agent-control-plane 0.1.0

package/tools/vendor/codex-quota/lib/codex-accounts.js

@@ -0,0 +1,205 @@
+/**
+ * Codex account loading, dedup, active-label resolution.
+ * Depends on: lib/constants.js, lib/jwt.js, lib/container.js, lib/paths.js
+ */
+
+import { existsSync, readFileSync } from "node:fs";
+import { MULTI_ACCOUNT_PATHS } from "./constants.js";
+import { extractAccountId, extractProfile } from "./jwt.js";
+import { readMultiAccountContainer } from "./container.js";
+import { getCodexCliAuthPath } from "./paths.js";
+
+/**
+ * Load accounts from CODEX_ACCOUNTS environment variable
+ * @returns {Array<{label: string, accountId: string, access: string, refresh: string, expires?: number, source: string}>}
+ */
+export function loadAccountsFromEnv() {
+	const envAccounts = process.env.CODEX_ACCOUNTS;
+	if (!envAccounts) return [];
+
+	try {
+		const parsed = JSON.parse(envAccounts);
+		const accounts = Array.isArray(parsed) ? parsed : parsed?.accounts ?? [];
+		return accounts
+			.filter(isValidAccount)
+			.map(a => ({ ...a, source: "env" }));
+	} catch {
+		console.error("Warning: CODEX_ACCOUNTS env var is not valid JSON");
+		return [];
+	}
+}
+
+/**
+ * Load accounts from a multi-account JSON file
+ * @param {string} filePath - Path to the JSON file
+ * @returns {Array<{label: string, accountId: string, access: string, refresh: string, expires?: number, source: string}>}
+ */
+export function loadAccountsFromFile(filePath) {
+	const container = readMultiAccountContainer(filePath);
+	if (!container.exists) return [];
+	return container.accounts
+		.filter(isValidAccount)
+		.map(a => ({ ...a, source: filePath }));
+}
+
+/**
+ * Load account from Codex CLI auth.json (single account format)
+ * Returns array with single account for consistency with other loaders
+ * @returns {Array<{label: string, accountId: string, access: string, refresh: string, expires?: number, source: string}>}
+ */
+export function loadAccountFromCodexCli() {
+	const codexAuthPath = getCodexCliAuthPath();
+	if (!existsSync(codexAuthPath)) return [];
+
+	try {
+		const raw = readFileSync(codexAuthPath, "utf-8");
+		const parsed = JSON.parse(raw);
+		const tokens = parsed?.tokens;
+
+		if (!tokens?.access_token || !tokens?.refresh_token) {
+			return [];
+		}
+
+		const accountId = typeof tokens.account_id === "string" && tokens.account_id
+			? tokens.account_id
+			: extractAccountId(tokens.access_token);
+		if (!accountId) {
+			return [];
+		}
+
+		return [{
+			label: "codex-cli",
+			accountId,
+			access: tokens.access_token,
+			refresh: tokens.refresh_token,
+			expires: tokens.expires_at ? tokens.expires_at * 1000 : Date.now() - 1000,
+			source: codexAuthPath,
+		}];
+	} catch {
+		return [];
+	}
+}
+
+export function isValidAccount(a) {
+	return a?.label && a?.accountId && a?.access && a?.refresh;
+}
+
+/**
+ * Deduplicate accounts by email+accountId (from JWT token), keeping the first occurrence.
+ * Same user on different team accounts (different accountId) will be kept separately
+ * because each team has its own quota.
+ * Optionally prefer a specific label so the active account remains visible.
+ * @param {Array<{access: string, accountId?: string, label?: string}>} accounts
+ * @param {{ preferredLabel?: string | null }} [options]
+ * @returns {Array<{access: string, accountId?: string, label?: string}>}
+ */
+export function deduplicateAccountsByEmail(accounts, options = {}) {
+	const preferredLabel = options.preferredLabel ?? null;
+	let preferredKey = null;
+	if (preferredLabel) {
+		const preferredAccount = accounts.find(account => account.label === preferredLabel);
+		if (preferredAccount?.access) {
+			const email = extractProfile(preferredAccount.access)?.email ?? null;
+			if (email) {
+				preferredKey = `${email}|${preferredAccount.accountId ?? ""}`;
+			}
+		}
+	}
+
+	const seen = new Set();
+	return accounts.filter(account => {
+		if (!account.access) return true;
+		const profile = extractProfile(account.access);
+		const email = profile?.email;
+		if (!email) return true;
+		const key = `${email}|${account.accountId ?? ""}`;
+		if (preferredKey && key === preferredKey) {
+			return account.label === preferredLabel;
+		}
+		if (seen.has(key)) return false;
+		seen.add(key);
+		return true;
+	});
+}
+
+/**
+ * Resolve the multi-account file that stores activeLabel for Codex.
+ * @returns {string}
+ */
+export function resolveCodexActiveStorePath() {
+	for (const path of MULTI_ACCOUNT_PATHS) {
+		if (existsSync(path)) return path;
+	}
+	return MULTI_ACCOUNT_PATHS[0];
+}
+
+/**
+ * Read the active-label store container for Codex.
+ * @returns {{ path: string, container: ReturnType<typeof readMultiAccountContainer> }}
+ */
+export function readCodexActiveStoreContainer() {
+	const path = resolveCodexActiveStorePath();
+	const container = readMultiAccountContainer(path);
+	return { path, container };
+}
+
+/**
+ * Get the activeLabel stored for Codex (if any).
+ * @returns {{ activeLabel: string | null, path: string, schemaVersion: number }}
+ */
+export function getCodexActiveLabelInfo() {
+	const { path, container } = readCodexActiveStoreContainer();
+	return {
+		activeLabel: container.activeLabel ?? null,
+		path,
+		schemaVersion: container.schemaVersion ?? 0,
+	};
+}
+
+/**
+ * Load ALL accounts from ALL sources without deduplication by email.
+ * @param {{ local?: boolean }} [options] - When local=true, skip harness auth files
+ * @returns {Array<{label: string, accountId: string, access: string, refresh: string, expires?: number, source: string}>}
+ */
+export function loadAllAccountsNoDedup(options = {}) {
+	const all = [];
+	all.push(...loadAccountsFromEnv());
+	for (const path of MULTI_ACCOUNT_PATHS) {
+		all.push(...loadAccountsFromFile(path));
+	}
+	if (all.length === 0 && !options.local) {
+		all.push(...loadAccountFromCodexCli());
+	}
+	return all;
+}
+
+/**
+ * Load ALL accounts from ALL sources (env, file paths, codex-cli)
+ * Deduplicates by email to prevent showing same user twice
+ * @param {string | null} [preferredLabel]
+ * @param {{ local?: boolean }} [options]
+ * @returns {Array<{label: string, accountId: string, access: string, refresh: string, expires?: number, source: string}>}
+ */
+export function loadAllAccounts(preferredLabel = null, options = {}) {
+	const all = loadAllAccountsNoDedup(options);
+	return deduplicateAccountsByEmail(all, { preferredLabel });
+}
+
+/**
+ * Find an account by label from all sources
+ * @param {string} label
+ * @returns {{label: string, accountId: string, access: string, refresh: string, expires?: number, source: string} | null}
+ */
+export function findAccountByLabel(label) {
+	const accounts = loadAllAccountsNoDedup();
+	return accounts.find(a => a.label === label) ?? null;
+}
+
+/**
+ * Get all labels from all account sources
+ * @returns {string[]}
+ */
+export function getAllLabels() {
+	const accounts = loadAllAccountsNoDedup();
+	return [...new Set(accounts.map(a => a.label))];
+}

package/tools/vendor/codex-quota/lib/codex-tokens.js

@@ -0,0 +1,326 @@
+/**
+ * OpenAI token refresh and multi-store persistence.
+ * Depends on: lib/constants.js, lib/paths.js, lib/jwt.js, lib/token-match.js, lib/container.js, lib/fs.js
+ */
+
+import { existsSync, readFileSync } from "node:fs";
+import { TOKEN_URL, CLIENT_ID, MULTI_ACCOUNT_PATHS, OPENAI_OAUTH_REFRESH_BUFFER_MS } from "./constants.js";
+import { getOpencodeAuthPath, getCodexCliAuthPath, getPiAuthPath } from "./paths.js";
+import { extractAccountId } from "./jwt.js";
+import { isOauthTokenMatch, normalizeEntryTokens, updateEntryTokens, OPENAI_TOKEN_FIELDS } from "./token-match.js";
+import { readMultiAccountContainer, writeMultiAccountContainer, mapContainerAccounts } from "./container.js";
+import { writeFileAtomic } from "./fs.js";
+
+// Keep the original function names as internal helpers for backward compat
+function isOpenAiOauthTokenMatch(params) {
+	return isOauthTokenMatch(params);
+}
+
+function normalizeOpenAiOauthEntryTokens(entry) {
+	return normalizeEntryTokens(entry, OPENAI_TOKEN_FIELDS);
+}
+
+function updateOpenAiOauthEntry(entry, account) {
+	const fields = {
+		access: account.access,
+		refresh: account.refresh,
+		expires: account.expires ?? null,
+		accountId: account.accountId,
+	};
+	// Only include idToken when truthy (matches original behavior)
+	if (account.idToken) {
+		fields.idToken = account.idToken;
+	}
+	return updateEntryTokens(entry, fields, OPENAI_TOKEN_FIELDS);
+}
+
+/**
+ * Update OpenCode auth.json with new OpenAI OAuth tokens
+ * @param {{ access: string, refresh: string, expires?: number, accountId: string }} account
+ * @returns {{ updated: boolean, path: string, error?: string, skipped?: boolean }}
+ */
+export function updateOpencodeAuth(account) {
+	const authPath = getOpencodeAuthPath();
+	if (!existsSync(authPath)) {
+		return { updated: false, path: authPath, skipped: true };
+	}
+
+	let existingAuth = {};
+	try {
+		const raw = readFileSync(authPath, "utf-8");
+		const parsed = JSON.parse(raw);
+		if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+			return { updated: false, path: authPath, error: "Invalid OpenCode auth.json format" };
+		}
+		existingAuth = parsed;
+	} catch (err) {
+		const message = err?.message ?? String(err);
+		return { updated: false, path: authPath, error: `Failed to read OpenCode auth.json: ${message}` };
+	}
+
+	const openaiEntry = existingAuth.openai;
+	const openaiAuth = openaiEntry && typeof openaiEntry === "object" ? openaiEntry : {};
+	const expires = account.expires ?? Date.now() - 1000;
+	const updatedAuth = {
+		...existingAuth,
+		openai: {
+			...openaiAuth,
+			type: "oauth",
+			access: account.access,
+			refresh: account.refresh,
+			expires: expires,
+			accountId: account.accountId,
+		},
+	};
+
+	try {
+		writeFileAtomic(authPath, JSON.stringify(updatedAuth, null, 2) + "\n", { mode: 0o600 });
+	} catch (err) {
+		const message = err?.message ?? String(err);
+		return { updated: false, path: authPath, error: `Failed to write OpenCode auth.json: ${message}` };
+	}
+
+	return { updated: true, path: authPath };
+}
+
+/**
+ * Update pi auth.json with new OpenAI Codex OAuth tokens
+ * @param {{ access: string, refresh: string, expires?: number, accountId: string }} account
+ * @returns {{ updated: boolean, path: string, error?: string, skipped?: boolean }}
+ */
+export function updatePiAuth(account) {
+	const authPath = getPiAuthPath();
+	if (!existsSync(authPath)) {
+		return { updated: false, path: authPath, skipped: true };
+	}
+
+	let existingAuth = {};
+	try {
+		const raw = readFileSync(authPath, "utf-8");
+		const parsed = JSON.parse(raw);
+		if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+			return { updated: false, path: authPath, error: "Invalid pi auth.json format" };
+		}
+		existingAuth = parsed;
+	} catch (err) {
+		const message = err?.message ?? String(err);
+		return { updated: false, path: authPath, error: `Failed to read pi auth.json: ${message}` };
+	}
+
+	const codexEntry = existingAuth["openai-codex"];
+	const codexAuth = codexEntry && typeof codexEntry === "object" ? codexEntry : {};
+	const expires = account.expires ?? Date.now() - 1000;
+	const updatedAuth = {
+		...existingAuth,
+		"openai-codex": {
+			...codexAuth,
+			type: "oauth",
+			access: account.access,
+			refresh: account.refresh,
+			expires: expires,
+			accountId: account.accountId,
+		},
+	};
+
+	try {
+		writeFileAtomic(authPath, JSON.stringify(updatedAuth, null, 2) + "\n", { mode: 0o600 });
+	} catch (err) {
+		const message = err?.message ?? String(err);
+		return { updated: false, path: authPath, error: `Failed to write pi auth.json: ${message}` };
+	}
+
+	return { updated: true, path: authPath };
+}
+
+/**
+ * Persist refreshed OpenAI OAuth tokens to all known stores that match.
+ * @param {{ label: string, access: string, refresh: string, expires?: number, accountId: string, idToken?: string, source?: string }} account
+ * @param {{ previousAccessToken?: string | null, previousRefreshToken?: string | null }} previousTokens
+ * @returns {{ updatedPaths: string[], errors: string[] }}
+ */
+export function persistOpenAiOAuthTokens(account, previousTokens = {}) {
+	const updatedPaths = [];
+	const errors = [];
+	const previousAccess = previousTokens.previousAccessToken ?? null;
+	const previousRefresh = previousTokens.previousRefreshToken ?? null;
+
+	if (account.source?.startsWith("env")) {
+		return { updatedPaths, errors };
+	}
+
+	const codexAuthPath = getCodexCliAuthPath();
+	if (existsSync(codexAuthPath)) {
+		try {
+			const raw = readFileSync(codexAuthPath, "utf-8");
+			const parsed = JSON.parse(raw);
+			const tokens = parsed?.tokens;
+			if (!tokens || typeof tokens !== "object" || Array.isArray(tokens)) {
+				errors.push(`Invalid Codex auth.json format at ${codexAuthPath}`);
+			} else {
+				const storedAccess = tokens.access_token ?? null;
+				const storedRefresh = tokens.refresh_token ?? null;
+				if (isOpenAiOauthTokenMatch({
+					storedAccess,
+					storedRefresh,
+					previousAccess,
+					previousRefresh,
+					label: account.label,
+					storedLabel: parsed?.codex_quota_label ?? null,
+				})) {
+					const updatedTokens = {
+						...tokens,
+						access_token: account.access,
+						refresh_token: account.refresh,
+						account_id: account.accountId,
+					};
+					if (account.expires) {
+						updatedTokens.expires_at = Math.floor(account.expires / 1000);
+					}
+					if (account.idToken) {
+						updatedTokens.id_token = account.idToken;
+					}
+					const updatedPayload = { ...parsed, tokens: updatedTokens };
+					writeFileAtomic(codexAuthPath, JSON.stringify(updatedPayload, null, 2) + "\n", { mode: 0o600 });
+					updatedPaths.push(codexAuthPath);
+				}
+			}
+		} catch (err) {
+			const message = err?.message ?? String(err);
+			errors.push(`Failed to update ${codexAuthPath}: ${message}`);
+		}
+	}
+
+	const opencodePath = getOpencodeAuthPath();
+	if (existsSync(opencodePath)) {
+		try {
+			const raw = readFileSync(opencodePath, "utf-8");
+			const parsed = JSON.parse(raw);
+			const openai = parsed?.openai ?? null;
+			const storedAccess = openai?.access ?? null;
+			const storedRefresh = openai?.refresh ?? null;
+			if (isOpenAiOauthTokenMatch({
+				storedAccess,
+				storedRefresh,
+				previousAccess,
+				previousRefresh,
+				label: account.label,
+				storedLabel: "opencode",
+			})) {
+				const result = updateOpencodeAuth(account);
+				if (result.updated) updatedPaths.push(result.path);
+				if (result.error) errors.push(result.error);
+			}
+		} catch {
+			// ignore parse errors, handled by updateOpencodeAuth
+		}
+	}
+
+	const piPath = getPiAuthPath();
+	if (existsSync(piPath)) {
+		try {
+			const raw = readFileSync(piPath, "utf-8");
+			const parsed = JSON.parse(raw);
+			const codex = parsed?.["openai-codex"] ?? null;
+			const storedAccess = codex?.access ?? null;
+			const storedRefresh = codex?.refresh ?? null;
+			if (isOpenAiOauthTokenMatch({
+				storedAccess,
+				storedRefresh,
+				previousAccess,
+				previousRefresh,
+				label: account.label,
+				storedLabel: "pi",
+			})) {
+				const result = updatePiAuth(account);
+				if (result.updated) updatedPaths.push(result.path);
+				if (result.error) errors.push(result.error);
+			}
+		} catch {
+			// ignore parse errors, handled by updatePiAuth
+		}
+	}
+
+	for (const path of MULTI_ACCOUNT_PATHS) {
+		if (!existsSync(path)) continue;
+		try {
+			const container = readMultiAccountContainer(path);
+			if (container.rootType === "invalid") {
+				errors.push(`Failed to parse ${path}`);
+				continue;
+			}
+			const mapped = mapContainerAccounts(container, (entry) => {
+				if (!entry || typeof entry !== "object") return entry;
+				const stored = normalizeOpenAiOauthEntryTokens(entry);
+				const matches = isOpenAiOauthTokenMatch({
+					storedAccess: stored.access,
+					storedRefresh: stored.refresh,
+					previousAccess,
+					previousRefresh,
+					label: account.label,
+					storedLabel: entry?.label ?? null,
+				});
+				if (!matches) return entry;
+				return updateOpenAiOauthEntry({ ...entry }, account);
+			});
+
+			if (mapped.updated) {
+				writeMultiAccountContainer(path, container, mapped.accounts, {}, { mode: 0o600 });
+				updatedPaths.push(path);
+			}
+		} catch (err) {
+			const message = err?.message ?? String(err);
+			errors.push(`Failed to update ${path}: ${message}`);
+		}
+	}
+
+	return { updatedPaths, errors };
+}
+
+export async function refreshToken(refreshTokenValue) {
+	const res = await fetch(TOKEN_URL, {
+		method: "POST",
+		headers: { "Content-Type": "application/x-www-form-urlencoded" },
+		body: new URLSearchParams({
+			grant_type: "refresh_token",
+			refresh_token: refreshTokenValue,
+			client_id: CLIENT_ID,
+		}),
+	});
+	if (!res.ok) return null;
+	const json = await res.json();
+	if (!json?.access_token || !json?.refresh_token || typeof json?.expires_in !== "number") {
+		return null;
+	}
+	return {
+		access: json.access_token,
+		refresh: json.refresh_token,
+		expires: Date.now() + json.expires_in * 1000,
+	};
+}
+
+export function isOpenAiOauthTokenExpiring(expires) {
+	if (!expires) return true;
+	return expires <= Date.now() + OPENAI_OAUTH_REFRESH_BUFFER_MS;
+}
+
+export async function ensureFreshToken(account, allAccounts) {
+	if (!isOpenAiOauthTokenExpiring(account.expires)) return true;
+	const previousAccessToken = account.access;
+	const previousRefreshToken = account.refresh;
+	const refreshed = await refreshToken(account.refresh);
+	if (!refreshed) return false;
+
+	// Update accountId from new token (in case it changed)
+	const newAccountId = extractAccountId(refreshed.access);
+	if (newAccountId) account.accountId = newAccountId;
+
+	account.access = refreshed.access;
+	account.refresh = refreshed.refresh;
+	account.expires = refreshed.expires;
+	account.updatedAt = Date.now();
+	persistOpenAiOAuthTokens(account, {
+		previousAccessToken,
+		previousRefreshToken,
+	});
+	return true;
+}

package/tools/vendor/codex-quota/lib/codex-usage.js

@@ -0,0 +1,32 @@
+/**
+ * Codex usage API fetch.
+ * Depends on: lib/constants.js
+ */
+
+import { USAGE_URL } from "./constants.js";
+
+export async function fetchUsage(account) {
+	const controller = new AbortController();
+	const timeout = setTimeout(() => controller.abort(), 15000);
+
+	try {
+		const res = await fetch(USAGE_URL, {
+			method: "GET",
+			headers: {
+				Authorization: `Bearer ${account.access}`,
+				accept: "application/json",
+				"chatgpt-account-id": account.accountId,
+				originator: "codex_cli_rs",
+			},
+			signal: controller.signal,
+		});
+		if (!res.ok) {
+			return { error: `HTTP ${res.status}` };
+		}
+		return await res.json();
+	} catch (e) {
+		return { error: e.message };
+	} finally {
+		clearTimeout(timeout);
+	}
+}

package/tools/vendor/codex-quota/lib/color.js

@@ -0,0 +1,72 @@
+/**
+ * Terminal color output helpers.
+ * Zero internal dependencies — only uses Node.js built-ins.
+ */
+
+import { readFileSync } from "node:fs";
+import { PACKAGE_JSON_PATH } from "./constants.js";
+
+// ANSI color codes
+export const GREEN = "\x1b[32m";
+export const RED = "\x1b[31m";
+export const YELLOW = "\x1b[33m";
+export const RESET = "\x1b[0m";
+
+// Global flag set by main() based on CLI args
+let noColorFlag = false;
+
+/**
+ * Set the noColorFlag value (for testing purposes)
+ * @param {boolean} value - Whether to disable colors
+ */
+export function setNoColorFlag(value) {
+	noColorFlag = value;
+}
+
+/**
+ * Check if terminal supports colors
+ * Respects NO_COLOR env var (https://no-color.org/) and --no-color flag
+ * @returns {boolean} true if colors should be used
+ */
+export function supportsColor() {
+	// Respect --no-color CLI flag
+	if (noColorFlag) return false;
+	// Respect NO_COLOR env var (any non-empty value disables color)
+	if (process.env.NO_COLOR) return false;
+	// Check if stdout is a TTY (not piped/redirected)
+	if (!process.stdout.isTTY) return false;
+	return true;
+}
+
+/**
+ * Apply color to text if terminal supports it
+ * @param {string} text - Text to colorize
+ * @param {string} color - ANSI color code (GREEN, RED, YELLOW)
+ * @returns {string} Colorized text or plain text if colors disabled
+ */
+export function colorize(text, color) {
+	if (!supportsColor()) return text;
+	return `${color}${text}${RESET}`;
+}
+
+/**
+ * Output data as formatted JSON to stdout
+ * Standardizes JSON output across all handlers with 2-space indent
+ * @param {any} data - Data to serialize and output
+ */
+export function outputJson(data) {
+	console.log(JSON.stringify(data, null, 2));
+}
+
+/**
+ * Get the CLI version from package.json
+ * @returns {string}
+ */
+export function getPackageVersion() {
+	try {
+		const pkg = JSON.parse(readFileSync(PACKAGE_JSON_PATH, "utf-8"));
+		return pkg.version || "unknown";
+	} catch {
+		return "unknown";
+	}
+}

package/tools/vendor/codex-quota/lib/constants.js

@@ -0,0 +1,57 @@
+/**
+ * All configuration constants for codex-quota.
+ * Zero internal dependencies — only uses Node.js built-ins.
+ */
+
+import { homedir } from "node:os";
+import { join, dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+
+// OAuth config (matches OpenAI Codex CLI)
+export const TOKEN_URL = "https://auth.openai.com/oauth/token";
+export const AUTHORIZE_URL = "https://auth.openai.com/oauth/authorize";
+export const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
+export const REDIRECT_URI = "http://localhost:1455/auth/callback";
+export const SCOPE = "openid profile email offline_access";
+export const OAUTH_TIMEOUT_MS = 120000; // 2 minutes
+export const OPENAI_OAUTH_REFRESH_BUFFER_MS = 60 * 1000;
+export const USAGE_URL = "https://chatgpt.com/backend-api/wham/usage";
+export const JWT_CLAIM = "https://api.openai.com/auth";
+export const JWT_PROFILE = "https://api.openai.com/profile";
+export const CLAUDE_CREDENTIALS_PATH = join(homedir(), ".claude", ".credentials.json");
+export const CLAUDE_MULTI_ACCOUNT_PATHS = [
+	join(homedir(), ".claude-accounts.json"),
+];
+export const CLAUDE_API_BASE = "https://claude.ai/api";
+export const CLAUDE_ORIGIN = "https://claude.ai";
+export const CLAUDE_ORGS_URL = `${CLAUDE_API_BASE}/organizations`;
+export const CLAUDE_ACCOUNT_URL = `${CLAUDE_API_BASE}/account`;
+export const CLAUDE_TIMEOUT_MS = 15000;
+export const CLAUDE_USER_AGENT = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36";
+
+// Claude OAuth API configuration (new official endpoint)
+export const CLAUDE_OAUTH_USAGE_URL = "https://api.anthropic.com/api/oauth/usage";
+export const CLAUDE_OAUTH_VERSION = "2023-06-01";
+export const CLAUDE_OAUTH_BETA = "oauth-2025-04-20";
+export const CLAUDE_OAUTH_REFRESH_BUFFER_MS = 5 * 60 * 1000;
+
+// Claude OAuth browser flow configuration
+export const CLAUDE_OAUTH_AUTHORIZE_URL = "https://claude.ai/oauth/authorize";
+export const CLAUDE_OAUTH_TOKEN_URL = "https://console.anthropic.com/v1/oauth/token";
+export const CLAUDE_OAUTH_REDIRECT_URI = "https://console.anthropic.com/oauth/code/callback";
+export const CLAUDE_OAUTH_CLIENT_ID = "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
+export const CLAUDE_OAUTH_SCOPES = "org:create_api_key user:profile user:inference";
+
+// CLI command names
+export const PRIMARY_CMD = "codex-quota";
+export const PACKAGE_JSON_PATH = fileURLToPath(new URL("../package.json", import.meta.url));
+
+export const MULTI_ACCOUNT_PATHS = [
+	join(homedir(), ".codex-accounts.json"),
+	join(homedir(), ".opencode", "openai-codex-auth-accounts.json"),
+];
+
+export const CODEX_CLI_AUTH_PATH = join(homedir(), ".codex", "auth.json");
+export const PI_AUTH_PATH = join(homedir(), ".pi", "agent", "auth.json");
+export const DEFAULT_XDG_DATA_HOME = join(homedir(), ".local", "share");
+export const MULTI_ACCOUNT_SCHEMA_VERSION = 1;