@bjesuiter/codex-switcher 1.3.0 → 1.5.0

package/cdx.mjs

@@ -1,43 +1,94 @@
 #!/usr/bin/env bun
-import { Command } from "commander";
-import * as p from "@clack/prompts";
+import tab from "@bomb.sh/tab/commander";
+import { Command, InvalidArgumentError } from "commander";
 import { existsSync } from "node:fs";
 import { mkdir, readFile, rm, writeFile } from "node:fs/promises";
-import path from "node:path";
 import os from "node:os";
+import path from "node:path";
+import * as p from "@clack/prompts";
 import { spawn } from "node:child_process";
+import { deletePassword, getPassword, listBackends, setPassword, useBackend } from "@bjesuiter/cross-keychain";
+import { createInterface } from "node:readline/promises";
 import { generatePKCE } from "@openauthjs/openauth/pkce";
 import { randomBytes } from "node:crypto";
 import http from "node:http";
 
 //#region package.json
-var version = "1.3.0";
+var version = "1.5.0";
 
 //#endregion
-//#region lib/commands/errors.ts
-const exitWithCommandError = (error) => {
-	const message = error instanceof Error ? error.message : String(error);
-	process.stderr.write(`${message}\n`);
-	process.exit(1);
+//#region lib/platform/path-resolver.ts
+const envValue = (env, key) => {
+	const value = env[key];
+	if (!value) return void 0;
+	const trimmed = value.trim();
+	return trimmed.length > 0 ? trimmed : void 0;
+};
+const resolvePiAuthPath = (env, homeDir, platform) => {
+	const piAgentDir = envValue(env, "PI_CODING_AGENT_DIR");
+	if (piAgentDir) return platform === "win32" ? path.win32.join(piAgentDir, "auth.json") : path.join(piAgentDir, "auth.json");
+	return platform === "win32" ? path.win32.join(homeDir, ".pi", "agent", "auth.json") : path.join(homeDir, ".pi", "agent", "auth.json");
+};
+const resolveXdgPaths = (env, homeDir, platform) => {
+	const configHome = envValue(env, "XDG_CONFIG_HOME") ?? path.join(homeDir, ".config");
+	const dataHome = envValue(env, "XDG_DATA_HOME") ?? path.join(homeDir, ".local", "share");
+	const configDir = path.join(configHome, "cdx");
+	return {
+		profile: "xdg",
+		configDir,
+		configPath: path.join(configDir, "accounts.json"),
+		authPath: path.join(dataHome, "opencode", "auth.json"),
+		codexAuthPath: path.join(homeDir, ".codex", "auth.json"),
+		piAuthPath: resolvePiAuthPath(env, homeDir, platform)
+	};
+};
+const resolveWindowsPaths = (env, homeDir) => {
+	const winPath = path.win32;
+	const appData = envValue(env, "APPDATA") ?? winPath.join(homeDir, "AppData", "Roaming");
+	const localAppData = envValue(env, "LOCALAPPDATA") ?? winPath.join(homeDir, "AppData", "Local");
+	const configDir = winPath.join(appData, "cdx");
+	return {
+		profile: "windows-appdata",
+		configDir,
+		configPath: winPath.join(configDir, "accounts.json"),
+		authPath: winPath.join(localAppData, "opencode", "auth.json"),
+		codexAuthPath: winPath.join(homeDir, ".codex", "auth.json"),
+		piAuthPath: resolvePiAuthPath(env, homeDir, "win32")
+	};
+};
+const resolveRuntimePaths = (input) => {
+	if (input.platform === "win32") return resolveWindowsPaths(input.env, input.homeDir);
+	return resolveXdgPaths(input.env, input.homeDir, input.platform);
 };
 
 //#endregion
 //#region lib/paths.ts
-const defaultConfigDir = path.join(os.homedir(), ".config", "cdx");
-const resolvePiAuthPath = () => {
-	const piAgentDir = process.env.PI_CODING_AGENT_DIR?.trim();
-	if (piAgentDir) return path.join(piAgentDir, "auth.json");
-	return path.join(os.homedir(), ".pi", "agent", "auth.json");
-};
-const createDefaultPaths = () => ({
-	configDir: defaultConfigDir,
-	configPath: path.join(defaultConfigDir, "accounts.json"),
-	authPath: path.join(os.homedir(), ".local", "share", "opencode", "auth.json"),
-	codexAuthPath: path.join(os.homedir(), ".codex", "auth.json"),
-	piAuthPath: resolvePiAuthPath()
+const toPathConfig = (paths) => ({
+	configDir: paths.configDir,
+	configPath: paths.configPath,
+	authPath: paths.authPath,
+	codexAuthPath: paths.codexAuthPath,
+	piAuthPath: paths.piAuthPath
 });
-let currentPaths = createDefaultPaths();
+const createDefaultPaths = () => {
+	const resolved = resolveRuntimePaths({
+		platform: process.platform,
+		env: process.env,
+		homeDir: os.homedir()
+	});
+	return {
+		paths: toPathConfig(resolved),
+		resolution: {
+			platform: process.platform,
+			profile: resolved.profile
+		}
+	};
+};
+const initial = createDefaultPaths();
+let currentPaths = initial.paths;
+let currentResolution = initial.resolution;
 const getPaths = () => currentPaths;
+const getPathResolutionInfo = () => currentResolution;
 const setPaths = (paths) => {
 	currentPaths = {
 		...currentPaths,
@@ -46,7 +97,9 @@ const setPaths = (paths) => {
 	if (paths.configDir && !paths.configPath) currentPaths.configPath = path.join(paths.configDir, "accounts.json");
 };
 const resetPaths = () => {
-	currentPaths = createDefaultPaths();
+	const next = createDefaultPaths();
+	currentPaths = next.paths;
+	currentResolution = next.resolution;
 };
 const createTestPaths = (testDir) => ({
 	configDir: path.join(testDir, "config"),
@@ -56,6 +109,48 @@ const createTestPaths = (testDir) => ({
 	piAuthPath: path.join(testDir, "pi", "auth.json")
 });
 
+//#endregion
+//#region lib/config.ts
+const isSecretStoreSelection = (value) => value === "auto" || value === "legacy-keychain";
+const loadConfiguredSecretStoreSelection = async () => {
+	const { configPath } = getPaths();
+	if (!existsSync(configPath)) return;
+	try {
+		const raw = await readFile(configPath, "utf8");
+		const parsed = JSON.parse(raw);
+		return isSecretStoreSelection(parsed.secretStore) ? parsed.secretStore : void 0;
+	} catch {
+		return;
+	}
+};
+const loadConfig = async () => {
+	const { configPath } = getPaths();
+	if (!existsSync(configPath)) throw new Error(`Missing config at ${configPath}. Create accounts.json to list Keychain services.`);
+	const raw = await readFile(configPath, "utf8");
+	const parsed = JSON.parse(raw);
+	if (!Array.isArray(parsed.accounts) || parsed.accounts.length === 0) throw new Error("accounts.json must include a non-empty accounts array.");
+	if (typeof parsed.current !== "number" || Number.isNaN(parsed.current)) parsed.current = 0;
+	if (!isSecretStoreSelection(parsed.secretStore)) delete parsed.secretStore;
+	return parsed;
+};
+const saveConfig = async (config) => {
+	const { configDir, configPath } = getPaths();
+	await mkdir(configDir, { recursive: true });
+	await writeFile(configPath, JSON.stringify(config, null, 2), "utf8");
+};
+const configExists = () => {
+	const { configPath } = getPaths();
+	return existsSync(configPath);
+};
+
+//#endregion
+//#region lib/commands/errors.ts
+const exitWithCommandError = (error) => {
+	const message = error instanceof Error ? error.message : String(error);
+	process.stderr.write(`${message}\n`);
+	process.exit(1);
+};
+
 //#endregion
 //#region lib/auth.ts
 const readExistingJson = async (filePath) => {
@@ -137,31 +232,70 @@ const writeAllAuthFiles = async (payload) => {
 };
 
 //#endregion
-//#region lib/config.ts
-const loadConfig = async () => {
-	const { configPath } = getPaths();
-	if (!existsSync(configPath)) throw new Error(`Missing config at ${configPath}. Create accounts.json to list Keychain services.`);
-	const raw = await readFile(configPath, "utf8");
-	const parsed = JSON.parse(raw);
-	if (!Array.isArray(parsed.accounts) || parsed.accounts.length === 0) throw new Error("accounts.json must include a non-empty accounts array.");
-	if (typeof parsed.current !== "number" || Number.isNaN(parsed.current)) parsed.current = 0;
-	return parsed;
+//#region lib/platform/browser.ts
+const getBrowserLauncher = (platform = process.platform, url) => {
+	if (platform === "darwin") return {
+		command: "open",
+		args: [url],
+		label: "open"
+	};
+	if (platform === "win32") return {
+		command: "cmd",
+		args: [
+			"/c",
+			"start",
+			"",
+			url
+		],
+		label: "cmd /c start"
+	};
+	return {
+		command: "xdg-open",
+		args: [url],
+		label: "xdg-open"
+	};
 };
-const saveConfig = async (config) => {
-	const { configDir, configPath } = getPaths();
-	await mkdir(configDir, { recursive: true });
-	await writeFile(configPath, JSON.stringify(config, null, 2), "utf8");
+const isCommandAvailable = (command, platform = process.platform) => {
+	const probe = platform === "win32" ? "where" : "which";
+	return Bun.spawnSync({
+		cmd: [probe, command],
+		stdout: "pipe",
+		stderr: "pipe"
+	}).exitCode === 0;
 };
-const configExists = () => {
-	const { configPath } = getPaths();
-	return existsSync(configPath);
+const getBrowserLauncherCapability = (platform = process.platform) => {
+	const launcher = getBrowserLauncher(platform, "https://example.com");
+	return {
+		command: launcher.command,
+		label: launcher.label,
+		available: isCommandAvailable(launcher.command, platform)
+	};
+};
+const openBrowserUrl = (url, spawnImpl = spawn) => {
+	const launcher = getBrowserLauncher(process.platform, url);
+	try {
+		spawnImpl(launcher.command, launcher.args, {
+			detached: true,
+			stdio: "ignore"
+		}).unref();
+		return {
+			ok: true,
+			launcher
+		};
+	} catch (error) {
+		return {
+			ok: false,
+			launcher,
+			error: error instanceof Error ? error.message : String(error)
+		};
+	}
 };
 
 //#endregion
 //#region lib/keychain.ts
-const SERVICE_PREFIX = "cdx-openai-";
+const SERVICE_PREFIX$3 = "cdx-openai-";
 const getKeychainService = (accountId) => {
-	return `${SERVICE_PREFIX}${accountId}`;
+	return `${SERVICE_PREFIX$3}${accountId}`;
 };
 const runSecurity = (args) => {
 	const result = Bun.spawnSync({
@@ -186,6 +320,23 @@ const runSecuritySafe = (args) => {
 		output: result.exitCode === 0 ? result.stdout.toString() : result.stderr.toString()
 	};
 };
+const runSecuritySafeAsync = async (args) => {
+	const childProcess = Bun.spawn(["security", ...args], {
+		stderr: "pipe",
+		stdout: "pipe"
+	});
+	const stdoutPromise = childProcess.stdout ? new Response(childProcess.stdout).text() : Promise.resolve("");
+	const stderrPromise = childProcess.stderr ? new Response(childProcess.stderr).text() : Promise.resolve("");
+	const [exitCode, stdout, stderr] = await Promise.all([
+		childProcess.exited,
+		stdoutPromise,
+		stderrPromise
+	]);
+	return {
+		success: exitCode === 0,
+		output: exitCode === 0 ? stdout : stderr
+	};
+};
 const saveKeychainPayload = (accountId, payload) => {
 	runSecurity([
 		"add-generic-password",
@@ -233,12 +384,492 @@ const listKeychainAccounts = () => {
 	if (result.exitCode !== 0) return [];
 	const output = result.stdout.toString();
 	const accounts = [];
-	const serviceRegex = new RegExp(`"svce"<blob>="${SERVICE_PREFIX}([^"]+)"`, "g");
+	const serviceRegex = new RegExp(`"svce"<blob>="${SERVICE_PREFIX$3}([^"]+)"`, "g");
 	let match;
 	while ((match = serviceRegex.exec(output)) !== null) if (match[1]) accounts.push(match[1]);
 	return [...new Set(accounts)];
 };
 
+//#endregion
+//#region lib/secrets/cross-keychain-overrides.ts
+const LEGACY_MAX_PASSWORD_LENGTH = 4096;
+const DEFAULT_CROSS_KEYCHAIN_MAX_PASSWORD_LENGTH = 16384;
+const parseMaxPasswordLength = (value) => {
+	if (!value) return null;
+	const parsed = Number.parseInt(value, 10);
+	if (!Number.isInteger(parsed) || parsed <= LEGACY_MAX_PASSWORD_LENGTH) return null;
+	return parsed;
+};
+const getCrossKeychainBackendOverrides = () => {
+	return { max_password_length: parseMaxPasswordLength(process.env.CDX_CROSS_KEYCHAIN_MAX_PASSWORD_LENGTH) ?? DEFAULT_CROSS_KEYCHAIN_MAX_PASSWORD_LENGTH };
+};
+
+//#endregion
+//#region lib/secrets/fallback-consent.ts
+const CONSENT_FILE = "secure-store-fallback-consent.json";
+const CONSENT_ENV_BYPASS = "CDX_ALLOW_SECURE_STORE_FALLBACK";
+const isBypassEnabled = () => {
+	const value = process.env[CONSENT_ENV_BYPASS];
+	if (!value) return false;
+	return [
+		"1",
+		"true",
+		"yes",
+		"y"
+	].includes(value.trim().toLowerCase());
+};
+const consentFilePath = () => path.join(getPaths().configDir, CONSENT_FILE);
+const loadConsentMap = async () => {
+	try {
+		const raw = await readFile(consentFilePath(), "utf8");
+		return JSON.parse(raw).accepted ?? {};
+	} catch {
+		return {};
+	}
+};
+const saveConsentMap = async (accepted) => {
+	const { configDir } = getPaths();
+	await mkdir(configDir, { recursive: true });
+	const payload = { accepted };
+	await writeFile(consentFilePath(), JSON.stringify(payload, null, 2), "utf8");
+};
+const promptConsent = async (message) => {
+	if (!process.stdin.isTTY || !process.stdout.isTTY) return false;
+	process.stdout.write(`\n${message}\n\n`);
+	const rl = createInterface({
+		input: process.stdin,
+		output: process.stdout
+	});
+	try {
+		const normalized = (await rl.question("Do you want to continue with this fallback? [y/N]: ")).trim().toLowerCase();
+		return normalized === "y" || normalized === "yes";
+	} finally {
+		rl.close();
+	}
+};
+const ensureFallbackConsent = async (scope, warningMessage) => {
+	if (isBypassEnabled()) return;
+	const accepted = await loadConsentMap();
+	if (accepted[scope]) return;
+	if (!await promptConsent(warningMessage)) throw new Error(`Secure-store fallback usage was not approved for '${scope}'. Re-run in an interactive terminal to confirm, or set ${CONSENT_ENV_BYPASS}=1 if you accept the fallback risk.`);
+	accepted[scope] = { acceptedAt: (/* @__PURE__ */ new Date()).toISOString() };
+	await saveConsentMap(accepted);
+};
+
+//#endregion
+//#region lib/secrets/linux-cross-keychain.ts
+const SERVICE_PREFIX$2 = "cdx-openai-";
+const LINUX_FALLBACK_SCOPE = "linux:cross-keychain:secret-service";
+let backendInitPromise$2 = null;
+let selectedBackend$2 = null;
+const tryUseBackend$2 = async (backendId) => {
+	try {
+		await useBackend(backendId, getCrossKeychainBackendOverrides());
+		return true;
+	} catch {
+		return false;
+	}
+};
+const selectBackend$2 = async () => {
+	const backends = await listBackends();
+	const available = new Set(backends.map((backend) => backend.id));
+	if (available.has("native-linux") && await tryUseBackend$2("native-linux")) return "native-linux";
+	if (available.has("secret-service") && await tryUseBackend$2("secret-service")) return "secret-service";
+	if (await tryUseBackend$2("native-linux")) return "native-linux";
+	if (await tryUseBackend$2("secret-service")) return "secret-service";
+	throw new Error("Unable to initialize Linux secure-store backend via cross-keychain.");
+};
+const ensureLinuxBackend = async (options = {}) => {
+	if (!backendInitPromise$2) backendInitPromise$2 = (async () => {
+		selectedBackend$2 = await selectBackend$2();
+	})();
+	try {
+		await backendInitPromise$2;
+	} catch {
+		backendInitPromise$2 = null;
+		selectedBackend$2 = null;
+		throw new Error("Unable to initialize Linux secure-store backend via cross-keychain.");
+	}
+	if (options.forWrite && selectedBackend$2 === "secret-service") await ensureFallbackConsent(LINUX_FALLBACK_SCOPE, "⚠ Security warning: only the cross-keychain Linux fallback backend is available.\nThis path relies on shell-based `secret-tool` operations for Secret Service access.\nCompared to native bindings, secrets may be more exposed to process inspection/logging while helper commands run.");
+};
+const getLinuxCrossKeychainService = (accountId) => `${SERVICE_PREFIX$2}${accountId}`;
+const parsePayload$2 = (accountId, raw) => {
+	let parsed;
+	try {
+		parsed = JSON.parse(raw);
+	} catch {
+		throw new Error(`Stored credential payload for account ${accountId} is not valid JSON.`);
+	}
+	if (!parsed.refresh || !parsed.access || !parsed.expires || !parsed.accountId) throw new Error(`Stored credential payload for account ${accountId} is missing required fields.`);
+	return parsed;
+};
+const withService$2 = async (accountId, run, options = {}) => {
+	await ensureLinuxBackend(options);
+	return run(getLinuxCrossKeychainService(accountId));
+};
+const saveLinuxCrossKeychainPayload = async (accountId, payload) => withService$2(accountId, (service) => setPassword(service, accountId, JSON.stringify(payload)), { forWrite: true });
+const loadLinuxCrossKeychainPayload = async (accountId) => {
+	const raw = await withService$2(accountId, (service) => getPassword(service, accountId));
+	if (raw === null) throw new Error(`No stored credentials found for account ${accountId}.`);
+	return parsePayload$2(accountId, raw);
+};
+const deleteLinuxCrossKeychainPayload = async (accountId) => withService$2(accountId, (service) => deletePassword(service, accountId));
+const linuxCrossKeychainPayloadExists = async (accountId) => withService$2(accountId, async (service) => await getPassword(service, accountId) !== null);
+
+//#endregion
+//#region lib/secrets/macos-cross-keychain.ts
+const SERVICE_PREFIX$1 = "cdx-openai-";
+const MACOS_FALLBACK_SCOPE = "darwin:cross-keychain:macos";
+let backendInitPromise$1 = null;
+let selectedBackend$1 = null;
+const tryUseBackend$1 = async (backendId) => {
+	try {
+		await useBackend(backendId, getCrossKeychainBackendOverrides());
+		return true;
+	} catch {
+		return false;
+	}
+};
+const selectBackend$1 = async () => {
+	const backends = await listBackends();
+	const available = new Set(backends.map((backend) => backend.id));
+	if (available.has("native-macos") && await tryUseBackend$1("native-macos")) return "native-macos";
+	if (available.has("macos") && await tryUseBackend$1("macos")) return "macos";
+	if (await tryUseBackend$1("native-macos")) return "native-macos";
+	if (await tryUseBackend$1("macos")) return "macos";
+	throw new Error("Unable to initialize macOS keychain backend via cross-keychain.");
+};
+const ensureMacOSBackend = async (options = {}) => {
+	if (!backendInitPromise$1) backendInitPromise$1 = (async () => {
+		selectedBackend$1 = await selectBackend$1();
+	})();
+	try {
+		await backendInitPromise$1;
+	} catch {
+		backendInitPromise$1 = null;
+		selectedBackend$1 = null;
+		throw new Error("Unable to initialize macOS keychain backend via cross-keychain.");
+	}
+	if (options.forWrite && selectedBackend$1 === "macos") await ensureFallbackConsent(MACOS_FALLBACK_SCOPE, "⚠ Security warning: only the cross-keychain macOS fallback backend is available.\nThis path uses the `security` command to access Keychain.\nCompared to native bindings, secrets may be more exposed to process inspection/logging while helper commands run.");
+};
+const resolveMacOSCrossKeychainBackendId$1 = async () => {
+	await ensureMacOSBackend();
+	if (!selectedBackend$1) throw new Error("Unable to initialize macOS keychain backend via cross-keychain.");
+	return selectedBackend$1;
+};
+const getMacOSCrossKeychainService = (accountId) => `${SERVICE_PREFIX$1}${accountId}`;
+const parsePayload$1 = (accountId, raw) => {
+	let parsed;
+	try {
+		parsed = JSON.parse(raw);
+	} catch {
+		throw new Error(`Stored credential payload for account ${accountId} is not valid JSON.`);
+	}
+	if (!parsed.refresh || !parsed.access || !parsed.expires || !parsed.accountId) throw new Error(`Stored credential payload for account ${accountId} is missing required fields.`);
+	return parsed;
+};
+const withService$1 = async (accountId, run, options = {}) => {
+	await ensureMacOSBackend(options);
+	return run(getMacOSCrossKeychainService(accountId));
+};
+const saveMacOSCrossKeychainPayload = async (accountId, payload) => withService$1(accountId, (service) => setPassword(service, accountId, JSON.stringify(payload)), { forWrite: true });
+const loadMacOSCrossKeychainPayload = async (accountId) => {
+	const raw = await withService$1(accountId, (service) => getPassword(service, accountId));
+	if (raw === null) throw new Error(`No stored credentials found for account ${accountId}.`);
+	return parsePayload$1(accountId, raw);
+};
+const deleteMacOSCrossKeychainPayload = async (accountId) => withService$1(accountId, (service) => deletePassword(service, accountId));
+const macosCrossKeychainPayloadExists = async (accountId) => withService$1(accountId, async (service) => await getPassword(service, accountId) !== null);
+
+//#endregion
+//#region lib/secrets/windows-cross-keychain.ts
+const SERVICE_PREFIX = "cdx-openai-";
+const WINDOWS_FALLBACK_SCOPE = "win32:cross-keychain:windows";
+let backendInitPromise = null;
+let selectedBackend = null;
+const tryUseBackend = async (backendId) => {
+	try {
+		await useBackend(backendId, getCrossKeychainBackendOverrides());
+		return true;
+	} catch {
+		return false;
+	}
+};
+const selectBackend = async () => {
+	const backends = await listBackends();
+	const available = new Set(backends.map((backend) => backend.id));
+	if (available.has("native-windows") && await tryUseBackend("native-windows")) return "native-windows";
+	if (available.has("windows") && await tryUseBackend("windows")) return "windows";
+	if (await tryUseBackend("native-windows")) return "native-windows";
+	if (await tryUseBackend("windows")) return "windows";
+	throw new Error("Unable to initialize Windows credential backend via cross-keychain.");
+};
+const ensureWindowsBackend = async (options = {}) => {
+	if (!backendInitPromise) backendInitPromise = (async () => {
+		selectedBackend = await selectBackend();
+	})();
+	try {
+		await backendInitPromise;
+	} catch {
+		backendInitPromise = null;
+		selectedBackend = null;
+		throw new Error("Unable to initialize Windows credential backend via cross-keychain.");
+	}
+	if (options.forWrite && selectedBackend === "windows") await ensureFallbackConsent(WINDOWS_FALLBACK_SCOPE, "⚠ Security warning: only the cross-keychain Windows fallback backend is available.\nThis path runs a PowerShell helper to access Windows Credential Manager.\nCompared to native bindings, secrets may be more exposed to process inspection/logging while the helper runs.");
+};
+const getWindowsCrossKeychainService = (accountId) => `${SERVICE_PREFIX}${accountId}`;
+const parsePayload = (accountId, raw) => {
+	let parsed;
+	try {
+		parsed = JSON.parse(raw);
+	} catch {
+		throw new Error(`Stored credential payload for account ${accountId} is not valid JSON.`);
+	}
+	if (!parsed.refresh || !parsed.access || !parsed.expires || !parsed.accountId) throw new Error(`Stored credential payload for account ${accountId} is missing required fields.`);
+	return parsed;
+};
+const withService = async (accountId, run, options = {}) => {
+	await ensureWindowsBackend(options);
+	return run(getWindowsCrossKeychainService(accountId));
+};
+const saveWindowsCrossKeychainPayload = async (accountId, payload) => withService(accountId, async (service) => {
+	await setPassword(service, accountId, JSON.stringify(payload));
+}, { forWrite: true });
+const loadWindowsCrossKeychainPayload = async (accountId) => {
+	const raw = await withService(accountId, (service) => getPassword(service, accountId));
+	if (raw === null) throw new Error(`No stored credentials found for account ${accountId}.`);
+	return parsePayload(accountId, raw);
+};
+const deleteWindowsCrossKeychainPayload = async (accountId) => withService(accountId, async (service) => {
+	await deletePassword(service, accountId);
+});
+const windowsCrossKeychainPayloadExists = async (accountId) => withService(accountId, async (service) => await getPassword(service, accountId) !== null);
+
+//#endregion
+//#region lib/secrets/store.ts
+const MISSING_SECRET_STORE_ERROR_MARKERS = [
+	"No stored credentials found",
+	"No Keychain payload found",
+	"Password not found"
+];
+const isMissingSecretStoreEntryError = (error) => {
+	if (!(error instanceof Error)) return false;
+	return MISSING_SECRET_STORE_ERROR_MARKERS.some((marker) => error.message.includes(marker));
+};
+const createMissingSecretStoreEntryError = (accountId) => /* @__PURE__ */ new Error(`No stored credentials found for account ${accountId}.`);
+const CACHED_ADAPTER_SYMBOL = Symbol.for("cdx.secretStore.cachedAdapter");
+const withSecretStoreCache = (adapter) => {
+	if (adapter[CACHED_ADAPTER_SYMBOL]) return adapter;
+	const payloadCache = /* @__PURE__ */ new Map();
+	const existsCache = /* @__PURE__ */ new Map();
+	const missingAccounts = /* @__PURE__ */ new Set();
+	const inFlightLoads = /* @__PURE__ */ new Map();
+	const markPresent = (accountId, payload) => {
+		payloadCache.set(accountId, payload);
+		existsCache.set(accountId, true);
+		missingAccounts.delete(accountId);
+	};
+	const markMissing = (accountId) => {
+		payloadCache.delete(accountId);
+		existsCache.set(accountId, false);
+		missingAccounts.add(accountId);
+	};
+	const loadAndCache = async (accountId) => {
+		const existingPromise = inFlightLoads.get(accountId);
+		if (existingPromise) return existingPromise;
+		const promise = (async () => {
+			try {
+				const payload = await adapter.load(accountId);
+				markPresent(accountId, payload);
+				return payload;
+			} catch (error) {
+				if (isMissingSecretStoreEntryError(error)) markMissing(accountId);
+				throw error;
+			} finally {
+				inFlightLoads.delete(accountId);
+			}
+		})();
+		inFlightLoads.set(accountId, promise);
+		return promise;
+	};
+	return {
+		id: adapter.id,
+		label: adapter.label,
+		getServiceName: (accountId) => adapter.getServiceName(accountId),
+		save: async (accountId, payload) => {
+			await adapter.save(accountId, payload);
+			markPresent(accountId, payload);
+		},
+		load: async (accountId) => {
+			const cachedPayload = payloadCache.get(accountId);
+			if (cachedPayload) return cachedPayload;
+			if (missingAccounts.has(accountId)) throw createMissingSecretStoreEntryError(accountId);
+			return loadAndCache(accountId);
+		},
+		delete: async (accountId) => {
+			try {
+				await adapter.delete(accountId);
+			} catch (error) {
+				if (isMissingSecretStoreEntryError(error)) markMissing(accountId);
+				throw error;
+			}
+			markMissing(accountId);
+		},
+		exists: async (accountId) => {
+			if (payloadCache.has(accountId)) return true;
+			if (missingAccounts.has(accountId)) return false;
+			const cachedExists = existsCache.get(accountId);
+			if (cachedExists !== void 0) return cachedExists;
+			try {
+				await loadAndCache(accountId);
+				return true;
+			} catch (error) {
+				if (isMissingSecretStoreEntryError(error)) return false;
+			}
+			const exists = await adapter.exists(accountId);
+			existsCache.set(accountId, exists);
+			if (!exists) missingAccounts.add(accountId);
+			return exists;
+		},
+		listAccountIds: async () => {
+			const accountIds = await adapter.listAccountIds();
+			for (const accountId of accountIds) {
+				existsCache.set(accountId, true);
+				missingAccounts.delete(accountId);
+			}
+			return accountIds;
+		},
+		getCapability: () => adapter.getCapability(),
+		[CACHED_ADAPTER_SYMBOL]: true
+	};
+};
+const unsupportedError = (platform) => /* @__PURE__ */ new Error(`No default secret store adapter configured for platform '${platform}'. Only macOS, Windows, and Linux adapters are wired by default right now.`);
+const loadConfiguredAccountIds = async () => {
+	if (!configExists()) return [];
+	return (await loadConfig()).accounts.map((account) => account.accountId);
+};
+const createMacOSCrossKeychainAdapter = () => ({
+	id: "macos-cross-keychain",
+	label: "macOS Keychain (cross-keychain)",
+	getServiceName: getMacOSCrossKeychainService,
+	save: saveMacOSCrossKeychainPayload,
+	load: loadMacOSCrossKeychainPayload,
+	delete: deleteMacOSCrossKeychainPayload,
+	exists: macosCrossKeychainPayloadExists,
+	listAccountIds: async () => {
+		const accountIds = await loadConfiguredAccountIds();
+		return (await Promise.all(accountIds.map(async (accountId) => ({
+			accountId,
+			exists: await macosCrossKeychainPayloadExists(accountId)
+		})))).filter((item) => item.exists).map((item) => item.accountId);
+	},
+	getCapability: () => ({ available: true })
+});
+const createMacOSLegacyKeychainAdapter = () => ({
+	id: "macos-legacy-keychain",
+	label: "macOS Keychain (legacy security CLI)",
+	getServiceName: getKeychainService,
+	save: async (accountId, payload) => {
+		saveKeychainPayload(accountId, payload);
+	},
+	load: async (accountId) => loadKeychainPayload(accountId),
+	delete: async (accountId) => {
+		deleteKeychainPayload(accountId);
+	},
+	exists: async (accountId) => keychainPayloadExists(accountId),
+	listAccountIds: async () => listKeychainAccounts(),
+	getCapability: () => ({ available: true })
+});
+const createWindowsCrossKeychainAdapter = () => ({
+	id: "windows-cross-keychain",
+	label: "Windows Credential Manager (cross-keychain)",
+	getServiceName: getWindowsCrossKeychainService,
+	save: saveWindowsCrossKeychainPayload,
+	load: loadWindowsCrossKeychainPayload,
+	delete: deleteWindowsCrossKeychainPayload,
+	exists: windowsCrossKeychainPayloadExists,
+	listAccountIds: async () => {
+		const accountIds = await loadConfiguredAccountIds();
+		return (await Promise.all(accountIds.map(async (accountId) => ({
+			accountId,
+			exists: await windowsCrossKeychainPayloadExists(accountId)
+		})))).filter((item) => item.exists).map((item) => item.accountId);
+	},
+	getCapability: () => ({ available: true })
+});
+const createLinuxCrossKeychainAdapter = () => ({
+	id: "linux-cross-keychain",
+	label: "Linux Secret Service (cross-keychain)",
+	getServiceName: getLinuxCrossKeychainService,
+	save: saveLinuxCrossKeychainPayload,
+	load: loadLinuxCrossKeychainPayload,
+	delete: deleteLinuxCrossKeychainPayload,
+	exists: linuxCrossKeychainPayloadExists,
+	listAccountIds: async () => {
+		const accountIds = await loadConfiguredAccountIds();
+		return (await Promise.all(accountIds.map(async (accountId) => ({
+			accountId,
+			exists: await linuxCrossKeychainPayloadExists(accountId)
+		})))).filter((item) => item.exists).map((item) => item.accountId);
+	},
+	getCapability: () => ({ available: true })
+});
+const createUnsupportedAdapter = (platform) => ({
+	id: "unsupported",
+	label: "Unsupported (no adapter configured)",
+	getServiceName: (accountId) => `cdx-openai-${accountId}`,
+	save: async () => {
+		throw unsupportedError(platform);
+	},
+	load: async () => {
+		throw unsupportedError(platform);
+	},
+	delete: async () => {
+		throw unsupportedError(platform);
+	},
+	exists: async () => false,
+	listAccountIds: async () => [],
+	getCapability: () => ({
+		available: false,
+		reason: "No default secure-store adapter available for this platform."
+	})
+});
+const createRuntimeSecretStoreAdapter = (platform = process.platform) => {
+	if (platform === "darwin") return createMacOSCrossKeychainAdapter();
+	if (platform === "win32") return createWindowsCrossKeychainAdapter();
+	if (platform === "linux") return createLinuxCrossKeychainAdapter();
+	return createUnsupportedAdapter(platform);
+};
+const createSecretStoreAdapterFromSelection = (selection = "auto", platform = process.platform) => {
+	if (selection === "legacy-keychain") {
+		if (platform !== "darwin") throw new Error("The legacy keychain adapter is only available on macOS (darwin).");
+		return createMacOSLegacyKeychainAdapter();
+	}
+	return createRuntimeSecretStoreAdapter(platform);
+};
+const resolveMacOSCrossKeychainBackendId = async (platform = process.platform) => {
+	if (platform !== "darwin") return null;
+	return resolveMacOSCrossKeychainBackendId$1();
+};
+let currentSecretStoreAdapter = withSecretStoreCache(createRuntimeSecretStoreAdapter());
+const getSecretStoreAdapter = () => currentSecretStoreAdapter;
+const setSecretStoreAdapter = (adapter) => {
+	currentSecretStoreAdapter = withSecretStoreCache(adapter);
+};
+const resetSecretStoreAdapter = () => {
+	currentSecretStoreAdapter = withSecretStoreCache(createRuntimeSecretStoreAdapter());
+};
+const getSecretStoreCapability = () => {
+	const adapter = getSecretStoreAdapter();
+	const capability = adapter.getCapability();
+	return {
+		id: adapter.id,
+		label: adapter.label,
+		available: capability.available,
+		...capability.reason ? { reason: capability.reason } : {}
+	};
+};
+
 //#endregion
 //#region lib/oauth/constants.ts
 const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
@@ -437,31 +1068,27 @@ const startOAuthServer = (state) => {
 //#endregion
 //#region lib/oauth/login.ts
 const openBrowser = (url) => {
-	const cmd = process.platform === "darwin" ? "open" : "xdg-open";
-	try {
-		spawn(cmd, [url], {
-			detached: true,
-			stdio: "ignore"
-		}).unref();
-	} catch (error) {
-		const msg = error instanceof Error ? error.message : String(error);
-		p.log.warning(`Could not auto-open browser (${msg}).`);
+	const result = openBrowserUrl(url);
+	if (!result.ok) {
+		const msg = result.error ?? "unknown error";
+		p.log.warning(`Could not auto-open browser via ${result.launcher.label} (${msg}).`);
 	}
 };
 const addAccountToConfig = async (accountId, label) => {
 	let config;
+	const secretStore = getSecretStoreAdapter();
 	if (configExists()) {
 		config = await loadConfig();
 		if (!config.accounts.some((a) => a.accountId === accountId)) config.accounts.push({
 			accountId,
-			keychainService: getKeychainService(accountId),
+			keychainService: secretStore.getServiceName(accountId),
 			...label ? { label } : {}
 		});
 	} else config = {
 		current: 0,
 		accounts: [{
 			accountId,
-			keychainService: getKeychainService(accountId),
+			keychainService: secretStore.getServiceName(accountId),
 			...label ? { label } : {}
 		}]
 	};
@@ -521,16 +1148,17 @@ const performRefresh = async (targetAccountId, label, options = {}) => {
 		}
 		if (spinner) spinner.message("Updating credentials...");
 		else p.log.message("Updating credentials...");
-		saveKeychainPayload(newAccountId, {
+		const payload = {
 			refresh: tokenResult.refresh,
 			access: tokenResult.access,
 			expires: tokenResult.expires,
 			accountId: newAccountId,
 			...tokenResult.idToken ? { idToken: tokenResult.idToken } : {}
-		});
+		};
+		await getSecretStoreAdapter().save(newAccountId, payload);
 		if (spinner) spinner.stop("Credentials refreshed!");
 		else p.log.success("Credentials refreshed!");
-		p.log.success(`Account "${displayName}" credentials updated in Keychain.`);
+		p.log.success(`Account "${displayName}" credentials updated in secure store.`);
 		return { accountId: newAccountId };
 	} finally {
 		clearInterval(keepAlive);
@@ -568,13 +1196,14 @@ const performLogin = async () => {
 		return null;
 	}
 	spinner.message("Saving credentials...");
-	saveKeychainPayload(accountId, {
+	const payload = {
 		refresh: tokenResult.refresh,
 		access: tokenResult.access,
 		expires: tokenResult.expires,
 		accountId,
 		...tokenResult.idToken ? { idToken: tokenResult.idToken } : {}
-	});
+	};
+	await getSecretStoreAdapter().save(accountId, payload);
 	spinner.stop("Login successful!");
 	const labelInput = await p.text({
 		message: "Enter a label for this account (or press Enter to skip):",
@@ -583,7 +1212,7 @@ const performLogin = async () => {
 	const label = !p.isCancel(labelInput) && labelInput?.trim() ? labelInput.trim() : void 0;
 	await addAccountToConfig(accountId, label);
 	const displayName = label ?? accountId;
-	p.log.success(`Account "${displayName}" saved to Keychain and config.`);
+	p.log.success(`Account "${displayName}" saved to secure store and config.`);
 	p.outro("You can now use 'cdx switch' to activate this account.");
 	return { accountId };
 };
@@ -595,7 +1224,19 @@ const writeActiveAuthFilesIfCurrent = async (accountId) => {
 	const config = await loadConfig();
 	const current = config.accounts[config.current];
 	if (!current || current.accountId !== accountId) return null;
-	return writeAllAuthFiles(loadKeychainPayload(accountId));
+	return writeAllAuthFiles(await getSecretStoreAdapter().load(accountId));
+};
+
+//#endregion
+//#region lib/platform/capabilities.ts
+const getRuntimeCapabilities = () => {
+	const pathResolution = getPathResolutionInfo();
+	return {
+		platform: process.platform,
+		pathProfile: pathResolution.profile,
+		secretStore: getSecretStoreCapability(),
+		browserLauncher: getBrowserLauncherCapability(process.platform)
+	};
 };
 
 //#endregion
@@ -680,20 +1321,24 @@ const readPiAuthAccount = async () => {
 		};
 	}
 };
-const getAccountStatus = (accountId, isCurrent, label) => {
-	const keychainExists = keychainPayloadExists(accountId);
+const getAccountStatus = async (accountId, isCurrent, label) => {
+	const secretStore = getSecretStoreAdapter();
+	let secureStoreExists = false;
 	let expiresAt = null;
 	let hasIdToken = false;
-	if (keychainExists) try {
-		const payload = loadKeychainPayload(accountId);
+	try {
+		const payload = await secretStore.load(accountId);
+		secureStoreExists = true;
 		expiresAt = payload.expires;
 		hasIdToken = !!payload.idToken;
-	} catch {}
+	} catch (error) {
+		secureStoreExists = !isMissingSecretStoreEntryError(error);
+	}
 	return {
 		accountId,
 		label,
 		isCurrent,
-		keychainExists,
+		secureStoreExists,
 		hasIdToken,
 		expiresAt,
 		expiresIn: formatExpiry(expiresAt)
@@ -705,7 +1350,7 @@ const getStatus = async () => {
 		const config = await loadConfig();
 		for (let i = 0; i < config.accounts.length; i++) {
 			const account = config.accounts[i];
-			accounts.push(getAccountStatus(account.accountId, i === config.current, account.label));
+			accounts.push(await getAccountStatus(account.accountId, i === config.current, account.label));
 		}
 	}
 	const [opencodeAuth, codexAuth, piAuth] = await Promise.all([
@@ -717,7 +1362,8 @@ const getStatus = async () => {
 		accounts,
 		opencodeAuth,
 		codexAuth,
-		piAuth
+		piAuth,
+		capabilities: getRuntimeCapabilities()
 	};
 };
 
@@ -727,10 +1373,16 @@ const getAccountDisplay = (accountId, isCurrent, label) => {
 	const name = label ? `${label} (${accountId})` : accountId;
 	return isCurrent ? `${name} (current)` : name;
 };
-const getRefreshExpiryState = (accountId) => {
-	if (!keychainPayloadExists(accountId)) return "unknown [no keychain]";
+const hasStoredCredentials = async (accountId) => getSecretStoreAdapter().exists(accountId);
+const loadStoredCredentials = async (accountId) => getSecretStoreAdapter().load(accountId);
+const getStoredAccountIds = async () => getSecretStoreAdapter().listAccountIds();
+const removeStoredCredentials = async (accountId) => {
+	await getSecretStoreAdapter().delete(accountId);
+};
+const getRefreshExpiryState = async (accountId) => {
+	if (!await hasStoredCredentials(accountId)) return "unknown [no secure store entry]";
 	try {
-		return formatExpiry(loadKeychainPayload(accountId).expires);
+		return formatExpiry((await loadStoredCredentials(accountId)).expires);
 	} catch {
 		return "unknown";
 	}
@@ -746,7 +1398,7 @@ const handleListAccounts = async () => {
 	for (const account of config.accounts) {
 		const marker = account.accountId === currentAccountId ? "→ " : "  ";
 		const displayName = account.label ? `${account.label} (${account.accountId})` : account.accountId;
-		const status = keychainPayloadExists(account.accountId) ? "" : " (missing credentials)";
+		const status = await hasStoredCredentials(account.accountId) ? "" : " (missing credentials)";
 		p.log.message(`${marker}${displayName}${status}`);
 	}
 };
@@ -784,7 +1436,7 @@ const handleSwitchAccount = async () => {
 	}
 	let payload;
 	try {
-		payload = loadKeychainPayload(selectedAccount.accountId);
+		payload = await loadStoredCredentials(selectedAccount.accountId);
 	} catch {
 		p.log.error(`Missing credentials for account ${selectedAccount.label ?? selectedAccount.accountId}. Re-login with 'cdx login'.`);
 		return;
@@ -815,10 +1467,10 @@ const handleReloginAccount = async () => {
 		return;
 	}
 	const currentAccountId = config.accounts[config.current]?.accountId;
-	const options = config.accounts.map((account) => ({
+	const options = await Promise.all(config.accounts.map(async (account) => ({
 		value: account.accountId,
-		label: `${getAccountDisplay(account.accountId, account.accountId === currentAccountId, account.label)} — ${getRefreshExpiryState(account.accountId)}`
-	}));
+		label: `${getAccountDisplay(account.accountId, account.accountId === currentAccountId, account.label)} — ${await getRefreshExpiryState(account.accountId)}`
+	})));
 	const selected = await p.select({
 		message: "Select account to re-login:",
 		options
@@ -829,7 +1481,7 @@ const handleReloginAccount = async () => {
 	}
 	const accountId = selected;
 	const account = config.accounts.find((a) => a.accountId === accountId);
-	const expiryState = getRefreshExpiryState(accountId);
+	const expiryState = await getRefreshExpiryState(accountId);
 	const displayName = account?.label ?? accountId;
 	p.log.info(`Current token status for ${displayName}: ${expiryState}`);
 	try {
@@ -884,7 +1536,7 @@ const handleRemoveAccount = async () => {
 		return;
 	}
 	try {
-		deleteKeychainPayload(accountId);
+		await removeStoredCredentials(accountId);
 	} catch {}
 	const previousAccountId = config.accounts[config.current]?.accountId;
 	config.accounts = config.accounts.filter((a) => a.accountId !== accountId);
@@ -948,9 +1600,9 @@ const handleStatus = async () => {
 	for (const account of status.accounts) {
 		const marker = account.isCurrent ? "→ " : "  ";
 		const name = account.label ? `${account.label} (${account.accountId})` : account.accountId;
-		const keychain = account.keychainExists ? "" : " [no keychain]";
+		const secureStore = account.secureStoreExists ? "" : " [no secure store entry]";
 		const idToken = account.hasIdToken ? "" : " [no id_token]";
-		p.log.message(`${marker}${name} — ${account.expiresIn}${keychain}${idToken}`);
+		p.log.message(`${marker}${name} — ${account.expiresIn}${secureStore}${idToken}`);
 	}
 	const ocStatus = status.opencodeAuth.exists ? `active: ${status.opencodeAuth.accountId ?? "unknown"}` : "not found";
 	const cxStatus = status.codexAuth.exists ? `active: ${status.codexAuth.accountId ?? "unknown"}` : "not found";
@@ -964,7 +1616,7 @@ const runInteractiveMode = async () => {
 	p.intro("cdx - OpenAI Account Switcher");
 	let running = true;
 	while (running) {
-		const keychainAccounts = listKeychainAccounts();
+		const storedAccounts = await getStoredAccountIds();
 		let currentInfo = "";
 		if (configExists()) try {
 			const config = await loadConfig();
@@ -976,7 +1628,7 @@ const runInteractiveMode = async () => {
 			options: [
 				{
 					value: "list",
-					label: `List accounts (${keychainAccounts.length} in Keychain)`
+					label: `List accounts (${storedAccounts.length} in secure store)`
 				},
 				{
 					value: "switch",
@@ -1055,6 +1707,164 @@ const registerDefaultInteractiveAction = (program) => {
 	});
 };
 
+//#endregion
+//#region lib/keychain-acl.ts
+const getDefaultMap = (services) => {
+	const map = /* @__PURE__ */ new Map();
+	for (const service of services) map.set(service, {
+		service,
+		mode: "missing",
+		applications: []
+	});
+	return map;
+};
+const parseItemEntries = (block) => {
+	const entries = [];
+	const entryRegex = /entry\s+\d+:\n([\s\S]*?)(?=\n\s*entry\s+\d+:|$)/g;
+	let match;
+	while ((match = entryRegex.exec(block)) !== null) if (match[1]) entries.push(match[1]);
+	return entries;
+};
+const parseApplicationsFromEntry = (entry) => {
+	const applications = [];
+	const appRegex = /^\s*\d+:\s+(.+?)(?:\s+\([^\n]*\))?\s*$/gm;
+	let match;
+	while ((match = appRegex.exec(entry)) !== null) {
+		const app = match[1]?.trim();
+		if (app) applications.push(app);
+	}
+	return applications;
+};
+const parseKeychainDecryptAccessFromDump = (dumpOutput, services) => {
+	const dedupedServices = [...new Set(services.filter((service) => service.length > 0))];
+	const result = getDefaultMap(dedupedServices);
+	if (dedupedServices.length === 0 || !dumpOutput.trim()) return result;
+	const targetServices = new Set(dedupedServices);
+	const blocks = dumpOutput.split(/\n(?=keychain:\s+")/g);
+	for (const block of blocks) {
+		if (!block.startsWith("keychain:")) continue;
+		const service = block.match(/"svce"<blob>="([^"]+)"/)?.[1];
+		if (!service || !targetServices.has(service)) continue;
+		const entries = parseItemEntries(block);
+		let mode = "missing";
+		const applications = [];
+		for (const entry of entries) {
+			const authorizationsLine = entry.match(/authorizations\s*\(\d+\):\s*([^\n]+)/)?.[1] ?? "";
+			if (!/\bdecrypt\b/.test(authorizationsLine)) continue;
+			if (/applications:\s*<null>/.test(entry)) {
+				mode = "all-apps";
+				applications.length = 0;
+				break;
+			}
+			const entryApplications = parseApplicationsFromEntry(entry);
+			if (entryApplications.length > 0) {
+				mode = "explicit-list";
+				for (const app of entryApplications) if (!applications.includes(app)) applications.push(app);
+			}
+		}
+		result.set(service, {
+			service,
+			mode,
+			applications
+		});
+	}
+	return result;
+};
+const getKeychainDecryptAccessByServiceAsync = async (services) => {
+	const dedupedServices = [...new Set(services.filter((service) => service.length > 0))];
+	const defaultResult = getDefaultMap(dedupedServices);
+	if (process.platform !== "darwin" || dedupedServices.length === 0) return defaultResult;
+	const dumpResult = await runSecuritySafeAsync(["dump-keychain", "-a"]);
+	if (!dumpResult.success) return defaultResult;
+	return parseKeychainDecryptAccessFromDump(dumpResult.output, dedupedServices);
+};
+
+//#endregion
+//#region lib/commands/doctor.ts
+const hasRuntimeTrustedApp = (trustedApplications, runtimeExecutablePath) => {
+	const runtimeBaseName = path.basename(runtimeExecutablePath).toLowerCase();
+	return trustedApplications.some((trustedApp) => {
+		if (trustedApp === runtimeExecutablePath) return true;
+		return path.basename(trustedApp).toLowerCase() === runtimeBaseName;
+	});
+};
+const registerDoctorCommand = (program) => {
+	program.command("doctor").description("Show auth file paths and runtime capabilities").option("--check-keychain-acl", "Run keychain trusted-app/ACL checks on macOS (can be slow)").action(async (options) => {
+		try {
+			const status = await getStatus();
+			const paths = getPaths();
+			const resolveLabel = (accountId) => {
+				if (!accountId) return "unknown";
+				return status.accounts.find((account) => account.accountId === accountId)?.label ?? accountId;
+			};
+			process.stdout.write("\nAuth files:\n");
+			const ocStatus = status.opencodeAuth.exists ? `active: ${resolveLabel(status.opencodeAuth.accountId)}` : "not found";
+			process.stdout.write(`  OpenCode: ${ocStatus}\n`);
+			process.stdout.write(`    Path: ${paths.authPath}\n`);
+			const cxStatus = status.codexAuth.exists ? `active: ${resolveLabel(status.codexAuth.accountId)}` : "not found";
+			process.stdout.write(`  Codex CLI: ${cxStatus}\n`);
+			process.stdout.write(`    Path: ${paths.codexAuthPath}\n`);
+			const piStatus = status.piAuth.exists ? `active: ${resolveLabel(status.piAuth.accountId)}` : "not found";
+			process.stdout.write(`  Pi Agent: ${piStatus}\n`);
+			process.stdout.write(`    Path: ${paths.piAuthPath}\n`);
+			process.stdout.write("\nCapabilities:\n");
+			process.stdout.write(`  Platform: ${status.capabilities.platform}\n`);
+			process.stdout.write(`  Path profile: ${status.capabilities.pathProfile}\n`);
+			const secretStoreState = status.capabilities.secretStore.available ? "available" : `unavailable${status.capabilities.secretStore.reason ? ` (${status.capabilities.secretStore.reason})` : ""}`;
+			process.stdout.write(`  Secret store: ${status.capabilities.secretStore.label} — ${secretStoreState}\n`);
+			const browserState = status.capabilities.browserLauncher.available ? "available" : "not found";
+			process.stdout.write(`  Browser launcher: ${status.capabilities.browserLauncher.label} — ${browserState}\n`);
+			if (process.platform === "darwin" && !options.checkKeychainAcl) {
+				process.stdout.write("  ┌─ Optional keychain ACL check\n");
+				process.stdout.write("  │  Run: cdx doctor --check-keychain-acl\n");
+				process.stdout.write("  │  Verifies whether your current runtime is trusted by Keychain.\n");
+				process.stdout.write("  └─ Expected duration: ~30-60 seconds\n");
+			}
+			if (process.platform === "darwin" && options.checkKeychainAcl) {
+				const secretStore = getSecretStoreAdapter();
+				const accountsWithSecrets = status.accounts.filter((account) => account.secureStoreExists);
+				if (accountsWithSecrets.length > 0) {
+					const runtimeExecutablePath = process.execPath;
+					const services = accountsWithSecrets.map((account) => secretStore.getServiceName(account.accountId));
+					process.stdout.write("\nKeychain ACL checks:\n");
+					process.stdout.write(`  Runtime executable: ${runtimeExecutablePath}\n`);
+					const aclSpinner = p.spinner();
+					const accountWord = accountsWithSecrets.length === 1 ? "account" : "accounts";
+					aclSpinner.start(`Checking keychain ACLs for ${accountsWithSecrets.length} ${accountWord}...`);
+					const decryptAccessByService = await getKeychainDecryptAccessByServiceAsync(services);
+					aclSpinner.stop("Keychain ACL checks complete.");
+					for (const account of accountsWithSecrets) {
+						const service = secretStore.getServiceName(account.accountId);
+						const decryptAccess = decryptAccessByService.get(service);
+						const accountLabel = resolveLabel(account.accountId);
+						if (!decryptAccess || decryptAccess.mode === "missing") {
+							process.stdout.write(`  ${accountLabel}: unable to read decrypt trusted apps (service: ${service})\n`);
+							continue;
+						}
+						if (decryptAccess.mode === "all-apps") {
+							process.stdout.write(`  ${accountLabel}: decrypt access allows all apps (<null>)\n`);
+							continue;
+						}
+						const runtimeTrusted = hasRuntimeTrustedApp(decryptAccess.applications, runtimeExecutablePath);
+						const trustedAppsList = decryptAccess.applications.join(", ");
+						if (runtimeTrusted) {
+							process.stdout.write(`  ${accountLabel}: runtime is in trusted apps\n`);
+							continue;
+						}
+						process.stdout.write(`  ⚠ ${accountLabel}: runtime not found in trusted apps\n`);
+						process.stdout.write(`    Service: ${service}\n`);
+						process.stdout.write(`    Trusted apps: ${trustedAppsList || "(none)"}\n`);
+						process.stdout.write("    This secret may have been created with a different runtime/toolchain (for example node vs bun).\n");
+					}
+				}
+			}
+			process.stdout.write("\n");
+		} catch (error) {
+			exitWithCommandError(error);
+		}
+	});
+};
+
 //#endregion
 //#region lib/commands/help.ts
 const registerHelpCommand = (program) => {
@@ -1110,6 +1920,119 @@ const registerLoginCommand = (program, deps = {}) => {
 	});
 };
 
+//#endregion
+//#region lib/secrets/migrate.ts
+const asErrorMessage = (error) => error instanceof Error ? error.message : String(error);
+const migrateLegacyMacOSSecrets = async (options = {}) => {
+	if ((options.platform ?? process.platform) !== "darwin") throw new Error("'migrate-secrets' is only available on macOS (darwin).");
+	const loadConfigFn = options.loadConfigFn ?? loadConfig;
+	const saveConfigFn = options.saveConfigFn ?? saveConfig;
+	const sourceAdapter = options.sourceAdapter ?? createMacOSLegacyKeychainAdapter();
+	const targetAdapter = options.targetAdapter ?? createRuntimeSecretStoreAdapter("darwin");
+	const config = await loadConfigFn();
+	const accountResults = [];
+	for (const account of config.accounts) {
+		const accountId = account.accountId;
+		try {
+			if (!await sourceAdapter.exists(accountId)) {
+				accountResults.push({
+					accountId,
+					label: account.label,
+					status: "skipped",
+					message: "No legacy keychain entry found."
+				});
+				continue;
+			}
+			const loaded = await sourceAdapter.load(accountId);
+			const payload = loaded.accountId === accountId ? loaded : {
+				...loaded,
+				accountId
+			};
+			await sourceAdapter.delete(accountId);
+			try {
+				await targetAdapter.save(accountId, payload);
+			} catch (error) {
+				try {
+					await sourceAdapter.save(accountId, payload);
+				} catch {}
+				throw error;
+			}
+			accountResults.push({
+				accountId,
+				label: account.label,
+				status: "migrated",
+				message: "Legacy entry migrated to cross-keychain backend."
+			});
+		} catch (error) {
+			accountResults.push({
+				accountId,
+				label: account.label,
+				status: "failed",
+				message: asErrorMessage(error)
+			});
+		}
+	}
+	const failed = accountResults.filter((entry) => entry.status === "failed").length;
+	const skipped = accountResults.filter((entry) => entry.status === "skipped").length;
+	const migrated = accountResults.filter((entry) => entry.status === "migrated").length;
+	let configUpdated = false;
+	if (failed === 0) {
+		let changed = false;
+		for (const account of config.accounts) {
+			const expectedService = targetAdapter.getServiceName(account.accountId);
+			if (account.keychainService !== expectedService) {
+				account.keychainService = expectedService;
+				changed = true;
+			}
+		}
+		if (config.secretStore !== "auto") {
+			config.secretStore = "auto";
+			changed = true;
+		}
+		if (changed) {
+			await saveConfigFn(config);
+			configUpdated = true;
+		}
+	}
+	return {
+		migrated,
+		skipped,
+		failed,
+		configUpdated,
+		accountResults
+	};
+};
+
+//#endregion
+//#region lib/commands/migrate-secrets.ts
+const statusPrefix = (result) => {
+	if (result.status === "migrated") return "✓";
+	if (result.status === "skipped") return "-";
+	return "✗";
+};
+const formatName = (result) => result.label ? `${result.label} (${result.accountId})` : result.accountId;
+const registerMigrateSecretsCommand = (program) => {
+	program.command("migrate-secrets").description("Migrate macOS legacy keychain entries to cross-keychain and update config").action(async () => {
+		try {
+			const result = await migrateLegacyMacOSSecrets();
+			process.stdout.write("\nSecret migration results:\n");
+			for (const accountResult of result.accountResults) process.stdout.write(`  ${statusPrefix(accountResult)} ${formatName(accountResult)}: ${accountResult.message}\n`);
+			process.stdout.write("\nSummary:\n");
+			process.stdout.write(`  Migrated: ${result.migrated}\n`);
+			process.stdout.write(`  Skipped:  ${result.skipped}\n`);
+			process.stdout.write(`  Failed:   ${result.failed}\n`);
+			if (result.failed === 0) {
+				process.stdout.write(result.configUpdated ? "  Config:   updated (secretStore=auto, service names normalized)\n\n" : "  Config:   already up to date\n\n");
+				return;
+			}
+			process.stdout.write("  Config:   not updated because at least one account failed\n\n");
+			throw new Error(`Migration finished with ${result.failed} failed account(s). Resolve them and run 'cdx migrate-secrets' again.`);
+		} catch (error) {
+			exitWithCommandError(error);
+		}
+	});
+};
+
 //#endregion
 //#region lib/commands/output.ts
 const formatCodexMark = (result) => {
@@ -1144,14 +2067,15 @@ const registerReloginCommand = (program) => {
 				if (!target) throw new Error(`Account "${account}" not found. Use 'cdx login' to add it.`);
 				const displayName = target.label ?? target.accountId;
 				let expiryState = "unknown";
-				let keychainState = "";
-				if (keychainPayloadExists(target.accountId)) try {
-					expiryState = formatExpiry(loadKeychainPayload(target.accountId).expires);
+				let secureStoreState = "";
+				const secretStore = getSecretStoreAdapter();
+				if (await secretStore.exists(target.accountId)) try {
+					expiryState = formatExpiry((await secretStore.load(target.accountId)).expires);
 				} catch {
 					expiryState = "unknown";
 				}
-				else keychainState = " [no keychain]";
-				process.stdout.write(`Current token status for ${displayName}: ${expiryState}${keychainState}\n`);
+				else secureStoreState = " [no secure store entry]";
+				process.stdout.write(`Current token status for ${displayName}: ${expiryState}${secureStoreState}\n`);
 				const result = await performRefresh(target.accountId, target.label);
 				if (!result) {
 					process.stderr.write("Re-login failed.\n");
@@ -1188,9 +2112,10 @@ const fetchUsageRaw = async (accessToken, accountId) => {
 * Fetches usage for an account. On 401, refreshes the token and retries once.
 */
 const fetchUsage = async (accountId) => {
+	const secretStore = getSecretStoreAdapter();
 	let payload;
 	try {
-		payload = loadKeychainPayload(accountId);
+		payload = await secretStore.load(accountId);
 	} catch (err) {
 		return {
 			ok: false,
@@ -1218,7 +2143,7 @@ const fetchUsage = async (accountId) => {
 				expires: refreshResult.expires,
 				idToken: refreshResult.idToken ?? payload.idToken
 			};
-			saveKeychainPayload(accountId, updatedPayload);
+			await secretStore.save(accountId, updatedPayload);
 			response = await fetchUsageRaw(updatedPayload.access, updatedPayload.accountId);
 			if (!response.ok) return {
 				ok: false,
@@ -1327,7 +2252,7 @@ const formatUsageOverview = (entries) => {
 //#endregion
 //#region lib/commands/status.ts
 const registerStatusCommand = (program) => {
-	program.command("status").description("Show account status, token expiry, usage, and auth file state").action(async () => {
+	program.command("status").description("Show account status, token expiry, and usage").action(async () => {
 		try {
 			const status = await getStatus();
 			if (status.accounts.length === 0) {
@@ -1339,31 +2264,43 @@ const registerStatusCommand = (program) => {
 				const account = status.accounts[i];
 				const marker = account.isCurrent ? "→ " : "  ";
 				const warnings = [];
-				if (!account.keychainExists) warnings.push("[no keychain]");
+				if (!account.secureStoreExists) warnings.push("[no secure store entry]");
 				if (!account.hasIdToken) warnings.push("[no id_token]");
 				const warnStr = warnings.length > 0 ? `  ${warnings.join(" ")}` : "";
 				const displayName = account.label ?? account.accountId;
 				process.stdout.write(`${marker}${displayName}${warnStr}\n`);
 				if (account.label) process.stdout.write(`    ${account.accountId}\n`);
 				process.stdout.write(`    ${account.expiresIn}\n`);
-				const usageResult = await fetchUsage(account.accountId);
-				if (usageResult.ok) {
-					const bars = formatUsageBars(usageResult.data);
+				if (i < status.accounts.length - 1) process.stdout.write("\n");
+			}
+			const usageSpinner = p.spinner();
+			const accountWord = status.accounts.length === 1 ? "account" : "accounts";
+			usageSpinner.start(`Fetching usage for ${status.accounts.length} ${accountWord}...`);
+			const usageResults = await Promise.allSettled(status.accounts.map((account) => fetchUsage(account.accountId)));
+			const failedUsageCount = usageResults.filter((result) => result.status === "rejected" || result.status === "fulfilled" && !result.value.ok).length;
+			if (failedUsageCount === 0) usageSpinner.stop("Usage loaded.");
+			else {
+				const failedWord = failedUsageCount === 1 ? "account" : "accounts";
+				usageSpinner.stop(`Usage loaded (${failedUsageCount} ${failedWord} failed).`);
+			}
+			process.stdout.write("\nUsage:\n");
+			for (let i = 0; i < status.accounts.length; i++) {
+				const account = status.accounts[i];
+				const marker = account.isCurrent ? "→ " : "  ";
+				const displayName = account.label ?? account.accountId;
+				process.stdout.write(`${marker}${displayName}\n`);
+				if (account.label) process.stdout.write(`    ${account.accountId}\n`);
+				const usageResult = usageResults[i];
+				if (usageResult.status === "rejected") {
+					const message = usageResult.reason instanceof Error ? usageResult.reason.message : "Fetch failed";
+					process.stdout.write(`    [usage unavailable] ${message}\n`);
+				} else if (usageResult.value.ok) {
+					const bars = formatUsageBars(usageResult.value.data);
+					if (bars.length === 0) process.stdout.write("    Usage data unavailable\n");
 					for (const bar of bars) process.stdout.write(`${bar}\n`);
-				}
+				} else process.stdout.write(`    [usage unavailable] ${usageResult.value.error.message}\n`);
 				if (i < status.accounts.length - 1) process.stdout.write("\n");
 			}
-			const resolveLabel = (accountId) => {
-				if (!accountId) return "unknown";
-				return status.accounts.find((account) => account.accountId === accountId)?.label ?? accountId;
-			};
-			process.stdout.write("\nAuth files:\n");
-			const ocStatus = status.opencodeAuth.exists ? `active: ${resolveLabel(status.opencodeAuth.accountId)}` : "not found";
-			process.stdout.write(`  OpenCode: ${ocStatus}\n`);
-			const cxStatus = status.codexAuth.exists ? `active: ${resolveLabel(status.codexAuth.accountId)}` : "not found";
-			process.stdout.write(`  Codex CLI: ${cxStatus}\n`);
-			const piStatus = status.piAuth.exists ? `active: ${resolveLabel(status.piAuth.accountId)}` : "not found";
-			process.stdout.write(`  Pi Agent: ${piStatus}\n`);
 			process.stdout.write("\n");
 		} catch (error) {
 			exitWithCommandError(error);
@@ -1378,7 +2315,7 @@ const switchNext = async () => {
 	const nextIndex = (config.current + 1) % config.accounts.length;
 	const nextAccount = config.accounts[nextIndex];
 	if (!nextAccount?.accountId) throw new Error("Account entry missing accountId.");
-	const payload = loadKeychainPayload(nextAccount.accountId);
+	const payload = await getSecretStoreAdapter().load(nextAccount.accountId);
 	const result = await writeAllAuthFiles(payload);
 	config.current = nextIndex;
 	await saveConfig(config);
@@ -1389,7 +2326,7 @@ const switchToAccount = async (identifier) => {
 	const index = config.accounts.findIndex((account) => account.accountId === identifier || account.label === identifier);
 	if (index === -1) throw new Error(`Account "${identifier}" not found. Use 'cdx login' to add it.`);
 	const account = config.accounts[index];
-	const result = await writeAllAuthFiles(loadKeychainPayload(account.accountId));
+	const result = await writeAllAuthFiles(await getSecretStoreAdapter().load(account.accountId));
 	config.current = index;
 	await saveConfig(config);
 	writeSwitchSummary(account.label ?? account.accountId, result);
@@ -1457,14 +2394,53 @@ const registerVersionCommand = (program, version) => {
 //#endregion
 //#region cdx.ts
 const interactiveMode = runInteractiveMode;
+const parseSecretStoreSelection = (value) => {
+	if (value === "auto" || value === "legacy-keychain") return value;
+	throw new InvalidArgumentError(`Invalid value '${value}' for --secret-store. Allowed values: auto, legacy-keychain.`);
+};
+const getCompletionParseArgs = (argv) => {
+	const completeIndex = argv.findIndex((arg) => arg === "complete");
+	if (completeIndex === -1) return null;
+	const separatorIndex = argv.findIndex((arg) => arg === "--");
+	if (separatorIndex === -1 || separatorIndex <= completeIndex) return null;
+	return argv.slice(separatorIndex + 1);
+};
+const getMacOSKeychainPromptWarning = (selection, platform = process.platform, backendId = null) => {
+	if (platform !== "darwin") return null;
+	if (selection === "legacy-keychain") return "⚠ macOS keychain is using the legacy security CLI backend. Touch ID may not be offered for keychain prompts.";
+	if (selection === "auto" && backendId === "macos") return "⚠ macOS keychain is using the cross-keychain CLI fallback (`security`). Touch ID may not be offered for keychain prompts.";
+	return null;
+};
+const maybeWarnAboutMacOSKeychainPromptMode = async (selection) => {
+	let backendId = null;
+	if (selection === "auto" && process.platform === "darwin") try {
+		backendId = await resolveMacOSCrossKeychainBackendId();
+	} catch {
+		backendId = null;
+	}
+	const warning = getMacOSKeychainPromptWarning(selection, process.platform, backendId);
+	if (warning) process.stderr.write(`${warning}\n`);
+};
 const createProgram = (deps = {}) => {
 	const program = new Command();
-	program.name("cdx").description("OpenAI account switcher - manage multiple OpenAI Pro subscriptions").version(version, "-v, --version");
+	program.name("cdx").description("OpenAI account switcher - manage multiple OpenAI Pro subscriptions").version(version, "-v, --version").option("--secret-store <mode>", "Select secret-store backend (auto|legacy-keychain)", parseSecretStoreSelection);
+	program.hook("preAction", async (_thisCommand, actionCommand) => {
+		const options = actionCommand.optsWithGlobals();
+		const configuredSelection = options.secretStore ? void 0 : await loadConfiguredSecretStoreSelection();
+		const selection = options.secretStore ?? configuredSelection ?? "auto";
+		setSecretStoreAdapter(createSecretStoreAdapterFromSelection(selection));
+		await maybeWarnAboutMacOSKeychainPromptMode(selection);
+	});
+	program.hook("postAction", () => {
+		resetSecretStoreAdapter();
+	});
 	registerLoginCommand(program, deps);
 	registerReloginCommand(program);
 	registerSwitchCommand(program);
 	registerLabelCommand(program);
+	registerMigrateSecretsCommand(program);
 	registerStatusCommand(program);
+	registerDoctorCommand(program);
 	registerUsageCommand(program);
 	registerHelpCommand(program);
 	registerVersionCommand(program, version);
@@ -1472,11 +2448,18 @@ const createProgram = (deps = {}) => {
 	return program;
 };
 const main = async () => {
-	await createProgram().parseAsync(process.argv);
+	const program = createProgram();
+	const completion = tab(program);
+	const completionArgs = getCompletionParseArgs(process.argv);
+	if (completionArgs) {
+		completion.parse(completionArgs);
+		return;
+	}
+	await program.parseAsync(process.argv);
 };
 if (import.meta.main) main().catch((error) => {
 	exitWithCommandError(error);
 });
 
 //#endregion
-export { createProgram, createTestPaths, getPaths, interactiveMode, loadConfig, resetPaths, runInteractiveMode, saveConfig, setPaths, switchNext, switchToAccount, writeAllAuthFiles, writeAuthFile, writeCodexAuthFile, writePiAuthFile };
+export { createProgram, createRuntimeSecretStoreAdapter, createSecretStoreAdapterFromSelection, createTestPaths, getMacOSKeychainPromptWarning, getPaths, getSecretStoreAdapter, interactiveMode, loadConfig, resetPaths, resetSecretStoreAdapter, resolveMacOSCrossKeychainBackendId, runInteractiveMode, saveConfig, setPaths, setSecretStoreAdapter, switchNext, switchToAccount, writeAllAuthFiles, writeAuthFile, writeCodexAuthFile, writePiAuthFile };