aicomputer 0.1.7 → 0.1.9

package/dist/index.js

@@ -1,8 +1,8 @@
 #!/usr/bin/env node
 
 // src/index.ts
-import { Command as Command11 } from "commander";
-import chalk11 from "chalk";
+import { Command as Command12 } from "commander";
+import chalk12 from "chalk";
 import { readFileSync as readFileSync3 } from "fs";
 import { basename as basename2 } from "path";
 
@@ -1524,20 +1524,218 @@ fleetCommand.command("status").description("List open agent sessions across all
 });
 
 // src/commands/claude-auth.ts
-import { randomBytes, createHash } from "crypto";
-import { spawn as spawn2 } from "child_process";
+import { randomBytes as randomBytes2, createHash } from "crypto";
 import { input as textInput } from "@inquirer/prompts";
 import { Command as Command4 } from "commander";
 import chalk5 from "chalk";
+import ora4 from "ora";
+
+// src/lib/remote-auth.ts
+import { randomBytes } from "crypto";
+import { spawn as spawn2 } from "child_process";
 import ora3 from "ora";
+var readyPollIntervalMs = 2e3;
+var readyPollTimeoutMs = 18e4;
+async function prepareAuthTarget(options, config) {
+  if (options.machine?.trim()) {
+    const computer2 = await resolveComputer(options.machine.trim());
+    assertSSHAuthTarget(computer2);
+    return {
+      computer: computer2,
+      helperCreated: false,
+      sharedInstall: isSharedInstallTarget(computer2),
+      detail: describeTarget(computer2, false)
+    };
+  }
+  const computers = await listComputers();
+  const filesystemSettings = await getFilesystemSettings().catch(() => null);
+  if (filesystemSettings?.shared_enabled) {
+    const existing = pickSharedRunningComputer(computers);
+    if (existing) {
+      return {
+        computer: existing,
+        helperCreated: false,
+        sharedInstall: true,
+        detail: describeTarget(existing, false)
+      };
+    }
+    const spinner = ora3(`Creating temporary ${config.helperPrefix} helper...`).start();
+    try {
+      const helper = await createComputer({
+        handle: `${config.helperPrefix}-${randomSuffix(6)}`,
+        display_name: config.helperDisplayName,
+        runtime_family: "managed-worker",
+        use_platform_default: true,
+        ssh_enabled: true,
+        vnc_enabled: false
+      });
+      spinner.succeed(`Created temporary helper ${helper.handle}`);
+      return {
+        computer: helper,
+        helperCreated: true,
+        sharedInstall: true,
+        detail: describeTarget(helper, true)
+      };
+    } catch (error) {
+      spinner.fail(
+        error instanceof Error ? error.message : "Failed to create temporary helper"
+      );
+      throw error;
+    }
+  }
+  const computer = await promptForSSHComputer(computers, config.promptMessage);
+  return {
+    computer,
+    helperCreated: false,
+    sharedInstall: isSharedInstallTarget(computer),
+    detail: describeTarget(computer, false)
+  };
+}
+async function waitForRunning(initial) {
+  if (initial.status === "running") {
+    return initial;
+  }
+  const spinner = ora3(`Waiting for ${initial.handle} to be ready...`).start();
+  const deadline = Date.now() + readyPollTimeoutMs;
+  let lastStatus = initial.status;
+  while (Date.now() < deadline) {
+    const current = await getComputerByID(initial.id);
+    if (current.status === "running") {
+      spinner.succeed(`${current.handle} is ready`);
+      return current;
+    }
+    if (current.status !== lastStatus) {
+      lastStatus = current.status;
+      spinner.text = `Waiting for ${current.handle}... ${current.status}`;
+    }
+    if (current.status === "error" || current.status === "deleted" || current.status === "stopped") {
+      spinner.fail(`${current.handle} entered ${current.status}`);
+      throw new Error(current.last_error || `${current.handle} entered ${current.status}`);
+    }
+    await delay(readyPollIntervalMs);
+  }
+  spinner.fail(`Timed out waiting for ${initial.handle}`);
+  throw new Error(`timed out waiting for ${initial.handle} to be ready`);
+}
+async function resolveSSHTarget(computer) {
+  assertSSHAuthTarget(computer);
+  const registered = await ensureDefaultSSHKeyRegistered();
+  const info = await getConnectionInfo(computer.id);
+  if (!info.connection.ssh_available) {
+    throw new Error(`SSH is not available for ${computer.handle}`);
+  }
+  return {
+    handle: computer.handle,
+    host: info.connection.ssh_host,
+    port: info.connection.ssh_port,
+    user: info.connection.ssh_user,
+    identityFile: registered.privateKeyPath
+  };
+}
+async function verifySecondaryMachine(primaryComputerID, sharedInstall, skip, verify) {
+  if (!sharedInstall) {
+    return { status: "skipped", reason: "target uses isolated filesystem" };
+  }
+  if (skip) {
+    return { status: "skipped", reason: "cross-check skipped by flag" };
+  }
+  const secondary = (await listComputers()).filter(
+    (computer) => computer.id !== primaryComputerID && computer.runtime_family === "managed-worker" && computer.filesystem_mode === "shared" && computer.ssh_enabled && computer.status === "running"
+  ).sort(
+    (left, right) => new Date(right.updated_at).getTime() - new Date(left.updated_at).getTime()
+  )[0];
+  if (!secondary) {
+    return {
+      status: "skipped",
+      reason: "no second running shared managed-worker was available"
+    };
+  }
+  const sshTarget = await resolveSSHTarget(secondary);
+  const verification = await verify(sshTarget);
+  if (verification.status !== "verified") {
+    return { status: "skipped", reason: verification.detail };
+  }
+  return { status: "verified", handle: secondary.handle };
+}
+async function runRemoteCommand(target, remoteArgs, script) {
+  const args = [
+    "-T",
+    "-i",
+    target.identityFile,
+    "-p",
+    String(target.port),
+    `${target.user}@${target.host}`,
+    ...remoteArgs
+  ];
+  return new Promise((resolve, reject) => {
+    const child = spawn2("ssh", args, {
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    let stdout = "";
+    let stderr = "";
+    child.stdout.on("data", (chunk) => {
+      stdout += chunk.toString();
+    });
+    child.stderr.on("data", (chunk) => {
+      stderr += chunk.toString();
+    });
+    child.on("error", reject);
+    child.on("exit", (code) => {
+      if (code === 0) {
+        resolve({ stdout, stderr });
+        return;
+      }
+      const message = stderr.trim() || stdout.trim() || `ssh exited with code ${code ?? 1}`;
+      reject(new Error(message));
+    });
+    if (script !== void 0) {
+      child.stdin.end(script);
+      return;
+    }
+    child.stdin.end();
+  });
+}
+function isSharedInstallTarget(computer) {
+  return computer.runtime_family === "managed-worker" && computer.filesystem_mode === "shared";
+}
+function assertSSHAuthTarget(computer) {
+  if (!computer.ssh_enabled) {
+    throw new Error(`${computer.handle} does not have SSH enabled`);
+  }
+}
+function randomSuffix(length) {
+  return randomBytes(Math.ceil(length / 2)).toString("hex").slice(0, length);
+}
+function pickSharedRunningComputer(computers) {
+  const candidates = computers.filter(
+    (computer) => computer.runtime_family === "managed-worker" && computer.filesystem_mode === "shared" && computer.ssh_enabled && computer.status === "running"
+  ).sort(
+    (left, right) => new Date(right.updated_at).getTime() - new Date(left.updated_at).getTime()
+  );
+  return candidates[0] ?? null;
+}
+function describeTarget(computer, helperCreated) {
+  if (helperCreated) {
+    return `created temporary helper ${computer.handle}`;
+  }
+  if (isSharedInstallTarget(computer)) {
+    return `using shared machine ${computer.handle}`;
+  }
+  return `using ${computer.handle}`;
+}
+function delay(ms) {
+  return new Promise((resolve) => {
+    setTimeout(resolve, ms);
+  });
+}
+
+// src/commands/claude-auth.ts
 var CLAUDE_OAUTH_CLIENT_ID = process.env.CLAUDE_OAUTH_CLIENT_ID ?? "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
 var CLAUDE_OAUTH_AUTHORIZE_URL = process.env.CLAUDE_OAUTH_AUTHORIZE_URL ?? "https://claude.ai/oauth/authorize";
 var CLAUDE_OAUTH_TOKEN_URL = process.env.CLAUDE_OAUTH_TOKEN_URL ?? "https://platform.claude.com/v1/oauth/token";
 var CLAUDE_OAUTH_REDIRECT_URL = process.env.CLAUDE_OAUTH_REDIRECT_URL ?? "https://platform.claude.com/oauth/code/callback";
 var CLAUDE_OAUTH_SCOPES = (process.env.CLAUDE_OAUTH_SCOPES ?? "user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload").split(/\s+/).filter(Boolean);
-var readyPollIntervalMs = 2e3;
-var readyPollTimeoutMs = 18e4;
-var claudeAuthCommand = new Command4("claude-auth").alias("claude-login").description("Authenticate Claude Code on a computer").option("--machine <id-or-handle>", "Use a specific computer").option("--keep-helper", "Keep a temporary helper machine if one is created").option("--skip-cross-check", "Skip verification on a second shared machine").action(async (options) => {
+var claudeLoginCommand = new Command4("claude-login").alias("claude-auth").description("Authenticate Claude Code on a computer").option("--machine <id-or-handle>", "Use a specific computer").option("--keep-helper", "Keep a temporary helper machine if one is created").option("--skip-cross-check", "Skip verification on a second shared machine").option("--verbose", "Show step-by-step auth diagnostics").action(async (options) => {
   const todos = createTodoList();
   let target = null;
   let helperCreated = false;
@@ -1573,19 +1771,24 @@ var claudeAuthCommand = new Command4("claude-auth").alias("claude-login").descri
       sharedInstall ? `installed Claude login on shared home via ${target.handle}` : `installed Claude login on ${target.handle}`
     );
     activeTodoID = "verify-primary";
-    await verifyStoredAuth(sshTarget);
-    markTodo(
+    const primaryVerification = await verifyTargetMachine(target.handle, sshTarget);
+    markVerificationTodo(
       todos,
       "verify-primary",
-      "done",
+      primaryVerification,
       `${target.handle} fresh login shell sees Claude auth`
     );
     activeTodoID = "verify-shared";
-    const sharedCheck = await verifySecondaryMachine(
+    const sharedCheck = primaryVerification.status === "verified" ? await verifySharedInstall(
+      target.handle,
       target.id,
       sharedInstall,
-      Boolean(options.skipCrossCheck)
-    );
+      Boolean(options.skipCrossCheck),
+      verifyStoredAuth
+    ) : {
+      status: "skipped",
+      reason: "primary verification was inconclusive"
+    };
     if (sharedCheck.status === "verified") {
       markTodo(
         todos,
@@ -1623,7 +1826,9 @@ var claudeAuthCommand = new Command4("claude-auth").alias("claude-login").descri
     } else {
       markTodo(todos, "cleanup", "skipped", "no helper created");
     }
-    printTodoList(todos);
+    if (options.verbose) {
+      printTodoList(todos);
+    }
   }
   if (failureMessage) {
     console.error(chalk5.red(`
@@ -1631,7 +1836,9 @@ ${failureMessage}`));
     process.exit(1);
   }
   if (target) {
-    console.log(chalk5.green(`Claude is ready on ${chalk5.bold(target.handle)}.`));
+    console.log(
+      chalk5.green(`Claude login installed on ${chalk5.bold(target.handle)}.`)
+    );
     console.log();
   }
 });
@@ -1654,6 +1861,13 @@ function markTodo(items, id, state, detail) {
   item.state = state;
   item.detail = detail;
 }
+function markVerificationTodo(items, id, result, successDetail) {
+  if (result.status === "verified") {
+    markTodo(items, id, "done", successDetail);
+    return;
+  }
+  markTodo(items, id, "skipped", result.detail);
+}
 function printTodoList(items) {
   console.log();
   console.log(chalk5.dim("TODO"));
@@ -1666,130 +1880,28 @@ function printTodoList(items) {
   console.log();
 }
 async function prepareTargetMachine(options) {
-  if (options.machine?.trim()) {
-    const computer2 = await resolveComputer(options.machine.trim());
-    assertClaudeAuthTarget(computer2);
-    return {
-      computer: computer2,
-      helperCreated: false,
-      sharedInstall: isSharedInstallTarget(computer2),
-      detail: describeTarget(computer2, false)
-    };
-  }
-  const computers = await listComputers();
-  const filesystemSettings = await getFilesystemSettings().catch(() => null);
-  if (filesystemSettings?.shared_enabled) {
-    const existing = pickSharedRunningComputer(computers);
-    if (existing) {
-      return {
-        computer: existing,
-        helperCreated: false,
-        sharedInstall: true,
-        detail: describeTarget(existing, false)
-      };
-    }
-    const spinner = ora3("Creating temporary shared helper...").start();
-    try {
-      const helper = await createComputer({
-        handle: `claude-auth-${randomSuffix(6)}`,
-        display_name: "Claude Auth Helper",
-        runtime_family: "managed-worker",
-        use_platform_default: true,
-        ssh_enabled: true,
-        vnc_enabled: false
-      });
-      spinner.succeed(`Created temporary helper ${chalk5.bold(helper.handle)}`);
-      return {
-        computer: helper,
-        helperCreated: true,
-        sharedInstall: true,
-        detail: describeTarget(helper, true)
-      };
-    } catch (error) {
-      spinner.fail(
-        error instanceof Error ? error.message : "Failed to create temporary helper"
-      );
-      throw error;
-    }
+  return prepareAuthTarget(options, {
+    helperPrefix: "claude-auth",
+    helperDisplayName: "Claude Auth Helper",
+    promptMessage: "Select a computer for Claude auth"
+  });
+}
+async function runManualOAuthFlow() {
+  const codeVerifier = base64url(randomBytes2(32));
+  const state = randomBytes2(16).toString("hex");
+  const codeChallenge = base64url(createHash("sha256").update(codeVerifier).digest());
+  const url = buildAuthorizationURL(codeChallenge, state);
+  console.log("We will open your browser so you can authenticate with Claude.");
+  console.log("If the browser does not open automatically, use the URL below:\n");
+  console.log(url);
+  console.log();
+  try {
+    await openBrowserURL(url);
+  } catch {
+    console.log(chalk5.yellow("Unable to open the browser automatically."));
   }
-  const computer = await promptForSSHComputer(
-    computers,
-    "Select a computer for Claude auth"
-  );
-  return {
-    computer,
-    helperCreated: false,
-    sharedInstall: isSharedInstallTarget(computer),
-    detail: describeTarget(computer, false)
-  };
-}
-function pickSharedRunningComputer(computers) {
-  const candidates = computers.filter(
-    (computer) => computer.runtime_family === "managed-worker" && computer.filesystem_mode === "shared" && computer.ssh_enabled && computer.status === "running"
-  ).sort(
-    (left, right) => new Date(right.updated_at).getTime() - new Date(left.updated_at).getTime()
-  );
-  return candidates[0] ?? null;
-}
-function assertClaudeAuthTarget(computer) {
-  if (!computer.ssh_enabled) {
-    throw new Error(`${computer.handle} does not have SSH enabled`);
-  }
-}
-function isSharedInstallTarget(computer) {
-  return computer.runtime_family === "managed-worker" && computer.filesystem_mode === "shared";
-}
-function describeTarget(computer, helperCreated) {
-  if (helperCreated) {
-    return `created temporary helper ${computer.handle}`;
-  }
-  if (isSharedInstallTarget(computer)) {
-    return `using shared machine ${computer.handle}`;
-  }
-  return `using ${computer.handle}`;
-}
-async function waitForRunning(initial) {
-  if (initial.status === "running") {
-    return initial;
-  }
-  const spinner = ora3(`Waiting for ${chalk5.bold(initial.handle)} to be ready...`).start();
-  const deadline = Date.now() + readyPollTimeoutMs;
-  let lastStatus = initial.status;
-  while (Date.now() < deadline) {
-    const current = await getComputerByID(initial.id);
-    if (current.status === "running") {
-      spinner.succeed(`${chalk5.bold(current.handle)} is ready`);
-      return current;
-    }
-    if (current.status !== lastStatus) {
-      lastStatus = current.status;
-      spinner.text = `Waiting for ${chalk5.bold(current.handle)}... ${chalk5.dim(current.status)}`;
-    }
-    if (current.status === "error" || current.status === "deleted" || current.status === "stopped") {
-      spinner.fail(`${current.handle} entered ${current.status}`);
-      throw new Error(current.last_error || `${current.handle} entered ${current.status}`);
-    }
-    await delay(readyPollIntervalMs);
-  }
-  spinner.fail(`Timed out waiting for ${initial.handle}`);
-  throw new Error(`timed out waiting for ${initial.handle} to be ready`);
-}
-async function runManualOAuthFlow() {
-  const codeVerifier = base64url(randomBytes(32));
-  const state = randomBytes(16).toString("hex");
-  const codeChallenge = base64url(createHash("sha256").update(codeVerifier).digest());
-  const url = buildAuthorizationURL(codeChallenge, state);
-  console.log("We will open your browser so you can authenticate with Claude.");
-  console.log("If the browser does not open automatically, use the URL below:\n");
-  console.log(url);
-  console.log();
-  try {
-    await openBrowserURL(url);
-  } catch {
-    console.log(chalk5.yellow("Unable to open the browser automatically."));
-  }
-  console.log(
-    "After completing authentication, copy the code shown on the success page."
+  console.log(
+    "After completing authentication, copy the code shown on the success page."
   );
   console.log("You can paste either the full URL, or a value formatted as CODE#STATE.\n");
   const pasted = (await textInput({
@@ -1799,7 +1911,7 @@ async function runManualOAuthFlow() {
     throw new Error("no authorization code provided");
   }
   const parsed = parseAuthorizationInput(pasted, state);
-  const spinner = ora3("Exchanging authorization code...").start();
+  const spinner = ora4("Exchanging authorization code...").start();
   try {
     const response = await fetch(CLAUDE_OAUTH_TOKEN_URL, {
       method: "POST",
@@ -1871,25 +1983,11 @@ function parseAuthorizationInput(value, expectedState) {
   }
   return { code, state };
 }
-async function resolveSSHTarget(computer) {
-  const registered = await ensureDefaultSSHKeyRegistered();
-  const info = await getConnectionInfo(computer.id);
-  if (!info.connection.ssh_available) {
-    throw new Error(`SSH is not available for ${computer.handle}`);
-  }
-  return {
-    handle: computer.handle,
-    host: info.connection.ssh_host,
-    port: info.connection.ssh_port,
-    user: info.connection.ssh_user,
-    identityFile: registered.privateKeyPath
-  };
-}
 async function installClaudeAuth(target, oauth) {
-  const spinner = ora3(`Installing Claude auth on ${chalk5.bold(target.handle)}...`).start();
+  const spinner = ora4(`Installing Claude auth on ${chalk5.bold(target.handle)}...`).start();
   try {
     const installScript = buildInstallScript(oauth.refreshToken, oauth.scope);
-    const result = await runRemoteBash(target, ["-s"], installScript);
+    const result = await runRemoteCommand(target, ["bash", "-s"], installScript);
     if (result.stdout.trim()) {
       spinner.succeed(`Installed Claude auth on ${chalk5.bold(target.handle)}`);
       return;
@@ -1902,9 +2000,36 @@ async function installClaudeAuth(target, oauth) {
     throw error;
   }
 }
+async function verifyTargetMachine(handle, target) {
+  const spinner = ora4(`Verifying Claude login on ${chalk5.bold(handle)}...`).start();
+  const result = await verifyStoredAuth(target);
+  if (result.status === "verified") {
+    spinner.succeed(`Verified Claude login on ${chalk5.bold(handle)}`);
+    return result;
+  }
+  spinner.warn(result.detail);
+  return result;
+}
+async function verifySharedInstall(primaryHandle, primaryComputerID, sharedInstall, skip, verify) {
+  const spinner = ora4(
+    `Verifying shared-home Claude login from ${chalk5.bold(primaryHandle)}...`
+  ).start();
+  const result = await verifySecondaryMachine(
+    primaryComputerID,
+    sharedInstall,
+    skip,
+    verify
+  );
+  if (result.status === "verified") {
+    spinner.succeed(`Verified shared-home Claude login on ${chalk5.bold(result.handle)}`);
+    return result;
+  }
+  spinner.info(result.reason);
+  return result;
+}
 function buildInstallScript(refreshToken, scopes) {
-  const tokenMarker = `TOKEN_${randomSuffix(12)}`;
-  const scopeMarker = `SCOPES_${randomSuffix(12)}`;
+  const tokenMarker = `TOKEN_${randomSuffix2(12)}`;
+  const scopeMarker = `SCOPES_${randomSuffix2(12)}`;
   return [
     "set -euo pipefail",
     'command -v claude >/dev/null 2>&1 || { echo "claude is not installed on this computer" >&2; exit 1; }',
@@ -1922,113 +2047,65 @@ function buildInstallScript(refreshToken, scopes) {
   ].join("\n");
 }
 async function verifyStoredAuth(target) {
-  const command = freshShellCommand("claude auth status --json");
-  const result = await runRemoteBash(target, ["-lc", command]);
-  const payload = parseStatusOutput(result.stdout);
-  if (!payload.loggedIn) {
-    throw new Error(`Claude auth is not visible on ${target.handle}`);
-  }
-}
-function freshShellCommand(inner) {
-  return [
-    "env -i",
-    'HOME="$HOME"',
-    'USER="${USER:-node}"',
-    'SHELL="/bin/bash"',
-    'PATH="$HOME/.local/bin:/usr/local/bin:/usr/bin:/bin"',
-    "bash -lc",
-    shellQuote(inner)
-  ].join(" ");
-}
-function parseStatusOutput(stdout) {
-  const start = stdout.indexOf("{");
-  const end = stdout.lastIndexOf("}");
-  if (start === -1 || end === -1 || end <= start) {
-    throw new Error("could not parse claude auth status output");
-  }
-  const parsed = JSON.parse(stdout.slice(start, end + 1));
-  return { loggedIn: parsed.loggedIn === true };
-}
-async function verifySecondaryMachine(primaryComputerID, sharedInstall, skip) {
-  if (!sharedInstall) {
-    return { status: "skipped", reason: "target uses isolated filesystem" };
-  }
-  if (skip) {
-    return { status: "skipped", reason: "cross-check skipped by flag" };
-  }
-  const secondary = (await listComputers()).filter(
-    (computer) => computer.id !== primaryComputerID && computer.runtime_family === "managed-worker" && computer.filesystem_mode === "shared" && computer.ssh_enabled && computer.status === "running"
-  ).sort(
-    (left, right) => new Date(right.updated_at).getTime() - new Date(left.updated_at).getTime()
-  )[0];
-  if (!secondary) {
+  try {
+    const result = await runRemoteCommand(target, [
+      "bash",
+      "--noprofile",
+      "--norc",
+      "-lc",
+      "claude auth status --json 2>/dev/null || claude auth status"
+    ]);
+    const payload = parseStatusOutput(result.stdout, result.stderr);
+    if (payload.loggedIn) {
+      return { status: "verified", detail: "verified" };
+    }
     return {
-      status: "skipped",
-      reason: "no second running shared managed-worker was available"
+      status: "failed",
+      detail: payload.detail ? `verification failed: ${payload.detail}` : "verification failed"
+    };
+  } catch (error) {
+    return {
+      status: "inconclusive",
+      detail: error instanceof Error ? error.message : "verification command did not complete cleanly"
     };
   }
-  const sshTarget = await resolveSSHTarget(secondary);
-  await verifyStoredAuth(sshTarget);
-  return { status: "verified", handle: secondary.handle };
 }
-async function runRemoteBash(target, bashArgs, script) {
-  const args = [
-    "-T",
-    "-i",
-    target.identityFile,
-    "-p",
-    String(target.port),
-    `${target.user}@${target.host}`,
-    "bash",
-    ...bashArgs
-  ];
-  return new Promise((resolve, reject) => {
-    const child = spawn2("ssh", args, {
-      stdio: ["pipe", "pipe", "pipe"]
-    });
-    let stdout = "";
-    let stderr = "";
-    child.stdout.on("data", (chunk) => {
-      stdout += chunk.toString();
-    });
-    child.stderr.on("data", (chunk) => {
-      stderr += chunk.toString();
-    });
-    child.on("error", reject);
-    child.on("exit", (code) => {
-      if (code === 0) {
-        resolve({ stdout, stderr });
-        return;
-      }
-      const message = stderr.trim() || stdout.trim() || `ssh exited with code ${code ?? 1}`;
-      reject(new Error(message));
-    });
-    if (script !== void 0) {
-      child.stdin.end(script);
-    } else {
-      child.stdin.end();
+function parseStatusOutput(stdout, stderr) {
+  const combined = [stdout, stderr].map((value) => value.trim()).filter(Boolean).join("\n");
+  const start = combined.indexOf("{");
+  const end = combined.lastIndexOf("}");
+  if (start === -1 || end === -1 || end <= start) {
+    const normalized = combined.toLowerCase();
+    if (normalized.includes("not logged in") || normalized.includes("logged out")) {
+      return { loggedIn: false, detail: firstStatusLine(combined) };
     }
-  });
+    if (normalized.includes("logged in")) {
+      return { loggedIn: true };
+    }
+    throw new Error(
+      combined ? `could not verify Claude auth from status output: ${firstStatusLine(combined)}` : "could not verify Claude auth from empty status output"
+    );
+  }
+  const parsed = JSON.parse(combined.slice(start, end + 1));
+  return {
+    loggedIn: parsed.loggedIn === true,
+    detail: parsed.loggedIn === true ? void 0 : parsed.error
+  };
 }
-function shellQuote(value) {
-  return `'${value.replace(/'/g, `'\\''`)}'`;
+function firstStatusLine(value) {
+  return value.split(/\r?\n/).map((line) => line.trim()).find(Boolean) ?? "unknown output";
 }
 function base64url(buffer) {
   return buffer.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
 }
-function randomSuffix(length) {
-  return randomBytes(Math.ceil(length / 2)).toString("hex").slice(0, length);
-}
-function delay(ms) {
-  return new Promise((resolve) => {
-    setTimeout(resolve, ms);
-  });
+function randomSuffix2(length) {
+  return randomBytes2(Math.ceil(length / 2)).toString("hex").slice(0, length);
 }
 
 // src/commands/computers.ts
 import { Command as Command5 } from "commander";
 import chalk6 from "chalk";
-import ora4 from "ora";
+import ora5 from "ora";
 import { select as select2, input as textInput2, confirm } from "@inquirer/prompts";
 
 // src/lib/machine-sources.ts
@@ -2193,7 +2270,7 @@ function printComputerTableVerbose(computers) {
   console.log();
 }
 var lsCommand = new Command5("ls").description("List computers").option("--json", "Print raw JSON").option("-v, --verbose", "Show all URLs for each computer").action(async (options) => {
-  const spinner = options.json ? null : ora4("Fetching computers...").start();
+  const spinner = options.json ? null : ora5("Fetching computers...").start();
   try {
     const computers = await listComputers();
     spinner?.stop();
@@ -2224,7 +2301,7 @@ var lsCommand = new Command5("ls").description("List computers").option("--json"
   }
 });
 var getCommand = new Command5("get").description("Show computer details").argument("<id-or-handle>", "Computer id or handle").option("--json", "Print raw JSON").action(async (identifier, options) => {
-  const spinner = options.json ? null : ora4("Fetching computer...").start();
+  const spinner = options.json ? null : ora5("Fetching computer...").start();
   try {
     const computer = await resolveComputer(identifier);
     spinner?.stop();
@@ -2265,7 +2342,7 @@ var createCommand = new Command5("create").description("Create a computer").argu
     if (provisioningNote) {
       console.log(chalk6.dim(provisioningNote));
     }
-    spinner = ora4(createSpinnerText(runtimeFamily, filesystemSettings, 0)).start();
+    spinner = ora5(createSpinnerText(runtimeFamily, filesystemSettings, 0)).start();
     startTime = Date.now();
     timer = setInterval(() => {
       const elapsed2 = (Date.now() - startTime) / 1e3;
@@ -2371,7 +2448,7 @@ async function resolveCreateOptions(options) {
 var removeCommand = new Command5("rm").description("Delete a computer").argument("<id-or-handle>", "Computer id or handle").option("-y, --yes", "Skip confirmation prompt").action(async (identifier, options, cmd) => {
   const globalYes = cmd.parent?.opts()?.yes;
   const skipConfirm = Boolean(options.yes || globalYes);
-  const spinner = ora4("Resolving computer...").start();
+  const spinner = ora5("Resolving computer...").start();
   try {
     const computer = await resolveComputer(identifier);
     spinner.stop();
@@ -2385,7 +2462,7 @@ var removeCommand = new Command5("rm").description("Delete a computer").argument
         return;
       }
     }
-    const deleteSpinner = ora4("Deleting computer...").start();
+    const deleteSpinner = ora5("Deleting computer...").start();
     await api(`/v1/computers/${computer.id}`, {
       method: "DELETE"
     });
@@ -2524,8 +2601,10 @@ _computer() {
     'login:Authenticate the CLI'
     'logout:Remove stored API key'
     'whoami:Show current user'
-    'claude-auth:Authenticate Claude Code on a computer'
-    'claude-login:Alias for claude-auth'
+    'claude-login:Authenticate Claude Code on a computer'
+    'claude-auth:Alias for claude-login'
+    'codex-login:Authenticate Codex on a computer'
+    'codex-auth:Alias for codex-login'
     'create:Create a computer'
     'ls:List computers'
     'get:Show computer details'
@@ -2578,11 +2657,12 @@ _computer() {
         whoami)
           _arguments '--json[Print raw JSON]'
           ;;
-        claude-auth|claude-login)
+        claude-auth|claude-login|codex-auth|codex-login)
           _arguments \\
             '--machine[Use a specific computer]:computer:_computer_handles' \\
             '--keep-helper[Keep a temporary helper machine]' \\
-            '--skip-cross-check[Skip second-machine verification]'
+            '--skip-cross-check[Skip second-machine verification]' \\
+            '--verbose[Show step-by-step auth diagnostics]'
           ;;
         create)
           _arguments \\
@@ -2730,7 +2810,7 @@ var BASH_SCRIPT = `_computer() {
   local cur prev words cword
   _init_completion || return
 
-  local commands="login logout whoami claude-auth claude-login create ls get image open ssh ports agent fleet acp rm completion help"
+  local commands="login logout whoami claude-login claude-auth codex-login codex-auth create ls get image open ssh ports agent fleet acp rm completion help"
   local ports_commands="ls publish rm"
   local image_commands="ls save default rebuild rm"
 
@@ -2748,8 +2828,8 @@ var BASH_SCRIPT = `_computer() {
     whoami)
       COMPREPLY=($(compgen -W "--json" -- "$cur"))
       ;;
-    claude-auth|claude-login)
-      COMPREPLY=($(compgen -W "--machine --keep-helper --skip-cross-check" -- "$cur"))
+    claude-auth|claude-login|codex-auth|codex-login)
+      COMPREPLY=($(compgen -W "--machine --keep-helper --skip-cross-check --verbose" -- "$cur"))
       ;;
     create)
       COMPREPLY=($(compgen -W "--name --tier --interactive --runtime-family --source-kind --image-family --image-ref --use-platform-default --primary-port --primary-path --healthcheck-type --healthcheck-value --ssh-enabled --ssh-disabled --vnc-enabled --vnc-disabled" -- "$cur"))
@@ -2847,14 +2927,344 @@ var completionCommand = new Command6("completion").description("Generate shell c
   }
 });
 
-// src/commands/images.ts
-import { confirm as confirm2, input as textInput3, select as select3 } from "@inquirer/prompts";
+// src/commands/codex-login.ts
+import { spawn as spawn3 } from "child_process";
+import { readFile as readFile3 } from "fs/promises";
+import { homedir as homedir4 } from "os";
+import { join as join3 } from "path";
 import { Command as Command7 } from "commander";
 import chalk7 from "chalk";
-import ora5 from "ora";
-var imageCommand = new Command7("image").description("Manage machine image sources");
+import ora6 from "ora";
+var codexLoginCommand = new Command7("codex-login").alias("codex-auth").description("Authenticate Codex on a computer").option("--machine <id-or-handle>", "Use a specific computer").option("--keep-helper", "Keep a temporary helper machine if one is created").option("--skip-cross-check", "Skip verification on a second shared machine").option("--verbose", "Show step-by-step auth diagnostics").action(async (options) => {
+  const todos = createTodoList2();
+  let target = null;
+  let helperCreated = false;
+  let sharedInstall = false;
+  let activeTodoID = "target";
+  let failureMessage = null;
+  console.log();
+  console.log(chalk7.cyan("Authenticating with Codex...\n"));
+  try {
+    const prepared = await prepareTargetMachine2(options);
+    target = prepared.computer;
+    helperCreated = prepared.helperCreated;
+    sharedInstall = prepared.sharedInstall;
+    markTodo2(todos, "target", "done", prepared.detail);
+    activeTodoID = "ready";
+    target = await waitForRunning(target);
+    markTodo2(todos, "ready", "done", `${target.handle} is running`);
+    activeTodoID = "local-auth";
+    const localAuth = await ensureLocalCodexAuth();
+    markTodo2(todos, "local-auth", "done", localAuth.detail);
+    activeTodoID = "install";
+    const sshTarget = await resolveSSHTarget(target);
+    await installCodexAuth(sshTarget, localAuth.authJSON);
+    markTodo2(
+      todos,
+      "install",
+      "done",
+      sharedInstall ? `installed Codex login on shared home via ${target.handle}` : `installed Codex login on ${target.handle}`
+    );
+    activeTodoID = "verify-primary";
+    const primaryVerification = await verifyTargetMachine2(target.handle, sshTarget);
+    markVerificationTodo2(
+      todos,
+      "verify-primary",
+      primaryVerification,
+      `${target.handle} fresh login shell sees Codex auth`
+    );
+    activeTodoID = "verify-shared";
+    const sharedCheck = primaryVerification.status === "verified" ? await verifySharedInstall2(
+      target.handle,
+      target.id,
+      sharedInstall,
+      Boolean(options.skipCrossCheck),
+      verifyStoredCodexAuth
+    ) : {
+      status: "skipped",
+      reason: "primary verification was inconclusive"
+    };
+    if (sharedCheck.status === "verified") {
+      markTodo2(
+        todos,
+        "verify-shared",
+        "done",
+        `${sharedCheck.handle} also sees stored Codex auth`
+      );
+    } else {
+      markTodo2(todos, "verify-shared", "skipped", sharedCheck.reason);
+    }
+  } catch (error) {
+    failureMessage = error instanceof Error ? error.message : "Failed to authenticate Codex";
+    markTodo2(todos, activeTodoID, "failed", failureMessage);
+  } finally {
+    if (helperCreated && target && !options.keepHelper) {
+      try {
+        await deleteComputer(target.id);
+        markTodo2(
+          todos,
+          "cleanup",
+          "done",
+          `removed temporary helper ${target.handle}`
+        );
+      } catch (error) {
+        const message = error instanceof Error ? error.message : "failed to remove helper";
+        markTodo2(todos, "cleanup", "failed", message);
+      }
+    } else if (helperCreated && target && options.keepHelper) {
+      markTodo2(todos, "cleanup", "skipped", `kept helper ${target.handle}`);
+    } else {
+      markTodo2(todos, "cleanup", "skipped", "no helper created");
+    }
+    if (options.verbose) {
+      printTodoList2(todos);
+    }
+  }
+  if (failureMessage) {
+    console.error(chalk7.red(`
+${failureMessage}`));
+    process.exit(1);
+  }
+  if (target) {
+    console.log(
+      chalk7.green(`Codex login installed on ${chalk7.bold(target.handle)}.`)
+    );
+    console.log();
+  }
+});
+function createTodoList2() {
+  return [
+    { id: "target", label: "Pick target computer", state: "pending" },
+    { id: "ready", label: "Wait for machine readiness", state: "pending" },
+    { id: "local-auth", label: "Complete local Codex auth", state: "pending" },
+    { id: "install", label: "Install stored Codex login", state: "pending" },
+    { id: "verify-primary", label: "Verify on target machine", state: "pending" },
+    { id: "verify-shared", label: "Verify shared-home propagation", state: "pending" },
+    { id: "cleanup", label: "Clean up temporary helper", state: "pending" }
+  ];
+}
+function markTodo2(items, id, state, detail) {
+  const item = items.find((entry) => entry.id === id);
+  if (!item) {
+    return;
+  }
+  item.state = state;
+  item.detail = detail;
+}
+function markVerificationTodo2(items, id, result, successDetail) {
+  if (result.status === "verified") {
+    markTodo2(items, id, "done", successDetail);
+    return;
+  }
+  markTodo2(items, id, "skipped", result.detail);
+}
+function printTodoList2(items) {
+  console.log();
+  console.log(chalk7.dim("TODO"));
+  console.log();
+  for (const item of items) {
+    const marker = item.state === "done" ? chalk7.green("[x]") : item.state === "skipped" ? chalk7.yellow("[-]") : item.state === "failed" ? chalk7.red("[!]") : chalk7.dim("[ ]");
+    const detail = item.detail ? chalk7.dim(`  ${item.detail}`) : "";
+    console.log(`  ${marker} ${item.label}${detail ? ` ${detail}` : ""}`);
+  }
+  console.log();
+}
+async function prepareTargetMachine2(options) {
+  return prepareAuthTarget(options, {
+    helperPrefix: "codex-login",
+    helperDisplayName: "Codex Login Helper",
+    promptMessage: "Select a computer for Codex login"
+  });
+}
+async function ensureLocalCodexAuth() {
+  const localStatus = await getLocalCodexStatus();
+  if (localStatus.loggedIn) {
+    return {
+      authJSON: await readLocalCodexAuthFile(),
+      detail: "reused existing local Codex login"
+    };
+  }
+  if (!process.stdin.isTTY || !process.stdout.isTTY) {
+    throw new Error("local Codex login is required when not running interactively");
+  }
+  console.log("We will open your browser so you can authenticate Codex locally.");
+  console.log("If Codex falls back to device auth, complete that flow and return here.\n");
+  await runInteractiveCodexLogin();
+  const refreshedStatus = await getLocalCodexStatus();
+  if (!refreshedStatus.loggedIn) {
+    throw new Error(
+      refreshedStatus.detail || "codex login did not complete successfully"
+    );
+  }
+  return {
+    authJSON: await readLocalCodexAuthFile(),
+    detail: "local Codex login completed"
+  };
+}
+async function getLocalCodexStatus() {
+  const result = await captureLocalCommand("codex", ["login", "status"]);
+  return parseCodexStatusOutput(result.stdout, result.stderr);
+}
+async function readLocalCodexAuthFile() {
+  const authPath = join3(homedir4(), ".codex", "auth.json");
+  let raw;
+  try {
+    raw = await readFile3(authPath, "utf8");
+  } catch (error) {
+    throw new Error(
+      error instanceof Error ? `failed to read ${authPath}: ${error.message}` : `failed to read ${authPath}`
+    );
+  }
+  try {
+    JSON.parse(raw);
+  } catch (error) {
+    throw new Error(
+      error instanceof Error ? `local Codex auth file is invalid JSON: ${error.message}` : "local Codex auth file is invalid JSON"
+    );
+  }
+  return `${raw.trimEnd()}
+`;
+}
+async function runInteractiveCodexLogin() {
+  await new Promise((resolve, reject) => {
+    const child = spawn3("codex", ["login"], {
+      stdio: "inherit"
+    });
+    child.on("error", (error) => {
+      reject(
+        error instanceof Error ? new Error(`failed to start local codex login: ${error.message}`) : new Error("failed to start local codex login")
+      );
+    });
+    child.on("exit", (code, signal) => {
+      if (code === 0) {
+        resolve();
+        return;
+      }
+      if (signal) {
+        reject(new Error(`codex login was interrupted by ${signal}`));
+        return;
+      }
+      reject(new Error(`codex login exited with code ${code ?? 1}`));
+    });
+  });
+}
+async function captureLocalCommand(command, args) {
+  return new Promise((resolve, reject) => {
+    const child = spawn3(command, args, {
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    let stdout = "";
+    let stderr = "";
+    child.stdout.on("data", (chunk) => {
+      stdout += chunk.toString();
+    });
+    child.stderr.on("data", (chunk) => {
+      stderr += chunk.toString();
+    });
+    child.on("error", reject);
+    child.on("exit", (code) => {
+      resolve({ stdout, stderr, exitCode: code });
+    });
+  });
+}
+async function installCodexAuth(target, authJSON) {
+  const spinner = ora6(`Installing Codex login on ${chalk7.bold(target.handle)}...`).start();
+  try {
+    const installScript = buildInstallScript2(authJSON);
+    await runRemoteCommand(target, ["bash", "-s"], installScript);
+    spinner.succeed(`Installed Codex login on ${chalk7.bold(target.handle)}`);
+  } catch (error) {
+    spinner.fail(
+      error instanceof Error ? error.message : `Failed to install Codex login on ${target.handle}`
+    );
+    throw error;
+  }
+}
+async function verifyTargetMachine2(handle, target) {
+  const spinner = ora6(`Verifying Codex login on ${chalk7.bold(handle)}...`).start();
+  const result = await verifyStoredCodexAuth(target);
+  if (result.status === "verified") {
+    spinner.succeed(`Verified Codex login on ${chalk7.bold(handle)}`);
+    return result;
+  }
+  spinner.warn(result.detail);
+  return result;
+}
+async function verifySharedInstall2(primaryHandle, primaryComputerID, sharedInstall, skip, verify) {
+  const spinner = ora6(
+    `Verifying shared-home Codex login from ${chalk7.bold(primaryHandle)}...`
+  ).start();
+  const result = await verifySecondaryMachine(
+    primaryComputerID,
+    sharedInstall,
+    skip,
+    verify
+  );
+  if (result.status === "verified") {
+    spinner.succeed(`Verified shared-home Codex login on ${chalk7.bold(result.handle)}`);
+    return result;
+  }
+  spinner.info(result.reason);
+  return result;
+}
+function buildInstallScript2(authJSON) {
+  const authMarker = `AUTH_${randomSuffix(12)}`;
+  return [
+    "set -euo pipefail",
+    'command -v codex >/dev/null 2>&1 || { echo "codex is not installed on this computer" >&2; exit 1; }',
+    'mkdir -p "$HOME/.codex"',
+    'chmod 700 "$HOME/.codex"',
+    `cat > "$HOME/.codex/auth.json" <<'${authMarker}'`,
+    authJSON.trimEnd(),
+    authMarker,
+    'chmod 600 "$HOME/.codex/auth.json"'
+  ].join("\n");
+}
+async function verifyStoredCodexAuth(target) {
+  try {
+    const result = await runRemoteCommand(target, [
+      'PATH="$HOME/.local/bin:$PATH" codex login status 2>&1 || true'
+    ]);
+    const payload = parseCodexStatusOutput(result.stdout, result.stderr);
+    if (payload.loggedIn) {
+      return { status: "verified", detail: "verified" };
+    }
+    return {
+      status: "failed",
+      detail: payload.detail ? `verification failed: ${payload.detail}` : "verification failed"
+    };
+  } catch (error) {
+    return {
+      status: "inconclusive",
+      detail: error instanceof Error ? error.message : "verification command did not complete cleanly"
+    };
+  }
+}
+function parseCodexStatusOutput(stdout, stderr) {
+  const combined = [stdout, stderr].map((value) => value.trim()).filter(Boolean).join("\n");
+  const normalized = combined.toLowerCase();
+  if (normalized.includes("not logged in") || normalized.includes("logged out")) {
+    return { loggedIn: false, detail: firstStatusLine2(combined) };
+  }
+  if (normalized.includes("logged in")) {
+    return { loggedIn: true };
+  }
+  throw new Error(
+    combined ? `could not verify Codex auth from status output: ${firstStatusLine2(combined)}` : "could not verify Codex auth from empty status output"
+  );
+}
+function firstStatusLine2(value) {
+  return value.split(/\r?\n/).map((line) => line.trim()).find(Boolean) ?? "unknown output";
+}
+
+// src/commands/images.ts
+import { confirm as confirm2, input as textInput3, select as select3 } from "@inquirer/prompts";
+import { Command as Command8 } from "commander";
+import chalk8 from "chalk";
+import ora7 from "ora";
+var imageCommand = new Command8("image").description("Manage machine image sources");
 imageCommand.command("ls").description("List machine image sources").option("--json", "Print raw JSON").action(async (options) => {
-  const spinner = options.json ? null : ora5("Fetching machine images...").start();
+  const spinner = options.json ? null : ora7("Fetching machine images...").start();
   try {
     const settings = await getMachineSourceSettings();
     spinner?.stop();
@@ -2873,7 +3283,7 @@ imageCommand.command("ls").description("List machine image sources").option("--j
   }
 });
 imageCommand.command("save").description("Create or update a machine image source").option("--id <id>", "Existing source id to update").option("--kind <kind>", "oci-image or nix-git").option("--requested-ref <ref>", "OCI image ref or explicit resolved ref").option("--git-url <url>", "Repository URL for a Nix git source").option("--git-ref <ref>", "Git ref for a Nix git source").option("--git-subpath <path>", "Subdirectory for a Nix git source").option("--set-as-default", "Select this source as the default after saving").option("--json", "Print raw JSON").action(async (options) => {
-  const spinner = options.json ? null : ora5("Saving machine image source...").start();
+  const spinner = options.json ? null : ora7("Saving machine image source...").start();
   try {
     const input = await resolveSaveInput(options);
     const settings = await upsertMachineSource(input);
@@ -2883,7 +3293,7 @@ imageCommand.command("save").description("Create or update a machine image sourc
       return;
     }
     console.log();
-    console.log(chalk7.green("Saved machine image source."));
+    console.log(chalk8.green("Saved machine image source."));
     printMachineSourceSettings(settings);
   } catch (error) {
     if (spinner) {
@@ -2896,7 +3306,7 @@ imageCommand.command("save").description("Create or update a machine image sourc
 });
 imageCommand.command("default").description("Set the default machine image source").argument("[source-id]", "Source id to select; use 'platform' or omit for the platform default").option("--json", "Print raw JSON").action(async (sourceID, options) => {
   const usePlatformDefault = !sourceID || sourceID === "platform";
-  const spinner = options.json ? null : ora5("Updating machine image default...").start();
+  const spinner = options.json ? null : ora7("Updating machine image default...").start();
   try {
     let settings;
     if (usePlatformDefault) {
@@ -2922,9 +3332,9 @@ imageCommand.command("default").description("Set the default machine image sourc
     if (!usePlatformDefault) {
       const selected = settings.default_machine_source ?? void 0;
       const label = selected ? summarizeMachineSource(selected) : sourceID;
-      console.log(chalk7.green(`Selected ${chalk7.bold(label)} as the default machine image.`));
+      console.log(chalk8.green(`Selected ${chalk8.bold(label)} as the default machine image.`));
     } else {
-      console.log(chalk7.green("Using the AgentComputer platform default image."));
+      console.log(chalk8.green("Using the AgentComputer platform default image."));
     }
     printMachineSourceSettings(settings);
   } catch (error) {
@@ -2937,7 +3347,7 @@ imageCommand.command("default").description("Set the default machine image sourc
   }
 });
 imageCommand.command("rebuild").description("Rebuild a machine image source").argument("<source-id>", "Source id to rebuild").option("--json", "Print raw JSON").action(async (sourceID, options) => {
-  const spinner = options.json ? null : ora5("Queueing machine image rebuild...").start();
+  const spinner = options.json ? null : ora7("Queueing machine image rebuild...").start();
   try {
     const settings = await rebuildMachineSource(sourceID);
     spinner?.stop();
@@ -2946,7 +3356,7 @@ imageCommand.command("rebuild").description("Rebuild a machine image source").ar
       return;
     }
     console.log();
-    console.log(chalk7.green(`Queued rebuild for ${chalk7.bold(sourceID)}.`));
+    console.log(chalk8.green(`Queued rebuild for ${chalk8.bold(sourceID)}.`));
     printMachineSourceSettings(settings);
   } catch (error) {
     if (spinner) {
@@ -2965,11 +3375,11 @@ imageCommand.command("rm").description("Delete a machine image source").argument
     if (!skipConfirm && process.stdin.isTTY) {
       const confirmed = await confirmDeletion(sourceID);
       if (!confirmed) {
-        console.log(chalk7.dim("  Cancelled."));
+        console.log(chalk8.dim("  Cancelled."));
         return;
       }
     }
-    spinner = options.json ? null : ora5("Deleting machine image source...").start();
+    spinner = options.json ? null : ora7("Deleting machine image source...").start();
     const settings = await deleteMachineSource(sourceID);
     spinner?.stop();
     if (options.json) {
@@ -2977,7 +3387,7 @@ imageCommand.command("rm").description("Delete a machine image source").argument
       return;
     }
     console.log();
-    console.log(chalk7.green(`Deleted machine image source ${chalk7.bold(sourceID)}.`));
+    console.log(chalk8.green(`Deleted machine image source ${chalk8.bold(sourceID)}.`));
     printMachineSourceSettings(settings);
   } catch (error) {
     if (spinner) {
@@ -2989,10 +3399,10 @@ imageCommand.command("rm").description("Delete a machine image source").argument
   }
 });
 function printMachineSourceSettings(settings) {
-  console.log(`  ${chalk7.dim("Default")}  ${chalk7.white(summarizeMachineSourceSelection(settings))}`);
+  console.log(`  ${chalk8.dim("Default")}  ${chalk8.white(summarizeMachineSourceSelection(settings))}`);
   console.log();
   if (settings.sources.length === 0) {
-    console.log(chalk7.dim("  No custom machine images configured yet."));
+    console.log(chalk8.dim("  No custom machine images configured yet."));
     console.log();
     return;
   }
@@ -3001,17 +3411,17 @@ function printMachineSourceSettings(settings) {
   }
 }
 function printMachineSourceCard(source, isDefault) {
-  console.log(`  ${chalk7.bold(machineSourceTitle(source))}${isDefault ? chalk7.green("  (default)") : ""}`);
-  console.log(`  ${chalk7.dim("    ID")}      ${source.id}`);
-  console.log(`  ${chalk7.dim("    Kind")}    ${source.kind}`);
-  console.log(`  ${chalk7.dim("    Status")}  ${source.status}${source.latest_build ? ` | latest build ${source.latest_build.status}` : ""}`);
+  console.log(`  ${chalk8.bold(machineSourceTitle(source))}${isDefault ? chalk8.green("  (default)") : ""}`);
+  console.log(`  ${chalk8.dim("    ID")}      ${source.id}`);
+  console.log(`  ${chalk8.dim("    Kind")}    ${source.kind}`);
+  console.log(`  ${chalk8.dim("    Status")}  ${source.status}${source.latest_build ? ` | latest build ${source.latest_build.status}` : ""}`);
   if (source.resolved_image_ref) {
-    console.log(`  ${chalk7.dim("    Resolved")} ${source.resolved_image_ref}`);
+    console.log(`  ${chalk8.dim("    Resolved")} ${source.resolved_image_ref}`);
   }
   if (source.error) {
-    console.log(`  ${chalk7.dim("    Error")}    ${chalk7.red(source.error)}`);
+    console.log(`  ${chalk8.dim("    Error")}    ${chalk8.red(source.error)}`);
   }
-  console.log(`  ${chalk7.dim("    Source")}   ${summarizeMachineSource(source)}`);
+  console.log(`  ${chalk8.dim("    Source")}   ${summarizeMachineSource(source)}`);
   console.log();
 }
 function machineSourceTitle(source) {
@@ -3128,18 +3538,18 @@ async function confirmDeletion(sourceID) {
 }
 
 // src/commands/login.ts
-import { Command as Command8 } from "commander";
-import chalk8 from "chalk";
-import ora6 from "ora";
+import { Command as Command9 } from "commander";
+import chalk9 from "chalk";
+import ora8 from "ora";
 
 // src/lib/browser-login.ts
-import { randomBytes as randomBytes2 } from "crypto";
+import { randomBytes as randomBytes3 } from "crypto";
 import { createServer } from "http";
 var CALLBACK_HOST = "127.0.0.1";
 var CALLBACK_PATH = "/callback";
 var LOGIN_TIMEOUT_MS = 5 * 60 * 1e3;
 async function createBrowserLoginAttempt() {
-  const state = randomBytes2(16).toString("hex");
+  const state = randomBytes3(16).toString("hex");
   const deferred = createDeferred();
   let callbackURL = "";
   let closed = false;
@@ -3358,11 +3768,11 @@ function escapeHTML(value) {
 }
 
 // src/commands/login.ts
-var loginCommand = new Command8("login").description("Authenticate the CLI").option("--api-key <key>", "API key starting with ac_live_").option("--stdin", "Read the API key from stdin").option("-f, --force", "Overwrite an existing stored API key").action(async (options) => {
+var loginCommand = new Command9("login").description("Authenticate the CLI").option("--api-key <key>", "API key starting with ac_live_").option("--stdin", "Read the API key from stdin").option("-f, --force", "Overwrite an existing stored API key").action(async (options) => {
   const existingKey = getStoredAPIKey();
   if (existingKey && !options.force) {
     console.log();
-    console.log(chalk8.yellow("  Already logged in. Use --force to overwrite."));
+    console.log(chalk9.yellow("  Already logged in. Use --force to overwrite."));
     console.log();
     return;
   }
@@ -3370,8 +3780,8 @@ var loginCommand = new Command8("login").description("Authenticate the CLI").opt
   const apiKey = await resolveAPIKeyInput(options.apiKey, options.stdin);
   if (!apiKey && wantsManualLogin) {
     console.log();
-    console.log(chalk8.dim("  Usage: computer login --api-key <ac_live_...>"));
-    console.log(chalk8.dim(`  API:   ${getBaseURL()}`));
+    console.log(chalk9.dim("  Usage: computer login --api-key <ac_live_...>"));
+    console.log(chalk9.dim(`  API:   ${getBaseURL()}`));
     console.log();
     process.exit(1);
   }
@@ -3381,15 +3791,15 @@ var loginCommand = new Command8("login").description("Authenticate the CLI").opt
   }
   if (!apiKey.startsWith("ac_live_")) {
     console.log();
-    console.log(chalk8.red("  API key must start with ac_live_"));
+    console.log(chalk9.red("  API key must start with ac_live_"));
     console.log();
     process.exit(1);
   }
-  const spinner = ora6("Authenticating...").start();
+  const spinner = ora8("Authenticating...").start();
   try {
     const me = await apiWithKey(apiKey, "/v1/me");
     setAPIKey(apiKey);
-    spinner.succeed(`Logged in as ${chalk8.bold(me.user.email)}`);
+    spinner.succeed(`Logged in as ${chalk9.bold(me.user.email)}`);
   } catch (error) {
     spinner.fail(
       error instanceof Error ? error.message : "Failed to validate API key"
@@ -3398,7 +3808,7 @@ var loginCommand = new Command8("login").description("Authenticate the CLI").opt
   }
 });
 async function runBrowserLogin() {
-  const spinner = ora6("Starting browser login...").start();
+  const spinner = ora8("Starting browser login...").start();
   let attempt = null;
   try {
     attempt = await createBrowserLoginAttempt();
@@ -3408,14 +3818,14 @@ async function runBrowserLogin() {
     } catch {
       spinner.stop();
       console.log();
-      console.log(chalk8.yellow("  Browser auto-open failed. Open this URL to continue:"));
-      console.log(chalk8.dim(`  ${attempt.loginURL}`));
+      console.log(chalk9.yellow("  Browser auto-open failed. Open this URL to continue:"));
+      console.log(chalk9.dim(`  ${attempt.loginURL}`));
       console.log();
       spinner.start("Waiting for browser login...");
     }
     spinner.text = "Waiting for browser login...";
     const result = await attempt.waitForResult();
-    spinner.succeed(`Logged in as ${chalk8.bold(result.me.user.email)}`);
+    spinner.succeed(`Logged in as ${chalk9.bold(result.me.user.email)}`);
   } catch (error) {
     spinner.fail(error instanceof Error ? error.message : "Browser login failed");
     process.exit(1);
@@ -3441,33 +3851,33 @@ async function resolveAPIKeyInput(flagValue, readFromStdin) {
 }
 
 // src/commands/logout.ts
-import { Command as Command9 } from "commander";
-import chalk9 from "chalk";
-var logoutCommand = new Command9("logout").description("Remove stored API key").action(() => {
+import { Command as Command10 } from "commander";
+import chalk10 from "chalk";
+var logoutCommand = new Command10("logout").description("Remove stored API key").action(() => {
   if (!getStoredAPIKey()) {
     console.log();
-    console.log(chalk9.dim("  Not logged in."));
+    console.log(chalk10.dim("  Not logged in."));
     if (hasEnvAPIKey()) {
-      console.log(chalk9.dim("  Environment API key is still active in this shell."));
+      console.log(chalk10.dim("  Environment API key is still active in this shell."));
     }
     console.log();
     return;
   }
   clearAPIKey();
   console.log();
-  console.log(chalk9.green("  Logged out."));
+  console.log(chalk10.green("  Logged out."));
   if (hasEnvAPIKey()) {
-    console.log(chalk9.dim("  Environment API key is still active in this shell."));
+    console.log(chalk10.dim("  Environment API key is still active in this shell."));
   }
   console.log();
 });
 
 // src/commands/whoami.ts
-import { Command as Command10 } from "commander";
-import chalk10 from "chalk";
-import ora7 from "ora";
-var whoamiCommand = new Command10("whoami").description("Show current user").option("--json", "Print raw JSON").action(async (options) => {
-  const spinner = options.json ? null : ora7("Loading user...").start();
+import { Command as Command11 } from "commander";
+import chalk11 from "chalk";
+import ora9 from "ora";
+var whoamiCommand = new Command11("whoami").description("Show current user").option("--json", "Print raw JSON").action(async (options) => {
+  const spinner = options.json ? null : ora9("Loading user...").start();
   try {
     const me = await api("/v1/me");
     spinner?.stop();
@@ -3476,14 +3886,14 @@ var whoamiCommand = new Command10("whoami").description("Show current user").opt
       return;
     }
     console.log();
-    console.log(`  ${chalk10.bold.white(me.user.display_name || me.user.email)}`);
+    console.log(`  ${chalk11.bold.white(me.user.display_name || me.user.email)}`);
     if (me.user.display_name) {
-      console.log(`  ${chalk10.dim(me.user.email)}`);
+      console.log(`  ${chalk11.dim(me.user.email)}`);
     }
     if (me.api_key.name) {
-      console.log(`  ${chalk10.dim("Key:")}  ${me.api_key.name}`);
+      console.log(`  ${chalk11.dim("Key:")}  ${me.api_key.name}`);
     }
-    console.log(`  ${chalk10.dim("API:")}  ${chalk10.dim(getBaseURL())}`);
+    console.log(`  ${chalk11.dim("API:")}  ${chalk11.dim(getBaseURL())}`);
     console.log();
   } catch (error) {
     if (spinner) {
@@ -3500,15 +3910,15 @@ var pkg2 = JSON.parse(
   readFileSync3(new URL("../package.json", import.meta.url), "utf8")
 );
 var cliName = process.argv[1] ? basename2(process.argv[1]) : "agentcomputer";
-var program = new Command11();
+var program = new Command12();
 function appendTextSection(lines, title, values) {
   if (values.length === 0) {
     return;
   }
-  lines.push(`  ${chalk11.dim(title)}`);
+  lines.push(`  ${chalk12.dim(title)}`);
   lines.push("");
   for (const value of values) {
-    lines.push(`    ${chalk11.white(value)}`);
+    lines.push(`    ${chalk12.white(value)}`);
   }
   lines.push("");
 }
@@ -3517,10 +3927,10 @@ function appendTableSection(lines, title, entries) {
     return;
   }
   const width = Math.max(...entries.map((entry) => entry.term.length), 0) + 2;
-  lines.push(`  ${chalk11.dim(title)}`);
+  lines.push(`  ${chalk12.dim(title)}`);
   lines.push("");
   for (const entry of entries) {
-    lines.push(`    ${chalk11.white(padEnd(entry.term, width))}${chalk11.dim(entry.desc)}`);
+    lines.push(`    ${chalk12.white(padEnd(entry.term, width))}${chalk12.dim(entry.desc)}`);
   }
   lines.push("");
 }
@@ -3545,17 +3955,17 @@ function formatRootHelp(cmd) {
     ["Other", []]
   ];
   const otherGroup = groups.find(([name]) => name === "Other")[1];
-  lines.push(`${chalk11.bold(cliName)} ${chalk11.dim(`v${version}`)}`);
+  lines.push(`${chalk12.bold(cliName)} ${chalk12.dim(`v${version}`)}`);
   lines.push("");
   if (cmd.description()) {
-    lines.push(`  ${chalk11.dim(cmd.description())}`);
+    lines.push(`  ${chalk12.dim(cmd.description())}`);
     lines.push("");
   }
   appendTextSection(lines, "Usage", [`${cliName} <command> [options]`]);
   for (const sub of cmd.commands) {
     const name = sub.name();
     const entry = { term: name, desc: sub.description() };
-    if (["login", "logout", "whoami", "claude-auth"].includes(name)) {
+    if (["login", "logout", "whoami", "claude-login", "codex-login"].includes(name)) {
       groups[0][1].push(entry);
     } else if (["create", "ls", "get", "rm"].includes(name)) {
       groups[1][1].push(entry);
@@ -3599,10 +4009,10 @@ function formatSubcommandHelp(cmd, helper) {
     term: helper.optionTerm(option),
     desc: helper.optionDescription(option)
   }));
-  lines.push(chalk11.bold(commandPath(cmd)));
+  lines.push(chalk12.bold(commandPath(cmd)));
   lines.push("");
   if (description) {
-    lines.push(`  ${chalk11.dim(description)}`);
+    lines.push(`  ${chalk12.dim(description)}`);
     lines.push("");
   }
   appendTextSection(lines, "Usage", [helper.commandUsage(cmd)]);
@@ -3629,7 +4039,8 @@ program.name(cliName).description("Agent Computer CLI").version(pkg2.version ??
 program.addCommand(loginCommand);
 program.addCommand(logoutCommand);
 program.addCommand(whoamiCommand);
-program.addCommand(claudeAuthCommand);
+program.addCommand(claudeLoginCommand);
+program.addCommand(codexLoginCommand);
 program.addCommand(createCommand);
 program.addCommand(lsCommand);
 program.addCommand(getCommand);