cdx-manager 0.6.3 → 0.6.5

package/README.md

@@ -1,6 +1,6 @@
 # CDX Manager
 
-[![License](https://img.shields.io/badge/license-MIT-4C8BF5)](LICENSE) ![Version](https://img.shields.io/badge/version-v0.6.3-4C8BF5) ![Python](https://img.shields.io/badge/python-3.9%2B-3776AB?logo=python&logoColor=white)
+[![License](https://img.shields.io/badge/license-MIT-4C8BF5)](LICENSE) ![Version](https://img.shields.io/badge/version-v0.6.5-4C8BF5) ![Python](https://img.shields.io/badge/python-3.9%2B-3776AB?logo=python&logoColor=white)
 
 **Run multiple Codex, Claude, Antigravity, and Ollama sessions from one terminal. Switch between accounts instantly.**
 
@@ -51,7 +51,7 @@ One command to launch any session. Zero auth juggling.
 
 ## Technical Overview
 
-- Python 3.9+, zero runtime dependencies.
+- Python 3.9+.
 - Environment isolation per session:
   - Codex sessions override `CODEX_HOME` to a dedicated profile directory.
   - Claude sessions override `HOME` to a dedicated profile directory and disable Claude Code commit co-author attribution by default.
@@ -134,7 +134,7 @@ For a specific version:
 
 ```bash
 curl -fsSL https://raw.githubusercontent.com/AlexAgo83/cdx-manager/main/install.sh -o install.sh
-CDX_VERSION=v0.6.3 sh install.sh
+CDX_VERSION=v0.6.5 sh install.sh
 ```
 
 From source:

package/changelogs/CHANGELOGS_0_6_4.md

@@ -0,0 +1,31 @@
+# Changelog (`0.6.3 -> 0.6.4`)
+
+Release date: 2026-05-29
+
+## Claude Multi-Account Authentication
+
+- Fixed Claude auth status reconciliation so `cdx status` no longer reports stale `authenticated` state after Claude CLI credentials are missing or logged out.
+- Stopped trusting `credentials/default.json` alone as proof of Claude login; cdx now validates real Claude CLI credentials or probes `claude auth status`.
+- Preferred Claude CLI credentials over setup-token fallback files for usage refreshes, avoiding HTTP 400 failures from stale or malformed fallback tokens.
+- Hardened setup-token extraction to ignore placeholder hints such as `CLAUDE_CODE_OAUTH_TOKEN=<token>` and continue scanning for the real `sk-ant-oat...` token.
+- Stripped terminal ANSI sequences from captured setup tokens before saving them.
+
+## Status Accuracy
+
+- Added an explicit `AUTH` column to `cdx status` and `auth_status` fields to JSON rows.
+- Marked Ollama and Antigravity authentication as `n/a` in the status table because cdx does not manage provider login for those sessions.
+- Excluded explicitly logged-out sessions from priority recommendations while still showing their cached quota rows.
+- Parsed Claude "No stats available yet" screens as a usable zero-usage status instead of leaving the row with unknown quota.
+
+## Release Metadata and Documentation
+
+- Updated package metadata, CLI version output, README badge, and pinned installer example to `v0.6.4`.
+
+## Validation and Regression Coverage
+
+- Added regression coverage for Claude setup-token placeholder extraction, malformed fallback tokens, CLI credential precedence, status auth rendering, and logged-out priority filtering.
+
+## Validation and Regression Evidence
+
+- `npm run lint`
+- `npm test`

package/changelogs/CHANGELOGS_0_6_5.md

@@ -0,0 +1,35 @@
+# Changelog (`0.6.4 -> 0.6.5`)
+
+Release date: 2026-05-29
+
+## Installer Integrity
+
+- Fixed standalone installer checksum resolution so the Unix installer can validate published GitHub archive checksums correctly.
+- Added regression coverage for the release checksum lookup path used by the standalone installer.
+
+## Claude Authentication
+
+- Preserved the captured Claude setup-token transcript when token extraction fails, making failed login setup recoverable and easier to inspect.
+- Reordered Claude status handling so authentication is checked before refreshing usage, avoiding noisy usage refresh failures when Claude credentials are absent or invalid.
+
+## Codex Authentication
+
+- Hardened Codex auth detection so an empty or unusable `auth.json` is no longer treated as an authenticated session.
+- Added coverage for usable-token validation instead of relying on file presence alone.
+
+## Auth Bundle Security
+
+- Replaced the previous homegrown auth bundle encryption with AEAD encryption via `cryptography`.
+- Added wrong-passphrase and auth bundle regression tests for the new encrypted bundle format.
+- Updated CI and publish workflows to install Python package dependencies before running Python-backed lint, tests, and version validation.
+
+## Release Metadata and Documentation
+
+- Updated package metadata, CLI version output, README badge, pinned installer example, and release changelog to `v0.6.5`.
+
+## Validation and Regression Evidence
+
+- `npm run lint`
+- `npm test`
+- `python -m build --sdist --wheel`
+- `npm pack --dry-run`

package/checksums/release-archives.json

@@ -16,6 +16,14 @@
     "v0.6.2": {
       "github_tarball_sha256": "0a00fba132453d265a72fa551bff750a9a400011f895d9da33149b335324e02e",
       "github_zip_sha256": "424b1c9652da5054bdc4cf26f31764ea34ddc4609d6eb8075efbf8068112cd50"
+    },
+    "v0.6.3": {
+      "github_tarball_sha256": "539bc299fe2211cddcbe58db71a859ebbd1cb76aec254f6feef501fc038d7c62",
+      "github_zip_sha256": "138c7c67ea1b512d71ed745559f8eed395accb9a06b3ed9d82c3ccc454aba12b"
+    },
+    "v0.6.4": {
+      "github_tarball_sha256": "f7c83dd1ae7506cf1ae6420e718a285f4dc96a10fb3a19e24cc17e79d75a46b4",
+      "github_zip_sha256": "d602800cf6b54f1e0adea751cc6b686ab2fc4a224715ade94f761df2ff7da2af"
     }
   }
 }

package/install.sh

@@ -34,7 +34,7 @@ sha256_file() {
 
 resolve_expected_sha256() {
   curl -fsSL "$CHECKSUMS_URL" |
-    python3 - "$1" <<'PY'
+    python3 -c '
 import json
 import sys
 
@@ -48,7 +48,7 @@ release = (payload.get("releases") or {}).get(tag) or {}
 value = release.get("github_tarball_sha256")
 if value:
     print(value)
-PY
+' "$1"
 }
 
 if [ -z "$VERSION" ]; then

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cdx-manager",
-  "version": "0.6.3",
+  "version": "0.6.5",
   "description": "Terminal session manager for Codex and Claude accounts.",
   "license": "MIT",
   "author": "Alexandre Agostini",

package/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "cdx-manager"
-version = "0.6.3"
+version = "0.6.5"
 description = "Terminal session manager for Codex and Claude accounts."
 readme = "README.md"
 requires-python = ">=3.9"
@@ -26,7 +26,7 @@ classifiers = [
   "Topic :: Software Development",
   "Topic :: Terminals",
 ]
-dependencies = []
+dependencies = ["cryptography>=42"]
 
 [project.urls]
 Homepage = "https://github.com/AlexAgo83/cdx-manager"

package/src/backup_bundle.py

@@ -11,10 +11,13 @@ from .errors import CdxError
 BUNDLE_SCHEMA_VERSION = 1
 _SALT_BYTES = 16
 _NONCE_BYTES = 16
+_AEAD_NONCE_BYTES = 12
 _SCRYPT_N = 2 ** 14
 _SCRYPT_R = 8
 _SCRYPT_P = 1
 _PBKDF2_ITERATIONS = 200000
+_AEAD_ALGORITHM = "aes-256-gcm"
+_LEGACY_ALGORITHM = "sha256-xor-hmac"
 
 
 def _now_iso():
@@ -68,6 +71,22 @@ def _derive_keys(passphrase, salt):
     return key_material[:32], key_material[32:]
 
 
+def _derive_aead_key(passphrase, salt):
+    enc_key, _mac_key = _derive_keys(passphrase, salt)
+    return enc_key
+
+
+def _load_aesgcm():
+    try:
+        from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+    except ImportError as error:
+        raise CdxError(
+            "Auth bundle encryption requires the Python package 'cryptography'. "
+            "Install cdx-manager through pipx/uv/pip, or install cryptography for the Python used by cdx."
+        ) from error
+    return AESGCM
+
+
 def _xor_keystream(data, key, nonce):
     output = bytearray()
     counter = 0
@@ -90,14 +109,14 @@ def encode_bundle(payload, include_auth=False, passphrase=None):
     }
     if include_auth:
         salt = os.urandom(_SALT_BYTES)
-        nonce = os.urandom(_NONCE_BYTES)
-        enc_key, mac_key = _derive_keys(passphrase, salt)
-        ciphertext = _xor_keystream(payload_bytes, enc_key, nonce)
-        mac = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
+        nonce = os.urandom(_AEAD_NONCE_BYTES)
+        aesgcm = _load_aesgcm()(_derive_aead_key(passphrase, salt))
+        ciphertext = aesgcm.encrypt(nonce, payload_bytes, None)
         wrapper.update({
+            "encryption": _AEAD_ALGORITHM,
+            "kdf": "scrypt" if hasattr(hashlib, "scrypt") else "pbkdf2-hmac-sha256",
             "salt": _b64_encode(salt),
             "nonce": _b64_encode(nonce),
-            "hmac_sha256": _b64_encode(mac),
             "payload": _b64_encode(ciphertext),
         })
     else:
@@ -116,13 +135,23 @@ def decode_bundle(data, passphrase=None):
     if encrypted:
         salt = _b64_decode(wrapper.get("salt", ""))
         nonce = _b64_decode(wrapper.get("nonce", ""))
-        expected_mac = _b64_decode(wrapper.get("hmac_sha256", ""))
         ciphertext = _b64_decode(payload_b64)
-        enc_key, mac_key = _derive_keys(passphrase, salt)
-        actual_mac = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
-        if not hmac.compare_digest(actual_mac, expected_mac):
-            raise CdxError("Invalid bundle passphrase or corrupted bundle.")
-        payload_bytes = _xor_keystream(ciphertext, enc_key, nonce)
+        algorithm = wrapper.get("encryption") or _LEGACY_ALGORITHM
+        if algorithm == _AEAD_ALGORITHM:
+            aesgcm = _load_aesgcm()(_derive_aead_key(passphrase, salt))
+            try:
+                payload_bytes = aesgcm.decrypt(nonce, ciphertext, None)
+            except Exception as error:
+                raise CdxError("Invalid bundle passphrase or corrupted bundle.") from error
+        elif algorithm == _LEGACY_ALGORITHM:
+            expected_mac = _b64_decode(wrapper.get("hmac_sha256", ""))
+            enc_key, mac_key = _derive_keys(passphrase, salt)
+            actual_mac = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
+            if not hmac.compare_digest(actual_mac, expected_mac):
+                raise CdxError("Invalid bundle passphrase or corrupted bundle.")
+            payload_bytes = _xor_keystream(ciphertext, enc_key, nonce)
+        else:
+            raise CdxError("Unsupported bundle encryption algorithm.")
     else:
         payload_bytes = _b64_decode(payload_b64)
 

package/src/claude_refresh.py

@@ -38,6 +38,7 @@ def _refresh_claude_sessions(service, refresh_fn=None, target_names=None, force=
         s for s in sessions
         if s["provider"] == PROVIDER_CLAUDE
         and s.get("enabled", True) is not False
+        and (s.get("auth") or {}).get("status") != "logged_out"
         and (not target_names or s["name"] in target_names)
         and (force or _is_stale(s, ttl_seconds=ttl_seconds))
     ]

package/src/claude_usage.py

@@ -1,5 +1,6 @@
 import json
 import os
+import re
 import subprocess
 import sys
 import urllib.request
@@ -14,24 +15,37 @@ CLAUDE_STATUS_PROBE_MODEL = os.environ.get("CDX_CLAUDE_STATUS_MODEL", "claude-ha
 CLAUDE_AUTH_STATUS_TIMEOUT_SECONDS = 15
 
 
+def _clean_oauth_token(token):
+    if not token:
+        return None
+    text = re.sub(r"\x1b\[[0-9;?]*[ -/]*[@-~]", "", str(token)).strip()
+    if not text or text.startswith("<") or any(ord(ch) < 32 or ord(ch) == 127 for ch in text):
+        return None
+    return text
+
+
 def _read_claude_credentials(auth_home):
-    anthropic_cred_path = os.path.join(auth_home, "credentials", "default.json")
+    cred_path = os.path.join(auth_home, ".claude", ".credentials.json")
     try:
-        with open(anthropic_cred_path, "r", encoding="utf-8") as f:
+        with open(cred_path, "r", encoding="utf-8") as f:
             data = json.load(f)
-        token = data.get("access_token") if isinstance(data, dict) else None
+        creds = data.get("claudeAiOauth") if isinstance(data, dict) else None
+        token = _clean_oauth_token(creds.get("accessToken")) if isinstance(creds, dict) else None
         if token:
-            return {"accessToken": token}
+            return {**creds, "accessToken": token}
     except (FileNotFoundError, json.JSONDecodeError, OSError):
         pass
 
-    cred_path = os.path.join(auth_home, ".claude", ".credentials.json")
+    anthropic_cred_path = os.path.join(auth_home, "credentials", "default.json")
     try:
-        with open(cred_path, "r", encoding="utf-8") as f:
+        with open(anthropic_cred_path, "r", encoding="utf-8") as f:
             data = json.load(f)
-        return data.get("claudeAiOauth")
+        token = _clean_oauth_token(data.get("access_token") if isinstance(data, dict) else None)
+        if token:
+            return {"accessToken": token}
     except (FileNotFoundError, json.JSONDecodeError, OSError):
-        return None
+        pass
+    return None
 
 
 def _home_env_overrides(auth_home):

package/src/cli.py

@@ -55,7 +55,7 @@ from .status_view import (
 )
 from .update_check import check_for_update
 
-VERSION = "0.6.3"
+VERSION = "0.6.5"
 
 
 # ---------------------------------------------------------------------------

package/src/cli_commands.py

@@ -33,6 +33,7 @@ from .notify import (
 from .provider_runtime import (
     _ensure_session_authentication,
     _list_launch_transcript_paths,
+    _probe_provider_auth,
     _run_interactive_provider_command,
 )
 from .repair import format_repair_report, repair_health
@@ -840,6 +841,7 @@ def _resolve_confirmation(confirm_fn, name):
 def _extract_claude_oauth_token(text):
     if not text:
         return None
+    text = re.sub(r"\x1b\[[0-9;?]*[ -/]*[@-~]", "", str(text))
     patterns = [
         r"CLAUDE_CODE_OAUTH_TOKEN=([^\s\"']+)",
         r"(sk-ant-oat[0-9A-Za-z._-]+)",
@@ -847,7 +849,10 @@ def _extract_claude_oauth_token(text):
     for pattern in patterns:
         match = re.search(pattern, text)
         if match:
-            return match.group(1).strip()
+            token = match.group(1).strip()
+            if token.startswith("<") or any(ord(ch) < 32 or ord(ch) == 127 for ch in token):
+                continue
+            return token
     return None
 
 
@@ -887,19 +892,18 @@ def _bootstrap_claude_setup_token(session, ctx):
             "Claude setup-token completed, but cdx could not capture the token. "
             "Run claude setup-token and save the token under credentials/default.json."
         )
-    try:
-        with open(transcript_path, "r", encoding="utf-8", errors="replace") as handle:
-            transcript = handle.read()
-    finally:
-        try:
-            os.remove(transcript_path)
-        except OSError:
-            pass
+    with open(transcript_path, "r", encoding="utf-8", errors="replace") as handle:
+        transcript = handle.read()
     token = _extract_claude_oauth_token(transcript)
     if not token:
         raise CdxError(
-            "Claude setup-token completed, but cdx could not find CLAUDE_CODE_OAUTH_TOKEN in the output."
+            "Claude setup-token completed, but cdx could not find CLAUDE_CODE_OAUTH_TOKEN in the output. "
+            f"Transcript kept at: {transcript_path}"
         )
+    try:
+        os.remove(transcript_path)
+    except OSError:
+        pass
     return _write_claude_oauth_token(session.get("authHome") or "", token)
 
 
@@ -1594,6 +1598,20 @@ def handle_status(rest, ctx):
     if len(args) == 1 and parsed["small"]:
         raise CdxError(STATUS_USAGE)
 
+    auth_refresh = _refresh_claude_auth_states(
+        ctx["service"],
+        target_names=args if len(args) == 1 else None,
+        spawn_sync=ctx.get("spawn_sync"),
+        env_override=ctx.get("env"),
+    )
+    warnings = [
+        {
+            "code": "claude_auth_probe_failed",
+            "session": item.get("session") or "unknown",
+            "message": item.get("error") or "unknown error",
+        }
+        for item in auth_refresh.get("errors", [])
+    ]
     refresh_result = _refresh_claude_sessions(
         ctx["service"],
         ctx.get("refresh_fn"),
@@ -1607,14 +1625,14 @@ def handle_status(rest, ctx):
         }
         for item in refresh_result.get("errors", [])
     ]
-    warnings = [
+    warnings.extend([
         {
             "code": "claude_refresh_failed",
             "session": item.get("session") or "unknown",
             "message": item.get("error") or "unknown error",
         }
         for item in refresh_errors
-    ]
+    ])
     update_warning = _update_notice_warning(ctx)
     if update_warning:
         warnings.append(update_warning)
@@ -1645,6 +1663,38 @@ def handle_status(rest, ctx):
     return 0
 
 
+def _refresh_claude_auth_states(service, target_names=None, spawn_sync=None, env_override=None):
+    target_names = set(target_names or [])
+    errors = []
+    updated = []
+    for session in service["list_sessions"]():
+        if session["provider"] != PROVIDER_CLAUDE:
+            continue
+        if session.get("enabled", True) is False:
+            continue
+        if target_names and session["name"] not in target_names:
+            continue
+        if (session.get("auth") or {}).get("status") not in ("authenticated", "logged_out"):
+            continue
+        try:
+            authenticated = _probe_provider_auth(
+                session,
+                spawn_sync=spawn_sync,
+                env_override=env_override,
+            )
+            now = _local_now_iso()
+            service["update_auth_state"](session["name"], lambda auth: {
+                **auth,
+                "status": "authenticated" if authenticated else "logged_out",
+                "lastCheckedAt": now,
+                **({"lastAuthenticatedAt": now} if authenticated else {}),
+            })
+            updated.append(session["name"])
+        except Exception as error:
+            errors.append({"session": session["name"], "error": str(error)})
+    return {"updated": updated, "errors": errors}
+
+
 def _write_refresh_warnings(refresh_errors, ctx, stream="out"):
     write = ctx["err"] if stream == "err" and "err" in ctx else ctx["out"]
     for item in refresh_errors:

package/src/provider_runtime.py

@@ -1,5 +1,6 @@
 import json
 import os
+import re
 import signal
 import shlex
 import shutil
@@ -58,6 +59,15 @@ def _anthropic_credentials_path(auth_home):
     return os.path.join(auth_home, "credentials", f"{_anthropic_profile_name()}.json")
 
 
+def _clean_oauth_token(token):
+    if not token:
+        return None
+    text = re.sub(r"\x1b\[[0-9;?]*[ -/]*[@-~]", "", str(token)).strip()
+    if not text or text.startswith("<") or any(ord(ch) < 32 or ord(ch) == 127 for ch in text):
+        return None
+    return text
+
+
 def _claude_env(base_env, auth_home):
     env = {**base_env, **_home_env_overrides(auth_home)}
     env.pop("CLAUDE_CONFIG_DIR", None)
@@ -73,9 +83,34 @@ def _read_anthropic_oauth_token(auth_home):
     except (FileNotFoundError, OSError, json.JSONDecodeError):
         return None
     token = credentials.get("access_token") if isinstance(credentials, dict) else None
-    if not token:
-        return None
-    return str(token)
+    return _clean_oauth_token(token)
+
+
+def _has_local_claude_auth(auth_home):
+    try:
+        with open(os.path.join(auth_home, ".claude", ".credentials.json"), "r", encoding="utf-8") as handle:
+            credentials = json.load(handle)
+    except (FileNotFoundError, OSError, json.JSONDecodeError):
+        return False
+    oauth = credentials.get("claudeAiOauth") if isinstance(credentials, dict) else None
+    return bool(isinstance(oauth, dict) and _clean_oauth_token(oauth.get("accessToken")))
+
+
+def _has_local_codex_auth(auth_home):
+    try:
+        with open(os.path.join(auth_home, "auth.json"), "r", encoding="utf-8") as handle:
+            auth = json.load(handle)
+    except (FileNotFoundError, OSError, json.JSONDecodeError):
+        return False
+    if not isinstance(auth, dict):
+        return False
+    tokens = auth.get("tokens")
+    if not isinstance(tokens, dict):
+        return False
+    return any(
+        _clean_oauth_token(tokens.get(name))
+        for name in ("id_token", "access_token", "refresh_token")
+    )
 
 
 def _read_claude_account_email(auth_home):
@@ -377,10 +412,10 @@ def _resolve_command(command, env=None):
 def _probe_provider_auth(session, spawn_sync=None, env_override=None):
     spawn_sync = spawn_sync or subprocess.run
     spec = _build_login_status_spec(session, env_override)
-    if session.get("provider") == PROVIDER_CODEX:
-        auth_path = os.path.join(_get_auth_home(session), "auth.json")
-        if os.path.isfile(auth_path):
-            return True
+    if session.get("provider") == PROVIDER_CLAUDE and _has_local_claude_auth(_get_auth_home(session)):
+        return True
+    if session.get("provider") == PROVIDER_CODEX and _has_local_codex_auth(_get_auth_home(session)):
+        return True
     try:
         if spawn_sync is subprocess.run:
             command = _resolve_command(spec["command"], spec["env"])

package/src/session_service.py

@@ -961,6 +961,8 @@ def create_session_service(options=None):
                 "enabled": enabled,
                 "active": bool(_session_runtime(s["name"])) if enabled else False,
                 "status": "enabled" if enabled else "disabled",
+                "auth_status": (s.get("auth") or {}).get("status") or "unknown",
+                "auth_checked_at": _to_local_iso((s.get("auth") or {}).get("lastCheckedAt")),
                 "remaining_5h_pct": row_status.get("remaining_5h_pct") if row_status else None,
                 "remaining_week_pct": row_status.get("remaining_week_pct") if row_status else None,
                 "credits": row_status.get("credits") if row_status else None,

package/src/status_source.py

@@ -212,6 +212,14 @@ def _extract_status_blocks_from_text(text, provider=None, source_ref=None, times
             ]],
         ):
             items.append({"source_ref": source_ref, "timestamp": timestamp, "text": block})
+        for block in collect_blocks(
+            re.compile(r"No stats available yet\.?\s+Start using Claude Code", re.I),
+            [re.compile(p, re.I) for p in [
+                r"^Esc to cancel\b", r"^To continue this session\b", r"^╰",
+            ]],
+            max_span=40,
+        ):
+            items.append({"source_ref": source_ref, "timestamp": timestamp, "text": block})
 
     if provider != PROVIDER_CLAUDE:
         for block in collect_blocks(
@@ -457,6 +465,11 @@ def extract_named_statuses_from_text(text):
         if "remaining_week_pct" not in result and week_used is not None:
             result["remaining_week_pct"] = max(0, 100 - week_used)
 
+    if re.search(r"No stats available yet\.?\s+Start using Claude Code", normalized, re.I):
+        result.setdefault("usage_pct", 0)
+        result.setdefault("remaining_5h_pct", 100)
+        result.setdefault("remaining_week_pct", 100)
+
     # Table header row
     header_idx = next(
         (i for i, l in enumerate(lines)

package/src/status_view.py

@@ -66,27 +66,40 @@ def _format_status_rows(rows, use_color=False, small=False):
     if small:
         headers = ["SESSION", "STATUS", "OK", "5H", "WEEK", "RESET 5H", "RESET WEEK"]
     elif has_provider:
-        headers = ["SESSION", "PROV.", "STATUS", "OK", "5H", "WEEK", "BLOCK", "CR", "RESET 5H", "RESET WEEK", "UPDATED"]
+        headers = ["SESSION", "PROV.", "STATUS", "AUTH", "OK", "5H", "WEEK", "BLOCK", "CR", "RESET 5H", "RESET WEEK", "UPDATED"]
     else:
-        headers = ["SESSION", "STATUS", "OK", "5H", "WEEK", "BLOCK", "CR", "RESET 5H", "RESET WEEK", "UPDATED"]
+        headers = ["SESSION", "STATUS", "AUTH", "OK", "5H", "WEEK", "BLOCK", "CR", "RESET 5H", "RESET WEEK", "UPDATED"]
     if not rows:
         if small:
             return "SESSION  STATUS  OK  5H  WEEK  RESET 5H  RESET WEEK\nNo saved sessions yet."
         return "SESSION  STATUS  OK  5H  WEEK  BLOCK  CR  RESET 5H  RESET WEEK  UPDATED\nNo saved sessions yet."
     headers = [_style(header, "1", use_color) for header in headers]
     active_rows = [r for r in rows if r.get("enabled", True) is not False]
+    priority_candidates = [
+        r for r in active_rows
+        if _format_auth_status(r) != "logged out"
+    ]
     disabled_rows = sorted(
         [r for r in rows if r.get("enabled", True) is False],
         key=lambda r: r.get("session_name") or "",
     )
-    priority = _recommend_priority_sessions(active_rows)
+    priority = _recommend_priority_sessions(priority_candidates)
+    priority_names = {r.get("session_name") for r in priority}
+    non_priority_active = [
+        r for r in active_rows
+        if r.get("session_name") not in priority_names
+    ]
     table_rows = []
-    for r in priority + disabled_rows:
+    for r in priority + non_priority_active + disabled_rows:
         base = [_format_session_name(r)]
         if has_provider:
             base.append(r.get("provider") or "n/a")
         status = r.get("status") or ("enabled" if r.get("enabled", True) else "disabled")
         base.append(_style(status, "2" if status == "disabled" else "32", use_color))
+        if not small:
+            auth = _format_auth_status(r)
+            auth_color = "32" if auth == "logged" else "31" if auth == "logged out" else "2"
+            base.append(_style(auth, auth_color, use_color))
         if r.get("enabled", True) is False:
             usage_columns = [_style("-", "2", use_color)] * 5
         else:
@@ -142,6 +155,19 @@ def _format_session_name(row):
     return f"{row['session_name']}*" if row.get("active") else row["session_name"]
 
 
+def _format_auth_status(row):
+    if row.get("enabled", True) is False:
+        return "-"
+    if row.get("provider") in ("antigravity", "ollama"):
+        return "n/a"
+    status = str(row.get("auth_status") or "").strip().lower()
+    if status == "authenticated":
+        return "logged"
+    if status == "logged_out":
+        return "logged out"
+    return "unknown"
+
+
 def _recommend_priority_sessions(rows):
     if not rows:
         return []
@@ -295,10 +321,13 @@ def _now_timestamp():
 
 
 def _format_status_detail(row, use_color=False):
+    auth = _format_auth_status(row)
+    auth_color = "32" if auth == "logged" else "31" if auth == "logged out" else "2"
     lines = [
         f"{_style('Session:', '1', use_color)} {_format_session_name(row)}",
         f"{_style('Provider:', '1', use_color)} {row.get('provider') or 'n/a'}",
         f"{_style('Status:', '1', use_color)} {_style(row.get('status') or ('enabled' if row.get('enabled', True) else 'disabled'), '2' if row.get('enabled', True) is False else '32', use_color)}",
+        f"{_style('Auth:', '1', use_color)} {_style(auth, auth_color, use_color)}",
         f"{_style('Available:', '1', use_color)} {_style_pct(row.get('available_pct'), use_color)}",
         f"{_style('5h left:', '1', use_color)} {_style_pct(row.get('remaining_5h_pct'), use_color)}",
         f"{_style('Week left:', '1', use_color)} {_style_pct(row.get('remaining_week_pct'), use_color)}",