@hasna/accounts 0.1.11 → 0.1.13

package/README.md

@@ -97,8 +97,8 @@ Implementation details: [docs/IMPLEMENT.md](docs/IMPLEMENT.md).
 | `accounts login <name> --tool <tool>` | Launch the tool's login flow in an isolated profile dir. |
 | `accounts apply <name> --tool claude` | Apply profile auth to live Claude paths (requires snapshot; Claude-only). |
 | `accounts pick` | Interactive picker; default applies. `--env`, `--no-act`. |
-| `accounts switch <name> --tool <tool>` | Switch profile and print a restart/resume command. Add `--resume`; add `--launch` to run it. |
-| `accounts switch <name> --tool <tool> --supervisor` | Ask a running `accounts run <tool>` supervisor to restart under that profile. |
+| `accounts switch <name> --tool <tool>` | Switch profile and print a restart/resume command. Add `--resume`, `--launch`, or `--permissions <preset>`. |
+| `accounts switch <name> --tool <tool> --supervisor` | Ask a running `accounts run <tool>` supervisor to restart under that profile. Supports `--permissions <preset>`. |
 | `accounts use <name> --tool <tool>` | Mark profile active; prints apply/env hints. |
 | `accounts list` (`ls`) | List profiles (`●` active, `◉` applied, `●◉` both). |
 | `accounts show <name> --tool <tool>` | Profile details including active/applied flags. |
@@ -106,8 +106,8 @@ Implementation details: [docs/IMPLEMENT.md](docs/IMPLEMENT.md).
 | `accounts active [tool]` | Print active profile name (scripting). |
 | `accounts applied [tool]` | Print applied profile name (scripting). |
 | `accounts env [name] --tool <tool>` | Print one or more `export ...` lines for the profile. |
-| `accounts launch <name> --tool <tool>` | Launch tool once with profile env. |
-| `accounts run <tool> [args...]` | Run a tool under the supervisor so MCP/CLI can switch and restart it. |
+| `accounts launch <name> --tool <tool>` | Launch tool once with profile env. Supports `--permissions <preset>`. |
+| `accounts run <tool> [args...]` | Run a tool under the supervisor so MCP/CLI can switch and restart it. Supports `--permissions <preset>`. |
 | `accounts supervisor status [tool]` | Show running supervisors. |
 | `accounts supervisor switch <name> --tool <tool>` | Switch a running supervisor to another profile. |
 | `accounts supervisor stop <tool>` | Stop a running supervisor and its child process. |
@@ -159,11 +159,18 @@ Human equivalent:
 ```bash
 accounts switch account001 --tool claude --resume
 accounts switch account001 --tool claude --resume --launch
+accounts switch account001 --tool claude --resume --permissions dangerous
 accounts switch account001 --tool claude --supervisor
 accounts switch codex-work --tool codex --resume
 accounts switch ops --tool opencode --resume
 ```
 
+`--permissions <preset>` maps a permission mode to the tool's own flags. For
+example, `--permissions dangerous` launches Claude/Takumi with
+`--dangerously-skip-permissions`, Codex with
+`--dangerously-bypass-approvals-and-sandbox`, and Gemini/Hermes/Kimi with their
+YOLO mode flags. Unsupported tools fail with a list of configured presets.
+
 ## Shell hook (optional)
 
 ```bash
@@ -233,6 +240,7 @@ For Grok Build, prefer `accounts launch` or `accounts shell`; exporting `HOME`
 globally is intentionally not recommended.
 
 Custom tools can join supervised resume switching with `accounts tools add ... --resume-arg <arg>`.
+They can also define permission presets with `--permission-arg preset=--flag`.
 
 ## Library
 

package/dist/cli.js

@@ -992,7 +992,7 @@ Expecting one of '${allowedValues.join("', '")}'`);
         this._exitCallback = (err) => {
           if (err.code !== "commander.executeSubCommandAsync") {
             throw err;
-          }
+          } else {}
         };
       }
       return this;
@@ -12259,7 +12259,7 @@ var require_es5 = __commonJS((exports, module) => {
 
 // node_modules/@aws-sdk/core/dist-cjs/submodules/client/index.js
 var require_client2 = __commonJS((exports) => {
-  var __dirname = "/tmp/hasna-events-017-batch-1781608575/open-accounts/node_modules/@aws-sdk/core/dist-cjs/submodules/client";
+  var __dirname = "/home/hasna/workspace/hasna/opensource/open-accounts/node_modules/@aws-sdk/core/dist-cjs/submodules/client";
   var retry = require_retry();
   var protocols = require_protocols();
   var lambdaInvokeStore = require_invoke_store();
@@ -41977,6 +41977,7 @@ var toolDefSchema = exports_external.object({
   loginArgs: exports_external.array(exports_external.string()).optional(),
   loginHint: exports_external.string().optional(),
   resumeArgs: exports_external.array(exports_external.string()).optional(),
+  permissionArgs: exports_external.record(exports_external.array(exports_external.string())).optional(),
   accountFile: exports_external.string().optional(),
   emailPath: exports_external.array(exports_external.string()).optional()
 });
@@ -42304,6 +42305,15 @@ var BUILTIN_TOOLS = [
     bin: "claude",
     loginHint: "run /login inside Claude, then /exit when done",
     resumeArgs: ["--continue"],
+    permissionArgs: {
+      dangerous: ["--dangerously-skip-permissions"],
+      "allow-dangerous": ["--allow-dangerously-skip-permissions"],
+      bypass: ["--permission-mode", "bypassPermissions"],
+      auto: ["--permission-mode", "auto"],
+      "accept-edits": ["--permission-mode", "acceptEdits"],
+      "dont-ask": ["--permission-mode", "dontAsk"],
+      plan: ["--permission-mode", "plan"]
+    },
     accountFile: ".claude.json",
     emailPath: ["oauthAccount", "emailAddress"]
   },
@@ -42315,7 +42325,10 @@ var BUILTIN_TOOLS = [
     bin: "codex",
     loginArgs: ["login"],
     loginHint: "complete the Codex login flow for this CODEX_HOME",
-    resumeArgs: ["resume", "--last"]
+    resumeArgs: ["resume", "--last"],
+    permissionArgs: {
+      dangerous: ["--dangerously-bypass-approvals-and-sandbox"]
+    }
   },
   {
     id: "takumi",
@@ -42325,6 +42338,15 @@ var BUILTIN_TOOLS = [
     bin: "takumi",
     loginHint: "complete Takumi auth in this TAKUMI_CONFIG_DIR",
     resumeArgs: ["--continue"],
+    permissionArgs: {
+      dangerous: ["--dangerously-skip-permissions"],
+      "allow-dangerous": ["--allow-dangerously-skip-permissions"],
+      bypass: ["--permission-mode", "bypassPermissions"],
+      auto: ["--permission-mode", "auto"],
+      "accept-edits": ["--permission-mode", "acceptEdits"],
+      "dont-ask": ["--permission-mode", "dontAsk"],
+      plan: ["--permission-mode", "plan"]
+    },
     accountFile: ".claude.json",
     emailPath: ["oauthAccount", "emailAddress"]
   },
@@ -42334,7 +42356,13 @@ var BUILTIN_TOOLS = [
     envVar: "GEMINI_CONFIG_DIR",
     defaultDir: join3(homedir3(), ".gemini"),
     bin: "gemini",
-    loginHint: "complete Gemini auth in this GEMINI_CONFIG_DIR"
+    loginHint: "complete Gemini auth in this GEMINI_CONFIG_DIR",
+    permissionArgs: {
+      dangerous: ["--yolo"],
+      yolo: ["--yolo"],
+      "auto-edit": ["--approval-mode", "auto_edit"],
+      plan: ["--approval-mode", "plan"]
+    }
   },
   {
     id: "opencode",
@@ -42373,7 +42401,11 @@ var BUILTIN_TOOLS = [
     envVar: "HERMES_HOME",
     defaultDir: join3(homedir3(), ".hermes"),
     bin: "hermes",
-    loginHint: "complete Hermes auth in this HERMES_HOME"
+    loginHint: "complete Hermes auth in this HERMES_HOME",
+    permissionArgs: {
+      dangerous: ["--yolo"],
+      yolo: ["--yolo"]
+    }
   },
   {
     id: "kimi",
@@ -42382,7 +42414,13 @@ var BUILTIN_TOOLS = [
     defaultDir: join3(homedir3(), ".kimi-code"),
     bin: "kimi",
     loginArgs: ["login"],
-    loginHint: "complete kimi login for this KIMI_CODE_HOME"
+    loginHint: "complete kimi login for this KIMI_CODE_HOME",
+    permissionArgs: {
+      dangerous: ["--yolo"],
+      yolo: ["--yolo"],
+      auto: ["--auto"],
+      plan: ["--plan"]
+    }
   },
   {
     id: "grok",
@@ -42395,6 +42433,43 @@ var BUILTIN_TOOLS = [
   }
 ];
 var DEFAULT_TOOL = "claude";
+var PERMISSION_ALIASES = new Map([
+  ["danger", "dangerous"],
+  ["dangerously-skip-permissions", "dangerous"],
+  ["skip-permissions", "dangerous"],
+  ["skip", "dangerous"],
+  ["bypasspermissions", "bypass"],
+  ["bypass-permissions", "bypass"],
+  ["acceptedits", "accept-edits"],
+  ["accept-edit", "accept-edits"],
+  ["autoedit", "auto-edit"],
+  ["auto-edits", "auto-edit"],
+  ["auto_edit", "auto-edit"],
+  ["dontask", "dont-ask"],
+  ["dont-ask-permissions", "dont-ask"]
+]);
+function normalizePermissionPreset(value) {
+  const normalized = value.trim().replace(/^--/, "").replaceAll("_", "-").toLowerCase();
+  return PERMISSION_ALIASES.get(normalized) ?? normalized;
+}
+function permissionArgsFor(tool, permissions) {
+  if (!permissions)
+    return [];
+  const preset = normalizePermissionPreset(permissions);
+  if (preset === "default" || preset === "none" || preset === "off")
+    return [];
+  const args = tool.permissionArgs?.[preset];
+  if (!args) {
+    const supported = Object.keys(tool.permissionArgs ?? {}).sort();
+    const suffix = supported.length > 0 ? ` Supported permissions: ${supported.join(", ")}.` : " No permission presets are configured.";
+    throw new AccountsError(`tool "${tool.id}" does not support permissions "${permissions}".${suffix}`);
+  }
+  return args;
+}
+function mergeToolArgs(tool, args, opts = {}) {
+  const permissionArgs = permissionArgsFor(tool, opts.permissions).filter((arg) => !args.includes(arg));
+  return [...permissionArgs, ...args];
+}
 var BUILTIN_IDS = new Set(BUILTIN_TOOLS.map((t) => t.id));
 function isBuiltinTool(id) {
   return BUILTIN_IDS.has(id);
@@ -42778,6 +42853,15 @@ function writeClaudeKeychain(cred) {
 }
 
 // src/lib/claude-auth.ts
+var CLAUDE_API_AUTH_ENV_KEYS = [
+  "ANTHROPIC_API_KEY",
+  "ANTHROPIC_AUTH_TOKEN",
+  "ANTHROPIC_BASE_URL",
+  "CLAUDE_CODE_API_KEY_HELPER",
+  "CLAUDE_CODE_API_KEY_HELPER_TTL_MS",
+  "CLAUDE_CODE_USE_BEDROCK",
+  "CLAUDE_CODE_USE_VERTEX"
+];
 function readJsonFile(path) {
   if (!existsSync6(path))
     return;
@@ -42796,6 +42880,11 @@ function writeJsonFile(path, data, stayUnder) {
 function readOAuthFromPaths(paths) {
   return findOAuthSource(paths)?.oauth;
 }
+function readOAuthSnapshot(profileDir) {
+  const snap = readJsonFile(profileOAuthSnapshot(profileDir));
+  const oauth = snap?.oauthAccount;
+  return oauth && typeof oauth === "object" ? oauth : undefined;
+}
 function findOAuthSource(paths) {
   for (const p of paths) {
     const data = readJsonFile(p);
@@ -42837,6 +42926,46 @@ function mergeOAuthInto(paths, oauth, allowDelete, stayUnder) {
     }
   }
 }
+function sanitizeSettingsFile(configDir, stayUnder) {
+  const settingsPath = join7(configDir, "settings.json");
+  const settings = readJsonFile(settingsPath);
+  if (!settings)
+    return false;
+  let changed = false;
+  if ("apiKeyHelper" in settings) {
+    delete settings.apiKeyHelper;
+    changed = true;
+  }
+  const env2 = settings.env;
+  if (env2 && typeof env2 === "object" && !Array.isArray(env2)) {
+    const envRecord = env2;
+    for (const key of CLAUDE_API_AUTH_ENV_KEYS) {
+      if (key in envRecord) {
+        delete envRecord[key];
+        changed = true;
+      }
+    }
+  }
+  if (changed)
+    writeJsonFile(settingsPath, settings, stayUnder);
+  return changed;
+}
+function sanitizeClaudeProfileApiSettings(profileDir, tool) {
+  if (tool.id !== "claude")
+    return false;
+  return sanitizeSettingsFile(profileDir, profileDir);
+}
+function sanitizeClaudeOAuthProfileSettings(profileDir, tool) {
+  if (tool.id !== "claude")
+    return false;
+  if (!readOAuthSnapshot(profileDir) && !readOAuthFromPaths(profileAccountJsonPaths(profileDir, tool))) {
+    return false;
+  }
+  return sanitizeClaudeProfileApiSettings(profileDir, tool);
+}
+function sanitizeLiveClaudeOAuthSettings() {
+  return sanitizeSettingsFile(liveClaudePaths().configDir, liveClaudeBase());
+}
 function liveOAuthEmail() {
   const live = liveClaudePaths();
   const oauth = readOAuthFromPaths([live.homeJson]);
@@ -42877,6 +43006,7 @@ function ensureProfileAuthSnapshot(profileDir, tool, opts = {}) {
     assertSafeWritePath(credSnap, { mustStayUnder: profileDir });
     copyFileSync(credFile, credSnap);
   }
+  sanitizeClaudeOAuthProfileSettings(profileDir, tool);
 }
 function profileHasAuth(profileDir, tool) {
   return hasAuthSnapshot(profileDir) || !!readOAuthFromPaths(profileAccountJsonPaths(profileDir, tool));
@@ -42895,6 +43025,8 @@ function restoreClaudeAuthFromProfile(profileDir, tool, profileName) {
   if (!oauth) {
     throw new AccountsError("profile has no OAuth account data to apply");
   }
+  sanitizeClaudeOAuthProfileSettings(profileDir, tool);
+  sanitizeLiveClaudeOAuthSettings();
   assertSafeWritePath(live.homeJson, { mustStayUnder: liveRoot });
   mergeOAuthInto([live.homeJson], oauth, false, liveRoot);
   const credSnap = profileCredentialsSnapshot(profileDir);
@@ -43345,6 +43477,11 @@ function profileEnv(profile, tool) {
   for (const [name, value] of Object.entries(tool.extraEnv ?? {})) {
     env2[name] = renderTemplate(value, profile);
   }
+  if (tool.id === "claude") {
+    sanitizeClaudeProfileApiSettings(profile.dir, tool);
+    for (const key of CLAUDE_API_AUTH_ENV_KEYS)
+      env2[key] = "";
+  }
   return env2;
 }
 function formatEnvAssignments(env2) {
@@ -43379,7 +43516,8 @@ function commandLine(env2, command) {
   return `${formatEnvAssignments(env2)} ${command.map(shellQuote).join(" ")}`.trim();
 }
 function commandFor(tool, opts) {
-  return [tool.bin, ...opts.resume ? tool.resumeArgs ?? [] : [], ...opts.args ?? []];
+  const args = [...opts.resume ? tool.resumeArgs ?? [] : [], ...opts.args ?? []];
+  return [tool.bin, ...mergeToolArgs(tool, args, { permissions: opts.permissions })];
 }
 function switchProfile(name, opts = {}) {
   const profile = getProfile(name, opts.tool);
@@ -43408,6 +43546,7 @@ function switchProfile(name, opts = {}) {
     exports: formatExportLines(env2),
     command,
     commandLine: commandLine(env2, command),
+    ...opts.permissions ? { permissions: normalizePermissionPreset(opts.permissions) } : {},
     restartRequired,
     message
   };
@@ -43733,7 +43872,8 @@ async function runSupervisedTool(initialProfile, tool, initialArgs = [], opts =
         tool: tool.id,
         mode: request.mode ?? "auto",
         resume: request.resume ?? true,
-        args: request.args ?? []
+        args: request.args ?? [],
+        permissions: request.permissions
       });
       log(`accounts supervisor: switching ${tool.id} to ${result.profile.name}`);
       setTimeout(() => void restartWith(result), 0);
@@ -43825,6 +43965,20 @@ function printStorageSyncResult(result, json) {
   console.log(source_default.green(`pushed ${result.pushed}, pulled ${result.pulled}`));
   console.log(source_default.dim(`key: ${result.key}`));
 }
+function parsePermissionArgs(entries) {
+  const permissionArgs = {};
+  for (const entry of entries ?? []) {
+    const idx = entry.indexOf("=");
+    if (idx <= 0)
+      die(`invalid --permission-arg ${entry}; expected PRESET=ARG`);
+    const preset = normalizePermissionPreset(entry.slice(0, idx));
+    const arg = entry.slice(idx + 1);
+    if (!arg)
+      die(`invalid --permission-arg ${entry}; expected PRESET=ARG`);
+    (permissionArgs[preset] ??= []).push(arg);
+  }
+  return permissionArgs;
+}
 program2.name("accounts").description("Manage and switch between multiple Claude Code (and other AI tool) profiles/accounts.").version(getVersion());
 program2.command("add").argument("<name>", "profile name (lowercase, hyphenated)").description("create a new profile with an isolated config dir").option("-t, --tool <tool>", "tool the profile is for", DEFAULT_TOOL).option("-e, --email <email>", "account email (auto-detected when omitted)").option("-d, --dir <path>", "config dir to use (default: managed dir under ~/.hasna/accounts)").option("--description <text>", "free-text description").action(action((name, opts) => {
   const p = addProfile({ name, tool: opts.tool, email: opts.email, dir: opts.dir, description: opts.description });
@@ -43955,12 +44109,20 @@ program2.command("applied").argument("[tool]", "tool id (default: claude)").desc
     die(`no applied profile for "${tool}". Run \`accounts apply <name>\` first.`);
   console.log(p.name);
 }));
-program2.command("switch").argument("<name>", "profile name").argument("[args...]", "extra args passed when printing/launching the tool").description("switch to a profile and print a restart/resume command; use --launch to run it").option("-t, --tool <tool>", "tool when the profile name exists for multiple tools").option("--mode <mode>", "switch mode: auto, apply, env, active", "auto").option("--resume", "include the tool's resume/continue args in the handoff command").option("--launch", "launch the tool after switching").option("--supervisor", "ask a running accounts supervisor to restart the tool").option("--json", "output JSON").action(action(async (name, args, opts) => {
+program2.command("switch").argument("<name>", "profile name").argument("[args...]", "extra args passed when printing/launching the tool").description("switch to a profile and print a restart/resume command; use --launch to run it").option("-t, --tool <tool>", "tool when the profile name exists for multiple tools").option("--mode <mode>", "switch mode: auto, apply, env, active", "auto").option("--resume", "include the tool's resume/continue args in the handoff command").option("--permissions <preset>", "tool-specific permission preset, e.g. dangerous").option("--launch", "launch the tool after switching").option("--supervisor", "ask a running accounts supervisor to restart the tool").option("--json", "output JSON").action(action(async (name, args, opts) => {
   if (opts.supervisor && opts.launch)
     die("--supervisor and --launch cannot be used together");
   if (opts.supervisor) {
     const profile = getProfile(name, opts.tool);
-    const response = await sendSupervisorRequest(profile.tool, { type: "switch_profile", name: profile.name, tool: profile.tool, mode: opts.mode, resume: opts.resume ?? true, args }, { allowMissing: true });
+    const response = await sendSupervisorRequest(profile.tool, {
+      type: "switch_profile",
+      name: profile.name,
+      tool: profile.tool,
+      mode: opts.mode,
+      resume: opts.resume ?? true,
+      args,
+      permissions: opts.permissions
+    }, { allowMissing: true });
     if (!response) {
       die(`no running accounts supervisor for ${getTool(profile.tool).label}. Start one with \`accounts run ${profile.tool}\`.`);
     }
@@ -43976,7 +44138,13 @@ program2.command("switch").argument("<name>", "profile name").argument("[args...
     }
     return;
   }
-  const result = switchProfile(name, { tool: opts.tool, mode: opts.mode, resume: opts.resume, args });
+  const result = switchProfile(name, {
+    tool: opts.tool,
+    mode: opts.mode,
+    resume: opts.resume,
+    args,
+    permissions: opts.permissions
+  });
   if (opts.json) {
     console.log(JSON.stringify(result, null, 2));
   } else {
@@ -44022,13 +44190,14 @@ program2.command("env").argument("[name]", "profile name (defaults to the active
   const tool = getTool(profile.tool);
   console.log(formatExportLines(profileEnv(profile, tool)));
 }));
-program2.command("launch").argument("<name>", "profile name").argument("[args...]", "extra args passed to the tool binary").description("launch the tool's binary with the profile's config dir active").option("-t, --tool <tool>", "tool when the profile name exists for multiple tools").action(action((name, args, opts) => {
+program2.command("launch").argument("<name>", "profile name").argument("[args...]", "extra args passed to the tool binary").description("launch the tool's binary with the profile's config dir active").option("-t, --tool <tool>", "tool when the profile name exists for multiple tools").option("--permissions <preset>", "tool-specific permission preset, e.g. dangerous").action(action((name, args, opts) => {
   const profile = getProfile(name, opts.tool);
   const tool = getTool(profile.tool);
   const env2 = profileEnv(profile, tool);
+  const launchArgs = mergeToolArgs(tool, args, { permissions: opts.permissions });
   useProfile(name, tool.id);
-  console.log(source_default.dim(`→ ${formatEnvAssignments(env2)} ${tool.bin} ${args.join(" ")}`));
-  const res = spawnSync2(tool.bin, args, {
+  console.log(source_default.dim(`→ ${formatEnvAssignments(env2)} ${tool.bin} ${launchArgs.join(" ")}`));
+  const res = spawnSync2(tool.bin, launchArgs, {
     stdio: "inherit",
     env: { ...process.env, ...env2 }
   });
@@ -44036,9 +44205,11 @@ program2.command("launch").argument("<name>", "profile name").argument("[args...
     die(`failed to launch ${tool.bin}: ${res.error.message}`);
   process.exit(res.status ?? 0);
 }));
-program2.command("run").argument("<target>", "tool id to supervise (claude, codex, opencode...) or a profile name").argument("[args...]", "extra args passed to the tool binary").description("run a tool under the accounts supervisor so MCP can switch/restart it").option("-p, --profile <name>", "profile to run when target is a tool id").option("-t, --tool <tool>", "tool when target is a profile name").option("--resume", "start with the tool's resume/continue args").action(action(async (target, args, opts) => {
+program2.command("run").argument("<target>", "tool id to supervise (claude, codex, opencode...) or a profile name").argument("[args...]", "extra args passed to the tool binary").description("run a tool under the accounts supervisor so MCP can switch/restart it").option("-p, --profile <name>", "profile to run when target is a tool id").option("-t, --tool <tool>", "tool when target is a profile name").option("--resume", "start with the tool's resume/continue args").option("--permissions <preset>", "tool-specific permission preset, e.g. dangerous").action(action(async (target, args, opts) => {
   const plan = resolveSupervisorLaunch(target, { profile: opts.profile, tool: opts.tool });
-  const runArgs = [...opts.resume ? plan.tool.resumeArgs ?? [] : [], ...args];
+  const runArgs = mergeToolArgs(plan.tool, [...opts.resume ? plan.tool.resumeArgs ?? [] : [], ...args], {
+    permissions: opts.permissions
+  });
   console.error(source_default.green(`✓ accounts supervisor running ${plan.tool.label} as ${source_default.bold(plan.profile.name)}`));
   console.error(source_default.dim(`  control: accounts supervisor status ${plan.tool.id}`));
   console.error(source_default.dim(`  switch:  accounts switch <profile> --tool ${plan.tool.id} --supervisor`));
@@ -44071,9 +44242,17 @@ supervisor.command("status").argument("[tool]", "tool id").description("show run
     console.log(source_default.dim(`  ${state2.command.join(" ")}`));
   }
 }));
-supervisor.command("switch").argument("<name>", "profile name").argument("[args...]", "extra args passed after resume/continue args").description("switch a running supervisor to another profile").option("-t, --tool <tool>", "tool when the profile name exists for multiple tools").option("--mode <mode>", "switch mode: auto, apply, env, active", "auto").option("--no-resume", "restart without the tool's resume/continue args").option("--json", "output JSON").action(action(async (name, args, opts) => {
+supervisor.command("switch").argument("<name>", "profile name").argument("[args...]", "extra args passed after resume/continue args").description("switch a running supervisor to another profile").option("-t, --tool <tool>", "tool when the profile name exists for multiple tools").option("--mode <mode>", "switch mode: auto, apply, env, active", "auto").option("--no-resume", "restart without the tool's resume/continue args").option("--permissions <preset>", "tool-specific permission preset, e.g. dangerous").option("--json", "output JSON").action(action(async (name, args, opts) => {
   const profile = getProfile(name, opts.tool);
-  const response = await sendSupervisorRequest(profile.tool, { type: "switch_profile", name: profile.name, tool: profile.tool, mode: opts.mode, resume: opts.resume !== false, args }, { allowMissing: true });
+  const response = await sendSupervisorRequest(profile.tool, {
+    type: "switch_profile",
+    name: profile.name,
+    tool: profile.tool,
+    mode: opts.mode,
+    resume: opts.resume !== false,
+    args,
+    permissions: opts.permissions
+  }, { allowMissing: true });
   if (!response)
     die(`no running accounts supervisor for ${getTool(profile.tool).label}`);
   if (!response.ok)
@@ -44209,10 +44388,12 @@ tools.command("list", { isDefault: true }).description("list supported tools (bu
   for (const t of all) {
     const tag = isBuiltinTool(t.id) ? source_default.dim("built-in") : source_default.magenta("custom");
     const envNames = [t.envVar, ...Object.keys(t.extraEnv ?? {})].join(", ");
-    console.log(`${source_default.cyan(t.id.padEnd(10))} ${t.label.padEnd(16)} ${source_default.dim(envNames)} → ${source_default.dim(t.defaultDir)}  ${tag}`);
+    const permissions = Object.keys(t.permissionArgs ?? {});
+    const permissionsHint = permissions.length > 0 ? source_default.dim(` permissions: ${permissions.sort().join(",")}`) : "";
+    console.log(`${source_default.cyan(t.id.padEnd(10))} ${t.label.padEnd(16)} ${source_default.dim(envNames)} → ${source_default.dim(t.defaultDir)}  ${tag}${permissionsHint}`);
   }
 }));
-tools.command("add").argument("<id>", "tool id, e.g. cursor").description("register a custom tool/app so profiles can target it").requiredOption("--label <label>", 'display name, e.g. "Cursor"').requiredOption("--env-var <VAR>", "env var that points the tool at its config dir").requiredOption("--bin <bin>", "binary to launch").option("--default-dir <path>", "default config dir (default: ~/.<id>)").option("--extra-env <VAR=VALUE...>", "additional env var templates; supports {profileDir}, {profileName}, {toolId}").option("--login-arg <arg...>", "arguments for `accounts login <profile> --tool <id>`").option("--resume-arg <arg...>", "arguments for supervised resume/restart, e.g. --continue").option("--account-file <file>", "file inside the config dir holding the email").option("--email-path <path>", "dot-path to the email inside that file (e.g. account.email)").action(action((id, opts) => {
+tools.command("add").argument("<id>", "tool id, e.g. cursor").description("register a custom tool/app so profiles can target it").requiredOption("--label <label>", 'display name, e.g. "Cursor"').requiredOption("--env-var <VAR>", "env var that points the tool at its config dir").requiredOption("--bin <bin>", "binary to launch").option("--default-dir <path>", "default config dir (default: ~/.<id>)").option("--extra-env <VAR=VALUE...>", "additional env var templates; supports {profileDir}, {profileName}, {toolId}").option("--login-arg <arg...>", "arguments for `accounts login <profile> --tool <id>`").option("--resume-arg <arg...>", "arguments for supervised resume/restart, e.g. --continue").option("--permission-arg <preset=arg...>", "tool permission preset args, e.g. dangerous=--yolo").option("--account-file <file>", "file inside the config dir holding the email").option("--email-path <path>", "dot-path to the email inside that file (e.g. account.email)").action(action((id, opts) => {
   const extraEnv = {};
   for (const entry of opts.extraEnv ?? []) {
     const idx = entry.indexOf("=");
@@ -44220,6 +44401,7 @@ tools.command("add").argument("<id>", "tool id, e.g. cursor").description("regis
       die(`invalid --extra-env ${entry}; expected VAR=VALUE`);
     extraEnv[entry.slice(0, idx)] = entry.slice(idx + 1);
   }
+  const permissionArgs = parsePermissionArgs(opts.permissionArg);
   const def = {
     id,
     label: opts.label,
@@ -44229,6 +44411,7 @@ tools.command("add").argument("<id>", "tool id, e.g. cursor").description("regis
     ...Object.keys(extraEnv).length > 0 ? { extraEnv } : {},
     ...opts.loginArg ? { loginArgs: opts.loginArg } : {},
     ...opts.resumeArg ? { resumeArgs: opts.resumeArg } : {},
+    ...Object.keys(permissionArgs).length > 0 ? { permissionArgs } : {},
     ...opts.accountFile ? { accountFile: opts.accountFile } : {},
     ...opts.emailPath ? { emailPath: opts.emailPath.split(".") } : {}
   };

package/dist/index.d.ts

@@ -1,6 +1,6 @@
 export * from "./types.js";
 export { loadStore, saveStore, storePath, accountsHome, profilesDir } from "./storage.js";
-export { BUILTIN_TOOLS, DEFAULT_TOOL, getTool, listTools, isBuiltinTool, addCustomTool, removeCustomTool, } from "./lib/tools.js";
+export { BUILTIN_TOOLS, DEFAULT_TOOL, getTool, listTools, isBuiltinTool, addCustomTool, removeCustomTool, mergeToolArgs, normalizePermissionPreset, permissionArgsFor, } from "./lib/tools.js";
 export { profileEnv, formatEnvAssignments, formatExportLines } from "./lib/env.js";
 export { detectEmail } from "./lib/detect.js";
 export { expandPath, listProfiles, findProfile, getProfile, addProfile, removeProfile, renameProfile, updateProfile, redetectEmail, useProfile, currentProfile, } from "./lib/profiles.js";
@@ -17,7 +17,7 @@ export type { RunSupervisorOptions, SupervisorClientOptions, SupervisorLaunchPla
 export { pickProfile } from "./lib/pick.js";
 export type { PickOptions, PickResult } from "./lib/pick.js";
 export { installHook, uninstallHook, hookPath, hookScript, shellSnippet } from "./lib/hook.js";
-export { snapshotClaudeAuthToProfile, snapshotLiveAuthToProfile, restoreClaudeAuthFromProfile, ensureProfileAuthSnapshot, hasAuthSnapshot, profileHasAuth, } from "./lib/claude-auth.js";
+export { snapshotClaudeAuthToProfile, snapshotLiveAuthToProfile, restoreClaudeAuthFromProfile, ensureProfileAuthSnapshot, hasAuthSnapshot, profileHasAuth, sanitizeClaudeProfileApiSettings, sanitizeClaudeOAuthProfileSettings, sanitizeLiveClaudeOAuthSettings, CLAUDE_API_AUTH_ENV_KEYS, } from "./lib/claude-auth.js";
 export { withApplyLock } from "./lib/apply-lock.js";
 export { isSafeProfileName } from "./lib/hook.js";
 export { readClaudeKeychain, keychainSupported } from "./lib/keychain.js";

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,cAAc,YAAY,CAAC;AAC3B,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAC1F,OAAO,EACL,aAAa,EACb,YAAY,EACZ,OAAO,EACP,SAAS,EACT,aAAa,EACb,aAAa,EACb,gBAAgB,GACjB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,UAAU,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACnF,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EACL,UAAU,EACV,YAAY,EACZ,WAAW,EACX,UAAU,EACV,UAAU,EACV,aAAa,EACb,aAAa,EACb,aAAa,EACb,aAAa,EACb,UAAU,EACV,cAAc,GACf,MAAM,mBAAmB,CAAC;AAC3B,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClF,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,qBAAqB,EAAE,MAAM,yBAAyB,CAAC;AAC/E,YAAY,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAC7D,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAC/C,YAAY,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/E,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,uBAAuB,EACvB,iBAAiB,EACjB,qBAAqB,EACrB,aAAa,EACb,oBAAoB,EACpB,mBAAmB,GACpB,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EACV,oBAAoB,EACpB,uBAAuB,EACvB,oBAAoB,EACpB,iBAAiB,EACjB,kBAAkB,EAClB,eAAe,GAChB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC5C,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC7D,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,QAAQ,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC/F,OAAO,EACL,2BAA2B,EAC3B,yBAAyB,EACzB,4BAA4B,EAC5B,yBAAyB,EACzB,eAAe,EACf,cAAc,GACf,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAClD,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,cAAc,YAAY,CAAC;AAC3B,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAC1F,OAAO,EACL,aAAa,EACb,YAAY,EACZ,OAAO,EACP,SAAS,EACT,aAAa,EACb,aAAa,EACb,gBAAgB,EAChB,aAAa,EACb,yBAAyB,EACzB,iBAAiB,GAClB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,UAAU,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACnF,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EACL,UAAU,EACV,YAAY,EACZ,WAAW,EACX,UAAU,EACV,UAAU,EACV,aAAa,EACb,aAAa,EACb,aAAa,EACb,aAAa,EACb,UAAU,EACV,cAAc,GACf,MAAM,mBAAmB,CAAC;AAC3B,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClF,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,qBAAqB,EAAE,MAAM,yBAAyB,CAAC;AAC/E,YAAY,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAC7D,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAC/C,YAAY,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/E,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,uBAAuB,EACvB,iBAAiB,EACjB,qBAAqB,EACrB,aAAa,EACb,oBAAoB,EACpB,mBAAmB,GACpB,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EACV,oBAAoB,EACpB,uBAAuB,EACvB,oBAAoB,EACpB,iBAAiB,EACjB,kBAAkB,EAClB,eAAe,GAChB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC5C,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC7D,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,QAAQ,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC/F,OAAO,EACL,2BAA2B,EAC3B,yBAAyB,EACzB,4BAA4B,EAC5B,yBAAyB,EACzB,eAAe,EACf,cAAc,EACd,gCAAgC,EAChC,kCAAkC,EAClC,+BAA+B,EAC/B,wBAAwB,GACzB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAClD,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC"}