@bjesuiter/codex-switcher 1.4.0 → 1.5.0

package/README.md

@@ -6,25 +6,27 @@ Switch the coding-agents [pi](https://pi.dev/), [codex](https://developers.opena
 
 ## Latest Changes
 
-### 1.4.0
+### 1.5.0
 
 #### Features
 
-- Add **beta Windows/Linux support** with platform-specific defaults for config/auth paths.
-- Add secure-store adapters via `cross-keychain` for Windows Credential Manager and Linux Secret Service/keyring.
-- Add `cdx doctor` to display auth file state with explicit paths plus runtime capability diagnostics.
-- Improve `cdx status` output flow: account/token details first, usage fetch with spinner after.
-- Require explicit one-time consent before using secure-store fallback backends (`CDX_ALLOW_SECURE_STORE_FALLBACK=1` override).
+- Add shell completion support via `cdx complete <shell>` (with parse-completion handling for shell integrations).
+- Add configurable secret-store selection with `--secret-store <mode>` (`auto` or `legacy-keychain`) plus persisted config support.
+- Switch macOS `auto` secret storage to cross-keychain backend selection (prefers native backend, falls back when needed).
+- Add `cdx migrate-secrets` to migrate legacy macOS keychain entries to cross-keychain and update config.
+- Add optional macOS keychain ACL diagnostics in `cdx doctor --check-keychain-acl` to verify trusted runtime access.
+- Add doctor/runtime warnings when macOS keychain access is using legacy/CLI fallback paths where Touch ID prompts may not be offered.
+- Increase cross-keychain max password length handling (default `16384`) to support larger stored credential payloads.
 
 #### Fixes
 
-- Use platform-neutral secure-store wording in output where macOS-specific keychain wording was misleading.
+- Keep `cdx doctor` fast by making keychain ACL checks opt-in and improving output with clearer guidance and progress feedback.
+- Remove Windows credential payload chunking now that larger payloads are supported directly in the secure store backend.
 
 #### Internal
 
-- Add shared platform abstraction layer (`lib/platform/*`) for paths, browser launcher, and runtime capability detection.
-- Expand platform/path/browser/secret-store test coverage.
-- Update dependencies and lockfile for `cross-keychain`.
+- Temporarily switch keyring dependency from `cross-keychain` to `@bjesuiter/cross-keychain@1.1.0-jb.0` until upstream support is available.
+- Add Windows CI coverage including shell smoke checks and expanded secure-store integration tests (including Windows CRUD coverage).
 
 see full changelog here: https://github.com/bjesuiter/codex-switcher/blob/main/CHANGELOG.md
 
@@ -148,6 +150,19 @@ Interactive mode:
 cdx
 ```
 
+Use the legacy macOS keychain implementation (if needed):
+
+```bash
+cdx --secret-store legacy-keychain switch
+cdx --secret-store legacy-keychain status
+```
+
+Migrate legacy macOS keychain entries to cross-keychain (`auto`) and update config:
+
+```bash
+cdx migrate-secrets
+```
+
 ## Commands
 
 | Command | Description |
@@ -162,13 +177,31 @@ cdx
 | `cdx label` | Label an account (interactive) |
 | `cdx label <account> <label>` | Assign label directly |
 | `cdx status` | Show account status, token expiry, and usage |
+| `cdx migrate-secrets` | Migrate macOS legacy keychain entries to cross-keychain and switch config to `auto` |
 | `cdx doctor` | Show auth file paths/state and runtime capabilities |
+| `cdx doctor --check-keychain-acl` | Run additional macOS keychain trusted-app/ACL checks (slow) |
 | `cdx usage` | Show usage overview for all accounts |
 | `cdx usage <account>` | Show detailed usage for a specific account |
 | `cdx help [command]` | Show help for all commands or one command |
+| `cdx complete <shell>` | Generate shell completion script (`zsh`, `bash`, `fish`, `powershell`) |
 | `cdx version` | Show CLI version |
 | `cdx --help` | Show help |
 | `cdx --version` | Show version |
+| `cdx --secret-store legacy-keychain <command>` | Override configured backend for this run (macOS legacy keychain) |
+
+### Shell completion
+
+Generate and source completion scripts:
+
+```bash
+# zsh
+source <(cdx complete zsh)
+
+# bash
+source <(cdx complete bash)
+```
+
+`cdx` also supports shell parse completion requests via `cdx complete -- ...`.
 
 ## How It Works
 
@@ -177,8 +210,16 @@ cdx
 - **macOS:** macOS Keychain
 - **Windows:** Windows Credential Manager
 - **Linux:** Secret Service/keyring
+- Default backend selection is automatic (`auto`).
+- You can persist a preferred backend in `accounts.json` via optional `"secretStore"` (`"auto"` or `"legacy-keychain"`).
+- `--secret-store <mode>` always overrides config for the current run.
 - If only a fallback secure-store backend is available on your platform, `cdx` asks for one-time explicit consent before the first credential write and explains the security trade-off.
   - Non-interactive override (if you accept the risk): set `CDX_ALLOW_SECURE_STORE_FALLBACK=1`
+- On macOS, `cdx doctor --check-keychain-acl` performs an additional trusted-app/ACL check for configured account secrets. This check can be slow.
+- Cross-keychain payload size policy:
+  - Default max password length override is `16384`.
+  - Optional override: set `CDX_CROSS_KEYCHAIN_MAX_PASSWORD_LENGTH=<integer-above-4096>`.
+  - This currently relies on `@bjesuiter/cross-keychain@1.1.0-jb.0` until upstream support is released.
 
 ### Account list path
 
@@ -233,6 +274,7 @@ And create the accounts list manually:
 ```json
 {
   "current": 0,
+  "secretStore": "auto",
   "accounts": [
     { "accountId": "ACCOUNT_ID", "keychainService": "cdx-openai-ACCOUNT_ID" }
   ]

package/cdx.mjs

@@ -1,27 +1,20 @@
 #!/usr/bin/env bun
-import { Command } from "commander";
-import * as p from "@clack/prompts";
+import tab from "@bomb.sh/tab/commander";
+import { Command, InvalidArgumentError } from "commander";
 import { existsSync } from "node:fs";
 import { mkdir, readFile, rm, writeFile } from "node:fs/promises";
-import path from "node:path";
 import os from "node:os";
+import path from "node:path";
+import * as p from "@clack/prompts";
 import { spawn } from "node:child_process";
-import { deletePassword, getPassword, listBackends, setPassword, useBackend } from "cross-keychain";
+import { deletePassword, getPassword, listBackends, setPassword, useBackend } from "@bjesuiter/cross-keychain";
 import { createInterface } from "node:readline/promises";
 import { generatePKCE } from "@openauthjs/openauth/pkce";
 import { randomBytes } from "node:crypto";
 import http from "node:http";
 
 //#region package.json
-var version = "1.4.0";
-
-//#endregion
-//#region lib/commands/errors.ts
-const exitWithCommandError = (error) => {
-	const message = error instanceof Error ? error.message : String(error);
-	process.stderr.write(`${message}\n`);
-	process.exit(1);
-};
+var version = "1.5.0";
 
 //#endregion
 //#region lib/platform/path-resolver.ts
@@ -116,6 +109,48 @@ const createTestPaths = (testDir) => ({
 	piAuthPath: path.join(testDir, "pi", "auth.json")
 });
 
+//#endregion
+//#region lib/config.ts
+const isSecretStoreSelection = (value) => value === "auto" || value === "legacy-keychain";
+const loadConfiguredSecretStoreSelection = async () => {
+	const { configPath } = getPaths();
+	if (!existsSync(configPath)) return;
+	try {
+		const raw = await readFile(configPath, "utf8");
+		const parsed = JSON.parse(raw);
+		return isSecretStoreSelection(parsed.secretStore) ? parsed.secretStore : void 0;
+	} catch {
+		return;
+	}
+};
+const loadConfig = async () => {
+	const { configPath } = getPaths();
+	if (!existsSync(configPath)) throw new Error(`Missing config at ${configPath}. Create accounts.json to list Keychain services.`);
+	const raw = await readFile(configPath, "utf8");
+	const parsed = JSON.parse(raw);
+	if (!Array.isArray(parsed.accounts) || parsed.accounts.length === 0) throw new Error("accounts.json must include a non-empty accounts array.");
+	if (typeof parsed.current !== "number" || Number.isNaN(parsed.current)) parsed.current = 0;
+	if (!isSecretStoreSelection(parsed.secretStore)) delete parsed.secretStore;
+	return parsed;
+};
+const saveConfig = async (config) => {
+	const { configDir, configPath } = getPaths();
+	await mkdir(configDir, { recursive: true });
+	await writeFile(configPath, JSON.stringify(config, null, 2), "utf8");
+};
+const configExists = () => {
+	const { configPath } = getPaths();
+	return existsSync(configPath);
+};
+
+//#endregion
+//#region lib/commands/errors.ts
+const exitWithCommandError = (error) => {
+	const message = error instanceof Error ? error.message : String(error);
+	process.stderr.write(`${message}\n`);
+	process.exit(1);
+};
+
 //#endregion
 //#region lib/auth.ts
 const readExistingJson = async (filePath) => {
@@ -196,27 +231,6 @@ const writeAllAuthFiles = async (payload) => {
 	};
 };
 
-//#endregion
-//#region lib/config.ts
-const loadConfig = async () => {
-	const { configPath } = getPaths();
-	if (!existsSync(configPath)) throw new Error(`Missing config at ${configPath}. Create accounts.json to list Keychain services.`);
-	const raw = await readFile(configPath, "utf8");
-	const parsed = JSON.parse(raw);
-	if (!Array.isArray(parsed.accounts) || parsed.accounts.length === 0) throw new Error("accounts.json must include a non-empty accounts array.");
-	if (typeof parsed.current !== "number" || Number.isNaN(parsed.current)) parsed.current = 0;
-	return parsed;
-};
-const saveConfig = async (config) => {
-	const { configDir, configPath } = getPaths();
-	await mkdir(configDir, { recursive: true });
-	await writeFile(configPath, JSON.stringify(config, null, 2), "utf8");
-};
-const configExists = () => {
-	const { configPath } = getPaths();
-	return existsSync(configPath);
-};
-
 //#endregion
 //#region lib/platform/browser.ts
 const getBrowserLauncher = (platform = process.platform, url) => {
@@ -279,9 +293,9 @@ const openBrowserUrl = (url, spawnImpl = spawn) => {
 
 //#endregion
 //#region lib/keychain.ts
-const SERVICE_PREFIX$2 = "cdx-openai-";
+const SERVICE_PREFIX$3 = "cdx-openai-";
 const getKeychainService = (accountId) => {
-	return `${SERVICE_PREFIX$2}${accountId}`;
+	return `${SERVICE_PREFIX$3}${accountId}`;
 };
 const runSecurity = (args) => {
 	const result = Bun.spawnSync({
@@ -306,6 +320,23 @@ const runSecuritySafe = (args) => {
 		output: result.exitCode === 0 ? result.stdout.toString() : result.stderr.toString()
 	};
 };
+const runSecuritySafeAsync = async (args) => {
+	const childProcess = Bun.spawn(["security", ...args], {
+		stderr: "pipe",
+		stdout: "pipe"
+	});
+	const stdoutPromise = childProcess.stdout ? new Response(childProcess.stdout).text() : Promise.resolve("");
+	const stderrPromise = childProcess.stderr ? new Response(childProcess.stderr).text() : Promise.resolve("");
+	const [exitCode, stdout, stderr] = await Promise.all([
+		childProcess.exited,
+		stdoutPromise,
+		stderrPromise
+	]);
+	return {
+		success: exitCode === 0,
+		output: exitCode === 0 ? stdout : stderr
+	};
+};
 const saveKeychainPayload = (accountId, payload) => {
 	runSecurity([
 		"add-generic-password",
@@ -353,12 +384,26 @@ const listKeychainAccounts = () => {
 	if (result.exitCode !== 0) return [];
 	const output = result.stdout.toString();
 	const accounts = [];
-	const serviceRegex = new RegExp(`"svce"<blob>="${SERVICE_PREFIX$2}([^"]+)"`, "g");
+	const serviceRegex = new RegExp(`"svce"<blob>="${SERVICE_PREFIX$3}([^"]+)"`, "g");
 	let match;
 	while ((match = serviceRegex.exec(output)) !== null) if (match[1]) accounts.push(match[1]);
 	return [...new Set(accounts)];
 };
 
+//#endregion
+//#region lib/secrets/cross-keychain-overrides.ts
+const LEGACY_MAX_PASSWORD_LENGTH = 4096;
+const DEFAULT_CROSS_KEYCHAIN_MAX_PASSWORD_LENGTH = 16384;
+const parseMaxPasswordLength = (value) => {
+	if (!value) return null;
+	const parsed = Number.parseInt(value, 10);
+	if (!Number.isInteger(parsed) || parsed <= LEGACY_MAX_PASSWORD_LENGTH) return null;
+	return parsed;
+};
+const getCrossKeychainBackendOverrides = () => {
+	return { max_password_length: parseMaxPasswordLength(process.env.CDX_CROSS_KEYCHAIN_MAX_PASSWORD_LENGTH) ?? DEFAULT_CROSS_KEYCHAIN_MAX_PASSWORD_LENGTH };
+};
+
 //#endregion
 //#region lib/secrets/fallback-consent.ts
 const CONSENT_FILE = "secure-store-fallback-consent.json";
@@ -413,13 +458,73 @@ const ensureFallbackConsent = async (scope, warningMessage) => {
 
 //#endregion
 //#region lib/secrets/linux-cross-keychain.ts
-const SERVICE_PREFIX$1 = "cdx-openai-";
+const SERVICE_PREFIX$2 = "cdx-openai-";
 const LINUX_FALLBACK_SCOPE = "linux:cross-keychain:secret-service";
+let backendInitPromise$2 = null;
+let selectedBackend$2 = null;
+const tryUseBackend$2 = async (backendId) => {
+	try {
+		await useBackend(backendId, getCrossKeychainBackendOverrides());
+		return true;
+	} catch {
+		return false;
+	}
+};
+const selectBackend$2 = async () => {
+	const backends = await listBackends();
+	const available = new Set(backends.map((backend) => backend.id));
+	if (available.has("native-linux") && await tryUseBackend$2("native-linux")) return "native-linux";
+	if (available.has("secret-service") && await tryUseBackend$2("secret-service")) return "secret-service";
+	if (await tryUseBackend$2("native-linux")) return "native-linux";
+	if (await tryUseBackend$2("secret-service")) return "secret-service";
+	throw new Error("Unable to initialize Linux secure-store backend via cross-keychain.");
+};
+const ensureLinuxBackend = async (options = {}) => {
+	if (!backendInitPromise$2) backendInitPromise$2 = (async () => {
+		selectedBackend$2 = await selectBackend$2();
+	})();
+	try {
+		await backendInitPromise$2;
+	} catch {
+		backendInitPromise$2 = null;
+		selectedBackend$2 = null;
+		throw new Error("Unable to initialize Linux secure-store backend via cross-keychain.");
+	}
+	if (options.forWrite && selectedBackend$2 === "secret-service") await ensureFallbackConsent(LINUX_FALLBACK_SCOPE, "⚠ Security warning: only the cross-keychain Linux fallback backend is available.\nThis path relies on shell-based `secret-tool` operations for Secret Service access.\nCompared to native bindings, secrets may be more exposed to process inspection/logging while helper commands run.");
+};
+const getLinuxCrossKeychainService = (accountId) => `${SERVICE_PREFIX$2}${accountId}`;
+const parsePayload$2 = (accountId, raw) => {
+	let parsed;
+	try {
+		parsed = JSON.parse(raw);
+	} catch {
+		throw new Error(`Stored credential payload for account ${accountId} is not valid JSON.`);
+	}
+	if (!parsed.refresh || !parsed.access || !parsed.expires || !parsed.accountId) throw new Error(`Stored credential payload for account ${accountId} is missing required fields.`);
+	return parsed;
+};
+const withService$2 = async (accountId, run, options = {}) => {
+	await ensureLinuxBackend(options);
+	return run(getLinuxCrossKeychainService(accountId));
+};
+const saveLinuxCrossKeychainPayload = async (accountId, payload) => withService$2(accountId, (service) => setPassword(service, accountId, JSON.stringify(payload)), { forWrite: true });
+const loadLinuxCrossKeychainPayload = async (accountId) => {
+	const raw = await withService$2(accountId, (service) => getPassword(service, accountId));
+	if (raw === null) throw new Error(`No stored credentials found for account ${accountId}.`);
+	return parsePayload$2(accountId, raw);
+};
+const deleteLinuxCrossKeychainPayload = async (accountId) => withService$2(accountId, (service) => deletePassword(service, accountId));
+const linuxCrossKeychainPayloadExists = async (accountId) => withService$2(accountId, async (service) => await getPassword(service, accountId) !== null);
+
+//#endregion
+//#region lib/secrets/macos-cross-keychain.ts
+const SERVICE_PREFIX$1 = "cdx-openai-";
+const MACOS_FALLBACK_SCOPE = "darwin:cross-keychain:macos";
 let backendInitPromise$1 = null;
 let selectedBackend$1 = null;
 const tryUseBackend$1 = async (backendId) => {
 	try {
-		await useBackend(backendId);
+		await useBackend(backendId, getCrossKeychainBackendOverrides());
 		return true;
 	} catch {
 		return false;
@@ -428,13 +533,13 @@ const tryUseBackend$1 = async (backendId) => {
 const selectBackend$1 = async () => {
 	const backends = await listBackends();
 	const available = new Set(backends.map((backend) => backend.id));
-	if (available.has("native-linux") && await tryUseBackend$1("native-linux")) return "native-linux";
-	if (available.has("secret-service") && await tryUseBackend$1("secret-service")) return "secret-service";
-	if (await tryUseBackend$1("native-linux")) return "native-linux";
-	if (await tryUseBackend$1("secret-service")) return "secret-service";
-	throw new Error("Unable to initialize Linux secure-store backend via cross-keychain.");
+	if (available.has("native-macos") && await tryUseBackend$1("native-macos")) return "native-macos";
+	if (available.has("macos") && await tryUseBackend$1("macos")) return "macos";
+	if (await tryUseBackend$1("native-macos")) return "native-macos";
+	if (await tryUseBackend$1("macos")) return "macos";
+	throw new Error("Unable to initialize macOS keychain backend via cross-keychain.");
 };
-const ensureLinuxBackend = async (options = {}) => {
+const ensureMacOSBackend = async (options = {}) => {
 	if (!backendInitPromise$1) backendInitPromise$1 = (async () => {
 		selectedBackend$1 = await selectBackend$1();
 	})();
@@ -443,11 +548,16 @@ const ensureLinuxBackend = async (options = {}) => {
 	} catch {
 		backendInitPromise$1 = null;
 		selectedBackend$1 = null;
-		throw new Error("Unable to initialize Linux secure-store backend via cross-keychain.");
+		throw new Error("Unable to initialize macOS keychain backend via cross-keychain.");
 	}
-	if (options.forWrite && selectedBackend$1 === "secret-service") await ensureFallbackConsent(LINUX_FALLBACK_SCOPE, "⚠ Security warning: only the cross-keychain Linux fallback backend is available.\nThis path relies on shell-based `secret-tool` operations for Secret Service access.\nCompared to native bindings, secrets may be more exposed to process inspection/logging while helper commands run.");
+	if (options.forWrite && selectedBackend$1 === "macos") await ensureFallbackConsent(MACOS_FALLBACK_SCOPE, "⚠ Security warning: only the cross-keychain macOS fallback backend is available.\nThis path uses the `security` command to access Keychain.\nCompared to native bindings, secrets may be more exposed to process inspection/logging while helper commands run.");
 };
-const getLinuxCrossKeychainService = (accountId) => `${SERVICE_PREFIX$1}${accountId}`;
+const resolveMacOSCrossKeychainBackendId$1 = async () => {
+	await ensureMacOSBackend();
+	if (!selectedBackend$1) throw new Error("Unable to initialize macOS keychain backend via cross-keychain.");
+	return selectedBackend$1;
+};
+const getMacOSCrossKeychainService = (accountId) => `${SERVICE_PREFIX$1}${accountId}`;
 const parsePayload$1 = (accountId, raw) => {
 	let parsed;
 	try {
@@ -459,17 +569,17 @@ const parsePayload$1 = (accountId, raw) => {
 	return parsed;
 };
 const withService$1 = async (accountId, run, options = {}) => {
-	await ensureLinuxBackend(options);
-	return run(getLinuxCrossKeychainService(accountId));
+	await ensureMacOSBackend(options);
+	return run(getMacOSCrossKeychainService(accountId));
 };
-const saveLinuxCrossKeychainPayload = async (accountId, payload) => withService$1(accountId, (service) => setPassword(service, accountId, JSON.stringify(payload)), { forWrite: true });
-const loadLinuxCrossKeychainPayload = async (accountId) => {
+const saveMacOSCrossKeychainPayload = async (accountId, payload) => withService$1(accountId, (service) => setPassword(service, accountId, JSON.stringify(payload)), { forWrite: true });
+const loadMacOSCrossKeychainPayload = async (accountId) => {
 	const raw = await withService$1(accountId, (service) => getPassword(service, accountId));
 	if (raw === null) throw new Error(`No stored credentials found for account ${accountId}.`);
 	return parsePayload$1(accountId, raw);
 };
-const deleteLinuxCrossKeychainPayload = async (accountId) => withService$1(accountId, (service) => deletePassword(service, accountId));
-const linuxCrossKeychainPayloadExists = async (accountId) => withService$1(accountId, async (service) => await getPassword(service, accountId) !== null);
+const deleteMacOSCrossKeychainPayload = async (accountId) => withService$1(accountId, (service) => deletePassword(service, accountId));
+const macosCrossKeychainPayloadExists = async (accountId) => withService$1(accountId, async (service) => await getPassword(service, accountId) !== null);
 
 //#endregion
 //#region lib/secrets/windows-cross-keychain.ts
@@ -479,7 +589,7 @@ let backendInitPromise = null;
 let selectedBackend = null;
 const tryUseBackend = async (backendId) => {
 	try {
-		await useBackend(backendId);
+		await useBackend(backendId, getCrossKeychainBackendOverrides());
 		return true;
 	} catch {
 		return false;
@@ -522,52 +632,154 @@ const withService = async (accountId, run, options = {}) => {
 	await ensureWindowsBackend(options);
 	return run(getWindowsCrossKeychainService(accountId));
 };
-const saveWindowsCrossKeychainPayload = async (accountId, payload) => withService(accountId, (service) => setPassword(service, accountId, JSON.stringify(payload)), { forWrite: true });
+const saveWindowsCrossKeychainPayload = async (accountId, payload) => withService(accountId, async (service) => {
+	await setPassword(service, accountId, JSON.stringify(payload));
+}, { forWrite: true });
 const loadWindowsCrossKeychainPayload = async (accountId) => {
 	const raw = await withService(accountId, (service) => getPassword(service, accountId));
 	if (raw === null) throw new Error(`No stored credentials found for account ${accountId}.`);
 	return parsePayload(accountId, raw);
 };
-const deleteWindowsCrossKeychainPayload = async (accountId) => withService(accountId, (service) => deletePassword(service, accountId));
+const deleteWindowsCrossKeychainPayload = async (accountId) => withService(accountId, async (service) => {
+	await deletePassword(service, accountId);
+});
 const windowsCrossKeychainPayloadExists = async (accountId) => withService(accountId, async (service) => await getPassword(service, accountId) !== null);
 
 //#endregion
 //#region lib/secrets/store.ts
-const MAC_FALLBACK_SCOPE = "darwin:security-cli";
-let macNativeStoreOptionPromise = null;
-const unsupportedError = (platform) => /* @__PURE__ */ new Error(`No default secret store adapter configured for platform '${platform}'. Only macOS, Windows, and Linux adapters are wired by default right now.`);
-const hasNativeMacStoreOption = async () => {
-	if (!macNativeStoreOptionPromise) macNativeStoreOptionPromise = (async () => {
-		try {
-			return (await listBackends()).some((backend) => backend.id === "native-macos");
-		} catch {
-			return false;
-		}
-	})();
-	return macNativeStoreOptionPromise;
+const MISSING_SECRET_STORE_ERROR_MARKERS = [
+	"No stored credentials found",
+	"No Keychain payload found",
+	"Password not found"
+];
+const isMissingSecretStoreEntryError = (error) => {
+	if (!(error instanceof Error)) return false;
+	return MISSING_SECRET_STORE_ERROR_MARKERS.some((marker) => error.message.includes(marker));
+};
+const createMissingSecretStoreEntryError = (accountId) => /* @__PURE__ */ new Error(`No stored credentials found for account ${accountId}.`);
+const CACHED_ADAPTER_SYMBOL = Symbol.for("cdx.secretStore.cachedAdapter");
+const withSecretStoreCache = (adapter) => {
+	if (adapter[CACHED_ADAPTER_SYMBOL]) return adapter;
+	const payloadCache = /* @__PURE__ */ new Map();
+	const existsCache = /* @__PURE__ */ new Map();
+	const missingAccounts = /* @__PURE__ */ new Set();
+	const inFlightLoads = /* @__PURE__ */ new Map();
+	const markPresent = (accountId, payload) => {
+		payloadCache.set(accountId, payload);
+		existsCache.set(accountId, true);
+		missingAccounts.delete(accountId);
+	};
+	const markMissing = (accountId) => {
+		payloadCache.delete(accountId);
+		existsCache.set(accountId, false);
+		missingAccounts.add(accountId);
+	};
+	const loadAndCache = async (accountId) => {
+		const existingPromise = inFlightLoads.get(accountId);
+		if (existingPromise) return existingPromise;
+		const promise = (async () => {
+			try {
+				const payload = await adapter.load(accountId);
+				markPresent(accountId, payload);
+				return payload;
+			} catch (error) {
+				if (isMissingSecretStoreEntryError(error)) markMissing(accountId);
+				throw error;
+			} finally {
+				inFlightLoads.delete(accountId);
+			}
+		})();
+		inFlightLoads.set(accountId, promise);
+		return promise;
+	};
+	return {
+		id: adapter.id,
+		label: adapter.label,
+		getServiceName: (accountId) => adapter.getServiceName(accountId),
+		save: async (accountId, payload) => {
+			await adapter.save(accountId, payload);
+			markPresent(accountId, payload);
+		},
+		load: async (accountId) => {
+			const cachedPayload = payloadCache.get(accountId);
+			if (cachedPayload) return cachedPayload;
+			if (missingAccounts.has(accountId)) throw createMissingSecretStoreEntryError(accountId);
+			return loadAndCache(accountId);
+		},
+		delete: async (accountId) => {
+			try {
+				await adapter.delete(accountId);
+			} catch (error) {
+				if (isMissingSecretStoreEntryError(error)) markMissing(accountId);
+				throw error;
+			}
+			markMissing(accountId);
+		},
+		exists: async (accountId) => {
+			if (payloadCache.has(accountId)) return true;
+			if (missingAccounts.has(accountId)) return false;
+			const cachedExists = existsCache.get(accountId);
+			if (cachedExists !== void 0) return cachedExists;
+			try {
+				await loadAndCache(accountId);
+				return true;
+			} catch (error) {
+				if (isMissingSecretStoreEntryError(error)) return false;
+			}
+			const exists = await adapter.exists(accountId);
+			existsCache.set(accountId, exists);
+			if (!exists) missingAccounts.add(accountId);
+			return exists;
+		},
+		listAccountIds: async () => {
+			const accountIds = await adapter.listAccountIds();
+			for (const accountId of accountIds) {
+				existsCache.set(accountId, true);
+				missingAccounts.delete(accountId);
+			}
+			return accountIds;
+		},
+		getCapability: () => adapter.getCapability(),
+		[CACHED_ADAPTER_SYMBOL]: true
+	};
 };
-const ensureMacFallbackConsentIfNeeded = async () => {
-	if (await hasNativeMacStoreOption()) return;
-	await ensureFallbackConsent(MAC_FALLBACK_SCOPE, "⚠ Security warning: only the macOS CLI secure-store path is available.\nThis path uses the `security` command to access Keychain.\nCompared to native bindings, secrets may be more exposed to process inspection/logging while CLI commands run.");
+const unsupportedError = (platform) => /* @__PURE__ */ new Error(`No default secret store adapter configured for platform '${platform}'. Only macOS, Windows, and Linux adapters are wired by default right now.`);
+const loadConfiguredAccountIds = async () => {
+	if (!configExists()) return [];
+	return (await loadConfig()).accounts.map((account) => account.accountId);
 };
-const createMacOSKeychainAdapter = () => ({
-	id: "macos-keychain",
-	label: "macOS Keychain",
+const createMacOSCrossKeychainAdapter = () => ({
+	id: "macos-cross-keychain",
+	label: "macOS Keychain (cross-keychain)",
+	getServiceName: getMacOSCrossKeychainService,
+	save: saveMacOSCrossKeychainPayload,
+	load: loadMacOSCrossKeychainPayload,
+	delete: deleteMacOSCrossKeychainPayload,
+	exists: macosCrossKeychainPayloadExists,
+	listAccountIds: async () => {
+		const accountIds = await loadConfiguredAccountIds();
+		return (await Promise.all(accountIds.map(async (accountId) => ({
+			accountId,
+			exists: await macosCrossKeychainPayloadExists(accountId)
+		})))).filter((item) => item.exists).map((item) => item.accountId);
+	},
+	getCapability: () => ({ available: true })
+});
+const createMacOSLegacyKeychainAdapter = () => ({
+	id: "macos-legacy-keychain",
+	label: "macOS Keychain (legacy security CLI)",
 	getServiceName: getKeychainService,
 	save: async (accountId, payload) => {
-		await ensureMacFallbackConsentIfNeeded();
 		saveKeychainPayload(accountId, payload);
 	},
 	load: async (accountId) => loadKeychainPayload(accountId),
-	delete: async (accountId) => deleteKeychainPayload(accountId),
+	delete: async (accountId) => {
+		deleteKeychainPayload(accountId);
+	},
 	exists: async (accountId) => keychainPayloadExists(accountId),
 	listAccountIds: async () => listKeychainAccounts(),
 	getCapability: () => ({ available: true })
 });
-const loadConfiguredAccountIds = async () => {
-	if (!configExists()) return [];
-	return (await loadConfig()).accounts.map((account) => account.accountId);
-};
 const createWindowsCrossKeychainAdapter = () => ({
 	id: "windows-cross-keychain",
 	label: "Windows Credential Manager (cross-keychain)",
@@ -623,18 +835,29 @@ const createUnsupportedAdapter = (platform) => ({
 	})
 });
 const createRuntimeSecretStoreAdapter = (platform = process.platform) => {
-	if (platform === "darwin") return createMacOSKeychainAdapter();
+	if (platform === "darwin") return createMacOSCrossKeychainAdapter();
 	if (platform === "win32") return createWindowsCrossKeychainAdapter();
 	if (platform === "linux") return createLinuxCrossKeychainAdapter();
 	return createUnsupportedAdapter(platform);
 };
-let currentSecretStoreAdapter = createRuntimeSecretStoreAdapter();
+const createSecretStoreAdapterFromSelection = (selection = "auto", platform = process.platform) => {
+	if (selection === "legacy-keychain") {
+		if (platform !== "darwin") throw new Error("The legacy keychain adapter is only available on macOS (darwin).");
+		return createMacOSLegacyKeychainAdapter();
+	}
+	return createRuntimeSecretStoreAdapter(platform);
+};
+const resolveMacOSCrossKeychainBackendId = async (platform = process.platform) => {
+	if (platform !== "darwin") return null;
+	return resolveMacOSCrossKeychainBackendId$1();
+};
+let currentSecretStoreAdapter = withSecretStoreCache(createRuntimeSecretStoreAdapter());
 const getSecretStoreAdapter = () => currentSecretStoreAdapter;
 const setSecretStoreAdapter = (adapter) => {
-	currentSecretStoreAdapter = adapter;
+	currentSecretStoreAdapter = withSecretStoreCache(adapter);
 };
 const resetSecretStoreAdapter = () => {
-	currentSecretStoreAdapter = createRuntimeSecretStoreAdapter();
+	currentSecretStoreAdapter = withSecretStoreCache(createRuntimeSecretStoreAdapter());
 };
 const getSecretStoreCapability = () => {
 	const adapter = getSecretStoreAdapter();
@@ -1100,14 +1323,17 @@ const readPiAuthAccount = async () => {
 };
 const getAccountStatus = async (accountId, isCurrent, label) => {
 	const secretStore = getSecretStoreAdapter();
-	const secureStoreExists = await secretStore.exists(accountId);
+	let secureStoreExists = false;
 	let expiresAt = null;
 	let hasIdToken = false;
-	if (secureStoreExists) try {
+	try {
 		const payload = await secretStore.load(accountId);
+		secureStoreExists = true;
 		expiresAt = payload.expires;
 		hasIdToken = !!payload.idToken;
-	} catch {}
+	} catch (error) {
+		secureStoreExists = !isMissingSecretStoreEntryError(error);
+	}
 	return {
 		accountId,
 		label,
@@ -1481,10 +1707,89 @@ const registerDefaultInteractiveAction = (program) => {
 	});
 };
 
+//#endregion
+//#region lib/keychain-acl.ts
+const getDefaultMap = (services) => {
+	const map = /* @__PURE__ */ new Map();
+	for (const service of services) map.set(service, {
+		service,
+		mode: "missing",
+		applications: []
+	});
+	return map;
+};
+const parseItemEntries = (block) => {
+	const entries = [];
+	const entryRegex = /entry\s+\d+:\n([\s\S]*?)(?=\n\s*entry\s+\d+:|$)/g;
+	let match;
+	while ((match = entryRegex.exec(block)) !== null) if (match[1]) entries.push(match[1]);
+	return entries;
+};
+const parseApplicationsFromEntry = (entry) => {
+	const applications = [];
+	const appRegex = /^\s*\d+:\s+(.+?)(?:\s+\([^\n]*\))?\s*$/gm;
+	let match;
+	while ((match = appRegex.exec(entry)) !== null) {
+		const app = match[1]?.trim();
+		if (app) applications.push(app);
+	}
+	return applications;
+};
+const parseKeychainDecryptAccessFromDump = (dumpOutput, services) => {
+	const dedupedServices = [...new Set(services.filter((service) => service.length > 0))];
+	const result = getDefaultMap(dedupedServices);
+	if (dedupedServices.length === 0 || !dumpOutput.trim()) return result;
+	const targetServices = new Set(dedupedServices);
+	const blocks = dumpOutput.split(/\n(?=keychain:\s+")/g);
+	for (const block of blocks) {
+		if (!block.startsWith("keychain:")) continue;
+		const service = block.match(/"svce"<blob>="([^"]+)"/)?.[1];
+		if (!service || !targetServices.has(service)) continue;
+		const entries = parseItemEntries(block);
+		let mode = "missing";
+		const applications = [];
+		for (const entry of entries) {
+			const authorizationsLine = entry.match(/authorizations\s*\(\d+\):\s*([^\n]+)/)?.[1] ?? "";
+			if (!/\bdecrypt\b/.test(authorizationsLine)) continue;
+			if (/applications:\s*<null>/.test(entry)) {
+				mode = "all-apps";
+				applications.length = 0;
+				break;
+			}
+			const entryApplications = parseApplicationsFromEntry(entry);
+			if (entryApplications.length > 0) {
+				mode = "explicit-list";
+				for (const app of entryApplications) if (!applications.includes(app)) applications.push(app);
+			}
+		}
+		result.set(service, {
+			service,
+			mode,
+			applications
+		});
+	}
+	return result;
+};
+const getKeychainDecryptAccessByServiceAsync = async (services) => {
+	const dedupedServices = [...new Set(services.filter((service) => service.length > 0))];
+	const defaultResult = getDefaultMap(dedupedServices);
+	if (process.platform !== "darwin" || dedupedServices.length === 0) return defaultResult;
+	const dumpResult = await runSecuritySafeAsync(["dump-keychain", "-a"]);
+	if (!dumpResult.success) return defaultResult;
+	return parseKeychainDecryptAccessFromDump(dumpResult.output, dedupedServices);
+};
+
 //#endregion
 //#region lib/commands/doctor.ts
+const hasRuntimeTrustedApp = (trustedApplications, runtimeExecutablePath) => {
+	const runtimeBaseName = path.basename(runtimeExecutablePath).toLowerCase();
+	return trustedApplications.some((trustedApp) => {
+		if (trustedApp === runtimeExecutablePath) return true;
+		return path.basename(trustedApp).toLowerCase() === runtimeBaseName;
+	});
+};
 const registerDoctorCommand = (program) => {
-	program.command("doctor").description("Show auth file paths and runtime capabilities").action(async () => {
+	program.command("doctor").description("Show auth file paths and runtime capabilities").option("--check-keychain-acl", "Run keychain trusted-app/ACL checks on macOS (can be slow)").action(async (options) => {
 		try {
 			const status = await getStatus();
 			const paths = getPaths();
@@ -1509,6 +1814,50 @@ const registerDoctorCommand = (program) => {
 			process.stdout.write(`  Secret store: ${status.capabilities.secretStore.label} — ${secretStoreState}\n`);
 			const browserState = status.capabilities.browserLauncher.available ? "available" : "not found";
 			process.stdout.write(`  Browser launcher: ${status.capabilities.browserLauncher.label} — ${browserState}\n`);
+			if (process.platform === "darwin" && !options.checkKeychainAcl) {
+				process.stdout.write("  ┌─ Optional keychain ACL check\n");
+				process.stdout.write("  │  Run: cdx doctor --check-keychain-acl\n");
+				process.stdout.write("  │  Verifies whether your current runtime is trusted by Keychain.\n");
+				process.stdout.write("  └─ Expected duration: ~30-60 seconds\n");
+			}
+			if (process.platform === "darwin" && options.checkKeychainAcl) {
+				const secretStore = getSecretStoreAdapter();
+				const accountsWithSecrets = status.accounts.filter((account) => account.secureStoreExists);
+				if (accountsWithSecrets.length > 0) {
+					const runtimeExecutablePath = process.execPath;
+					const services = accountsWithSecrets.map((account) => secretStore.getServiceName(account.accountId));
+					process.stdout.write("\nKeychain ACL checks:\n");
+					process.stdout.write(`  Runtime executable: ${runtimeExecutablePath}\n`);
+					const aclSpinner = p.spinner();
+					const accountWord = accountsWithSecrets.length === 1 ? "account" : "accounts";
+					aclSpinner.start(`Checking keychain ACLs for ${accountsWithSecrets.length} ${accountWord}...`);
+					const decryptAccessByService = await getKeychainDecryptAccessByServiceAsync(services);
+					aclSpinner.stop("Keychain ACL checks complete.");
+					for (const account of accountsWithSecrets) {
+						const service = secretStore.getServiceName(account.accountId);
+						const decryptAccess = decryptAccessByService.get(service);
+						const accountLabel = resolveLabel(account.accountId);
+						if (!decryptAccess || decryptAccess.mode === "missing") {
+							process.stdout.write(`  ${accountLabel}: unable to read decrypt trusted apps (service: ${service})\n`);
+							continue;
+						}
+						if (decryptAccess.mode === "all-apps") {
+							process.stdout.write(`  ${accountLabel}: decrypt access allows all apps (<null>)\n`);
+							continue;
+						}
+						const runtimeTrusted = hasRuntimeTrustedApp(decryptAccess.applications, runtimeExecutablePath);
+						const trustedAppsList = decryptAccess.applications.join(", ");
+						if (runtimeTrusted) {
+							process.stdout.write(`  ${accountLabel}: runtime is in trusted apps\n`);
+							continue;
+						}
+						process.stdout.write(`  ⚠ ${accountLabel}: runtime not found in trusted apps\n`);
+						process.stdout.write(`    Service: ${service}\n`);
+						process.stdout.write(`    Trusted apps: ${trustedAppsList || "(none)"}\n`);
+						process.stdout.write("    This secret may have been created with a different runtime/toolchain (for example node vs bun).\n");
+					}
+				}
+			}
 			process.stdout.write("\n");
 		} catch (error) {
 			exitWithCommandError(error);
@@ -1571,6 +1920,119 @@ const registerLoginCommand = (program, deps = {}) => {
 	});
 };
 
+//#endregion
+//#region lib/secrets/migrate.ts
+const asErrorMessage = (error) => error instanceof Error ? error.message : String(error);
+const migrateLegacyMacOSSecrets = async (options = {}) => {
+	if ((options.platform ?? process.platform) !== "darwin") throw new Error("'migrate-secrets' is only available on macOS (darwin).");
+	const loadConfigFn = options.loadConfigFn ?? loadConfig;
+	const saveConfigFn = options.saveConfigFn ?? saveConfig;
+	const sourceAdapter = options.sourceAdapter ?? createMacOSLegacyKeychainAdapter();
+	const targetAdapter = options.targetAdapter ?? createRuntimeSecretStoreAdapter("darwin");
+	const config = await loadConfigFn();
+	const accountResults = [];
+	for (const account of config.accounts) {
+		const accountId = account.accountId;
+		try {
+			if (!await sourceAdapter.exists(accountId)) {
+				accountResults.push({
+					accountId,
+					label: account.label,
+					status: "skipped",
+					message: "No legacy keychain entry found."
+				});
+				continue;
+			}
+			const loaded = await sourceAdapter.load(accountId);
+			const payload = loaded.accountId === accountId ? loaded : {
+				...loaded,
+				accountId
+			};
+			await sourceAdapter.delete(accountId);
+			try {
+				await targetAdapter.save(accountId, payload);
+			} catch (error) {
+				try {
+					await sourceAdapter.save(accountId, payload);
+				} catch {}
+				throw error;
+			}
+			accountResults.push({
+				accountId,
+				label: account.label,
+				status: "migrated",
+				message: "Legacy entry migrated to cross-keychain backend."
+			});
+		} catch (error) {
+			accountResults.push({
+				accountId,
+				label: account.label,
+				status: "failed",
+				message: asErrorMessage(error)
+			});
+		}
+	}
+	const failed = accountResults.filter((entry) => entry.status === "failed").length;
+	const skipped = accountResults.filter((entry) => entry.status === "skipped").length;
+	const migrated = accountResults.filter((entry) => entry.status === "migrated").length;
+	let configUpdated = false;
+	if (failed === 0) {
+		let changed = false;
+		for (const account of config.accounts) {
+			const expectedService = targetAdapter.getServiceName(account.accountId);
+			if (account.keychainService !== expectedService) {
+				account.keychainService = expectedService;
+				changed = true;
+			}
+		}
+		if (config.secretStore !== "auto") {
+			config.secretStore = "auto";
+			changed = true;
+		}
+		if (changed) {
+			await saveConfigFn(config);
+			configUpdated = true;
+		}
+	}
+	return {
+		migrated,
+		skipped,
+		failed,
+		configUpdated,
+		accountResults
+	};
+};
+
+//#endregion
+//#region lib/commands/migrate-secrets.ts
+const statusPrefix = (result) => {
+	if (result.status === "migrated") return "✓";
+	if (result.status === "skipped") return "-";
+	return "✗";
+};
+const formatName = (result) => result.label ? `${result.label} (${result.accountId})` : result.accountId;
+const registerMigrateSecretsCommand = (program) => {
+	program.command("migrate-secrets").description("Migrate macOS legacy keychain entries to cross-keychain and update config").action(async () => {
+		try {
+			const result = await migrateLegacyMacOSSecrets();
+			process.stdout.write("\nSecret migration results:\n");
+			for (const accountResult of result.accountResults) process.stdout.write(`  ${statusPrefix(accountResult)} ${formatName(accountResult)}: ${accountResult.message}\n`);
+			process.stdout.write("\nSummary:\n");
+			process.stdout.write(`  Migrated: ${result.migrated}\n`);
+			process.stdout.write(`  Skipped:  ${result.skipped}\n`);
+			process.stdout.write(`  Failed:   ${result.failed}\n`);
+			if (result.failed === 0) {
+				process.stdout.write(result.configUpdated ? "  Config:   updated (secretStore=auto, service names normalized)\n\n" : "  Config:   already up to date\n\n");
+				return;
+			}
+			process.stdout.write("  Config:   not updated because at least one account failed\n\n");
+			throw new Error(`Migration finished with ${result.failed} failed account(s). Resolve them and run 'cdx migrate-secrets' again.`);
+		} catch (error) {
+			exitWithCommandError(error);
+		}
+	});
+};
+
 //#endregion
 //#region lib/commands/output.ts
 const formatCodexMark = (result) => {
@@ -1932,13 +2394,51 @@ const registerVersionCommand = (program, version) => {
 //#endregion
 //#region cdx.ts
 const interactiveMode = runInteractiveMode;
+const parseSecretStoreSelection = (value) => {
+	if (value === "auto" || value === "legacy-keychain") return value;
+	throw new InvalidArgumentError(`Invalid value '${value}' for --secret-store. Allowed values: auto, legacy-keychain.`);
+};
+const getCompletionParseArgs = (argv) => {
+	const completeIndex = argv.findIndex((arg) => arg === "complete");
+	if (completeIndex === -1) return null;
+	const separatorIndex = argv.findIndex((arg) => arg === "--");
+	if (separatorIndex === -1 || separatorIndex <= completeIndex) return null;
+	return argv.slice(separatorIndex + 1);
+};
+const getMacOSKeychainPromptWarning = (selection, platform = process.platform, backendId = null) => {
+	if (platform !== "darwin") return null;
+	if (selection === "legacy-keychain") return "⚠ macOS keychain is using the legacy security CLI backend. Touch ID may not be offered for keychain prompts.";
+	if (selection === "auto" && backendId === "macos") return "⚠ macOS keychain is using the cross-keychain CLI fallback (`security`). Touch ID may not be offered for keychain prompts.";
+	return null;
+};
+const maybeWarnAboutMacOSKeychainPromptMode = async (selection) => {
+	let backendId = null;
+	if (selection === "auto" && process.platform === "darwin") try {
+		backendId = await resolveMacOSCrossKeychainBackendId();
+	} catch {
+		backendId = null;
+	}
+	const warning = getMacOSKeychainPromptWarning(selection, process.platform, backendId);
+	if (warning) process.stderr.write(`${warning}\n`);
+};
 const createProgram = (deps = {}) => {
 	const program = new Command();
-	program.name("cdx").description("OpenAI account switcher - manage multiple OpenAI Pro subscriptions").version(version, "-v, --version");
+	program.name("cdx").description("OpenAI account switcher - manage multiple OpenAI Pro subscriptions").version(version, "-v, --version").option("--secret-store <mode>", "Select secret-store backend (auto|legacy-keychain)", parseSecretStoreSelection);
+	program.hook("preAction", async (_thisCommand, actionCommand) => {
+		const options = actionCommand.optsWithGlobals();
+		const configuredSelection = options.secretStore ? void 0 : await loadConfiguredSecretStoreSelection();
+		const selection = options.secretStore ?? configuredSelection ?? "auto";
+		setSecretStoreAdapter(createSecretStoreAdapterFromSelection(selection));
+		await maybeWarnAboutMacOSKeychainPromptMode(selection);
+	});
+	program.hook("postAction", () => {
+		resetSecretStoreAdapter();
+	});
 	registerLoginCommand(program, deps);
 	registerReloginCommand(program);
 	registerSwitchCommand(program);
 	registerLabelCommand(program);
+	registerMigrateSecretsCommand(program);
 	registerStatusCommand(program);
 	registerDoctorCommand(program);
 	registerUsageCommand(program);
@@ -1948,11 +2448,18 @@ const createProgram = (deps = {}) => {
 	return program;
 };
 const main = async () => {
-	await createProgram().parseAsync(process.argv);
+	const program = createProgram();
+	const completion = tab(program);
+	const completionArgs = getCompletionParseArgs(process.argv);
+	if (completionArgs) {
+		completion.parse(completionArgs);
+		return;
+	}
+	await program.parseAsync(process.argv);
 };
 if (import.meta.main) main().catch((error) => {
 	exitWithCommandError(error);
 });
 
 //#endregion
-export { createProgram, createRuntimeSecretStoreAdapter, createTestPaths, getPaths, getSecretStoreAdapter, interactiveMode, loadConfig, resetPaths, resetSecretStoreAdapter, runInteractiveMode, saveConfig, setPaths, setSecretStoreAdapter, switchNext, switchToAccount, writeAllAuthFiles, writeAuthFile, writeCodexAuthFile, writePiAuthFile };
+export { createProgram, createRuntimeSecretStoreAdapter, createSecretStoreAdapterFromSelection, createTestPaths, getMacOSKeychainPromptWarning, getPaths, getSecretStoreAdapter, interactiveMode, loadConfig, resetPaths, resetSecretStoreAdapter, resolveMacOSCrossKeychainBackendId, runInteractiveMode, saveConfig, setPaths, setSecretStoreAdapter, switchNext, switchToAccount, writeAllAuthFiles, writeAuthFile, writeCodexAuthFile, writePiAuthFile };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bjesuiter/codex-switcher",
-  "version": "1.4.0",
+  "version": "1.5.0",
   "type": "module",
   "description": "CLI tool to switch between multiple OpenAI accounts for OpenCode",
   "bin": {
@@ -20,9 +20,10 @@
   "license": "MIT",
   "author": "bjesuiter",
   "dependencies": {
+    "@bjesuiter/cross-keychain": "1.1.0-jb.0",
+    "@bomb.sh/tab": "^0.0.13",
     "@clack/prompts": "^1.0.0",
     "@openauthjs/openauth": "^0.4.3",
-    "commander": "^14.0.3",
-    "cross-keychain": "^1.1.0"
+    "commander": "^14.0.3"
   }
 }