codex-account-orchestrator 1.0.0

package/CHANGELOG.md

@@ -0,0 +1,31 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [1.0.0] - 2025-01-27
+
+### Added
+
+- Account management with separate CODEX_HOME directories per account
+- OAuth login support with browser and device auth flows
+- Automatic fallback to next account on quota exhaustion
+- Gateway mode for seamless account switching without session drops
+- Codex shim installation for transparent traffic routing
+- Token refresh and session management
+- Configurable cooldown and retry settings
+- Debug logging with header sanitization
+
+### Commands
+
+- `cao add <name>` - Register a new account
+- `cao list` - List registered accounts
+- `cao use <name>` - Set default account
+- `cao remove <name>` - Remove an account
+- `cao run` - Run codex with automatic fallback
+- `cao gateway start` - Start local gateway server
+- `cao gateway enable` - Install codex routing shim
+- `cao gateway disable` - Remove shim and restore config
+- `cao gateway status` - Show gateway and account status

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 DAWNCR0W
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,140 @@
+# codex-account-orchestrator
+
+Codex OAuth account fallback orchestrator. It keeps **separate `CODEX_HOME` directories per account** and automatically falls back to the next account when quota is exhausted.
+
+## Install (local dev)
+
+```bash
+npm install
+npm run build
+npm link  # Makes 'cao' command available globally
+```
+
+## Usage
+
+### Add accounts
+
+```bash
+cao add accountA
+cao add accountB
+```
+
+`cao add` starts OAuth login by default and should open a browser window. Use `--no-login` to skip:
+
+```bash
+cao add accountA --no-login
+```
+
+If you prefer device auth:
+
+```bash
+cao add accountA --device-auth
+```
+
+### Set default account
+
+```bash
+cao use accountA
+```
+
+### List accounts
+
+```bash
+cao list
+```
+
+### Remove an account
+
+```bash
+cao remove accountB
+```
+
+To keep files on disk:
+
+```bash
+cao remove accountB --keep-files
+```
+
+### Run with fallback
+
+```bash
+cao run
+```
+
+To pass arguments to Codex, put them after `--`:
+
+```bash
+cao run -- exec "summarize README"
+```
+
+To recheck all accounts when everyone is quota-limited, use multiple passes:
+
+```bash
+cao run --max-passes 2 --retry-delay 5
+```
+
+### Run a specific account (no fallback)
+
+```bash
+cao run --no-fallback --account accountB -- codex
+```
+
+### Custom data directory
+
+```bash
+cao --data-dir /path/to/data run -- codex
+```
+
+## How it works
+
+- Each account is stored in its own `CODEX_HOME` directory under:
+  - `~/.codex-account-orchestrator/<account>/`
+- A `config.toml` is created with:
+  - `cli_auth_credentials_store = "file"`
+  - `forced_login_method = "chatgpt"`
+- On quota errors (detected via output keywords), the CLI re-runs Codex with the next account and can recheck all accounts for a configurable number of passes.
+
+## Gateway mode (no session drop)
+
+Gateway mode keeps the Codex session open while switching accounts on quota errors. It requires routing Codex traffic through the local gateway.
+
+### Start the gateway
+
+```bash
+cao gateway start
+```
+
+For troubleshooting, you can pass through the current Codex auth without overriding it:
+
+```bash
+cao gateway start --passthrough-auth
+```
+
+### Enable routing for Codex
+
+```bash
+cao gateway enable
+```
+
+This installs a small `codex` shim (in `~/.local/bin`) that sets `OPENAI_BASE_URL` to the gateway. You can revert with:
+
+```bash
+cao gateway disable
+```
+
+If `~/.local/bin` is not in your PATH, add it so the shim is used.
+
+### Check gateway status
+
+```bash
+cao gateway status
+```
+
+### Debug logging
+
+Set `CAO_DEBUG_HEADERS=1` to log sanitized request/response headers in the gateway process. To capture the last request body for inspection, also set `CAO_CAPTURE_BODY=1` (saved to `/tmp/cao-last-body.json` by default).
+
+## Notes
+
+- Fallback requires capturing output; this may make Codex detect a non-TTY stdout. If you want a pure TTY session, use `--no-fallback`.
+- The quota detector is keyword-based and can be extended in `src/constants.ts`.

package/dist/account_manager.d.ts

@@ -0,0 +1,9 @@
+import { Registry } from "./registry_store";
+export declare function validateAccountName(name: string): string;
+export declare function ensureBaseDir(baseDir: string): void;
+export declare function ensureAccountDir(baseDir: string, accountName: string): string;
+export declare function ensureAccountConfig(accountDir: string): void;
+export declare function addAccount(baseDir: string, accountName: string): Registry;
+export declare function setDefaultAccount(baseDir: string, accountName: string): Registry;
+export declare function removeAccount(baseDir: string, accountName: string, removeFiles: boolean): Registry;
+export declare function getAccountOrder(registry: Registry): string[];

package/dist/account_manager.js

@@ -0,0 +1,103 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateAccountName = validateAccountName;
+exports.ensureBaseDir = ensureBaseDir;
+exports.ensureAccountDir = ensureAccountDir;
+exports.ensureAccountConfig = ensureAccountConfig;
+exports.addAccount = addAccount;
+exports.setDefaultAccount = setDefaultAccount;
+exports.removeAccount = removeAccount;
+exports.getAccountOrder = getAccountOrder;
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const constants_1 = require("./constants");
+const paths_1 = require("./paths");
+const registry_store_1 = require("./registry_store");
+function validateAccountName(name) {
+    const trimmed = name.trim();
+    if (trimmed.length === 0) {
+        throw new Error("Account name cannot be empty.");
+    }
+    if (!/^[a-zA-Z0-9_-]+$/.test(trimmed)) {
+        throw new Error("Account name must use letters, numbers, underscores, or hyphens only.");
+    }
+    return trimmed;
+}
+function ensureBaseDir(baseDir) {
+    if (!fs_1.default.existsSync(baseDir)) {
+        fs_1.default.mkdirSync(baseDir, { recursive: true });
+    }
+}
+function ensureAccountDir(baseDir, accountName) {
+    const accountDir = (0, paths_1.getAccountDir)(baseDir, accountName);
+    if (!fs_1.default.existsSync(accountDir)) {
+        fs_1.default.mkdirSync(accountDir, { recursive: true });
+    }
+    return accountDir;
+}
+function ensureAccountConfig(accountDir) {
+    const configPath = path_1.default.join(accountDir, "config.toml");
+    if (!fs_1.default.existsSync(configPath)) {
+        fs_1.default.writeFileSync(configPath, constants_1.DEFAULT_CONFIG_TOML, "utf8");
+    }
+}
+function addAccount(baseDir, accountName) {
+    ensureBaseDir(baseDir);
+    const registry = (0, registry_store_1.loadRegistry)(baseDir);
+    const normalizedName = validateAccountName(accountName);
+    ensureAccountConfig(ensureAccountDir(baseDir, normalizedName));
+    if (!registry.accounts.includes(normalizedName)) {
+        registry.accounts.push(normalizedName);
+    }
+    if (!registry.default_account) {
+        registry.default_account = normalizedName;
+    }
+    (0, registry_store_1.saveRegistry)(baseDir, registry);
+    return registry;
+}
+function setDefaultAccount(baseDir, accountName) {
+    ensureBaseDir(baseDir);
+    const registry = (0, registry_store_1.loadRegistry)(baseDir);
+    const normalizedName = validateAccountName(accountName);
+    if (!registry.accounts.includes(normalizedName)) {
+        throw new Error(`Account not found: ${normalizedName}`);
+    }
+    registry.default_account = normalizedName;
+    (0, registry_store_1.saveRegistry)(baseDir, registry);
+    return registry;
+}
+function removeAccount(baseDir, accountName, removeFiles) {
+    ensureBaseDir(baseDir);
+    const registry = (0, registry_store_1.loadRegistry)(baseDir);
+    const normalizedName = validateAccountName(accountName);
+    const index = registry.accounts.indexOf(normalizedName);
+    if (index === -1) {
+        throw new Error(`Account not found: ${normalizedName}`);
+    }
+    registry.accounts.splice(index, 1);
+    if (registry.default_account === normalizedName) {
+        registry.default_account = registry.accounts.length > 0 ? registry.accounts[0] : null;
+    }
+    if (removeFiles) {
+        const accountDir = (0, paths_1.getAccountDir)(baseDir, normalizedName);
+        if (fs_1.default.existsSync(accountDir)) {
+            fs_1.default.rmSync(accountDir, { recursive: true, force: true });
+        }
+    }
+    (0, registry_store_1.saveRegistry)(baseDir, registry);
+    return registry;
+}
+function getAccountOrder(registry) {
+    if (registry.accounts.length === 0) {
+        return [];
+    }
+    const defaultName = registry.default_account;
+    if (!defaultName) {
+        return [...registry.accounts];
+    }
+    const rest = registry.accounts.filter((name) => name !== defaultName);
+    return [defaultName, ...rest];
+}

package/dist/cli_main.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/cli_main.js

@@ -0,0 +1,334 @@
+#!/usr/bin/env node
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const commander_1 = require("commander");
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const account_manager_1 = require("./account_manager");
+const codex_auth_1 = require("./codex_auth");
+const constants_1 = require("./constants");
+const codex_config_1 = require("./gateway/codex_config");
+const account_pool_1 = require("./gateway/account_pool");
+const gateway_config_1 = require("./gateway/gateway_config");
+const server_1 = require("./gateway/server");
+const codex_shim_1 = require("./gateway/codex_shim");
+const paths_1 = require("./paths");
+const registry_store_1 = require("./registry_store");
+const process_runner_1 = require("./process_runner");
+const program = new commander_1.Command();
+program
+    .name("codex-account-orchestrator")
+    .description("Codex OAuth account fallback orchestrator")
+    .option("--data-dir <path>", "Custom data directory");
+program
+    .command("add")
+    .argument("<name>", "Account name")
+    .description("Register a new account and create its config")
+    .option("--codex <path>", "Path to the codex binary", "codex")
+    .option("--no-login", "Skip OAuth login")
+    .option("--device-auth", "Use device auth flow")
+    .action(async (name, options) => {
+    const baseDir = (0, paths_1.getBaseDir)(program.opts().dataDir);
+    const registry = (0, account_manager_1.addAccount)(baseDir, name);
+    const normalizedName = (0, account_manager_1.validateAccountName)(name);
+    const accountDir = (0, paths_1.getAccountDir)(baseDir, normalizedName);
+    process.stdout.write(`Added account: ${normalizedName}\n`);
+    process.stdout.write(`Account directory: ${accountDir}\n`);
+    process.stdout.write(`Default account: ${registry.default_account ?? "(none)"}\n`);
+    process.stdout.write("Run `cao run` to start with fallback.\n");
+    if (!options.login) {
+        return;
+    }
+    const alreadyLoggedIn = await (0, codex_auth_1.isCodexLoggedIn)(options.codex, accountDir);
+    if (alreadyLoggedIn) {
+        process.stdout.write("OAuth already configured for this account.\n");
+        return;
+    }
+    process.stdout.write("Starting OAuth login...\n");
+    const exitCode = await (0, codex_auth_1.runCodexLogin)(options.codex, accountDir, options.deviceAuth);
+    if (exitCode !== 0) {
+        process.stderr.write("OAuth login failed.\n");
+        process.exit(exitCode);
+    }
+    const authPath = getAuthFilePath(accountDir);
+    if (!fs_1.default.existsSync(authPath)) {
+        process.stderr.write("Warning: OAuth login completed but auth.json was not found. Check your Codex auth store.\n");
+    }
+});
+program
+    .command("list")
+    .description("List registered accounts")
+    .action(() => {
+    const baseDir = (0, paths_1.getBaseDir)(program.opts().dataDir);
+    (0, account_manager_1.ensureBaseDir)(baseDir);
+    const registry = (0, registry_store_1.loadRegistry)(baseDir);
+    if (registry.accounts.length === 0) {
+        process.stdout.write("No accounts registered. Use `cao add <name>` first.\n");
+        return;
+    }
+    for (const name of registry.accounts) {
+        const marker = registry.default_account === name ? "*" : " ";
+        const accountDir = (0, paths_1.getAccountDir)(baseDir, name);
+        const loggedIn = fs_1.default.existsSync(getAuthFilePath(accountDir));
+        const status = loggedIn ? "logged-in" : "not-logged-in";
+        process.stdout.write(`${marker} ${name} (${status})\n`);
+    }
+});
+program
+    .command("use")
+    .argument("<name>", "Account name")
+    .description("Set the default account")
+    .action((name) => {
+    const baseDir = (0, paths_1.getBaseDir)(program.opts().dataDir);
+    const registry = (0, account_manager_1.setDefaultAccount)(baseDir, name);
+    process.stdout.write(`Default account set to: ${registry.default_account}\n`);
+});
+program
+    .command("remove")
+    .argument("<name>", "Account name")
+    .option("--keep-files", "Keep account files on disk")
+    .description("Remove an account from fallback rotation")
+    .action((name, options) => {
+    const baseDir = (0, paths_1.getBaseDir)(program.opts().dataDir);
+    const registry = (0, account_manager_1.removeAccount)(baseDir, name, !options.keepFiles);
+    process.stdout.write(`Removed account: ${name}\n`);
+    process.stdout.write(`Default account: ${registry.default_account ?? "(none)"}\n`);
+});
+const gateway = program.command("gateway").description("Manage CAO gateway");
+gateway
+    .command("start")
+    .description("Start the local gateway for seamless account switching")
+    .option("--bind <address>", "Bind address", "127.0.0.1")
+    .option("--port <port>", "Port", "4319")
+    .option("--base-url <url>", "Upstream OpenAI base URL", "https://chatgpt.com/backend-api/codex")
+    .option("--cooldown-seconds <seconds>", "Cooldown for quota-hit accounts", "900")
+    .option("--max-retry-passes <count>", "Max retry passes per request", "1")
+    .option("--timeout-ms <ms>", "Request timeout in milliseconds", "120000")
+    .option("--passthrough-auth", "Do not override Authorization header")
+    .option("--save", "Persist options to gateway.json")
+    .action((options) => {
+    const baseDir = (0, paths_1.getBaseDir)(program.opts().dataDir);
+    (0, account_manager_1.ensureBaseDir)(baseDir);
+    const overrides = buildGatewayOverrides(options);
+    const merged = (0, gateway_config_1.resolveGatewayConfig)({
+        ...(0, gateway_config_1.loadGatewayConfig)(),
+        ...overrides
+    });
+    if (options.save) {
+        (0, gateway_config_1.saveGatewayConfig)({
+            bindAddress: merged.bindAddress,
+            port: merged.port,
+            baseUrl: merged.baseUrl,
+            cooldownSeconds: merged.cooldownSeconds,
+            maxRetryPasses: merged.maxRetryPasses,
+            requestTimeoutMs: merged.requestTimeoutMs,
+            overrideAuth: merged.overrideAuth
+        });
+    }
+    const pool = account_pool_1.AccountPool.loadFromRegistry(baseDir);
+    if (pool.getAccounts().length === 0) {
+        process.stderr.write("No accounts with auth.json were found. Run `cao add` first.\n");
+        process.exit(1);
+        return;
+    }
+    const server = (0, server_1.startGatewayServer)(pool, merged);
+    process.stdout.write(`Gateway started on http://${merged.bindAddress}:${merged.port} (upstream ${merged.baseUrl})\n`);
+    process.on("SIGINT", () => {
+        server.close(() => {
+            process.stdout.write("Gateway stopped.\n");
+            process.exit(0);
+        });
+    });
+});
+gateway
+    .command("status")
+    .description("Show gateway config and account readiness")
+    .action(() => {
+    const baseDir = (0, paths_1.getBaseDir)(program.opts().dataDir);
+    const config = (0, gateway_config_1.resolveGatewayConfig)((0, gateway_config_1.loadGatewayConfig)());
+    const pool = account_pool_1.AccountPool.loadFromRegistry(baseDir);
+    process.stdout.write(`Bind: ${config.bindAddress}:${config.port}\n`);
+    process.stdout.write(`Upstream: ${config.baseUrl}\n`);
+    process.stdout.write(`Override auth: ${config.overrideAuth ? "yes" : "no"}\n`);
+    process.stdout.write(`Accounts: ${pool.getAccounts().length}\n`);
+    for (const account of pool.getAccounts()) {
+        const cooldown = account.cooldownUntilMs > Date.now()
+            ? `cooldown ${Math.ceil((account.cooldownUntilMs - Date.now()) / 1000)}s`
+            : "ready";
+        process.stdout.write(`- ${account.name} (${cooldown})\n`);
+    }
+});
+gateway
+    .command("enable")
+    .description("Install a codex shim that routes traffic through the gateway")
+    .option("--base-url <url>", "Gateway base URL", "http://127.0.0.1:4319")
+    .action((options) => {
+    (0, codex_config_1.disableGatewayConfig)();
+    const result = (0, codex_shim_1.enableGatewayShim)(options.baseUrl);
+    process.stdout.write(`Codex shim installed: ${result.shimPath}\n`);
+    process.stdout.write(`Real codex: ${result.realCodexPath}\n`);
+    if (!result.inPath) {
+        process.stdout.write(`Warning: ${path_1.default.dirname(result.shimPath)} is not in PATH. Update PATH to use the shim.\n`);
+    }
+});
+gateway
+    .command("disable")
+    .description("Remove the codex shim and restore config backup if present")
+    .action(() => {
+    const removed = (0, codex_shim_1.disableGatewayShim)();
+    (0, codex_config_1.disableGatewayConfig)();
+    process.stdout.write(`Codex config restored: ${(0, codex_config_1.getCodexConfigPath)()}\n`);
+    process.stdout.write(removed ? "Codex shim removed.\n" : "No codex shim found.\n");
+});
+program
+    .command("run")
+    .option("--account <name>", "Run with a specific account")
+    .option("--codex <path>", "Path to the codex binary", "codex")
+    .option("--no-fallback", "Disable automatic fallback")
+    .option("--max-passes <count>", "Retry passes when all accounts hit quota", "2")
+    .option("--retry-delay <seconds>", "Delay between retry passes in seconds", "0")
+    .description("Run codex with OAuth fallback across accounts")
+    .allowUnknownOption(true)
+    .allowExcessArguments(true)
+    .action(async (options) => {
+    const baseDir = (0, paths_1.getBaseDir)(program.opts().dataDir);
+    (0, account_manager_1.ensureBaseDir)(baseDir);
+    const registry = (0, registry_store_1.loadRegistry)(baseDir);
+    const orderedAccounts = (0, account_manager_1.getAccountOrder)(registry);
+    const codexArgs = normalizeCodexArgs(getCodexArgs(process.argv), options.codex);
+    if (orderedAccounts.length === 0) {
+        process.stderr.write("No accounts registered. Use `cao add <name>` first.\n");
+        process.exit(1);
+        return;
+    }
+    const resolvedAccounts = resolveAccounts(orderedAccounts, options.account);
+    if (resolvedAccounts.length === 0) {
+        process.stderr.write("No matching accounts found.\n");
+        process.exit(1);
+        return;
+    }
+    await runWithFallback(options, baseDir, resolvedAccounts, codexArgs);
+});
+program.parse(process.argv);
+function resolveAccounts(ordered, requested) {
+    if (!requested) {
+        return ordered;
+    }
+    const normalized = (0, account_manager_1.validateAccountName)(requested);
+    if (ordered.includes(normalized)) {
+        return [normalized];
+    }
+    return [];
+}
+function getCodexArgs(argv) {
+    const separatorIndex = argv.indexOf("--");
+    if (separatorIndex === -1) {
+        return [];
+    }
+    return argv.slice(separatorIndex + 1);
+}
+function normalizeCodexArgs(args, codexBin) {
+    if (args.length === 0) {
+        return args;
+    }
+    if (codexBin === "codex" && args[0] === "codex") {
+        return args.slice(1);
+    }
+    return args;
+}
+function getAuthFilePath(accountDir) {
+    return path_1.default.join(accountDir, constants_1.AUTH_FILE_NAME);
+}
+function buildGatewayOverrides(options) {
+    const overrides = {};
+    overrides.bindAddress = options.bind;
+    overrides.baseUrl = options.baseUrl;
+    overrides.overrideAuth = !options.passthroughAuth;
+    const port = Number.parseInt(options.port, 10);
+    if (!Number.isNaN(port)) {
+        overrides.port = port;
+    }
+    const cooldown = Number.parseInt(options.cooldownSeconds, 10);
+    if (!Number.isNaN(cooldown)) {
+        overrides.cooldownSeconds = cooldown;
+    }
+    const maxRetries = Number.parseInt(options.maxRetryPasses, 10);
+    if (!Number.isNaN(maxRetries)) {
+        overrides.maxRetryPasses = maxRetries;
+    }
+    const timeout = Number.parseInt(options.timeoutMs, 10);
+    if (!Number.isNaN(timeout)) {
+        overrides.requestTimeoutMs = timeout;
+    }
+    return overrides;
+}
+async function runWithFallback(options, baseDir, accounts, codexArgs) {
+    const codexBin = options.codex;
+    const maxPasses = normalizeMaxPasses(options.maxPasses);
+    const retryDelayMs = normalizeDelay(options.retryDelay);
+    for (let passIndex = 0; passIndex < maxPasses; passIndex += 1) {
+        let quotaFailures = 0;
+        let lastExitCode = 1;
+        for (let index = 0; index < accounts.length; index += 1) {
+            const name = accounts[index];
+            const accountDir = (0, account_manager_1.ensureAccountDir)(baseDir, name);
+            (0, account_manager_1.ensureAccountConfig)(accountDir);
+            process.stderr.write(`Using account: ${name}\n`);
+            const result = await (0, process_runner_1.runCodexOnce)(codexBin, codexArgs, accountDir, options.fallback);
+            lastExitCode = result.exitCode;
+            if (result.exitCode === 0) {
+                process.exit(0);
+                return;
+            }
+            if (!options.fallback) {
+                process.exit(result.exitCode);
+                return;
+            }
+            if (!result.quotaError) {
+                process.exit(result.exitCode);
+                return;
+            }
+            quotaFailures += 1;
+            const nextName = accounts[index + 1];
+            if (nextName) {
+                process.stderr.write(`Quota exhausted. Falling back to: ${nextName}\n`);
+            }
+        }
+        if (!options.fallback) {
+            process.exit(lastExitCode);
+            return;
+        }
+        if (quotaFailures === accounts.length) {
+            if (passIndex < maxPasses - 1) {
+                process.stderr.write("All accounts hit quota. Rechecking...\n");
+                if (retryDelayMs > 0) {
+                    await delay(retryDelayMs);
+                }
+                continue;
+            }
+            process.stderr.write("All accounts exhausted due to quota.\n");
+            process.exit(lastExitCode);
+            return;
+        }
+    }
+}
+function normalizeMaxPasses(value) {
+    const parsed = Number.parseInt(value, 10);
+    if (Number.isNaN(parsed) || parsed < 1) {
+        return 1;
+    }
+    return parsed;
+}
+function normalizeDelay(value) {
+    const parsed = Number.parseFloat(value);
+    if (Number.isNaN(parsed) || parsed <= 0) {
+        return 0;
+    }
+    return Math.floor(parsed * 1000);
+}
+function delay(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}

package/dist/codex_auth.d.ts

@@ -0,0 +1,2 @@
+export declare function isCodexLoggedIn(codexBin: string, accountDir: string): Promise<boolean>;
+export declare function runCodexLogin(codexBin: string, accountDir: string, useDeviceAuth: boolean): Promise<number>;

package/dist/codex_auth.js

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isCodexLoggedIn = isCodexLoggedIn;
+exports.runCodexLogin = runCodexLogin;
+const child_process_1 = require("child_process");
+function runCodexCommand(codexBin, args, accountDir, stdio) {
+    return new Promise((resolve) => {
+        const child = (0, child_process_1.spawn)(codexBin, args, {
+            env: { ...process.env, CODEX_HOME: accountDir },
+            stdio
+        });
+        child.on("close", (code) => {
+            resolve({ exitCode: code ?? 1 });
+        });
+        child.on("error", (error) => {
+            process.stderr.write(`Failed to start codex: ${error.message}\n`);
+            resolve({ exitCode: 1 });
+        });
+    });
+}
+async function isCodexLoggedIn(codexBin, accountDir) {
+    const result = await runCodexCommand(codexBin, ["login", "status"], accountDir, "ignore");
+    return result.exitCode === 0;
+}
+async function runCodexLogin(codexBin, accountDir, useDeviceAuth) {
+    const args = useDeviceAuth ? ["login", "--device-auth"] : ["login"];
+    const result = await runCodexCommand(codexBin, args, accountDir, "inherit");
+    return result.exitCode;
+}

package/dist/constants.d.ts

@@ -0,0 +1,5 @@
+export declare const REGISTRY_FILE_NAME = "registry.json";
+export declare const AUTH_FILE_NAME = "auth.json";
+export declare const DEFAULT_CONFIG_TOML: string;
+export declare const QUOTA_ERROR_PATTERNS: RegExp[];
+export declare const MAX_CAPTURED_LINES = 200;