@hasna/accounts 0.1.10 → 0.1.12

package/dist/cli.js

@@ -992,7 +992,7 @@ Expecting one of '${allowedValues.join("', '")}'`);
         this._exitCallback = (err) => {
           if (err.code !== "commander.executeSubCommandAsync") {
             throw err;
-          }
+          } else {}
         };
       }
       return this;
@@ -12259,7 +12259,7 @@ var require_es5 = __commonJS((exports, module) => {
 
 // node_modules/@aws-sdk/core/dist-cjs/submodules/client/index.js
 var require_client2 = __commonJS((exports) => {
-  var __dirname = "/tmp/hasna-events-refresh-1781608411540/open-accounts/node_modules/@aws-sdk/core/dist-cjs/submodules/client";
+  var __dirname = "/home/hasna/workspace/hasna/opensource/open-accounts/node_modules/@aws-sdk/core/dist-cjs/submodules/client";
   var retry = require_retry();
   var protocols = require_protocols();
   var lambdaInvokeStore = require_invoke_store();
@@ -42778,6 +42778,15 @@ function writeClaudeKeychain(cred) {
 }
 
 // src/lib/claude-auth.ts
+var CLAUDE_API_AUTH_ENV_KEYS = [
+  "ANTHROPIC_API_KEY",
+  "ANTHROPIC_AUTH_TOKEN",
+  "ANTHROPIC_BASE_URL",
+  "CLAUDE_CODE_API_KEY_HELPER",
+  "CLAUDE_CODE_API_KEY_HELPER_TTL_MS",
+  "CLAUDE_CODE_USE_BEDROCK",
+  "CLAUDE_CODE_USE_VERTEX"
+];
 function readJsonFile(path) {
   if (!existsSync6(path))
     return;
@@ -42796,6 +42805,11 @@ function writeJsonFile(path, data, stayUnder) {
 function readOAuthFromPaths(paths) {
   return findOAuthSource(paths)?.oauth;
 }
+function readOAuthSnapshot(profileDir) {
+  const snap = readJsonFile(profileOAuthSnapshot(profileDir));
+  const oauth = snap?.oauthAccount;
+  return oauth && typeof oauth === "object" ? oauth : undefined;
+}
 function findOAuthSource(paths) {
   for (const p of paths) {
     const data = readJsonFile(p);
@@ -42837,6 +42851,46 @@ function mergeOAuthInto(paths, oauth, allowDelete, stayUnder) {
     }
   }
 }
+function sanitizeSettingsFile(configDir, stayUnder) {
+  const settingsPath = join7(configDir, "settings.json");
+  const settings = readJsonFile(settingsPath);
+  if (!settings)
+    return false;
+  let changed = false;
+  if ("apiKeyHelper" in settings) {
+    delete settings.apiKeyHelper;
+    changed = true;
+  }
+  const env2 = settings.env;
+  if (env2 && typeof env2 === "object" && !Array.isArray(env2)) {
+    const envRecord = env2;
+    for (const key of CLAUDE_API_AUTH_ENV_KEYS) {
+      if (key in envRecord) {
+        delete envRecord[key];
+        changed = true;
+      }
+    }
+  }
+  if (changed)
+    writeJsonFile(settingsPath, settings, stayUnder);
+  return changed;
+}
+function sanitizeClaudeProfileApiSettings(profileDir, tool) {
+  if (tool.id !== "claude")
+    return false;
+  return sanitizeSettingsFile(profileDir, profileDir);
+}
+function sanitizeClaudeOAuthProfileSettings(profileDir, tool) {
+  if (tool.id !== "claude")
+    return false;
+  if (!readOAuthSnapshot(profileDir) && !readOAuthFromPaths(profileAccountJsonPaths(profileDir, tool))) {
+    return false;
+  }
+  return sanitizeClaudeProfileApiSettings(profileDir, tool);
+}
+function sanitizeLiveClaudeOAuthSettings() {
+  return sanitizeSettingsFile(liveClaudePaths().configDir, liveClaudeBase());
+}
 function liveOAuthEmail() {
   const live = liveClaudePaths();
   const oauth = readOAuthFromPaths([live.homeJson]);
@@ -42877,6 +42931,7 @@ function ensureProfileAuthSnapshot(profileDir, tool, opts = {}) {
     assertSafeWritePath(credSnap, { mustStayUnder: profileDir });
     copyFileSync(credFile, credSnap);
   }
+  sanitizeClaudeOAuthProfileSettings(profileDir, tool);
 }
 function profileHasAuth(profileDir, tool) {
   return hasAuthSnapshot(profileDir) || !!readOAuthFromPaths(profileAccountJsonPaths(profileDir, tool));
@@ -42895,6 +42950,8 @@ function restoreClaudeAuthFromProfile(profileDir, tool, profileName) {
   if (!oauth) {
     throw new AccountsError("profile has no OAuth account data to apply");
   }
+  sanitizeClaudeOAuthProfileSettings(profileDir, tool);
+  sanitizeLiveClaudeOAuthSettings();
   assertSafeWritePath(live.homeJson, { mustStayUnder: liveRoot });
   mergeOAuthInto([live.homeJson], oauth, false, liveRoot);
   const credSnap = profileCredentialsSnapshot(profileDir);
@@ -43345,6 +43402,11 @@ function profileEnv(profile, tool) {
   for (const [name, value] of Object.entries(tool.extraEnv ?? {})) {
     env2[name] = renderTemplate(value, profile);
   }
+  if (tool.id === "claude") {
+    sanitizeClaudeProfileApiSettings(profile.dir, tool);
+    for (const key of CLAUDE_API_AUTH_ENV_KEYS)
+      env2[key] = "";
+  }
   return env2;
 }
 function formatEnvAssignments(env2) {

package/dist/index.d.ts

@@ -17,7 +17,7 @@ export type { RunSupervisorOptions, SupervisorClientOptions, SupervisorLaunchPla
 export { pickProfile } from "./lib/pick.js";
 export type { PickOptions, PickResult } from "./lib/pick.js";
 export { installHook, uninstallHook, hookPath, hookScript, shellSnippet } from "./lib/hook.js";
-export { snapshotClaudeAuthToProfile, snapshotLiveAuthToProfile, restoreClaudeAuthFromProfile, ensureProfileAuthSnapshot, hasAuthSnapshot, profileHasAuth, } from "./lib/claude-auth.js";
+export { snapshotClaudeAuthToProfile, snapshotLiveAuthToProfile, restoreClaudeAuthFromProfile, ensureProfileAuthSnapshot, hasAuthSnapshot, profileHasAuth, sanitizeClaudeProfileApiSettings, sanitizeClaudeOAuthProfileSettings, sanitizeLiveClaudeOAuthSettings, CLAUDE_API_AUTH_ENV_KEYS, } from "./lib/claude-auth.js";
 export { withApplyLock } from "./lib/apply-lock.js";
 export { isSafeProfileName } from "./lib/hook.js";
 export { readClaudeKeychain, keychainSupported } from "./lib/keychain.js";

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,cAAc,YAAY,CAAC;AAC3B,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAC1F,OAAO,EACL,aAAa,EACb,YAAY,EACZ,OAAO,EACP,SAAS,EACT,aAAa,EACb,aAAa,EACb,gBAAgB,GACjB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,UAAU,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACnF,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EACL,UAAU,EACV,YAAY,EACZ,WAAW,EACX,UAAU,EACV,UAAU,EACV,aAAa,EACb,aAAa,EACb,aAAa,EACb,aAAa,EACb,UAAU,EACV,cAAc,GACf,MAAM,mBAAmB,CAAC;AAC3B,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClF,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,qBAAqB,EAAE,MAAM,yBAAyB,CAAC;AAC/E,YAAY,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAC7D,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAC/C,YAAY,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/E,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,uBAAuB,EACvB,iBAAiB,EACjB,qBAAqB,EACrB,aAAa,EACb,oBAAoB,EACpB,mBAAmB,GACpB,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EACV,oBAAoB,EACpB,uBAAuB,EACvB,oBAAoB,EACpB,iBAAiB,EACjB,kBAAkB,EAClB,eAAe,GAChB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC5C,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC7D,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,QAAQ,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC/F,OAAO,EACL,2BAA2B,EAC3B,yBAAyB,EACzB,4BAA4B,EAC5B,yBAAyB,EACzB,eAAe,EACf,cAAc,GACf,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAClD,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,cAAc,YAAY,CAAC;AAC3B,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAC1F,OAAO,EACL,aAAa,EACb,YAAY,EACZ,OAAO,EACP,SAAS,EACT,aAAa,EACb,aAAa,EACb,gBAAgB,GACjB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,UAAU,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACnF,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EACL,UAAU,EACV,YAAY,EACZ,WAAW,EACX,UAAU,EACV,UAAU,EACV,aAAa,EACb,aAAa,EACb,aAAa,EACb,aAAa,EACb,UAAU,EACV,cAAc,GACf,MAAM,mBAAmB,CAAC;AAC3B,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClF,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,qBAAqB,EAAE,MAAM,yBAAyB,CAAC;AAC/E,YAAY,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAC7D,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAC/C,YAAY,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/E,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,uBAAuB,EACvB,iBAAiB,EACjB,qBAAqB,EACrB,aAAa,EACb,oBAAoB,EACpB,mBAAmB,GACpB,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EACV,oBAAoB,EACpB,uBAAuB,EACvB,oBAAoB,EACpB,iBAAiB,EACjB,kBAAkB,EAClB,eAAe,GAChB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC5C,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC7D,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,QAAQ,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC/F,OAAO,EACL,2BAA2B,EAC3B,yBAAyB,EACzB,4BAA4B,EAC5B,yBAAyB,EACzB,eAAe,EACf,cAAc,EACd,gCAAgC,EAChC,kCAAkC,EAClC,+BAA+B,EAC/B,wBAAwB,GACzB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAClD,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/index.js

@@ -4317,256 +4317,13 @@ function removeCustomTool(id) {
   store.tools.splice(idx, 1);
   saveStore(store);
 }
-// src/lib/env.ts
-function renderTemplate(value, profile) {
-  return value.replaceAll("{profileDir}", profile.dir).replaceAll("{profileName}", profile.name).replaceAll("{toolId}", profile.tool);
-}
-function profileEnv(profile, tool) {
-  const env = {
-    [tool.envVar]: profile.dir
-  };
-  for (const [name, value] of Object.entries(tool.extraEnv ?? {})) {
-    env[name] = renderTemplate(value, profile);
-  }
-  return env;
-}
-function formatEnvAssignments(env) {
-  return Object.entries(env).map(([name, value]) => `${name}=${JSON.stringify(value)}`).join(" ");
-}
-function formatExportLines(env) {
-  return Object.entries(env).map(([name, value]) => `export ${name}=${JSON.stringify(value)}`).join(`
-`);
-}
-// src/lib/detect.ts
-import { existsSync as existsSync3, readFileSync as readFileSync2 } from "node:fs";
-import { dirname as dirname2, join as join3 } from "node:path";
-function detectEmail(dir, tool) {
-  if (!tool.accountFile || !tool.emailPath)
-    return;
-  const candidates = [join3(dir, tool.accountFile)];
-  if (dir === tool.defaultDir)
-    candidates.push(join3(dirname2(dir), tool.accountFile));
-  for (const file of candidates) {
-    const email = readEmail(file, tool.emailPath);
-    if (email)
-      return email;
-  }
-  return;
-}
-function readEmail(file, path) {
-  if (!existsSync3(file))
-    return;
-  let cursor;
-  try {
-    cursor = JSON.parse(readFileSync2(file, "utf8"));
-  } catch {
-    return;
-  }
-  for (const key of path) {
-    if (cursor && typeof cursor === "object" && key in cursor) {
-      cursor = cursor[key];
-    } else {
-      return;
-    }
-  }
-  return typeof cursor === "string" && cursor.includes("@") ? cursor : undefined;
-}
-// src/lib/profiles.ts
-import { homedir as homedir3 } from "node:os";
-import { isAbsolute, join as join4, resolve as resolve2 } from "node:path";
-import { existsSync as existsSync4, mkdirSync as mkdirSync3, rmSync } from "node:fs";
-function nowIso() {
-  return new Date().toISOString();
-}
-function expandPath(p) {
-  let out = p;
-  if (out === "~")
-    out = homedir3();
-  else if (out.startsWith("~/"))
-    out = join4(homedir3(), out.slice(2));
-  return isAbsolute(out) ? out : resolve2(process.cwd(), out);
-}
-function listProfiles(toolId) {
-  const profiles = loadStore().profiles;
-  const filtered = toolId ? profiles.filter((p) => p.tool === toolId) : profiles;
-  return filtered.slice().sort((a, b) => a.tool.localeCompare(b.tool) || a.name.localeCompare(b.name));
-}
-function profileMatches(name, toolId) {
-  return loadStore().profiles.filter((p) => p.name === name && (!toolId || p.tool === toolId));
-}
-function findProfile(name, toolId) {
-  const matches = profileMatches(name, toolId);
-  return matches.length === 1 ? matches[0] : undefined;
-}
-function getProfile(name, toolId) {
-  const matches = profileMatches(name, toolId);
-  if (matches.length === 0) {
-    const suffix = toolId ? ` for tool "${toolId}"` : "";
-    throw new AccountsError(`no profile named "${name}"${suffix}. Run \`accounts list\` to see profiles.`);
-  }
-  if (matches.length > 1) {
-    throw new AccountsError(`profile "${name}" exists for multiple tools (${matches.map((p) => p.tool).join(", ")}); pass --tool`);
-  }
-  const profile = matches[0];
-  return profile;
-}
-function addProfile(opts) {
-  const name = opts.name;
-  const nameCheck = profileNameSchema.safeParse(name);
-  if (!nameCheck.success)
-    throw new AccountsError(nameCheck.error.issues[0]?.message ?? "invalid profile name");
-  const toolId = opts.tool ?? DEFAULT_TOOL;
-  const tool = getTool(toolId);
-  const store = loadStore();
-  if (store.profiles.some((p) => p.name === name && p.tool === toolId)) {
-    throw new AccountsError(`a ${toolId} profile named "${name}" already exists`);
-  }
-  const dir = opts.dir ? expandPath(opts.dir) : join4(profilesDir(), toolId, name);
-  if (store.profiles.some((p) => p.dir === dir)) {
-    throw new AccountsError(`a profile already uses config dir ${dir}`);
-  }
-  mkdirSync3(dir, { recursive: true });
-  const email = opts.email ?? detectEmail(dir, tool);
-  const profile = {
-    name,
-    tool: toolId,
-    ...email ? { email } : {},
-    dir,
-    ...opts.description ? { description: opts.description } : {},
-    createdAt: nowIso()
-  };
-  store.profiles.push(profile);
-  saveStore(store);
-  return profile;
-}
-function removeProfile(name, opts = {}) {
-  const options = typeof opts === "boolean" ? { purge: opts } : opts;
-  const store = loadStore();
-  const matches = store.profiles.map((profile2, idx2) => ({ profile: profile2, idx: idx2 })).filter(({ profile: profile2 }) => profile2.name === name && (!options.tool || profile2.tool === options.tool));
-  if (matches.length === 0) {
-    const suffix = options.tool ? ` for tool "${options.tool}"` : "";
-    throw new AccountsError(`no profile named "${name}"${suffix}`);
-  }
-  if (matches.length > 1) {
-    throw new AccountsError(`profile "${name}" exists for multiple tools (${matches.map(({ profile: profile2 }) => profile2.tool).join(", ")}); pass --tool`);
-  }
-  const idx = matches[0].idx;
-  const profile = store.profiles[idx];
-  store.profiles.splice(idx, 1);
-  if (store.current[profile.tool] === name)
-    delete store.current[profile.tool];
-  if (store.applied[profile.tool] === name)
-    delete store.applied[profile.tool];
-  saveStore(store);
-  let purged = false;
-  let purgeNote;
-  if (options.purge) {
-    const managed = profile.dir.startsWith(profilesDir());
-    const isDefault = profile.dir === getTool(profile.tool).defaultDir;
-    if (managed && !isDefault && existsSync4(profile.dir)) {
-      rmSync(profile.dir, { recursive: true, force: true });
-      purged = true;
-    } else {
-      purgeNote = `refused to delete ${profile.dir} (not a managed profile dir); remove it manually if intended`;
-    }
-  }
-  return { profile, purged, purgeNote };
-}
-function renameProfile(oldName, newName, toolId) {
-  const nameCheck = profileNameSchema.safeParse(newName);
-  if (!nameCheck.success)
-    throw new AccountsError(nameCheck.error.issues[0]?.message ?? "invalid profile name");
-  const store = loadStore();
-  const matches = store.profiles.filter((p) => p.name === oldName && (!toolId || p.tool === toolId));
-  if (matches.length === 0) {
-    const suffix = toolId ? ` for tool "${toolId}"` : "";
-    throw new AccountsError(`no profile named "${oldName}"${suffix}`);
-  }
-  if (matches.length > 1) {
-    throw new AccountsError(`profile "${oldName}" exists for multiple tools (${matches.map((p) => p.tool).join(", ")}); pass --tool`);
-  }
-  const profile = matches[0];
-  if (store.profiles.some((p) => p.name === newName && p.tool === profile.tool)) {
-    throw new AccountsError(`a ${profile.tool} profile named "${newName}" already exists`);
-  }
-  if (store.current[profile.tool] === oldName)
-    store.current[profile.tool] = newName;
-  if (store.applied[profile.tool] === oldName)
-    store.applied[profile.tool] = newName;
-  profile.name = newName;
-  saveStore(store);
-  return profile;
-}
-function updateProfile(name, opts) {
-  const store = loadStore();
-  const matches = store.profiles.filter((p) => p.name === name && (!opts.tool || p.tool === opts.tool));
-  if (matches.length === 0) {
-    const suffix = opts.tool ? ` for tool "${opts.tool}"` : "";
-    throw new AccountsError(`no profile named "${name}"${suffix}`);
-  }
-  if (matches.length > 1) {
-    throw new AccountsError(`profile "${name}" exists for multiple tools (${matches.map((p) => p.tool).join(", ")}); pass --tool`);
-  }
-  const profile = matches[0];
-  if (opts.email !== undefined)
-    profile.email = opts.email;
-  if (opts.description !== undefined)
-    profile.description = opts.description;
-  if (opts.dir !== undefined) {
-    const dir = expandPath(opts.dir);
-    mkdirSync3(dir, { recursive: true });
-    profile.dir = dir;
-  }
-  saveStore(store);
-  return profile;
-}
-function redetectEmail(name, toolId) {
-  const store = loadStore();
-  const matches = store.profiles.filter((p) => p.name === name && (!toolId || p.tool === toolId));
-  if (matches.length === 0) {
-    const suffix = toolId ? ` for tool "${toolId}"` : "";
-    throw new AccountsError(`no profile named "${name}"${suffix}`);
-  }
-  if (matches.length > 1) {
-    throw new AccountsError(`profile "${name}" exists for multiple tools (${matches.map((p) => p.tool).join(", ")}); pass --tool`);
-  }
-  const profile = matches[0];
-  const email = detectEmail(profile.dir, getTool(profile.tool));
-  if (email)
-    profile.email = email;
-  saveStore(store);
-  return profile;
-}
-function useProfile(name, toolId) {
-  const store = loadStore();
-  const matches = store.profiles.filter((p) => p.name === name && (!toolId || p.tool === toolId));
-  if (matches.length === 0) {
-    const suffix = toolId ? ` for tool "${toolId}"` : "";
-    throw new AccountsError(`no profile named "${name}"${suffix}`);
-  }
-  if (matches.length > 1) {
-    throw new AccountsError(`profile "${name}" exists for multiple tools (${matches.map((p) => p.tool).join(", ")}); pass --tool`);
-  }
-  const profile = matches[0];
-  store.current[profile.tool] = name;
-  profile.lastUsedAt = nowIso();
-  saveStore(store);
-  return { profile, toolId: profile.tool };
-}
-function currentProfile(toolId) {
-  const store = loadStore();
-  const name = store.current[toolId];
-  if (!name)
-    return;
-  return store.profiles.find((p) => p.name === name);
-}
 // src/lib/claude-auth.ts
-import { copyFileSync, existsSync as existsSync5, lstatSync as lstatSync2, mkdirSync as mkdirSync4, readFileSync as readFileSync3, statSync, unlinkSync, writeFileSync as writeFileSync2 } from "node:fs";
-import { dirname as dirname4, join as join6 } from "node:path";
+import { copyFileSync, existsSync as existsSync3, lstatSync as lstatSync2, mkdirSync as mkdirSync3, readFileSync as readFileSync2, statSync, unlinkSync, writeFileSync as writeFileSync2 } from "node:fs";
+import { dirname as dirname3, join as join4 } from "node:path";
 
 // src/lib/claude-layout.ts
-import { homedir as homedir4 } from "node:os";
-import { dirname as dirname3, join as join5 } from "node:path";
+import { homedir as homedir3 } from "node:os";
+import { dirname as dirname2, join as join3 } from "node:path";
 var CLAUDE_KEYCHAIN_SERVICE = "Claude Code-credentials";
 var ACCOUNTS_AUTH_DIR = ".accounts-auth";
 var OAUTH_SNAPSHOT = "oauth-account.json";
@@ -4574,36 +4331,36 @@ var CREDENTIALS_SNAPSHOT = "credentials.json";
 var KEYCHAIN_SNAPSHOT = "keychain.json";
 function liveClaudeBase() {
   const testBase = process.env.ACCOUNTS_TEST_LIVE_DIR;
-  return testBase && testBase.trim() ? testBase : homedir4();
+  return testBase && testBase.trim() ? testBase : homedir3();
 }
 function liveClaudePaths() {
   const base = liveClaudeBase();
-  const configDir = join5(base, ".claude");
+  const configDir = join3(base, ".claude");
   return {
     configDir,
-    homeJson: join5(base, ".claude.json"),
-    credentialsFile: join5(configDir, ".credentials.json")
+    homeJson: join3(base, ".claude.json"),
+    credentialsFile: join3(configDir, ".credentials.json")
   };
 }
 function profileAccountJsonPaths(profileDir, tool) {
   if (!tool.accountFile)
     return [];
-  const paths = [join5(profileDir, tool.accountFile)];
+  const paths = [join3(profileDir, tool.accountFile)];
   if (profileDir === tool.defaultDir)
-    paths.push(join5(dirname3(profileDir), tool.accountFile));
+    paths.push(join3(dirname2(profileDir), tool.accountFile));
   return paths;
 }
 function profileAuthDir(profileDir) {
-  return join5(profileDir, ACCOUNTS_AUTH_DIR);
+  return join3(profileDir, ACCOUNTS_AUTH_DIR);
 }
 function profileOAuthSnapshot(profileDir) {
-  return join5(profileAuthDir(profileDir), OAUTH_SNAPSHOT);
+  return join3(profileAuthDir(profileDir), OAUTH_SNAPSHOT);
 }
 function profileCredentialsSnapshot(profileDir) {
-  return join5(profileAuthDir(profileDir), CREDENTIALS_SNAPSHOT);
+  return join3(profileAuthDir(profileDir), CREDENTIALS_SNAPSHOT);
 }
 function profileKeychainSnapshot(profileDir) {
-  return join5(profileAuthDir(profileDir), KEYCHAIN_SNAPSHOT);
+  return join3(profileAuthDir(profileDir), KEYCHAIN_SNAPSHOT);
 }
 
 // src/lib/keychain.ts
@@ -4667,24 +4424,38 @@ function writeClaudeKeychain(cred) {
 }
 
 // src/lib/claude-auth.ts
+var CLAUDE_API_AUTH_ENV_KEYS = [
+  "ANTHROPIC_API_KEY",
+  "ANTHROPIC_AUTH_TOKEN",
+  "ANTHROPIC_BASE_URL",
+  "CLAUDE_CODE_API_KEY_HELPER",
+  "CLAUDE_CODE_API_KEY_HELPER_TTL_MS",
+  "CLAUDE_CODE_USE_BEDROCK",
+  "CLAUDE_CODE_USE_VERTEX"
+];
 function readJsonFile(path) {
-  if (!existsSync5(path))
+  if (!existsSync3(path))
     return;
   try {
-    return JSON.parse(readFileSync3(path, "utf8"));
+    return JSON.parse(readFileSync2(path, "utf8"));
   } catch {
     return;
   }
 }
 function writeJsonFile(path, data, stayUnder) {
   assertSafeWritePath(path, stayUnder ? { mustStayUnder: stayUnder } : undefined);
-  mkdirSync4(dirname4(path), { recursive: true });
+  mkdirSync3(dirname3(path), { recursive: true });
   writeFileSync2(path, JSON.stringify(data, null, 2) + `
 `, { mode: 384 });
 }
 function readOAuthFromPaths(paths) {
   return findOAuthSource(paths)?.oauth;
 }
+function readOAuthSnapshot(profileDir) {
+  const snap = readJsonFile(profileOAuthSnapshot(profileDir));
+  const oauth = snap?.oauthAccount;
+  return oauth && typeof oauth === "object" ? oauth : undefined;
+}
 function findOAuthSource(paths) {
   for (const p of paths) {
     const data = readJsonFile(p);
@@ -4695,7 +4466,7 @@ function findOAuthSource(paths) {
   return;
 }
 function snapshotIsStale(sourcePath, snapshotPath) {
-  if (!existsSync5(snapshotPath))
+  if (!existsSync3(snapshotPath))
     return true;
   try {
     return statSync(sourcePath).mtimeMs > statSync(snapshotPath).mtimeMs;
@@ -4726,6 +4497,46 @@ function mergeOAuthInto(paths, oauth, allowDelete, stayUnder) {
     }
   }
 }
+function sanitizeSettingsFile(configDir, stayUnder) {
+  const settingsPath = join4(configDir, "settings.json");
+  const settings = readJsonFile(settingsPath);
+  if (!settings)
+    return false;
+  let changed = false;
+  if ("apiKeyHelper" in settings) {
+    delete settings.apiKeyHelper;
+    changed = true;
+  }
+  const env = settings.env;
+  if (env && typeof env === "object" && !Array.isArray(env)) {
+    const envRecord = env;
+    for (const key of CLAUDE_API_AUTH_ENV_KEYS) {
+      if (key in envRecord) {
+        delete envRecord[key];
+        changed = true;
+      }
+    }
+  }
+  if (changed)
+    writeJsonFile(settingsPath, settings, stayUnder);
+  return changed;
+}
+function sanitizeClaudeProfileApiSettings(profileDir, tool) {
+  if (tool.id !== "claude")
+    return false;
+  return sanitizeSettingsFile(profileDir, profileDir);
+}
+function sanitizeClaudeOAuthProfileSettings(profileDir, tool) {
+  if (tool.id !== "claude")
+    return false;
+  if (!readOAuthSnapshot(profileDir) && !readOAuthFromPaths(profileAccountJsonPaths(profileDir, tool))) {
+    return false;
+  }
+  return sanitizeClaudeProfileApiSettings(profileDir, tool);
+}
+function sanitizeLiveClaudeOAuthSettings() {
+  return sanitizeSettingsFile(liveClaudePaths().configDir, liveClaudeBase());
+}
 function liveOAuthEmail() {
   const live = liveClaudePaths();
   const oauth = readOAuthFromPaths([live.homeJson]);
@@ -4734,13 +4545,13 @@ function liveOAuthEmail() {
 }
 function snapshotLiveAuthToProfile(profileDir, _tool) {
   const authDir = profileAuthDir(profileDir);
-  assertSafeWritePath(join6(authDir, OAUTH_SNAPSHOT), { mustStayUnder: profileDir });
-  mkdirSync4(authDir, { recursive: true });
+  assertSafeWritePath(join4(authDir, OAUTH_SNAPSHOT), { mustStayUnder: profileDir });
+  mkdirSync3(authDir, { recursive: true });
   const live = liveClaudePaths();
   const oauth = readOAuthFromPaths([live.homeJson]);
   if (oauth)
     writeJsonFile(profileOAuthSnapshot(profileDir), { oauthAccount: oauth }, profileDir);
-  if (existsSync5(live.credentialsFile)) {
+  if (existsSync3(live.credentialsFile)) {
     const dest = profileCredentialsSnapshot(profileDir);
     assertSafeWritePath(dest, { mustStayUnder: profileDir });
     copyFileSync(live.credentialsFile, dest);
@@ -4756,19 +4567,20 @@ function snapshotClaudeAuthToProfile(profileDir, tool) {
 }
 function ensureProfileAuthSnapshot(profileDir, tool, opts = {}) {
   const authDir = profileAuthDir(profileDir);
-  assertSafeWritePath(join6(authDir, OAUTH_SNAPSHOT), { mustStayUnder: profileDir });
-  mkdirSync4(authDir, { recursive: true });
+  assertSafeWritePath(join4(authDir, OAUTH_SNAPSHOT), { mustStayUnder: profileDir });
+  mkdirSync3(authDir, { recursive: true });
   const oauthSource = findOAuthSource(profileAccountJsonPaths(profileDir, tool));
   const oauthSnap = profileOAuthSnapshot(profileDir);
   if (oauthSource && (opts.overwrite || snapshotIsStale(oauthSource.path, oauthSnap))) {
     writeJsonFile(oauthSnap, { oauthAccount: oauthSource.oauth }, profileDir);
   }
-  const credFile = join6(profileDir, ".credentials.json");
+  const credFile = join4(profileDir, ".credentials.json");
   const credSnap = profileCredentialsSnapshot(profileDir);
-  if (existsSync5(credFile) && (opts.overwrite || snapshotIsStale(credFile, credSnap))) {
+  if (existsSync3(credFile) && (opts.overwrite || snapshotIsStale(credFile, credSnap))) {
     assertSafeWritePath(credSnap, { mustStayUnder: profileDir });
     copyFileSync(credFile, credSnap);
   }
+  sanitizeClaudeOAuthProfileSettings(profileDir, tool);
 }
 function profileHasAuth(profileDir, tool) {
   return hasAuthSnapshot(profileDir) || !!readOAuthFromPaths(profileAccountJsonPaths(profileDir, tool));
@@ -4781,21 +4593,23 @@ function restoreClaudeAuthFromProfile(profileDir, tool, profileName) {
   ensureProfileAuthSnapshot(profileDir, tool);
   const live = liveClaudePaths();
   const liveRoot = liveClaudeBase();
-  mkdirSync4(live.configDir, { recursive: true });
+  mkdirSync3(live.configDir, { recursive: true });
   const oauthSnap = readJsonFile(profileOAuthSnapshot(profileDir));
   const oauth = oauthSnap?.oauthAccount && typeof oauthSnap.oauthAccount === "object" ? oauthSnap.oauthAccount : readOAuthFromPaths(profileAccountJsonPaths(profileDir, tool));
   if (!oauth) {
     throw new AccountsError("profile has no OAuth account data to apply");
   }
+  sanitizeClaudeOAuthProfileSettings(profileDir, tool);
+  sanitizeLiveClaudeOAuthSettings();
   assertSafeWritePath(live.homeJson, { mustStayUnder: liveRoot });
   mergeOAuthInto([live.homeJson], oauth, false, liveRoot);
   const credSnap = profileCredentialsSnapshot(profileDir);
-  if (existsSync5(credSnap)) {
+  if (existsSync3(credSnap)) {
     assertSafeWritePath(live.credentialsFile, { mustStayUnder: liveRoot });
     assertSafeWritePath(credSnap, { mustStayUnder: profileDir });
     copyFileSync(credSnap, live.credentialsFile);
-    writeFileSync2(live.credentialsFile, readFileSync3(live.credentialsFile), { mode: 384 });
-  } else if (existsSync5(live.credentialsFile)) {
+    writeFileSync2(live.credentialsFile, readFileSync2(live.credentialsFile), { mode: 384 });
+  } else if (existsSync3(live.credentialsFile)) {
     if (!lstatSync2(live.credentialsFile).isSymbolicLink())
       unlinkSync(live.credentialsFile);
   }
@@ -4817,9 +4631,257 @@ function restoreClaudeAuthFromProfile(profileDir, tool, profileName) {
   }
 }
 function hasAuthSnapshot(profileDir) {
-  return existsSync5(profileOAuthSnapshot(profileDir)) || existsSync5(profileCredentialsSnapshot(profileDir)) || existsSync5(profileKeychainSnapshot(profileDir));
+  return existsSync3(profileOAuthSnapshot(profileDir)) || existsSync3(profileCredentialsSnapshot(profileDir)) || existsSync3(profileKeychainSnapshot(profileDir));
 }
 
+// src/lib/env.ts
+function renderTemplate(value, profile) {
+  return value.replaceAll("{profileDir}", profile.dir).replaceAll("{profileName}", profile.name).replaceAll("{toolId}", profile.tool);
+}
+function profileEnv(profile, tool) {
+  const env = {
+    [tool.envVar]: profile.dir
+  };
+  for (const [name, value] of Object.entries(tool.extraEnv ?? {})) {
+    env[name] = renderTemplate(value, profile);
+  }
+  if (tool.id === "claude") {
+    sanitizeClaudeProfileApiSettings(profile.dir, tool);
+    for (const key of CLAUDE_API_AUTH_ENV_KEYS)
+      env[key] = "";
+  }
+  return env;
+}
+function formatEnvAssignments(env) {
+  return Object.entries(env).map(([name, value]) => `${name}=${JSON.stringify(value)}`).join(" ");
+}
+function formatExportLines(env) {
+  return Object.entries(env).map(([name, value]) => `export ${name}=${JSON.stringify(value)}`).join(`
+`);
+}
+// src/lib/detect.ts
+import { existsSync as existsSync4, readFileSync as readFileSync3 } from "node:fs";
+import { dirname as dirname4, join as join5 } from "node:path";
+function detectEmail(dir, tool) {
+  if (!tool.accountFile || !tool.emailPath)
+    return;
+  const candidates = [join5(dir, tool.accountFile)];
+  if (dir === tool.defaultDir)
+    candidates.push(join5(dirname4(dir), tool.accountFile));
+  for (const file of candidates) {
+    const email = readEmail(file, tool.emailPath);
+    if (email)
+      return email;
+  }
+  return;
+}
+function readEmail(file, path) {
+  if (!existsSync4(file))
+    return;
+  let cursor;
+  try {
+    cursor = JSON.parse(readFileSync3(file, "utf8"));
+  } catch {
+    return;
+  }
+  for (const key of path) {
+    if (cursor && typeof cursor === "object" && key in cursor) {
+      cursor = cursor[key];
+    } else {
+      return;
+    }
+  }
+  return typeof cursor === "string" && cursor.includes("@") ? cursor : undefined;
+}
+// src/lib/profiles.ts
+import { homedir as homedir4 } from "node:os";
+import { isAbsolute, join as join6, resolve as resolve2 } from "node:path";
+import { existsSync as existsSync5, mkdirSync as mkdirSync4, rmSync } from "node:fs";
+function nowIso() {
+  return new Date().toISOString();
+}
+function expandPath(p) {
+  let out = p;
+  if (out === "~")
+    out = homedir4();
+  else if (out.startsWith("~/"))
+    out = join6(homedir4(), out.slice(2));
+  return isAbsolute(out) ? out : resolve2(process.cwd(), out);
+}
+function listProfiles(toolId) {
+  const profiles = loadStore().profiles;
+  const filtered = toolId ? profiles.filter((p) => p.tool === toolId) : profiles;
+  return filtered.slice().sort((a, b) => a.tool.localeCompare(b.tool) || a.name.localeCompare(b.name));
+}
+function profileMatches(name, toolId) {
+  return loadStore().profiles.filter((p) => p.name === name && (!toolId || p.tool === toolId));
+}
+function findProfile(name, toolId) {
+  const matches = profileMatches(name, toolId);
+  return matches.length === 1 ? matches[0] : undefined;
+}
+function getProfile(name, toolId) {
+  const matches = profileMatches(name, toolId);
+  if (matches.length === 0) {
+    const suffix = toolId ? ` for tool "${toolId}"` : "";
+    throw new AccountsError(`no profile named "${name}"${suffix}. Run \`accounts list\` to see profiles.`);
+  }
+  if (matches.length > 1) {
+    throw new AccountsError(`profile "${name}" exists for multiple tools (${matches.map((p) => p.tool).join(", ")}); pass --tool`);
+  }
+  const profile = matches[0];
+  return profile;
+}
+function addProfile(opts) {
+  const name = opts.name;
+  const nameCheck = profileNameSchema.safeParse(name);
+  if (!nameCheck.success)
+    throw new AccountsError(nameCheck.error.issues[0]?.message ?? "invalid profile name");
+  const toolId = opts.tool ?? DEFAULT_TOOL;
+  const tool = getTool(toolId);
+  const store = loadStore();
+  if (store.profiles.some((p) => p.name === name && p.tool === toolId)) {
+    throw new AccountsError(`a ${toolId} profile named "${name}" already exists`);
+  }
+  const dir = opts.dir ? expandPath(opts.dir) : join6(profilesDir(), toolId, name);
+  if (store.profiles.some((p) => p.dir === dir)) {
+    throw new AccountsError(`a profile already uses config dir ${dir}`);
+  }
+  mkdirSync4(dir, { recursive: true });
+  const email = opts.email ?? detectEmail(dir, tool);
+  const profile = {
+    name,
+    tool: toolId,
+    ...email ? { email } : {},
+    dir,
+    ...opts.description ? { description: opts.description } : {},
+    createdAt: nowIso()
+  };
+  store.profiles.push(profile);
+  saveStore(store);
+  return profile;
+}
+function removeProfile(name, opts = {}) {
+  const options = typeof opts === "boolean" ? { purge: opts } : opts;
+  const store = loadStore();
+  const matches = store.profiles.map((profile2, idx2) => ({ profile: profile2, idx: idx2 })).filter(({ profile: profile2 }) => profile2.name === name && (!options.tool || profile2.tool === options.tool));
+  if (matches.length === 0) {
+    const suffix = options.tool ? ` for tool "${options.tool}"` : "";
+    throw new AccountsError(`no profile named "${name}"${suffix}`);
+  }
+  if (matches.length > 1) {
+    throw new AccountsError(`profile "${name}" exists for multiple tools (${matches.map(({ profile: profile2 }) => profile2.tool).join(", ")}); pass --tool`);
+  }
+  const idx = matches[0].idx;
+  const profile = store.profiles[idx];
+  store.profiles.splice(idx, 1);
+  if (store.current[profile.tool] === name)
+    delete store.current[profile.tool];
+  if (store.applied[profile.tool] === name)
+    delete store.applied[profile.tool];
+  saveStore(store);
+  let purged = false;
+  let purgeNote;
+  if (options.purge) {
+    const managed = profile.dir.startsWith(profilesDir());
+    const isDefault = profile.dir === getTool(profile.tool).defaultDir;
+    if (managed && !isDefault && existsSync5(profile.dir)) {
+      rmSync(profile.dir, { recursive: true, force: true });
+      purged = true;
+    } else {
+      purgeNote = `refused to delete ${profile.dir} (not a managed profile dir); remove it manually if intended`;
+    }
+  }
+  return { profile, purged, purgeNote };
+}
+function renameProfile(oldName, newName, toolId) {
+  const nameCheck = profileNameSchema.safeParse(newName);
+  if (!nameCheck.success)
+    throw new AccountsError(nameCheck.error.issues[0]?.message ?? "invalid profile name");
+  const store = loadStore();
+  const matches = store.profiles.filter((p) => p.name === oldName && (!toolId || p.tool === toolId));
+  if (matches.length === 0) {
+    const suffix = toolId ? ` for tool "${toolId}"` : "";
+    throw new AccountsError(`no profile named "${oldName}"${suffix}`);
+  }
+  if (matches.length > 1) {
+    throw new AccountsError(`profile "${oldName}" exists for multiple tools (${matches.map((p) => p.tool).join(", ")}); pass --tool`);
+  }
+  const profile = matches[0];
+  if (store.profiles.some((p) => p.name === newName && p.tool === profile.tool)) {
+    throw new AccountsError(`a ${profile.tool} profile named "${newName}" already exists`);
+  }
+  if (store.current[profile.tool] === oldName)
+    store.current[profile.tool] = newName;
+  if (store.applied[profile.tool] === oldName)
+    store.applied[profile.tool] = newName;
+  profile.name = newName;
+  saveStore(store);
+  return profile;
+}
+function updateProfile(name, opts) {
+  const store = loadStore();
+  const matches = store.profiles.filter((p) => p.name === name && (!opts.tool || p.tool === opts.tool));
+  if (matches.length === 0) {
+    const suffix = opts.tool ? ` for tool "${opts.tool}"` : "";
+    throw new AccountsError(`no profile named "${name}"${suffix}`);
+  }
+  if (matches.length > 1) {
+    throw new AccountsError(`profile "${name}" exists for multiple tools (${matches.map((p) => p.tool).join(", ")}); pass --tool`);
+  }
+  const profile = matches[0];
+  if (opts.email !== undefined)
+    profile.email = opts.email;
+  if (opts.description !== undefined)
+    profile.description = opts.description;
+  if (opts.dir !== undefined) {
+    const dir = expandPath(opts.dir);
+    mkdirSync4(dir, { recursive: true });
+    profile.dir = dir;
+  }
+  saveStore(store);
+  return profile;
+}
+function redetectEmail(name, toolId) {
+  const store = loadStore();
+  const matches = store.profiles.filter((p) => p.name === name && (!toolId || p.tool === toolId));
+  if (matches.length === 0) {
+    const suffix = toolId ? ` for tool "${toolId}"` : "";
+    throw new AccountsError(`no profile named "${name}"${suffix}`);
+  }
+  if (matches.length > 1) {
+    throw new AccountsError(`profile "${name}" exists for multiple tools (${matches.map((p) => p.tool).join(", ")}); pass --tool`);
+  }
+  const profile = matches[0];
+  const email = detectEmail(profile.dir, getTool(profile.tool));
+  if (email)
+    profile.email = email;
+  saveStore(store);
+  return profile;
+}
+function useProfile(name, toolId) {
+  const store = loadStore();
+  const matches = store.profiles.filter((p) => p.name === name && (!toolId || p.tool === toolId));
+  if (matches.length === 0) {
+    const suffix = toolId ? ` for tool "${toolId}"` : "";
+    throw new AccountsError(`no profile named "${name}"${suffix}`);
+  }
+  if (matches.length > 1) {
+    throw new AccountsError(`profile "${name}" exists for multiple tools (${matches.map((p) => p.tool).join(", ")}); pass --tool`);
+  }
+  const profile = matches[0];
+  store.current[profile.tool] = name;
+  profile.lastUsedAt = nowIso();
+  saveStore(store);
+  return { profile, toolId: profile.tool };
+}
+function currentProfile(toolId) {
+  const store = loadStore();
+  const name = store.current[toolId];
+  if (!name)
+    return;
+  return store.profiles.find((p) => p.name === name);
+}
 // src/lib/apply-lock.ts
 import { closeSync, existsSync as existsSync6, mkdirSync as mkdirSync5, openSync, unlinkSync as unlinkSync2, writeFileSync as writeFileSync3 } from "node:fs";
 import { join as join7 } from "node:path";
@@ -5473,6 +5535,9 @@ export {
   shellSnippet,
   sendSupervisorRequest,
   saveStore,
+  sanitizeLiveClaudeOAuthSettings,
+  sanitizeClaudeProfileApiSettings,
+  sanitizeClaudeOAuthProfileSettings,
   runSupervisedTool,
   restoreClaudeAuthFromProfile,
   resolveSupervisorLaunch,
@@ -5517,6 +5582,7 @@ export {
   addCustomTool,
   accountsHome,
   DEFAULT_TOOL,
+  CLAUDE_API_AUTH_ENV_KEYS,
   BUILTIN_TOOLS,
   AccountsError
 };

package/dist/lib/claude-auth.d.ts

@@ -1,4 +1,8 @@
 import type { ToolDef } from "../types.js";
+export declare const CLAUDE_API_AUTH_ENV_KEYS: readonly ["ANTHROPIC_API_KEY", "ANTHROPIC_AUTH_TOKEN", "ANTHROPIC_BASE_URL", "CLAUDE_CODE_API_KEY_HELPER", "CLAUDE_CODE_API_KEY_HELPER_TTL_MS", "CLAUDE_CODE_USE_BEDROCK", "CLAUDE_CODE_USE_VERTEX"];
+export declare function sanitizeClaudeProfileApiSettings(profileDir: string, tool: ToolDef): boolean;
+export declare function sanitizeClaudeOAuthProfileSettings(profileDir: string, tool: ToolDef): boolean;
+export declare function sanitizeLiveClaudeOAuthSettings(): boolean;
 /** Email address of the account currently authenticated on the live Claude paths. */
 export declare function liveOAuthEmail(): string | undefined;
 /** Snapshot live Claude auth into a profile directory (used when switching away on apply). */

package/dist/lib/claude-auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"claude-auth.d.ts","sourceRoot":"","sources":["../../src/lib/claude-auth.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAyF3C,qFAAqF;AACrF,wBAAgB,cAAc,IAAI,MAAM,GAAG,SAAS,CAKnD;AAED,8FAA8F;AAC9F,wBAAgB,yBAAyB,CAAC,UAAU,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,GAAG,IAAI,CAmBlF;AAED,gDAAgD;AAChD,wBAAgB,2BAA2B,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,IAAI,CAEnF;AAED;;;;;;GAMG;AACH,wBAAgB,yBAAyB,CACvC,UAAU,EAAE,MAAM,EAClB,IAAI,EAAE,OAAO,EACb,IAAI,GAAE;IAAE,SAAS,CAAC,EAAE,OAAO,CAAA;CAAO,GACjC,IAAI,CAiBN;AAED,wBAAgB,cAAc,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,OAAO,CAEzE;AAED,6DAA6D;AAC7D,wBAAgB,4BAA4B,CAC1C,UAAU,EAAE,MAAM,EAClB,IAAI,EAAE,OAAO,EACb,WAAW,CAAC,EAAE,MAAM,GACnB,IAAI,CAqDN;AAED,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAM3D"}
+{"version":3,"file":"claude-auth.d.ts","sourceRoot":"","sources":["../../src/lib/claude-auth.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAuB3C,eAAO,MAAM,wBAAwB,sMAQ3B,CAAC;AAoGX,wBAAgB,gCAAgC,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,OAAO,CAG3F;AAED,wBAAgB,kCAAkC,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,OAAO,CAM7F;AAED,wBAAgB,+BAA+B,IAAI,OAAO,CAEzD;AAED,qFAAqF;AACrF,wBAAgB,cAAc,IAAI,MAAM,GAAG,SAAS,CAKnD;AAED,8FAA8F;AAC9F,wBAAgB,yBAAyB,CAAC,UAAU,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,GAAG,IAAI,CAmBlF;AAED,gDAAgD;AAChD,wBAAgB,2BAA2B,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,IAAI,CAEnF;AAED;;;;;;GAMG;AACH,wBAAgB,yBAAyB,CACvC,UAAU,EAAE,MAAM,EAClB,IAAI,EAAE,OAAO,EACb,IAAI,GAAE;IAAE,SAAS,CAAC,EAAE,OAAO,CAAA;CAAO,GACjC,IAAI,CAmBN;AAED,wBAAgB,cAAc,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,OAAO,CAEzE;AAED,6DAA6D;AAC7D,wBAAgB,4BAA4B,CAC1C,UAAU,EAAE,MAAM,EAClB,IAAI,EAAE,OAAO,EACb,WAAW,CAAC,EAAE,MAAM,GACnB,IAAI,CAwDN;AAED,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAM3D"}

package/dist/lib/env.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../../src/lib/env.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAMpD,wBAAgB,UAAU,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAQlF;AAED,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,CAIxE;AAED,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,CAIrE"}
+{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../../src/lib/env.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAOpD,wBAAgB,UAAU,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAYlF;AAED,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,CAIxE;AAED,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,CAIrE"}

package/dist/mcp.js

@@ -17072,6 +17072,15 @@ function writeClaudeKeychain(cred) {
 }
 
 // src/lib/claude-auth.ts
+var CLAUDE_API_AUTH_ENV_KEYS = [
+  "ANTHROPIC_API_KEY",
+  "ANTHROPIC_AUTH_TOKEN",
+  "ANTHROPIC_BASE_URL",
+  "CLAUDE_CODE_API_KEY_HELPER",
+  "CLAUDE_CODE_API_KEY_HELPER_TTL_MS",
+  "CLAUDE_CODE_USE_BEDROCK",
+  "CLAUDE_CODE_USE_VERTEX"
+];
 function readJsonFile(path) {
   if (!existsSync3(path))
     return;
@@ -17090,6 +17099,11 @@ function writeJsonFile(path, data, stayUnder) {
 function readOAuthFromPaths(paths) {
   return findOAuthSource(paths)?.oauth;
 }
+function readOAuthSnapshot(profileDir) {
+  const snap = readJsonFile(profileOAuthSnapshot(profileDir));
+  const oauth = snap?.oauthAccount;
+  return oauth && typeof oauth === "object" ? oauth : undefined;
+}
 function findOAuthSource(paths) {
   for (const p of paths) {
     const data = readJsonFile(p);
@@ -17131,6 +17145,46 @@ function mergeOAuthInto(paths, oauth, allowDelete, stayUnder) {
     }
   }
 }
+function sanitizeSettingsFile(configDir, stayUnder) {
+  const settingsPath = join4(configDir, "settings.json");
+  const settings = readJsonFile(settingsPath);
+  if (!settings)
+    return false;
+  let changed = false;
+  if ("apiKeyHelper" in settings) {
+    delete settings.apiKeyHelper;
+    changed = true;
+  }
+  const env = settings.env;
+  if (env && typeof env === "object" && !Array.isArray(env)) {
+    const envRecord = env;
+    for (const key of CLAUDE_API_AUTH_ENV_KEYS) {
+      if (key in envRecord) {
+        delete envRecord[key];
+        changed = true;
+      }
+    }
+  }
+  if (changed)
+    writeJsonFile(settingsPath, settings, stayUnder);
+  return changed;
+}
+function sanitizeClaudeProfileApiSettings(profileDir, tool) {
+  if (tool.id !== "claude")
+    return false;
+  return sanitizeSettingsFile(profileDir, profileDir);
+}
+function sanitizeClaudeOAuthProfileSettings(profileDir, tool) {
+  if (tool.id !== "claude")
+    return false;
+  if (!readOAuthSnapshot(profileDir) && !readOAuthFromPaths(profileAccountJsonPaths(profileDir, tool))) {
+    return false;
+  }
+  return sanitizeClaudeProfileApiSettings(profileDir, tool);
+}
+function sanitizeLiveClaudeOAuthSettings() {
+  return sanitizeSettingsFile(liveClaudePaths().configDir, liveClaudeBase());
+}
 function liveOAuthEmail() {
   const live = liveClaudePaths();
   const oauth = readOAuthFromPaths([live.homeJson]);
@@ -17171,6 +17225,7 @@ function ensureProfileAuthSnapshot(profileDir, tool, opts = {}) {
     assertSafeWritePath(credSnap, { mustStayUnder: profileDir });
     copyFileSync(credFile, credSnap);
   }
+  sanitizeClaudeOAuthProfileSettings(profileDir, tool);
 }
 function profileHasAuth(profileDir, tool) {
   return hasAuthSnapshot(profileDir) || !!readOAuthFromPaths(profileAccountJsonPaths(profileDir, tool));
@@ -17189,6 +17244,8 @@ function restoreClaudeAuthFromProfile(profileDir, tool, profileName) {
   if (!oauth) {
     throw new AccountsError("profile has no OAuth account data to apply");
   }
+  sanitizeClaudeOAuthProfileSettings(profileDir, tool);
+  sanitizeLiveClaudeOAuthSettings();
   assertSafeWritePath(live.homeJson, { mustStayUnder: liveRoot });
   mergeOAuthInto([live.homeJson], oauth, false, liveRoot);
   const credSnap = profileCredentialsSnapshot(profileDir);
@@ -17306,6 +17363,11 @@ function profileEnv(profile, tool) {
   for (const [name, value] of Object.entries(tool.extraEnv ?? {})) {
     env[name] = renderTemplate(value, profile);
   }
+  if (tool.id === "claude") {
+    sanitizeClaudeProfileApiSettings(profile.dir, tool);
+    for (const key of CLAUDE_API_AUTH_ENV_KEYS)
+      env[key] = "";
+  }
   return env;
 }
 function formatEnvAssignments(env) {
@@ -17464,7 +17526,7 @@ function ok(data) {
 function fail(message) {
   return { content: [{ type: "text", text: JSON.stringify({ error: message }) }], isError: true };
 }
-var server = new Server({ name: "accounts", version: "0.1.8" }, { capabilities: { tools: {} } });
+var server = new Server({ name: "accounts", version: "0.1.12" }, { capabilities: { tools: {} } });
 server.setRequestHandler(ListToolsRequestSchema, async () => ({
   tools: [
     {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hasna/accounts",
-  "version": "0.1.10",
+  "version": "0.1.12",
   "description": "Manage and switch between multiple Claude Code (and other AI coding tool) profiles/accounts locally — isolated config dirs, per-account email, one-command switching.",
   "type": "module",
   "main": "dist/index.js",