@bjesuiter/codex-switcher 1.5.0 → 1.7.1

package/README.md

@@ -6,27 +6,15 @@ Switch the coding-agents [pi](https://pi.dev/), [codex](https://developers.opena
 
 ## Latest Changes
 
-### 1.5.0
+### 1.7.1
 
 #### Features
 
-- Add shell completion support via `cdx complete <shell>` (with parse-completion handling for shell integrations).
-- Add configurable secret-store selection with `--secret-store <mode>` (`auto` or `legacy-keychain`) plus persisted config support.
-- Switch macOS `auto` secret storage to cross-keychain backend selection (prefers native backend, falls back when needed).
-- Add `cdx migrate-secrets` to migrate legacy macOS keychain entries to cross-keychain and update config.
-- Add optional macOS keychain ACL diagnostics in `cdx doctor --check-keychain-acl` to verify trusted runtime access.
-- Add doctor/runtime warnings when macOS keychain access is using legacy/CLI fallback paths where Touch ID prompts may not be offered.
-- Increase cross-keychain max password length handling (default `16384`) to support larger stored credential payloads.
+- Add a release helper script (`scripts/wait-for-npm-latest.ts`) plus `bun run wait-npm-latest` to poll npm until the package `latest` tag matches the target version.
 
 #### Fixes
 
-- Keep `cdx doctor` fast by making keychain ACL checks opt-in and improving output with clearer guidance and progress feedback.
-- Remove Windows credential payload chunking now that larger payloads are supported directly in the secure store backend.
-
-#### Internal
-
-- Temporarily switch keyring dependency from `cross-keychain` to `@bjesuiter/cross-keychain@1.1.0-jb.0` until upstream support is available.
-- Add Windows CI coverage including shell smoke checks and expanded secure-store integration tests (including Windows CRUD coverage).
+- Fix Windows CI completion test behavior by providing `APPDATA` in the account-completion test environment, so account suggestions are resolved correctly on `windows-latest`.
 
 see full changelog here: https://github.com/bjesuiter/codex-switcher/blob/main/CHANGELOG.md
 
@@ -169,8 +157,11 @@ cdx migrate-secrets
 |---------|-------------|
 | `cdx` | Interactive mode |
 | `cdx login` | Add a new OpenAI account via OAuth |
+| `cdx login --device-flow` | Add account using OAuth device flow (no local browser callback needed) |
 | `cdx relogin` | Re-authenticate an existing account via OAuth |
+| `cdx relogin --device-flow` | Re-authenticate interactively using OAuth device flow |
 | `cdx relogin <account>` | Re-authenticate a specific account by ID or label |
+| `cdx relogin <account> --device-flow` | Re-authenticate specific account using OAuth device flow |
 | `cdx switch` | Switch account (interactive picker) |
 | `cdx switch --next` | Cycle to next account |
 | `cdx switch <id>` | Switch to specific account |
@@ -179,7 +170,7 @@ cdx migrate-secrets
 | `cdx status` | Show account status, token expiry, and usage |
 | `cdx migrate-secrets` | Migrate macOS legacy keychain entries to cross-keychain and switch config to `auto` |
 | `cdx doctor` | Show auth file paths/state and runtime capabilities |
-| `cdx doctor --check-keychain-acl` | Run additional macOS keychain trusted-app/ACL checks (slow) |
+| `cdx doctor --check-keychain-acl` | Detect macOS keychain ACL/runtime mismatches (`cdx`/Bun vs legacy `security` CLI), warn about prompt-heavy setups, and suggest `cdx migrate-secrets` (slow) |
 | `cdx usage` | Show usage overview for all accounts |
 | `cdx usage <account>` | Show detailed usage for a specific account |
 | `cdx help [command]` | Show help for all commands or one command |
@@ -202,6 +193,7 @@ source <(cdx complete bash)
 ```
 
 `cdx` also supports shell parse completion requests via `cdx complete -- ...`.
+Completions include command names, options, `--secret-store` values, and account ID/label suggestions for commands like `switch`, `relogin`, `usage`, and `label`.
 
 ## How It Works
 
@@ -215,7 +207,7 @@ source <(cdx complete bash)
 - `--secret-store <mode>` always overrides config for the current run.
 - If only a fallback secure-store backend is available on your platform, `cdx` asks for one-time explicit consent before the first credential write and explains the security trade-off.
   - Non-interactive override (if you accept the risk): set `CDX_ALLOW_SECURE_STORE_FALLBACK=1`
-- On macOS, `cdx doctor --check-keychain-acl` performs an additional trusted-app/ACL check for configured account secrets. This check can be slow.
+- On macOS, `cdx doctor --check-keychain-acl` checks whether configured secrets were created for the current `cdx`/Bun runtime or by the legacy Apple `security` CLI flow. Legacy ACL entries can trigger frequent keychain password prompts; when a mismatch is detected, `cdx` suggests `cdx migrate-secrets`. This check can be slow.
 - Cross-keychain payload size policy:
   - Default max password length override is `16384`.
   - Optional override: set `CDX_CROSS_KEYCHAIN_MAX_PASSWORD_LENGTH=<integer-above-4096>`.

package/cdx.mjs

@@ -1,7 +1,7 @@
 #!/usr/bin/env bun
+import { existsSync, readFileSync } from "node:fs";
 import tab from "@bomb.sh/tab/commander";
 import { Command, InvalidArgumentError } from "commander";
-import { existsSync } from "node:fs";
 import { mkdir, readFile, rm, writeFile } from "node:fs/promises";
 import os from "node:os";
 import path from "node:path";
@@ -9,12 +9,13 @@ import * as p from "@clack/prompts";
 import { spawn } from "node:child_process";
 import { deletePassword, getPassword, listBackends, setPassword, useBackend } from "@bjesuiter/cross-keychain";
 import { createInterface } from "node:readline/promises";
-import { generatePKCE } from "@openauthjs/openauth/pkce";
 import { randomBytes } from "node:crypto";
+import { Decrypter, Encrypter } from "age-encryption";
+import { generatePKCE } from "@openauthjs/openauth/pkce";
 import http from "node:http";
 
 //#region package.json
-var version = "1.5.0";
+var version = "1.7.1";
 
 //#endregion
 //#region lib/platform/path-resolver.ts
@@ -271,13 +272,24 @@ const getBrowserLauncherCapability = (platform = process.platform) => {
 		available: isCommandAvailable(launcher.command, platform)
 	};
 };
-const openBrowserUrl = (url, spawnImpl = spawn) => {
-	const launcher = getBrowserLauncher(process.platform, url);
+const openBrowserUrl = (url, options = {}) => {
+	const platform = options.platform ?? process.platform;
+	const spawnImpl = options.spawnImpl ?? spawn;
+	const commandAvailable = options.isCommandAvailableImpl ?? isCommandAvailable;
+	const launcher = getBrowserLauncher(platform, url);
+	if (!commandAvailable(launcher.command, platform)) return {
+		ok: false,
+		launcher,
+		reason: "launcher_missing",
+		error: `${launcher.command} not found in PATH`
+	};
 	try {
-		spawnImpl(launcher.command, launcher.args, {
+		const child = spawnImpl(launcher.command, launcher.args, {
 			detached: true,
 			stdio: "ignore"
-		}).unref();
+		});
+		child.once("error", () => {});
+		child.unref();
 		return {
 			ok: true,
 			launcher
@@ -286,6 +298,7 @@ const openBrowserUrl = (url, spawnImpl = spawn) => {
 		return {
 			ok: false,
 			launcher,
+			reason: "spawn_failed",
 			error: error instanceof Error ? error.message : String(error)
 		};
 	}
@@ -503,18 +516,18 @@ const parsePayload$2 = (accountId, raw) => {
 	if (!parsed.refresh || !parsed.access || !parsed.expires || !parsed.accountId) throw new Error(`Stored credential payload for account ${accountId} is missing required fields.`);
 	return parsed;
 };
-const withService$2 = async (accountId, run, options = {}) => {
+const withService$1 = async (accountId, run, options = {}) => {
 	await ensureLinuxBackend(options);
 	return run(getLinuxCrossKeychainService(accountId));
 };
-const saveLinuxCrossKeychainPayload = async (accountId, payload) => withService$2(accountId, (service) => setPassword(service, accountId, JSON.stringify(payload)), { forWrite: true });
+const saveLinuxCrossKeychainPayload = async (accountId, payload) => withService$1(accountId, (service) => setPassword(service, accountId, JSON.stringify(payload)), { forWrite: true });
 const loadLinuxCrossKeychainPayload = async (accountId) => {
-	const raw = await withService$2(accountId, (service) => getPassword(service, accountId));
+	const raw = await withService$1(accountId, (service) => getPassword(service, accountId));
 	if (raw === null) throw new Error(`No stored credentials found for account ${accountId}.`);
 	return parsePayload$2(accountId, raw);
 };
-const deleteLinuxCrossKeychainPayload = async (accountId) => withService$2(accountId, (service) => deletePassword(service, accountId));
-const linuxCrossKeychainPayloadExists = async (accountId) => withService$2(accountId, async (service) => await getPassword(service, accountId) !== null);
+const deleteLinuxCrossKeychainPayload = async (accountId) => withService$1(accountId, (service) => deletePassword(service, accountId));
+const linuxCrossKeychainPayloadExists = async (accountId) => withService$1(accountId, async (service) => await getPassword(service, accountId) !== null);
 
 //#endregion
 //#region lib/secrets/macos-cross-keychain.ts
@@ -568,23 +581,27 @@ const parsePayload$1 = (accountId, raw) => {
 	if (!parsed.refresh || !parsed.access || !parsed.expires || !parsed.accountId) throw new Error(`Stored credential payload for account ${accountId} is missing required fields.`);
 	return parsed;
 };
-const withService$1 = async (accountId, run, options = {}) => {
+const withService = async (accountId, run, options = {}) => {
 	await ensureMacOSBackend(options);
 	return run(getMacOSCrossKeychainService(accountId));
 };
-const saveMacOSCrossKeychainPayload = async (accountId, payload) => withService$1(accountId, (service) => setPassword(service, accountId, JSON.stringify(payload)), { forWrite: true });
+const saveMacOSCrossKeychainPayload = async (accountId, payload) => withService(accountId, (service) => setPassword(service, accountId, JSON.stringify(payload)), { forWrite: true });
 const loadMacOSCrossKeychainPayload = async (accountId) => {
-	const raw = await withService$1(accountId, (service) => getPassword(service, accountId));
+	const raw = await withService(accountId, (service) => getPassword(service, accountId));
 	if (raw === null) throw new Error(`No stored credentials found for account ${accountId}.`);
 	return parsePayload$1(accountId, raw);
 };
-const deleteMacOSCrossKeychainPayload = async (accountId) => withService$1(accountId, (service) => deletePassword(service, accountId));
-const macosCrossKeychainPayloadExists = async (accountId) => withService$1(accountId, async (service) => await getPassword(service, accountId) !== null);
+const deleteMacOSCrossKeychainPayload = async (accountId) => withService(accountId, (service) => deletePassword(service, accountId));
+const macosCrossKeychainPayloadExists = async (accountId) => withService(accountId, async (service) => await getPassword(service, accountId) !== null);
 
 //#endregion
 //#region lib/secrets/windows-cross-keychain.ts
 const SERVICE_PREFIX = "cdx-openai-";
 const WINDOWS_FALLBACK_SCOPE = "win32:cross-keychain:windows";
+const WINDOWS_VAULT_FILE = "accounts.windows.age";
+const WINDOWS_VAULT_VERSION = 1;
+const WINDOWS_VAULT_KEY_SERVICE = "cdx-openai-vault-passphrase";
+const WINDOWS_VAULT_KEY_ACCOUNT = "windows-v1";
 let backendInitPromise = null;
 let selectedBackend = null;
 const tryUseBackend = async (backendId) => {
@@ -617,33 +634,143 @@ const ensureWindowsBackend = async (options = {}) => {
 	}
 	if (options.forWrite && selectedBackend === "windows") await ensureFallbackConsent(WINDOWS_FALLBACK_SCOPE, "⚠ Security warning: only the cross-keychain Windows fallback backend is available.\nThis path runs a PowerShell helper to access Windows Credential Manager.\nCompared to native bindings, secrets may be more exposed to process inspection/logging while the helper runs.");
 };
-const getWindowsCrossKeychainService = (accountId) => `${SERVICE_PREFIX}${accountId}`;
-const parsePayload = (accountId, raw) => {
+const withWindowsBackend = async (run, options = {}) => {
+	await ensureWindowsBackend(options);
+	return run();
+};
+const getWindowsVaultPath = () => path.join(getPaths().configDir, WINDOWS_VAULT_FILE);
+const createVaultPassphrase = () => randomBytes(32).toString("hex");
+const getVaultPassphrase = async (options = {}) => {
+	const current = await getPassword(WINDOWS_VAULT_KEY_SERVICE, WINDOWS_VAULT_KEY_ACCOUNT);
+	if (current) return current;
+	if (!options.createIfMissing) return null;
+	const generated = createVaultPassphrase();
+	await setPassword(WINDOWS_VAULT_KEY_SERVICE, WINDOWS_VAULT_KEY_ACCOUNT, generated);
+	return generated;
+};
+const createEmptyVault = () => ({
+	version: WINDOWS_VAULT_VERSION,
+	accounts: {}
+});
+const parsePayload = (accountId, input) => {
+	if (!input || typeof input !== "object") throw new Error(`Stored credential payload for account ${accountId} is not valid JSON.`);
+	const parsed = input;
+	if (!parsed.refresh || !parsed.access || !parsed.expires || !parsed.accountId) throw new Error(`Stored credential payload for account ${accountId} is missing required fields.`);
+	return {
+		refresh: parsed.refresh,
+		access: parsed.access,
+		expires: parsed.expires,
+		accountId: parsed.accountId,
+		...parsed.idToken ? { idToken: parsed.idToken } : {}
+	};
+};
+const parseVault = (raw, source) => {
+	let parsed;
+	try {
+		parsed = JSON.parse(raw);
+	} catch {
+		throw new Error(`Stored Windows credential vault (${source}) is not valid JSON.`);
+	}
+	if (!parsed || typeof parsed !== "object") throw new Error(`Stored Windows credential vault (${source}) is not valid JSON.`);
+	const vault = parsed;
+	const rawAccounts = vault.accounts;
+	if (!rawAccounts || typeof rawAccounts !== "object") throw new Error(`Stored Windows credential vault (${source}) is missing account data.`);
+	const accounts = {};
+	for (const [accountId, payload] of Object.entries(rawAccounts)) accounts[accountId] = parsePayload(accountId, payload);
+	return {
+		version: typeof vault.version === "number" ? vault.version : WINDOWS_VAULT_VERSION,
+		accounts
+	};
+};
+const decryptVault = async (ciphertext, passphrase, source) => {
+	const decrypter = new Decrypter();
+	decrypter.addPassphrase(passphrase);
+	let plaintext;
+	try {
+		plaintext = await decrypter.decrypt(ciphertext, "text");
+	} catch {
+		throw new Error(`Failed to decrypt Windows credential vault (${source}). Stored passphrase or vault file may be invalid.`);
+	}
+	return parseVault(plaintext, source);
+};
+const encryptVault = async (vault, passphrase) => {
+	const encrypter = new Encrypter();
+	encrypter.setPassphrase(passphrase);
+	return encrypter.encrypt(JSON.stringify(vault));
+};
+const loadVault = async (passphrase) => {
+	const vaultPath = getWindowsVaultPath();
+	let ciphertext;
+	try {
+		ciphertext = await readFile(vaultPath);
+	} catch (error) {
+		if (error?.code === "ENOENT") return createEmptyVault();
+		throw error;
+	}
+	if (ciphertext.length === 0) return createEmptyVault();
+	return decryptVault(ciphertext, passphrase, vaultPath);
+};
+const saveVault = async (vault, passphrase) => {
+	const { configDir } = getPaths();
+	const vaultPath = getWindowsVaultPath();
+	await mkdir(configDir, { recursive: true });
+	await writeFile(vaultPath, await encryptVault(vault, passphrase));
+};
+const loadLegacyPayload = async (accountId) => {
+	const raw = await getPassword(getWindowsCrossKeychainService(accountId), accountId);
+	if (raw === null) return null;
 	let parsed;
 	try {
 		parsed = JSON.parse(raw);
 	} catch {
 		throw new Error(`Stored credential payload for account ${accountId} is not valid JSON.`);
 	}
-	if (!parsed.refresh || !parsed.access || !parsed.expires || !parsed.accountId) throw new Error(`Stored credential payload for account ${accountId} is missing required fields.`);
-	return parsed;
+	return parsePayload(accountId, parsed);
 };
-const withService = async (accountId, run, options = {}) => {
-	await ensureWindowsBackend(options);
-	return run(getWindowsCrossKeychainService(accountId));
+const deleteLegacyPayload = async (accountId) => {
+	const service = getWindowsCrossKeychainService(accountId);
+	try {
+		await deletePassword(service, accountId);
+	} catch {}
 };
-const saveWindowsCrossKeychainPayload = async (accountId, payload) => withService(accountId, async (service) => {
-	await setPassword(service, accountId, JSON.stringify(payload));
+const getWindowsCrossKeychainService = (accountId) => `${SERVICE_PREFIX}${accountId}`;
+const saveWindowsCrossKeychainPayload = async (accountId, payload) => withWindowsBackend(async () => {
+	const passphrase = await getVaultPassphrase({ createIfMissing: true });
+	if (!passphrase) throw new Error("Unable to resolve Windows credential vault passphrase.");
+	const vault = await loadVault(passphrase);
+	vault.accounts[accountId] = payload;
+	await saveVault(vault, passphrase);
+	await deleteLegacyPayload(accountId);
 }, { forWrite: true });
-const loadWindowsCrossKeychainPayload = async (accountId) => {
-	const raw = await withService(accountId, (service) => getPassword(service, accountId));
-	if (raw === null) throw new Error(`No stored credentials found for account ${accountId}.`);
-	return parsePayload(accountId, raw);
-};
-const deleteWindowsCrossKeychainPayload = async (accountId) => withService(accountId, async (service) => {
-	await deletePassword(service, accountId);
+const loadWindowsCrossKeychainPayload = async (accountId) => withWindowsBackend(async () => {
+	const passphrase = await getVaultPassphrase();
+	if (passphrase) {
+		const payload = (await loadVault(passphrase)).accounts[accountId];
+		if (payload) return payload;
+	}
+	const legacyPayload = await loadLegacyPayload(accountId);
+	if (legacyPayload) return legacyPayload;
+	throw new Error(`No stored credentials found for account ${accountId}.`);
+});
+const deleteWindowsCrossKeychainPayload = async (accountId) => withWindowsBackend(async () => {
+	const passphrase = await getVaultPassphrase();
+	if (passphrase) {
+		const vault = await loadVault(passphrase);
+		if (vault.accounts[accountId]) {
+			delete vault.accounts[accountId];
+			if (Object.keys(vault.accounts).length === 0) await rm(getWindowsVaultPath(), { force: true });
+			else await saveVault(vault, passphrase);
+		}
+	}
+	await deleteLegacyPayload(accountId);
+});
+const windowsCrossKeychainPayloadExists = async (accountId) => withWindowsBackend(async () => {
+	const passphrase = await getVaultPassphrase();
+	if (passphrase) {
+		if ((await loadVault(passphrase)).accounts[accountId]) return true;
+	}
+	return await loadLegacyPayload(accountId) !== null;
 });
-const windowsCrossKeychainPayloadExists = async (accountId) => withService(accountId, async (service) => await getPassword(service, accountId) !== null);
 
 //#endregion
 //#region lib/secrets/store.ts
@@ -874,6 +1001,7 @@ const getSecretStoreCapability = () => {
 //#region lib/oauth/constants.ts
 const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
 const AUTHORIZE_URL = "https://auth.openai.com/oauth/authorize";
+const DEVICE_CODE_URL = "https://auth.openai.com/oauth/device/code";
 const TOKEN_URL = "https://auth.openai.com/oauth/token";
 const REDIRECT_URI = "http://localhost:1455/auth/callback";
 const SCOPE = "openid profile email offline_access";
@@ -904,6 +1032,75 @@ const createAuthorizationFlow = async () => {
 		url: url.toString()
 	};
 };
+const startDeviceAuthorizationFlow = async () => {
+	try {
+		const res = await fetch(DEVICE_CODE_URL, {
+			method: "POST",
+			headers: { "Content-Type": "application/x-www-form-urlencoded" },
+			body: new URLSearchParams({
+				client_id: CLIENT_ID,
+				scope: SCOPE
+			})
+		});
+		if (!res.ok) return null;
+		const json = await res.json();
+		if (!json?.device_code || !json?.user_code || !json?.verification_uri || typeof json?.expires_in !== "number") return null;
+		return {
+			deviceCode: json.device_code,
+			userCode: json.user_code,
+			verificationUri: json.verification_uri,
+			verificationUriComplete: json.verification_uri_complete,
+			expiresIn: json.expires_in,
+			interval: typeof json.interval === "number" && json.interval > 0 ? json.interval : 5
+		};
+	} catch {
+		return null;
+	}
+};
+const pollDeviceAuthorizationToken = async (deviceCode) => {
+	try {
+		const res = await fetch(TOKEN_URL, {
+			method: "POST",
+			headers: { "Content-Type": "application/x-www-form-urlencoded" },
+			body: new URLSearchParams({
+				grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+				device_code: deviceCode,
+				client_id: CLIENT_ID
+			})
+		});
+		if (res.ok) {
+			const json = await res.json();
+			if (!json?.access_token || !json?.refresh_token || typeof json?.expires_in !== "number") return { type: "failed" };
+			return {
+				type: "success",
+				access: json.access_token,
+				refresh: json.refresh_token,
+				expires: Date.now() + json.expires_in * 1e3,
+				idToken: json.id_token
+			};
+		}
+		let errorCode;
+		let interval;
+		try {
+			const json = await res.json();
+			errorCode = json.error;
+			interval = json.interval;
+		} catch {}
+		if (errorCode === "authorization_pending") return {
+			type: "pending",
+			interval: typeof interval === "number" && interval > 0 ? interval : 5
+		};
+		if (errorCode === "slow_down") return {
+			type: "slow_down",
+			interval: typeof interval === "number" && interval > 0 ? interval : 10
+		};
+		if (errorCode === "access_denied") return { type: "access_denied" };
+		if (errorCode === "expired_token") return { type: "expired" };
+		return { type: "failed" };
+	} catch {
+		return { type: "failed" };
+	}
+};
 const exchangeAuthorizationCode = async (code, verifier) => {
 	const res = await fetch(TOKEN_URL, {
 		method: "POST",
@@ -1067,12 +1264,225 @@ const startOAuthServer = (state) => {
 
 //#endregion
 //#region lib/oauth/login.ts
-const openBrowser = (url) => {
-	const result = openBrowserUrl(url);
-	if (!result.ok) {
-		const msg = result.error ?? "unknown error";
-		p.log.warning(`Could not auto-open browser via ${result.launcher.label} (${msg}).`);
+const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+const isLikelyRemoteEnvironment = () => {
+	if (process.platform !== "linux") return false;
+	if (process.env.SSH_CONNECTION || process.env.SSH_CLIENT || process.env.SSH_TTY) return true;
+	return !process.env.DISPLAY && !process.env.WAYLAND_DISPLAY;
+};
+const parseOAuthCallbackInput = (input) => {
+	const trimmed = input.trim();
+	if (!trimmed) return null;
+	if (!trimmed.includes("://") && !trimmed.includes("code=") && !trimmed.includes("?")) return { code: trimmed };
+	try {
+		const parsedUrl = new URL(trimmed);
+		const code = parsedUrl.searchParams.get("code");
+		if (code) return {
+			code,
+			state: parsedUrl.searchParams.get("state") ?? void 0
+		};
+	} catch {}
+	const queryLike = trimmed.startsWith("?") || trimmed.startsWith("#") ? trimmed.slice(1) : trimmed.includes("?") ? trimmed.slice(trimmed.indexOf("?") + 1) : trimmed;
+	const params = new URLSearchParams(queryLike);
+	const code = params.get("code");
+	if (!code) return null;
+	return {
+		code,
+		state: params.get("state") ?? void 0
+	};
+};
+const promptBrowserFallbackChoice = async () => {
+	const remoteHint = isLikelyRemoteEnvironment();
+	if (!process.stdin.isTTY || !process.stdout.isTTY) {
+		const selected = remoteHint ? "device" : "manual";
+		p.log.info(`Non-interactive terminal detected. Falling back to ${selected === "device" ? "device OAuth flow" : "manual URL copy/paste flow"}.`);
+		return selected;
+	}
+	const options = remoteHint ? [
+		{
+			value: "device",
+			label: "Use device OAuth flow",
+			hint: "Recommended on SSH/remote servers"
+		},
+		{
+			value: "manual",
+			label: "Finish manually by copying URL",
+			hint: "Open URL on any machine and paste callback URL/code back here"
+		},
+		{
+			value: "cancel",
+			label: "Cancel login"
+		}
+	] : [
+		{
+			value: "manual",
+			label: "Finish manually by copying URL",
+			hint: "Open URL on any machine and paste callback URL/code back here"
+		},
+		{
+			value: "device",
+			label: "Use device OAuth flow",
+			hint: "Best for headless/remote environments"
+		},
+		{
+			value: "cancel",
+			label: "Cancel login"
+		}
+	];
+	const selection = await p.select({
+		message: "Browser launcher is unavailable. How do you want to continue?",
+		options
+	});
+	if (p.isCancel(selection)) return "cancel";
+	return selection;
+};
+const promptManualAuthorizationCode = async (authorizationUrl, expectedState) => {
+	p.log.info("Manual login selected.");
+	p.log.message(`Open this URL in a browser:\n${authorizationUrl}`);
+	p.log.message("After approving, copy the full callback URL (or just the 'code' value) and paste it below.");
+	for (let attempt = 1; attempt <= 3; attempt += 1) {
+		const response = await p.text({
+			message: "Paste callback URL or authorization code:",
+			placeholder: "http://localhost:1455/auth/callback?code=...&state=..."
+		});
+		if (p.isCancel(response)) {
+			p.log.info("Login cancelled.");
+			return null;
+		}
+		const parsed = parseOAuthCallbackInput(String(response));
+		if (!parsed) {
+			p.log.warning("Could not parse input. Please paste a callback URL or code.");
+			continue;
+		}
+		if (parsed.state && parsed.state !== expectedState) {
+			p.log.error("State mismatch in callback URL. Please retry the login flow.");
+			return null;
+		}
+		return parsed.code;
 	}
+	p.log.error("Failed to parse callback input after multiple attempts.");
+	return null;
+};
+const runDeviceOAuthFlow = async (useSpinner) => {
+	const deviceFlow = await startDeviceAuthorizationFlow();
+	if (!deviceFlow) {
+		p.log.error("Device OAuth flow is not available right now.");
+		return null;
+	}
+	p.log.info("Using device OAuth flow.");
+	p.log.message(`Verification URL: ${deviceFlow.verificationUri}`);
+	p.log.message(`User code: ${deviceFlow.userCode}`);
+	const launchResult = openBrowserUrl(deviceFlow.verificationUriComplete ?? deviceFlow.verificationUri);
+	if (!launchResult.ok) {
+		const msg = launchResult.error ?? "unknown error";
+		p.log.warning(`Could not auto-open verification URL via ${launchResult.launcher.label} (${msg}).`);
+	}
+	const spinner = useSpinner ? p.spinner() : null;
+	if (spinner) spinner.start("Waiting for device authorization...");
+	else p.log.message("Waiting for device authorization...");
+	let intervalMs = Math.max(deviceFlow.interval, 1) * 1e3;
+	const deadline = Date.now() + deviceFlow.expiresIn * 1e3;
+	while (Date.now() < deadline) {
+		await sleep(intervalMs);
+		const pollResult = await pollDeviceAuthorizationToken(deviceFlow.deviceCode);
+		if (pollResult.type === "success") {
+			if (spinner) spinner.stop("Device authorization completed.");
+			else p.log.success("Device authorization completed.");
+			return pollResult;
+		}
+		if (pollResult.type === "pending") {
+			intervalMs = Math.max(pollResult.interval, 1) * 1e3;
+			continue;
+		}
+		if (pollResult.type === "slow_down") {
+			intervalMs = Math.max(pollResult.interval, Math.ceil(intervalMs / 1e3) + 5) * 1e3;
+			continue;
+		}
+		if (pollResult.type === "access_denied") {
+			if (spinner) spinner.stop("Device authorization was denied.");
+			else p.log.error("Device authorization was denied.");
+			return null;
+		}
+		if (pollResult.type === "expired") {
+			if (spinner) spinner.stop("Device authorization expired.");
+			else p.log.error("Device authorization expired.");
+			return null;
+		}
+		if (spinner) spinner.stop("Device authorization failed.");
+		else p.log.error("Device authorization failed.");
+		return null;
+	}
+	if (spinner) spinner.stop("Device authorization timed out.");
+	else p.log.error("Device authorization timed out.");
+	return null;
+};
+const requestTokenViaOAuth = async (flow, options) => {
+	if (options.authFlow === "device") return runDeviceOAuthFlow(options.useSpinner);
+	const server = await startOAuthServer(flow.state);
+	if (!server.ready) {
+		p.log.error("Failed to start local server on port 1455.");
+		p.log.info("Please ensure the port is not in use.");
+		return null;
+	}
+	const spinner = options.useSpinner ? p.spinner() : null;
+	let spinnerStarted = false;
+	p.log.info("Opening browser for authentication...");
+	const launchResult = openBrowserUrl(flow.url);
+	if (!launchResult.ok) {
+		const msg = launchResult.error ?? "unknown error";
+		p.log.warning(`Could not auto-open browser via ${launchResult.launcher.label} (${msg}).`);
+	}
+	p.log.message(`If your browser did not open, paste this URL:\n${flow.url}`);
+	if (launchResult.ok) {
+		if (spinner) {
+			spinner.start("Waiting for authentication...");
+			spinnerStarted = true;
+		}
+		const result = await server.waitForCode();
+		server.close();
+		if (!result) {
+			if (spinner) spinner.stop("Authentication timed out or failed.");
+			else p.log.warning("Authentication timed out or failed.");
+			return null;
+		}
+		if (spinner) spinner.message("Exchanging authorization code...");
+		else p.log.message("Exchanging authorization code...");
+		const tokenResult = await exchangeAuthorizationCode(result.code, flow.pkce.verifier);
+		if (tokenResult.type !== "success") {
+			if (spinner) spinner.stop("Failed to exchange authorization code.");
+			else p.log.error("Failed to exchange authorization code.");
+			return null;
+		}
+		if (spinner) spinner.stop("Authentication completed.");
+		return tokenResult;
+	}
+	const fallbackChoice = await promptBrowserFallbackChoice();
+	if (fallbackChoice === "cancel") {
+		server.close();
+		p.log.info("Login cancelled.");
+		return null;
+	}
+	if (fallbackChoice === "device") {
+		server.close();
+		return runDeviceOAuthFlow(options.useSpinner);
+	}
+	server.close();
+	const code = await promptManualAuthorizationCode(flow.url, flow.state);
+	if (!code) return null;
+	if (spinner) if (spinnerStarted) spinner.message("Exchanging authorization code...");
+	else {
+		spinner.start("Exchanging authorization code...");
+		spinnerStarted = true;
+	}
+	else p.log.message("Exchanging authorization code...");
+	const tokenResult = await exchangeAuthorizationCode(code, flow.pkce.verifier);
+	if (tokenResult.type !== "success") {
+		if (spinner) spinner.stop("Failed to exchange authorization code.");
+		else p.log.error("Failed to exchange authorization code.");
+		return null;
+	}
+	if (spinner) spinner.stop("Authentication completed.");
+	return tokenResult;
 };
 const addAccountToConfig = async (accountId, label) => {
 	let config;
@@ -1100,54 +1510,35 @@ const performRefresh = async (targetAccountId, label, options = {}) => {
 		const displayName = label ?? targetAccountId;
 		p.log.step(`Re-authenticating account "${displayName}"...`);
 		const useSpinner = options.useSpinner ?? true;
-		let flow;
-		try {
-			flow = await createAuthorizationFlow();
-		} catch (error) {
-			const msg = error instanceof Error ? error.message : String(error);
-			p.log.error(`Failed to create authorization flow: ${msg}`);
-			process.stderr.write(`Failed to create authorization flow: ${msg}\n`);
-			return null;
-		}
-		const server = await startOAuthServer(flow.state);
-		if (!server.ready) {
-			p.log.error("Failed to start local server on port 1455.");
-			p.log.info("Please ensure the port is not in use.");
-			return null;
-		}
-		const spinner = useSpinner ? p.spinner() : null;
-		p.log.info("Opening browser for authentication...");
-		openBrowser(flow.url);
-		p.log.message(`If your browser did not open, paste this URL:\n${flow.url}`);
-		if (spinner) spinner.start("Waiting for authentication...");
-		const result = await server.waitForCode();
-		server.close();
-		if (!result) {
-			if (spinner) spinner.stop("Authentication timed out or failed.");
-			else p.log.warning("Authentication timed out or failed.");
-			return null;
-		}
-		if (spinner) spinner.message("Exchanging authorization code...");
-		else p.log.message("Exchanging authorization code...");
-		const tokenResult = await exchangeAuthorizationCode(result.code, flow.pkce.verifier);
-		if (tokenResult.type === "failed") {
-			if (spinner) spinner.stop("Failed to exchange authorization code.");
-			else p.log.error("Failed to exchange authorization code.");
-			return null;
+		const authFlow = options.authFlow ?? "auto";
+		let tokenResult = null;
+		if (authFlow === "device") tokenResult = await runDeviceOAuthFlow(useSpinner);
+		else {
+			let flow;
+			try {
+				flow = await createAuthorizationFlow();
+			} catch (error) {
+				const msg = error instanceof Error ? error.message : String(error);
+				p.log.error(`Failed to create authorization flow: ${msg}`);
+				process.stderr.write(`Failed to create authorization flow: ${msg}\n`);
+				return null;
+			}
+			tokenResult = await requestTokenViaOAuth(flow, {
+				useSpinner,
+				authFlow
+			});
 		}
+		if (!tokenResult) return null;
 		const newAccountId = extractAccountId(tokenResult.access);
 		if (!newAccountId) {
-			if (spinner) spinner.stop("Failed to extract account ID from token.");
-			else p.log.error("Failed to extract account ID from token.");
+			p.log.error("Failed to extract account ID from token.");
 			return null;
 		}
 		if (newAccountId !== targetAccountId) {
-			if (spinner) spinner.stop("Authentication completed for a different account.");
-			else p.log.error("Authentication completed for a different account.");
+			p.log.error("Authentication completed for a different account.");
 			throw new Error(`Account mismatch: expected "${targetAccountId}" but got "${newAccountId}". Make sure you log in with the correct OpenAI account.`);
 		}
-		if (spinner) spinner.message("Updating credentials...");
-		else p.log.message("Updating credentials...");
+		if (!useSpinner) p.log.message("Updating credentials...");
 		const payload = {
 			refresh: tokenResult.refresh,
 			access: tokenResult.access,
@@ -1156,46 +1547,29 @@ const performRefresh = async (targetAccountId, label, options = {}) => {
 			...tokenResult.idToken ? { idToken: tokenResult.idToken } : {}
 		};
 		await getSecretStoreAdapter().save(newAccountId, payload);
-		if (spinner) spinner.stop("Credentials refreshed!");
-		else p.log.success("Credentials refreshed!");
+		p.log.success("Credentials refreshed!");
 		p.log.success(`Account "${displayName}" credentials updated in secure store.`);
 		return { accountId: newAccountId };
 	} finally {
 		clearInterval(keepAlive);
 	}
 };
-const performLogin = async () => {
+const performLogin = async (options = {}) => {
 	p.intro("cdx login - Add OpenAI account");
-	const flow = await createAuthorizationFlow();
-	const server = await startOAuthServer(flow.state);
-	if (!server.ready) {
-		p.log.error("Failed to start local server on port 1455.");
-		p.log.info("Please ensure the port is not in use.");
-		return null;
-	}
-	const spinner = p.spinner();
-	p.log.info("Opening browser for authentication...");
-	openBrowser(flow.url);
-	p.log.message(`If your browser did not open, paste this URL:\n${flow.url}`);
-	spinner.start("Waiting for authentication...");
-	const result = await server.waitForCode();
-	server.close();
-	if (!result) {
-		spinner.stop("Authentication timed out or failed.");
-		return null;
-	}
-	spinner.message("Exchanging authorization code...");
-	const tokenResult = await exchangeAuthorizationCode(result.code, flow.pkce.verifier);
-	if (tokenResult.type === "failed") {
-		spinner.stop("Failed to exchange authorization code.");
-		return null;
-	}
+	const authFlow = options.authFlow ?? "auto";
+	let tokenResult = null;
+	if (authFlow === "device") tokenResult = await runDeviceOAuthFlow(true);
+	else tokenResult = await requestTokenViaOAuth(await createAuthorizationFlow(), {
+		useSpinner: true,
+		authFlow
+	});
+	if (!tokenResult) return null;
 	const accountId = extractAccountId(tokenResult.access);
 	if (!accountId) {
-		spinner.stop("Failed to extract account ID from token.");
+		p.log.error("Failed to extract account ID from token.");
 		return null;
 	}
-	spinner.message("Saving credentials...");
+	p.log.message("Saving credentials...");
 	const payload = {
 		refresh: tokenResult.refresh,
 		access: tokenResult.access,
@@ -1204,7 +1578,7 @@ const performLogin = async () => {
 		...tokenResult.idToken ? { idToken: tokenResult.idToken } : {}
 	};
 	await getSecretStoreAdapter().save(accountId, payload);
-	spinner.stop("Login successful!");
+	p.log.success("Login successful!");
 	const labelInput = await p.text({
 		message: "Enter a label for this account (or press Enter to skip):",
 		placeholder: "e.g. Work, Personal"
@@ -1456,7 +1830,7 @@ const handleSwitchAccount = async () => {
 const handleAddAccount = async () => {
 	await performLogin();
 };
-const handleReloginAccount = async () => {
+const handleReloginAccount = async (reloginOptions = {}) => {
 	if (!configExists()) {
 		p.log.warning("No accounts configured. Use 'Add account' first.");
 		return;
@@ -1485,7 +1859,10 @@ const handleReloginAccount = async () => {
 	const displayName = account?.label ?? accountId;
 	p.log.info(`Current token status for ${displayName}: ${expiryState}`);
 	try {
-		const result = await performRefresh(accountId, account?.label, { useSpinner: false });
+		const result = await performRefresh(accountId, account?.label, {
+			useSpinner: false,
+			authFlow: reloginOptions.authFlow
+		});
 		if (!result) p.log.warning("Re-login was not completed.");
 		else {
 			const authResult = await writeActiveAuthFilesIfCurrent(result.accountId);
@@ -1814,6 +2191,30 @@ const registerDoctorCommand = (program) => {
 			process.stdout.write(`  Secret store: ${status.capabilities.secretStore.label} — ${secretStoreState}\n`);
 			const browserState = status.capabilities.browserLauncher.available ? "available" : "not found";
 			process.stdout.write(`  Browser launcher: ${status.capabilities.browserLauncher.label} — ${browserState}\n`);
+			if (process.platform === "win32") {
+				const secretStore = getSecretStoreAdapter();
+				process.stdout.write("\nWindows secure-store checks:\n");
+				if (status.accounts.length === 0) process.stdout.write("  No accounts configured in config.\n");
+				else {
+					let okCount = 0;
+					for (const account of status.accounts) {
+						const accountLabel = resolveLabel(account.accountId);
+						try {
+							await secretStore.load(account.accountId);
+							okCount += 1;
+							process.stdout.write(`  ${accountLabel}: credential payload load OK\n`);
+						} catch (error) {
+							if (isMissingSecretStoreEntryError(error)) {
+								process.stdout.write(`  ⚠ ${accountLabel}: missing secure-store entry for configured account\n`);
+								continue;
+							}
+							const message = error instanceof Error ? error.message : String(error);
+							process.stdout.write(`  ⚠ ${accountLabel}: secure-store load failed (${message})\n`);
+						}
+					}
+					process.stdout.write(`  Summary: ${okCount}/${status.accounts.length} configured account(s) passed secure-store load checks.\n`);
+				}
+			}
 			if (process.platform === "darwin" && !options.checkKeychainAcl) {
 				process.stdout.write("  ┌─ Optional keychain ACL check\n");
 				process.stdout.write("  │  Run: cdx doctor --check-keychain-acl\n");
@@ -1855,6 +2256,7 @@ const registerDoctorCommand = (program) => {
 						process.stdout.write(`    Service: ${service}\n`);
 						process.stdout.write(`    Trusted apps: ${trustedAppsList || "(none)"}\n`);
 						process.stdout.write("    This secret may have been created with a different runtime/toolchain (for example node vs bun).\n");
+						process.stdout.write("    Suggested fix: run `cdx migrate-secrets` to recreate keychain entries with the current runtime ACL.\n");
 					}
 				}
 			}
@@ -1908,9 +2310,9 @@ const registerLabelCommand = (program) => {
 //#region lib/commands/login.ts
 const registerLoginCommand = (program, deps = {}) => {
 	const runLogin = deps.performLogin ?? performLogin;
-	program.command("login").description("Add a new OpenAI account via OAuth").action(async () => {
+	program.command("login").description("Add a new OpenAI account via OAuth").option("--device-flow", "Use OAuth device flow instead of browser callback flow").action(async (options) => {
 		try {
-			if (!await runLogin()) {
+			if (!await runLogin({ authFlow: options.deviceFlow ? "device" : "auto" })) {
 				process.stderr.write("Login failed.\n");
 				process.exit(1);
 			}
@@ -2060,8 +2462,9 @@ const writeUpdatedAuthSummary = (result) => {
 //#endregion
 //#region lib/commands/refresh.ts
 const registerReloginCommand = (program) => {
-	program.command("relogin").description("Re-authenticate an existing account with full OAuth login (no duplicate account)").argument("[account]", "Account ID or label to re-login").action(async (account) => {
+	program.command("relogin").description("Re-authenticate an existing account with full OAuth login (no duplicate account)").option("--device-flow", "Use OAuth device flow instead of browser callback flow").argument("[account]", "Account ID or label to re-login").action(async (account, options) => {
 		try {
+			const authFlow = options.deviceFlow ? "device" : "auto";
 			if (account) {
 				const target = (await loadConfig()).accounts.find((entry) => entry.accountId === account || entry.label === account);
 				if (!target) throw new Error(`Account "${account}" not found. Use 'cdx login' to add it.`);
@@ -2076,7 +2479,7 @@ const registerReloginCommand = (program) => {
 				}
 				else secureStoreState = " [no secure store entry]";
 				process.stdout.write(`Current token status for ${displayName}: ${expiryState}${secureStoreState}\n`);
-				const result = await performRefresh(target.accountId, target.label);
+				const result = await performRefresh(target.accountId, target.label, { authFlow });
 				if (!result) {
 					process.stderr.write("Re-login failed.\n");
 					process.exit(1);
@@ -2085,7 +2488,7 @@ const registerReloginCommand = (program) => {
 				if (authResult) writeUpdatedAuthSummary(authResult);
 				return;
 			}
-			await handleReloginAccount();
+			await handleReloginAccount({ authFlow });
 		} catch (error) {
 			exitWithCommandError(error);
 		}
@@ -2405,6 +2808,66 @@ const getCompletionParseArgs = (argv) => {
 	if (separatorIndex === -1 || separatorIndex <= completeIndex) return null;
 	return argv.slice(separatorIndex + 1);
 };
+const readCompletionAccounts = () => {
+	try {
+		const { configPath } = getPaths();
+		if (!existsSync(configPath)) return [];
+		const raw = readFileSync(configPath, "utf8");
+		const parsed = JSON.parse(raw);
+		if (!Array.isArray(parsed.accounts)) return [];
+		const accounts = [];
+		for (const account of parsed.accounts) {
+			if (typeof account.accountId !== "string" || !account.accountId.trim()) continue;
+			accounts.push({
+				accountId: account.accountId,
+				...typeof account.label === "string" && account.label.trim() ? { label: account.label } : {}
+			});
+		}
+		return accounts;
+	} catch {
+		return [];
+	}
+};
+const addConfiguredAccountCompletions = (complete) => {
+	const accounts = readCompletionAccounts();
+	const seen = /* @__PURE__ */ new Set();
+	for (const account of accounts) {
+		if (!seen.has(account.accountId)) {
+			seen.add(account.accountId);
+			const description = account.label ? `Account ID (${account.label})` : "Account ID";
+			complete(account.accountId, description);
+		}
+		if (account.label && !seen.has(account.label)) {
+			seen.add(account.label);
+			complete(account.label, `Label for ${account.accountId}`);
+		}
+	}
+};
+const attachAccountArgumentCompletion = (completion, commandName, argumentName) => {
+	const command = completion.commands.get(commandName);
+	if (!command) return;
+	command.argument(argumentName, (complete) => {
+		addConfiguredAccountCompletions(complete);
+	});
+};
+const configureTabCompletion = (completion) => {
+	const secretStoreOption = completion.options.get("secret-store");
+	if (secretStoreOption) secretStoreOption.handler = (complete) => {
+		complete("auto", "Automatic backend selection");
+		complete("legacy-keychain", "macOS legacy keychain backend");
+	};
+	attachAccountArgumentCompletion(completion, "switch", "account-id");
+	attachAccountArgumentCompletion(completion, "relogin", "account");
+	attachAccountArgumentCompletion(completion, "usage", "account");
+	attachAccountArgumentCompletion(completion, "label", "account");
+	const helpCommand = completion.commands.get("help");
+	if (helpCommand) helpCommand.argument("command", (complete) => {
+		for (const [name, command] of completion.commands.entries()) {
+			if (name === "") continue;
+			complete(name, command.description || "Command");
+		}
+	});
+};
 const getMacOSKeychainPromptWarning = (selection, platform = process.platform, backendId = null) => {
 	if (platform !== "darwin") return null;
 	if (selection === "legacy-keychain") return "⚠ macOS keychain is using the legacy security CLI backend. Touch ID may not be offered for keychain prompts.";
@@ -2450,6 +2913,7 @@ const createProgram = (deps = {}) => {
 const main = async () => {
 	const program = createProgram();
 	const completion = tab(program);
+	configureTabCompletion(completion);
 	const completionArgs = getCompletionParseArgs(process.argv);
 	if (completionArgs) {
 		completion.parse(completionArgs);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bjesuiter/codex-switcher",
-  "version": "1.5.0",
+  "version": "1.7.1",
   "type": "module",
   "description": "CLI tool to switch between multiple OpenAI accounts for OpenCode",
   "bin": {
@@ -24,6 +24,7 @@
     "@bomb.sh/tab": "^0.0.13",
     "@clack/prompts": "^1.0.0",
     "@openauthjs/openauth": "^0.4.3",
+    "age-encryption": "^0.3.0",
     "commander": "^14.0.3"
   }
 }