@hasna/accounts 0.1.19 → 0.1.20

package/dist/cli.js

@@ -12804,8 +12804,8 @@ More information can be found at: https://a.co/c895JFp`);
   };
   var createUserAgentStringParsingProvider = ({ serviceId, clientVersion }) => async (config2) => {
     const module2 = await Promise.resolve().then(() => __toESM(require_es5()));
-    const parse = module2.parse ?? module2.default.parse ?? (() => "");
-    const parsedUA = typeof window !== "undefined" && window?.navigator?.userAgent ? parse(window.navigator.userAgent) : undefined;
+    const parse2 = module2.parse ?? module2.default.parse ?? (() => "");
+    const parsedUA = typeof window !== "undefined" && window?.navigator?.userAgent ? parse2(window.navigator.userAgent) : undefined;
     const sections = [
       ["aws-sdk-js", clientVersion],
       ["ua", "2.1"],
@@ -14563,7 +14563,7 @@ var require_dist_cjs9 = __commonJS((exports) => {
 var require_util = __commonJS((exports) => {
   var protocols = require_protocols();
   var validate = (str) => typeof str === "string" && str.indexOf("arn:") === 0 && str.split(":").length >= 6;
-  var parse = (arn) => {
+  var parse2 = (arn) => {
     const segments = arn.split(":");
     if (segments.length < 6 || segments[0] !== "arn")
       throw new Error("Malformed ARN");
@@ -14613,7 +14613,7 @@ var require_util = __commonJS((exports) => {
   }
   exports.build = build;
   exports.formatUrl = formatUrl;
-  exports.parse = parse;
+  exports.parse = parse2;
   exports.validate = validate;
 });
 
@@ -30104,12 +30104,12 @@ var require_fromHttp = __commonJS((exports) => {
   var fromHttp = (options = {}) => {
     options.logger?.debug("@aws-sdk/credential-provider-http - fromHttp");
     let host;
-    const relative = options.awsContainerCredentialsRelativeUri ?? process.env[AWS_CONTAINER_CREDENTIALS_RELATIVE_URI];
+    const relative2 = options.awsContainerCredentialsRelativeUri ?? process.env[AWS_CONTAINER_CREDENTIALS_RELATIVE_URI];
     const full = options.awsContainerCredentialsFullUri ?? process.env[AWS_CONTAINER_CREDENTIALS_FULL_URI];
     const token = options.awsContainerAuthorizationToken ?? process.env[AWS_CONTAINER_AUTHORIZATION_TOKEN];
     const tokenFile = options.awsContainerAuthorizationTokenFile ?? process.env[AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE];
     const warn = options.logger?.constructor?.name === "NoOpLogger" || !options.logger?.warn ? console.warn : options.logger.warn.bind(options.logger);
-    if (relative && full) {
+    if (relative2 && full) {
       warn("@aws-sdk/credential-provider-http: " + "you have set both awsContainerCredentialsRelativeUri and awsContainerCredentialsFullUri.");
       warn("awsContainerCredentialsFullUri will take precedence.");
     }
@@ -30119,8 +30119,8 @@ var require_fromHttp = __commonJS((exports) => {
     }
     if (full) {
       host = full;
-    } else if (relative) {
-      host = `${DEFAULT_LINK_LOCAL_HOST}${relative}`;
+    } else if (relative2) {
+      host = `${DEFAULT_LINK_LOCAL_HOST}${relative2}`;
     } else {
       throw new config_1.CredentialsProviderError(`No HTTP credential provider host provided.
 Set AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINER_CREDENTIALS_RELATIVE_URI.`, { logger: options.logger });
@@ -36799,7 +36799,7 @@ var require_dist_cjs22 = __commonJS((exports) => {
 import { spawnSync as spawnSync2 } from "node:child_process";
 import { existsSync as existsSync13, readFileSync as readFileSync8 } from "node:fs";
 import { homedir as homedir6 } from "node:os";
-import { dirname as dirname5, join as join13 } from "node:path";
+import { dirname as dirname5, join as join14 } from "node:path";
 import { fileURLToPath } from "node:url";
 
 // node_modules/commander/esm.mjs
@@ -42002,62 +42002,131 @@ class AccountsError extends Error {
 
 // src/lib/tools.ts
 import { homedir as homedir3 } from "node:os";
-import { join as join3 } from "node:path";
+import { join as join4 } from "node:path";
 
 // src/storage.ts
 import { homedir as homedir2 } from "node:os";
 import { hostname } from "node:os";
-import { join as join2 } from "node:path";
+import { join as join3 } from "node:path";
 import { chmodSync, existsSync as existsSync3, mkdirSync as mkdirSync2, readFileSync, writeFileSync } from "node:fs";
 
 // src/lib/safe-path.ts
 import { existsSync as existsSync2, lstatSync, mkdirSync, realpathSync } from "node:fs";
-import { dirname, resolve } from "node:path";
+import { dirname, isAbsolute, join as join2, parse, relative, resolve, sep } from "node:path";
+function lstatIfExists(path) {
+  try {
+    return lstatSync(path);
+  } catch (err) {
+    if (err.code !== "ENOENT")
+      throw err;
+    return;
+  }
+}
 function throwIfSymlink(path, label) {
-  if (existsSync2(path) && lstatSync(path).isSymbolicLink()) {
+  if (lstatIfExists(path)?.isSymbolicLink()) {
     throw new AccountsError(`${label}: ${path}`);
   }
 }
-function assertDirChainSafe(targetFile, mustStayUnder) {
-  const absFile = resolve(targetFile);
-  const parent = dirname(absFile);
-  const base = mustStayUnder ? resolve(mustStayUnder) : undefined;
-  if (base) {
-    const rel = absFile.startsWith(base + "/") ? absFile.slice(base.length + 1) : "";
-    if (!rel && absFile !== base) {
-      throw new AccountsError(`refusing to write outside profile directory: ${targetFile}`);
-    }
-    const segments = rel.split("/").filter(Boolean);
-    if (segments.some((s) => s === "..")) {
-      throw new AccountsError(`refusing path traversal: ${targetFile}`);
-    }
-    let cursor = base;
-    for (let i = 0;i < segments.length - 1; i++) {
-      cursor = resolve(cursor, segments[i]);
-      throwIfSymlink(cursor, "refusing to write under symlink directory");
+function isAllowedSystemDirectorySymlink(path) {
+  if (path !== "/var" && path !== "/tmp")
+    return false;
+  try {
+    return realpathSync(path) === `/private${path}`;
+  } catch {
+    return false;
+  }
+}
+function assertDirectory(path, label, opts) {
+  const stat = lstatIfExists(path);
+  if (!stat) {
+    throw new AccountsError(`refusing to write under missing directory: ${path}`);
+  }
+  if (stat.isSymbolicLink()) {
+    if (opts?.allowSystemSymlink && isAllowedSystemDirectorySymlink(path))
+      return;
+    throw new AccountsError(`${label}: ${path}`);
+  }
+  if (!stat.isDirectory()) {
+    throw new AccountsError(`refusing to write under non-directory path: ${path}`);
+  }
+}
+function assertInsideBase(absPath, base, originalPath) {
+  const rel = relative(base, absPath);
+  if (rel === "")
+    return rel;
+  if (rel === ".." || rel.startsWith(".." + sep) || isAbsolute(rel)) {
+    throw new AccountsError(`refusing to write outside profile directory: ${originalPath}`);
+  }
+  return rel;
+}
+function assertExistingDirectoryComponentsSafe(path, label) {
+  const root = parse(path).root;
+  const rel = relative(root, path);
+  const segments = rel ? rel.split(sep).filter(Boolean) : [];
+  let cursor = root;
+  assertDirectory(cursor, label, { allowSystemSymlink: true });
+  for (const segment of segments) {
+    cursor = join2(cursor, segment);
+    if (!lstatIfExists(cursor))
+      return;
+    assertDirectory(cursor, label, { allowSystemSymlink: true });
+  }
+}
+function ensureBoundaryRootSafe(base) {
+  const missing = [];
+  let cursor = base;
+  while (!lstatIfExists(cursor)) {
+    missing.unshift(cursor);
+    const parent = dirname(cursor);
+    if (parent === cursor)
+      break;
+    cursor = parent;
+  }
+  assertDirectory(cursor, "refusing to use symlink base directory");
+  for (const dir of missing) {
+    if (lstatIfExists(dir)) {
+      assertDirectory(dir, "refusing to use symlink base directory");
+    } else {
+      mkdirSync(dir);
+      assertDirectory(dir, "refusing to use symlink base directory");
     }
-  } else {
-    let cursor = parent;
-    for (;; ) {
-      throwIfSymlink(cursor, "refusing to write under symlink directory");
-      const next = dirname(cursor);
-      if (next === cursor)
-        break;
-      cursor = next;
+  }
+  assertDirectory(base, "refusing to use symlink base directory");
+}
+function ensureDirectoryChainSafe(parent, startAt) {
+  const root = startAt ?? parse(parent).root;
+  const rel = relative(root, parent);
+  const segments = rel ? rel.split(sep).filter(Boolean) : [];
+  let cursor = root;
+  if (startAt)
+    assertDirectory(startAt, "refusing to write under symlink directory");
+  for (const segment of segments) {
+    cursor = join2(cursor, segment);
+    if (lstatIfExists(cursor)) {
+      assertDirectory(cursor, "refusing to write under symlink directory");
+    } else {
+      mkdirSync(cursor);
+      assertDirectory(cursor, "refusing to write under symlink directory");
     }
   }
 }
 function assertSafeWritePath(filePath, opts) {
   const absFile = resolve(filePath);
   const parent = dirname(absFile);
-  if (!existsSync2(parent))
-    mkdirSync(parent, { recursive: true });
+  const base = opts?.mustStayUnder ? resolve(opts.mustStayUnder) : undefined;
+  if (base) {
+    assertInsideBase(absFile, base, filePath);
+    assertExistingDirectoryComponentsSafe(base, "refusing to use symlink base directory");
+    ensureBoundaryRootSafe(base);
+    ensureDirectoryChainSafe(parent, base);
+  } else {
+    ensureDirectoryChainSafe(parent);
+  }
   throwIfSymlink(absFile, "refusing to write through symlink");
-  assertDirChainSafe(absFile, opts?.mustStayUnder);
   const resolved = realpathSync(existsSync2(absFile) ? absFile : parent);
-  if (opts?.mustStayUnder) {
-    const base = realpathSync(resolve(opts.mustStayUnder));
-    if (resolved !== base && !resolved.startsWith(base + "/")) {
+  if (base) {
+    const realBase = realpathSync(base);
+    if (resolved !== realBase && !resolved.startsWith(realBase + sep)) {
       throw new AccountsError(`refusing to write outside profile directory: ${filePath}`);
     }
   }
@@ -42096,16 +42165,16 @@ function accountsHome() {
   const override = process.env.ACCOUNTS_HOME;
   if (override && override.trim())
     return validateEnvPath(override, "ACCOUNTS_HOME");
-  return join2(homedir2(), ".hasna", "accounts");
+  return join3(homedir2(), ".hasna", "accounts");
 }
 function storePath() {
   const override = process.env.ACCOUNTS_STORE_PATH;
   if (override && override.trim())
     return validateEnvPath(override, "ACCOUNTS_STORE_PATH");
-  return join2(accountsHome(), "accounts.json");
+  return join3(accountsHome(), "accounts.json");
 }
 function profilesDir() {
-  return join2(accountsHome(), "profiles");
+  return join3(accountsHome(), "profiles");
 }
 var EMPTY_STORE = { version: 1, current: {}, applied: {}, profiles: [], tools: [] };
 function loadStore() {
@@ -42148,7 +42217,7 @@ function loadStore() {
 function saveStore(store) {
   const path = storePath();
   assertSafeWritePath(path, { mustStayUnder: accountsHome() });
-  mkdirSync2(join2(path, ".."), { recursive: true });
+  mkdirSync2(join3(path, ".."), { recursive: true });
   if (existsSync3(path))
     chmodSync(path, 384);
   writeFileSync(path, JSON.stringify(store, null, 2) + `
@@ -42302,7 +42371,7 @@ var BUILTIN_TOOLS = [
     extraEnv: {
       TELEGRAM_STATE_DIR: "{profileDir}/channels/telegram"
     },
-    defaultDir: join3(homedir3(), ".claude"),
+    defaultDir: join4(homedir3(), ".claude"),
     bin: "claude",
     loginHint: "run /login inside Claude, then /exit when done",
     resumeArgs: ["--continue"],
@@ -42322,7 +42391,7 @@ var BUILTIN_TOOLS = [
     id: "codex-app",
     label: "Codex App",
     envVar: "CODEX_HOME",
-    defaultDir: join3(homedir3(), ".codex"),
+    defaultDir: join4(homedir3(), ".codex"),
     bin: "/Applications/Codex.app/Contents/MacOS/Codex",
     loginHint: "sign in inside Codex.app, then quit the app when the profile is ready",
     launchArgs: ["--user-data-dir={profileDir}/electron-user-data"],
@@ -42332,7 +42401,7 @@ var BUILTIN_TOOLS = [
     id: "codex",
     label: "Codex CLI",
     envVar: "CODEX_HOME",
-    defaultDir: join3(homedir3(), ".codex"),
+    defaultDir: join4(homedir3(), ".codex"),
     bin: "codex",
     loginArgs: ["login"],
     loginHint: "complete the Codex login flow for this CODEX_HOME",
@@ -42345,7 +42414,7 @@ var BUILTIN_TOOLS = [
     id: "takumi",
     label: "Takumi",
     envVar: "TAKUMI_CONFIG_DIR",
-    defaultDir: join3(homedir3(), ".takumi"),
+    defaultDir: join4(homedir3(), ".takumi"),
     bin: "takumi",
     loginHint: "complete Takumi auth in this TAKUMI_CONFIG_DIR",
     resumeArgs: ["--continue"],
@@ -42365,7 +42434,7 @@ var BUILTIN_TOOLS = [
     id: "gemini",
     label: "Gemini CLI",
     envVar: "GEMINI_CONFIG_DIR",
-    defaultDir: join3(homedir3(), ".gemini"),
+    defaultDir: join4(homedir3(), ".gemini"),
     bin: "gemini",
     loginHint: "complete Gemini auth in this GEMINI_CONFIG_DIR",
     permissionArgs: {
@@ -42383,7 +42452,7 @@ var BUILTIN_TOOLS = [
       XDG_CONFIG_HOME: "{profileDir}/xdg-config",
       XDG_DATA_HOME: "{profileDir}/xdg-data"
     },
-    defaultDir: join3(homedir3(), ".config", "opencode"),
+    defaultDir: join4(homedir3(), ".config", "opencode"),
     bin: "opencode",
     loginArgs: ["auth", "login"],
     loginHint: "complete opencode auth login for this isolated config/data root",
@@ -42393,7 +42462,7 @@ var BUILTIN_TOOLS = [
     id: "cursor",
     label: "Cursor Agent",
     envVar: "CURSOR_CONFIG_DIR",
-    defaultDir: join3(homedir3(), ".cursor"),
+    defaultDir: join4(homedir3(), ".cursor"),
     bin: "cursor-agent",
     loginArgs: ["login"],
     loginHint: "complete cursor-agent login for this CURSOR_CONFIG_DIR"
@@ -42402,7 +42471,7 @@ var BUILTIN_TOOLS = [
     id: "pi",
     label: "Pi Coding Agent",
     envVar: "PI_CODING_AGENT_HOME",
-    defaultDir: join3(homedir3(), ".pi"),
+    defaultDir: join4(homedir3(), ".pi"),
     bin: "pi",
     loginHint: "complete Pi coding agent auth in this PI_CODING_AGENT_HOME"
   },
@@ -42410,7 +42479,7 @@ var BUILTIN_TOOLS = [
     id: "hermes",
     label: "Hermes",
     envVar: "HERMES_HOME",
-    defaultDir: join3(homedir3(), ".hermes"),
+    defaultDir: join4(homedir3(), ".hermes"),
     bin: "hermes",
     loginHint: "complete Hermes auth in this HERMES_HOME",
     permissionArgs: {
@@ -42422,7 +42491,7 @@ var BUILTIN_TOOLS = [
     id: "kimi",
     label: "Kimi Code",
     envVar: "KIMI_CODE_HOME",
-    defaultDir: join3(homedir3(), ".kimi-code"),
+    defaultDir: join4(homedir3(), ".kimi-code"),
     bin: "kimi",
     loginArgs: ["login"],
     loginHint: "complete kimi login for this KIMI_CODE_HOME",
@@ -42437,7 +42506,7 @@ var BUILTIN_TOOLS = [
     id: "grok",
     label: "Grok Build",
     envVar: "HOME",
-    defaultDir: join3(homedir3(), ".grok"),
+    defaultDir: join4(homedir3(), ".grok"),
     bin: "grok",
     loginArgs: ["login"],
     loginHint: "complete grok login in this process-scoped HOME; prefer launch/shell over exporting HOME globally"
@@ -42544,18 +42613,18 @@ function removeCustomTool(id) {
 
 // src/lib/profiles.ts
 import { homedir as homedir4 } from "node:os";
-import { isAbsolute, join as join5, relative, resolve as resolve2 } from "node:path";
+import { isAbsolute as isAbsolute2, join as join6, relative as relative2, resolve as resolve2 } from "node:path";
 import { existsSync as existsSync5, mkdirSync as mkdirSync3, rmSync } from "node:fs";
 
 // src/lib/detect.ts
 import { existsSync as existsSync4, readFileSync as readFileSync2 } from "node:fs";
-import { dirname as dirname2, join as join4 } from "node:path";
+import { dirname as dirname2, join as join5 } from "node:path";
 function detectEmail(dir, tool) {
   if (!tool.accountFile || !tool.emailPath)
     return;
-  const candidates = [join4(dir, tool.accountFile)];
+  const candidates = [join5(dir, tool.accountFile)];
   if (dir === tool.defaultDir)
-    candidates.push(join4(dirname2(dir), tool.accountFile));
+    candidates.push(join5(dirname2(dir), tool.accountFile));
   for (const file of candidates) {
     const email = readEmail(file, tool.emailPath);
     if (email)
@@ -42591,8 +42660,8 @@ function expandPath(p) {
   if (out === "~")
     out = homedir4();
   else if (out.startsWith("~/"))
-    out = join5(homedir4(), out.slice(2));
-  return isAbsolute(out) ? out : resolve2(process.cwd(), out);
+    out = join6(homedir4(), out.slice(2));
+  return isAbsolute2(out) ? out : resolve2(process.cwd(), out);
 }
 function listProfiles(toolId) {
   const profiles = loadStore().profiles;
@@ -42603,8 +42672,8 @@ function profileMatches(name, toolId) {
   return loadStore().profiles.filter((p) => p.name === name && (!toolId || p.tool === toolId));
 }
 function isManagedProfileDir(dir) {
-  const rel = relative(resolve2(profilesDir()), resolve2(dir));
-  return rel !== "" && !rel.startsWith("..") && !isAbsolute(rel);
+  const rel = relative2(resolve2(profilesDir()), resolve2(dir));
+  return rel !== "" && !rel.startsWith("..") && !isAbsolute2(rel);
 }
 function getProfile(name, toolId) {
   const matches = profileMatches(name, toolId);
@@ -42629,7 +42698,7 @@ function addProfile(opts) {
   if (store.profiles.some((p) => p.name === name && p.tool === toolId)) {
     throw new AccountsError(`a ${toolId} profile named "${name}" already exists`);
   }
-  const dir = opts.dir ? expandPath(opts.dir) : join5(profilesDir(), toolId, name);
+  const dir = opts.dir ? expandPath(opts.dir) : join6(profilesDir(), toolId, name);
   if (store.profiles.some((p) => p.dir === dir)) {
     throw new AccountsError(`a profile already uses config dir ${dir}`);
   }
@@ -42771,11 +42840,11 @@ function currentProfile(toolId) {
 
 // src/lib/claude-auth.ts
 import { copyFileSync, existsSync as existsSync6, lstatSync as lstatSync2, mkdirSync as mkdirSync4, readFileSync as readFileSync3, statSync, unlinkSync, writeFileSync as writeFileSync2 } from "node:fs";
-import { dirname as dirname4, join as join7 } from "node:path";
+import { dirname as dirname4, join as join8 } from "node:path";
 
 // src/lib/claude-layout.ts
 import { homedir as homedir5 } from "node:os";
-import { dirname as dirname3, join as join6 } from "node:path";
+import { dirname as dirname3, join as join7 } from "node:path";
 var CLAUDE_KEYCHAIN_SERVICE = "Claude Code-credentials";
 var ACCOUNTS_AUTH_DIR = ".accounts-auth";
 var OAUTH_SNAPSHOT = "oauth-account.json";
@@ -42787,32 +42856,32 @@ function liveClaudeBase() {
 }
 function liveClaudePaths() {
   const base = liveClaudeBase();
-  const configDir = join6(base, ".claude");
+  const configDir = join7(base, ".claude");
   return {
     configDir,
-    homeJson: join6(base, ".claude.json"),
-    credentialsFile: join6(configDir, ".credentials.json")
+    homeJson: join7(base, ".claude.json"),
+    credentialsFile: join7(configDir, ".credentials.json")
   };
 }
 function profileAccountJsonPaths(profileDir, tool) {
   if (!tool.accountFile)
     return [];
-  const paths = [join6(profileDir, tool.accountFile)];
+  const paths = [join7(profileDir, tool.accountFile)];
   if (profileDir === tool.defaultDir)
-    paths.push(join6(dirname3(profileDir), tool.accountFile));
+    paths.push(join7(dirname3(profileDir), tool.accountFile));
   return paths;
 }
 function profileAuthDir(profileDir) {
-  return join6(profileDir, ACCOUNTS_AUTH_DIR);
+  return join7(profileDir, ACCOUNTS_AUTH_DIR);
 }
 function profileOAuthSnapshot(profileDir) {
-  return join6(profileAuthDir(profileDir), OAUTH_SNAPSHOT);
+  return join7(profileAuthDir(profileDir), OAUTH_SNAPSHOT);
 }
 function profileCredentialsSnapshot(profileDir) {
-  return join6(profileAuthDir(profileDir), CREDENTIALS_SNAPSHOT);
+  return join7(profileAuthDir(profileDir), CREDENTIALS_SNAPSHOT);
 }
 function profileKeychainSnapshot(profileDir) {
-  return join6(profileAuthDir(profileDir), KEYCHAIN_SNAPSHOT);
+  return join7(profileAuthDir(profileDir), KEYCHAIN_SNAPSHOT);
 }
 
 // src/lib/keychain.ts
@@ -42966,7 +43035,7 @@ function mergeOAuthInto(paths, oauth, allowDelete, stayUnder) {
   }
 }
 function sanitizeSettingsFile(configDir, stayUnder) {
-  const settingsPath = join7(configDir, "settings.json");
+  const settingsPath = join8(configDir, "settings.json");
   const settings = readJsonFile(settingsPath);
   if (!settings)
     return false;
@@ -43013,7 +43082,7 @@ function liveOAuthEmail() {
 }
 function snapshotLiveAuthToProfile(profileDir, _tool) {
   const authDir = profileAuthDir(profileDir);
-  assertSafeWritePath(join7(authDir, OAUTH_SNAPSHOT), { mustStayUnder: profileDir });
+  assertSafeWritePath(join8(authDir, OAUTH_SNAPSHOT), { mustStayUnder: profileDir });
   mkdirSync4(authDir, { recursive: true });
   const live = liveClaudePaths();
   const oauth = readOAuthFromPaths([live.homeJson]);
@@ -43032,14 +43101,14 @@ function snapshotLiveAuthToProfile(profileDir, _tool) {
 }
 function ensureProfileAuthSnapshot(profileDir, tool, opts = {}) {
   const authDir = profileAuthDir(profileDir);
-  assertSafeWritePath(join7(authDir, OAUTH_SNAPSHOT), { mustStayUnder: profileDir });
+  assertSafeWritePath(join8(authDir, OAUTH_SNAPSHOT), { mustStayUnder: profileDir });
   mkdirSync4(authDir, { recursive: true });
   const oauthSource = findOAuthSource(profileAccountJsonPaths(profileDir, tool));
   const oauthSnap = profileOAuthSnapshot(profileDir);
   if (oauthSource && (opts.overwrite || snapshotIsStale(oauthSource.path, oauthSnap))) {
     writeJsonFile(oauthSnap, { oauthAccount: oauthSource.oauth }, profileDir);
   }
-  const credFile = join7(profileDir, ".credentials.json");
+  const credFile = join8(profileDir, ".credentials.json");
   const credSnap = profileCredentialsSnapshot(profileDir);
   if (existsSync6(credFile) && (opts.overwrite || snapshotIsStale(credFile, credSnap))) {
     assertSafeWritePath(credSnap, { mustStayUnder: profileDir });
@@ -43101,9 +43170,9 @@ function hasAuthSnapshot(profileDir) {
 
 // src/lib/apply-lock.ts
 import { closeSync, existsSync as existsSync7, mkdirSync as mkdirSync5, openSync, unlinkSync as unlinkSync2, writeFileSync as writeFileSync3 } from "node:fs";
-import { join as join8 } from "node:path";
+import { join as join9 } from "node:path";
 function lockPath() {
-  return join8(accountsHome(), ".apply.lock");
+  return join9(accountsHome(), ".apply.lock");
 }
 function withApplyLock(fn) {
   const home = accountsHome();
@@ -43352,7 +43421,7 @@ function listAgentsAcrossProfiles(opts = {}) {
 
 // src/lib/import-profile.ts
 import { cpSync, existsSync as existsSync9 } from "node:fs";
-import { join as join9 } from "node:path";
+import { join as join10 } from "node:path";
 function importProfile(opts) {
   const toolId = opts.tool ?? DEFAULT_TOOL;
   const tool = getTool(toolId);
@@ -43362,7 +43431,7 @@ function importProfile(opts) {
     throw new AccountsError(`config dir does not exist: ${sourceDir}`);
   }
   if (opts.copy) {
-    const targetDir = join9(profilesDir(), toolId, name);
+    const targetDir = join10(profilesDir(), toolId, name);
     if (existsSync9(targetDir)) {
       throw new AccountsError(`managed copy target already exists: ${targetDir}`);
     }
@@ -43448,7 +43517,7 @@ async function pickProfile(opts = {}) {
 
 // src/lib/hook.ts
 import { existsSync as existsSync10, mkdirSync as mkdirSync6, readFileSync as readFileSync5, unlinkSync as unlinkSync3, writeFileSync as writeFileSync4 } from "node:fs";
-import { join as join10 } from "node:path";
+import { join as join11 } from "node:path";
 var HOOK_FILE = "claude-hook.sh";
 var MARKER = "# accounts-claude-hook";
 var NAME_PATTERN = "^[a-z0-9][a-z0-9-]*$";
@@ -43456,7 +43525,7 @@ function shellQuotePath(path) {
   return `'${path.replace(/'/g, `'\\''`)}'`;
 }
 function hookPath() {
-  return join10(accountsHome(), HOOK_FILE);
+  return join11(accountsHome(), HOOK_FILE);
 }
 function hookScript() {
   const quotedHook = shellQuotePath(hookPath());
@@ -43507,7 +43576,7 @@ function shellSnippet() {
 
 // src/lib/codex-app.ts
 import { existsSync as existsSync11, mkdirSync as mkdirSync7, readFileSync as readFileSync6, writeFileSync as writeFileSync5 } from "node:fs";
-import { join as join11 } from "node:path";
+import { join as join12 } from "node:path";
 var FILE_CREDENTIALS_LINE = 'cli_auth_credentials_store = "file"';
 function insertRootConfigLine(config, line) {
   if (config.trim() === "")
@@ -43534,7 +43603,7 @@ ${after}${after.endsWith(`
 }
 function ensureCodexAppProfileConfig(profileDir) {
   mkdirSync7(profileDir, { recursive: true });
-  const configPath = join11(profileDir, "config.toml");
+  const configPath = join12(profileDir, "config.toml");
   const current = existsSync11(configPath) ? readFileSync6(configPath, "utf8") : "";
   if (/^\s*cli_auth_credentials_store\s*=/.test(current))
     return;
@@ -43634,20 +43703,20 @@ import { spawn as spawn2 } from "node:child_process";
 import { createHash } from "node:crypto";
 import { existsSync as existsSync12, mkdirSync as mkdirSync8, readFileSync as readFileSync7, readdirSync, rmSync as rmSync2, writeFileSync as writeFileSync6 } from "node:fs";
 import { createConnection, createServer } from "node:net";
-import { basename, join as join12 } from "node:path";
+import { basename, join as join13 } from "node:path";
 var STATE_SUFFIX = ".json";
 function supervisorDir() {
-  return join12(accountsHome(), "supervisors");
+  return join13(accountsHome(), "supervisors");
 }
 function supervisorStatePath(toolId) {
-  return join12(supervisorDir(), `${toolId}${STATE_SUFFIX}`);
+  return join13(supervisorDir(), `${toolId}${STATE_SUFFIX}`);
 }
 function supervisorSocketPath(toolId) {
   if (process.platform === "win32") {
     const hash = createHash("sha1").update(accountsHome()).digest("hex").slice(0, 12);
     return `\\\\.\\pipe\\hasna-accounts-${hash}-${toolId}`;
   }
-  return join12(supervisorDir(), `${toolId}.sock`);
+  return join13(supervisorDir(), `${toolId}.sock`);
 }
 function nowIso2() {
   return new Date().toISOString();
@@ -44245,7 +44314,7 @@ program2.command("switch").argument("<name>", "profile name").argument("[args...
   }
 }));
 var hook = program2.command("hook").description("install a shell wrapper for claude");
-hook.command("install").description(`write ${join13(accountsHome(), "claude-hook.sh")}`).action(action(() => {
+hook.command("install").description(`write ${join14(accountsHome(), "claude-hook.sh")}`).action(action(() => {
   const { path, created } = installHook();
   console.log(source_default.green(created ? `✓ installed hook at ${path}` : `✓ updated hook at ${path}`));
   console.log(source_default.dim(`  add to ~/.zshrc:  ${shellSnippet()}`));
@@ -44485,7 +44554,7 @@ tools.command("add").argument("<id>", "tool id, e.g. cursor").description("regis
     label: opts.label,
     envVar: opts.envVar,
     bin: opts.bin,
-    defaultDir: opts.defaultDir ? expandPath(opts.defaultDir) : join13(homedir6(), `.${id}`),
+    defaultDir: opts.defaultDir ? expandPath(opts.defaultDir) : join14(homedir6(), `.${id}`),
     ...Object.keys(extraEnv).length > 0 ? { extraEnv } : {},
     ...opts.loginArg ? { loginArgs: opts.loginArg } : {},
     ...opts.launchArg ? { launchArgs: opts.launchArg } : {},
@@ -44557,7 +44626,7 @@ program2.parseAsync(process.argv);
 function getVersion() {
   try {
     const here = dirname5(fileURLToPath(import.meta.url));
-    for (const candidate of [join13(here, "..", "package.json"), join13(here, "package.json")]) {
+    for (const candidate of [join14(here, "..", "package.json"), join14(here, "package.json")]) {
       if (existsSync13(candidate)) {
         const pkg = JSON.parse(readFileSync8(candidate, "utf8"));
         if (pkg.version)