@bjesuiter/codex-switcher 1.3.0 → 1.4.0

package/README.md

@@ -6,20 +6,25 @@ Switch the coding-agents [pi](https://pi.dev/), [codex](https://developers.opena
 
 ## Latest Changes
 
-### 1.3.0
+### 1.4.0
 
 #### Features
 
-- Rename `cdx refresh` command to `cdx relogin`
+- Add **beta Windows/Linux support** with platform-specific defaults for config/auth paths.
+- Add secure-store adapters via `cross-keychain` for Windows Credential Manager and Linux Secret Service/keyring.
+- Add `cdx doctor` to display auth file state with explicit paths plus runtime capability diagnostics.
+- Improve `cdx status` output flow: account/token details first, usage fetch with spinner after.
+- Require explicit one-time consent before using secure-store fallback backends (`CDX_ALLOW_SECURE_STORE_FALLBACK=1` override).
 
 #### Fixes
 
-- Fix `cdx relogin` selector flow exiting early after account selection (now continues into OAuth browser login)
+- Use platform-neutral secure-store wording in output where macOS-specific keychain wording was misleading.
 
 #### Internal
 
-- Modularize CLI command wiring by moving command handlers into per-command modules under `lib/commands/`, keeping `cdx.ts` as a thin composition entrypoint
-- Update package dependencies and lockfile (`@clack/prompts`, `commander`, `tsdown`, `@types/bun`, `@types/node`)
+- Add shared platform abstraction layer (`lib/platform/*`) for paths, browser launcher, and runtime capability detection.
+- Expand platform/path/browser/secret-store test coverage.
+- Update dependencies and lockfile for `cross-keychain`.
 
 see full changelog here: https://github.com/bjesuiter/codex-switcher/blob/main/CHANGELOG.md
 
@@ -41,9 +46,15 @@ So: switching between two $20 plans is the poor man's $100 plan for OpenAI. ^^
 
 ## Requirements
 
-- macOS (uses Keychain via the `security` command)
+- macOS (uses Keychain), Windows (uses Windows Credential Manager), **or** Linux (uses Secret Service/keyring)
 - [Bun](https://bun.sh) runtime
 
+## Platform Support Status
+
+- **macOS:** stable
+- **Windows:** beta
+- **Linux:** beta
+
 ## Install
 
 ```bash
@@ -54,63 +65,89 @@ This exposes the `cdx` binary globally.
 
 ## Usage
 
-### Add your first account
+### macOS (stable)
+
+1. Install [Bun](https://bun.sh)
+2. Install `cdx`
+3. Run and verify:
+   - `cdx login`
+   - `cdx status`
+   - `cdx switch`
+   - `cdx relogin <account-id-or-label>`
+4. Confirm auth files are written correctly after switching:
+   - `~/.local/share/opencode/auth.json` (or `$XDG_DATA_HOME/opencode/auth.json`)
+   - `~/.codex/auth.json`
+   - `~/.pi/agent/auth.json` (or `$PI_CODING_AGENT_DIR/auth.json`)
+5. Credentials are stored in macOS Keychain.
+
+### Windows (beta)
+
+Windows support is **test-ready** and suitable for friend/beta testing, but is not yet production-proven by broad real-world testing.
+
+1. Install [Bun](https://bun.sh)
+2. Install `cdx`
+3. Run and verify:
+   - `cdx login`
+   - `cdx status`
+   - `cdx switch`
+   - `cdx relogin <account-id-or-label>`
+4. Confirm auth files are written correctly after switching:
+   - `%LOCALAPPDATA%\\opencode\\auth.json`
+   - `%USERPROFILE%\\.codex\\auth.json`
+   - `%USERPROFILE%\\.pi\\agent\\auth.json` (or `%PI_CODING_AGENT_DIR%\\auth.json`)
+5. If prompted about secure-store fallback, explicitly choose whether to allow it for testing.
+   - Non-interactive override (if you accept the risk): `CDX_ALLOW_SECURE_STORE_FALLBACK=1`
+
+### Linux (beta)
+
+Linux support is **test-ready** and suitable for friend/beta testing, but is not yet production-proven by broad real-world testing.
+
+1. Install [Bun](https://bun.sh)
+2. Ensure a Secret Service backend is available (for example GNOME Keyring with `secret-tool`)
+3. Install `cdx`
+4. Run and verify:
+   - `cdx login`
+   - `cdx status`
+   - `cdx switch`
+   - `cdx relogin <account-id-or-label>`
+5. Confirm auth files are written correctly after switching:
+   - `~/.local/share/opencode/auth.json` (or `$XDG_DATA_HOME/opencode/auth.json`)
+   - `~/.codex/auth.json`
+   - `~/.pi/agent/auth.json` (or `$PI_CODING_AGENT_DIR/auth.json`)
+6. If prompted about secure-store fallback, explicitly choose whether to allow it for testing.
+   - Non-interactive override (if you accept the risk): `CDX_ALLOW_SECURE_STORE_FALLBACK=1`
+
+Please report the full command output and platform info (`cdx status`) for any failures.
+
+### Common command examples (all platforms)
+
+Add your first account:
 
 ```bash
 cdx login
 ```
 
-Opens your browser to authenticate with OpenAI. After successful login, your credentials are stored securely in macOS Keychain.
-
-### Switch between accounts
+Switch between accounts:
 
 ```bash
 cdx switch
-```
-
-Interactive picker to select an account. Writes credentials to:
-- `~/.local/share/opencode/auth.json` (OpenCode)
-- `~/.pi/agent/auth.json` (Pi agent, or `$PI_CODING_AGENT_DIR/auth.json` when `PI_CODING_AGENT_DIR` is set)
-- `~/.codex/auth.json` (Codex CLI; requires `id_token`)
-
-```bash
 cdx switch --next
-```
-
-Cycles to the next configured account without prompting.
-
-```bash
 cdx switch <account-id-or-label>
 ```
 
-Switch directly to a specific account by ID or label.
-
-### Label accounts
+Label accounts:
 
 ```bash
 cdx label
-```
-
-Interactive prompt to assign a friendly name to an account.
-
-```bash
 cdx label <account> <new-label>
 ```
 
-Assign a label directly.
-
-### Interactive mode
+Interactive mode:
 
 ```bash
 cdx
 ```
 
-Running `cdx` without arguments opens an interactive menu to:
-- List all configured accounts
-- Switch to a different account
-- Add a new account (OAuth login)
-- Remove an account
-
 ## Commands
 
 | Command | Description |
@@ -124,7 +161,8 @@ Running `cdx` without arguments opens an interactive menu to:
 | `cdx switch <id>` | Switch to specific account |
 | `cdx label` | Label an account (interactive) |
 | `cdx label <account> <label>` | Assign label directly |
-| `cdx status` | Show account status, token expiry, usage, and auth file state |
+| `cdx status` | Show account status, token expiry, and usage |
+| `cdx doctor` | Show auth file paths/state and runtime capabilities |
 | `cdx usage` | Show usage overview for all accounts |
 | `cdx usage <account>` | Show detailed usage for a specific account |
 | `cdx help [command]` | Show help for all commands or one command |
@@ -134,12 +172,34 @@ Running `cdx` without arguments opens an interactive menu to:
 
 ## How It Works
 
-- OAuth credentials are stored securely in macOS Keychain
-- Account list is stored in `~/.config/cdx/accounts.json`
-- Active account credentials are written to:
-  - `~/.local/share/opencode/auth.json`
-  - `~/.pi/agent/auth.json` (or `$PI_CODING_AGENT_DIR/auth.json`)
-  - `~/.codex/auth.json` (when `id_token` exists)
+### Secure credential storage
+
+- **macOS:** macOS Keychain
+- **Windows:** Windows Credential Manager
+- **Linux:** Secret Service/keyring
+- If only a fallback secure-store backend is available on your platform, `cdx` asks for one-time explicit consent before the first credential write and explains the security trade-off.
+  - Non-interactive override (if you accept the risk): set `CDX_ALLOW_SECURE_STORE_FALLBACK=1`
+
+### Account list path
+
+- **macOS/Linux:** `~/.config/cdx/accounts.json` (or `$XDG_CONFIG_HOME/cdx/accounts.json`)
+- **Windows:** `%APPDATA%\\cdx\\accounts.json`
+
+### Auth file paths
+
+#### macOS / Linux
+
+- **OpenCode:** `~/.local/share/opencode/auth.json` (or `$XDG_DATA_HOME/opencode/auth.json`)
+- **Codex CLI:** `~/.codex/auth.json`
+- **Pi Agent:** `~/.pi/agent/auth.json` (or `$PI_CODING_AGENT_DIR/auth.json`)
+
+#### Windows
+
+- **OpenCode:** `%LOCALAPPDATA%\\opencode\\auth.json`
+- **Codex CLI:** `%USERPROFILE%\\.codex\\auth.json`
+- **Pi Agent:** `%USERPROFILE%\\.pi\\agent\\auth.json` (or `%PI_CODING_AGENT_DIR%\\auth.json`)
+
+`cdx` writes Codex CLI auth only when `id_token` exists.
 
 ## For Developers
 
@@ -162,7 +222,7 @@ bun link
 
 ### Manual Configuration (Advanced)
 
-You can also manually add accounts to Keychain:
+You can also manually add accounts to Keychain (macOS only):
 
 ```bash
 security add-generic-password -a "ACCOUNT_ID" -s "cdx-openai-ACCOUNT_ID" -w '{"refresh":"REFRESH","access":"ACCESS","expires":1234567890,"accountId":"ACCOUNT_ID"}' -U

package/cdx.mjs

@@ -6,12 +6,14 @@ import { mkdir, readFile, rm, writeFile } from "node:fs/promises";
 import path from "node:path";
 import os from "node:os";
 import { spawn } from "node:child_process";
+import { deletePassword, getPassword, listBackends, setPassword, useBackend } from "cross-keychain";
+import { createInterface } from "node:readline/promises";
 import { generatePKCE } from "@openauthjs/openauth/pkce";
 import { randomBytes } from "node:crypto";
 import http from "node:http";
 
 //#region package.json
-var version = "1.3.0";
+var version = "1.4.0";
 
 //#endregion
 //#region lib/commands/errors.ts
@@ -21,23 +23,79 @@ const exitWithCommandError = (error) => {
 	process.exit(1);
 };
 
+//#endregion
+//#region lib/platform/path-resolver.ts
+const envValue = (env, key) => {
+	const value = env[key];
+	if (!value) return void 0;
+	const trimmed = value.trim();
+	return trimmed.length > 0 ? trimmed : void 0;
+};
+const resolvePiAuthPath = (env, homeDir, platform) => {
+	const piAgentDir = envValue(env, "PI_CODING_AGENT_DIR");
+	if (piAgentDir) return platform === "win32" ? path.win32.join(piAgentDir, "auth.json") : path.join(piAgentDir, "auth.json");
+	return platform === "win32" ? path.win32.join(homeDir, ".pi", "agent", "auth.json") : path.join(homeDir, ".pi", "agent", "auth.json");
+};
+const resolveXdgPaths = (env, homeDir, platform) => {
+	const configHome = envValue(env, "XDG_CONFIG_HOME") ?? path.join(homeDir, ".config");
+	const dataHome = envValue(env, "XDG_DATA_HOME") ?? path.join(homeDir, ".local", "share");
+	const configDir = path.join(configHome, "cdx");
+	return {
+		profile: "xdg",
+		configDir,
+		configPath: path.join(configDir, "accounts.json"),
+		authPath: path.join(dataHome, "opencode", "auth.json"),
+		codexAuthPath: path.join(homeDir, ".codex", "auth.json"),
+		piAuthPath: resolvePiAuthPath(env, homeDir, platform)
+	};
+};
+const resolveWindowsPaths = (env, homeDir) => {
+	const winPath = path.win32;
+	const appData = envValue(env, "APPDATA") ?? winPath.join(homeDir, "AppData", "Roaming");
+	const localAppData = envValue(env, "LOCALAPPDATA") ?? winPath.join(homeDir, "AppData", "Local");
+	const configDir = winPath.join(appData, "cdx");
+	return {
+		profile: "windows-appdata",
+		configDir,
+		configPath: winPath.join(configDir, "accounts.json"),
+		authPath: winPath.join(localAppData, "opencode", "auth.json"),
+		codexAuthPath: winPath.join(homeDir, ".codex", "auth.json"),
+		piAuthPath: resolvePiAuthPath(env, homeDir, "win32")
+	};
+};
+const resolveRuntimePaths = (input) => {
+	if (input.platform === "win32") return resolveWindowsPaths(input.env, input.homeDir);
+	return resolveXdgPaths(input.env, input.homeDir, input.platform);
+};
+
 //#endregion
 //#region lib/paths.ts
-const defaultConfigDir = path.join(os.homedir(), ".config", "cdx");
-const resolvePiAuthPath = () => {
-	const piAgentDir = process.env.PI_CODING_AGENT_DIR?.trim();
-	if (piAgentDir) return path.join(piAgentDir, "auth.json");
-	return path.join(os.homedir(), ".pi", "agent", "auth.json");
-};
-const createDefaultPaths = () => ({
-	configDir: defaultConfigDir,
-	configPath: path.join(defaultConfigDir, "accounts.json"),
-	authPath: path.join(os.homedir(), ".local", "share", "opencode", "auth.json"),
-	codexAuthPath: path.join(os.homedir(), ".codex", "auth.json"),
-	piAuthPath: resolvePiAuthPath()
+const toPathConfig = (paths) => ({
+	configDir: paths.configDir,
+	configPath: paths.configPath,
+	authPath: paths.authPath,
+	codexAuthPath: paths.codexAuthPath,
+	piAuthPath: paths.piAuthPath
 });
-let currentPaths = createDefaultPaths();
+const createDefaultPaths = () => {
+	const resolved = resolveRuntimePaths({
+		platform: process.platform,
+		env: process.env,
+		homeDir: os.homedir()
+	});
+	return {
+		paths: toPathConfig(resolved),
+		resolution: {
+			platform: process.platform,
+			profile: resolved.profile
+		}
+	};
+};
+const initial = createDefaultPaths();
+let currentPaths = initial.paths;
+let currentResolution = initial.resolution;
 const getPaths = () => currentPaths;
+const getPathResolutionInfo = () => currentResolution;
 const setPaths = (paths) => {
 	currentPaths = {
 		...currentPaths,
@@ -46,7 +104,9 @@ const setPaths = (paths) => {
 	if (paths.configDir && !paths.configPath) currentPaths.configPath = path.join(paths.configDir, "accounts.json");
 };
 const resetPaths = () => {
-	currentPaths = createDefaultPaths();
+	const next = createDefaultPaths();
+	currentPaths = next.paths;
+	currentResolution = next.resolution;
 };
 const createTestPaths = (testDir) => ({
 	configDir: path.join(testDir, "config"),
@@ -157,11 +217,71 @@ const configExists = () => {
 	return existsSync(configPath);
 };
 
+//#endregion
+//#region lib/platform/browser.ts
+const getBrowserLauncher = (platform = process.platform, url) => {
+	if (platform === "darwin") return {
+		command: "open",
+		args: [url],
+		label: "open"
+	};
+	if (platform === "win32") return {
+		command: "cmd",
+		args: [
+			"/c",
+			"start",
+			"",
+			url
+		],
+		label: "cmd /c start"
+	};
+	return {
+		command: "xdg-open",
+		args: [url],
+		label: "xdg-open"
+	};
+};
+const isCommandAvailable = (command, platform = process.platform) => {
+	const probe = platform === "win32" ? "where" : "which";
+	return Bun.spawnSync({
+		cmd: [probe, command],
+		stdout: "pipe",
+		stderr: "pipe"
+	}).exitCode === 0;
+};
+const getBrowserLauncherCapability = (platform = process.platform) => {
+	const launcher = getBrowserLauncher(platform, "https://example.com");
+	return {
+		command: launcher.command,
+		label: launcher.label,
+		available: isCommandAvailable(launcher.command, platform)
+	};
+};
+const openBrowserUrl = (url, spawnImpl = spawn) => {
+	const launcher = getBrowserLauncher(process.platform, url);
+	try {
+		spawnImpl(launcher.command, launcher.args, {
+			detached: true,
+			stdio: "ignore"
+		}).unref();
+		return {
+			ok: true,
+			launcher
+		};
+	} catch (error) {
+		return {
+			ok: false,
+			launcher,
+			error: error instanceof Error ? error.message : String(error)
+		};
+	}
+};
+
 //#endregion
 //#region lib/keychain.ts
-const SERVICE_PREFIX = "cdx-openai-";
+const SERVICE_PREFIX$2 = "cdx-openai-";
 const getKeychainService = (accountId) => {
-	return `${SERVICE_PREFIX}${accountId}`;
+	return `${SERVICE_PREFIX$2}${accountId}`;
 };
 const runSecurity = (args) => {
 	const result = Bun.spawnSync({
@@ -233,12 +353,300 @@ const listKeychainAccounts = () => {
 	if (result.exitCode !== 0) return [];
 	const output = result.stdout.toString();
 	const accounts = [];
-	const serviceRegex = new RegExp(`"svce"<blob>="${SERVICE_PREFIX}([^"]+)"`, "g");
+	const serviceRegex = new RegExp(`"svce"<blob>="${SERVICE_PREFIX$2}([^"]+)"`, "g");
 	let match;
 	while ((match = serviceRegex.exec(output)) !== null) if (match[1]) accounts.push(match[1]);
 	return [...new Set(accounts)];
 };
 
+//#endregion
+//#region lib/secrets/fallback-consent.ts
+const CONSENT_FILE = "secure-store-fallback-consent.json";
+const CONSENT_ENV_BYPASS = "CDX_ALLOW_SECURE_STORE_FALLBACK";
+const isBypassEnabled = () => {
+	const value = process.env[CONSENT_ENV_BYPASS];
+	if (!value) return false;
+	return [
+		"1",
+		"true",
+		"yes",
+		"y"
+	].includes(value.trim().toLowerCase());
+};
+const consentFilePath = () => path.join(getPaths().configDir, CONSENT_FILE);
+const loadConsentMap = async () => {
+	try {
+		const raw = await readFile(consentFilePath(), "utf8");
+		return JSON.parse(raw).accepted ?? {};
+	} catch {
+		return {};
+	}
+};
+const saveConsentMap = async (accepted) => {
+	const { configDir } = getPaths();
+	await mkdir(configDir, { recursive: true });
+	const payload = { accepted };
+	await writeFile(consentFilePath(), JSON.stringify(payload, null, 2), "utf8");
+};
+const promptConsent = async (message) => {
+	if (!process.stdin.isTTY || !process.stdout.isTTY) return false;
+	process.stdout.write(`\n${message}\n\n`);
+	const rl = createInterface({
+		input: process.stdin,
+		output: process.stdout
+	});
+	try {
+		const normalized = (await rl.question("Do you want to continue with this fallback? [y/N]: ")).trim().toLowerCase();
+		return normalized === "y" || normalized === "yes";
+	} finally {
+		rl.close();
+	}
+};
+const ensureFallbackConsent = async (scope, warningMessage) => {
+	if (isBypassEnabled()) return;
+	const accepted = await loadConsentMap();
+	if (accepted[scope]) return;
+	if (!await promptConsent(warningMessage)) throw new Error(`Secure-store fallback usage was not approved for '${scope}'. Re-run in an interactive terminal to confirm, or set ${CONSENT_ENV_BYPASS}=1 if you accept the fallback risk.`);
+	accepted[scope] = { acceptedAt: (/* @__PURE__ */ new Date()).toISOString() };
+	await saveConsentMap(accepted);
+};
+
+//#endregion
+//#region lib/secrets/linux-cross-keychain.ts
+const SERVICE_PREFIX$1 = "cdx-openai-";
+const LINUX_FALLBACK_SCOPE = "linux:cross-keychain:secret-service";
+let backendInitPromise$1 = null;
+let selectedBackend$1 = null;
+const tryUseBackend$1 = async (backendId) => {
+	try {
+		await useBackend(backendId);
+		return true;
+	} catch {
+		return false;
+	}
+};
+const selectBackend$1 = async () => {
+	const backends = await listBackends();
+	const available = new Set(backends.map((backend) => backend.id));
+	if (available.has("native-linux") && await tryUseBackend$1("native-linux")) return "native-linux";
+	if (available.has("secret-service") && await tryUseBackend$1("secret-service")) return "secret-service";
+	if (await tryUseBackend$1("native-linux")) return "native-linux";
+	if (await tryUseBackend$1("secret-service")) return "secret-service";
+	throw new Error("Unable to initialize Linux secure-store backend via cross-keychain.");
+};
+const ensureLinuxBackend = async (options = {}) => {
+	if (!backendInitPromise$1) backendInitPromise$1 = (async () => {
+		selectedBackend$1 = await selectBackend$1();
+	})();
+	try {
+		await backendInitPromise$1;
+	} catch {
+		backendInitPromise$1 = null;
+		selectedBackend$1 = null;
+		throw new Error("Unable to initialize Linux secure-store backend via cross-keychain.");
+	}
+	if (options.forWrite && selectedBackend$1 === "secret-service") await ensureFallbackConsent(LINUX_FALLBACK_SCOPE, "⚠ Security warning: only the cross-keychain Linux fallback backend is available.\nThis path relies on shell-based `secret-tool` operations for Secret Service access.\nCompared to native bindings, secrets may be more exposed to process inspection/logging while helper commands run.");
+};
+const getLinuxCrossKeychainService = (accountId) => `${SERVICE_PREFIX$1}${accountId}`;
+const parsePayload$1 = (accountId, raw) => {
+	let parsed;
+	try {
+		parsed = JSON.parse(raw);
+	} catch {
+		throw new Error(`Stored credential payload for account ${accountId} is not valid JSON.`);
+	}
+	if (!parsed.refresh || !parsed.access || !parsed.expires || !parsed.accountId) throw new Error(`Stored credential payload for account ${accountId} is missing required fields.`);
+	return parsed;
+};
+const withService$1 = async (accountId, run, options = {}) => {
+	await ensureLinuxBackend(options);
+	return run(getLinuxCrossKeychainService(accountId));
+};
+const saveLinuxCrossKeychainPayload = async (accountId, payload) => withService$1(accountId, (service) => setPassword(service, accountId, JSON.stringify(payload)), { forWrite: true });
+const loadLinuxCrossKeychainPayload = async (accountId) => {
+	const raw = await withService$1(accountId, (service) => getPassword(service, accountId));
+	if (raw === null) throw new Error(`No stored credentials found for account ${accountId}.`);
+	return parsePayload$1(accountId, raw);
+};
+const deleteLinuxCrossKeychainPayload = async (accountId) => withService$1(accountId, (service) => deletePassword(service, accountId));
+const linuxCrossKeychainPayloadExists = async (accountId) => withService$1(accountId, async (service) => await getPassword(service, accountId) !== null);
+
+//#endregion
+//#region lib/secrets/windows-cross-keychain.ts
+const SERVICE_PREFIX = "cdx-openai-";
+const WINDOWS_FALLBACK_SCOPE = "win32:cross-keychain:windows";
+let backendInitPromise = null;
+let selectedBackend = null;
+const tryUseBackend = async (backendId) => {
+	try {
+		await useBackend(backendId);
+		return true;
+	} catch {
+		return false;
+	}
+};
+const selectBackend = async () => {
+	const backends = await listBackends();
+	const available = new Set(backends.map((backend) => backend.id));
+	if (available.has("native-windows") && await tryUseBackend("native-windows")) return "native-windows";
+	if (available.has("windows") && await tryUseBackend("windows")) return "windows";
+	if (await tryUseBackend("native-windows")) return "native-windows";
+	if (await tryUseBackend("windows")) return "windows";
+	throw new Error("Unable to initialize Windows credential backend via cross-keychain.");
+};
+const ensureWindowsBackend = async (options = {}) => {
+	if (!backendInitPromise) backendInitPromise = (async () => {
+		selectedBackend = await selectBackend();
+	})();
+	try {
+		await backendInitPromise;
+	} catch {
+		backendInitPromise = null;
+		selectedBackend = null;
+		throw new Error("Unable to initialize Windows credential backend via cross-keychain.");
+	}
+	if (options.forWrite && selectedBackend === "windows") await ensureFallbackConsent(WINDOWS_FALLBACK_SCOPE, "⚠ Security warning: only the cross-keychain Windows fallback backend is available.\nThis path runs a PowerShell helper to access Windows Credential Manager.\nCompared to native bindings, secrets may be more exposed to process inspection/logging while the helper runs.");
+};
+const getWindowsCrossKeychainService = (accountId) => `${SERVICE_PREFIX}${accountId}`;
+const parsePayload = (accountId, raw) => {
+	let parsed;
+	try {
+		parsed = JSON.parse(raw);
+	} catch {
+		throw new Error(`Stored credential payload for account ${accountId} is not valid JSON.`);
+	}
+	if (!parsed.refresh || !parsed.access || !parsed.expires || !parsed.accountId) throw new Error(`Stored credential payload for account ${accountId} is missing required fields.`);
+	return parsed;
+};
+const withService = async (accountId, run, options = {}) => {
+	await ensureWindowsBackend(options);
+	return run(getWindowsCrossKeychainService(accountId));
+};
+const saveWindowsCrossKeychainPayload = async (accountId, payload) => withService(accountId, (service) => setPassword(service, accountId, JSON.stringify(payload)), { forWrite: true });
+const loadWindowsCrossKeychainPayload = async (accountId) => {
+	const raw = await withService(accountId, (service) => getPassword(service, accountId));
+	if (raw === null) throw new Error(`No stored credentials found for account ${accountId}.`);
+	return parsePayload(accountId, raw);
+};
+const deleteWindowsCrossKeychainPayload = async (accountId) => withService(accountId, (service) => deletePassword(service, accountId));
+const windowsCrossKeychainPayloadExists = async (accountId) => withService(accountId, async (service) => await getPassword(service, accountId) !== null);
+
+//#endregion
+//#region lib/secrets/store.ts
+const MAC_FALLBACK_SCOPE = "darwin:security-cli";
+let macNativeStoreOptionPromise = null;
+const unsupportedError = (platform) => /* @__PURE__ */ new Error(`No default secret store adapter configured for platform '${platform}'. Only macOS, Windows, and Linux adapters are wired by default right now.`);
+const hasNativeMacStoreOption = async () => {
+	if (!macNativeStoreOptionPromise) macNativeStoreOptionPromise = (async () => {
+		try {
+			return (await listBackends()).some((backend) => backend.id === "native-macos");
+		} catch {
+			return false;
+		}
+	})();
+	return macNativeStoreOptionPromise;
+};
+const ensureMacFallbackConsentIfNeeded = async () => {
+	if (await hasNativeMacStoreOption()) return;
+	await ensureFallbackConsent(MAC_FALLBACK_SCOPE, "⚠ Security warning: only the macOS CLI secure-store path is available.\nThis path uses the `security` command to access Keychain.\nCompared to native bindings, secrets may be more exposed to process inspection/logging while CLI commands run.");
+};
+const createMacOSKeychainAdapter = () => ({
+	id: "macos-keychain",
+	label: "macOS Keychain",
+	getServiceName: getKeychainService,
+	save: async (accountId, payload) => {
+		await ensureMacFallbackConsentIfNeeded();
+		saveKeychainPayload(accountId, payload);
+	},
+	load: async (accountId) => loadKeychainPayload(accountId),
+	delete: async (accountId) => deleteKeychainPayload(accountId),
+	exists: async (accountId) => keychainPayloadExists(accountId),
+	listAccountIds: async () => listKeychainAccounts(),
+	getCapability: () => ({ available: true })
+});
+const loadConfiguredAccountIds = async () => {
+	if (!configExists()) return [];
+	return (await loadConfig()).accounts.map((account) => account.accountId);
+};
+const createWindowsCrossKeychainAdapter = () => ({
+	id: "windows-cross-keychain",
+	label: "Windows Credential Manager (cross-keychain)",
+	getServiceName: getWindowsCrossKeychainService,
+	save: saveWindowsCrossKeychainPayload,
+	load: loadWindowsCrossKeychainPayload,
+	delete: deleteWindowsCrossKeychainPayload,
+	exists: windowsCrossKeychainPayloadExists,
+	listAccountIds: async () => {
+		const accountIds = await loadConfiguredAccountIds();
+		return (await Promise.all(accountIds.map(async (accountId) => ({
+			accountId,
+			exists: await windowsCrossKeychainPayloadExists(accountId)
+		})))).filter((item) => item.exists).map((item) => item.accountId);
+	},
+	getCapability: () => ({ available: true })
+});
+const createLinuxCrossKeychainAdapter = () => ({
+	id: "linux-cross-keychain",
+	label: "Linux Secret Service (cross-keychain)",
+	getServiceName: getLinuxCrossKeychainService,
+	save: saveLinuxCrossKeychainPayload,
+	load: loadLinuxCrossKeychainPayload,
+	delete: deleteLinuxCrossKeychainPayload,
+	exists: linuxCrossKeychainPayloadExists,
+	listAccountIds: async () => {
+		const accountIds = await loadConfiguredAccountIds();
+		return (await Promise.all(accountIds.map(async (accountId) => ({
+			accountId,
+			exists: await linuxCrossKeychainPayloadExists(accountId)
+		})))).filter((item) => item.exists).map((item) => item.accountId);
+	},
+	getCapability: () => ({ available: true })
+});
+const createUnsupportedAdapter = (platform) => ({
+	id: "unsupported",
+	label: "Unsupported (no adapter configured)",
+	getServiceName: (accountId) => `cdx-openai-${accountId}`,
+	save: async () => {
+		throw unsupportedError(platform);
+	},
+	load: async () => {
+		throw unsupportedError(platform);
+	},
+	delete: async () => {
+		throw unsupportedError(platform);
+	},
+	exists: async () => false,
+	listAccountIds: async () => [],
+	getCapability: () => ({
+		available: false,
+		reason: "No default secure-store adapter available for this platform."
+	})
+});
+const createRuntimeSecretStoreAdapter = (platform = process.platform) => {
+	if (platform === "darwin") return createMacOSKeychainAdapter();
+	if (platform === "win32") return createWindowsCrossKeychainAdapter();
+	if (platform === "linux") return createLinuxCrossKeychainAdapter();
+	return createUnsupportedAdapter(platform);
+};
+let currentSecretStoreAdapter = createRuntimeSecretStoreAdapter();
+const getSecretStoreAdapter = () => currentSecretStoreAdapter;
+const setSecretStoreAdapter = (adapter) => {
+	currentSecretStoreAdapter = adapter;
+};
+const resetSecretStoreAdapter = () => {
+	currentSecretStoreAdapter = createRuntimeSecretStoreAdapter();
+};
+const getSecretStoreCapability = () => {
+	const adapter = getSecretStoreAdapter();
+	const capability = adapter.getCapability();
+	return {
+		id: adapter.id,
+		label: adapter.label,
+		available: capability.available,
+		...capability.reason ? { reason: capability.reason } : {}
+	};
+};
+
 //#endregion
 //#region lib/oauth/constants.ts
 const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
@@ -437,31 +845,27 @@ const startOAuthServer = (state) => {
 //#endregion
 //#region lib/oauth/login.ts
 const openBrowser = (url) => {
-	const cmd = process.platform === "darwin" ? "open" : "xdg-open";
-	try {
-		spawn(cmd, [url], {
-			detached: true,
-			stdio: "ignore"
-		}).unref();
-	} catch (error) {
-		const msg = error instanceof Error ? error.message : String(error);
-		p.log.warning(`Could not auto-open browser (${msg}).`);
+	const result = openBrowserUrl(url);
+	if (!result.ok) {
+		const msg = result.error ?? "unknown error";
+		p.log.warning(`Could not auto-open browser via ${result.launcher.label} (${msg}).`);
 	}
 };
 const addAccountToConfig = async (accountId, label) => {
 	let config;
+	const secretStore = getSecretStoreAdapter();
 	if (configExists()) {
 		config = await loadConfig();
 		if (!config.accounts.some((a) => a.accountId === accountId)) config.accounts.push({
 			accountId,
-			keychainService: getKeychainService(accountId),
+			keychainService: secretStore.getServiceName(accountId),
 			...label ? { label } : {}
 		});
 	} else config = {
 		current: 0,
 		accounts: [{
 			accountId,
-			keychainService: getKeychainService(accountId),
+			keychainService: secretStore.getServiceName(accountId),
 			...label ? { label } : {}
 		}]
 	};
@@ -521,16 +925,17 @@ const performRefresh = async (targetAccountId, label, options = {}) => {
 		}
 		if (spinner) spinner.message("Updating credentials...");
 		else p.log.message("Updating credentials...");
-		saveKeychainPayload(newAccountId, {
+		const payload = {
 			refresh: tokenResult.refresh,
 			access: tokenResult.access,
 			expires: tokenResult.expires,
 			accountId: newAccountId,
 			...tokenResult.idToken ? { idToken: tokenResult.idToken } : {}
-		});
+		};
+		await getSecretStoreAdapter().save(newAccountId, payload);
 		if (spinner) spinner.stop("Credentials refreshed!");
 		else p.log.success("Credentials refreshed!");
-		p.log.success(`Account "${displayName}" credentials updated in Keychain.`);
+		p.log.success(`Account "${displayName}" credentials updated in secure store.`);
 		return { accountId: newAccountId };
 	} finally {
 		clearInterval(keepAlive);
@@ -568,13 +973,14 @@ const performLogin = async () => {
 		return null;
 	}
 	spinner.message("Saving credentials...");
-	saveKeychainPayload(accountId, {
+	const payload = {
 		refresh: tokenResult.refresh,
 		access: tokenResult.access,
 		expires: tokenResult.expires,
 		accountId,
 		...tokenResult.idToken ? { idToken: tokenResult.idToken } : {}
-	});
+	};
+	await getSecretStoreAdapter().save(accountId, payload);
 	spinner.stop("Login successful!");
 	const labelInput = await p.text({
 		message: "Enter a label for this account (or press Enter to skip):",
@@ -583,7 +989,7 @@ const performLogin = async () => {
 	const label = !p.isCancel(labelInput) && labelInput?.trim() ? labelInput.trim() : void 0;
 	await addAccountToConfig(accountId, label);
 	const displayName = label ?? accountId;
-	p.log.success(`Account "${displayName}" saved to Keychain and config.`);
+	p.log.success(`Account "${displayName}" saved to secure store and config.`);
 	p.outro("You can now use 'cdx switch' to activate this account.");
 	return { accountId };
 };
@@ -595,7 +1001,19 @@ const writeActiveAuthFilesIfCurrent = async (accountId) => {
 	const config = await loadConfig();
 	const current = config.accounts[config.current];
 	if (!current || current.accountId !== accountId) return null;
-	return writeAllAuthFiles(loadKeychainPayload(accountId));
+	return writeAllAuthFiles(await getSecretStoreAdapter().load(accountId));
+};
+
+//#endregion
+//#region lib/platform/capabilities.ts
+const getRuntimeCapabilities = () => {
+	const pathResolution = getPathResolutionInfo();
+	return {
+		platform: process.platform,
+		pathProfile: pathResolution.profile,
+		secretStore: getSecretStoreCapability(),
+		browserLauncher: getBrowserLauncherCapability(process.platform)
+	};
 };
 
 //#endregion
@@ -680,12 +1098,13 @@ const readPiAuthAccount = async () => {
 		};
 	}
 };
-const getAccountStatus = (accountId, isCurrent, label) => {
-	const keychainExists = keychainPayloadExists(accountId);
+const getAccountStatus = async (accountId, isCurrent, label) => {
+	const secretStore = getSecretStoreAdapter();
+	const secureStoreExists = await secretStore.exists(accountId);
 	let expiresAt = null;
 	let hasIdToken = false;
-	if (keychainExists) try {
-		const payload = loadKeychainPayload(accountId);
+	if (secureStoreExists) try {
+		const payload = await secretStore.load(accountId);
 		expiresAt = payload.expires;
 		hasIdToken = !!payload.idToken;
 	} catch {}
@@ -693,7 +1112,7 @@ const getAccountStatus = (accountId, isCurrent, label) => {
 		accountId,
 		label,
 		isCurrent,
-		keychainExists,
+		secureStoreExists,
 		hasIdToken,
 		expiresAt,
 		expiresIn: formatExpiry(expiresAt)
@@ -705,7 +1124,7 @@ const getStatus = async () => {
 		const config = await loadConfig();
 		for (let i = 0; i < config.accounts.length; i++) {
 			const account = config.accounts[i];
-			accounts.push(getAccountStatus(account.accountId, i === config.current, account.label));
+			accounts.push(await getAccountStatus(account.accountId, i === config.current, account.label));
 		}
 	}
 	const [opencodeAuth, codexAuth, piAuth] = await Promise.all([
@@ -717,7 +1136,8 @@ const getStatus = async () => {
 		accounts,
 		opencodeAuth,
 		codexAuth,
-		piAuth
+		piAuth,
+		capabilities: getRuntimeCapabilities()
 	};
 };
 
@@ -727,10 +1147,16 @@ const getAccountDisplay = (accountId, isCurrent, label) => {
 	const name = label ? `${label} (${accountId})` : accountId;
 	return isCurrent ? `${name} (current)` : name;
 };
-const getRefreshExpiryState = (accountId) => {
-	if (!keychainPayloadExists(accountId)) return "unknown [no keychain]";
+const hasStoredCredentials = async (accountId) => getSecretStoreAdapter().exists(accountId);
+const loadStoredCredentials = async (accountId) => getSecretStoreAdapter().load(accountId);
+const getStoredAccountIds = async () => getSecretStoreAdapter().listAccountIds();
+const removeStoredCredentials = async (accountId) => {
+	await getSecretStoreAdapter().delete(accountId);
+};
+const getRefreshExpiryState = async (accountId) => {
+	if (!await hasStoredCredentials(accountId)) return "unknown [no secure store entry]";
 	try {
-		return formatExpiry(loadKeychainPayload(accountId).expires);
+		return formatExpiry((await loadStoredCredentials(accountId)).expires);
 	} catch {
 		return "unknown";
 	}
@@ -746,7 +1172,7 @@ const handleListAccounts = async () => {
 	for (const account of config.accounts) {
 		const marker = account.accountId === currentAccountId ? "→ " : "  ";
 		const displayName = account.label ? `${account.label} (${account.accountId})` : account.accountId;
-		const status = keychainPayloadExists(account.accountId) ? "" : " (missing credentials)";
+		const status = await hasStoredCredentials(account.accountId) ? "" : " (missing credentials)";
 		p.log.message(`${marker}${displayName}${status}`);
 	}
 };
@@ -784,7 +1210,7 @@ const handleSwitchAccount = async () => {
 	}
 	let payload;
 	try {
-		payload = loadKeychainPayload(selectedAccount.accountId);
+		payload = await loadStoredCredentials(selectedAccount.accountId);
 	} catch {
 		p.log.error(`Missing credentials for account ${selectedAccount.label ?? selectedAccount.accountId}. Re-login with 'cdx login'.`);
 		return;
@@ -815,10 +1241,10 @@ const handleReloginAccount = async () => {
 		return;
 	}
 	const currentAccountId = config.accounts[config.current]?.accountId;
-	const options = config.accounts.map((account) => ({
+	const options = await Promise.all(config.accounts.map(async (account) => ({
 		value: account.accountId,
-		label: `${getAccountDisplay(account.accountId, account.accountId === currentAccountId, account.label)} — ${getRefreshExpiryState(account.accountId)}`
-	}));
+		label: `${getAccountDisplay(account.accountId, account.accountId === currentAccountId, account.label)} — ${await getRefreshExpiryState(account.accountId)}`
+	})));
 	const selected = await p.select({
 		message: "Select account to re-login:",
 		options
@@ -829,7 +1255,7 @@ const handleReloginAccount = async () => {
 	}
 	const accountId = selected;
 	const account = config.accounts.find((a) => a.accountId === accountId);
-	const expiryState = getRefreshExpiryState(accountId);
+	const expiryState = await getRefreshExpiryState(accountId);
 	const displayName = account?.label ?? accountId;
 	p.log.info(`Current token status for ${displayName}: ${expiryState}`);
 	try {
@@ -884,7 +1310,7 @@ const handleRemoveAccount = async () => {
 		return;
 	}
 	try {
-		deleteKeychainPayload(accountId);
+		await removeStoredCredentials(accountId);
 	} catch {}
 	const previousAccountId = config.accounts[config.current]?.accountId;
 	config.accounts = config.accounts.filter((a) => a.accountId !== accountId);
@@ -948,9 +1374,9 @@ const handleStatus = async () => {
 	for (const account of status.accounts) {
 		const marker = account.isCurrent ? "→ " : "  ";
 		const name = account.label ? `${account.label} (${account.accountId})` : account.accountId;
-		const keychain = account.keychainExists ? "" : " [no keychain]";
+		const secureStore = account.secureStoreExists ? "" : " [no secure store entry]";
 		const idToken = account.hasIdToken ? "" : " [no id_token]";
-		p.log.message(`${marker}${name} — ${account.expiresIn}${keychain}${idToken}`);
+		p.log.message(`${marker}${name} — ${account.expiresIn}${secureStore}${idToken}`);
 	}
 	const ocStatus = status.opencodeAuth.exists ? `active: ${status.opencodeAuth.accountId ?? "unknown"}` : "not found";
 	const cxStatus = status.codexAuth.exists ? `active: ${status.codexAuth.accountId ?? "unknown"}` : "not found";
@@ -964,7 +1390,7 @@ const runInteractiveMode = async () => {
 	p.intro("cdx - OpenAI Account Switcher");
 	let running = true;
 	while (running) {
-		const keychainAccounts = listKeychainAccounts();
+		const storedAccounts = await getStoredAccountIds();
 		let currentInfo = "";
 		if (configExists()) try {
 			const config = await loadConfig();
@@ -976,7 +1402,7 @@ const runInteractiveMode = async () => {
 			options: [
 				{
 					value: "list",
-					label: `List accounts (${keychainAccounts.length} in Keychain)`
+					label: `List accounts (${storedAccounts.length} in secure store)`
 				},
 				{
 					value: "switch",
@@ -1055,6 +1481,41 @@ const registerDefaultInteractiveAction = (program) => {
 	});
 };
 
+//#endregion
+//#region lib/commands/doctor.ts
+const registerDoctorCommand = (program) => {
+	program.command("doctor").description("Show auth file paths and runtime capabilities").action(async () => {
+		try {
+			const status = await getStatus();
+			const paths = getPaths();
+			const resolveLabel = (accountId) => {
+				if (!accountId) return "unknown";
+				return status.accounts.find((account) => account.accountId === accountId)?.label ?? accountId;
+			};
+			process.stdout.write("\nAuth files:\n");
+			const ocStatus = status.opencodeAuth.exists ? `active: ${resolveLabel(status.opencodeAuth.accountId)}` : "not found";
+			process.stdout.write(`  OpenCode: ${ocStatus}\n`);
+			process.stdout.write(`    Path: ${paths.authPath}\n`);
+			const cxStatus = status.codexAuth.exists ? `active: ${resolveLabel(status.codexAuth.accountId)}` : "not found";
+			process.stdout.write(`  Codex CLI: ${cxStatus}\n`);
+			process.stdout.write(`    Path: ${paths.codexAuthPath}\n`);
+			const piStatus = status.piAuth.exists ? `active: ${resolveLabel(status.piAuth.accountId)}` : "not found";
+			process.stdout.write(`  Pi Agent: ${piStatus}\n`);
+			process.stdout.write(`    Path: ${paths.piAuthPath}\n`);
+			process.stdout.write("\nCapabilities:\n");
+			process.stdout.write(`  Platform: ${status.capabilities.platform}\n`);
+			process.stdout.write(`  Path profile: ${status.capabilities.pathProfile}\n`);
+			const secretStoreState = status.capabilities.secretStore.available ? "available" : `unavailable${status.capabilities.secretStore.reason ? ` (${status.capabilities.secretStore.reason})` : ""}`;
+			process.stdout.write(`  Secret store: ${status.capabilities.secretStore.label} — ${secretStoreState}\n`);
+			const browserState = status.capabilities.browserLauncher.available ? "available" : "not found";
+			process.stdout.write(`  Browser launcher: ${status.capabilities.browserLauncher.label} — ${browserState}\n`);
+			process.stdout.write("\n");
+		} catch (error) {
+			exitWithCommandError(error);
+		}
+	});
+};
+
 //#endregion
 //#region lib/commands/help.ts
 const registerHelpCommand = (program) => {
@@ -1144,14 +1605,15 @@ const registerReloginCommand = (program) => {
 				if (!target) throw new Error(`Account "${account}" not found. Use 'cdx login' to add it.`);
 				const displayName = target.label ?? target.accountId;
 				let expiryState = "unknown";
-				let keychainState = "";
-				if (keychainPayloadExists(target.accountId)) try {
-					expiryState = formatExpiry(loadKeychainPayload(target.accountId).expires);
+				let secureStoreState = "";
+				const secretStore = getSecretStoreAdapter();
+				if (await secretStore.exists(target.accountId)) try {
+					expiryState = formatExpiry((await secretStore.load(target.accountId)).expires);
 				} catch {
 					expiryState = "unknown";
 				}
-				else keychainState = " [no keychain]";
-				process.stdout.write(`Current token status for ${displayName}: ${expiryState}${keychainState}\n`);
+				else secureStoreState = " [no secure store entry]";
+				process.stdout.write(`Current token status for ${displayName}: ${expiryState}${secureStoreState}\n`);
 				const result = await performRefresh(target.accountId, target.label);
 				if (!result) {
 					process.stderr.write("Re-login failed.\n");
@@ -1188,9 +1650,10 @@ const fetchUsageRaw = async (accessToken, accountId) => {
 * Fetches usage for an account. On 401, refreshes the token and retries once.
 */
 const fetchUsage = async (accountId) => {
+	const secretStore = getSecretStoreAdapter();
 	let payload;
 	try {
-		payload = loadKeychainPayload(accountId);
+		payload = await secretStore.load(accountId);
 	} catch (err) {
 		return {
 			ok: false,
@@ -1218,7 +1681,7 @@ const fetchUsage = async (accountId) => {
 				expires: refreshResult.expires,
 				idToken: refreshResult.idToken ?? payload.idToken
 			};
-			saveKeychainPayload(accountId, updatedPayload);
+			await secretStore.save(accountId, updatedPayload);
 			response = await fetchUsageRaw(updatedPayload.access, updatedPayload.accountId);
 			if (!response.ok) return {
 				ok: false,
@@ -1327,7 +1790,7 @@ const formatUsageOverview = (entries) => {
 //#endregion
 //#region lib/commands/status.ts
 const registerStatusCommand = (program) => {
-	program.command("status").description("Show account status, token expiry, usage, and auth file state").action(async () => {
+	program.command("status").description("Show account status, token expiry, and usage").action(async () => {
 		try {
 			const status = await getStatus();
 			if (status.accounts.length === 0) {
@@ -1339,31 +1802,43 @@ const registerStatusCommand = (program) => {
 				const account = status.accounts[i];
 				const marker = account.isCurrent ? "→ " : "  ";
 				const warnings = [];
-				if (!account.keychainExists) warnings.push("[no keychain]");
+				if (!account.secureStoreExists) warnings.push("[no secure store entry]");
 				if (!account.hasIdToken) warnings.push("[no id_token]");
 				const warnStr = warnings.length > 0 ? `  ${warnings.join(" ")}` : "";
 				const displayName = account.label ?? account.accountId;
 				process.stdout.write(`${marker}${displayName}${warnStr}\n`);
 				if (account.label) process.stdout.write(`    ${account.accountId}\n`);
 				process.stdout.write(`    ${account.expiresIn}\n`);
-				const usageResult = await fetchUsage(account.accountId);
-				if (usageResult.ok) {
-					const bars = formatUsageBars(usageResult.data);
+				if (i < status.accounts.length - 1) process.stdout.write("\n");
+			}
+			const usageSpinner = p.spinner();
+			const accountWord = status.accounts.length === 1 ? "account" : "accounts";
+			usageSpinner.start(`Fetching usage for ${status.accounts.length} ${accountWord}...`);
+			const usageResults = await Promise.allSettled(status.accounts.map((account) => fetchUsage(account.accountId)));
+			const failedUsageCount = usageResults.filter((result) => result.status === "rejected" || result.status === "fulfilled" && !result.value.ok).length;
+			if (failedUsageCount === 0) usageSpinner.stop("Usage loaded.");
+			else {
+				const failedWord = failedUsageCount === 1 ? "account" : "accounts";
+				usageSpinner.stop(`Usage loaded (${failedUsageCount} ${failedWord} failed).`);
+			}
+			process.stdout.write("\nUsage:\n");
+			for (let i = 0; i < status.accounts.length; i++) {
+				const account = status.accounts[i];
+				const marker = account.isCurrent ? "→ " : "  ";
+				const displayName = account.label ?? account.accountId;
+				process.stdout.write(`${marker}${displayName}\n`);
+				if (account.label) process.stdout.write(`    ${account.accountId}\n`);
+				const usageResult = usageResults[i];
+				if (usageResult.status === "rejected") {
+					const message = usageResult.reason instanceof Error ? usageResult.reason.message : "Fetch failed";
+					process.stdout.write(`    [usage unavailable] ${message}\n`);
+				} else if (usageResult.value.ok) {
+					const bars = formatUsageBars(usageResult.value.data);
+					if (bars.length === 0) process.stdout.write("    Usage data unavailable\n");
 					for (const bar of bars) process.stdout.write(`${bar}\n`);
-				}
+				} else process.stdout.write(`    [usage unavailable] ${usageResult.value.error.message}\n`);
 				if (i < status.accounts.length - 1) process.stdout.write("\n");
 			}
-			const resolveLabel = (accountId) => {
-				if (!accountId) return "unknown";
-				return status.accounts.find((account) => account.accountId === accountId)?.label ?? accountId;
-			};
-			process.stdout.write("\nAuth files:\n");
-			const ocStatus = status.opencodeAuth.exists ? `active: ${resolveLabel(status.opencodeAuth.accountId)}` : "not found";
-			process.stdout.write(`  OpenCode: ${ocStatus}\n`);
-			const cxStatus = status.codexAuth.exists ? `active: ${resolveLabel(status.codexAuth.accountId)}` : "not found";
-			process.stdout.write(`  Codex CLI: ${cxStatus}\n`);
-			const piStatus = status.piAuth.exists ? `active: ${resolveLabel(status.piAuth.accountId)}` : "not found";
-			process.stdout.write(`  Pi Agent: ${piStatus}\n`);
 			process.stdout.write("\n");
 		} catch (error) {
 			exitWithCommandError(error);
@@ -1378,7 +1853,7 @@ const switchNext = async () => {
 	const nextIndex = (config.current + 1) % config.accounts.length;
 	const nextAccount = config.accounts[nextIndex];
 	if (!nextAccount?.accountId) throw new Error("Account entry missing accountId.");
-	const payload = loadKeychainPayload(nextAccount.accountId);
+	const payload = await getSecretStoreAdapter().load(nextAccount.accountId);
 	const result = await writeAllAuthFiles(payload);
 	config.current = nextIndex;
 	await saveConfig(config);
@@ -1389,7 +1864,7 @@ const switchToAccount = async (identifier) => {
 	const index = config.accounts.findIndex((account) => account.accountId === identifier || account.label === identifier);
 	if (index === -1) throw new Error(`Account "${identifier}" not found. Use 'cdx login' to add it.`);
 	const account = config.accounts[index];
-	const result = await writeAllAuthFiles(loadKeychainPayload(account.accountId));
+	const result = await writeAllAuthFiles(await getSecretStoreAdapter().load(account.accountId));
 	config.current = index;
 	await saveConfig(config);
 	writeSwitchSummary(account.label ?? account.accountId, result);
@@ -1465,6 +1940,7 @@ const createProgram = (deps = {}) => {
 	registerSwitchCommand(program);
 	registerLabelCommand(program);
 	registerStatusCommand(program);
+	registerDoctorCommand(program);
 	registerUsageCommand(program);
 	registerHelpCommand(program);
 	registerVersionCommand(program, version);
@@ -1479,4 +1955,4 @@ if (import.meta.main) main().catch((error) => {
 });
 
 //#endregion
-export { createProgram, createTestPaths, getPaths, interactiveMode, loadConfig, resetPaths, runInteractiveMode, saveConfig, setPaths, switchNext, switchToAccount, writeAllAuthFiles, writeAuthFile, writeCodexAuthFile, writePiAuthFile };
+export { createProgram, createRuntimeSecretStoreAdapter, createTestPaths, getPaths, getSecretStoreAdapter, interactiveMode, loadConfig, resetPaths, resetSecretStoreAdapter, runInteractiveMode, saveConfig, setPaths, setSecretStoreAdapter, switchNext, switchToAccount, writeAllAuthFiles, writeAuthFile, writeCodexAuthFile, writePiAuthFile };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bjesuiter/codex-switcher",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "type": "module",
   "description": "CLI tool to switch between multiple OpenAI accounts for OpenCode",
   "bin": {
@@ -22,6 +22,7 @@
   "dependencies": {
     "@clack/prompts": "^1.0.0",
     "@openauthjs/openauth": "^0.4.3",
-    "commander": "^14.0.3"
+    "commander": "^14.0.3",
+    "cross-keychain": "^1.1.0"
   }
 }