cdx-manager 0.6.4 → 0.6.5

package/README.md

@@ -1,6 +1,6 @@
 # CDX Manager
 
-[![License](https://img.shields.io/badge/license-MIT-4C8BF5)](LICENSE) ![Version](https://img.shields.io/badge/version-v0.6.4-4C8BF5) ![Python](https://img.shields.io/badge/python-3.9%2B-3776AB?logo=python&logoColor=white)
+[![License](https://img.shields.io/badge/license-MIT-4C8BF5)](LICENSE) ![Version](https://img.shields.io/badge/version-v0.6.5-4C8BF5) ![Python](https://img.shields.io/badge/python-3.9%2B-3776AB?logo=python&logoColor=white)
 
 **Run multiple Codex, Claude, Antigravity, and Ollama sessions from one terminal. Switch between accounts instantly.**
 
@@ -51,7 +51,7 @@ One command to launch any session. Zero auth juggling.
 
 ## Technical Overview
 
-- Python 3.9+, zero runtime dependencies.
+- Python 3.9+.
 - Environment isolation per session:
   - Codex sessions override `CODEX_HOME` to a dedicated profile directory.
   - Claude sessions override `HOME` to a dedicated profile directory and disable Claude Code commit co-author attribution by default.
@@ -134,7 +134,7 @@ For a specific version:
 
 ```bash
 curl -fsSL https://raw.githubusercontent.com/AlexAgo83/cdx-manager/main/install.sh -o install.sh
-CDX_VERSION=v0.6.4 sh install.sh
+CDX_VERSION=v0.6.5 sh install.sh
 ```
 
 From source:

package/changelogs/CHANGELOGS_0_6_5.md

@@ -0,0 +1,35 @@
+# Changelog (`0.6.4 -> 0.6.5`)
+
+Release date: 2026-05-29
+
+## Installer Integrity
+
+- Fixed standalone installer checksum resolution so the Unix installer can validate published GitHub archive checksums correctly.
+- Added regression coverage for the release checksum lookup path used by the standalone installer.
+
+## Claude Authentication
+
+- Preserved the captured Claude setup-token transcript when token extraction fails, making failed login setup recoverable and easier to inspect.
+- Reordered Claude status handling so authentication is checked before refreshing usage, avoiding noisy usage refresh failures when Claude credentials are absent or invalid.
+
+## Codex Authentication
+
+- Hardened Codex auth detection so an empty or unusable `auth.json` is no longer treated as an authenticated session.
+- Added coverage for usable-token validation instead of relying on file presence alone.
+
+## Auth Bundle Security
+
+- Replaced the previous homegrown auth bundle encryption with AEAD encryption via `cryptography`.
+- Added wrong-passphrase and auth bundle regression tests for the new encrypted bundle format.
+- Updated CI and publish workflows to install Python package dependencies before running Python-backed lint, tests, and version validation.
+
+## Release Metadata and Documentation
+
+- Updated package metadata, CLI version output, README badge, pinned installer example, and release changelog to `v0.6.5`.
+
+## Validation and Regression Evidence
+
+- `npm run lint`
+- `npm test`
+- `python -m build --sdist --wheel`
+- `npm pack --dry-run`

package/checksums/release-archives.json

@@ -20,6 +20,10 @@
     "v0.6.3": {
       "github_tarball_sha256": "539bc299fe2211cddcbe58db71a859ebbd1cb76aec254f6feef501fc038d7c62",
       "github_zip_sha256": "138c7c67ea1b512d71ed745559f8eed395accb9a06b3ed9d82c3ccc454aba12b"
+    },
+    "v0.6.4": {
+      "github_tarball_sha256": "f7c83dd1ae7506cf1ae6420e718a285f4dc96a10fb3a19e24cc17e79d75a46b4",
+      "github_zip_sha256": "d602800cf6b54f1e0adea751cc6b686ab2fc4a224715ade94f761df2ff7da2af"
     }
   }
 }

package/install.sh

@@ -34,7 +34,7 @@ sha256_file() {
 
 resolve_expected_sha256() {
   curl -fsSL "$CHECKSUMS_URL" |
-    python3 - "$1" <<'PY'
+    python3 -c '
 import json
 import sys
 
@@ -48,7 +48,7 @@ release = (payload.get("releases") or {}).get(tag) or {}
 value = release.get("github_tarball_sha256")
 if value:
     print(value)
-PY
+' "$1"
 }
 
 if [ -z "$VERSION" ]; then

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cdx-manager",
-  "version": "0.6.4",
+  "version": "0.6.5",
   "description": "Terminal session manager for Codex and Claude accounts.",
   "license": "MIT",
   "author": "Alexandre Agostini",

package/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "cdx-manager"
-version = "0.6.4"
+version = "0.6.5"
 description = "Terminal session manager for Codex and Claude accounts."
 readme = "README.md"
 requires-python = ">=3.9"
@@ -26,7 +26,7 @@ classifiers = [
   "Topic :: Software Development",
   "Topic :: Terminals",
 ]
-dependencies = []
+dependencies = ["cryptography>=42"]
 
 [project.urls]
 Homepage = "https://github.com/AlexAgo83/cdx-manager"

package/src/backup_bundle.py

@@ -11,10 +11,13 @@ from .errors import CdxError
 BUNDLE_SCHEMA_VERSION = 1
 _SALT_BYTES = 16
 _NONCE_BYTES = 16
+_AEAD_NONCE_BYTES = 12
 _SCRYPT_N = 2 ** 14
 _SCRYPT_R = 8
 _SCRYPT_P = 1
 _PBKDF2_ITERATIONS = 200000
+_AEAD_ALGORITHM = "aes-256-gcm"
+_LEGACY_ALGORITHM = "sha256-xor-hmac"
 
 
 def _now_iso():
@@ -68,6 +71,22 @@ def _derive_keys(passphrase, salt):
     return key_material[:32], key_material[32:]
 
 
+def _derive_aead_key(passphrase, salt):
+    enc_key, _mac_key = _derive_keys(passphrase, salt)
+    return enc_key
+
+
+def _load_aesgcm():
+    try:
+        from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+    except ImportError as error:
+        raise CdxError(
+            "Auth bundle encryption requires the Python package 'cryptography'. "
+            "Install cdx-manager through pipx/uv/pip, or install cryptography for the Python used by cdx."
+        ) from error
+    return AESGCM
+
+
 def _xor_keystream(data, key, nonce):
     output = bytearray()
     counter = 0
@@ -90,14 +109,14 @@ def encode_bundle(payload, include_auth=False, passphrase=None):
     }
     if include_auth:
         salt = os.urandom(_SALT_BYTES)
-        nonce = os.urandom(_NONCE_BYTES)
-        enc_key, mac_key = _derive_keys(passphrase, salt)
-        ciphertext = _xor_keystream(payload_bytes, enc_key, nonce)
-        mac = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
+        nonce = os.urandom(_AEAD_NONCE_BYTES)
+        aesgcm = _load_aesgcm()(_derive_aead_key(passphrase, salt))
+        ciphertext = aesgcm.encrypt(nonce, payload_bytes, None)
         wrapper.update({
+            "encryption": _AEAD_ALGORITHM,
+            "kdf": "scrypt" if hasattr(hashlib, "scrypt") else "pbkdf2-hmac-sha256",
             "salt": _b64_encode(salt),
             "nonce": _b64_encode(nonce),
-            "hmac_sha256": _b64_encode(mac),
             "payload": _b64_encode(ciphertext),
         })
     else:
@@ -116,13 +135,23 @@ def decode_bundle(data, passphrase=None):
     if encrypted:
         salt = _b64_decode(wrapper.get("salt", ""))
         nonce = _b64_decode(wrapper.get("nonce", ""))
-        expected_mac = _b64_decode(wrapper.get("hmac_sha256", ""))
         ciphertext = _b64_decode(payload_b64)
-        enc_key, mac_key = _derive_keys(passphrase, salt)
-        actual_mac = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
-        if not hmac.compare_digest(actual_mac, expected_mac):
-            raise CdxError("Invalid bundle passphrase or corrupted bundle.")
-        payload_bytes = _xor_keystream(ciphertext, enc_key, nonce)
+        algorithm = wrapper.get("encryption") or _LEGACY_ALGORITHM
+        if algorithm == _AEAD_ALGORITHM:
+            aesgcm = _load_aesgcm()(_derive_aead_key(passphrase, salt))
+            try:
+                payload_bytes = aesgcm.decrypt(nonce, ciphertext, None)
+            except Exception as error:
+                raise CdxError("Invalid bundle passphrase or corrupted bundle.") from error
+        elif algorithm == _LEGACY_ALGORITHM:
+            expected_mac = _b64_decode(wrapper.get("hmac_sha256", ""))
+            enc_key, mac_key = _derive_keys(passphrase, salt)
+            actual_mac = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
+            if not hmac.compare_digest(actual_mac, expected_mac):
+                raise CdxError("Invalid bundle passphrase or corrupted bundle.")
+            payload_bytes = _xor_keystream(ciphertext, enc_key, nonce)
+        else:
+            raise CdxError("Unsupported bundle encryption algorithm.")
     else:
         payload_bytes = _b64_decode(payload_b64)
 

package/src/claude_refresh.py

@@ -38,6 +38,7 @@ def _refresh_claude_sessions(service, refresh_fn=None, target_names=None, force=
         s for s in sessions
         if s["provider"] == PROVIDER_CLAUDE
         and s.get("enabled", True) is not False
+        and (s.get("auth") or {}).get("status") != "logged_out"
         and (not target_names or s["name"] in target_names)
         and (force or _is_stale(s, ttl_seconds=ttl_seconds))
     ]

package/src/cli.py

@@ -55,7 +55,7 @@ from .status_view import (
 )
 from .update_check import check_for_update
 
-VERSION = "0.6.4"
+VERSION = "0.6.5"
 
 
 # ---------------------------------------------------------------------------

package/src/cli_commands.py

@@ -892,19 +892,18 @@ def _bootstrap_claude_setup_token(session, ctx):
             "Claude setup-token completed, but cdx could not capture the token. "
             "Run claude setup-token and save the token under credentials/default.json."
         )
-    try:
-        with open(transcript_path, "r", encoding="utf-8", errors="replace") as handle:
-            transcript = handle.read()
-    finally:
-        try:
-            os.remove(transcript_path)
-        except OSError:
-            pass
+    with open(transcript_path, "r", encoding="utf-8", errors="replace") as handle:
+        transcript = handle.read()
     token = _extract_claude_oauth_token(transcript)
     if not token:
         raise CdxError(
-            "Claude setup-token completed, but cdx could not find CLAUDE_CODE_OAUTH_TOKEN in the output."
+            "Claude setup-token completed, but cdx could not find CLAUDE_CODE_OAUTH_TOKEN in the output. "
+            f"Transcript kept at: {transcript_path}"
         )
+    try:
+        os.remove(transcript_path)
+    except OSError:
+        pass
     return _write_claude_oauth_token(session.get("authHome") or "", token)
 
 
@@ -1599,6 +1598,20 @@ def handle_status(rest, ctx):
     if len(args) == 1 and parsed["small"]:
         raise CdxError(STATUS_USAGE)
 
+    auth_refresh = _refresh_claude_auth_states(
+        ctx["service"],
+        target_names=args if len(args) == 1 else None,
+        spawn_sync=ctx.get("spawn_sync"),
+        env_override=ctx.get("env"),
+    )
+    warnings = [
+        {
+            "code": "claude_auth_probe_failed",
+            "session": item.get("session") or "unknown",
+            "message": item.get("error") or "unknown error",
+        }
+        for item in auth_refresh.get("errors", [])
+    ]
     refresh_result = _refresh_claude_sessions(
         ctx["service"],
         ctx.get("refresh_fn"),
@@ -1612,27 +1625,13 @@ def handle_status(rest, ctx):
         }
         for item in refresh_result.get("errors", [])
     ]
-    warnings = [
+    warnings.extend([
         {
             "code": "claude_refresh_failed",
             "session": item.get("session") or "unknown",
             "message": item.get("error") or "unknown error",
         }
         for item in refresh_errors
-    ]
-    auth_refresh = _refresh_claude_auth_states(
-        ctx["service"],
-        target_names=args if len(args) == 1 else None,
-        spawn_sync=ctx.get("spawn_sync"),
-        env_override=ctx.get("env"),
-    )
-    warnings.extend([
-        {
-            "code": "claude_auth_probe_failed",
-            "session": item.get("session") or "unknown",
-            "message": item.get("error") or "unknown error",
-        }
-        for item in auth_refresh.get("errors", [])
     ])
     update_warning = _update_notice_warning(ctx)
     if update_warning:

package/src/provider_runtime.py

@@ -96,6 +96,23 @@ def _has_local_claude_auth(auth_home):
     return bool(isinstance(oauth, dict) and _clean_oauth_token(oauth.get("accessToken")))
 
 
+def _has_local_codex_auth(auth_home):
+    try:
+        with open(os.path.join(auth_home, "auth.json"), "r", encoding="utf-8") as handle:
+            auth = json.load(handle)
+    except (FileNotFoundError, OSError, json.JSONDecodeError):
+        return False
+    if not isinstance(auth, dict):
+        return False
+    tokens = auth.get("tokens")
+    if not isinstance(tokens, dict):
+        return False
+    return any(
+        _clean_oauth_token(tokens.get(name))
+        for name in ("id_token", "access_token", "refresh_token")
+    )
+
+
 def _read_claude_account_email(auth_home):
     config_path = os.path.join(auth_home, ".claude.json")
     try:
@@ -397,10 +414,8 @@ def _probe_provider_auth(session, spawn_sync=None, env_override=None):
     spec = _build_login_status_spec(session, env_override)
     if session.get("provider") == PROVIDER_CLAUDE and _has_local_claude_auth(_get_auth_home(session)):
         return True
-    if session.get("provider") == PROVIDER_CODEX:
-        auth_path = os.path.join(_get_auth_home(session), "auth.json")
-        if os.path.isfile(auth_path):
-            return True
+    if session.get("provider") == PROVIDER_CODEX and _has_local_codex_auth(_get_auth_home(session)):
+        return True
     try:
         if spawn_sync is subprocess.run:
             command = _resolve_command(spec["command"], spec["env"])