			const message = error instanceof Error ? error.message : String(error);
-			process.stderr.write(`${message}\n`);
-			process.exit(1);
+			exitWithCommandError(error);
 		}
 	});
-	program.command("help").description("Show available commands and usage information").argument("[command]", "Show help for a specific command").action((commandName) => {
-		if (commandName) {
-			const cmd = program.commands.find((c) => c.name() === commandName);
-			if (cmd) cmd.outputHelp();
-			else {
-				process.stderr.write(`Unknown command: ${commandName}\n`);
-				program.outputHelp();
-				process.exit(1);
-			}
-		} else program.outputHelp();
-	});
+};
+//#endregion
+//#region lib/commands/version.ts
+const registerVersionCommand = (program, version) => {
 	program.command("version").description("Show CLI version").action(() => {
 		process.stdout.write(`${version}\n`);
 	});
-	program.action(async () => {
-		try {
-			await interactiveMode();
-		} catch (error) {
-			const message = error instanceof Error ? error.message : String(error);
-			process.stderr.write(`${message}\n`);
-			process.exit(1);
-		}
-	});
+};
+//#endregion
+//#region cdx.ts
+const interactiveMode = runInteractiveMode;
+const createProgram = (deps = {}) => {
+	const program = new Command();
+	program.name("cdx").description("OpenAI account switcher - manage multiple OpenAI Pro subscriptions").version(version, "-v, --version");
+	registerLoginCommand(program, deps);
+	registerReloginCommand(program);
+	registerSwitchCommand(program);
+	registerLabelCommand(program);
+	registerStatusCommand(program);
+	registerDoctorCommand(program);
+	registerUsageCommand(program);
+	registerHelpCommand(program);
+	registerVersionCommand(program, version);
+	registerDefaultInteractiveAction(program);
 	return program;
 };
 const main = async () => {
 	await createProgram().parseAsync(process.argv);
 };
 if (import.meta.main) main().catch((error) => {
-	const message = error instanceof Error ? error.message : String(error);
-	process.stderr.write(`${message}\n`);
-	process.exit(1);
+	exitWithCommandError(error);
 });
 //#endregion
-export { createProgram, createTestPaths, getPaths, interactiveMode, loadConfig, resetPaths, runInteractiveMode, saveConfig, setPaths, switchNext, switchToAccount, writeAllAuthFiles, writeAuthFile, writeCodexAuthFile, writePiAuthFile };
+export { createProgram, createRuntimeSecretStoreAdapter, createTestPaths, getPaths, getSecretStoreAdapter, interactiveMode, loadConfig, resetPaths, resetSecretStoreAdapter, runInteractiveMode, saveConfig, setPaths, setSecretStoreAdapter, switchNext, switchToAccount, writeAllAuthFiles, writeAuthFile, writeCodexAuthFile, writePiAuthFile };