@mostok/codexes 0.1.0

package/dist/cli.js

@@ -0,0 +1,3426 @@
+#!/usr/bin/env node
+
+// src/logging/logger.ts
+var LOG_LEVEL_ORDER = {
+  DEBUG: 10,
+  INFO: 20,
+  WARN: 30,
+  ERROR: 40
+};
+function resolveLogLevel(value) {
+  switch (value?.toUpperCase()) {
+    case "ERROR":
+      return "ERROR";
+    case "WARN":
+      return "WARN";
+    case "INFO":
+      return "INFO";
+    case "DEBUG":
+      return "DEBUG";
+    default:
+      return "ERROR";
+  }
+}
+function createLogSink(stream) {
+  return {
+    write(level, event, details = {}) {
+      stream.write(
+        `${JSON.stringify({
+          ts: (/* @__PURE__ */ new Date()).toISOString(),
+          level,
+          event,
+          details
+        })}
+`
+      );
+    }
+  };
+}
+function createLogger(input) {
+  const configuredLevel = resolveLogLevel(input.level);
+  return {
+    debug(event, details) {
+      logWithLevel("DEBUG", input.name, configuredLevel, input.sink, event, details);
+    },
+    info(event, details) {
+      logWithLevel("INFO", input.name, configuredLevel, input.sink, event, details);
+    },
+    warn(event, details) {
+      logWithLevel("WARN", input.name, configuredLevel, input.sink, event, details);
+    },
+    error(event, details) {
+      logWithLevel("ERROR", input.name, configuredLevel, input.sink, event, details);
+    }
+  };
+}
+function logWithLevel(level, name, configuredLevel, sink, event, details) {
+  if (LOG_LEVEL_ORDER[level] < LOG_LEVEL_ORDER[configuredLevel]) {
+    return;
+  }
+  sink.write(level, `${name}.${event}`, details);
+}
+
+// src/config/wrapper-config.ts
+import { mkdir, readFile } from "node:fs/promises";
+var DEFAULT_EXPERIMENTAL_PROBE_TIMEOUT_MS = 3500;
+var DEFAULT_EXPERIMENTAL_CACHE_TTL_MS = 6e4;
+async function resolveWrapperConfig(input) {
+  await mkdir(input.paths.dataRoot, { recursive: true });
+  const credentialStoreMode = await detectCredentialStoreMode(
+    input.paths.codexConfigFile,
+    input.logger
+  );
+  const resolved = {
+    configFilePath: input.paths.wrapperConfigFile,
+    codexConfigFilePath: input.paths.codexConfigFile,
+    selectionCacheFilePath: input.paths.selectionCacheFile,
+    credentialStoreMode,
+    credentialStorePolicyReason: credentialStoreMode === "file" ? "file mode detected in Codex config" : "codexes currently supports only file-backed auth storage",
+    accountSelectionStrategy: resolveAccountSelectionStrategy(input.env),
+    experimentalSelection: resolveExperimentalSelectionConfig(input.env, input.logger)
+  };
+  input.logger.info("wrapper_config.resolved", {
+    configFilePath: resolved.configFilePath,
+    codexConfigFilePath: resolved.codexConfigFilePath,
+    selectionCacheFilePath: resolved.selectionCacheFilePath,
+    credentialStoreMode: resolved.credentialStoreMode,
+    accountSelectionStrategy: resolved.accountSelectionStrategy,
+    experimentalSelection: resolved.experimentalSelection
+  });
+  return resolved;
+}
+function resolveExperimentalSelectionConfig(env, logger) {
+  const probeTimeoutMs = resolvePositiveIntegerEnv({
+    defaultValue: DEFAULT_EXPERIMENTAL_PROBE_TIMEOUT_MS,
+    env,
+    envKey: "CODEXES_EXPERIMENTAL_SELECTION_TIMEOUT_MS",
+    logger
+  });
+  const cacheTtlMs = resolvePositiveIntegerEnv({
+    defaultValue: DEFAULT_EXPERIMENTAL_CACHE_TTL_MS,
+    env,
+    envKey: "CODEXES_EXPERIMENTAL_SELECTION_CACHE_TTL_MS",
+    logger
+  });
+  const useAccountIdHeader = resolveBooleanEnv(
+    env.CODEXES_EXPERIMENTAL_SELECTION_USE_ACCOUNT_ID_HEADER
+  );
+  const enabled = resolveAccountSelectionStrategy(env) === "remaining-limit-experimental";
+  logger.debug("wrapper_config.experimental_selection_resolved", {
+    enabled,
+    probeTimeoutMs,
+    cacheTtlMs,
+    useAccountIdHeader
+  });
+  return {
+    enabled,
+    probeTimeoutMs,
+    cacheTtlMs,
+    useAccountIdHeader
+  };
+}
+function resolveAccountSelectionStrategy(env) {
+  switch (env.CODEXES_ACCOUNT_SELECTION_STRATEGY?.trim().toLowerCase()) {
+    case "single-account":
+      return "single-account";
+    case "remaining-limit-experimental":
+      return "remaining-limit-experimental";
+    case "manual-default":
+    case void 0:
+    case "":
+      return "manual-default";
+    default:
+      return "manual-default";
+  }
+}
+async function detectCredentialStoreMode(configFile, logger) {
+  try {
+    const rawConfig = await readFile(configFile, "utf8");
+    const mode = parseCredentialStoreMode(rawConfig);
+    logger.debug("credential_store.detected", {
+      configFile,
+      credentialStoreMode: mode
+    });
+    return mode;
+  } catch (error) {
+    if (typeof error === "object" && error !== null && "code" in error && error.code === "ENOENT") {
+      logger.warn("credential_store.config_missing", {
+        configFile,
+        fallbackMode: "missing"
+      });
+      return "missing";
+    }
+    logger.error("credential_store.read_failed", {
+      configFile,
+      message: error instanceof Error ? error.message : String(error)
+    });
+    return "unknown";
+  }
+}
+function parseCredentialStoreMode(rawConfig) {
+  const match = rawConfig.match(/^\s*cli_auth_credentials_store\s*=\s*"([^"]+)"/m);
+  if (!match) {
+    return "missing";
+  }
+  const configuredValue = match[1];
+  if (!configuredValue) {
+    return "unknown";
+  }
+  switch (configuredValue.trim().toLowerCase()) {
+    case "file":
+      return "file";
+    case "keyring":
+      return "keyring";
+    case "auto":
+      return "auto";
+    default:
+      return "unknown";
+  }
+}
+function resolvePositiveIntegerEnv(input) {
+  const raw = input.env[input.envKey]?.trim();
+  if (!raw) {
+    return input.defaultValue;
+  }
+  const parsed = Number.parseInt(raw, 10);
+  if (!Number.isFinite(parsed) || parsed <= 0) {
+    input.logger.warn("wrapper_config.invalid_env_override", {
+      envKey: input.envKey,
+      rawValue: raw,
+      fallbackValue: input.defaultValue
+    });
+    return input.defaultValue;
+  }
+  return parsed;
+}
+function resolveBooleanEnv(value) {
+  switch (value?.trim().toLowerCase()) {
+    case "1":
+    case "true":
+    case "yes":
+    case "on":
+      return true;
+    default:
+      return false;
+  }
+}
+
+// src/core/paths.ts
+import path from "node:path";
+import os from "node:os";
+function resolvePaths(cwd, env) {
+  const baseDataDir = resolveBaseDataDir(env);
+  return {
+    projectRoot: cwd,
+    dataRoot: baseDataDir,
+    sharedCodexHome: env.CODEX_HOME ?? path.join(baseDataDir, "shared-home"),
+    accountRoot: path.join(baseDataDir, "accounts"),
+    runtimeRoot: path.join(baseDataDir, "runtime"),
+    registryFile: path.join(baseDataDir, "registry.json"),
+    wrapperConfigFile: path.join(baseDataDir, "codexes.json"),
+    codexConfigFile: path.join(env.CODEX_HOME ?? path.join(baseDataDir, "shared-home"), "config.toml"),
+    selectionCacheFile: path.join(baseDataDir, "selection-cache.json")
+  };
+}
+function resolveBaseDataDir(env) {
+  if (process.platform === "win32") {
+    return path.join(
+      env.LOCALAPPDATA ?? path.join(os.homedir(), "AppData", "Local"),
+      "codexes"
+    );
+  }
+  if (process.platform === "darwin") {
+    return path.join(
+      env.HOME ?? os.homedir(),
+      "Library",
+      "Application Support",
+      "codexes"
+    );
+  }
+  const xdgStateHome = env.XDG_STATE_HOME;
+  if (xdgStateHome) {
+    return path.join(xdgStateHome, "codexes");
+  }
+  return path.join(env.HOME ?? os.homedir(), ".local", "state", "codexes");
+}
+
+// src/process/find-codex-binary.ts
+import { access, stat } from "node:fs/promises";
+import path2 from "node:path";
+async function findCodexBinary(input) {
+  const candidates = buildCandidates(input.env);
+  const rejectedCandidates = [];
+  input.logger.debug("binary_resolution.start", {
+    wrapperExecutablePath: input.wrapperExecutablePath,
+    candidateCount: candidates.length
+  });
+  for (const candidate of candidates) {
+    const reason = await getRejectionReason(candidate, input.wrapperExecutablePath);
+    if (reason) {
+      rejectedCandidates.push({ candidate, reason });
+      input.logger.debug("binary_resolution.rejected", { candidate, reason });
+      continue;
+    }
+    input.logger.info("binary_resolution.selected", { candidate });
+    return {
+      path: candidate,
+      candidates,
+      rejectedCandidates
+    };
+  }
+  input.logger.warn("binary_resolution.missing", {
+    wrapperExecutablePath: input.wrapperExecutablePath,
+    rejectedCandidates
+  });
+  return {
+    path: null,
+    candidates,
+    rejectedCandidates
+  };
+}
+function buildCandidates(env) {
+  const pathValue = env.PATH ?? "";
+  const pathEntries = pathValue.split(path2.delimiter).map((entry) => entry.trim()).filter(Boolean);
+  const executableNames = process.platform === "win32" ? ["codex.cmd", "codex.exe", "codex.bat"] : ["codex"];
+  return Array.from(
+    new Set(
+      pathEntries.flatMap(
+        (entry) => executableNames.map((executableName) => path2.join(entry, executableName))
+      )
+    )
+  );
+}
+async function getRejectionReason(candidate, wrapperExecutablePath) {
+  try {
+    await access(candidate);
+  } catch {
+    return "not_accessible";
+  }
+  const [candidateStat, wrapperStat] = await Promise.all([
+    stat(candidate).catch(() => null),
+    stat(wrapperExecutablePath).catch(() => null)
+  ]);
+  if (!candidateStat || !candidateStat.isFile()) {
+    return "not_a_file";
+  }
+  if (wrapperStat && isSameFile(candidate, wrapperExecutablePath, candidateStat, wrapperStat)) {
+    return "self_recursive_wrapper_path";
+  }
+  if (path2.basename(candidate).toLowerCase().startsWith("codexes")) {
+    return "wrapper_named_binary";
+  }
+  return null;
+}
+function isSameFile(candidate, wrapperExecutablePath, candidateStat, wrapperStat) {
+  if (path2.resolve(candidate) === path2.resolve(wrapperExecutablePath)) {
+    return true;
+  }
+  return candidateStat.ino === wrapperStat.ino && candidateStat.dev === wrapperStat.dev;
+}
+
+// src/runtime/init/initialize-runtime.ts
+import os2 from "node:os";
+import path4 from "node:path";
+import {
+  copyFile,
+  cp,
+  mkdir as mkdir3,
+  readFile as readFile3,
+  stat as stat3,
+  writeFile as writeFile2
+} from "node:fs/promises";
+
+// src/accounts/account-registry.ts
+import { randomUUID } from "node:crypto";
+import { mkdir as mkdir2, readFile as readFile2, rename, rm, stat as stat2, writeFile } from "node:fs/promises";
+import path3 from "node:path";
+var REGISTRY_SCHEMA_VERSION = 1;
+function createAccountRegistry(input) {
+  return {
+    addAccount(details) {
+      return withRegistryMutation(input, "registry.add", async (document, now) => {
+        const normalizedLabel = normalizeLabel(details.label);
+        const duplicate = document.accounts.find(
+          (account) => account.label.toLowerCase() === normalizedLabel.toLowerCase()
+        );
+        if (duplicate) {
+          input.logger.warn("registry.duplicate_label", {
+            label: normalizedLabel,
+            existingAccountId: duplicate.id
+          });
+          throw new Error(`An account named "${normalizedLabel}" already exists.`);
+        }
+        const accountId = randomUUID();
+        const record = {
+          id: accountId,
+          label: normalizedLabel,
+          authDirectory: details.authDirectory ?? path3.join(input.accountRoot, accountId),
+          createdAt: now,
+          updatedAt: now,
+          lastUsedAt: null
+        };
+        document.accounts.push(record);
+        if (!document.defaultAccountId) {
+          document.defaultAccountId = record.id;
+        }
+        input.logger.info("registry.account_added", {
+          accountId: record.id,
+          label: record.label,
+          authDirectory: record.authDirectory,
+          defaultAccountId: document.defaultAccountId
+        });
+        return record;
+      });
+    },
+    async getDefaultAccount() {
+      const document = await readRegistryDocument(input);
+      const account = document.defaultAccountId ? document.accounts.find((entry) => entry.id === document.defaultAccountId) ?? null : null;
+      input.logger.debug("registry.default_loaded", {
+        defaultAccountId: document.defaultAccountId,
+        resolvedAccountId: account?.id ?? null
+      });
+      return account;
+    },
+    async listAccounts() {
+      const document = await readRegistryDocument(input);
+      input.logger.debug("registry.list_loaded", {
+        accountCount: document.accounts.length,
+        defaultAccountId: document.defaultAccountId
+      });
+      return [...document.accounts];
+    },
+    removeAccount(accountId) {
+      return withRegistryMutation(input, "registry.remove", async (document, now) => {
+        const record = document.accounts.find((account) => account.id === accountId);
+        if (!record) {
+          input.logger.warn("registry.remove_missing", { accountId });
+          throw new Error(`Account "${accountId}" was not found.`);
+        }
+        document.accounts = document.accounts.filter((account) => account.id !== accountId);
+        if (document.defaultAccountId === accountId) {
+          document.defaultAccountId = document.accounts[0]?.id ?? null;
+        }
+        record.updatedAt = now;
+        input.logger.info("registry.account_removed", {
+          accountId,
+          nextDefaultAccountId: document.defaultAccountId
+        });
+        return record;
+      });
+    },
+    selectAccount(accountId) {
+      return withRegistryMutation(input, "registry.select", async (document, now) => {
+        const record = document.accounts.find((account) => account.id === accountId);
+        if (!record) {
+          input.logger.warn("registry.select_missing", { accountId });
+          throw new Error(`Account "${accountId}" was not found.`);
+        }
+        document.defaultAccountId = record.id;
+        record.updatedAt = now;
+        record.lastUsedAt = now;
+        input.logger.info("registry.account_selected", {
+          accountId,
+          label: record.label
+        });
+        return record;
+      });
+    }
+  };
+}
+async function withRegistryMutation(input, operation, mutate) {
+  await mkdir2(input.accountRoot, { recursive: true });
+  await mkdir2(path3.dirname(input.registryFile), { recursive: true });
+  const document = await readRegistryDocument(input);
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  input.logger.debug(`${operation}.start`, {
+    registryFile: input.registryFile,
+    accountRoot: input.accountRoot,
+    accountCount: document.accounts.length
+  });
+  const result = await mutate(document, now);
+  await persistRegistryDocument(input, document);
+  input.logger.debug(`${operation}.complete`, {
+    registryFile: input.registryFile,
+    accountCount: document.accounts.length,
+    defaultAccountId: document.defaultAccountId
+  });
+  return result;
+}
+async function readRegistryDocument(input) {
+  await mkdir2(input.accountRoot, { recursive: true });
+  await mkdir2(path3.dirname(input.registryFile), { recursive: true });
+  try {
+    const raw = await readFile2(input.registryFile, "utf8");
+    const parsed = JSON.parse(raw);
+    const migrated = migrateRegistryDocument(parsed, input.logger, input.registryFile);
+    input.logger.debug("registry.read_success", {
+      registryFile: input.registryFile,
+      schemaVersion: migrated.schemaVersion,
+      accountCount: migrated.accounts.length
+    });
+    return migrated;
+  } catch (error) {
+    if (isFileMissing(error)) {
+      const emptyDocument2 = createEmptyRegistryDocument();
+      input.logger.info("registry.read_missing", {
+        registryFile: input.registryFile,
+        action: "create_empty_registry"
+      });
+      await persistRegistryDocument(input, emptyDocument2);
+      return emptyDocument2;
+    }
+    const normalized = normalizeUnknownError(error);
+    const corruptionBackupPath = `${input.registryFile}.corrupt-${Date.now()}`;
+    input.logger.warn("registry.read_corrupt", {
+      registryFile: input.registryFile,
+      corruptionBackupPath,
+      message: normalized.message
+    });
+    await rename(input.registryFile, corruptionBackupPath).catch(() => void 0);
+    const emptyDocument = createEmptyRegistryDocument();
+    await persistRegistryDocument(input, emptyDocument);
+    return emptyDocument;
+  }
+}
+async function persistRegistryDocument(input, document) {
+  const tempFile = `${input.registryFile}.tmp`;
+  const serialized = JSON.stringify(document, null, 2);
+  await writeFile(tempFile, serialized, "utf8");
+  await rename(tempFile, input.registryFile);
+  input.logger.debug("registry.write_success", {
+    registryFile: input.registryFile,
+    bytes: Buffer.byteLength(serialized, "utf8"),
+    schemaVersion: document.schemaVersion,
+    defaultAccountId: document.defaultAccountId
+  });
+}
+function migrateRegistryDocument(value, logger, registryFile) {
+  if (!isObject(value)) {
+    throw new Error("Registry document is not a JSON object.");
+  }
+  const schemaVersion = typeof value.schemaVersion === "number" ? value.schemaVersion : 0;
+  logger.debug("registry.migration_check", {
+    registryFile,
+    schemaVersion,
+    targetSchemaVersion: REGISTRY_SCHEMA_VERSION
+  });
+  if (schemaVersion > REGISTRY_SCHEMA_VERSION) {
+    throw new Error(
+      `Registry schema ${schemaVersion} is newer than supported schema ${REGISTRY_SCHEMA_VERSION}.`
+    );
+  }
+  if (schemaVersion === REGISTRY_SCHEMA_VERSION) {
+    return normalizeRegistryDocument(value);
+  }
+  if (schemaVersion === 0) {
+    const migrated = normalizeRegistryDocument({
+      schemaVersion: REGISTRY_SCHEMA_VERSION,
+      defaultAccountId: value.defaultAccountId ?? null,
+      accounts: value.accounts ?? []
+    });
+    logger.info("registry.migration_applied", {
+      registryFile,
+      fromSchemaVersion: 0,
+      toSchemaVersion: REGISTRY_SCHEMA_VERSION
+    });
+    return migrated;
+  }
+  throw new Error(`Unsupported registry schema version ${schemaVersion}.`);
+}
+function normalizeRegistryDocument(value) {
+  const accounts = Array.isArray(value.accounts) ? value.accounts.map(normalizeAccountRecord) : [];
+  const defaultAccountId = typeof value.defaultAccountId === "string" ? value.defaultAccountId : null;
+  return {
+    schemaVersion: REGISTRY_SCHEMA_VERSION,
+    defaultAccountId: defaultAccountId && accounts.some((account) => account.id === defaultAccountId) ? defaultAccountId : accounts[0]?.id ?? null,
+    accounts
+  };
+}
+function normalizeAccountRecord(value) {
+  if (!isObject(value)) {
+    throw new Error("Account record is not an object.");
+  }
+  const id = typeof value.id === "string" ? value.id : randomUUID();
+  const createdAt = typeof value.createdAt === "string" ? value.createdAt : (/* @__PURE__ */ new Date(0)).toISOString();
+  const updatedAt = typeof value.updatedAt === "string" ? value.updatedAt : createdAt;
+  return {
+    id,
+    label: normalizeLabel(typeof value.label === "string" ? value.label : id),
+    authDirectory: typeof value.authDirectory === "string" ? value.authDirectory : path3.join("accounts", id),
+    createdAt,
+    updatedAt,
+    lastUsedAt: typeof value.lastUsedAt === "string" ? value.lastUsedAt : null
+  };
+}
+function createEmptyRegistryDocument() {
+  return {
+    schemaVersion: REGISTRY_SCHEMA_VERSION,
+    defaultAccountId: null,
+    accounts: []
+  };
+}
+function normalizeLabel(label) {
+  const normalized = label.trim();
+  if (!normalized) {
+    throw new Error("Account label cannot be empty.");
+  }
+  return normalized;
+}
+function isObject(value) {
+  return typeof value === "object" && value !== null;
+}
+function isFileMissing(error) {
+  return typeof error === "object" && error !== null && "code" in error && error.code === "ENOENT";
+}
+function normalizeUnknownError(error) {
+  if (error instanceof Error) {
+    return { message: error.message };
+  }
+  return { message: String(error) };
+}
+
+// src/runtime/init/initialize-runtime.ts
+async function initializeRuntimeEnvironment(input) {
+  const legacyCodexHome = path4.join(os2.homedir(), ".codex");
+  const firstRun = !await pathExists(input.paths.sharedCodexHome);
+  const createdDirectories = [];
+  const createdFiles = [];
+  const copiedSharedArtifacts = [];
+  const skippedArtifacts = [];
+  input.logger.info("runtime_init.start", {
+    dataRoot: input.paths.dataRoot,
+    sharedCodexHome: input.paths.sharedCodexHome,
+    legacyCodexHome,
+    firstRun
+  });
+  for (const directory of [
+    input.paths.dataRoot,
+    input.paths.sharedCodexHome,
+    input.paths.accountRoot,
+    input.paths.runtimeRoot,
+    path4.join(input.paths.runtimeRoot, "backups"),
+    path4.join(input.paths.runtimeRoot, "tmp"),
+    path4.dirname(input.paths.registryFile)
+  ]) {
+    if (!await pathExists(directory)) {
+      createdDirectories.push(directory);
+      input.logger.info("runtime_init.directory_create", { directory });
+    } else {
+      input.logger.debug("runtime_init.directory_exists", { directory });
+    }
+    await mkdir3(directory, { recursive: true });
+  }
+  const configResult = await ensureSharedConfigToml({
+    legacyCodexHome,
+    logger: input.logger,
+    sharedCodexHome: input.paths.sharedCodexHome
+  });
+  createdFiles.push(...configResult.createdFiles);
+  copiedSharedArtifacts.push(...configResult.copiedArtifacts);
+  skippedArtifacts.push(...configResult.skippedArtifacts);
+  const mcpResult = await ensureSharedFileCopy({
+    artifactName: "mcp.json",
+    logger: input.logger,
+    sharedCodexHome: input.paths.sharedCodexHome,
+    sourceCodexHome: legacyCodexHome
+  });
+  createdFiles.push(...mcpResult.createdFiles);
+  copiedSharedArtifacts.push(...mcpResult.copiedArtifacts);
+  skippedArtifacts.push(...mcpResult.skippedArtifacts);
+  const trustResult = await ensureSharedDirectoryCopy({
+    artifactName: "trust",
+    logger: input.logger,
+    sharedCodexHome: input.paths.sharedCodexHome,
+    sourceCodexHome: legacyCodexHome
+  });
+  copiedSharedArtifacts.push(...trustResult.copiedArtifacts);
+  skippedArtifacts.push(...trustResult.skippedArtifacts);
+  const registry = createAccountRegistry({
+    accountRoot: input.paths.accountRoot,
+    logger: input.logger,
+    registryFile: input.paths.registryFile
+  });
+  if (!await pathExists(input.paths.registryFile)) {
+    createdFiles.push(input.paths.registryFile);
+    input.logger.info("runtime_init.registry_bootstrap", {
+      registryFile: input.paths.registryFile
+    });
+  } else {
+    input.logger.debug("runtime_init.registry_exists", {
+      registryFile: input.paths.registryFile
+    });
+  }
+  await registry.listAccounts();
+  const result = {
+    firstRun,
+    legacyCodexHome,
+    sharedCodexHome: input.paths.sharedCodexHome,
+    createdDirectories,
+    createdFiles,
+    copiedSharedArtifacts,
+    skippedArtifacts
+  };
+  input.logger.info("runtime_init.complete", {
+    firstRun: result.firstRun,
+    createdDirectories: result.createdDirectories,
+    createdFiles: result.createdFiles,
+    copiedSharedArtifacts: result.copiedSharedArtifacts,
+    skippedArtifacts: result.skippedArtifacts
+  });
+  return result;
+}
+async function ensureSharedConfigToml(input) {
+  const targetPath = path4.join(input.sharedCodexHome, "config.toml");
+  const sourcePath = path4.join(input.legacyCodexHome, "config.toml");
+  if (await pathExists(targetPath)) {
+    const existingConfig = await readFile3(targetPath, "utf8");
+    const existingMode = detectCredentialStoreMode2(existingConfig);
+    input.logger.debug("runtime_init.config_exists", {
+      targetPath,
+      credentialStoreMode: existingMode
+    });
+    if (existingMode === "missing") {
+      await writeFile2(targetPath, pinFileCredentialStore(existingConfig), "utf8");
+      input.logger.info("runtime_init.config_file_mode_pinned", {
+        targetPath
+      });
+    } else if (existingMode !== "file") {
+      input.logger.warn("runtime_init.config_mode_unsupported", {
+        targetPath,
+        credentialStoreMode: existingMode
+      });
+    }
+    return emptyArtifactResult();
+  }
+  if (await pathExists(sourcePath) && !samePath(sourcePath, targetPath)) {
+    const sourceConfig = await readFile3(sourcePath, "utf8");
+    const pinnedConfig = pinFileCredentialStore(sourceConfig);
+    await writeFile2(targetPath, pinnedConfig, "utf8");
+    input.logger.info("runtime_init.config_imported", {
+      sourcePath,
+      targetPath,
+      sourceCredentialStoreMode: detectCredentialStoreMode2(sourceConfig),
+      targetCredentialStoreMode: detectCredentialStoreMode2(pinnedConfig)
+    });
+    return {
+      copiedArtifacts: ["config.toml"],
+      createdFiles: [targetPath],
+      skippedArtifacts: []
+    };
+  }
+  await writeFile2(
+    targetPath,
+    [
+      'cli_auth_credentials_store = "file"',
+      "",
+      "# Wrapper-owned shared Codex home for codexes.",
+      "# Add MCP and trust configuration here as needed.",
+      ""
+    ].join("\n"),
+    "utf8"
+  );
+  input.logger.info("runtime_init.config_created", {
+    targetPath
+  });
+  return {
+    copiedArtifacts: [],
+    createdFiles: [targetPath],
+    skippedArtifacts: []
+  };
+}
+async function ensureSharedFileCopy(input) {
+  const targetPath = path4.join(input.sharedCodexHome, input.artifactName);
+  const sourcePath = path4.join(input.sourceCodexHome, input.artifactName);
+  if (await pathExists(targetPath)) {
+    input.logger.debug("runtime_init.file_exists", {
+      artifactName: input.artifactName,
+      targetPath
+    });
+    return emptyArtifactResult();
+  }
+  if (!await pathExists(sourcePath) || samePath(sourcePath, targetPath)) {
+    input.logger.debug("runtime_init.file_skip", {
+      artifactName: input.artifactName,
+      sourcePath,
+      targetPath,
+      reason: "source_missing_or_same_path"
+    });
+    return {
+      copiedArtifacts: [],
+      createdFiles: [],
+      skippedArtifacts: [
+        {
+          path: input.artifactName,
+          reason: "source_missing_or_same_path"
+        }
+      ]
+    };
+  }
+  await copyFile(sourcePath, targetPath);
+  input.logger.info("runtime_init.file_copied", {
+    artifactName: input.artifactName,
+    sourcePath,
+    targetPath
+  });
+  return {
+    copiedArtifacts: [input.artifactName],
+    createdFiles: [targetPath],
+    skippedArtifacts: []
+  };
+}
+async function ensureSharedDirectoryCopy(input) {
+  const targetPath = path4.join(input.sharedCodexHome, input.artifactName);
+  const sourcePath = path4.join(input.sourceCodexHome, input.artifactName);
+  if (await pathExists(targetPath)) {
+    input.logger.debug("runtime_init.directory_artifact_exists", {
+      artifactName: input.artifactName,
+      targetPath
+    });
+    return emptyArtifactResult();
+  }
+  if (!await pathExists(sourcePath) || samePath(sourcePath, targetPath)) {
+    input.logger.debug("runtime_init.directory_artifact_skip", {
+      artifactName: input.artifactName,
+      sourcePath,
+      targetPath,
+      reason: "source_missing_or_same_path"
+    });
+    return {
+      copiedArtifacts: [],
+      createdFiles: [],
+      skippedArtifacts: [
+        {
+          path: input.artifactName,
+          reason: "source_missing_or_same_path"
+        }
+      ]
+    };
+  }
+  await cp(sourcePath, targetPath, { recursive: true });
+  input.logger.info("runtime_init.directory_artifact_copied", {
+    artifactName: input.artifactName,
+    sourcePath,
+    targetPath
+  });
+  return {
+    copiedArtifacts: [input.artifactName],
+    createdFiles: [],
+    skippedArtifacts: []
+  };
+}
+function detectCredentialStoreMode2(rawConfig) {
+  const match = rawConfig.match(/^\s*cli_auth_credentials_store\s*=\s*"([^"]+)"/m);
+  return match?.[1]?.trim().toLowerCase() ?? "missing";
+}
+function pinFileCredentialStore(rawConfig) {
+  if (/^\s*cli_auth_credentials_store\s*=\s*"file"/m.test(rawConfig)) {
+    return rawConfig;
+  }
+  if (/^\s*cli_auth_credentials_store\s*=\s*"[^"]+"/m.test(rawConfig)) {
+    return rawConfig.replace(
+      /^\s*cli_auth_credentials_store\s*=\s*"[^"]+"/m,
+      'cli_auth_credentials_store = "file"'
+    );
+  }
+  const trimmed = rawConfig.trim();
+  if (!trimmed) {
+    return 'cli_auth_credentials_store = "file"\n';
+  }
+  return ['cli_auth_credentials_store = "file"', "", trimmed, ""].join("\n");
+}
+function samePath(left, right) {
+  return path4.resolve(left) === path4.resolve(right);
+}
+async function pathExists(targetPath) {
+  try {
+    await stat3(targetPath);
+    return true;
+  } catch (error) {
+    if (typeof error === "object" && error !== null && "code" in error && error.code === "ENOENT") {
+      return false;
+    }
+    throw error;
+  }
+}
+function emptyArtifactResult() {
+  return {
+    copiedArtifacts: [],
+    createdFiles: [],
+    skippedArtifacts: []
+  };
+}
+
+// src/core/context.ts
+async function buildAppContext(argv, io) {
+  const logLevel = resolveLogLevel(io.env.LOG_LEVEL);
+  const sink = createLogSink(io.stderr);
+  const paths = resolvePaths(io.cwd, io.env);
+  const runtimeInitialization = await initializeRuntimeEnvironment({
+    env: io.env,
+    logger: createLogger({
+      level: logLevel,
+      name: "runtime",
+      sink
+    }),
+    paths
+  });
+  const wrapperConfig = await resolveWrapperConfig({
+    env: io.env,
+    logger: createLogger({
+      level: logLevel,
+      name: "config",
+      sink
+    }),
+    paths
+  });
+  const codexBinary = await findCodexBinary({
+    env: io.env,
+    logger: createLogger({
+      level: logLevel,
+      name: "process",
+      sink
+    }),
+    wrapperExecutablePath: io.executablePath
+  });
+  createLogger({
+    level: logLevel,
+    name: "context",
+    sink
+  }).debug("initialized", {
+    argv,
+    cwd: io.cwd,
+    logLevel,
+    paths,
+    runtimeInitialization,
+    wrapperConfig,
+    codexBinary
+  });
+  return {
+    argv,
+    executablePath: io.executablePath,
+    environment: {
+      cwd: io.cwd,
+      platform: process.platform,
+      runtime: process.version
+    },
+    io: {
+      stdout: io.stdout,
+      stderr: io.stderr
+    },
+    logging: {
+      level: logLevel,
+      sink
+    },
+    paths,
+    runtimeInitialization,
+    wrapperConfig,
+    codexBinary
+  };
+}
+
+// src/runtime/runtime-contract.ts
+import path5 from "node:path";
+function createRuntimeContract(input) {
+  const contract = {
+    credentialStoreMode: input.credentialStoreMode,
+    sharedCodexHome: input.sharedCodexHome,
+    runtimeRoot: input.runtimeRoot,
+    perAccountRoot: input.accountRoot,
+    supported: input.credentialStoreMode === "file",
+    fileRules: [
+      createRule("config.toml", "shared", "never", "Shared CLI behavior and MCP config should remain common."),
+      createRule("mcp.json", "shared", "never", "MCP topology is shared across accounts."),
+      createRule("trust/**", "shared", "never", "Trust metadata should not be overwritten per account."),
+      createRule(
+        "auth.json",
+        "account",
+        "if-changed",
+        "Windows probe evidence shows auth.json is sufficient for `codex login status`, so it belongs to the active account profile."
+      ),
+      createRule(
+        "sessions/**",
+        "account",
+        "if-changed",
+        "Session refresh artifacts are still treated as account-scoped until a real token-refresh probe proves otherwise."
+      ),
+      createRule("cache/**", "ephemeral", "never", "Transient caches should be recreated instead of copied."),
+      createRule("logs/**", "ephemeral", "never", "Runtime logs are diagnostic and should not sync back."),
+      createRule("history.jsonl", "ephemeral", "never", "Conversation history should stay local to each runtime session."),
+      createRule("models_cache.json", "ephemeral", "never", "Model cache data can be rebuilt and should not drive account switching."),
+      createRule("tmp/**", "ephemeral", "never", "Temporary files should be discarded after each run."),
+      createRule(
+        "state_*.sqlite*",
+        "protected",
+        "never",
+        "Observed SQLite runtime state exists in the live Codex home and remains unproven for cross-account merge or sync-back."
+      ),
+      createRule(
+        "logs_*.sqlite*",
+        "protected",
+        "never",
+        "SQLite-backed log databases should stay isolated until a dedicated write-heavy probe proves they are safe to discard or share."
+      ),
+      createRule("keyring/**", "protected", "never", "External credential stores are explicitly unsupported for MVP.")
+    ],
+    syncBackStrategy: {
+      whenChildProcessSucceeds: "Compare allowed account-classified files and sync only changed files back to the owning account profile.",
+      whenChildProcessFails: "Restore pre-launch runtime state and avoid syncing ambiguous mutations unless the failure is known-safe.",
+      compareStrategy: "Use file existence, modified time, and content hash checks before any sync-back write."
+    }
+  };
+  input.logger.info("runtime.contract_created", {
+    sharedCodexHome: contract.sharedCodexHome,
+    runtimeRoot: contract.runtimeRoot,
+    perAccountRoot: contract.perAccountRoot,
+    credentialStoreMode: contract.credentialStoreMode,
+    supported: contract.supported
+  });
+  input.logger.debug("runtime.file_rules", {
+    fileRules: contract.fileRules,
+    syncBackStrategy: contract.syncBackStrategy
+  });
+  return contract;
+}
+function resolveAccountRuntimePaths(contract, accountId) {
+  const accountDirectory = path5.join(contract.perAccountRoot, accountId);
+  return {
+    accountDirectory,
+    accountStateDirectory: path5.join(accountDirectory, "state"),
+    accountMetadataFile: path5.join(accountDirectory, "account.json"),
+    runtimeBackupDirectory: path5.join(contract.runtimeRoot, "backups", accountId),
+    runtimeTempDirectory: path5.join(contract.runtimeRoot, "tmp", accountId)
+  };
+}
+function summarizeRuntimeContract(contract) {
+  return {
+    supported: contract.supported,
+    credentialStoreMode: contract.credentialStoreMode,
+    sharedCodexHome: contract.sharedCodexHome,
+    runtimeRoot: contract.runtimeRoot,
+    perAccountRoot: contract.perAccountRoot,
+    classifications: contract.fileRules.reduce(
+      (accumulator, rule) => {
+        accumulator[rule.classification] += 1;
+        return accumulator;
+      },
+      {
+        shared: 0,
+        account: 0,
+        ephemeral: 0,
+        protected: 0
+      }
+    )
+  };
+}
+function createRule(pathPattern, classification, syncBack, reason) {
+  return {
+    pathPattern,
+    classification,
+    syncBack,
+    reason
+  };
+}
+
+// src/commands/account-add/run-account-add-command.ts
+import { mkdir as mkdir5, readFile as readFile5, rm as rm2, writeFile as writeFile4 } from "node:fs/promises";
+import path8 from "node:path";
+
+// src/runtime/login-workspace.ts
+import { copyFile as copyFile2, cp as cp2, mkdir as mkdir4, mkdtemp, readFile as readFile4, stat as stat4, writeFile as writeFile3 } from "node:fs/promises";
+import path6 from "node:path";
+async function prepareLoginWorkspace(input) {
+  const workspaceParent = path6.join(input.runtimeRoot, "tmp");
+  await mkdir4(workspaceParent, { recursive: true });
+  const workspaceRoot = await mkdtemp(path6.join(workspaceParent, "account-add-"));
+  const codexHome = path6.join(workspaceRoot, "codex-home");
+  await mkdir4(codexHome, { recursive: true });
+  input.logger.info("login_workspace.created", {
+    workspaceRoot,
+    codexHome,
+    sharedCodexHome: input.sharedCodexHome
+  });
+  await ensurePinnedFileConfig({
+    codexHome,
+    logger: input.logger,
+    sharedCodexHome: input.sharedCodexHome
+  });
+  await copySharedArtifactIfPresent({
+    artifactName: "mcp.json",
+    codexHome,
+    logger: input.logger,
+    sharedCodexHome: input.sharedCodexHome
+  });
+  await copySharedDirectoryIfPresent({
+    artifactName: "trust",
+    codexHome,
+    logger: input.logger,
+    sharedCodexHome: input.sharedCodexHome
+  });
+  await mkdir4(path6.join(codexHome, "sessions"), { recursive: true });
+  return { workspaceRoot, codexHome };
+}
+async function copyAccountScopedAuthArtifacts(input) {
+  const accountRules = input.runtimeContract.fileRules.filter(
+    (rule) => rule.classification === "account"
+  );
+  input.logger.info("login_workspace.copy_account_artifacts.start", {
+    accountId: input.accountId,
+    destinationRoot: input.destinationRoot,
+    sourceCodexHome: input.sourceCodexHome,
+    allowedPatterns: accountRules.map((rule) => rule.pathPattern)
+  });
+  await mkdir4(input.destinationRoot, { recursive: true });
+  for (const rule of accountRules) {
+    await copyRuleArtifacts({
+      destinationRoot: input.destinationRoot,
+      logger: input.logger,
+      rule,
+      sourceCodexHome: input.sourceCodexHome
+    });
+  }
+  input.logger.info("login_workspace.copy_account_artifacts.complete", {
+    accountId: input.accountId,
+    destinationRoot: input.destinationRoot
+  });
+}
+async function ensurePinnedFileConfig(input) {
+  const sourceConfigPath = path6.join(input.sharedCodexHome, "config.toml");
+  const targetConfigPath = path6.join(input.codexHome, "config.toml");
+  const configContents = await readFile4(sourceConfigPath, "utf8").catch(() => "");
+  const pinnedConfig = pinFileCredentialStore2(configContents);
+  await writeFile3(targetConfigPath, pinnedConfig, "utf8");
+  input.logger.info("login_workspace.config_prepared", {
+    sourceConfigPath,
+    targetConfigPath,
+    credentialStoreMode: "file"
+  });
+}
+async function copySharedArtifactIfPresent(input) {
+  const sourcePath = path6.join(input.sharedCodexHome, input.artifactName);
+  const targetPath = path6.join(input.codexHome, input.artifactName);
+  if (!await pathExists2(sourcePath)) {
+    input.logger.debug("login_workspace.shared_file_skipped", {
+      artifactName: input.artifactName,
+      sourcePath,
+      reason: "missing"
+    });
+    return;
+  }
+  await copyFile2(sourcePath, targetPath);
+  input.logger.debug("login_workspace.shared_file_copied", {
+    artifactName: input.artifactName,
+    sourcePath,
+    targetPath
+  });
+}
+async function copySharedDirectoryIfPresent(input) {
+  const sourcePath = path6.join(input.sharedCodexHome, input.artifactName);
+  const targetPath = path6.join(input.codexHome, input.artifactName);
+  if (!await pathExists2(sourcePath)) {
+    input.logger.debug("login_workspace.shared_directory_skipped", {
+      artifactName: input.artifactName,
+      sourcePath,
+      reason: "missing"
+    });
+    return;
+  }
+  await cp2(sourcePath, targetPath, { recursive: true });
+  input.logger.debug("login_workspace.shared_directory_copied", {
+    artifactName: input.artifactName,
+    sourcePath,
+    targetPath
+  });
+}
+async function copyRuleArtifacts(input) {
+  if (input.rule.pathPattern.endsWith("/**")) {
+    const relativeDirectory = input.rule.pathPattern.slice(0, -3);
+    const sourceDirectory = path6.join(input.sourceCodexHome, relativeDirectory);
+    const targetDirectory = path6.join(input.destinationRoot, relativeDirectory);
+    if (!await pathExists2(sourceDirectory)) {
+      input.logger.debug("login_workspace.account_directory_skipped", {
+        pathPattern: input.rule.pathPattern,
+        sourceDirectory,
+        reason: "missing"
+      });
+      return;
+    }
+    await cp2(sourceDirectory, targetDirectory, { recursive: true });
+    input.logger.debug("login_workspace.account_directory_copied", {
+      pathPattern: input.rule.pathPattern,
+      sourceDirectory,
+      targetDirectory
+    });
+    return;
+  }
+  const sourceFile = path6.join(input.sourceCodexHome, input.rule.pathPattern);
+  const targetFile = path6.join(input.destinationRoot, input.rule.pathPattern);
+  if (!await pathExists2(sourceFile)) {
+    input.logger.debug("login_workspace.account_file_skipped", {
+      pathPattern: input.rule.pathPattern,
+      sourceFile,
+      reason: "missing"
+    });
+    return;
+  }
+  await mkdir4(path6.dirname(targetFile), { recursive: true });
+  await copyFile2(sourceFile, targetFile);
+  input.logger.debug("login_workspace.account_file_copied", {
+    pathPattern: input.rule.pathPattern,
+    sourceFile,
+    targetFile
+  });
+}
+function pinFileCredentialStore2(rawConfig) {
+  if (/^\s*cli_auth_credentials_store\s*=\s*"file"/m.test(rawConfig)) {
+    return rawConfig;
+  }
+  if (/^\s*cli_auth_credentials_store\s*=\s*"[^"]+"/m.test(rawConfig)) {
+    return rawConfig.replace(
+      /^\s*cli_auth_credentials_store\s*=\s*"[^"]+"/m,
+      'cli_auth_credentials_store = "file"'
+    );
+  }
+  const trimmed = rawConfig.trim();
+  if (!trimmed) {
+    return 'cli_auth_credentials_store = "file"\n';
+  }
+  return ['cli_auth_credentials_store = "file"', "", trimmed, ""].join("\n");
+}
+async function pathExists2(targetPath) {
+  try {
+    await stat4(targetPath);
+    return true;
+  } catch (error) {
+    if (typeof error === "object" && error !== null && "code" in error && error.code === "ENOENT") {
+      return false;
+    }
+    throw error;
+  }
+}
+
+// src/process/run-codex-login.ts
+import { spawn } from "node:child_process";
+
+// src/process/codex-launch-spec.ts
+import { access as access2 } from "node:fs/promises";
+import path7 from "node:path";
+async function resolveCodexLaunchSpec(codexBinaryPath, args) {
+  if (process.platform !== "win32") {
+    return {
+      command: codexBinaryPath,
+      args
+    };
+  }
+  const npmShim = await resolveNpmCodexShim(codexBinaryPath);
+  if (npmShim) {
+    return {
+      command: npmShim.nodeBinary,
+      args: [npmShim.codexScript, ...args]
+    };
+  }
+  if (/\.(cmd|bat)$/i.test(codexBinaryPath)) {
+    return {
+      command: process.env.ComSpec ?? "cmd.exe",
+      args: ["/d", "/s", "/c", buildCmdInvocation(codexBinaryPath, args)]
+    };
+  }
+  if (/\.ps1$/i.test(codexBinaryPath)) {
+    return {
+      command: process.env.ComSpec ? "powershell.exe" : "pwsh",
+      args: [
+        "-NoProfile",
+        "-ExecutionPolicy",
+        "Bypass",
+        "-File",
+        codexBinaryPath,
+        ...args
+      ]
+    };
+  }
+  return {
+    command: codexBinaryPath,
+    args
+  };
+}
+function buildCmdInvocation(binaryPath, args) {
+  return [quoteForCmd(binaryPath), ...args.map(quoteForCmd)].join(" ");
+}
+function quoteForCmd(value) {
+  if (value.length === 0) {
+    return '""';
+  }
+  if (!/[\s"]/u.test(value)) {
+    return value;
+  }
+  return `"${value.replace(/"/g, '""')}"`;
+}
+async function resolveNpmCodexShim(codexBinaryPath) {
+  const basename = path7.basename(codexBinaryPath).toLowerCase();
+  if (!["codex", "codex.cmd", "codex.bat", "codex.ps1"].includes(basename)) {
+    return null;
+  }
+  const directory = path7.dirname(codexBinaryPath);
+  const codexScript = path7.join(directory, "node_modules", "@openai", "codex", "bin", "codex.js");
+  if (!await pathExists3(codexScript)) {
+    return null;
+  }
+  const bundledNode = path7.join(directory, "node.exe");
+  return {
+    codexScript,
+    nodeBinary: await pathExists3(bundledNode) ? bundledNode : "node"
+  };
+}
+async function pathExists3(filePath) {
+  try {
+    await access2(filePath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+// src/process/run-codex-login.ts
+async function runInteractiveCodexLogin(input) {
+  const launchSpec = await resolveCodexLaunchSpec(input.codexBinaryPath, ["login"]);
+  input.logger.info("login.spawn.start", {
+    codexBinaryPath: input.codexBinaryPath,
+    resolvedCommand: launchSpec.command,
+    codexHome: input.codexHome,
+    argv: launchSpec.args,
+    timeoutMs: input.timeoutMs
+  });
+  return new Promise((resolve, reject) => {
+    const child = spawn(launchSpec.command, launchSpec.args, {
+      env: {
+        ...process.env,
+        CODEX_HOME: input.codexHome
+      },
+      shell: false,
+      stdio: "inherit",
+      windowsHide: false
+    });
+    let timedOut = false;
+    let cancelledBySignal = false;
+    let settled = false;
+    const timeoutHandle = setTimeout(() => {
+      timedOut = true;
+      input.logger.warn("login.spawn.timeout", {
+        codexBinaryPath: input.codexBinaryPath,
+        codexHome: input.codexHome,
+        timeoutMs: input.timeoutMs
+      });
+      terminateChild(child);
+    }, input.timeoutMs);
+    const forwardSignal = (signal) => {
+      cancelledBySignal = true;
+      input.logger.warn("login.spawn.parent_signal", {
+        signal,
+        pid: child.pid ?? null
+      });
+      child.kill(signal);
+    };
+    const signalHandlers = {
+      SIGINT: () => forwardSignal("SIGINT"),
+      SIGTERM: () => forwardSignal("SIGTERM")
+    };
+    process.on("SIGINT", signalHandlers.SIGINT);
+    process.on("SIGTERM", signalHandlers.SIGTERM);
+    const cleanup = () => {
+      clearTimeout(timeoutHandle);
+      process.off("SIGINT", signalHandlers.SIGINT);
+      process.off("SIGTERM", signalHandlers.SIGTERM);
+    };
+    child.on("error", (error) => {
+      if (settled) {
+        return;
+      }
+      settled = true;
+      cleanup();
+      input.logger.error("login.spawn.error", {
+        codexBinaryPath: input.codexBinaryPath,
+        codexHome: input.codexHome,
+        message: error.message
+      });
+      reject(error);
+    });
+    child.on("exit", (exitCode2, signal) => {
+      if (settled) {
+        return;
+      }
+      settled = true;
+      cleanup();
+      input.logger.info("login.spawn.complete", {
+        codexBinaryPath: input.codexBinaryPath,
+        codexHome: input.codexHome,
+        exitCode: exitCode2,
+        signal,
+        timedOut,
+        cancelledBySignal
+      });
+      resolve({
+        exitCode: exitCode2,
+        signal,
+        timedOut,
+        timeoutMs: input.timeoutMs,
+        cancelledBySignal
+      });
+    });
+  });
+}
+function terminateChild(child) {
+  if (process.platform === "win32") {
+    child.kill();
+    return;
+  }
+  child.kill("SIGTERM");
+}
+
+// src/commands/account-add/run-account-add-command.ts
+var DEFAULT_LOGIN_TIMEOUT_MS = 10 * 60 * 1e3;
+var ACCOUNT_METADATA_SCHEMA_VERSION = 1;
+async function runAccountAddCommand(context, argv) {
+  const logger = createLogger({
+    level: context.logging.level,
+    name: "account_add",
+    sink: context.logging.sink
+  });
+  if (argv.includes("--help")) {
+    context.io.stdout.write(`${buildAccountAddHelpText()}
+`);
+    logger.info("help.rendered");
+    return 0;
+  }
+  const parsed = parseAccountAddArgs(argv);
+  logger.info("command.start", {
+    requestedLabel: parsed.label,
+    timeoutMs: parsed.timeoutMs,
+    codexBinaryPath: context.codexBinary.path,
+    sharedCodexHome: context.paths.sharedCodexHome,
+    accountRoot: context.paths.accountRoot,
+    runtimeRoot: context.paths.runtimeRoot
+  });
+  if (!context.codexBinary.path) {
+    logger.error("command.binary_missing", {
+      candidates: context.codexBinary.candidates,
+      rejectedCandidates: context.codexBinary.rejectedCandidates
+    });
+    throw new Error("Could not find the real `codex` binary on PATH.");
+  }
+  if (context.wrapperConfig.credentialStoreMode !== "file") {
+    logger.error("command.unsupported_credential_store", {
+      credentialStoreMode: context.wrapperConfig.credentialStoreMode,
+      configFilePath: context.wrapperConfig.codexConfigFilePath,
+      reason: context.wrapperConfig.credentialStorePolicyReason
+    });
+    throw new Error(
+      `codexes account add requires cli_auth_credentials_store = "file"; detected ${context.wrapperConfig.credentialStoreMode}.`
+    );
+  }
+  const registry = createAccountRegistry({
+    accountRoot: context.paths.accountRoot,
+    logger,
+    registryFile: context.paths.registryFile
+  });
+  const existingAccounts = await registry.listAccounts();
+  const duplicate = existingAccounts.find(
+    (account) => account.label.toLowerCase() === parsed.label.toLowerCase()
+  );
+  if (duplicate) {
+    logger.warn("command.duplicate_label", {
+      requestedLabel: parsed.label,
+      existingAccountId: duplicate.id
+    });
+    throw new Error(`An account named "${parsed.label}" already exists.`);
+  }
+  const runtimeContract = createRuntimeContract({
+    accountRoot: context.paths.accountRoot,
+    credentialStoreMode: context.wrapperConfig.credentialStoreMode,
+    logger,
+    runtimeRoot: context.paths.runtimeRoot,
+    sharedCodexHome: context.paths.sharedCodexHome
+  });
+  const workspace = await prepareLoginWorkspace({
+    logger,
+    runtimeRoot: context.paths.runtimeRoot,
+    sharedCodexHome: context.paths.sharedCodexHome
+  });
+  let loginResult = null;
+  try {
+    loginResult = await runInteractiveCodexLogin({
+      codexBinaryPath: context.codexBinary.path,
+      codexHome: workspace.codexHome,
+      logger,
+      timeoutMs: parsed.timeoutMs
+    });
+    if (loginResult.exitCode !== 0) {
+      logger.warn("command.login_failed", {
+        exitCode: loginResult.exitCode,
+        signal: loginResult.signal,
+        timedOut: loginResult.timedOut,
+        timeoutMs: loginResult.timeoutMs,
+        cancelledBySignal: loginResult.cancelledBySignal
+      });
+      context.io.stderr.write(buildLoginFailureMessage(loginResult));
+      return loginResult.exitCode ?? 1;
+    }
+    const authSummary = await readAuthSummary(workspace.codexHome, logger);
+    if (!authSummary.present) {
+      logger.error("command.auth_missing_after_login", {
+        codexHome: workspace.codexHome
+      });
+      throw new Error(
+        "codex login completed without creating auth.json in the isolated workspace."
+      );
+    }
+    const account = await registry.addAccount({ label: parsed.label });
+    try {
+      const runtimePaths = resolveAccountRuntimePaths(runtimeContract, account.id);
+      await mkdir5(runtimePaths.accountDirectory, { recursive: true });
+      await copyAccountScopedAuthArtifacts({
+        accountId: account.id,
+        destinationRoot: runtimePaths.accountStateDirectory,
+        logger,
+        runtimeContract,
+        sourceCodexHome: workspace.codexHome
+      });
+      await writeAccountMetadata({
+        capturedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        destinationFile: runtimePaths.accountMetadataFile,
+        label: account.label,
+        logger,
+        recordId: account.id,
+        summary: authSummary
+      });
+      logger.info("command.complete", {
+        accountId: account.id,
+        label: account.label,
+        authDirectory: account.authDirectory,
+        authAccountId: authSummary.accountId
+      });
+      context.io.stdout.write(
+        [
+          `Added account "${account.label}"`,
+          `  id: ${account.id}`,
+          `  auth state: ${runtimePaths.accountStateDirectory}`,
+          authSummary.accountId ? `  auth account id: ${authSummary.accountId}` : null
+        ].filter((line) => Boolean(line)).join("\n") + "\n"
+      );
+      return 0;
+    } catch (error) {
+      logger.error("command.persist_failed", {
+        message: error instanceof Error ? error.message : String(error),
+        accountLabel: parsed.label
+      });
+      await cleanupFailedAccountRecord(registry, logger, parsed.label);
+      throw error;
+    }
+  } finally {
+    await cleanupWorkspace(workspace, logger, loginResult);
+  }
+}
+function parseAccountAddArgs(argv) {
+  let label = null;
+  let timeoutMs = DEFAULT_LOGIN_TIMEOUT_MS;
+  for (let index = 0; index < argv.length; index += 1) {
+    const token = argv[index];
+    if (!token) {
+      continue;
+    }
+    if (token === "--timeout-ms") {
+      const next = argv[index + 1];
+      if (!next) {
+        throw new Error("Expected a number after --timeout-ms.");
+      }
+      const parsedTimeout = Number.parseInt(next, 10);
+      if (!Number.isFinite(parsedTimeout) || parsedTimeout <= 0) {
+        throw new Error(`Invalid timeout: ${next}`);
+      }
+      timeoutMs = parsedTimeout;
+      index += 1;
+      continue;
+    }
+    if (token.startsWith("--timeout-ms=")) {
+      const raw = token.slice("--timeout-ms=".length);
+      const parsedTimeout = Number.parseInt(raw, 10);
+      if (!Number.isFinite(parsedTimeout) || parsedTimeout <= 0) {
+        throw new Error(`Invalid timeout: ${raw}`);
+      }
+      timeoutMs = parsedTimeout;
+      continue;
+    }
+    if (token.startsWith("--")) {
+      throw new Error(`Unknown option for account add: ${token}`);
+    }
+    if (label) {
+      throw new Error(`Unexpected argument for account add: ${token}`);
+    }
+    label = token.trim();
+  }
+  if (!label) {
+    throw new Error(buildAccountAddHelpText());
+  }
+  return { label, timeoutMs };
+}
+function buildAccountAddHelpText() {
+  return [
+    "Usage:",
+    "  codexes account add <label> [--timeout-ms <milliseconds>]",
+    "",
+    "Examples:",
+    "  codexes account add work",
+    "  codexes account add personal --timeout-ms 900000"
+  ].join("\n");
+}
+async function readAuthSummary(codexHome, logger) {
+  const authFile = path8.join(codexHome, "auth.json");
+  try {
+    const raw = await readFile5(authFile, "utf8");
+    const parsed = JSON.parse(raw);
+    const tokens = typeof parsed.tokens === "object" && parsed.tokens !== null ? parsed.tokens : null;
+    const summary = {
+      present: true,
+      authMode: typeof parsed.auth_mode === "string" ? parsed.auth_mode : null,
+      accountId: typeof tokens?.account_id === "string" ? tokens.account_id : null,
+      lastRefresh: typeof parsed.last_refresh === "string" ? parsed.last_refresh : null
+    };
+    logger.debug("auth_summary.loaded", {
+      authFile,
+      authMode: summary.authMode,
+      accountId: summary.accountId,
+      lastRefresh: summary.lastRefresh
+    });
+    return summary;
+  } catch (error) {
+    if (typeof error === "object" && error !== null && "code" in error && error.code === "ENOENT") {
+      logger.warn("auth_summary.missing", { authFile });
+      return {
+        present: false,
+        authMode: null,
+        accountId: null,
+        lastRefresh: null
+      };
+    }
+    logger.error("auth_summary.failed", {
+      authFile,
+      message: error instanceof Error ? error.message : String(error)
+    });
+    throw error;
+  }
+}
+async function writeAccountMetadata(input) {
+  const metadata = {
+    schemaVersion: ACCOUNT_METADATA_SCHEMA_VERSION,
+    accountId: input.recordId,
+    label: input.label,
+    capturedAt: input.capturedAt,
+    authMode: input.summary.authMode,
+    authAccountId: input.summary.accountId,
+    lastRefresh: input.summary.lastRefresh,
+    loginStatus: "succeeded"
+  };
+  await writeFile4(input.destinationFile, JSON.stringify(metadata, null, 2), "utf8");
+  input.logger.info("account_metadata.written", {
+    destinationFile: input.destinationFile,
+    accountId: metadata.accountId,
+    authAccountId: metadata.authAccountId
+  });
+}
+async function cleanupFailedAccountRecord(registry, logger, label) {
+  const accounts = await registry.listAccounts();
+  const account = [...accounts].reverse().find((entry) => entry.label.toLowerCase() === label.toLowerCase());
+  if (!account) {
+    return;
+  }
+  await registry.removeAccount(account.id).catch(() => void 0);
+  await rm2(account.authDirectory, { force: true, recursive: true }).catch(() => void 0);
+  logger.warn("command.rollback_account_record", {
+    accountId: account.id,
+    label: account.label
+  });
+}
+async function cleanupWorkspace(workspace, logger, loginResult) {
+  logger.debug("workspace.cleanup.start", {
+    workspaceRoot: workspace.workspaceRoot,
+    codexHome: workspace.codexHome,
+    loginExitCode: loginResult?.exitCode ?? null
+  });
+  await rm2(workspace.workspaceRoot, {
+    force: true,
+    recursive: true
+  }).catch(() => void 0);
+  logger.debug("workspace.cleanup.complete", {
+    workspaceRoot: workspace.workspaceRoot
+  });
+}
+function buildLoginFailureMessage(loginResult) {
+  if (loginResult.timedOut) {
+    return `codexes: account login timed out after ${loginResult.timeoutMs}ms.
+`;
+  }
+  if (loginResult.cancelledBySignal) {
+    return "codexes: account login was cancelled.\n";
+  }
+  return `codexes: account login failed with exit code ${loginResult.exitCode ?? "unknown"}.
+`;
+}
+
+// src/accounts/account-resolution.ts
+import { readFile as readFile6 } from "node:fs/promises";
+import path9 from "node:path";
+function resolveAccountBySelector(input) {
+  const normalizedSelector = input.selector.trim();
+  const matches = input.accounts.filter(
+    (account) => account.id === normalizedSelector || account.label.toLowerCase() === normalizedSelector.toLowerCase()
+  );
+  input.logger.debug("account_resolution.lookup", {
+    selector: normalizedSelector,
+    accountCount: input.accounts.length,
+    matchCount: matches.length,
+    matchedAccountIds: matches.map((account) => account.id)
+  });
+  if (matches.length === 0) {
+    throw new Error(`No account matches "${normalizedSelector}".`);
+  }
+  if (matches.length > 1) {
+    throw new Error(
+      `Selector "${normalizedSelector}" matched multiple accounts; use the account id instead.`
+    );
+  }
+  const [match] = matches;
+  if (!match) {
+    throw new Error(`No account matches "${normalizedSelector}".`);
+  }
+  return match;
+}
+async function buildAccountPresentations(input) {
+  const presentations = [];
+  for (const account of input.accounts) {
+    presentations.push({
+      account,
+      ...await readAccountMetadataSummary(account, input.logger)
+    });
+  }
+  return presentations;
+}
+async function readAccountMetadataSummary(account, logger) {
+  const metadataFile = path9.join(account.authDirectory, "account.json");
+  try {
+    const raw = await readFile6(metadataFile, "utf8");
+    const parsed = JSON.parse(raw);
+    const summary = {
+      authAccountId: typeof parsed.authAccountId === "string" ? parsed.authAccountId : null,
+      authMode: typeof parsed.authMode === "string" ? parsed.authMode : null
+    };
+    logger.debug("account_resolution.metadata_loaded", {
+      accountId: account.id,
+      metadataFile,
+      authAccountId: summary.authAccountId,
+      authMode: summary.authMode
+    });
+    return summary;
+  } catch (error) {
+    if (typeof error === "object" && error !== null && "code" in error && error.code === "ENOENT") {
+      logger.debug("account_resolution.metadata_missing", {
+        accountId: account.id,
+        metadataFile
+      });
+      return { authAccountId: null, authMode: null };
+    }
+    logger.warn("account_resolution.metadata_failed", {
+      accountId: account.id,
+      metadataFile,
+      message: error instanceof Error ? error.message : String(error)
+    });
+    return { authAccountId: null, authMode: null };
+  }
+}
+
+// src/commands/account-list/run-account-list-command.ts
+async function runAccountListCommand(context) {
+  const logger = createLogger({
+    level: context.logging.level,
+    name: "account_list",
+    sink: context.logging.sink
+  });
+  const registry = createAccountRegistry({
+    accountRoot: context.paths.accountRoot,
+    logger,
+    registryFile: context.paths.registryFile
+  });
+  const [accounts, defaultAccount] = await Promise.all([
+    registry.listAccounts(),
+    registry.getDefaultAccount()
+  ]);
+  logger.info("command.start", {
+    accountCount: accounts.length,
+    defaultAccountId: defaultAccount?.id ?? null
+  });
+  if (accounts.length === 0) {
+    context.io.stdout.write(
+      [
+        "No accounts configured.",
+        "Add one with: codexes account add <label>"
+      ].join("\n") + "\n"
+    );
+    logger.info("command.empty");
+    return 0;
+  }
+  const presentations = await buildAccountPresentations({ accounts, logger });
+  const lines = presentations.map(({ account, authAccountId, authMode }) => {
+    const markers = [
+      defaultAccount?.id === account.id ? "default" : null,
+      authMode ? `auth=${authMode}` : null,
+      authAccountId ? `authAccountId=${authAccountId}` : null
+    ].filter((value) => Boolean(value)).join(", ");
+    return `${defaultAccount?.id === account.id ? "*" : " "} ${account.label} (${account.id})${markers ? ` [${markers}]` : ""}`;
+  });
+  context.io.stdout.write(`${lines.join("\n")}
+`);
+  logger.info("command.complete", {
+    accountIds: presentations.map(({ account }) => account.id)
+  });
+  return 0;
+}
+
+// src/commands/account-remove/run-account-remove-command.ts
+import { rm as rm3 } from "node:fs/promises";
+async function runAccountRemoveCommand(context, argv) {
+  const logger = createLogger({
+    level: context.logging.level,
+    name: "account_remove",
+    sink: context.logging.sink
+  });
+  if (argv.includes("--help")) {
+    context.io.stdout.write(`${buildAccountRemoveHelpText()}
+`);
+    logger.info("help.rendered");
+    return 0;
+  }
+  const selector = argv[0]?.trim();
+  if (!selector || argv.length > 1) {
+    throw new Error(buildAccountRemoveHelpText());
+  }
+  const registry = createAccountRegistry({
+    accountRoot: context.paths.accountRoot,
+    logger,
+    registryFile: context.paths.registryFile
+  });
+  const accounts = await registry.listAccounts();
+  if (accounts.length === 0) {
+    context.io.stdout.write("No accounts configured.\n");
+    logger.info("command.empty");
+    return 0;
+  }
+  const account = resolveAccountBySelector({ accounts, logger, selector });
+  logger.info("command.start", {
+    requestedSelector: selector,
+    resolvedAccountId: account.id,
+    label: account.label
+  });
+  await registry.removeAccount(account.id);
+  await rm3(account.authDirectory, { force: true, recursive: true });
+  context.io.stdout.write(`Removed account "${account.label}" (${account.id}).
+`);
+  logger.info("command.complete", {
+    requestedSelector: selector,
+    resolvedAccountId: account.id
+  });
+  return 0;
+}
+function buildAccountRemoveHelpText() {
+  return [
+    "Usage:",
+    "  codexes account remove <account-id-or-label>"
+  ].join("\n");
+}
+
+// src/commands/account-use/run-account-use-command.ts
+async function runAccountUseCommand(context, argv) {
+  const logger = createLogger({
+    level: context.logging.level,
+    name: "account_use",
+    sink: context.logging.sink
+  });
+  if (argv.includes("--help")) {
+    context.io.stdout.write(`${buildAccountUseHelpText()}
+`);
+    logger.info("help.rendered");
+    return 0;
+  }
+  const registry = createAccountRegistry({
+    accountRoot: context.paths.accountRoot,
+    logger,
+    registryFile: context.paths.registryFile
+  });
+  const accounts = await registry.listAccounts();
+  if (accounts.length === 0) {
+    context.io.stdout.write(
+      [
+        "No accounts configured.",
+        "Add one with: codexes account add <label>"
+      ].join("\n") + "\n"
+    );
+    logger.info("command.empty");
+    return 0;
+  }
+  const selector = argv[0]?.trim() ?? null;
+  if (argv.length > 1) {
+    throw new Error(buildAccountUseHelpText());
+  }
+  let targetAccount = null;
+  if (!selector) {
+    if (accounts.length === 1) {
+      const [singleAccount] = accounts;
+      if (!singleAccount) {
+        throw new Error("No accounts configured.");
+      }
+      targetAccount = singleAccount;
+      logger.info("command.single_account_default", {
+        resolvedAccountId: targetAccount.id,
+        label: targetAccount.label
+      });
+    } else {
+      throw new Error(
+        "Multiple accounts exist. Specify which one to use: codexes account use <account-id-or-label>"
+      );
+    }
+  } else {
+    targetAccount = resolveAccountBySelector({ accounts, logger, selector });
+  }
+  if (!targetAccount) {
+    throw new Error("Could not resolve the account to use.");
+  }
+  logger.info("command.start", {
+    requestedSelector: selector,
+    resolvedAccountId: targetAccount.id,
+    label: targetAccount.label
+  });
+  const selectedAccount = await registry.selectAccount(targetAccount.id);
+  context.io.stdout.write(
+    `Using account "${selectedAccount.label}" (${selectedAccount.id}) as the default.
+`
+  );
+  logger.info("command.complete", {
+    requestedSelector: selector,
+    resolvedAccountId: selectedAccount.id
+  });
+  return 0;
+}
+function buildAccountUseHelpText() {
+  return [
+    "Usage:",
+    "  codexes account use <account-id-or-label>",
+    "  codexes account use",
+    "",
+    "When only one account exists, `codexes account use` selects it automatically."
+  ].join("\n");
+}
+
+// src/runtime/lock/runtime-lock.ts
+import os3 from "node:os";
+import path10 from "node:path";
+import { mkdir as mkdir6, readFile as readFile7, rm as rm4, stat as stat5, writeFile as writeFile5 } from "node:fs/promises";
+var DEFAULT_WAIT_TIMEOUT_MS = 15e3;
+var DEFAULT_STALE_LOCK_MS = 5 * 60 * 1e3;
+var DEFAULT_POLL_INTERVAL_MS = 250;
+async function acquireRuntimeLock(input) {
+  const lockRoot = path10.join(input.runtimeRoot, "lock");
+  const ownerFile = path10.join(lockRoot, "owner.json");
+  const waitTimeoutMs = input.waitTimeoutMs ?? DEFAULT_WAIT_TIMEOUT_MS;
+  const staleLockMs = input.staleLockMs ?? DEFAULT_STALE_LOCK_MS;
+  const pollIntervalMs = input.pollIntervalMs ?? DEFAULT_POLL_INTERVAL_MS;
+  const startedAt = Date.now();
+  input.logger.info("runtime_lock.acquire.start", {
+    lockRoot,
+    waitTimeoutMs,
+    staleLockMs,
+    pollIntervalMs
+  });
+  while (true) {
+    try {
+      await mkdir6(lockRoot);
+      const owner = {
+        pid: process.pid,
+        host: os3.hostname(),
+        createdAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+      await writeFile5(ownerFile, JSON.stringify(owner, null, 2), "utf8");
+      input.logger.info("runtime_lock.acquire.complete", {
+        lockRoot,
+        waitedMs: Date.now() - startedAt,
+        owner
+      });
+      return {
+        async release() {
+          input.logger.info("runtime_lock.release.start", { lockRoot });
+          await rm4(lockRoot, { force: true, recursive: true }).catch(() => void 0);
+          input.logger.info("runtime_lock.release.complete", { lockRoot });
+        }
+      };
+    } catch (error) {
+      if (!isAlreadyExistsError(error)) {
+        input.logger.error("runtime_lock.acquire.failed", {
+          lockRoot,
+          message: error instanceof Error ? error.message : String(error)
+        });
+        throw error;
+      }
+    }
+    const lockAgeMs = await readLockAgeMs(lockRoot, ownerFile);
+    if (lockAgeMs !== null && lockAgeMs > staleLockMs) {
+      input.logger.warn("runtime_lock.stale_detected", {
+        lockRoot,
+        lockAgeMs
+      });
+      await rm4(lockRoot, { force: true, recursive: true }).catch(() => void 0);
+      continue;
+    }
+    const waitedMs = Date.now() - startedAt;
+    input.logger.debug("runtime_lock.acquire.waiting", {
+      lockRoot,
+      waitedMs,
+      lockAgeMs
+    });
+    if (waitedMs >= waitTimeoutMs) {
+      input.logger.error("runtime_lock.acquire.timeout", {
+        lockRoot,
+        waitedMs,
+        lockAgeMs
+      });
+      throw new Error(
+        `Timed out waiting for the shared runtime lock after ${waitTimeoutMs}ms.`
+      );
+    }
+    await sleep(pollIntervalMs);
+  }
+}
+async function readLockAgeMs(lockRoot, ownerFile) {
+  const ownerContents = await readFile7(ownerFile, "utf8").catch(() => null);
+  if (ownerContents) {
+    const parsed = JSON.parse(ownerContents);
+    if (typeof parsed.createdAt === "string") {
+      return Date.now() - new Date(parsed.createdAt).getTime();
+    }
+  }
+  const lockStats = await stat5(lockRoot).catch(() => null);
+  return lockStats ? Date.now() - lockStats.mtimeMs : null;
+}
+function isAlreadyExistsError(error) {
+  return typeof error === "object" && error !== null && "code" in error && error.code === "EEXIST";
+}
+function sleep(durationMs) {
+  return new Promise((resolve) => {
+    setTimeout(resolve, durationMs);
+  });
+}
+
+// src/runtime/activate-account/activate-account.ts
+import { copyFile as copyFile3, cp as cp3, mkdir as mkdir7, readFile as readFile8, rm as rm5, stat as stat6 } from "node:fs/promises";
+import path11 from "node:path";
+import { createHash } from "node:crypto";
+async function activateAccountIntoSharedRuntime(input) {
+  const runtimePaths = resolveAccountRuntimePaths(input.runtimeContract, input.account.id);
+  const accountStateRoot = runtimePaths.accountStateDirectory;
+  const backupRoot = path11.join(runtimePaths.runtimeBackupDirectory, "active");
+  input.logger.info("account_activation.start", {
+    accountId: input.account.id,
+    label: input.account.label,
+    accountStateRoot,
+    sharedCodexHome: input.sharedCodexHome,
+    backupRoot
+  });
+  await rm5(backupRoot, { force: true, recursive: true }).catch(() => void 0);
+  await mkdir7(backupRoot, { recursive: true });
+  const accountRules = input.runtimeContract.fileRules.filter(
+    (rule) => rule.classification === "account"
+  );
+  const authSourcePath = path11.join(accountStateRoot, "auth.json");
+  if (!await pathExists4(authSourcePath)) {
+    input.logger.error("account_activation.missing_auth", {
+      accountId: input.account.id,
+      authSourcePath
+    });
+    throw new Error(
+      `Account "${input.account.label}" has no stored auth.json; add the account again.`
+    );
+  }
+  try {
+    for (const rule of accountRules) {
+      await backupRuntimeArtifact({
+        backupRoot,
+        logger: input.logger,
+        rule,
+        sharedCodexHome: input.sharedCodexHome
+      });
+      await replaceRuntimeArtifact({
+        accountStateRoot,
+        logger: input.logger,
+        rule,
+        sharedCodexHome: input.sharedCodexHome
+      });
+    }
+  } catch (error) {
+    input.logger.error("account_activation.failed", {
+      accountId: input.account.id,
+      message: error instanceof Error ? error.message : String(error)
+    });
+    await restoreSharedRuntimeFromBackup({
+      account: input.account,
+      backupRoot,
+      logger: input.logger,
+      runtimeContract: input.runtimeContract,
+      sharedCodexHome: input.sharedCodexHome
+    });
+    throw error;
+  }
+  input.logger.info("account_activation.complete", {
+    accountId: input.account.id,
+    sharedCodexHome: input.sharedCodexHome
+  });
+  return {
+    account: input.account,
+    backupRoot,
+    runtimeContract: input.runtimeContract,
+    sharedCodexHome: input.sharedCodexHome,
+    sourceAccountStateRoot: accountStateRoot
+  };
+}
+async function syncSharedRuntimeBackToAccount(input) {
+  const accountRules = input.session.runtimeContract.fileRules.filter(
+    (rule) => rule.classification === "account"
+  );
+  input.logger.info("account_sync.start", {
+    accountId: input.session.account.id,
+    sharedCodexHome: input.session.sharedCodexHome,
+    accountStateRoot: input.session.sourceAccountStateRoot
+  });
+  for (const rule of accountRules) {
+    await syncRuntimeArtifact({
+      accountStateRoot: input.session.sourceAccountStateRoot,
+      logger: input.logger,
+      rule,
+      sharedCodexHome: input.session.sharedCodexHome
+    });
+  }
+  input.logger.info("account_sync.complete", {
+    accountId: input.session.account.id
+  });
+}
+async function restoreSharedRuntimeFromBackup(input) {
+  const accountRules = input.runtimeContract.fileRules.filter(
+    (rule) => rule.classification === "account"
+  );
+  input.logger.warn("account_activation.restore.start", {
+    accountId: input.account.id,
+    backupRoot: input.backupRoot,
+    sharedCodexHome: input.sharedCodexHome
+  });
+  for (const rule of accountRules) {
+    await restoreRuntimeArtifact({
+      backupRoot: input.backupRoot,
+      logger: input.logger,
+      rule,
+      sharedCodexHome: input.sharedCodexHome
+    });
+  }
+  input.logger.warn("account_activation.restore.complete", {
+    accountId: input.account.id
+  });
+}
+async function backupRuntimeArtifact(input) {
+  const sourcePath = path11.join(input.sharedCodexHome, normalizedPattern(input.rule.pathPattern));
+  const backupPath = path11.join(input.backupRoot, normalizedPattern(input.rule.pathPattern));
+  if (!await pathExists4(sourcePath)) {
+    input.logger.debug("account_activation.backup.skip", {
+      pathPattern: input.rule.pathPattern,
+      sourcePath,
+      reason: "missing"
+    });
+    return;
+  }
+  await mkdir7(path11.dirname(backupPath), { recursive: true });
+  if (isDirectoryPattern(input.rule)) {
+    await cp3(sourcePath, backupPath, { recursive: true });
+  } else {
+    await copyFile3(sourcePath, backupPath);
+  }
+  input.logger.debug("account_activation.backup.complete", {
+    pathPattern: input.rule.pathPattern,
+    sourcePath,
+    backupPath
+  });
+}
+async function replaceRuntimeArtifact(input) {
+  const sourcePath = path11.join(input.accountStateRoot, normalizedPattern(input.rule.pathPattern));
+  const targetPath = path11.join(input.sharedCodexHome, normalizedPattern(input.rule.pathPattern));
+  await rm5(targetPath, { force: true, recursive: true }).catch(() => void 0);
+  if (!await pathExists4(sourcePath)) {
+    input.logger.debug("account_activation.replace.skip", {
+      pathPattern: input.rule.pathPattern,
+      sourcePath,
+      reason: "missing"
+    });
+    return;
+  }
+  await mkdir7(path11.dirname(targetPath), { recursive: true });
+  if (isDirectoryPattern(input.rule)) {
+    await cp3(sourcePath, targetPath, { recursive: true });
+  } else {
+    await copyFile3(sourcePath, targetPath);
+  }
+  input.logger.debug("account_activation.replace.complete", {
+    pathPattern: input.rule.pathPattern,
+    sourcePath,
+    targetPath
+  });
+}
+async function syncRuntimeArtifact(input) {
+  const sourcePath = path11.join(input.sharedCodexHome, normalizedPattern(input.rule.pathPattern));
+  const targetPath = path11.join(input.accountStateRoot, normalizedPattern(input.rule.pathPattern));
+  if (!await pathExists4(sourcePath)) {
+    input.logger.debug("account_sync.skip", {
+      pathPattern: input.rule.pathPattern,
+      sourcePath,
+      reason: "missing"
+    });
+    return;
+  }
+  const changed = await hasArtifactChanged(sourcePath, targetPath, isDirectoryPattern(input.rule));
+  if (!changed) {
+    input.logger.debug("account_sync.no_change", {
+      pathPattern: input.rule.pathPattern,
+      sourcePath,
+      targetPath
+    });
+    return;
+  }
+  await rm5(targetPath, { force: true, recursive: true }).catch(() => void 0);
+  await mkdir7(path11.dirname(targetPath), { recursive: true });
+  if (isDirectoryPattern(input.rule)) {
+    await cp3(sourcePath, targetPath, { recursive: true });
+  } else {
+    await copyFile3(sourcePath, targetPath);
+  }
+  input.logger.info("account_sync.updated", {
+    pathPattern: input.rule.pathPattern,
+    sourcePath,
+    targetPath
+  });
+}
+async function restoreRuntimeArtifact(input) {
+  const backupPath = path11.join(input.backupRoot, normalizedPattern(input.rule.pathPattern));
+  const targetPath = path11.join(input.sharedCodexHome, normalizedPattern(input.rule.pathPattern));
+  await rm5(targetPath, { force: true, recursive: true }).catch(() => void 0);
+  if (!await pathExists4(backupPath)) {
+    input.logger.debug("account_activation.restore.skip", {
+      pathPattern: input.rule.pathPattern,
+      backupPath,
+      reason: "missing"
+    });
+    return;
+  }
+  await mkdir7(path11.dirname(targetPath), { recursive: true });
+  if (isDirectoryPattern(input.rule)) {
+    await cp3(backupPath, targetPath, { recursive: true });
+  } else {
+    await copyFile3(backupPath, targetPath);
+  }
+  input.logger.debug("account_activation.restore.complete_artifact", {
+    pathPattern: input.rule.pathPattern,
+    backupPath,
+    targetPath
+  });
+}
+function isDirectoryPattern(rule) {
+  return rule.pathPattern.endsWith("/**");
+}
+function normalizedPattern(pattern) {
+  return pattern.endsWith("/**") ? pattern.slice(0, -3) : pattern;
+}
+async function hasArtifactChanged(sourcePath, targetPath, isDirectory) {
+  if (!await pathExists4(targetPath)) {
+    return true;
+  }
+  if (isDirectory) {
+    const [sourceHash2, targetHash2] = await Promise.all([
+      hashDirectory(sourcePath),
+      hashDirectory(targetPath)
+    ]);
+    return sourceHash2 !== targetHash2;
+  }
+  const [sourceHash, targetHash] = await Promise.all([
+    hashFile(sourcePath),
+    hashFile(targetPath)
+  ]);
+  return sourceHash !== targetHash;
+}
+async function hashFile(filePath) {
+  const content = await readFile8(filePath);
+  return createHash("sha256").update(content).digest("hex");
+}
+async function hashDirectory(directoryPath) {
+  const entries = await collectFiles(directoryPath);
+  const hash = createHash("sha256");
+  for (const entry of entries.sort()) {
+    hash.update(entry.relativePath);
+    hash.update(await readFile8(entry.absolutePath));
+  }
+  return hash.digest("hex");
+}
+async function collectFiles(root) {
+  const rootStats = await stat6(root).catch(() => null);
+  if (!rootStats) {
+    return [];
+  }
+  if (!rootStats.isDirectory()) {
+    return [{ absolutePath: root, relativePath: path11.basename(root) }];
+  }
+  const results = [];
+  const stack = [root];
+  while (stack.length > 0) {
+    const current = stack.pop();
+    if (!current) {
+      continue;
+    }
+    const entries = await import("node:fs/promises").then(
+      (fs) => fs.readdir(current, { withFileTypes: true })
+    );
+    for (const entry of entries) {
+      const absolutePath = path11.join(current, entry.name);
+      if (entry.isDirectory()) {
+        stack.push(absolutePath);
+        continue;
+      }
+      if (entry.isFile()) {
+        results.push({
+          absolutePath,
+          relativePath: path11.relative(root, absolutePath).split(path11.sep).join("/")
+        });
+      }
+    }
+  }
+  return results;
+}
+async function pathExists4(targetPath) {
+  try {
+    await stat6(targetPath);
+    return true;
+  } catch (error) {
+    if (typeof error === "object" && error !== null && "code" in error && error.code === "ENOENT") {
+      return false;
+    }
+    throw error;
+  }
+}
+
+// src/process/spawn-codex-command.ts
+import { spawn as spawn2 } from "node:child_process";
+async function spawnCodexCommand(input) {
+  const launchSpec = await resolveCodexLaunchSpec(input.codexBinaryPath, input.argv);
+  input.logger.info("spawn_codex.start", {
+    codexBinaryPath: input.codexBinaryPath,
+    resolvedCommand: launchSpec.command,
+    codexHome: input.codexHome,
+    argv: launchSpec.args,
+    stdinIsTTY: process.stdin.isTTY ?? false,
+    stdoutIsTTY: process.stdout.isTTY ?? false,
+    stderrIsTTY: process.stderr.isTTY ?? false
+  });
+  return new Promise((resolve, reject) => {
+    const child = spawn2(launchSpec.command, launchSpec.args, {
+      env: {
+        ...process.env,
+        CODEX_HOME: input.codexHome
+      },
+      shell: false,
+      stdio: "inherit",
+      windowsHide: false
+    });
+    let settled = false;
+    const forwardSignal = (signal) => {
+      input.logger.warn("spawn_codex.parent_signal", {
+        signal,
+        pid: child.pid ?? null
+      });
+      child.kill(signal);
+    };
+    const signalHandlers = {
+      SIGINT: () => forwardSignal("SIGINT"),
+      SIGTERM: () => forwardSignal("SIGTERM")
+    };
+    process.on("SIGINT", signalHandlers.SIGINT);
+    process.on("SIGTERM", signalHandlers.SIGTERM);
+    const cleanup = () => {
+      process.off("SIGINT", signalHandlers.SIGINT);
+      process.off("SIGTERM", signalHandlers.SIGTERM);
+    };
+    child.on("error", (error) => {
+      if (settled) {
+        return;
+      }
+      settled = true;
+      cleanup();
+      input.logger.error("spawn_codex.error", {
+        codexBinaryPath: input.codexBinaryPath,
+        message: error.message
+      });
+      reject(error);
+    });
+    child.on("exit", (exitCode2, signal) => {
+      if (settled) {
+        return;
+      }
+      settled = true;
+      cleanup();
+      input.logger.info("spawn_codex.complete", {
+        codexBinaryPath: input.codexBinaryPath,
+        exitCode: exitCode2,
+        signal
+      });
+      resolve(exitCode2 ?? 1);
+    });
+  });
+}
+
+// src/selection/account-auth-state.ts
+import { readFile as readFile9 } from "node:fs/promises";
+import path12 from "node:path";
+async function readAccountAuthState(input) {
+  const filePath = path12.join(input.account.authDirectory, "state", "auth.json");
+  input.logger.debug("selection.account_auth_state.read_start", {
+    accountId: input.account.id,
+    label: input.account.label,
+    filePath
+  });
+  try {
+    const raw = await readFile9(filePath, "utf8");
+    const parsed = JSON.parse(raw);
+    if (!isRecord(parsed)) {
+      input.logger.warn("selection.account_auth_state.unsupported_shape", {
+        accountId: input.account.id,
+        label: input.account.label,
+        filePath,
+        topLevelType: typeof parsed
+      });
+      return {
+        ok: false,
+        category: "unsupported-auth-shape",
+        filePath,
+        message: "auth.json is not a JSON object."
+      };
+    }
+    const accessToken = resolveString(
+      parsed.access_token,
+      getNestedString(parsed, ["tokens", "access_token"]),
+      getNestedString(parsed, ["tokens", "accessToken"])
+    );
+    if (!accessToken) {
+      input.logger.warn("selection.account_auth_state.access_token_missing", {
+        accountId: input.account.id,
+        label: input.account.label,
+        filePath,
+        hasTokensObject: isRecord(parsed.tokens)
+      });
+      return {
+        ok: false,
+        category: "missing-access-token",
+        filePath,
+        message: "auth.json does not contain an access_token."
+      };
+    }
+    const result = {
+      ok: true,
+      filePath,
+      state: {
+        accessToken,
+        accountId: resolveString(
+          parsed.account_id,
+          parsed.accountId,
+          getNestedString(parsed, ["tokens", "account_id"]),
+          getNestedString(parsed, ["tokens", "accountId"])
+        ),
+        authMode: resolveString(
+          parsed.auth_mode,
+          parsed.authMode,
+          getNestedString(parsed, ["tokens", "auth_mode"]),
+          getNestedString(parsed, ["tokens", "authMode"])
+        ),
+        lastRefresh: resolveString(
+          parsed.last_refresh,
+          parsed.lastRefresh,
+          parsed.refresh_at,
+          parsed.refreshAt
+        )
+      }
+    };
+    input.logger.debug("selection.account_auth_state.read_complete", {
+      accountId: input.account.id,
+      label: input.account.label,
+      filePath,
+      hasAccessToken: true,
+      authAccountId: result.state.accountId,
+      authMode: result.state.authMode,
+      hasRefreshMetadata: result.state.lastRefresh !== null
+    });
+    return result;
+  } catch (error) {
+    if (isNodeErrorWithCode(error, "ENOENT")) {
+      input.logger.warn("selection.account_auth_state.missing_file", {
+        accountId: input.account.id,
+        label: input.account.label,
+        filePath
+      });
+      return {
+        ok: false,
+        category: "missing-file",
+        filePath,
+        message: "auth.json was not found for the account profile."
+      };
+    }
+    if (error instanceof SyntaxError) {
+      input.logger.warn("selection.account_auth_state.malformed_json", {
+        accountId: input.account.id,
+        label: input.account.label,
+        filePath,
+        message: error.message
+      });
+      return {
+        ok: false,
+        category: "malformed-json",
+        filePath,
+        message: error.message
+      };
+    }
+    input.logger.warn("selection.account_auth_state.unsupported_shape", {
+      accountId: input.account.id,
+      label: input.account.label,
+      filePath,
+      message: error instanceof Error ? error.message : String(error)
+    });
+    return {
+      ok: false,
+      category: "unsupported-auth-shape",
+      filePath,
+      message: error instanceof Error ? error.message : String(error)
+    };
+  }
+}
+function getNestedString(value, pathParts) {
+  let current = value;
+  for (const part of pathParts) {
+    if (!isRecord(current) || typeof current[part] === "undefined") {
+      return null;
+    }
+    current = current[part];
+  }
+  return typeof current === "string" && current.trim().length > 0 ? current : null;
+}
+function resolveString(...values) {
+  for (const value of values) {
+    if (typeof value === "string" && value.trim().length > 0) {
+      return value;
+    }
+  }
+  return null;
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null;
+}
+function isNodeErrorWithCode(error, code) {
+  return typeof error === "object" && error !== null && "code" in error && error.code === code;
+}
+
+// src/selection/usage-normalize.ts
+function normalizeWhamUsageResponse(input) {
+  input.logger.debug("selection.usage_normalize.start", {
+    accountIdHint: input.accountIdHint ?? null,
+    topLevelKeys: Object.keys(input.raw).sort()
+  });
+  const daily = normalizeUsageWindow({
+    accountIdHint: input.accountIdHint,
+    logger: input.logger,
+    raw: resolveUsageWindow(input.raw, "daily"),
+    window: "daily"
+  });
+  const weekly = normalizeUsageWindow({
+    accountIdHint: input.accountIdHint,
+    logger: input.logger,
+    raw: resolveUsageWindow(input.raw, "weekly"),
+    window: "weekly"
+  });
+  const accountId = pickString(input.raw.account_id, input.raw.accountId, input.accountIdHint);
+  const allowed = typeof input.raw.allowed === "boolean" ? input.raw.allowed : true;
+  const limitReached = typeof input.raw.limit_reached === "boolean" ? input.raw.limit_reached : daily.limitReached || weekly.limitReached;
+  const status = classifyUsageStatus({
+    allowed,
+    dailyRemaining: daily.remaining,
+    limitReached,
+    weeklyRemaining: weekly.remaining
+  });
+  const snapshot = {
+    accountId,
+    allowed,
+    limitReached,
+    dailyRemaining: daily.remaining,
+    weeklyRemaining: weekly.remaining,
+    dailyResetsAt: daily.resetsAt,
+    weeklyResetsAt: weekly.resetsAt,
+    dailyPercentUsed: daily.percentUsed,
+    weeklyPercentUsed: weekly.percentUsed,
+    observedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    status,
+    statusReason: describeUsageStatus(status),
+    windows: {
+      daily,
+      weekly
+    }
+  };
+  input.logger.debug("selection.usage_normalize.complete", {
+    accountId: snapshot.accountId,
+    allowed: snapshot.allowed,
+    limitReached: snapshot.limitReached,
+    dailyRemaining: snapshot.dailyRemaining,
+    weeklyRemaining: snapshot.weeklyRemaining,
+    dailyResetsAt: snapshot.dailyResetsAt,
+    weeklyResetsAt: snapshot.weeklyResetsAt,
+    status: snapshot.status,
+    statusReason: snapshot.statusReason
+  });
+  return snapshot;
+}
+function normalizeUsageWindow(input) {
+  if (!input.raw) {
+    input.logger.debug("selection.usage_normalize.window_missing", {
+      accountIdHint: input.accountIdHint ?? null,
+      window: input.window
+    });
+    return {
+      limit: null,
+      used: null,
+      remaining: null,
+      limitReached: false,
+      resetsAt: null,
+      percentUsed: null,
+      source: null
+    };
+  }
+  const limit = pickNumber(input.raw.limit);
+  const used = pickNumber(input.raw.used, calculateUsed(limit, pickNumber(input.raw.remaining)));
+  const remaining = pickNumber(
+    input.raw.remaining,
+    calculateRemaining(limit, used)
+  );
+  const limitReached = typeof input.raw.limit_reached === "boolean" ? input.raw.limit_reached : remaining !== null ? remaining <= 0 : false;
+  const percentUsed = pickNumber(
+    input.raw.percent_used,
+    input.raw.percentage_used,
+    calculatePercentUsed(limit, used, remaining)
+  );
+  const resetsAt = normalizeTimestamp(
+    input.raw.reset_at,
+    input.raw.resets_at,
+    input.raw.next_reset_at
+  );
+  const source = resolveWindowSource(input.raw);
+  input.logger.debug("selection.usage_normalize.window_complete", {
+    accountIdHint: input.accountIdHint ?? null,
+    window: input.window,
+    limit,
+    used,
+    remaining,
+    limitReached,
+    percentUsed,
+    resetsAt,
+    source
+  });
+  return {
+    limit,
+    used,
+    remaining,
+    limitReached,
+    resetsAt,
+    percentUsed,
+    source
+  };
+}
+function resolveUsageWindow(raw, window) {
+  const candidates = [raw[window], raw.usage?.[window], raw.quotas?.[window]];
+  for (const candidate of candidates) {
+    if (isRecord2(candidate)) {
+      return candidate;
+    }
+  }
+  return null;
+}
+function resolveWindowSource(raw) {
+  if (typeof raw.source === "string") {
+    return raw.source;
+  }
+  if (typeof raw.kind === "string") {
+    return raw.kind;
+  }
+  return null;
+}
+function classifyUsageStatus(input) {
+  if (!input.allowed) {
+    return "not-allowed";
+  }
+  if (input.limitReached) {
+    return "limit-reached";
+  }
+  if (input.dailyRemaining === null && input.weeklyRemaining === null) {
+    return "missing-usage-data";
+  }
+  return "usable";
+}
+function describeUsageStatus(status) {
+  switch (status) {
+    case "not-allowed":
+      return "usage endpoint reported that the account is not allowed to launch";
+    case "limit-reached":
+      return "usage endpoint reported an exhausted limit window";
+    case "missing-usage-data":
+      return "usage endpoint did not expose enough quota fields to rank this account";
+    case "usable":
+      return "usage endpoint exposed enough quota fields to rank this account";
+  }
+}
+function normalizeTimestamp(...values) {
+  for (const value of values) {
+    if (typeof value === "string") {
+      const parsed = new Date(value);
+      if (!Number.isNaN(parsed.valueOf())) {
+        return parsed.toISOString();
+      }
+    }
+    if (typeof value === "number" && Number.isFinite(value)) {
+      const normalizedValue = value > 1e10 ? value : value * 1e3;
+      const parsed = new Date(normalizedValue);
+      if (!Number.isNaN(parsed.valueOf())) {
+        return parsed.toISOString();
+      }
+    }
+  }
+  return null;
+}
+function calculateRemaining(limit, used) {
+  if (limit === null || used === null) {
+    return null;
+  }
+  return limit - used;
+}
+function calculateUsed(limit, remaining) {
+  if (limit === null || remaining === null) {
+    return null;
+  }
+  return limit - remaining;
+}
+function calculatePercentUsed(limit, used, remaining) {
+  if (limit === null || limit <= 0) {
+    return null;
+  }
+  const numerator = used ?? calculateUsed(limit, remaining);
+  if (numerator === null) {
+    return null;
+  }
+  return Number((numerator / limit * 100).toFixed(2));
+}
+function pickString(...values) {
+  for (const value of values) {
+    if (typeof value === "string" && value.trim().length > 0) {
+      return value;
+    }
+  }
+  return null;
+}
+function pickNumber(...values) {
+  for (const value of values) {
+    if (typeof value === "number" && Number.isFinite(value)) {
+      return value;
+    }
+  }
+  return null;
+}
+function isRecord2(value) {
+  return typeof value === "object" && value !== null;
+}
+
+// src/selection/usage-client.ts
+var WHAM_USAGE_URL = "https://chatgpt.com/backend-api/wham/usage";
+async function probeAccountUsage(input) {
+  const fetchImpl = input.fetchImpl ?? fetch;
+  input.logger.info("selection.usage_probe.start", {
+    accountId: input.account.id,
+    label: input.account.label,
+    timeoutMs: input.probeConfig.probeTimeoutMs,
+    useAccountIdHeader: input.probeConfig.useAccountIdHeader
+  });
+  const authState = await readAccountAuthState({
+    account: input.account,
+    logger: input.logger
+  });
+  if (!authState.ok) {
+    input.logger.warn("selection.usage_probe.auth_missing", {
+      accountId: input.account.id,
+      label: input.account.label,
+      category: authState.category,
+      filePath: authState.filePath
+    });
+    return {
+      ok: false,
+      account: input.account,
+      category: "auth-missing",
+      message: authState.message,
+      source: "fresh"
+    };
+  }
+  try {
+    const response = await fetchImpl(WHAM_USAGE_URL, {
+      method: "GET",
+      headers: buildUsageHeaders({
+        accessToken: authState.state.accessToken,
+        accountId: authState.state.accountId,
+        useAccountIdHeader: input.probeConfig.useAccountIdHeader
+      }),
+      signal: AbortSignal.timeout(input.probeConfig.probeTimeoutMs)
+    });
+    input.logger.debug("selection.usage_probe.http_complete", {
+      accountId: input.account.id,
+      label: input.account.label,
+      status: response.status,
+      ok: response.ok
+    });
+    if (!response.ok) {
+      input.logger.warn("selection.usage_probe.http_error", {
+        accountId: input.account.id,
+        label: input.account.label,
+        status: response.status
+      });
+      return {
+        ok: false,
+        account: input.account,
+        category: "http-error",
+        message: `Usage probe returned HTTP ${response.status}.`,
+        source: "fresh"
+      };
+    }
+    const body = await response.json();
+    if (!isRecord3(body)) {
+      input.logger.warn("selection.usage_probe.invalid_response", {
+        accountId: input.account.id,
+        label: input.account.label,
+        bodyType: typeof body
+      });
+      return {
+        ok: false,
+        account: input.account,
+        category: "invalid-response",
+        message: "Usage probe returned a non-object JSON payload.",
+        source: "fresh"
+      };
+    }
+    const snapshot = normalizeWhamUsageResponse({
+      accountIdHint: authState.state.accountId ?? input.account.id,
+      logger: input.logger,
+      raw: body
+    });
+    input.logger.info("selection.usage_probe.success", {
+      accountId: input.account.id,
+      label: input.account.label,
+      snapshotStatus: snapshot.status,
+      dailyRemaining: snapshot.dailyRemaining,
+      weeklyRemaining: snapshot.weeklyRemaining,
+      limitReached: snapshot.limitReached
+    });
+    return {
+      ok: true,
+      account: input.account,
+      snapshot,
+      source: "fresh"
+    };
+  } catch (error) {
+    if (isAbortError(error)) {
+      input.logger.warn("selection.usage_probe.timeout", {
+        accountId: input.account.id,
+        label: input.account.label,
+        timeoutMs: input.probeConfig.probeTimeoutMs
+      });
+      return {
+        ok: false,
+        account: input.account,
+        category: "timeout",
+        message: `Usage probe timed out after ${input.probeConfig.probeTimeoutMs}ms.`,
+        source: "fresh"
+      };
+    }
+    input.logger.error("selection.usage_probe.request_failed", {
+      accountId: input.account.id,
+      label: input.account.label,
+      message: error instanceof Error ? error.message : String(error)
+    });
+    return {
+      ok: false,
+      account: input.account,
+      category: "invalid-response",
+      message: error instanceof Error ? error.message : String(error),
+      source: "fresh"
+    };
+  }
+}
+function buildUsageHeaders(input) {
+  const headers = new Headers({
+    accept: "application/json",
+    authorization: `Bearer ${input.accessToken}`,
+    "user-agent": "codexes/0.1 experimental-usage-probe"
+  });
+  if (input.useAccountIdHeader && input.accountId) {
+    headers.set("OpenAI-Account-ID", input.accountId);
+  }
+  return headers;
+}
+function isAbortError(error) {
+  return error instanceof Error && (error.name === "AbortError" || error.name === "TimeoutError");
+}
+function isRecord3(value) {
+  return typeof value === "object" && value !== null;
+}
+
+// src/selection/usage-cache.ts
+import { mkdir as mkdir8, readFile as readFile10, rename as rename2, writeFile as writeFile6 } from "node:fs/promises";
+import path13 from "node:path";
+var USAGE_CACHE_SCHEMA_VERSION = 1;
+async function loadUsageCache(input) {
+  try {
+    const raw = await readFile10(input.cacheFilePath, "utf8");
+    const parsed = JSON.parse(raw);
+    const normalized = normalizeUsageCacheDocument(parsed);
+    input.logger.debug("selection.usage_cache.load_success", {
+      cacheFilePath: input.cacheFilePath,
+      entryCount: normalized.entries.length
+    });
+    return normalized.entries;
+  } catch (error) {
+    if (isNodeErrorWithCode2(error, "ENOENT")) {
+      input.logger.debug("selection.usage_cache.missing", {
+        cacheFilePath: input.cacheFilePath
+      });
+      return [];
+    }
+    const backupPath = `${input.cacheFilePath}.corrupt-${Date.now()}`;
+    await rename2(input.cacheFilePath, backupPath).catch(() => void 0);
+    input.logger.warn("selection.usage_cache.corrupt", {
+      cacheFilePath: input.cacheFilePath,
+      backupPath,
+      message: error instanceof Error ? error.message : String(error)
+    });
+    return [];
+  }
+}
+async function persistUsageCache(input) {
+  await mkdir8(path13.dirname(input.cacheFilePath), { recursive: true });
+  const document = {
+    schemaVersion: USAGE_CACHE_SCHEMA_VERSION,
+    entries: input.entries
+  };
+  const tempFile = `${input.cacheFilePath}.tmp`;
+  const serialized = JSON.stringify(document, null, 2);
+  await writeFile6(tempFile, serialized, "utf8");
+  await rename2(tempFile, input.cacheFilePath);
+  input.logger.debug("selection.usage_cache.persisted", {
+    cacheFilePath: input.cacheFilePath,
+    entryCount: input.entries.length
+  });
+}
+function resolveFreshUsageCacheEntry(input) {
+  const entry = input.entries.find((candidate) => candidate.accountId === input.accountId) ?? null;
+  if (!entry) {
+    input.logger.debug("selection.usage_cache.miss", {
+      accountId: input.accountId,
+      ttlMs: input.ttlMs
+    });
+    return null;
+  }
+  const ageMs = input.now - new Date(entry.cachedAt).valueOf();
+  if (!Number.isFinite(ageMs) || ageMs > input.ttlMs) {
+    input.logger.debug("selection.usage_cache.expired", {
+      accountId: input.accountId,
+      cachedAt: entry.cachedAt,
+      ageMs: Number.isFinite(ageMs) ? ageMs : null,
+      ttlMs: input.ttlMs
+    });
+    return null;
+  }
+  input.logger.debug("selection.usage_cache.hit", {
+    accountId: input.accountId,
+    cachedAt: entry.cachedAt,
+    ageMs,
+    ttlMs: input.ttlMs
+  });
+  return entry;
+}
+function normalizeUsageCacheDocument(value) {
+  if (!isRecord4(value)) {
+    throw new Error("Usage cache document is not an object.");
+  }
+  const schemaVersion = typeof value.schemaVersion === "number" ? value.schemaVersion : USAGE_CACHE_SCHEMA_VERSION;
+  if (schemaVersion !== USAGE_CACHE_SCHEMA_VERSION) {
+    throw new Error(`Unsupported usage cache schema version ${schemaVersion}.`);
+  }
+  const entries = Array.isArray(value.entries) ? value.entries.filter(isUsageCacheEntry) : [];
+  return {
+    schemaVersion: USAGE_CACHE_SCHEMA_VERSION,
+    entries
+  };
+}
+function isUsageCacheEntry(value) {
+  return isRecord4(value) && typeof value.accountId === "string" && typeof value.accountLabel === "string" && typeof value.cachedAt === "string" && isRecord4(value.snapshot);
+}
+function isRecord4(value) {
+  return typeof value === "object" && value !== null;
+}
+function isNodeErrorWithCode2(error, code) {
+  return typeof error === "object" && error !== null && "code" in error && error.code === code;
+}
+
+// src/selection/usage-probe-coordinator.ts
+async function resolveAccountUsageSnapshots(input) {
+  const now = Date.now();
+  input.logger.info("selection.usage_probe_coordinator.start", {
+    accountCount: input.accounts.length,
+    cacheFilePath: input.cacheFilePath,
+    cacheTtlMs: input.probeConfig.cacheTtlMs,
+    timeoutMs: input.probeConfig.probeTimeoutMs
+  });
+  const cacheEntries = await loadUsageCache({
+    cacheFilePath: input.cacheFilePath,
+    logger: input.logger
+  });
+  const freshCacheEntries = [...cacheEntries];
+  const resolutions = await Promise.all(
+    input.accounts.map(async (account) => {
+      const cached = resolveFreshUsageCacheEntry({
+        accountId: account.id,
+        entries: freshCacheEntries,
+        logger: input.logger,
+        now,
+        ttlMs: input.probeConfig.cacheTtlMs
+      });
+      if (cached) {
+        return {
+          ok: true,
+          account,
+          snapshot: cached.snapshot,
+          source: "cache"
+        };
+      }
+      const fresh = await probeAccountUsage({
+        account,
+        fetchImpl: input.fetchImpl,
+        logger: input.logger,
+        probeConfig: input.probeConfig
+      });
+      if (fresh.ok) {
+        upsertCacheEntry(freshCacheEntries, {
+          accountId: account.id,
+          accountLabel: account.label,
+          cachedAt: new Date(now).toISOString(),
+          snapshot: fresh.snapshot
+        });
+      }
+      return fresh;
+    })
+  );
+  await persistUsageCache({
+    cacheFilePath: input.cacheFilePath,
+    entries: freshCacheEntries,
+    logger: input.logger
+  });
+  input.logger.info("selection.usage_probe_coordinator.complete", {
+    accountCount: input.accounts.length,
+    cacheHitCount: resolutions.filter((entry) => entry.ok && entry.source === "cache").length,
+    freshSuccessCount: resolutions.filter((entry) => entry.ok && entry.source === "fresh").length,
+    failureCount: resolutions.filter((entry) => !entry.ok).length
+  });
+  return resolutions;
+}
+function upsertCacheEntry(entries, nextEntry) {
+  const existingIndex = entries.findIndex((entry) => entry.accountId === nextEntry.accountId);
+  if (existingIndex >= 0) {
+    entries.splice(existingIndex, 1, nextEntry);
+    return;
+  }
+  entries.push(nextEntry);
+}
+
+// src/selection/select-account.ts
+async function selectAccountForExecution(input) {
+  const accounts = await input.registry.listAccounts();
+  input.logger.info("selection.start", {
+    strategy: input.strategy,
+    accountCount: accounts.length
+  });
+  if (accounts.length === 0) {
+    input.logger.warn("selection.none");
+    throw new Error("No accounts configured. Add one with `codexes account add <label>`.");
+  }
+  switch (input.strategy) {
+    case "manual-default":
+      return selectManualDefaultAccount(input.registry, input.logger, accounts);
+    case "single-account":
+      return selectSingleAccountOnly(input.registry, input.logger, accounts);
+    case "remaining-limit-experimental":
+      return selectExperimentalRemainingLimitAccount({
+        accounts,
+        experimentalSelection: input.experimentalSelection,
+        fetchImpl: input.fetchImpl,
+        logger: input.logger,
+        registry: input.registry,
+        selectionCacheFilePath: input.selectionCacheFilePath
+      });
+  }
+}
+async function selectManualDefaultAccount(registry, logger, accounts) {
+  const defaultAccount = await registry.getDefaultAccount();
+  if (defaultAccount) {
+    logger.info("selection.manual_default", {
+      accountId: defaultAccount.id,
+      label: defaultAccount.label
+    });
+    return defaultAccount;
+  }
+  if (accounts.length === 1) {
+    const [singleAccount] = accounts;
+    if (!singleAccount) {
+      throw new Error("No accounts configured.");
+    }
+    logger.info("selection.manual_default_fallback_single", {
+      accountId: singleAccount.id,
+      label: singleAccount.label
+    });
+    return registry.selectAccount(singleAccount.id);
+  }
+  logger.warn("selection.manual_default_missing", {
+    accountCount: accounts.length
+  });
+  throw new Error(
+    "Multiple accounts are configured but no default account is selected. Use `codexes account use <account-id-or-label>` first."
+  );
+}
+async function selectSingleAccountOnly(registry, logger, accounts) {
+  if (accounts.length !== 1) {
+    logger.warn("selection.single_account_invalid", {
+      accountCount: accounts.length
+    });
+    throw new Error(
+      "The single-account strategy requires exactly one configured account."
+    );
+  }
+  const [singleAccount] = accounts;
+  if (!singleAccount) {
+    throw new Error("No accounts configured.");
+  }
+  logger.info("selection.single_account", {
+    accountId: singleAccount.id,
+    label: singleAccount.label
+  });
+  const defaultAccount = await registry.getDefaultAccount();
+  if (defaultAccount?.id === singleAccount.id) {
+    return singleAccount;
+  }
+  return registry.selectAccount(singleAccount.id);
+}
+async function selectExperimentalRemainingLimitAccount(input) {
+  if (!input.experimentalSelection?.enabled || !input.selectionCacheFilePath) {
+    input.logger.warn("selection.experimental_config_missing", {
+      enabled: input.experimentalSelection?.enabled ?? false,
+      hasSelectionCacheFilePath: Boolean(input.selectionCacheFilePath)
+    });
+    return selectManualDefaultAccount(input.registry, input.logger, input.accounts);
+  }
+  const defaultAccount = await input.registry.getDefaultAccount();
+  const probeResults = await resolveAccountUsageSnapshots({
+    accounts: input.accounts,
+    cacheFilePath: input.selectionCacheFilePath,
+    fetchImpl: input.fetchImpl,
+    logger: input.logger,
+    probeConfig: input.experimentalSelection
+  });
+  const failedProbes = probeResults.filter((entry) => !entry.ok);
+  if (failedProbes.length > 0) {
+    const eventName = failedProbes.length === probeResults.length ? "selection.experimental_fallback_all_probes_failed" : "selection.experimental_fallback_mixed_probe_outcomes";
+    input.logger.warn(eventName, {
+      failedAccountIds: failedProbes.map((entry) => entry.account.id),
+      failureCategories: failedProbes.map((entry) => entry.category),
+      successfulAccountIds: probeResults.filter((entry) => entry.ok).map((entry) => entry.account.id)
+    });
+    return selectManualDefaultAccount(input.registry, input.logger, input.accounts);
+  }
+  const successfulProbes = probeResults.filter((entry) => entry.ok);
+  const candidates = successfulProbes.filter((entry) => entry.snapshot.status === "usable").sort(
+    (left, right) => compareExperimentalCandidates({
+      defaultAccountId: defaultAccount?.id ?? null,
+      left,
+      right,
+      registryOrder: input.accounts
+    })
+  );
+  input.logger.info("selection.experimental_ranked", {
+    candidateOrder: candidates.map((entry) => ({
+      accountId: entry.account.id,
+      label: entry.account.label,
+      dailyRemaining: entry.snapshot.dailyRemaining,
+      weeklyRemaining: entry.snapshot.weeklyRemaining,
+      source: entry.source
+    })),
+    defaultAccountId: defaultAccount?.id ?? null
+  });
+  const selected = candidates[0];
+  if (!selected) {
+    const allExhausted = successfulProbes.every(
+      (entry) => entry.snapshot.limitReached || entry.snapshot.status === "limit-reached"
+    );
+    input.logger.warn(
+      allExhausted ? "selection.experimental_fallback_all_accounts_exhausted" : "selection.experimental_fallback_ambiguous_usage",
+      {
+        usableProbeCount: candidates.length,
+        probeStatuses: successfulProbes.map((entry) => ({
+          accountId: entry.account.id,
+          snapshotStatus: entry.snapshot.status,
+          limitReached: entry.snapshot.limitReached,
+          dailyRemaining: entry.snapshot.dailyRemaining,
+          weeklyRemaining: entry.snapshot.weeklyRemaining
+        }))
+      }
+    );
+    return selectManualDefaultAccount(input.registry, input.logger, input.accounts);
+  }
+  input.logger.info("selection.experimental_selected", {
+    accountId: selected.account.id,
+    label: selected.account.label,
+    dailyRemaining: selected.snapshot.dailyRemaining,
+    weeklyRemaining: selected.snapshot.weeklyRemaining,
+    source: selected.source
+  });
+  return selected.account;
+}
+function compareExperimentalCandidates(input) {
+  const dailyDelta = (input.right.snapshot.dailyRemaining ?? Number.NEGATIVE_INFINITY) - (input.left.snapshot.dailyRemaining ?? Number.NEGATIVE_INFINITY);
+  if (dailyDelta !== 0) {
+    return dailyDelta;
+  }
+  const weeklyDelta = (input.right.snapshot.weeklyRemaining ?? Number.NEGATIVE_INFINITY) - (input.left.snapshot.weeklyRemaining ?? Number.NEGATIVE_INFINITY);
+  if (weeklyDelta !== 0) {
+    return weeklyDelta;
+  }
+  const leftIsDefault = input.left.account.id === input.defaultAccountId;
+  const rightIsDefault = input.right.account.id === input.defaultAccountId;
+  if (leftIsDefault !== rightIsDefault) {
+    return leftIsDefault ? -1 : 1;
+  }
+  return input.registryOrder.findIndex((account) => account.id === input.left.account.id) - input.registryOrder.findIndex((account) => account.id === input.right.account.id);
+}
+
+// src/commands/root/run-root-command.ts
+async function runRootCommand(context) {
+  const logger = createLogger({
+    level: context.logging.level,
+    name: "root",
+    sink: context.logging.sink
+  });
+  logger.debug("argv.received", { argv: context.argv });
+  logger.debug("runtime.detected", {
+    sharedCodexHome: context.paths.sharedCodexHome,
+    accountRoot: context.paths.accountRoot,
+    runtimeRoot: context.paths.runtimeRoot,
+    registryFile: context.paths.registryFile,
+    wrapperConfigFile: context.paths.wrapperConfigFile,
+    selectionCacheFile: context.paths.selectionCacheFile,
+    firstRun: context.runtimeInitialization.firstRun,
+    copiedSharedArtifacts: context.runtimeInitialization.copiedSharedArtifacts,
+    createdRuntimeFiles: context.runtimeInitialization.createdFiles,
+    credentialStoreMode: context.wrapperConfig.credentialStoreMode,
+    accountSelectionStrategy: context.wrapperConfig.accountSelectionStrategy,
+    experimentalSelection: context.wrapperConfig.experimentalSelection,
+    codexBinaryPath: context.codexBinary.path,
+    recursionGuardSource: context.executablePath
+  });
+  const runtimeContract = createRuntimeContract({
+    accountRoot: context.paths.accountRoot,
+    credentialStoreMode: context.wrapperConfig.credentialStoreMode,
+    logger,
+    runtimeRoot: context.paths.runtimeRoot,
+    sharedCodexHome: context.paths.sharedCodexHome
+  });
+  const runtimeSummary = summarizeRuntimeContract(runtimeContract);
+  logger.debug("runtime.contract_ready", runtimeSummary);
+  if (context.wrapperConfig.credentialStoreMode !== "file") {
+    logger.warn("credential_store.unsupported", {
+      credentialStoreMode: context.wrapperConfig.credentialStoreMode,
+      codexConfigFile: context.paths.codexConfigFile,
+      reason: context.wrapperConfig.credentialStorePolicyReason
+    });
+  }
+  if (context.argv[0] === "account" && context.argv[1] === "add") {
+    logger.info("command.dispatch", {
+      command: "account add",
+      argv: context.argv.slice(2)
+    });
+    return runAccountAddCommand(context, context.argv.slice(2));
+  }
+  if (context.argv[0] === "account" && context.argv[1] === "list") {
+    logger.info("command.dispatch", {
+      command: "account list",
+      argv: context.argv.slice(2)
+    });
+    return runAccountListCommand(context);
+  }
+  if (context.argv[0] === "account" && context.argv[1] === "remove") {
+    logger.info("command.dispatch", {
+      command: "account remove",
+      argv: context.argv.slice(2)
+    });
+    return runAccountRemoveCommand(context, context.argv.slice(2));
+  }
+  if (context.argv[0] === "account" && context.argv[1] === "use") {
+    logger.info("command.dispatch", {
+      command: "account use",
+      argv: context.argv.slice(2)
+    });
+    return runAccountUseCommand(context, context.argv.slice(2));
+  }
+  if (context.argv.includes("--help")) {
+    context.io.stdout.write(`${buildHelpText()}
+`);
+    logger.info("help.rendered");
+    return 0;
+  }
+  if (!context.codexBinary.path) {
+    logger.error("command.binary_missing", {
+      candidates: context.codexBinary.candidates,
+      rejectedCandidates: context.codexBinary.rejectedCandidates
+    });
+    throw new Error("Could not find the real `codex` binary on PATH.");
+  }
+  const registry = createAccountRegistry({
+    accountRoot: context.paths.accountRoot,
+    logger,
+    registryFile: context.paths.registryFile
+  });
+  if (context.wrapperConfig.accountSelectionStrategy === "remaining-limit-experimental") {
+    logger.warn("selection.experimental_enabled", {
+      endpoint: "https://chatgpt.com/backend-api/wham/usage",
+      fallbackStrategy: "manual-default",
+      timeoutMs: context.wrapperConfig.experimentalSelection.probeTimeoutMs,
+      cacheTtlMs: context.wrapperConfig.experimentalSelection.cacheTtlMs,
+      useAccountIdHeader: context.wrapperConfig.experimentalSelection.useAccountIdHeader
+    });
+  }
+  const activeAccount = await selectAccountForExecution({
+    experimentalSelection: context.wrapperConfig.experimentalSelection,
+    fetchImpl: fetch,
+    logger,
+    registry,
+    selectionCacheFilePath: context.paths.selectionCacheFile,
+    strategy: context.wrapperConfig.accountSelectionStrategy
+  });
+  const lock = await acquireRuntimeLock({
+    logger,
+    runtimeRoot: context.paths.runtimeRoot
+  });
+  try {
+    const activation = await activateAccountIntoSharedRuntime({
+      account: activeAccount,
+      logger,
+      runtimeContract,
+      sharedCodexHome: context.paths.sharedCodexHome
+    });
+    try {
+      const exitCode2 = await spawnCodexCommand({
+        argv: context.argv,
+        codexBinaryPath: context.codexBinary.path,
+        codexHome: context.paths.sharedCodexHome,
+        logger
+      });
+      await syncSharedRuntimeBackToAccount({
+        logger,
+        session: activation
+      });
+      return exitCode2;
+    } catch (error) {
+      await restoreSharedRuntimeFromBackup({
+        account: activeAccount,
+        backupRoot: activation.backupRoot,
+        logger,
+        runtimeContract,
+        sharedCodexHome: context.paths.sharedCodexHome
+      });
+      throw error;
+    }
+  } finally {
+    await lock.release();
+  }
+}
+function buildHelpText() {
+  return [
+    "codexes",
+    "",
+    "Transparent multi-account wrapper around the Codex CLI.",
+    "",
+    "Usage:",
+    "  codexes [args...]",
+    "  codexes account add <label> [--timeout-ms <milliseconds>]",
+    "  codexes account list",
+    "  codexes account use <account-id-or-label>",
+    "  codexes account remove <account-id-or-label>",
+    "",
+    "Runtime model:",
+    "  Shared CODEX_HOME is preserved in a wrapper-owned runtime root.",
+    "  Account auth state is stored per account and synced back selectively.",
+    "",
+    "Current status:",
+    "  Account management and default Codex passthrough are implemented.",
+    "  Selection strategies: manual-default, single-account, remaining-limit-experimental.",
+    "  Experimental mode probes https://chatgpt.com/backend-api/wham/usage and falls back to manual-default when ranking is unreliable."
+  ].join("\n");
+}
+
+// src/core/bootstrap.ts
+async function runCli(argv, io) {
+  const context = await buildAppContext(argv, io);
+  const logger = createLogger({
+    level: context.logging.level,
+    name: "bootstrap",
+    sink: context.logging.sink
+  });
+  logger.debug("bootstrap.start", {
+    argv,
+    cwd: context.environment.cwd,
+    platform: context.environment.platform,
+    runtime: context.environment.runtime
+  });
+  try {
+    const exitCode2 = await runRootCommand(context);
+    logger.debug("bootstrap.exit", { exitCode: exitCode2 });
+    return exitCode2;
+  } catch (error) {
+    const normalized = error instanceof Error ? error : new Error(String(error));
+    logger.error("bootstrap.fatal", {
+      message: normalized.message,
+      stack: normalized.stack
+    });
+    context.io.stderr.write(`codexes: ${normalized.message}
+`);
+    return 1;
+  }
+}
+
+// src/cli.ts
+var exitCode = await runCli(process.argv.slice(2), {
+  cwd: process.cwd(),
+  env: process.env,
+  executablePath: process.argv[1] ?? process.execPath,
+  stderr: process.stderr,
+  stdout: process.stdout
+});
+process.exit(exitCode);
+//# sourceMappingURL=cli.js.map