@harars/opencode-switch-openai-auth-plugin 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,106 @@
+# opencode-switch-openai-auth-plugin
+
+OpenCode TUI plugin for saving and switching between multiple OpenAI OAuth accounts with a single `/switch` command.
+
+## Features
+
+- one `/switch` command for login, switch, and remove
+- reuses the native OpenCode OpenAI OAuth flow
+- stores saved accounts in a plugin-owned JSON file
+- switches only `auth.json.openai` when you pick an account
+- keeps saved-account removal separate from active auth
+- supports multiple credentials for the same email by keying entries from the refresh token hash
+
+## Behavior
+
+The `/switch` dialog can show:
+
+- `login`
+- saved accounts
+- `logout`
+
+Saved accounts are displayed with:
+
+- title: email, or account id, or generated fallback key
+- footer: `Current` for the active credential
+
+`login` behavior:
+
+- calls the native OpenCode provider auth flow for `openai`
+- rereads the active OpenAI auth after OAuth completes
+- saves that credential into `auth-switch/accounts.json`
+
+`switch` behavior:
+
+- writes the selected saved credential into `auth.json.openai`
+- refreshes host auth state when runtime support is available
+
+`logout` behavior:
+
+- removes a saved credential from the plugin store
+- does not delete the currently active OpenAI auth from `auth.json`
+
+## Storage
+
+Plugin account store locations:
+
+- Linux: `~/.local/share/opencode/auth-switch/accounts.json`
+- macOS: `~/Library/Application Support/opencode/auth-switch/accounts.json`
+- Windows: `%LOCALAPPDATA%/opencode/auth-switch/accounts.json`
+
+`OPENCODE_TEST_HOME` is supported for tests.
+
+## Local Development
+
+Install dependencies:
+
+```bash
+bun install
+```
+
+Run checks:
+
+```bash
+bun test
+bunx tsc -p tsconfig.json --noEmit
+```
+
+## Loading The Plugin
+
+After publishing to npm, add the package name directly to your OpenCode `tui.json`.
+
+Example:
+
+```json
+{
+  "plugin": [
+    "@harars/opencode-switch-openai-auth-plugin"
+  ],
+  "plugin_enabled": {
+    "harars.switch-auth": true
+  }
+}
+```
+
+This package is published as source files so OpenCode can load the TUI entry directly from the installed package.
+
+For local development, you can still point `tui.json` at a local file path.
+
+Example local file setup:
+
+```json
+{
+  "plugin": [
+    "file:///absolute/path/to/opencode-switch-openai-auth-plugin/src/tui.tsx"
+  ],
+  "plugin_enabled": {
+    "harars.switch-auth": true
+  }
+}
+```
+
+## Package
+
+- package name: `@harars/opencode-switch-openai-auth-plugin`
+- plugin id: `harars.switch-auth`
+- license: MIT

package/package.json

@@ -0,0 +1,57 @@
+{
+  "name": "@harars/opencode-switch-openai-auth-plugin",
+  "version": "0.1.0",
+  "description": "OpenCode TUI plugin for switching saved OpenAI OAuth accounts",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/HArars/opencode-switch-openai-auth-plugin.git"
+  },
+  "homepage": "https://github.com/HArars/opencode-switch-openai-auth-plugin#readme",
+  "bugs": {
+    "url": "https://github.com/HArars/opencode-switch-openai-auth-plugin/issues"
+  },
+  "keywords": [
+    "opencode",
+    "plugin",
+    "tui",
+    "openai",
+    "oauth",
+    "auth",
+    "account-switcher"
+  ],
+  "type": "module",
+  "license": "MIT",
+  "main": "./src/index.ts",
+  "exports": {
+    ".": "./src/index.ts",
+    "./tui": "./src/tui.tsx"
+  },
+  "engines": {
+    "opencode": "^1.0.0"
+  },
+  "oc-plugin": [["tui", {
+    "compact": true
+  }]],
+  "scripts": {
+    "build": "bun ./scripts/build.ts",
+    "typecheck": "bunx tsc -p tsconfig.json --noEmit",
+    "test": "bun test"
+  },
+  "files": [
+    "src",
+    "README.md",
+    "LICENSE"
+  ],
+  "peerDependencies": {
+    "@opencode-ai/plugin": "^1.0.0"
+  },
+  "dependencies": {
+    "@opentui/core": "^0.1.93",
+    "@opentui/solid": "^0.1.93",
+    "solid-js": "^1.9.12"
+  },
+  "devDependencies": {
+    "bun-types": "^1.3.11",
+    "typescript": "^6.0.2"
+  }
+}

package/src/format.ts

@@ -0,0 +1,27 @@
+import type { StoredAccount } from "./types"
+
+function short(id?: string) {
+  if (!id) return
+  if (id.length <= 12) return id
+  return `${id.slice(0, 6)}...${id.slice(-4)}`
+}
+
+export function accountTitle(account: StoredAccount) {
+  return account.email || account.accountId || account.id
+}
+
+export function accountDescription(account: StoredAccount, current: boolean) {
+  return short(account.accountId)
+}
+
+export function accountFooter(current: boolean) {
+  return current ? "Current" : undefined
+}
+
+export function loginTitle() {
+  return "login"
+}
+
+export function logoutTitle(has: boolean) {
+  return has ? "logout" : "logout unavailable"
+}

package/src/index.ts

@@ -0,0 +1 @@
+export { default } from "./tui"

package/src/login.tsx

@@ -0,0 +1,297 @@
+/** @jsxImportSource @opentui/solid */
+import { TextAttributes } from "@opentui/core"
+import type { TuiPluginApi } from "@opencode-ai/plugin/tui"
+import { useKeyboard } from "@opentui/solid"
+import type { OAuthAuthz, ProviderMethod, ProviderPrompt } from "./types"
+import { readCurrentAuth, upsertSavedAccount } from "./store"
+
+type OAuthMethod = {
+  index: number
+  method: ProviderMethod
+}
+
+function visible(prompt: ProviderPrompt, values: Record<string, string>) {
+  if (!prompt.when) return true
+  const cur = values[prompt.when.key]
+  if (prompt.when.op === "eq") return cur === prompt.when.value
+  return cur !== prompt.when.value
+}
+
+function same(prev: Awaited<ReturnType<typeof readCurrentAuth>>, next: Awaited<ReturnType<typeof readCurrentAuth>>) {
+  if (!prev || !next) return false
+  return prev.refresh === next.refresh
+}
+
+function clip(text: string) {
+  if (process.stdout.isTTY) {
+    const base64 = Buffer.from(text).toString("base64")
+    const osc52 = `\x1b]52;c;${base64}\x07`
+    const seq = process.env.TMUX || process.env.STY ? `\x1bPtmux;\x1b${osc52}\x1b\\` : osc52
+    process.stdout.write(seq)
+  }
+
+  const cmds = process.platform === "darwin"
+    ? [["pbcopy"]]
+    : process.platform === "win32"
+      ? [["clip"]]
+      : [["wl-copy"], ["xclip", "-selection", "clipboard"], ["xsel", "--clipboard", "--input"]]
+
+  return Promise.any(
+    cmds.map(async (cmd) => {
+      const proc = Bun.spawn({
+        cmd,
+        stdin: "pipe",
+        stdout: "ignore",
+        stderr: "ignore",
+      })
+      await proc.stdin.write(new TextEncoder().encode(text))
+      proc.stdin.end()
+      const code = await proc.exited
+      if (code !== 0) throw new Error("copy failed")
+    }),
+  ).catch(() => {})
+}
+
+function target(authz: OAuthAuthz) {
+  return authz.instructions.match(/[A-Z0-9]{4}-[A-Z0-9]{4,5}/)?.[0] ?? authz.url
+}
+
+function bind(api: TuiPluginApi, authz: OAuthAuthz) {
+  useKeyboard((evt) => {
+    if (evt.name !== "c" || evt.ctrl || evt.meta) return
+    evt.preventDefault()
+    evt.stopPropagation()
+    void clip(target(authz))
+      .then(() => api.ui.toast({ variant: "info", message: "Copied to clipboard" }))
+  })
+}
+
+function WaitView(props: { api: TuiPluginApi; title: string; authz: OAuthAuthz }) {
+  bind(props.api, props.authz)
+  return (
+    <box paddingLeft={2} paddingRight={2} gap={1} paddingBottom={1}>
+      <text attributes={TextAttributes.BOLD}>{props.title}</text>
+      <text>{props.authz.instructions}</text>
+      <text>{props.authz.url}</text>
+      <text>Waiting for authorization...</text>
+      <text>Press c to copy the link</text>
+    </box>
+  )
+}
+
+function CodePrompt(props: {
+  api: TuiPluginApi
+  title: string
+  authz: OAuthAuthz
+  onConfirm: (value: string) => void
+  onCancel: () => void
+}) {
+  bind(props.api, props.authz)
+  return (
+    <props.api.ui.DialogPrompt
+      title={props.title}
+      placeholder="Authorization code"
+      onConfirm={props.onConfirm}
+      onCancel={props.onCancel}
+      description={() => (
+        <box gap={1}>
+          <text>{props.authz.instructions}</text>
+          <text>{props.authz.url}</text>
+          <text>Press c to copy the code</text>
+        </box>
+      )}
+    />
+  )
+}
+
+function wait(api: TuiPluginApi, title: string, authz: OAuthAuthz, run: () => Promise<void>) {
+  api.ui.dialog.replace(() => <WaitView api={api} title={title} authz={authz} />)
+  void run()
+}
+
+async function choose(api: TuiPluginApi, methods: OAuthMethod[]) {
+  if (methods.length === 1) return 0
+  return await new Promise<number | null>((resolve) => {
+    api.ui.dialog.replace(
+      () => (
+        <api.ui.DialogSelect
+          title="Select auth method"
+          options={methods.map((item, index) => ({ title: item.method.label, value: index }))}
+          onSelect={(item) => resolve(item.value)}
+        />
+      ),
+      () => resolve(null),
+    )
+  })
+}
+
+async function ask(api: TuiPluginApi, title: string, prompt: ProviderPrompt) {
+  if (prompt.type === "text") {
+    return await new Promise<string | null>((resolve) => {
+      api.ui.dialog.replace(
+        () => (
+          <box paddingLeft={2} paddingRight={2} paddingTop={2} paddingBottom={2}>
+            <api.ui.DialogPrompt
+              title={title}
+              placeholder={prompt.placeholder}
+              onConfirm={(value) => resolve(value)}
+              onCancel={() => resolve(null)}
+              description={() => <text>{prompt.message}</text>}
+            />
+          </box>
+        ),
+        () => resolve(null),
+      )
+    })
+  }
+  return await new Promise<string | null>((resolve) => {
+    api.ui.dialog.replace(
+      () => (
+        <box paddingLeft={2} paddingRight={2} paddingTop={2} paddingBottom={2}>
+          <api.ui.DialogSelect
+            title={prompt.message}
+            options={(prompt.options ?? []).map((item) => ({
+              title: item.label,
+              value: item.value,
+              description: item.hint,
+            }))}
+            onSelect={(item) => resolve(item.value)}
+          />
+        </box>
+      ),
+      () => resolve(null),
+    )
+  })
+}
+
+async function prompts(api: TuiPluginApi, title: string, method: ProviderMethod) {
+  const values: Record<string, string> = {}
+  for (const prompt of method.prompts ?? []) {
+    if (!visible(prompt, values)) continue
+    const value = await ask(api, title, prompt)
+    if (value == null) return
+    values[prompt.key] = value
+  }
+  return values
+}
+
+async function save(api: TuiPluginApi, prev?: Awaited<ReturnType<typeof readCurrentAuth>>) {
+  let activeUpdated = false
+  try {
+    const client = api.client as TuiPluginApi["client"] & {
+      sync?: { bootstrap?: () => Promise<void> }
+    }
+    if (typeof api.client.instance.dispose === "function") {
+      await api.client.instance.dispose()
+    }
+    if (typeof client.sync?.bootstrap === "function") {
+      await client.sync.bootstrap()
+    }
+    const auth = await readCurrentAuth()
+    if (!auth) {
+      api.ui.toast({ variant: "error", message: "Login completed, but saved account could not be loaded" })
+      return false
+    }
+    activeUpdated = true
+    if (same(prev, auth)) {
+      api.ui.toast({ variant: "warning", message: "Login completed, but OpenAI account did not change" })
+      return false
+    }
+    await upsertSavedAccount(auth)
+    return true
+  } catch {
+    api.ui.toast({
+      variant: "error",
+      message: activeUpdated
+        ? "Login completed, but saving the account failed"
+        : "Login completed, but account sync failed",
+    })
+    return false
+  }
+}
+
+async function code(api: TuiPluginApi, index: number, method: ProviderMethod, authz: OAuthAuthz) {
+  const prev = await readCurrentAuth()
+  const ok = await new Promise<boolean>((resolve) => {
+    api.ui.dialog.replace(
+      () => (
+        <CodePrompt
+          api={api}
+          title={method.label}
+          authz={authz}
+          onConfirm={async (value) => {
+            const res = await api.client.provider.oauth.callback({ providerID: "openai", method: index, code: value })
+            resolve(!res.error)
+          }}
+          onCancel={() => resolve(false)}
+        />
+      ),
+      () => resolve(false),
+    )
+  })
+  if (!ok) {
+    api.ui.toast({ variant: "error", message: "Login failed" })
+    return false
+  }
+  return save(api, prev)
+}
+
+async function auto(api: TuiPluginApi, index: number, method: ProviderMethod, authz: OAuthAuthz) {
+  const prev = await readCurrentAuth()
+  const ok = await new Promise<boolean>((resolve) => {
+    wait(api, method.label, authz, async () => {
+      const res = await api.client.provider.oauth.callback({ providerID: "openai", method: index })
+      resolve(!res.error)
+    })
+  })
+  if (!ok) {
+    api.ui.toast({ variant: "error", message: "Login failed" })
+    return false
+  }
+  return save(api, prev)
+}
+
+export async function hasLogin(api: TuiPluginApi) {
+  try {
+    const res = await api.client.provider.auth()
+    const methods = (res.data?.openai ?? []) as ProviderMethod[]
+    return methods.some((item) => item.type === "oauth")
+  } catch {
+    return false
+  }
+}
+
+export async function loginOpenAI(api: TuiPluginApi) {
+  try {
+    const auth = await api.client.provider.auth()
+    const methods = ((auth.data?.openai ?? []) as ProviderMethod[])
+      .map((method, index) => ({ method, index }))
+      .filter((item) => item.method.type === "oauth")
+    if (!methods.length) {
+      api.ui.toast({ variant: "error", message: "OpenAI OAuth login unavailable" })
+      return false
+    }
+    const index = await choose(api, methods)
+    if (index == null) return false
+    const picked = methods[index]
+    const method = picked.method
+    const inputs = await prompts(api, method.label, method)
+    if (method.prompts?.length && !inputs) return false
+    const authz = await api.client.provider.oauth.authorize({
+      providerID: "openai",
+      method: picked.index,
+      inputs,
+    })
+    if (authz.error || !authz.data) {
+      api.ui.toast({ variant: "error", message: "Login failed" })
+      return false
+    }
+    if (authz.data.method === "code") return code(api, picked.index, method, authz.data as OAuthAuthz)
+    if (authz.data.method === "auto") return auto(api, picked.index, method, authz.data as OAuthAuthz)
+    api.ui.toast({ variant: "error", message: "Unsupported auth method" })
+    return false
+  } catch {
+    api.ui.toast({ variant: "error", message: "Login failed" })
+    return false
+  }
+}

package/src/parse.ts

@@ -0,0 +1,73 @@
+import { createHash } from "node:crypto"
+import type { Claims, OpenAIAuth, StoreEntry } from "./types"
+
+function text(v: unknown) {
+  return typeof v === "string" && v.trim() ? v : undefined
+}
+
+function obj(v: unknown) {
+  return v && typeof v === "object" ? (v as Record<string, unknown>) : undefined
+}
+
+export function parseJwtClaims(token: string): Claims {
+  const part = token.split(".")[1]
+  if (!part) return {}
+  try {
+    return JSON.parse(Buffer.from(part, "base64url").toString("utf8")) as Claims
+  } catch {
+    return {}
+  }
+}
+
+export function extractEmail(auth: OpenAIAuth) {
+  const claims = parseJwtClaims(auth.access)
+  const direct = text(claims["https://api.openai.com/profile.email"])
+  if (direct) return direct
+  return text(obj(claims["https://api.openai.com/profile"] as unknown)?.email)
+}
+
+export function extractPlan(auth: OpenAIAuth) {
+  return text(parseJwtClaims(auth.access)["https://api.openai.com/auth.chatgpt_plan_type"])
+}
+
+export function extractAccountId(auth: OpenAIAuth) {
+  if (text(auth.accountId)) return text(auth.accountId)
+  const claims = parseJwtClaims(auth.access)
+  const direct = text(claims.chatgpt_account_id)
+  if (direct) return direct
+  const namespaced = text(claims["https://api.openai.com/auth.chatgpt_account_id"])
+  if (namespaced) return namespaced
+  const orgs = claims.organizations
+  if (!Array.isArray(orgs) || !orgs.length) return
+  return text(obj(orgs[0])?.id)
+}
+
+export function fallback(refresh: string) {
+  return `fallback:${createHash("sha256").update(refresh).digest("hex").slice(0, 16)}`
+}
+
+export function key(auth: OpenAIAuth) {
+  return fallback(auth.refresh)
+}
+
+export function entryFromAuth(auth: OpenAIAuth, now = Date.now()): StoreEntry {
+  return {
+    key: key(auth),
+    email: extractEmail(auth),
+    accountId: extractAccountId(auth),
+    plan: extractPlan(auth),
+    savedAt: now,
+    auth: clean(auth),
+  }
+}
+
+export function clean(auth: OpenAIAuth): OpenAIAuth {
+  return {
+    type: "oauth",
+    refresh: auth.refresh,
+    access: auth.access,
+    expires: auth.expires,
+    ...(text(auth.accountId) ? { accountId: auth.accountId } : {}),
+    ...(text(auth.enterpriseUrl) ? { enterpriseUrl: auth.enterpriseUrl } : {}),
+  }
+}

package/src/paths.ts

@@ -0,0 +1,27 @@
+import os from "node:os"
+import path from "node:path"
+
+export function dataPath() {
+  if (process.env.OPENCODE_TEST_HOME) {
+    return path.join(process.env.OPENCODE_TEST_HOME, ".local", "share", "opencode")
+  }
+  if (process.env.XDG_DATA_HOME) return path.join(process.env.XDG_DATA_HOME, "opencode")
+  if (process.platform === "darwin") return path.join(os.homedir(), "Library", "Application Support", "opencode")
+  if (process.platform === "win32") {
+    const root = process.env.LOCALAPPDATA || process.env.APPDATA
+    if (root) return path.join(root, "opencode")
+  }
+  return path.join(os.homedir(), ".local", "share", "opencode")
+}
+
+export function authPath() {
+  return path.join(dataPath(), "auth.json")
+}
+
+export function storeDir() {
+  return path.join(dataPath(), "auth-switch")
+}
+
+export function storePath() {
+  return path.join(storeDir(), "accounts.json")
+}

package/src/store.ts

@@ -0,0 +1,244 @@
+import fs from "node:fs/promises"
+import path from "node:path"
+import type { OpenAIAuth, StoreEntry, StoreFile, StoreLoad, StoredAccount } from "./types"
+import { authPath, storeDir, storePath } from "./paths"
+import { clean, entryFromAuth, extractAccountId, extractEmail, fallback } from "./parse"
+
+function obj(v: unknown) {
+  return v && typeof v === "object" ? (v as Record<string, unknown>) : undefined
+}
+
+function text(v: unknown) {
+  return typeof v === "string" && v.trim() ? v : undefined
+}
+
+function num(v: unknown) {
+  return typeof v === "number" && Number.isFinite(v) ? v : undefined
+}
+
+export function validAuth(v: unknown): v is OpenAIAuth {
+  const item = obj(v)
+  if (!item) return false
+  if (item.type !== "oauth") return false
+  if (!text(item.refresh) || !text(item.access) || num(item.expires) === undefined) return false
+  if (item.accountId !== undefined && !text(item.accountId)) return false
+  if (item.enterpriseUrl !== undefined && !text(item.enterpriseUrl)) return false
+  return true
+}
+
+function validEntry(id: string, v: unknown): v is StoreEntry {
+  const item = obj(v)
+  if (!item || item.key !== id) return false
+  if (item.email !== undefined && !text(item.email)) return false
+  if (item.accountId !== undefined && !text(item.accountId)) return false
+  if (item.plan !== undefined && !text(item.plan)) return false
+  if (num(item.savedAt) === undefined) return false
+  if (item.lastUsedAt !== undefined && num(item.lastUsedAt) === undefined) return false
+  return validAuth(item.auth)
+}
+
+async function readJson(file: string) {
+  const data = Bun.file(file)
+  if (!(await data.exists())) return
+  const raw = (await data.text()).trim()
+  if (!raw) return
+  return JSON.parse(raw) as unknown
+}
+
+async function writeJson(file: string, value: unknown) {
+  await fs.mkdir(storeDir(), { recursive: true })
+  await Bun.write(file, `${JSON.stringify(value, null, 2)}\n`)
+}
+
+function hydrateAccount(id: string, item: StoreEntry): StoredAccount {
+  return {
+    ...item,
+    id,
+    email: item.email || extractEmail(item.auth),
+    accountId: item.accountId || extractAccountId(item.auth),
+  }
+}
+
+function normalizeEntries(entries: Record<string, unknown>) {
+  const normalized: Record<string, StoreEntry> = {}
+  let changed = false
+
+  for (const [id, value] of Object.entries(entries)) {
+    if (!validEntry(id, value)) {
+      const item = obj(value)
+      if (!item || !validAuth(item.auth)) {
+        changed = true
+        continue
+      }
+      const auth = clean(item.auth)
+      const nextKey = fallback(auth.refresh)
+      normalized[nextKey] = {
+        key: nextKey,
+        email: text(item.email) || extractEmail(auth),
+        accountId: text(item.accountId) || extractAccountId(auth),
+        plan: text(item.plan),
+        savedAt: num(item.savedAt) ?? Date.now(),
+        ...(num(item.lastUsedAt) !== undefined ? { lastUsedAt: num(item.lastUsedAt) } : {}),
+        auth,
+      }
+      changed = true
+      continue
+    }
+
+    const nextKey = fallback(value.auth.refresh)
+    if (nextKey !== id || value.key !== nextKey) changed = true
+    normalized[nextKey] = {
+      ...value,
+      key: nextKey,
+      auth: clean(value.auth),
+    }
+  }
+
+  return { normalized, changed }
+}
+
+export async function readCurrentAuth() {
+  const raw = await readJson(authPath())
+  const data = obj(raw)
+  if (!data) return
+  const auth = data.openai
+  if (!validAuth(auth)) return
+  return clean(auth)
+}
+
+export async function writeCurrentOpenAI(auth: OpenAIAuth) {
+  const raw = (await readJson(authPath())) ?? {}
+  const next = obj(raw) ?? {}
+  next.openai = clean(auth)
+  await fs.mkdir(path.dirname(authPath()), { recursive: true })
+  await Bun.write(authPath(), `${JSON.stringify(next, null, 2)}\n`)
+}
+
+export async function readStore(): Promise<StoreLoad> {
+  const raw = await readJson(storePath())
+  if (raw === undefined) return { ok: false, reason: "missing" }
+  const root = obj(raw)
+  const map = obj(root?.openai)
+  if (!root || root.version !== 1 || !map) return { ok: false, reason: "malformed" }
+  const { normalized, changed } = normalizeEntries(map)
+  if (changed) {
+    await writeStore({ version: 1, openai: normalized })
+  }
+  return {
+    ok: true,
+    store: {
+      version: 1,
+      openai: normalized,
+    },
+  }
+}
+
+export async function writeStore(store: StoreFile) {
+  await writeJson(storePath(), store)
+}
+
+export async function readAllAccounts() {
+  const load = await readStore()
+  if (!load.ok) return load
+  return {
+    ok: true as const,
+    accounts: Object.entries(load.store.openai)
+      .filter(([id, item]) => validEntry(id, item))
+      .map(([id, item]) => hydrateAccount(id, item)),
+  }
+}
+
+export async function pruneInvalidAccounts() {
+  const load = await readStore()
+  if (!load.ok) return load
+  const next = Object.fromEntries(Object.entries(load.store.openai).filter(([id, item]) => validEntry(id, item)))
+  if (Object.keys(next).length !== Object.keys(load.store.openai).length) {
+    await writeStore({ version: 1, openai: next })
+  }
+  return {
+    ok: true as const,
+    accounts: Object.entries(next).map(([id, item]) => hydrateAccount(id, item)),
+  }
+}
+
+export async function currentAccountId() {
+  const auth = await readCurrentAuth()
+  if (!auth) return
+  return fallback(auth.refresh)
+}
+
+function match(list: StoredAccount[], auth: OpenAIAuth) {
+  return list.find((item) => {
+    if (item.auth.refresh === auth.refresh) return true
+    return item.id === fallback(auth.refresh)
+  })?.id
+}
+
+export async function upsertSavedAccount(auth: OpenAIAuth) {
+  const base = entryFromAuth(auth)
+  const load = await readStore()
+  const store = load.ok ? load.store : { version: 1 as const, openai: {} }
+  const list = Object.entries(store.openai)
+  const match = list.find(([id, item]) => {
+    if (!validEntry(id, item)) return false
+    return item.auth.refresh === auth.refresh || id === base.key
+  })
+  const prev = match?.[1]
+  const next: StoreEntry = {
+    ...base,
+    savedAt: prev?.savedAt ?? base.savedAt,
+    lastUsedAt: prev?.lastUsedAt,
+  }
+  const out = Object.fromEntries(
+    list.filter(([id]) => id !== match?.[0]).filter(([id, item]) => validEntry(id, item)),
+  ) as Record<string, StoreEntry>
+  out[next.key] = next
+  await writeStore({ version: 1, openai: out })
+  return { ...next, id: next.key }
+}
+
+function sort(list: StoredAccount[], cur?: string) {
+  return [...list].sort((a, b) => {
+    const ac = a.id === cur ? 1 : 0
+    const bc = b.id === cur ? 1 : 0
+    if (ac !== bc) return bc - ac
+    if ((b.lastUsedAt ?? 0) !== (a.lastUsedAt ?? 0)) return (b.lastUsedAt ?? 0) - (a.lastUsedAt ?? 0)
+    if (b.savedAt !== a.savedAt) return b.savedAt - a.savedAt
+    return (a.email || a.accountId || a.id).localeCompare(b.email || b.accountId || b.id)
+  })
+}
+
+export async function listAccounts() {
+  const load = await pruneInvalidAccounts()
+  if (!load.ok) return load
+  const auth = await readCurrentAuth()
+  const cur = auth ? match(load.accounts, auth) ?? fallback(auth.refresh) : undefined
+  return { ok: true as const, accounts: sort(load.accounts, cur), current: cur }
+}
+
+export async function switchAccount(id: string) {
+  const load = await readStore()
+  if (!load.ok) throw new Error("account store unavailable")
+  const item = load.store.openai[id]
+  if (!validEntry(id, item)) throw new Error("saved account not found")
+  await writeCurrentOpenAI(item.auth)
+  await writeStore({
+    version: 1,
+    openai: {
+      ...load.store.openai,
+      [id]: {
+        ...item,
+        lastUsedAt: Date.now(),
+      },
+    },
+  })
+}
+
+export async function deleteSavedAccount(id: string) {
+  const load = await readStore()
+  if (!load.ok) throw new Error("account store unavailable")
+  if (!(id in load.store.openai)) throw new Error("saved account not found")
+  const next = { ...load.store.openai }
+  delete next[id]
+  await writeStore({ version: 1, openai: next })
+}

package/src/tui.tsx

@@ -0,0 +1,194 @@
+/** @jsxImportSource @opentui/solid */
+import type { TuiCommand, TuiPlugin, TuiPluginModule } from "@opencode-ai/plugin/tui"
+import { accountDescription, accountFooter, accountTitle, loginTitle, logoutTitle } from "./format"
+import { hasLogin, loginOpenAI } from "./login"
+import { deleteSavedAccount, listAccounts, switchAccount } from "./store"
+import type { StoredAccount, SwitchAction, SwitchOption } from "./types"
+
+let seq = 0
+
+function frame(text: string) {
+  return (
+    <box paddingLeft={2} paddingRight={2} paddingTop={2} paddingBottom={2}>
+      <text>{text}</text>
+    </box>
+  )
+}
+
+async function pick(api: Parameters<TuiPlugin>[0], list: StoredAccount[]) {
+  return await new Promise<string | null>((resolve) => {
+    api.ui.dialog.replace(
+      () => (
+        <api.ui.DialogSelect
+          title="Remove saved account"
+          options={list.map((item) => ({
+            title: accountTitle(item),
+            value: item.id,
+            category: accountDescription(item, false),
+          }))}
+          onSelect={(item) => resolve(item.value)}
+        />
+      ),
+      () => resolve(null),
+    )
+  })
+}
+
+async function confirm(api: Parameters<TuiPlugin>[0], title: string, message: string) {
+  return await new Promise<boolean>((resolve) => {
+    api.ui.dialog.replace(
+      () => (
+        <api.ui.DialogConfirm
+          title={title}
+          message={message}
+          onConfirm={() => resolve(true)}
+          onCancel={() => resolve(false)}
+        />
+      ),
+      () => resolve(false),
+    )
+  })
+}
+
+async function remove(api: Parameters<TuiPlugin>[0], list: StoredAccount[]) {
+  const id = await pick(api, list)
+  if (!id) return
+  const item = list.find((row) => row.id === id)
+  if (!item) return
+  const ok = await confirm(api, "Remove saved account", `Remove ${accountTitle(item)} from saved accounts?`)
+  if (!ok) return
+  try {
+    await deleteSavedAccount(id)
+    api.ui.toast({ variant: "success", message: "Saved account removed" })
+  } catch {
+    api.ui.toast({ variant: "error", message: "Failed to remove saved account" })
+  }
+}
+
+function options(list: StoredAccount[], current: string | undefined, canLogin: boolean): SwitchOption[] {
+  const rows = list.map((item) => ({
+    title: accountTitle(item),
+    value: { type: "account", id: item.id } as SwitchAction,
+    description: accountDescription(item, item.id === current),
+    footer: accountFooter(item.id === current),
+    category: "Accounts",
+  }))
+  return [
+    ...(canLogin ? [{ title: loginTitle(), value: { type: "login" } as SwitchAction }] : []),
+    ...rows,
+    ...(list.length
+      ? [
+          {
+            title: logoutTitle(true),
+            value: { type: "logout" } as SwitchAction,
+            description: "Remove a saved account",
+            category: "Actions",
+          },
+        ]
+      : []),
+  ]
+}
+
+async function open(api: Parameters<TuiPlugin>[0]) {
+  const id = ++seq
+  api.ui.dialog.setSize("large")
+  api.ui.dialog.replace(() => frame("Loading accounts..."))
+
+  const [store, canLogin] = await Promise.all([listAccounts(), hasLogin(api)])
+  if (id !== seq) return
+
+  if (!store.ok && store.reason === "malformed") {
+    api.ui.toast({ variant: "error", message: "Failed to load account store" })
+  }
+
+  const accounts = store.ok ? store.accounts : []
+  const current = store.ok ? store.current : undefined
+  const rows = options(accounts, current, canLogin)
+
+  if (!rows.length) {
+    api.ui.dialog.replace(() => frame("OpenAI login unavailable and no saved accounts found"))
+    return
+  }
+
+  if (!accounts.length && canLogin) {
+    api.ui.dialog.replace(() => (
+      <api.ui.DialogSelect
+        title="Switch OpenAI account"
+        options={rows}
+        placeholder="Search"
+        onSelect={(item) => void act(api, item.value, accounts)}
+      />
+    ))
+    return
+  }
+
+  api.ui.dialog.replace(() => (
+    <api.ui.DialogSelect
+      title="Switch OpenAI account"
+      options={rows}
+      placeholder="Search"
+      current={current ? ({ type: "account", id: current } as SwitchAction) : undefined}
+      onSelect={(item) => void act(api, item.value, accounts)}
+    />
+  ))
+}
+
+async function act(api: Parameters<TuiPlugin>[0], action: SwitchAction, list: StoredAccount[]) {
+  if (action.type === "login") {
+    const ok = await loginOpenAI(api)
+    if (ok) {
+      api.ui.toast({ variant: "success", message: "Account saved" })
+      await open(api)
+    }
+    return
+  }
+  if (action.type === "logout") {
+    await remove(api, list)
+    await open(api)
+    return
+  }
+  try {
+    await switchAccount(action.id)
+  } catch {
+    api.ui.toast({ variant: "error", message: "Failed to switch account" })
+    return
+  }
+
+  try {
+    const client = api.client as typeof api.client & {
+      sync?: { bootstrap?: () => Promise<void> }
+    }
+    if (typeof api.client.instance.dispose === "function") {
+      await api.client.instance.dispose()
+    }
+    if (typeof client.sync?.bootstrap === "function") {
+      await client.sync.bootstrap()
+    }
+    api.ui.toast({ variant: "success", message: "Switched OpenAI account" })
+    api.ui.dialog.clear()
+  } catch {
+    api.ui.toast({
+      variant: "warning",
+      message: "Account file was switched, but session refresh failed",
+    })
+  }
+}
+
+const tui: TuiPlugin = async (api) => {
+  api.command.register(() => [
+    {
+      title: "Switch OpenAI account",
+      value: "openai.switch",
+      description: "Login, switch, or remove saved OpenAI accounts",
+      slash: { name: "switch" },
+      onSelect: () => {
+        void open(api)
+      },
+    } satisfies TuiCommand,
+  ])
+}
+
+export default {
+  id: "harars.switch-auth",
+  tui,
+} satisfies TuiPluginModule & { id: string }

package/src/types.ts

@@ -0,0 +1,71 @@
+export type OpenAIAuth = {
+  type: "oauth"
+  refresh: string
+  access: string
+  expires: number
+  accountId?: string
+  enterpriseUrl?: string
+}
+
+export type StoreEntry = {
+  key: string
+  email?: string
+  accountId?: string
+  plan?: string
+  savedAt: number
+  lastUsedAt?: number
+  auth: OpenAIAuth
+}
+
+export type StoreFile = {
+  version: 1
+  openai: Record<string, StoreEntry>
+}
+
+export type StoredAccount = StoreEntry & {
+  id: string
+}
+
+export type SwitchAction =
+  | { type: "login" }
+  | { type: "account"; id: string }
+  | { type: "logout" }
+
+export type SwitchOption = {
+  title: string
+  value: SwitchAction
+  description?: string
+  category?: string
+  footer?: string
+}
+
+export type Claims = Record<string, unknown>
+
+export type StoreLoad =
+  | { ok: true; store: StoreFile }
+  | { ok: false; reason: "malformed" | "missing" }
+
+export type ProviderPrompt = {
+  type: "text" | "select"
+  key: string
+  message: string
+  placeholder?: string
+  options?: Array<{ label: string; value: string; hint?: string }>
+  when?: {
+    key: string
+    op: "eq" | "neq"
+    value: string
+  }
+}
+
+export type ProviderMethod = {
+  type: "oauth" | "api"
+  label: string
+  prompts?: ProviderPrompt[]
+}
+
+export type OAuthAuthz = {
+  url: string
+  method: "auto" | "code"
+  instructions: string
+}