npm - @bjesuiter/codex-switcher - Versions diffs - 1.5.1 → 1.7.2 - Mend

@bjesuiter/codex-switcher 1.5.1 → 1.7.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -6,12 +6,11 @@ Switch the coding-agents [pi](https://pi.dev/), [codex](https://developers.opena
 ## Latest Changes
-### 1.5.1
+### 1.7.2
 #### Fixes
-- `cdx doctor --check-keychain-acl` now suggests running `cdx migrate-secrets` when keychain ACL/runtime mismatches are detected.
-- Clarify keychain ACL diagnostics wording to distinguish entries created by `cdx` (Bun runtime) vs the legacy Apple `security` CLI path, including why mismatches can trigger repeated keychain password prompts.
+- Improve device OAuth failure diagnostics during login/relogin. When device flow startup or polling fails, `cdx` now prints technical details (HTTP status, OAuth error code, and response/body snippets where available) instead of only showing a generic "not available right now" message.
 see full changelog here: https://github.com/bjesuiter/codex-switcher/blob/main/CHANGELOG.md
@@ -154,8 +153,11 @@ cdx migrate-secrets
 |---------|-------------|
 | `cdx` | Interactive mode |
 | `cdx login` | Add a new OpenAI account via OAuth |
+| `cdx login --device-flow` | Add account using OAuth device flow (no local browser callback needed) |
 | `cdx relogin` | Re-authenticate an existing account via OAuth |
+| `cdx relogin --device-flow` | Re-authenticate interactively using OAuth device flow |
 | `cdx relogin <account>` | Re-authenticate a specific account by ID or label |
+| `cdx relogin <account> --device-flow` | Re-authenticate specific account using OAuth device flow |
 | `cdx switch` | Switch account (interactive picker) |
 | `cdx switch --next` | Cycle to next account |
 | `cdx switch <id>` | Switch to specific account |
@@ -187,6 +189,7 @@ source <(cdx complete bash)
 ```
 `cdx` also supports shell parse completion requests via `cdx complete -- ...`.
+Completions include command names, options, `--secret-store` values, and account ID/label suggestions for commands like `switch`, `relogin`, `usage`, and `label`.
 ## How It Works

package/cdx.mjs CHANGED Viewed

@@ -1,7 +1,7 @@
 #!/usr/bin/env bun
+import { existsSync, readFileSync } from "node:fs";
 import tab from "@bomb.sh/tab/commander";
 import { Command, InvalidArgumentError } from "commander";
-import { existsSync } from "node:fs";
 import { mkdir, readFile, rm, writeFile } from "node:fs/promises";
 import os from "node:os";
 import path from "node:path";
@@ -9,12 +9,13 @@ import * as p from "@clack/prompts";
 import { spawn } from "node:child_process";
 import { deletePassword, getPassword, listBackends, setPassword, useBackend } from "@bjesuiter/cross-keychain";
 import { createInterface } from "node:readline/promises";
-import { generatePKCE } from "@openauthjs/openauth/pkce";
 import { randomBytes } from "node:crypto";
+import { Decrypter, Encrypter } from "age-encryption";
+import { generatePKCE } from "@openauthjs/openauth/pkce";
 import http from "node:http";
 //#region package.json
-var version = "1.5.1";
+var version = "1.7.2";
 //#endregion
 //#region lib/platform/path-resolver.ts
@@ -271,13 +272,24 @@ const getBrowserLauncherCapability = (platform = process.platform) => {
 		available: isCommandAvailable(launcher.command, platform)
 	};
 };
-const openBrowserUrl = (url, spawnImpl = spawn) => {
-	const launcher = getBrowserLauncher(process.platform, url);
+const openBrowserUrl = (url, options = {}) => {
+	const platform = options.platform ?? process.platform;
+	const spawnImpl = options.spawnImpl ?? spawn;
+	const commandAvailable = options.isCommandAvailableImpl ?? isCommandAvailable;
+	const launcher = getBrowserLauncher(platform, url);
+	if (!commandAvailable(launcher.command, platform)) return {
+		ok: false,
+		launcher,
+		reason: "launcher_missing",
+		error: `${launcher.command} not found in PATH`
+	};
 	try {
-		spawnImpl(launcher.command, launcher.args, {
+		const child = spawnImpl(launcher.command, launcher.args, {
 			detached: true,
 			stdio: "ignore"
-		}).unref();
+		});
+		child.once("error", () => {});
+		child.unref();
 		return {
 			ok: true,
 			launcher
@@ -286,6 +298,7 @@ const openBrowserUrl = (url, spawnImpl = spawn) => {
 		return {
 			ok: false,
 			launcher,
+			reason: "spawn_failed",
 			error: error instanceof Error ? error.message : String(error)
 		};
 	}
@@ -503,18 +516,18 @@ const parsePayload$2 = (accountId, raw) => {
 	if (!parsed.refresh || !parsed.access || !parsed.expires || !parsed.accountId) throw new Error(`Stored credential payload for account ${accountId} is missing required fields.`);
 	return parsed;
 };
-const withService$2 = async (accountId, run, options = {}) => {
+const withService$1 = async (accountId, run, options = {}) => {
 	await ensureLinuxBackend(options);
 	return run(getLinuxCrossKeychainService(accountId));
 };
-const saveLinuxCrossKeychainPayload = async (accountId, payload) => withService$2(accountId, (service) => setPassword(service, accountId, JSON.stringify(payload)), { forWrite: true });
+const saveLinuxCrossKeychainPayload = async (accountId, payload) => withService$1(accountId, (service) => setPassword(service, accountId, JSON.stringify(payload)), { forWrite: true });
 const loadLinuxCrossKeychainPayload = async (accountId) => {
-	const raw = await withService$2(accountId, (service) => getPassword(service, accountId));
+	const raw = await withService$1(accountId, (service) => getPassword(service, accountId));
 	if (raw === null) throw new Error(`No stored credentials found for account ${accountId}.`);
 	return parsePayload$2(accountId, raw);
 };
-const deleteLinuxCrossKeychainPayload = async (accountId) => withService$2(accountId, (service) => deletePassword(service, accountId));
-const linuxCrossKeychainPayloadExists = async (accountId) => withService$2(accountId, async (service) => await getPassword(service, accountId) !== null);
+const deleteLinuxCrossKeychainPayload = async (accountId) => withService$1(accountId, (service) => deletePassword(service, accountId));
+const linuxCrossKeychainPayloadExists = async (accountId) => withService$1(accountId, async (service) => await getPassword(service, accountId) !== null);
 //#endregion
 //#region lib/secrets/macos-cross-keychain.ts
@@ -568,23 +581,27 @@ const parsePayload$1 = (accountId, raw) => {
 	if (!parsed.refresh || !parsed.access || !parsed.expires || !parsed.accountId) throw new Error(`Stored credential payload for account ${accountId} is missing required fields.`);
 	return parsed;
 };
-const withService$1 = async (accountId, run, options = {}) => {
+const withService = async (accountId, run, options = {}) => {
 	await ensureMacOSBackend(options);
 	return run(getMacOSCrossKeychainService(accountId));
 };
-const saveMacOSCrossKeychainPayload = async (accountId, payload) => withService$1(accountId, (service) => setPassword(service, accountId, JSON.stringify(payload)), { forWrite: true });
+const saveMacOSCrossKeychainPayload = async (accountId, payload) => withService(accountId, (service) => setPassword(service, accountId, JSON.stringify(payload)), { forWrite: true });
 const loadMacOSCrossKeychainPayload = async (accountId) => {
-	const raw = await withService$1(accountId, (service) => getPassword(service, accountId));
+	const raw = await withService(accountId, (service) => getPassword(service, accountId));
 	if (raw === null) throw new Error(`No stored credentials found for account ${accountId}.`);
 	return parsePayload$1(accountId, raw);
 };
-const deleteMacOSCrossKeychainPayload = async (accountId) => withService$1(accountId, (service) => deletePassword(service, accountId));
-const macosCrossKeychainPayloadExists = async (accountId) => withService$1(accountId, async (service) => await getPassword(service, accountId) !== null);
+const deleteMacOSCrossKeychainPayload = async (accountId) => withService(accountId, (service) => deletePassword(service, accountId));
+const macosCrossKeychainPayloadExists = async (accountId) => withService(accountId, async (service) => await getPassword(service, accountId) !== null);
 //#endregion
 //#region lib/secrets/windows-cross-keychain.ts
 const SERVICE_PREFIX = "cdx-openai-";
 const WINDOWS_FALLBACK_SCOPE = "win32:cross-keychain:windows";
+const WINDOWS_VAULT_FILE = "accounts.windows.age";
+const WINDOWS_VAULT_VERSION = 1;
+const WINDOWS_VAULT_KEY_SERVICE = "cdx-openai-vault-passphrase";
+const WINDOWS_VAULT_KEY_ACCOUNT = "windows-v1";
 let backendInitPromise = null;
 let selectedBackend = null;
 const tryUseBackend = async (backendId) => {
@@ -617,33 +634,143 @@ const ensureWindowsBackend = async (options = {}) => {
 	}
 	if (options.forWrite && selectedBackend === "windows") await ensureFallbackConsent(WINDOWS_FALLBACK_SCOPE, "⚠ Security warning: only the cross-keychain Windows fallback backend is available.\nThis path runs a PowerShell helper to access Windows Credential Manager.\nCompared to native bindings, secrets may be more exposed to process inspection/logging while the helper runs.");
 };
-const getWindowsCrossKeychainService = (accountId) => `${SERVICE_PREFIX}${accountId}`;
-const parsePayload = (accountId, raw) => {
+const withWindowsBackend = async (run, options = {}) => {
+	await ensureWindowsBackend(options);
+	return run();
+};
+const getWindowsVaultPath = () => path.join(getPaths().configDir, WINDOWS_VAULT_FILE);
+const createVaultPassphrase = () => randomBytes(32).toString("hex");
+const getVaultPassphrase = async (options = {}) => {
+	const current = await getPassword(WINDOWS_VAULT_KEY_SERVICE, WINDOWS_VAULT_KEY_ACCOUNT);
+	if (current) return current;
+	if (!options.createIfMissing) return null;
+	const generated = createVaultPassphrase();
+	await setPassword(WINDOWS_VAULT_KEY_SERVICE, WINDOWS_VAULT_KEY_ACCOUNT, generated);
+	return generated;
+};
+const createEmptyVault = () => ({
+	version: WINDOWS_VAULT_VERSION,
+	accounts: {}
+});
+const parsePayload = (accountId, input) => {
+	if (!input || typeof input !== "object") throw new Error(`Stored credential payload for account ${accountId} is not valid JSON.`);
+	const parsed = input;
+	if (!parsed.refresh || !parsed.access || !parsed.expires || !parsed.accountId) throw new Error(`Stored credential payload for account ${accountId} is missing required fields.`);
+	return {
+		refresh: parsed.refresh,
+		access: parsed.access,
+		expires: parsed.expires,
+		accountId: parsed.accountId,
+		...parsed.idToken ? { idToken: parsed.idToken } : {}
+	};
+};
+const parseVault = (raw, source) => {
+	let parsed;
+	try {
+		parsed = JSON.parse(raw);
+	} catch {
+		throw new Error(`Stored Windows credential vault (${source}) is not valid JSON.`);
+	}
+	if (!parsed || typeof parsed !== "object") throw new Error(`Stored Windows credential vault (${source}) is not valid JSON.`);
+	const vault = parsed;
+	const rawAccounts = vault.accounts;
+	if (!rawAccounts || typeof rawAccounts !== "object") throw new Error(`Stored Windows credential vault (${source}) is missing account data.`);
+	const accounts = {};
+	for (const [accountId, payload] of Object.entries(rawAccounts)) accounts[accountId] = parsePayload(accountId, payload);
+	return {
+		version: typeof vault.version === "number" ? vault.version : WINDOWS_VAULT_VERSION,
+		accounts
+	};
+};
+const decryptVault = async (ciphertext, passphrase, source) => {
+	const decrypter = new Decrypter();
+	decrypter.addPassphrase(passphrase);
+	let plaintext;
+	try {
+		plaintext = await decrypter.decrypt(ciphertext, "text");
+	} catch {
+		throw new Error(`Failed to decrypt Windows credential vault (${source}). Stored passphrase or vault file may be invalid.`);
+	}
+	return parseVault(plaintext, source);
+};
+const encryptVault = async (vault, passphrase) => {
+	const encrypter = new Encrypter();
+	encrypter.setPassphrase(passphrase);
+	return encrypter.encrypt(JSON.stringify(vault));
+};
+const loadVault = async (passphrase) => {
+	const vaultPath = getWindowsVaultPath();
+	let ciphertext;
+	try {
+		ciphertext = await readFile(vaultPath);
+	} catch (error) {
+		if (error?.code === "ENOENT") return createEmptyVault();
+		throw error;
+	}
+	if (ciphertext.length === 0) return createEmptyVault();
+	return decryptVault(ciphertext, passphrase, vaultPath);
+};
+const saveVault = async (vault, passphrase) => {
+	const { configDir } = getPaths();
+	const vaultPath = getWindowsVaultPath();
+	await mkdir(configDir, { recursive: true });
+	await writeFile(vaultPath, await encryptVault(vault, passphrase));
+};
+const loadLegacyPayload = async (accountId) => {
+	const raw = await getPassword(getWindowsCrossKeychainService(accountId), accountId);
+	if (raw === null) return null;
 	let parsed;
 	try {
 		parsed = JSON.parse(raw);
 	} catch {
 		throw new Error(`Stored credential payload for account ${accountId} is not valid JSON.`);
 	}
-	if (!parsed.refresh || !parsed.access || !parsed.expires || !parsed.accountId) throw new Error(`Stored credential payload for account ${accountId} is missing required fields.`);
-	return parsed;
+	return parsePayload(accountId, parsed);
 };
-const withService = async (accountId, run, options = {}) => {
-	await ensureWindowsBackend(options);
-	return run(getWindowsCrossKeychainService(accountId));
+const deleteLegacyPayload = async (accountId) => {
+	const service = getWindowsCrossKeychainService(accountId);
+	try {
+		await deletePassword(service, accountId);
+	} catch {}
 };
-const saveWindowsCrossKeychainPayload = async (accountId, payload) => withService(accountId, async (service) => {
-	await setPassword(service, accountId, JSON.stringify(payload));
+const getWindowsCrossKeychainService = (accountId) => `${SERVICE_PREFIX}${accountId}`;
+const saveWindowsCrossKeychainPayload = async (accountId, payload) => withWindowsBackend(async () => {
+	const passphrase = await getVaultPassphrase({ createIfMissing: true });
+	if (!passphrase) throw new Error("Unable to resolve Windows credential vault passphrase.");
+	const vault = await loadVault(passphrase);
+	vault.accounts[accountId] = payload;
+	await saveVault(vault, passphrase);
+	await deleteLegacyPayload(accountId);
 }, { forWrite: true });
-const loadWindowsCrossKeychainPayload = async (accountId) => {
-	const raw = await withService(accountId, (service) => getPassword(service, accountId));
-	if (raw === null) throw new Error(`No stored credentials found for account ${accountId}.`);
-	return parsePayload(accountId, raw);
-};
-const deleteWindowsCrossKeychainPayload = async (accountId) => withService(accountId, async (service) => {
-	await deletePassword(service, accountId);
+const loadWindowsCrossKeychainPayload = async (accountId) => withWindowsBackend(async () => {
+	const passphrase = await getVaultPassphrase();
+	if (passphrase) {
+		const payload = (await loadVault(passphrase)).accounts[accountId];
+		if (payload) return payload;
+	}
+	const legacyPayload = await loadLegacyPayload(accountId);
+	if (legacyPayload) return legacyPayload;
+	throw new Error(`No stored credentials found for account ${accountId}.`);
+});
+const deleteWindowsCrossKeychainPayload = async (accountId) => withWindowsBackend(async () => {
+	const passphrase = await getVaultPassphrase();
+	if (passphrase) {
+		const vault = await loadVault(passphrase);
+		if (vault.accounts[accountId]) {
+			delete vault.accounts[accountId];
+			if (Object.keys(vault.accounts).length === 0) await rm(getWindowsVaultPath(), { force: true });
+			else await saveVault(vault, passphrase);
+		}
+	}
+	await deleteLegacyPayload(accountId);
+});
+const windowsCrossKeychainPayloadExists = async (accountId) => withWindowsBackend(async () => {
+	const passphrase = await getVaultPassphrase();
+	if (passphrase) {
+		if ((await loadVault(passphrase)).accounts[accountId]) return true;
+	}
+	return await loadLegacyPayload(accountId) !== null;
 });
-const windowsCrossKeychainPayloadExists = async (accountId) => withService(accountId, async (service) => await getPassword(service, accountId) !== null);
 //#endregion
 //#region lib/secrets/store.ts
@@ -874,6 +1001,7 @@ const getSecretStoreCapability = () => {
 //#region lib/oauth/constants.ts
 const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
 const AUTHORIZE_URL = "https://auth.openai.com/oauth/authorize";
+const DEVICE_CODE_URL = "https://auth.openai.com/oauth/device/code";
 const TOKEN_URL = "https://auth.openai.com/oauth/token";
 const REDIRECT_URI = "http://localhost:1455/auth/callback";
 const SCOPE = "openid profile email offline_access";
@@ -904,6 +1032,138 @@ const createAuthorizationFlow = async () => {
 		url: url.toString()
 	};
 };
+const truncateForLog = (value, maxLength = 300) => {
+	if (value.length <= maxLength) return value;
+	return `${value.slice(0, maxLength)}…`;
+};
+const startDeviceAuthorizationFlow = async () => {
+	try {
+		const res = await fetch(DEVICE_CODE_URL, {
+			method: "POST",
+			headers: { "Content-Type": "application/x-www-form-urlencoded" },
+			body: new URLSearchParams({
+				client_id: CLIENT_ID,
+				scope: SCOPE
+			})
+		});
+		if (!res.ok) {
+			let oauthError;
+			let responseBody;
+			try {
+				const json = await res.json();
+				oauthError = json.error;
+				responseBody = truncateForLog(JSON.stringify({
+					...json.error ? { error: json.error } : {},
+					...json.error_description ? { error_description: json.error_description } : {}
+				}));
+			} catch {
+				try {
+					responseBody = truncateForLog(await res.text());
+				} catch {
+					responseBody = void 0;
+				}
+			}
+			return {
+				type: "failed",
+				error: `Device code request failed with HTTP ${res.status} ${res.statusText}`,
+				status: res.status,
+				...oauthError ? { oauthError } : {},
+				...responseBody ? { responseBody } : {}
+			};
+		}
+		const json = await res.json();
+		if (!json?.device_code || !json?.user_code || !json?.verification_uri || typeof json?.expires_in !== "number") return {
+			type: "failed",
+			error: "Device code response is missing required fields.",
+			responseBody: truncateForLog(JSON.stringify(json))
+		};
+		return {
+			type: "success",
+			flow: {
+				deviceCode: json.device_code,
+				userCode: json.user_code,
+				verificationUri: json.verification_uri,
+				verificationUriComplete: json.verification_uri_complete,
+				expiresIn: json.expires_in,
+				interval: typeof json.interval === "number" && json.interval > 0 ? json.interval : 5
+			}
+		};
+	} catch (error) {
+		return {
+			type: "failed",
+			error: `Device code request failed: ${error instanceof Error ? error.message : String(error)}`
+		};
+	}
+};
+const pollDeviceAuthorizationToken = async (deviceCode) => {
+	try {
+		const res = await fetch(TOKEN_URL, {
+			method: "POST",
+			headers: { "Content-Type": "application/x-www-form-urlencoded" },
+			body: new URLSearchParams({
+				grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+				device_code: deviceCode,
+				client_id: CLIENT_ID
+			})
+		});
+		if (res.ok) {
+			const json = await res.json();
+			if (!json?.access_token || !json?.refresh_token || typeof json?.expires_in !== "number") return {
+				type: "failed",
+				error: "Device token response is missing access_token/refresh_token/expires_in.",
+				responseBody: truncateForLog(JSON.stringify(json))
+			};
+			return {
+				type: "success",
+				access: json.access_token,
+				refresh: json.refresh_token,
+				expires: Date.now() + json.expires_in * 1e3,
+				idToken: json.id_token
+			};
+		}
+		let errorCode;
+		let interval;
+		let responseBody;
+		try {
+			const json = await res.json();
+			errorCode = json.error;
+			interval = json.interval;
+			responseBody = truncateForLog(JSON.stringify({
+				...json.error ? { error: json.error } : {},
+				...json.error_description ? { error_description: json.error_description } : {},
+				...typeof json.interval === "number" ? { interval: json.interval } : {}
+			}));
+		} catch {
+			try {
+				responseBody = truncateForLog(await res.text());
+			} catch {
+				responseBody = void 0;
+			}
+		}
+		if (errorCode === "authorization_pending") return {
+			type: "pending",
+			interval: typeof interval === "number" && interval > 0 ? interval : 5
+		};
+		if (errorCode === "slow_down") return {
+			type: "slow_down",
+			interval: typeof interval === "number" && interval > 0 ? interval : 10
+		};
+		if (errorCode === "access_denied") return { type: "access_denied" };
+		if (errorCode === "expired_token") return { type: "expired" };
+		return {
+			type: "failed",
+			error: `Device token polling failed with HTTP ${res.status} ${res.statusText}`,
+			status: res.status,
+			...errorCode ? { oauthError: errorCode } : {},
+			...responseBody ? { responseBody } : {}
+		};
+	} catch (error) {
+		return {
+			type: "failed",
+			error: `Device token polling request failed: ${error instanceof Error ? error.message : String(error)}`
+		};
+	}
+};
 const exchangeAuthorizationCode = async (code, verifier) => {
 	const res = await fetch(TOKEN_URL, {
 		method: "POST",
@@ -1067,12 +1327,236 @@ const startOAuthServer = (state) => {
 //#endregion
 //#region lib/oauth/login.ts
-const openBrowser = (url) => {
-	const result = openBrowserUrl(url);
-	if (!result.ok) {
-		const msg = result.error ?? "unknown error";
-		p.log.warning(`Could not auto-open browser via ${result.launcher.label} (${msg}).`);
+const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+const isLikelyRemoteEnvironment = () => {
+	if (process.platform !== "linux") return false;
+	if (process.env.SSH_CONNECTION || process.env.SSH_CLIENT || process.env.SSH_TTY) return true;
+	return !process.env.DISPLAY && !process.env.WAYLAND_DISPLAY;
+};
+const parseOAuthCallbackInput = (input) => {
+	const trimmed = input.trim();
+	if (!trimmed) return null;
+	if (!trimmed.includes("://") && !trimmed.includes("code=") && !trimmed.includes("?")) return { code: trimmed };
+	try {
+		const parsedUrl = new URL(trimmed);
+		const code = parsedUrl.searchParams.get("code");
+		if (code) return {
+			code,
+			state: parsedUrl.searchParams.get("state") ?? void 0
+		};
+	} catch {}
+	const queryLike = trimmed.startsWith("?") || trimmed.startsWith("#") ? trimmed.slice(1) : trimmed.includes("?") ? trimmed.slice(trimmed.indexOf("?") + 1) : trimmed;
+	const params = new URLSearchParams(queryLike);
+	const code = params.get("code");
+	if (!code) return null;
+	return {
+		code,
+		state: params.get("state") ?? void 0
+	};
+};
+const promptBrowserFallbackChoice = async () => {
+	const remoteHint = isLikelyRemoteEnvironment();
+	if (!process.stdin.isTTY || !process.stdout.isTTY) {
+		const selected = remoteHint ? "device" : "manual";
+		p.log.info(`Non-interactive terminal detected. Falling back to ${selected === "device" ? "device OAuth flow" : "manual URL copy/paste flow"}.`);
+		return selected;
+	}
+	const options = remoteHint ? [
+		{
+			value: "device",
+			label: "Use device OAuth flow",
+			hint: "Recommended on SSH/remote servers"
+		},
+		{
+			value: "manual",
+			label: "Finish manually by copying URL",
+			hint: "Open URL on any machine and paste callback URL/code back here"
+		},
+		{
+			value: "cancel",
+			label: "Cancel login"
+		}
+	] : [
+		{
+			value: "manual",
+			label: "Finish manually by copying URL",
+			hint: "Open URL on any machine and paste callback URL/code back here"
+		},
+		{
+			value: "device",
+			label: "Use device OAuth flow",
+			hint: "Best for headless/remote environments"
+		},
+		{
+			value: "cancel",
+			label: "Cancel login"
+		}
+	];
+	const selection = await p.select({
+		message: "Browser launcher is unavailable. How do you want to continue?",
+		options
+	});
+	if (p.isCancel(selection)) return "cancel";
+	return selection;
+};
+const promptManualAuthorizationCode = async (authorizationUrl, expectedState) => {
+	p.log.info("Manual login selected.");
+	p.log.message(`Open this URL in a browser:\n${authorizationUrl}`);
+	p.log.message("After approving, copy the full callback URL (or just the 'code' value) and paste it below.");
+	for (let attempt = 1; attempt <= 3; attempt += 1) {
+		const response = await p.text({
+			message: "Paste callback URL or authorization code:",
+			placeholder: "http://localhost:1455/auth/callback?code=...&state=..."
+		});
+		if (p.isCancel(response)) {
+			p.log.info("Login cancelled.");
+			return null;
+		}
+		const parsed = parseOAuthCallbackInput(String(response));
+		if (!parsed) {
+			p.log.warning("Could not parse input. Please paste a callback URL or code.");
+			continue;
+		}
+		if (parsed.state && parsed.state !== expectedState) {
+			p.log.error("State mismatch in callback URL. Please retry the login flow.");
+			return null;
+		}
+		return parsed.code;
+	}
+	p.log.error("Failed to parse callback input after multiple attempts.");
+	return null;
+};
+const runDeviceOAuthFlow = async (useSpinner) => {
+	const deviceFlowResult = await startDeviceAuthorizationFlow();
+	if (deviceFlowResult.type !== "success") {
+		p.log.error("Device OAuth flow is not available right now.");
+		p.log.error(`Technical details: ${deviceFlowResult.error}`);
+		if (typeof deviceFlowResult.status === "number") p.log.error(`HTTP status: ${deviceFlowResult.status}`);
+		if (deviceFlowResult.oauthError) p.log.error(`OAuth error: ${deviceFlowResult.oauthError}`);
+		if (deviceFlowResult.responseBody) p.log.error(`Response: ${deviceFlowResult.responseBody}`);
+		return null;
+	}
+	const deviceFlow = deviceFlowResult.flow;
+	p.log.info("Using device OAuth flow.");
+	p.log.message(`Verification URL: ${deviceFlow.verificationUri}`);
+	p.log.message(`User code: ${deviceFlow.userCode}`);
+	const launchResult = openBrowserUrl(deviceFlow.verificationUriComplete ?? deviceFlow.verificationUri);
+	if (!launchResult.ok) {
+		const msg = launchResult.error ?? "unknown error";
+		p.log.warning(`Could not auto-open verification URL via ${launchResult.launcher.label} (${msg}).`);
+	}
+	const spinner = useSpinner ? p.spinner() : null;
+	if (spinner) spinner.start("Waiting for device authorization...");
+	else p.log.message("Waiting for device authorization...");
+	let intervalMs = Math.max(deviceFlow.interval, 1) * 1e3;
+	const deadline = Date.now() + deviceFlow.expiresIn * 1e3;
+	while (Date.now() < deadline) {
+		await sleep(intervalMs);
+		const pollResult = await pollDeviceAuthorizationToken(deviceFlow.deviceCode);
+		if (pollResult.type === "success") {
+			if (spinner) spinner.stop("Device authorization completed.");
+			else p.log.success("Device authorization completed.");
+			return pollResult;
+		}
+		if (pollResult.type === "pending") {
+			intervalMs = Math.max(pollResult.interval, 1) * 1e3;
+			continue;
+		}
+		if (pollResult.type === "slow_down") {
+			intervalMs = Math.max(pollResult.interval, Math.ceil(intervalMs / 1e3) + 5) * 1e3;
+			continue;
+		}
+		if (pollResult.type === "access_denied") {
+			if (spinner) spinner.stop("Device authorization was denied.");
+			else p.log.error("Device authorization was denied.");
+			return null;
+		}
+		if (pollResult.type === "expired") {
+			if (spinner) spinner.stop("Device authorization expired.");
+			else p.log.error("Device authorization expired.");
+			return null;
+		}
+		if (spinner) spinner.stop("Device authorization failed.");
+		else p.log.error("Device authorization failed.");
+		if (pollResult.type === "failed") {
+			if (pollResult.error) p.log.error(`Technical details: ${pollResult.error}`);
+			if (typeof pollResult.status === "number") p.log.error(`HTTP status: ${pollResult.status}`);
+			if (pollResult.oauthError) p.log.error(`OAuth error: ${pollResult.oauthError}`);
+			if (pollResult.responseBody) p.log.error(`Response: ${pollResult.responseBody}`);
+		}
+		return null;
 	}
+	if (spinner) spinner.stop("Device authorization timed out.");
+	else p.log.error("Device authorization timed out.");
+	return null;
+};
+const requestTokenViaOAuth = async (flow, options) => {
+	if (options.authFlow === "device") return runDeviceOAuthFlow(options.useSpinner);
+	const server = await startOAuthServer(flow.state);
+	if (!server.ready) {
+		p.log.error("Failed to start local server on port 1455.");
+		p.log.info("Please ensure the port is not in use.");
+		return null;
+	}
+	const spinner = options.useSpinner ? p.spinner() : null;
+	let spinnerStarted = false;
+	p.log.info("Opening browser for authentication...");
+	const launchResult = openBrowserUrl(flow.url);
+	if (!launchResult.ok) {
+		const msg = launchResult.error ?? "unknown error";
+		p.log.warning(`Could not auto-open browser via ${launchResult.launcher.label} (${msg}).`);
+	}
+	p.log.message(`If your browser did not open, paste this URL:\n${flow.url}`);
+	if (launchResult.ok) {
+		if (spinner) {
+			spinner.start("Waiting for authentication...");
+			spinnerStarted = true;
+		}
+		const result = await server.waitForCode();
+		server.close();
+		if (!result) {
+			if (spinner) spinner.stop("Authentication timed out or failed.");
+			else p.log.warning("Authentication timed out or failed.");
+			return null;
+		}
+		if (spinner) spinner.message("Exchanging authorization code...");
+		else p.log.message("Exchanging authorization code...");
+		const tokenResult = await exchangeAuthorizationCode(result.code, flow.pkce.verifier);
+		if (tokenResult.type !== "success") {
+			if (spinner) spinner.stop("Failed to exchange authorization code.");
+			else p.log.error("Failed to exchange authorization code.");
+			return null;
+		}
+		if (spinner) spinner.stop("Authentication completed.");
+		return tokenResult;
+	}
+	const fallbackChoice = await promptBrowserFallbackChoice();
+	if (fallbackChoice === "cancel") {
+		server.close();
+		p.log.info("Login cancelled.");
+		return null;
+	}
+	if (fallbackChoice === "device") {
+		server.close();
+		return runDeviceOAuthFlow(options.useSpinner);
+	}
+	server.close();
+	const code = await promptManualAuthorizationCode(flow.url, flow.state);
+	if (!code) return null;
+	if (spinner) if (spinnerStarted) spinner.message("Exchanging authorization code...");
+	else {
+		spinner.start("Exchanging authorization code...");
+		spinnerStarted = true;
+	}
+	else p.log.message("Exchanging authorization code...");
+	const tokenResult = await exchangeAuthorizationCode(code, flow.pkce.verifier);
+	if (tokenResult.type !== "success") {
+		if (spinner) spinner.stop("Failed to exchange authorization code.");
+		else p.log.error("Failed to exchange authorization code.");
+		return null;
+	}
+	if (spinner) spinner.stop("Authentication completed.");
+	return tokenResult;
 };
 const addAccountToConfig = async (accountId, label) => {
 	let config;
@@ -1100,54 +1584,35 @@ const performRefresh = async (targetAccountId, label, options = {}) => {
 		const displayName = label ?? targetAccountId;
 		p.log.step(`Re-authenticating account "${displayName}"...`);
 		const useSpinner = options.useSpinner ?? true;
-		let flow;
-		try {
-			flow = await createAuthorizationFlow();
-		} catch (error) {
-			const msg = error instanceof Error ? error.message : String(error);
-			p.log.error(`Failed to create authorization flow: ${msg}`);
-			process.stderr.write(`Failed to create authorization flow: ${msg}\n`);
-			return null;
-		}
-		const server = await startOAuthServer(flow.state);
-		if (!server.ready) {
-			p.log.error("Failed to start local server on port 1455.");
-			p.log.info("Please ensure the port is not in use.");
-			return null;
-		}
-		const spinner = useSpinner ? p.spinner() : null;
-		p.log.info("Opening browser for authentication...");
-		openBrowser(flow.url);
-		p.log.message(`If your browser did not open, paste this URL:\n${flow.url}`);
-		if (spinner) spinner.start("Waiting for authentication...");
-		const result = await server.waitForCode();
-		server.close();
-		if (!result) {
-			if (spinner) spinner.stop("Authentication timed out or failed.");
-			else p.log.warning("Authentication timed out or failed.");
-			return null;
-		}
-		if (spinner) spinner.message("Exchanging authorization code...");
-		else p.log.message("Exchanging authorization code...");
-		const tokenResult = await exchangeAuthorizationCode(result.code, flow.pkce.verifier);
-		if (tokenResult.type === "failed") {
-			if (spinner) spinner.stop("Failed to exchange authorization code.");
-			else p.log.error("Failed to exchange authorization code.");
-			return null;
+		const authFlow = options.authFlow ?? "auto";
+		let tokenResult = null;
+		if (authFlow === "device") tokenResult = await runDeviceOAuthFlow(useSpinner);
+		else {
+			let flow;
+			try {
+				flow = await createAuthorizationFlow();
+			} catch (error) {
+				const msg = error instanceof Error ? error.message : String(error);
+				p.log.error(`Failed to create authorization flow: ${msg}`);
+				process.stderr.write(`Failed to create authorization flow: ${msg}\n`);
+				return null;
+			}
+			tokenResult = await requestTokenViaOAuth(flow, {
+				useSpinner,
+				authFlow
+			});
 		}
+		if (!tokenResult) return null;
 		const newAccountId = extractAccountId(tokenResult.access);
 		if (!newAccountId) {
-			if (spinner) spinner.stop("Failed to extract account ID from token.");
-			else p.log.error("Failed to extract account ID from token.");
+			p.log.error("Failed to extract account ID from token.");
 			return null;
 		}
 		if (newAccountId !== targetAccountId) {
-			if (spinner) spinner.stop("Authentication completed for a different account.");
-			else p.log.error("Authentication completed for a different account.");
+			p.log.error("Authentication completed for a different account.");
 			throw new Error(`Account mismatch: expected "${targetAccountId}" but got "${newAccountId}". Make sure you log in with the correct OpenAI account.`);
 		}
-		if (spinner) spinner.message("Updating credentials...");
-		else p.log.message("Updating credentials...");
+		if (!useSpinner) p.log.message("Updating credentials...");
 		const payload = {
 			refresh: tokenResult.refresh,
 			access: tokenResult.access,
@@ -1156,46 +1621,29 @@ const performRefresh = async (targetAccountId, label, options = {}) => {
 			...tokenResult.idToken ? { idToken: tokenResult.idToken } : {}
 		};
 		await getSecretStoreAdapter().save(newAccountId, payload);
-		if (spinner) spinner.stop("Credentials refreshed!");
-		else p.log.success("Credentials refreshed!");
+		p.log.success("Credentials refreshed!");
 		p.log.success(`Account "${displayName}" credentials updated in secure store.`);
 		return { accountId: newAccountId };
 	} finally {
 		clearInterval(keepAlive);
 	}
 };
-const performLogin = async () => {
+const performLogin = async (options = {}) => {
 	p.intro("cdx login - Add OpenAI account");
-	const flow = await createAuthorizationFlow();
-	const server = await startOAuthServer(flow.state);
-	if (!server.ready) {
-		p.log.error("Failed to start local server on port 1455.");
-		p.log.info("Please ensure the port is not in use.");
-		return null;
-	}
-	const spinner = p.spinner();
-	p.log.info("Opening browser for authentication...");
-	openBrowser(flow.url);
-	p.log.message(`If your browser did not open, paste this URL:\n${flow.url}`);
-	spinner.start("Waiting for authentication...");
-	const result = await server.waitForCode();
-	server.close();
-	if (!result) {
-		spinner.stop("Authentication timed out or failed.");
-		return null;
-	}
-	spinner.message("Exchanging authorization code...");
-	const tokenResult = await exchangeAuthorizationCode(result.code, flow.pkce.verifier);
-	if (tokenResult.type === "failed") {
-		spinner.stop("Failed to exchange authorization code.");
-		return null;
-	}
+	const authFlow = options.authFlow ?? "auto";
+	let tokenResult = null;
+	if (authFlow === "device") tokenResult = await runDeviceOAuthFlow(true);
+	else tokenResult = await requestTokenViaOAuth(await createAuthorizationFlow(), {
+		useSpinner: true,
+		authFlow
+	});
+	if (!tokenResult) return null;
 	const accountId = extractAccountId(tokenResult.access);
 	if (!accountId) {
-		spinner.stop("Failed to extract account ID from token.");
+		p.log.error("Failed to extract account ID from token.");
 		return null;
 	}
-	spinner.message("Saving credentials...");
+	p.log.message("Saving credentials...");
 	const payload = {
 		refresh: tokenResult.refresh,
 		access: tokenResult.access,
@@ -1204,7 +1652,7 @@ const performLogin = async () => {
 		...tokenResult.idToken ? { idToken: tokenResult.idToken } : {}
 	};
 	await getSecretStoreAdapter().save(accountId, payload);
-	spinner.stop("Login successful!");
+	p.log.success("Login successful!");
 	const labelInput = await p.text({
 		message: "Enter a label for this account (or press Enter to skip):",
 		placeholder: "e.g. Work, Personal"
@@ -1456,7 +1904,7 @@ const handleSwitchAccount = async () => {
 const handleAddAccount = async () => {
 	await performLogin();
 };
-const handleReloginAccount = async () => {
+const handleReloginAccount = async (reloginOptions = {}) => {
 	if (!configExists()) {
 		p.log.warning("No accounts configured. Use 'Add account' first.");
 		return;
@@ -1485,7 +1933,10 @@ const handleReloginAccount = async () => {
 	const displayName = account?.label ?? accountId;
 	p.log.info(`Current token status for ${displayName}: ${expiryState}`);
 	try {
-		const result = await performRefresh(accountId, account?.label, { useSpinner: false });
+		const result = await performRefresh(accountId, account?.label, {
+			useSpinner: false,
+			authFlow: reloginOptions.authFlow
+		});
 		if (!result) p.log.warning("Re-login was not completed.");
 		else {
 			const authResult = await writeActiveAuthFilesIfCurrent(result.accountId);
@@ -1814,6 +2265,30 @@ const registerDoctorCommand = (program) => {
 			process.stdout.write(`  Secret store: ${status.capabilities.secretStore.label} — ${secretStoreState}\n`);
 			const browserState = status.capabilities.browserLauncher.available ? "available" : "not found";
 			process.stdout.write(`  Browser launcher: ${status.capabilities.browserLauncher.label} — ${browserState}\n`);
+			if (process.platform === "win32") {
+				const secretStore = getSecretStoreAdapter();
+				process.stdout.write("\nWindows secure-store checks:\n");
+				if (status.accounts.length === 0) process.stdout.write("  No accounts configured in config.\n");
+				else {
+					let okCount = 0;
+					for (const account of status.accounts) {
+						const accountLabel = resolveLabel(account.accountId);
+						try {
+							await secretStore.load(account.accountId);
+							okCount += 1;
+							process.stdout.write(`  ${accountLabel}: credential payload load OK\n`);
+						} catch (error) {
+							if (isMissingSecretStoreEntryError(error)) {
+								process.stdout.write(`  ⚠ ${accountLabel}: missing secure-store entry for configured account\n`);
+								continue;
+							}
+							const message = error instanceof Error ? error.message : String(error);
+							process.stdout.write(`  ⚠ ${accountLabel}: secure-store load failed (${message})\n`);
+						}
+					}
+					process.stdout.write(`  Summary: ${okCount}/${status.accounts.length} configured account(s) passed secure-store load checks.\n`);
+				}
+			}
 			if (process.platform === "darwin" && !options.checkKeychainAcl) {
 				process.stdout.write("  ┌─ Optional keychain ACL check\n");
 				process.stdout.write("  │  Run: cdx doctor --check-keychain-acl\n");
@@ -1909,9 +2384,9 @@ const registerLabelCommand = (program) => {
 //#region lib/commands/login.ts
 const registerLoginCommand = (program, deps = {}) => {
 	const runLogin = deps.performLogin ?? performLogin;
-	program.command("login").description("Add a new OpenAI account via OAuth").action(async () => {
+	program.command("login").description("Add a new OpenAI account via OAuth").option("--device-flow", "Use OAuth device flow instead of browser callback flow").action(async (options) => {
 		try {
-			if (!await runLogin()) {
+			if (!await runLogin({ authFlow: options.deviceFlow ? "device" : "auto" })) {
 				process.stderr.write("Login failed.\n");
 				process.exit(1);
 			}
@@ -2061,8 +2536,9 @@ const writeUpdatedAuthSummary = (result) => {
 //#endregion
 //#region lib/commands/refresh.ts
 const registerReloginCommand = (program) => {
-	program.command("relogin").description("Re-authenticate an existing account with full OAuth login (no duplicate account)").argument("[account]", "Account ID or label to re-login").action(async (account) => {
+	program.command("relogin").description("Re-authenticate an existing account with full OAuth login (no duplicate account)").option("--device-flow", "Use OAuth device flow instead of browser callback flow").argument("[account]", "Account ID or label to re-login").action(async (account, options) => {
 		try {
+			const authFlow = options.deviceFlow ? "device" : "auto";
 			if (account) {
 				const target = (await loadConfig()).accounts.find((entry) => entry.accountId === account || entry.label === account);
 				if (!target) throw new Error(`Account "${account}" not found. Use 'cdx login' to add it.`);
@@ -2077,7 +2553,7 @@ const registerReloginCommand = (program) => {
 				}
 				else secureStoreState = " [no secure store entry]";
 				process.stdout.write(`Current token status for ${displayName}: ${expiryState}${secureStoreState}\n`);
-				const result = await performRefresh(target.accountId, target.label);
+				const result = await performRefresh(target.accountId, target.label, { authFlow });
 				if (!result) {
 					process.stderr.write("Re-login failed.\n");
 					process.exit(1);
@@ -2086,7 +2562,7 @@ const registerReloginCommand = (program) => {
 				if (authResult) writeUpdatedAuthSummary(authResult);
 				return;
 			}
-			await handleReloginAccount();
+			await handleReloginAccount({ authFlow });
 		} catch (error) {
 			exitWithCommandError(error);
 		}
@@ -2406,6 +2882,66 @@ const getCompletionParseArgs = (argv) => {
 	if (separatorIndex === -1 || separatorIndex <= completeIndex) return null;
 	return argv.slice(separatorIndex + 1);
 };
+const readCompletionAccounts = () => {
+	try {
+		const { configPath } = getPaths();
+		if (!existsSync(configPath)) return [];
+		const raw = readFileSync(configPath, "utf8");
+		const parsed = JSON.parse(raw);
+		if (!Array.isArray(parsed.accounts)) return [];
+		const accounts = [];
+		for (const account of parsed.accounts) {
+			if (typeof account.accountId !== "string" || !account.accountId.trim()) continue;
+			accounts.push({
+				accountId: account.accountId,
+				...typeof account.label === "string" && account.label.trim() ? { label: account.label } : {}
+			});
+		}
+		return accounts;
+	} catch {
+		return [];
+	}
+};
+const addConfiguredAccountCompletions = (complete) => {
+	const accounts = readCompletionAccounts();
+	const seen = /* @__PURE__ */ new Set();
+	for (const account of accounts) {
+		if (!seen.has(account.accountId)) {
+			seen.add(account.accountId);
+			const description = account.label ? `Account ID (${account.label})` : "Account ID";
+			complete(account.accountId, description);
+		}
+		if (account.label && !seen.has(account.label)) {
+			seen.add(account.label);
+			complete(account.label, `Label for ${account.accountId}`);
+		}
+	}
+};
+const attachAccountArgumentCompletion = (completion, commandName, argumentName) => {
+	const command = completion.commands.get(commandName);
+	if (!command) return;
+	command.argument(argumentName, (complete) => {
+		addConfiguredAccountCompletions(complete);
+	});
+};
+const configureTabCompletion = (completion) => {
+	const secretStoreOption = completion.options.get("secret-store");
+	if (secretStoreOption) secretStoreOption.handler = (complete) => {
+		complete("auto", "Automatic backend selection");
+		complete("legacy-keychain", "macOS legacy keychain backend");
+	};
+	attachAccountArgumentCompletion(completion, "switch", "account-id");
+	attachAccountArgumentCompletion(completion, "relogin", "account");
+	attachAccountArgumentCompletion(completion, "usage", "account");
+	attachAccountArgumentCompletion(completion, "label", "account");
+	const helpCommand = completion.commands.get("help");
+	if (helpCommand) helpCommand.argument("command", (complete) => {
+		for (const [name, command] of completion.commands.entries()) {
+			if (name === "") continue;
+			complete(name, command.description || "Command");
+		}
+	});
+};
 const getMacOSKeychainPromptWarning = (selection, platform = process.platform, backendId = null) => {
 	if (platform !== "darwin") return null;
 	if (selection === "legacy-keychain") return "⚠ macOS keychain is using the legacy security CLI backend. Touch ID may not be offered for keychain prompts.";
@@ -2451,6 +2987,7 @@ const createProgram = (deps = {}) => {
 const main = async () => {
 	const program = createProgram();
 	const completion = tab(program);
+	configureTabCompletion(completion);
 	const completionArgs = getCompletionParseArgs(process.argv);
 	if (completionArgs) {
 		completion.parse(completionArgs);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@bjesuiter/codex-switcher",
-  "version": "1.5.1",
+  "version": "1.7.2",
   "type": "module",
   "description": "CLI tool to switch between multiple OpenAI accounts for OpenCode",
   "bin": {
@@ -24,6 +24,7 @@
     "@bomb.sh/tab": "^0.0.13",
     "@clack/prompts": "^1.0.0",
     "@openauthjs/openauth": "^0.4.3",
+    "age-encryption": "^0.3.0",
     "commander": "^14.0.3"
   }
 }