@open-vibe-lab/open-sub-auth 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 open-sub-auth contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,218 @@
+# open-sub-auth
+
+**Open Source Subscription OAuth Authentication Library for AI Providers**
+
+> Login once with your subscription. Call native APIs directly.
+
+A lightweight, open-source TypeScript library that handles OAuth login for AI subscription plans (Claude Pro/Max, ChatGPT Plus/Pro) and provides authenticated headers to call each provider's native API directly.
+
+## Features
+
+- **OAuth 2.0 + PKCE** — Secure authorization code flow with PKCE for Claude and OpenAI Codex
+- **Automatic & Manual modes** — Browser-based auto-callback or manual code paste for headless/CI environments
+- **Secure token storage** — OS keychain (macOS Keychain, Windows Credential Manager, Linux Secret Service) with encrypted file fallback
+- **Auto token refresh** — Transparent refresh with concurrency-safe mutex
+- **Multi-provider, multi-account** — Manage credentials for multiple providers and accounts
+- **Minimal dependencies** — Only 1 runtime dependency (`cross-keychain`)
+- **Full TypeScript** — Complete type safety throughout
+- **CLI included** — `open-sub-auth login claude` and you're done
+
+## Supported Providers
+
+| Provider                        | Auth Method | Status  |
+| ------------------------------- | ----------- | ------- |
+| Claude Pro/Max                  | OAuth PKCE  | MVP     |
+| OpenAI ChatGPT Plus/Pro (Codex) | OAuth PKCE  | MVP     |
+| GitHub Copilot                  | Device Code | Planned |
+
+## Installation
+
+```bash
+npm install @open-vibe-lab/open-sub-auth
+```
+
+## Quick Start
+
+### CLI
+
+```bash
+# Login to Claude
+npx open-sub-auth login claude
+
+# Login to OpenAI Codex
+npx open-sub-auth login openai-codex
+
+# Check status
+npx open-sub-auth status
+
+# Get a token for piping
+npx open-sub-auth token claude | pbcopy
+
+# Headless/CI mode (manual code paste)
+npx open-sub-auth login claude --manual
+```
+
+### Library
+
+```typescript
+import { TokenManager, createTokenStore } from "@open-vibe-lab/open-sub-auth";
+
+// Initialize
+const store = await createTokenStore();
+const manager = new TokenManager(store);
+
+// Login (opens browser)
+await manager.login("claude");
+
+// Get authenticated headers for API calls
+const headers = await manager.getAuthHeaders("claude");
+
+// Call the API directly with fetch
+const response = await fetch("https://api.anthropic.com/v1/messages", {
+  method: "POST",
+  headers, // Includes Authorization: Bearer + anthropic-beta header automatically
+  body: JSON.stringify({
+    model: "claude-sonnet-4-20250514",
+    max_tokens: 1024,
+    messages: [{ role: "user", content: "Hello!" }],
+  }),
+});
+```
+
+### OpenAI Codex
+
+```typescript
+await manager.login("openai-codex");
+const headers = await manager.getAuthHeaders("openai-codex");
+
+const response = await fetch("https://chatgpt.com/backend-api/codex/responses", {
+  method: "POST",
+  headers, // Includes Authorization: Bearer automatically
+  body: JSON.stringify({
+    model: "gpt-5-codex-mini",
+    input: [{ role: "user", type: "message", content: "Hello!" }],
+    stream: false,
+  }),
+});
+```
+
+### Import Existing Codex CLI Tokens
+
+If you've already authenticated with OpenAI's Codex CLI, you can import those tokens:
+
+```typescript
+import { importFromCodexCli } from "@open-vibe-lab/open-sub-auth";
+
+const tokens = importFromCodexCli(); // Reads ~/.codex/auth.json
+if (tokens) {
+  console.log("Found existing tokens!");
+}
+```
+
+## API Reference
+
+### `TokenManager`
+
+The central class for managing OAuth tokens.
+
+```typescript
+const manager = new TokenManager(store: TokenStore);
+
+// Interactive login
+await manager.login(provider: string, options?: LoginOptions): Promise<StoredCredential>;
+
+// Get a valid access token (auto-refreshes if needed)
+await manager.getToken(provider: string, accountId?: string): Promise<string>;
+
+// Get authenticated headers for API calls
+await manager.getAuthHeaders(provider: string, accountId?: string): Promise<AuthHeaders>;
+
+// Remove stored tokens
+await manager.logout(provider: string, accountId?: string): Promise<void>;
+
+// Check status of all credentials
+await manager.status(): Promise<CredentialStatus[]>;
+```
+
+### `createTokenStore()`
+
+Creates a token store with OS keychain preferred, encrypted file fallback.
+
+```typescript
+const store = await createTokenStore(preferKeychain?: boolean): Promise<TokenStore>;
+```
+
+### `LoginOptions`
+
+```typescript
+interface LoginOptions {
+  port?: number; // Override callback server port
+  timeout?: number; // Login timeout in ms (default: 120000)
+  manual?: boolean; // Use manual code paste mode
+}
+```
+
+## Architecture
+
+```
+open-sub-auth/
+├── src/
+│   ├── core/           # OAuth flow engines (PKCE, callback server, crypto)
+│   ├── providers/      # Provider implementations (Claude, OpenAI Codex)
+│   ├── storage/        # Token storage (keychain, encrypted file)
+│   ├── token/          # Token manager, JWT utilities
+│   └── cli/            # CLI tool
+```
+
+### Design Decisions
+
+- **`getAuthHeaders()` instead of high-level Client API** — Each provider's API surface is completely different (Claude uses `x-api-key`, OpenAI Codex uses a private endpoint with non-standard format). A unified client would be a leaky abstraction. Instead, we provide authenticated headers and let you use `fetch` directly.
+
+- **OS keychain with encrypted file fallback** — Tokens are stored in the system keychain by default. On systems without keychain access, an AES-256-GCM encrypted file is used.
+
+- **Concurrent refresh protection** — A per-account mutex prevents multiple simultaneous token refresh requests.
+
+## Important Warnings
+
+### Terms of Service
+
+Using subscription OAuth tokens in third-party tools may violate provider Terms of Service:
+
+- **Claude**: Anthropic restricts subscription OAuth tokens to official tooling. Third-party use may result in account restrictions.
+- **OpenAI Codex**: The `chatgpt.com/backend-api/codex/responses` endpoint is private and undocumented. It may change or be restricted at any time.
+
+**This library is provided for personal learning and local use only. Use at your own risk.**
+
+### API Endpoint Stability
+
+The API endpoints used by subscription tokens are not the same as the standard public APIs:
+
+| Provider     | Endpoint                                  | Notes                                                            |
+| ------------ | ----------------------------------------- | ---------------------------------------------------------------- |
+| Claude       | `api.anthropic.com/v1/messages`           | Requires `Authorization: Bearer` header + `anthropic-beta: oauth-2025-04-20` |
+| OpenAI Codex | `chatgpt.com/backend-api/codex/responses` | Private endpoint, non-standard request format                    |
+
+These endpoints may change without notice.
+
+## Development
+
+```bash
+# Install dependencies
+npm install
+
+# Run tests
+npm test
+
+# Type check
+npm run typecheck
+
+# Build
+npm run build
+
+# Lint
+npm run lint
+```
+
+## License
+
+MIT

package/dist/cli/claude-3WKImhqM.mjs

@@ -0,0 +1,56 @@
+#!/usr/bin/env node
+import { r as registerProvider } from "./registry-Cp-_Ipc6.mjs";
+import { n as refreshAccessToken, t as executePKCEFlow } from "./oauth-pkce-Bi02-h23.mjs";
+import { createHash } from "node:crypto";
+//#region src/providers/claude.ts
+const CLAUDE_CONFIG = {
+	name: "claude",
+	displayName: "Claude Pro/Max",
+	authorizationEndpoint: "https://claude.ai/oauth/authorize",
+	tokenEndpoint: "https://console.anthropic.com/v1/oauth/token",
+	clientId: "9d1c250a-e61b-44d9-88ed-5944d1962f5e",
+	scopes: [
+		"org:create_api_key",
+		"user:profile",
+		"user:inference"
+	],
+	grantType: "authorization_code",
+	tokenBodyFormat: "json",
+	stateIsVerifier: true
+};
+/** Redirect URI used in manual/headless mode (user copies code from browser) */
+const MANUAL_REDIRECT_URI = "https://console.anthropic.com/oauth/code/callback";
+var ClaudeProvider = class {
+	config = CLAUDE_CONFIG;
+	async login(options) {
+		return executePKCEFlow({
+			config: this.config,
+			loginOptions: {
+				...options,
+				manual: true
+			},
+			manualRedirectUri: MANUAL_REDIRECT_URI
+		});
+	}
+	async refresh(refreshToken) {
+		return refreshAccessToken(this.config, refreshToken);
+	}
+	getAuthHeaders(accessToken) {
+		return {
+			authorization: `Bearer ${accessToken}`,
+			"anthropic-version": "2023-06-01",
+			"anthropic-beta": "oauth-2025-04-20",
+			"content-type": "application/json"
+		};
+	}
+	getAccountId(tokenSet) {
+		const source = tokenSet.refreshToken ?? tokenSet.accessToken;
+		return createHash("sha256").update(source).digest("hex").slice(0, 16);
+	}
+	getAccountLabel(_tokenSet) {}
+};
+registerProvider("claude", () => new ClaudeProvider());
+//#endregion
+export { ClaudeProvider };
+
+//# sourceMappingURL=claude-3WKImhqM.mjs.map

package/dist/cli/claude-3WKImhqM.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"claude-3WKImhqM.mjs","names":[],"sources":["../../src/providers/claude.ts"],"sourcesContent":["import { createHash } from \"node:crypto\";\nimport { executePKCEFlow, refreshAccessToken } from \"@/core/oauth-pkce.ts\";\nimport type { AuthHeaders, LoginOptions, Provider, ProviderConfig, TokenSet } from \"@/types.ts\";\nimport { registerProvider } from \"@/providers/registry.ts\";\n\nconst CLAUDE_CONFIG: ProviderConfig = {\n  name: \"claude\",\n  displayName: \"Claude Pro/Max\",\n  authorizationEndpoint: \"https://claude.ai/oauth/authorize\",\n  tokenEndpoint: \"https://console.anthropic.com/v1/oauth/token\",\n  clientId: \"9d1c250a-e61b-44d9-88ed-5944d1962f5e\",\n  scopes: [\"org:create_api_key\", \"user:profile\", \"user:inference\"],\n  grantType: \"authorization_code\",\n  // Claude only supports console.anthropic.com redirect URI (no localhost),\n  // and its token endpoint requires JSON body with state field\n  tokenBodyFormat: \"json\",\n  stateIsVerifier: true,\n};\n\n/** Redirect URI used in manual/headless mode (user copies code from browser) */\nconst MANUAL_REDIRECT_URI = \"https://console.anthropic.com/oauth/code/callback\";\n\nexport class ClaudeProvider implements Provider {\n  readonly config = CLAUDE_CONFIG;\n\n  async login(options?: LoginOptions): Promise<TokenSet> {\n    // Claude only allows console.anthropic.com/oauth/code/callback as redirect URI.\n    // Local callback server is not supported, so always use manual (code-paste) mode.\n    return executePKCEFlow({\n      config: this.config,\n      loginOptions: { ...options, manual: true },\n      manualRedirectUri: MANUAL_REDIRECT_URI,\n    });\n  }\n\n  async refresh(refreshToken: string): Promise<TokenSet> {\n    return refreshAccessToken(this.config, refreshToken);\n  }\n\n  getAuthHeaders(accessToken: string): AuthHeaders {\n    return {\n      authorization: `Bearer ${accessToken}`,\n      \"anthropic-version\": \"2023-06-01\",\n      \"anthropic-beta\": \"oauth-2025-04-20\",\n      \"content-type\": \"application/json\",\n    };\n  }\n\n  getAccountId(tokenSet: TokenSet): string {\n    // Claude doesn't provide a profile endpoint, so derive ID from refresh token hash\n    const source = tokenSet.refreshToken ?? tokenSet.accessToken;\n    return createHash(\"sha256\").update(source).digest(\"hex\").slice(0, 16);\n  }\n\n  getAccountLabel(_tokenSet: TokenSet): string | undefined {\n    // Claude tokens don't carry user identity info\n    return undefined;\n  }\n}\n\n// Auto-register\nregisterProvider(\"claude\", () => new ClaudeProvider());\n"],"mappings":";;;;;AAKA,MAAM,gBAAgC;CACpC,MAAM;CACN,aAAa;CACb,uBAAuB;CACvB,eAAe;CACf,UAAU;CACV,QAAQ;EAAC;EAAsB;EAAgB;EAAiB;CAChE,WAAW;CAGX,iBAAiB;CACjB,iBAAiB;CAClB;;AAGD,MAAM,sBAAsB;AAE5B,IAAa,iBAAb,MAAgD;CAC9C,SAAkB;CAElB,MAAM,MAAM,SAA2C;AAGrD,SAAO,gBAAgB;GACrB,QAAQ,KAAK;GACb,cAAc;IAAE,GAAG;IAAS,QAAQ;IAAM;GAC1C,mBAAmB;GACpB,CAAC;;CAGJ,MAAM,QAAQ,cAAyC;AACrD,SAAO,mBAAmB,KAAK,QAAQ,aAAa;;CAGtD,eAAe,aAAkC;AAC/C,SAAO;GACL,eAAe,UAAU;GACzB,qBAAqB;GACrB,kBAAkB;GAClB,gBAAgB;GACjB;;CAGH,aAAa,UAA4B;EAEvC,MAAM,SAAS,SAAS,gBAAgB,SAAS;AACjD,SAAO,WAAW,SAAS,CAAC,OAAO,OAAO,CAAC,OAAO,MAAM,CAAC,MAAM,GAAG,GAAG;;CAGvE,gBAAgB,WAAyC;;AAO3D,iBAAiB,gBAAgB,IAAI,gBAAgB,CAAC"}

package/dist/cli/index.d.mts

@@ -0,0 +1,2 @@
+
+export { };

package/dist/cli/index.mjs

@@ -0,0 +1,90 @@
+#!/usr/bin/env node
+import { t as printError } from "./ui-CdGEuLwh.mjs";
+import { parseArgs } from "node:util";
+//#region src/cli/index.ts
+const HELP = `
+open-sub-auth - OAuth authentication for AI subscription APIs
+
+Usage:
+  open-sub-auth <command> [provider] [options]
+
+Commands:
+  login [provider]     Login to an AI provider via OAuth
+  logout [provider]    Remove stored tokens for a provider
+  status               Show status of all stored credentials
+  token [provider]     Output a valid access token to stdout
+  providers            List available providers
+
+Options:
+  --manual             Use manual code paste mode (for headless/CI)
+  --help, -h           Show this help message
+  --version, -v        Show version
+
+Examples:
+  open-sub-auth login claude
+  open-sub-auth login openai-codex
+  open-sub-auth login claude --manual
+  open-sub-auth token claude | pbcopy
+  open-sub-auth status
+`.trim();
+async function main() {
+	const { positionals } = parseArgs({
+		allowPositionals: true,
+		strict: false
+	});
+	if (process.argv.includes("--help") || process.argv.includes("-h")) {
+		console.log(HELP);
+		return;
+	}
+	if (process.argv.includes("--version") || process.argv.includes("-v")) {
+		console.log("0.1.0");
+		return;
+	}
+	const command = positionals[0];
+	const providerArg = positionals[1];
+	switch (command) {
+		case "login": {
+			const { loginCommand } = await import("./login-_HdTW5J_.mjs");
+			await loginCommand(providerArg);
+			break;
+		}
+		case "logout": {
+			const { logoutCommand } = await import("./logout-CZm-tSVH.mjs");
+			await logoutCommand(providerArg);
+			break;
+		}
+		case "status": {
+			const { statusCommand } = await import("./status-C-vkcjVM.mjs");
+			await statusCommand();
+			break;
+		}
+		case "token": {
+			const { tokenCommand } = await import("./token-DF_-h4Rb.mjs");
+			await tokenCommand(providerArg);
+			break;
+		}
+		case "providers": {
+			await Promise.all([import("./claude-3WKImhqM.mjs"), import("./openai-codex-DJi_Q6Zm.mjs")]);
+			const { listProviders } = await import("./registry-Cp-_Ipc6.mjs").then((n) => n.i);
+			const providers = listProviders();
+			console.log("Available providers:");
+			for (const p of providers) console.log(`  - ${p}`);
+			break;
+		}
+		default:
+			if (command) printError(`Unknown command: ${command}`);
+			console.log(HELP);
+			process.exit(command ? 1 : 0);
+	}
+}
+process.stdout.on("error", (err) => {
+	if (err.code === "EPIPE") process.exit(0);
+});
+main().catch((err) => {
+	printError(err instanceof Error ? err.message : String(err));
+	process.exit(1);
+});
+//#endregion
+export {};
+
+//# sourceMappingURL=index.mjs.map

package/dist/cli/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.mjs","names":[],"sources":["../../src/cli/index.ts"],"sourcesContent":["import { parseArgs } from \"node:util\";\nimport { printError } from \"@/cli/ui.ts\";\n\nconst HELP = `\nopen-sub-auth - OAuth authentication for AI subscription APIs\n\nUsage:\n  open-sub-auth <command> [provider] [options]\n\nCommands:\n  login [provider]     Login to an AI provider via OAuth\n  logout [provider]    Remove stored tokens for a provider\n  status               Show status of all stored credentials\n  token [provider]     Output a valid access token to stdout\n  providers            List available providers\n\nOptions:\n  --manual             Use manual code paste mode (for headless/CI)\n  --help, -h           Show this help message\n  --version, -v        Show version\n\nExamples:\n  open-sub-auth login claude\n  open-sub-auth login openai-codex\n  open-sub-auth login claude --manual\n  open-sub-auth token claude | pbcopy\n  open-sub-auth status\n`.trim();\n\nasync function main(): Promise<void> {\n  const { positionals } = parseArgs({\n    allowPositionals: true,\n    strict: false,\n  });\n\n  if (process.argv.includes(\"--help\") || process.argv.includes(\"-h\")) {\n    console.log(HELP);\n    return;\n  }\n\n  if (process.argv.includes(\"--version\") || process.argv.includes(\"-v\")) {\n    console.log(\"0.1.0\");\n    return;\n  }\n\n  const command = positionals[0];\n  const providerArg = positionals[1];\n\n  switch (command) {\n    case \"login\": {\n      const { loginCommand } = await import(\"@/cli/commands/login.ts\");\n      await loginCommand(providerArg);\n      break;\n    }\n    case \"logout\": {\n      const { logoutCommand } = await import(\"@/cli/commands/logout.ts\");\n      await logoutCommand(providerArg);\n      break;\n    }\n    case \"status\": {\n      const { statusCommand } = await import(\"@/cli/commands/status.ts\");\n      await statusCommand();\n      break;\n    }\n    case \"token\": {\n      const { tokenCommand } = await import(\"@/cli/commands/token.ts\");\n      await tokenCommand(providerArg);\n      break;\n    }\n    case \"providers\": {\n      await Promise.all([import(\"@/providers/claude.ts\"), import(\"@/providers/openai-codex.ts\")]);\n      const { listProviders } = await import(\"@/providers/registry.ts\");\n      const providers = listProviders();\n      console.log(\"Available providers:\");\n      for (const p of providers) {\n        console.log(`  - ${p}`);\n      }\n      break;\n    }\n    default: {\n      if (command) {\n        printError(`Unknown command: ${command}`);\n      }\n      console.log(HELP);\n      process.exit(command ? 1 : 0);\n    }\n  }\n}\n\n// Suppress EPIPE errors (e.g. when stdout is piped to a command that exits early)\nprocess.stdout.on(\"error\", (err: NodeJS.ErrnoException) => {\n  if (err.code === \"EPIPE\") process.exit(0);\n});\n\nmain().catch((err) => {\n  printError(err instanceof Error ? err.message : String(err));\n  process.exit(1);\n});\n"],"mappings":";;;;AAGA,MAAM,OAAO;;;;;;;;;;;;;;;;;;;;;;;;EAwBX,MAAM;AAER,eAAe,OAAsB;CACnC,MAAM,EAAE,gBAAgB,UAAU;EAChC,kBAAkB;EAClB,QAAQ;EACT,CAAC;AAEF,KAAI,QAAQ,KAAK,SAAS,SAAS,IAAI,QAAQ,KAAK,SAAS,KAAK,EAAE;AAClE,UAAQ,IAAI,KAAK;AACjB;;AAGF,KAAI,QAAQ,KAAK,SAAS,YAAY,IAAI,QAAQ,KAAK,SAAS,KAAK,EAAE;AACrE,UAAQ,IAAI,QAAQ;AACpB;;CAGF,MAAM,UAAU,YAAY;CAC5B,MAAM,cAAc,YAAY;AAEhC,SAAQ,SAAR;EACE,KAAK,SAAS;GACZ,MAAM,EAAE,iBAAiB,MAAM,OAAO;AACtC,SAAM,aAAa,YAAY;AAC/B;;EAEF,KAAK,UAAU;GACb,MAAM,EAAE,kBAAkB,MAAM,OAAO;AACvC,SAAM,cAAc,YAAY;AAChC;;EAEF,KAAK,UAAU;GACb,MAAM,EAAE,kBAAkB,MAAM,OAAO;AACvC,SAAM,eAAe;AACrB;;EAEF,KAAK,SAAS;GACZ,MAAM,EAAE,iBAAiB,MAAM,OAAO;AACtC,SAAM,aAAa,YAAY;AAC/B;;EAEF,KAAK,aAAa;AAChB,SAAM,QAAQ,IAAI,CAAC,OAAO,0BAA0B,OAAO,+BAA+B,CAAC;GAC3F,MAAM,EAAE,kBAAkB,MAAM,OAAO,2BAAA,MAAA,MAAA,EAAA,EAAA;GACvC,MAAM,YAAY,eAAe;AACjC,WAAQ,IAAI,uBAAuB;AACnC,QAAK,MAAM,KAAK,UACd,SAAQ,IAAI,OAAO,IAAI;AAEzB;;EAEF;AACE,OAAI,QACF,YAAW,oBAAoB,UAAU;AAE3C,WAAQ,IAAI,KAAK;AACjB,WAAQ,KAAK,UAAU,IAAI,EAAE;;;AAMnC,QAAQ,OAAO,GAAG,UAAU,QAA+B;AACzD,KAAI,IAAI,SAAS,QAAS,SAAQ,KAAK,EAAE;EACzC;AAEF,MAAM,CAAC,OAAO,QAAQ;AACpB,YAAW,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI,CAAC;AAC5D,SAAQ,KAAK,EAAE;EACf"}

package/dist/cli/login-_HdTW5J_.mjs

@@ -0,0 +1,33 @@
+#!/usr/bin/env node
+import { n as listProviders } from "./registry-Cp-_Ipc6.mjs";
+import { n as printSuccess, r as promptSelect, t as printError } from "./ui-CdGEuLwh.mjs";
+import { n as createTokenStore, t as TokenManager } from "./manager-CKGbp7Yz.mjs";
+//#region src/cli/commands/login.ts
+async function loginCommand(providerArg) {
+	await Promise.all([import("./claude-3WKImhqM.mjs"), import("./openai-codex-DJi_Q6Zm.mjs")]);
+	const providers = listProviders();
+	if (providers.length === 0) {
+		printError("No providers registered.");
+		process.exit(1);
+	}
+	let providerName = providerArg;
+	if (!providerName) providerName = await promptSelect("Select a provider:", providers);
+	if (!providers.includes(providerName)) {
+		printError(`Unknown provider "${providerName}". Available: ${providers.join(", ")}`);
+		process.exit(1);
+	}
+	const manual = process.argv.includes("--manual");
+	const manager = new TokenManager(await createTokenStore());
+	try {
+		const credential = await manager.login(providerName, { manual });
+		const label = credential.metadata.accountLabel ? ` (${credential.metadata.accountLabel})` : "";
+		printSuccess(`Logged in to ${providerName}${label}. Token stored securely.`);
+	} catch (err) {
+		printError(`Login failed: ${err instanceof Error ? err.message : String(err)}`);
+		process.exit(1);
+	}
+}
+//#endregion
+export { loginCommand };
+
+//# sourceMappingURL=login-_HdTW5J_.mjs.map

package/dist/cli/login-_HdTW5J_.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"login-_HdTW5J_.mjs","names":[],"sources":["../../src/cli/commands/login.ts"],"sourcesContent":["import { listProviders } from \"@/providers/registry.ts\";\nimport { createTokenStore } from \"@/storage/store.ts\";\nimport { TokenManager } from \"@/token/manager.ts\";\nimport { promptSelect, printError, printSuccess } from \"@/cli/ui.ts\";\n\nexport async function loginCommand(providerArg?: string): Promise<void> {\n  await Promise.all([import(\"@/providers/claude.ts\"), import(\"@/providers/openai-codex.ts\")]);\n\n  const providers = listProviders();\n  if (providers.length === 0) {\n    printError(\"No providers registered.\");\n    process.exit(1);\n  }\n\n  let providerName = providerArg;\n  if (!providerName) {\n    providerName = await promptSelect(\"Select a provider:\", providers);\n  }\n\n  if (!providers.includes(providerName)) {\n    printError(`Unknown provider \"${providerName}\". Available: ${providers.join(\", \")}`);\n    process.exit(1);\n  }\n\n  const manual = process.argv.includes(\"--manual\");\n  const store = await createTokenStore();\n  const manager = new TokenManager(store);\n\n  try {\n    const credential = await manager.login(providerName, { manual });\n    const label = credential.metadata.accountLabel ? ` (${credential.metadata.accountLabel})` : \"\";\n    printSuccess(`Logged in to ${providerName}${label}. Token stored securely.`);\n  } catch (err) {\n    printError(`Login failed: ${err instanceof Error ? err.message : String(err)}`);\n    process.exit(1);\n  }\n}\n"],"mappings":";;;;;AAKA,eAAsB,aAAa,aAAqC;AACtE,OAAM,QAAQ,IAAI,CAAC,OAAO,0BAA0B,OAAO,+BAA+B,CAAC;CAE3F,MAAM,YAAY,eAAe;AACjC,KAAI,UAAU,WAAW,GAAG;AAC1B,aAAW,2BAA2B;AACtC,UAAQ,KAAK,EAAE;;CAGjB,IAAI,eAAe;AACnB,KAAI,CAAC,aACH,gBAAe,MAAM,aAAa,sBAAsB,UAAU;AAGpE,KAAI,CAAC,UAAU,SAAS,aAAa,EAAE;AACrC,aAAW,qBAAqB,aAAa,gBAAgB,UAAU,KAAK,KAAK,GAAG;AACpF,UAAQ,KAAK,EAAE;;CAGjB,MAAM,SAAS,QAAQ,KAAK,SAAS,WAAW;CAEhD,MAAM,UAAU,IAAI,aADN,MAAM,kBAAkB,CACC;AAEvC,KAAI;EACF,MAAM,aAAa,MAAM,QAAQ,MAAM,cAAc,EAAE,QAAQ,CAAC;EAChE,MAAM,QAAQ,WAAW,SAAS,eAAe,KAAK,WAAW,SAAS,aAAa,KAAK;AAC5F,eAAa,gBAAgB,eAAe,MAAM,0BAA0B;UACrE,KAAK;AACZ,aAAW,iBAAiB,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI,GAAG;AAC/E,UAAQ,KAAK,EAAE"}

package/dist/cli/logout-CZm-tSVH.mjs

@@ -0,0 +1,23 @@
+#!/usr/bin/env node
+import { n as listProviders } from "./registry-Cp-_Ipc6.mjs";
+import { n as printSuccess, r as promptSelect, t as printError } from "./ui-CdGEuLwh.mjs";
+import { n as createTokenStore, t as TokenManager } from "./manager-CKGbp7Yz.mjs";
+//#region src/cli/commands/logout.ts
+async function logoutCommand(providerArg) {
+	await Promise.all([import("./claude-3WKImhqM.mjs"), import("./openai-codex-DJi_Q6Zm.mjs")]);
+	const providers = listProviders();
+	let providerName = providerArg;
+	if (!providerName) providerName = await promptSelect("Select a provider to logout:", providers);
+	const manager = new TokenManager(await createTokenStore());
+	try {
+		await manager.logout(providerName);
+		printSuccess(`Logged out of ${providerName}. Stored tokens removed.`);
+	} catch (err) {
+		printError(`Logout failed: ${err instanceof Error ? err.message : String(err)}`);
+		process.exit(1);
+	}
+}
+//#endregion
+export { logoutCommand };
+
+//# sourceMappingURL=logout-CZm-tSVH.mjs.map

package/dist/cli/logout-CZm-tSVH.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"logout-CZm-tSVH.mjs","names":[],"sources":["../../src/cli/commands/logout.ts"],"sourcesContent":["import { listProviders } from \"@/providers/registry.ts\";\nimport { createTokenStore } from \"@/storage/store.ts\";\nimport { TokenManager } from \"@/token/manager.ts\";\nimport { printError, printSuccess, promptSelect } from \"@/cli/ui.ts\";\n\nexport async function logoutCommand(providerArg?: string): Promise<void> {\n  await Promise.all([import(\"@/providers/claude.ts\"), import(\"@/providers/openai-codex.ts\")]);\n\n  const providers = listProviders();\n  let providerName = providerArg;\n  if (!providerName) {\n    providerName = await promptSelect(\"Select a provider to logout:\", providers);\n  }\n\n  const store = await createTokenStore();\n  const manager = new TokenManager(store);\n\n  try {\n    await manager.logout(providerName);\n    printSuccess(`Logged out of ${providerName}. Stored tokens removed.`);\n  } catch (err) {\n    printError(`Logout failed: ${err instanceof Error ? err.message : String(err)}`);\n    process.exit(1);\n  }\n}\n"],"mappings":";;;;;AAKA,eAAsB,cAAc,aAAqC;AACvE,OAAM,QAAQ,IAAI,CAAC,OAAO,0BAA0B,OAAO,+BAA+B,CAAC;CAE3F,MAAM,YAAY,eAAe;CACjC,IAAI,eAAe;AACnB,KAAI,CAAC,aACH,gBAAe,MAAM,aAAa,gCAAgC,UAAU;CAI9E,MAAM,UAAU,IAAI,aADN,MAAM,kBAAkB,CACC;AAEvC,KAAI;AACF,QAAM,QAAQ,OAAO,aAAa;AAClC,eAAa,iBAAiB,aAAa,0BAA0B;UAC9D,KAAK;AACZ,aAAW,kBAAkB,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI,GAAG;AAChF,UAAQ,KAAK,EAAE"}