codexuse-cli 2.1.0

package/dist/index.js

@@ -0,0 +1,3439 @@
+#!/usr/bin/env node
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+
+// ../../lib/auto-roll-settings.ts
+function clampNumber(value, min, max) {
+  return Math.min(max, Math.max(min, value));
+}
+function normalizeAutoRollSettings(raw) {
+  const enabled = typeof raw?.enabled === "boolean" ? raw.enabled : DEFAULT_AUTO_ROLL_ENABLED;
+  const rawWarning = typeof raw?.warningThreshold === "number" && Number.isFinite(raw.warningThreshold) ? raw.warningThreshold : DEFAULT_AUTO_ROLL_WARNING_THRESHOLD;
+  const rawSwitch = typeof raw?.switchThreshold === "number" && Number.isFinite(raw.switchThreshold) ? raw.switchThreshold : DEFAULT_AUTO_ROLL_SWITCH_THRESHOLD;
+  const normalizedWarning = clampNumber(rawWarning, AUTO_ROLL_WARNING_MIN, 99);
+  const normalizedSwitch = clampNumber(rawSwitch, normalizedWarning + 1, 100);
+  return {
+    enabled,
+    warningThreshold: normalizedWarning,
+    switchThreshold: normalizedSwitch
+  };
+}
+var DEFAULT_AUTO_ROLL_ENABLED, DEFAULT_AUTO_ROLL_WARNING_THRESHOLD, DEFAULT_AUTO_ROLL_SWITCH_THRESHOLD, AUTO_ROLL_WARNING_MIN;
+var init_auto_roll_settings = __esm({
+  "../../lib/auto-roll-settings.ts"() {
+    "use strict";
+    DEFAULT_AUTO_ROLL_ENABLED = false;
+    DEFAULT_AUTO_ROLL_WARNING_THRESHOLD = 85;
+    DEFAULT_AUTO_ROLL_SWITCH_THRESHOLD = 95;
+    AUTO_ROLL_WARNING_MIN = 50;
+  }
+});
+
+// ../../lib/sqlite-db.ts
+var sqlite_db_exports = {};
+__export(sqlite_db_exports, {
+  __debugResolveDbPath: () => __debugResolveDbPath,
+  flushDatabase: () => flushDatabase,
+  getDatabase: () => getDatabase,
+  resetDatabaseConnection: () => resetDatabaseConnection
+});
+async function flushDatabase() {
+  if (globalCache.cachedDbPromise) {
+    const db = await globalCache.cachedDbPromise;
+    if (db instanceof SqliteWasmDatabase) {
+      await db.flushPersistence();
+    }
+  }
+}
+function isPlainObject(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function normalizeNamedParameters(params) {
+  const normalized = {};
+  for (const [key, rawValue] of Object.entries(params)) {
+    if (key.startsWith("@") || key.startsWith(":") || key.startsWith("$")) {
+      normalized[key] = rawValue;
+    } else {
+      normalized[`@${key}`] = rawValue;
+    }
+  }
+  return normalized;
+}
+function bindParameters(statement, args) {
+  if (args.length === 0) {
+    return;
+  }
+  if (args.length === 1 && isPlainObject(args[0])) {
+    statement.bind(normalizeNamedParameters(args[0]));
+    return;
+  }
+  statement.bind(args);
+}
+function resolveHomeDir() {
+  const homeDir = process.env.HOME || process.env.USERPROFILE;
+  if (!homeDir) {
+    throw new Error("HOME directory is not set. Unable to initialize CodexUse storage.");
+  }
+  return homeDir;
+}
+function resolveStorageDirectory() {
+  return import_node_path.default.join(resolveHomeDir(), STORAGE_DIRECTORY_NAME);
+}
+function resolveDbPath() {
+  return import_node_path.default.join(resolveStorageDirectory(), STORAGE_FILENAME);
+}
+function ensureStorageDirExists(targetPath) {
+  (0, import_node_fs.mkdirSync)(import_node_path.default.dirname(targetPath), { recursive: true });
+}
+async function instantiateDatabase(dbPath) {
+  try {
+    const bakPath = `${dbPath}.bak`;
+    if ((0, import_node_fs.existsSync)(dbPath)) {
+      const size = (0, import_node_fs.statSync)(dbPath).size;
+      if (size < 1024 && (0, import_node_fs.existsSync)(bakPath)) {
+        const bakSize = (0, import_node_fs.statSync)(bakPath).size;
+        if (bakSize > size) {
+          const backup = (0, import_node_fs.readFileSync)(bakPath);
+          (0, import_node_fs.writeFileSync)(dbPath, backup);
+          console.warn("Detected near-empty SQLite file; restored from backup.");
+        }
+      }
+    }
+  } catch (error) {
+    console.warn("Failed to check/restore SQLite backup:", error);
+  }
+  const SQL = await sqlModulePromise;
+  let fileBuffer;
+  if ((0, import_node_fs.existsSync)(dbPath)) {
+    fileBuffer = new Uint8Array((0, import_node_fs.readFileSync)(dbPath));
+  }
+  const driver = fileBuffer ? new SQL.Database(fileBuffer) : new SQL.Database();
+  const database = new SqliteWasmDatabase(driver, dbPath);
+  database.exec("PRAGMA journal_mode = WAL;");
+  database.exec("PRAGMA foreign_keys = ON;");
+  runMigrations(database);
+  database.persist();
+  return database;
+}
+function readUserVersion(database) {
+  const result = database.prepare("PRAGMA user_version").get();
+  const version = result?.user_version;
+  return typeof version === "number" ? version : 0;
+}
+function ensureChatTables(database) {
+  database.exec(`
+    PRAGMA foreign_keys = ON;
+
+    CREATE TABLE IF NOT EXISTS chat_threads (
+      thread_key TEXT PRIMARY KEY,
+      title TEXT,
+      account_id TEXT,
+      profile_name TEXT,
+      project_label TEXT,
+      project_path TEXT,
+      source_path TEXT,
+      started_at TEXT,
+      ended_at TEXT,
+      last_message_at TEXT,
+      message_count INTEGER DEFAULT 0
+    );
+
+    CREATE TABLE IF NOT EXISTS chat_messages (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      thread_key TEXT NOT NULL,
+      role TEXT,
+      content TEXT NOT NULL,
+      account_id TEXT,
+      profile_name TEXT,
+      created_at TEXT,
+      FOREIGN KEY(thread_key) REFERENCES chat_threads(thread_key) ON DELETE CASCADE
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_chat_messages_thread ON chat_messages(thread_key);
+    CREATE INDEX IF NOT EXISTS idx_chat_messages_created ON chat_messages(created_at);
+
+    CREATE TABLE IF NOT EXISTS chat_ingest_offsets (
+      file_path TEXT PRIMARY KEY,
+      offset INTEGER NOT NULL,
+      mtime_ms INTEGER NOT NULL,
+      size INTEGER NOT NULL
+    );
+  `);
+}
+function ensureSessionTables(database) {
+  database.exec(`
+    PRAGMA foreign_keys = ON;
+
+    CREATE TABLE IF NOT EXISTS sessions (
+      id TEXT PRIMARY KEY,
+      title TEXT,
+      status TEXT,
+      model TEXT,
+      project_label TEXT,
+      project_path TEXT,
+      created_at TEXT NOT NULL,
+      updated_at TEXT NOT NULL,
+      last_message_at TEXT
+    );
+
+    CREATE TABLE IF NOT EXISTS tool_panels (
+      id TEXT PRIMARY KEY,
+      session_id TEXT NOT NULL,
+      type TEXT NOT NULL,
+      title TEXT,
+      state TEXT,
+      metadata TEXT,
+      created_at TEXT NOT NULL,
+      updated_at TEXT NOT NULL,
+      FOREIGN KEY(session_id) REFERENCES sessions(id) ON DELETE CASCADE
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_tool_panels_session ON tool_panels(session_id);
+    CREATE INDEX IF NOT EXISTS idx_tool_panels_type ON tool_panels(type);
+
+    CREATE TABLE IF NOT EXISTS panel_outputs (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      panel_id TEXT NOT NULL,
+      session_id TEXT NOT NULL,
+      type TEXT NOT NULL,
+      data TEXT NOT NULL,
+      created_at TEXT NOT NULL,
+      FOREIGN KEY(panel_id) REFERENCES tool_panels(id) ON DELETE CASCADE,
+      FOREIGN KEY(session_id) REFERENCES sessions(id) ON DELETE CASCADE
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_panel_outputs_panel ON panel_outputs(panel_id);
+    CREATE INDEX IF NOT EXISTS idx_panel_outputs_session ON panel_outputs(session_id);
+    CREATE INDEX IF NOT EXISTS idx_panel_outputs_created ON panel_outputs(created_at);
+
+    CREATE TABLE IF NOT EXISTS notes (
+      id TEXT PRIMARY KEY,
+      user_id TEXT,
+      title TEXT NOT NULL,
+      content TEXT NOT NULL,
+      tags TEXT,
+      is_favorited INTEGER NOT NULL DEFAULT 0,
+      created_at TEXT NOT NULL,
+      updated_at TEXT NOT NULL,
+      synced_at TEXT
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_notes_user ON notes(user_id);
+    CREATE INDEX IF NOT EXISTS idx_notes_updated ON notes(updated_at);
+  `);
+}
+function ensureUsageTables(database) {
+  database.exec(`
+    CREATE TABLE IF NOT EXISTS usage (
+      session_id TEXT PRIMARY KEY,
+      rollout_path TEXT NOT NULL,
+      project_path TEXT,
+      model TEXT,
+      input_tokens INTEGER NOT NULL,
+      cached_input_tokens INTEGER NOT NULL,
+      output_tokens INTEGER NOT NULL,
+      reasoning_output_tokens INTEGER NOT NULL,
+      total_tokens INTEGER NOT NULL,
+      timestamp TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_usage_timestamp ON usage(timestamp);
+  `);
+}
+function runMigrations(database) {
+  let userVersion = readUserVersion(database);
+  if (userVersion < 1) {
+    database.exec(`
+      CREATE TABLE IF NOT EXISTS profiles (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        name TEXT NOT NULL UNIQUE,
+        data TEXT NOT NULL,
+        account_id TEXT,
+        workspace_id TEXT,
+        workspace_name TEXT,
+        email TEXT,
+        auth_method TEXT,
+        created_at TEXT,
+        updated_at TEXT
+      );
+
+      CREATE UNIQUE INDEX IF NOT EXISTS idx_profiles_account_workspace
+        ON profiles(account_id, workspace_id)
+        WHERE account_id IS NOT NULL;
+
+      PRAGMA user_version = 1;
+    `);
+    userVersion = 1;
+  }
+  if (userVersion < 2) {
+    database.exec(`PRAGMA user_version = 2;`);
+    userVersion = 2;
+  }
+  if (userVersion < 3) {
+    database.exec(`PRAGMA user_version = 3;`);
+    userVersion = 3;
+  }
+  if (userVersion < 4) {
+    let legacySettings = null;
+    try {
+      const hasKvStore = Boolean(
+        database.prepare(
+          "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'kv_store'"
+        ).get()
+      );
+      if (hasKvStore) {
+        const row = database.prepare("SELECT value FROM kv_store WHERE key = 'settings'").get();
+        if (row?.value) {
+          const parsed = JSON.parse(row.value);
+          if (parsed && typeof parsed === "object") {
+            legacySettings = parsed;
+          }
+        }
+      }
+    } catch (error) {
+      console.warn("Failed to read legacy Codex settings:", error);
+    }
+    database.exec(`
+      PRAGMA foreign_keys = OFF;
+
+      DROP TABLE IF EXISTS rate_limit_snapshots;
+      DROP TABLE IF EXISTS chat_messages;
+      DROP TABLE IF EXISTS chat_threads;
+      DROP TABLE IF EXISTS kv_store;
+
+      CREATE TABLE IF NOT EXISTS app_settings (
+        id INTEGER PRIMARY KEY CHECK (id = 1),
+        last_profile_name TEXT,
+        license_key TEXT,
+        purchase_email TEXT,
+        last_verified_at TEXT,
+        next_check_at TEXT,
+        last_verification_error TEXT,
+        status TEXT
+      );
+
+      INSERT OR IGNORE INTO app_settings (id) VALUES (1);
+
+      PRAGMA foreign_keys = ON;
+    `);
+    if (legacySettings) {
+      const license = legacySettings.license;
+      database.prepare(
+        `UPDATE app_settings
+         SET last_profile_name = @lastProfileName,
+             license_key = @licenseKey,
+             purchase_email = @purchaseEmail,
+             last_verified_at = @lastVerifiedAt,
+             next_check_at = @nextCheckAt,
+             last_verification_error = @lastVerificationError,
+             status = @status
+         WHERE id = 1`
+      ).run({
+        lastProfileName: typeof legacySettings.lastProfileName === "string" ? legacySettings.lastProfileName : null,
+        licenseKey: license && typeof license.licenseKey === "string" ? license.licenseKey : null,
+        purchaseEmail: license && typeof license.purchaseEmail === "string" ? license.purchaseEmail : null,
+        lastVerifiedAt: license && typeof license.lastVerifiedAt === "string" ? license.lastVerifiedAt : null,
+        nextCheckAt: license && typeof license.nextCheckAt === "string" ? license.nextCheckAt : null,
+        lastVerificationError: license && typeof license.lastVerificationError === "string" ? license.lastVerificationError : null,
+        status: license && typeof license.status === "string" ? license.status : null
+      });
+    }
+    database.exec(`PRAGMA user_version = 4;`);
+    userVersion = 4;
+  }
+  if (userVersion < 5) {
+    database.exec(`
+      ALTER TABLE app_settings ADD COLUMN auto_roll_enabled INTEGER;
+      ALTER TABLE app_settings ADD COLUMN auto_roll_warning_threshold INTEGER;
+      ALTER TABLE app_settings ADD COLUMN auto_roll_switch_threshold INTEGER;
+
+      PRAGMA user_version = 5;
+    `);
+    userVersion = 5;
+  }
+  if (userVersion < 6) {
+    database.exec(`
+      CREATE TABLE IF NOT EXISTS app_kv (
+        key TEXT PRIMARY KEY,
+        value TEXT NOT NULL
+      );
+    `);
+    let appSettingsRow = null;
+    try {
+      const hasAppSettings = Boolean(
+        database.prepare(
+          "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'app_settings'"
+        ).get()
+      );
+      if (hasAppSettings) {
+        appSettingsRow = database.prepare(
+          `SELECT last_profile_name, license_key, purchase_email,
+                    last_verified_at, next_check_at, last_verification_error, status,
+                    auto_roll_enabled, auto_roll_warning_threshold, auto_roll_switch_threshold
+             FROM app_settings
+             WHERE id = 1`
+        ).get();
+      }
+    } catch (error) {
+      console.warn("Failed to read legacy app_settings row:", error);
+    }
+    try {
+      const upsertKv = database.prepare("INSERT OR REPLACE INTO app_kv (key, value) VALUES (@key, @value)");
+      if (appSettingsRow) {
+        const lastProfile = typeof appSettingsRow.last_profile_name === "string" ? appSettingsRow.last_profile_name.trim() : "";
+        if (lastProfile) {
+          upsertKv.run({ key: "last_profile_name", value: JSON.stringify(lastProfile) });
+        }
+        const license = {
+          licenseKey: typeof appSettingsRow.license_key === "string" ? appSettingsRow.license_key : null,
+          purchaseEmail: typeof appSettingsRow.purchase_email === "string" ? appSettingsRow.purchase_email : null,
+          lastVerifiedAt: typeof appSettingsRow.last_verified_at === "string" ? appSettingsRow.last_verified_at : null,
+          nextCheckAt: typeof appSettingsRow.next_check_at === "string" ? appSettingsRow.next_check_at : null,
+          lastVerificationError: typeof appSettingsRow.last_verification_error === "string" ? appSettingsRow.last_verification_error : null,
+          status: typeof appSettingsRow.status === "string" ? appSettingsRow.status : null
+        };
+        const hasLicenseData = Boolean(
+          license.licenseKey ?? license.purchaseEmail ?? license.lastVerifiedAt ?? license.nextCheckAt ?? license.lastVerificationError ?? license.status
+        );
+        if (hasLicenseData) {
+          upsertKv.run({ key: "license", value: JSON.stringify(license) });
+        }
+        const hasAutoRollData = typeof appSettingsRow.auto_roll_enabled === "number" || typeof appSettingsRow.auto_roll_warning_threshold === "number" || typeof appSettingsRow.auto_roll_switch_threshold === "number";
+        if (hasAutoRollData) {
+          const warning = typeof appSettingsRow.auto_roll_warning_threshold === "number" ? appSettingsRow.auto_roll_warning_threshold : DEFAULT_AUTO_ROLL_WARNING_THRESHOLD;
+          const switchThreshold = typeof appSettingsRow.auto_roll_switch_threshold === "number" ? appSettingsRow.auto_roll_switch_threshold : DEFAULT_AUTO_ROLL_SWITCH_THRESHOLD;
+          const autoRoll = {
+            enabled: Boolean(appSettingsRow.auto_roll_enabled ?? DEFAULT_AUTO_ROLL_ENABLED),
+            warningThreshold: warning,
+            switchThreshold
+          };
+          upsertKv.run({ key: "auto_roll", value: JSON.stringify(autoRoll) });
+        }
+      }
+      try {
+        database.exec("DROP TABLE IF EXISTS app_settings;");
+      } catch (error) {
+        console.warn("Failed to drop legacy app_settings table:", error);
+      }
+    } catch (error) {
+      console.warn("Failed to migrate app_settings to app_kv:", error);
+    }
+    database.exec(`PRAGMA user_version = 6;`);
+    userVersion = 6;
+  }
+  if (userVersion < 7) {
+    try {
+      const columns = database.prepare("PRAGMA table_info(profiles)").all();
+      const hasWorkspaceId = Boolean(columns?.some((column) => column.name === "workspace_id"));
+      const hasWorkspaceName = Boolean(columns?.some((column) => column.name === "workspace_name"));
+      if (!hasWorkspaceId) {
+        database.exec(`ALTER TABLE profiles ADD COLUMN workspace_id TEXT;`);
+      }
+      if (!hasWorkspaceName) {
+        database.exec(`ALTER TABLE profiles ADD COLUMN workspace_name TEXT;`);
+      }
+    } catch (error) {
+      console.warn("Failed to add workspace columns during migration:", error);
+    }
+    database.exec(`
+      DROP INDEX IF EXISTS idx_profiles_account;
+      DROP INDEX IF EXISTS idx_profiles_account_workspace;
+
+      CREATE UNIQUE INDEX IF NOT EXISTS idx_profiles_account_workspace
+        ON profiles(account_id, workspace_id)
+        WHERE account_id IS NOT NULL;
+    `);
+    try {
+      const rows = database.prepare("SELECT name, workspace_id FROM profiles").all();
+      const update = database.prepare(
+        "UPDATE profiles SET workspace_id = @workspaceId WHERE name = @name AND (workspace_id IS NULL OR workspace_id = '')"
+      );
+      for (const row of rows) {
+        const name = typeof row.name === "string" ? row.name : null;
+        if (!name) {
+          continue;
+        }
+        const existingWorkspace = typeof row.workspace_id === "string" ? row.workspace_id.trim() : "";
+        if (existingWorkspace) {
+          continue;
+        }
+        update.run({ name, workspaceId: "__default__" });
+      }
+    } catch (error) {
+      console.warn("Failed to backfill workspace_id during migration:", error);
+    }
+    database.exec(`PRAGMA user_version = 7;`);
+    userVersion = 7;
+  }
+  if (userVersion < 8) {
+    ensureChatTables(database);
+    database.exec(`PRAGMA user_version = 8;`);
+    userVersion = 8;
+  }
+  if (userVersion < 9) {
+    ensureSessionTables(database);
+    database.exec(`PRAGMA user_version = 9;`);
+    userVersion = 9;
+  }
+  if (userVersion < 10) {
+    ensureUsageTables(database);
+    database.exec(`PRAGMA user_version = 10;`);
+    userVersion = 10;
+  }
+  if (userVersion < 11) {
+    try {
+      database.exec(`ALTER TABLE usage ADD COLUMN model TEXT;`);
+    } catch {
+    }
+    database.exec(`PRAGMA user_version = 11;`);
+    userVersion = 11;
+  }
+  try {
+    database.exec("PRAGMA foreign_keys = ON;");
+  } catch {
+  }
+  ensureChatTables(database);
+  ensureSessionTables(database);
+  ensureUsageTables(database);
+}
+async function getDatabase() {
+  const dbPath = resolveDbPath();
+  if (!globalCache.cachedDbPromise || globalCache.cachedDbPath !== dbPath) {
+    if (globalCache.cachedDbPromise) {
+      try {
+        const previous = await globalCache.cachedDbPromise;
+        previous.close();
+      } catch {
+      }
+    }
+    globalCache.cachedDbPath = dbPath;
+    globalCache.cachedDbPromise = instantiateDatabase(dbPath);
+  }
+  const db = await globalCache.cachedDbPromise;
+  try {
+    runMigrations(db);
+  } catch (error) {
+    console.warn("Failed to ensure migrations:", error);
+  }
+  return db;
+}
+async function resetDatabaseConnection() {
+  if (globalCache.cachedDbPromise) {
+    try {
+      const db = await globalCache.cachedDbPromise;
+      db.close();
+    } catch {
+    }
+  }
+  globalCache.cachedDbPromise = null;
+  globalCache.cachedDbPath = null;
+}
+function __debugResolveDbPath() {
+  return resolveDbPath();
+}
+var import_node_fs, import_node_path, import_node_module, import_sql, require2, wasmDir, sqlModulePromise, SqliteWasmDatabase, SqliteWasmStatement, STORAGE_DIRECTORY_NAME, STORAGE_FILENAME, GLOBAL_CACHE_KEY, globalCache;
+var init_sqlite_db = __esm({
+  "../../lib/sqlite-db.ts"() {
+    "use strict";
+    import_node_fs = require("fs");
+    import_node_path = __toESM(require("path"));
+    import_node_module = require("module");
+    import_sql = __toESM(require("sql.js"));
+    init_auto_roll_settings();
+    require2 = (0, import_node_module.createRequire)(__filename);
+    wasmDir = import_node_path.default.dirname(require2.resolve("sql.js/dist/sql-wasm.wasm"));
+    sqlModulePromise = (0, import_sql.default)({
+      locateFile: (file) => import_node_path.default.join(wasmDir, file)
+    });
+    SqliteWasmDatabase = class {
+      constructor(driver, dbPath) {
+        this.driver = driver;
+        this.dbPath = dbPath;
+        this.closed = false;
+        this.persistTimeout = null;
+      }
+      get open() {
+        return !this.closed;
+      }
+      prepare(sql) {
+        this.assertOpen();
+        return new SqliteWasmStatement(this, sql);
+      }
+      createStatement(sql) {
+        this.assertOpen();
+        return this.driver.prepare(sql);
+      }
+      exec(sql) {
+        this.assertOpen();
+        this.driver.exec(sql);
+      }
+      getRowsModified() {
+        this.assertOpen();
+        return this.driver.getRowsModified();
+      }
+      async persist() {
+        this.assertOpen();
+        ensureStorageDirExists(this.dbPath);
+        if (this.persistTimeout) {
+          clearTimeout(this.persistTimeout);
+        }
+        this.persistTimeout = setTimeout(async () => {
+          try {
+            const contents = Buffer.from(this.driver.export());
+            await import_node_fs.promises.writeFile(this.dbPath, contents);
+            this.persistTimeout = null;
+          } catch (error) {
+            console.error("Failed to persist database:", error);
+          }
+        }, 500);
+      }
+      close() {
+        if (!this.closed) {
+          if (this.persistTimeout) {
+            clearTimeout(this.persistTimeout);
+            this.persistTimeout = null;
+            try {
+              const contents = Buffer.from(this.driver.export());
+              (0, import_node_fs.writeFileSync)(this.dbPath, contents);
+            } catch (error) {
+              if (error.code !== "ENOENT") {
+                console.error("Failed to flush database on close:", error);
+              }
+            }
+          }
+          this.driver.close();
+          this.closed = true;
+        }
+      }
+      async flushPersistence() {
+        if (this.persistTimeout) {
+          clearTimeout(this.persistTimeout);
+          this.persistTimeout = null;
+          try {
+            const contents = Buffer.from(this.driver.export());
+            await import_node_fs.promises.writeFile(this.dbPath, contents);
+          } catch (error) {
+            console.error("Failed to flush database persistence:", error);
+          }
+        }
+      }
+      assertOpen() {
+        if (!this.open) {
+          throw new Error("SQLite database connection is closed.");
+        }
+      }
+    };
+    SqliteWasmStatement = class {
+      constructor(database, sql) {
+        this.database = database;
+        this.sql = sql;
+      }
+      get(...params) {
+        const statement = this.database.createStatement(this.sql);
+        try {
+          bindParameters(statement, params);
+          if (!statement.step()) {
+            return void 0;
+          }
+          return statement.getAsObject();
+        } finally {
+          statement.free();
+        }
+      }
+      all(...params) {
+        const rows = [];
+        const statement = this.database.createStatement(this.sql);
+        try {
+          bindParameters(statement, params);
+          while (statement.step()) {
+            rows.push(statement.getAsObject());
+          }
+        } finally {
+          statement.free();
+        }
+        return rows;
+      }
+      run(...params) {
+        const statement = this.database.createStatement(this.sql);
+        try {
+          bindParameters(statement, params);
+          statement.step();
+        } finally {
+          statement.free();
+        }
+        const changes = this.database.getRowsModified();
+        void this.database.persist();
+        return { changes };
+      }
+    };
+    STORAGE_DIRECTORY_NAME = ".f86eb5e712267207";
+    STORAGE_FILENAME = "state-d64ce728d7a20214.sqlite";
+    GLOBAL_CACHE_KEY = /* @__PURE__ */ Symbol.for("codex.sqliteCache");
+    globalCache = globalThis[GLOBAL_CACHE_KEY] ?? (globalThis[GLOBAL_CACHE_KEY] = {
+      cachedDbPath: null,
+      cachedDbPromise: null
+    });
+  }
+});
+
+// ../../lib/profile-manager.ts
+var import_fs = require("fs");
+var import_path = __toESM(require("path"));
+var import_path2 = require("path");
+var import_toml = require("@iarna/toml");
+
+// ../../lib/codex-settings.ts
+var import_node_fs2 = require("fs");
+var import_node_path2 = __toESM(require("path"));
+
+// ../../lib/logger.ts
+var isTestEnv = process.env.NODE_ENV === "test" || process.env.VITEST === "true" || process.env.VITEST === "1";
+function isMocked(fn) {
+  return Boolean(fn && typeof fn === "function" && "mock" in fn);
+}
+function logWarn(...args) {
+  if (isTestEnv && !isMocked(console.warn)) {
+    return;
+  }
+  console.warn(...args);
+}
+function logError(...args) {
+  if (isTestEnv && !isMocked(console.error)) {
+    return;
+  }
+  console.error(...args);
+}
+
+// ../../lib/codex-settings.ts
+init_auto_roll_settings();
+
+// ../../lib/codex-cli-channel.ts
+var KNOWN_CHANNELS = /* @__PURE__ */ new Set(["stable", "alpha"]);
+function parseCodexCliChannel(value) {
+  if (typeof value !== "string") {
+    return null;
+  }
+  const normalized = value.trim().toLowerCase();
+  if (!normalized) {
+    return null;
+  }
+  return KNOWN_CHANNELS.has(normalized) ? normalized : null;
+}
+
+// ../../lib/codex-settings.ts
+var KEY_LAST_PROFILE_NAME = "last_profile_name";
+var KEY_LICENSE = "license";
+var KEY_AUTO_ROLL = "auto_roll";
+var KEY_LAST_APP_VERSION = "last_app_version";
+var KEY_PENDING_UPDATE_VERSION = "pending_update_version";
+var KEY_CLI_CHANNEL = "cli_channel";
+var SETTINGS_FILE = "settings.json";
+var SETTINGS_BACKUP_FILE = "settings.json.bak";
+function resolveCodexDir() {
+  const homeDir = process.env.HOME || process.env.USERPROFILE || "";
+  return homeDir ? import_node_path2.default.join(homeDir, ".codex") : ".codex";
+}
+function resolveSettingsPath() {
+  return import_node_path2.default.join(resolveCodexDir(), SETTINGS_FILE);
+}
+function resolveBackupSettingsPath() {
+  return import_node_path2.default.join(resolveCodexDir(), SETTINGS_BACKUP_FILE);
+}
+async function ensureCodexDir() {
+  try {
+    await import_node_fs2.promises.mkdir(resolveCodexDir(), { recursive: true });
+  } catch (error) {
+    logWarn("Failed to ensure Codex directory exists:", error);
+  }
+}
+async function writeAtomic(filePath, contents) {
+  const tempPath = `${filePath}.tmp`;
+  await import_node_fs2.promises.mkdir(import_node_path2.default.dirname(filePath), { recursive: true });
+  await import_node_fs2.promises.writeFile(tempPath, contents, "utf8");
+  try {
+    await import_node_fs2.promises.rename(tempPath, filePath);
+  } catch (error) {
+    const code = error.code;
+    if (code === "ENOENT") {
+      await import_node_fs2.promises.writeFile(filePath, contents, "utf8");
+    } else {
+      throw error;
+    }
+  }
+  try {
+    await import_node_fs2.promises.rm(tempPath, { force: true });
+  } catch {
+  }
+}
+function normalizeStoredLicense(raw) {
+  if (!raw || typeof raw !== "object") {
+    return null;
+  }
+  const source = raw;
+  const licenseKey = typeof source.licenseKey === "string" ? source.licenseKey : typeof source.license_key === "string" ? source.license_key : null;
+  const purchaseEmail = typeof source.purchaseEmail === "string" ? source.purchaseEmail : typeof source.purchase_email === "string" ? source.purchase_email : null;
+  const lastVerifiedAt = typeof source.lastVerifiedAt === "string" ? source.lastVerifiedAt : typeof source.last_verified_at === "string" ? source.last_verified_at : null;
+  const nextCheckAt = typeof source.nextCheckAt === "string" ? source.nextCheckAt : typeof source.next_check_at === "string" ? source.next_check_at : null;
+  const lastVerificationError = typeof source.lastVerificationError === "string" ? source.lastVerificationError : typeof source.last_verification_error === "string" ? source.last_verification_error : null;
+  const signature = typeof source.signature === "string" ? source.signature : null;
+  const statusCandidate = typeof source.status === "string" ? source.status : void 0;
+  const license = {
+    licenseKey,
+    purchaseEmail,
+    lastVerifiedAt,
+    nextCheckAt,
+    lastVerificationError,
+    signature,
+    status: statusCandidate
+  };
+  const hasLicenseData = Boolean(
+    license.licenseKey ?? license.purchaseEmail ?? license.lastVerifiedAt ?? license.nextCheckAt ?? license.lastVerificationError ?? license.status
+  );
+  return hasLicenseData ? license : null;
+}
+function normalizeStoredAutoRoll(raw) {
+  if (!raw) {
+    return null;
+  }
+  const parsed = typeof raw === "string" ? parseJsonValue(raw) : raw;
+  if (!parsed || typeof parsed !== "object") {
+    return null;
+  }
+  try {
+    return normalizeAutoRollSettings(parsed);
+  } catch {
+    return null;
+  }
+}
+function parseStoredProfileName(raw) {
+  if (raw === null || raw === void 0) {
+    return null;
+  }
+  if (typeof raw === "string" || typeof raw === "number") {
+    const normalized = String(raw).trim();
+    return normalized.length > 0 ? normalized : null;
+  }
+  const candidate = typeof raw === "string" ? parseJsonValue(raw) : parseJsonValue(raw);
+  if (typeof candidate === "string" || typeof candidate === "number") {
+    const normalized = String(candidate).trim();
+    return normalized.length > 0 ? normalized : null;
+  }
+  return null;
+}
+async function markSettingsCorrupt(settingsPath, raw) {
+  try {
+    const suffix = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+    const backupPath = `${settingsPath}.corrupt-${suffix}`;
+    await import_node_fs2.promises.writeFile(backupPath, raw, "utf8");
+  } catch {
+  }
+}
+async function tryRestoreSettings(fromPath, _targetPath) {
+  try {
+    const raw = await import_node_fs2.promises.readFile(fromPath, "utf8");
+    const parsed = JSON.parse(raw);
+    if (!parsed || typeof parsed !== "object") {
+      return null;
+    }
+    const normalized = normalizeParsedSettings(parsed);
+    await writeSettingsFile(normalized);
+    return normalized;
+  } catch {
+    return null;
+  }
+}
+function normalizeParsedSettings(parsed) {
+  const license = normalizeStoredLicense(parsed.license ?? parsed[KEY_LICENSE]);
+  const autoRoll = normalizeStoredAutoRoll(parsed.autoRoll ?? parsed[KEY_AUTO_ROLL]);
+  const lastProfileName = parseStoredProfileName(
+    parsed.lastProfileName ?? parsed[KEY_LAST_PROFILE_NAME]
+  );
+  const lastAppVersion = typeof parsed.lastAppVersion === "string" ? parsed.lastAppVersion : typeof parsed[KEY_LAST_APP_VERSION] === "string" ? parsed[KEY_LAST_APP_VERSION] : null;
+  const pendingUpdateVersion = typeof parsed.pendingUpdateVersion === "string" ? parsed.pendingUpdateVersion : typeof parsed[KEY_PENDING_UPDATE_VERSION] === "string" ? parsed[KEY_PENDING_UPDATE_VERSION] : null;
+  const cliChannel = parseCodexCliChannel(
+    parsed.cliChannel ?? parsed[KEY_CLI_CHANNEL]
+  );
+  return {
+    ...license ? { license } : {},
+    ...autoRoll ? { autoRoll } : {},
+    ...lastProfileName ? { lastProfileName } : {},
+    ...lastAppVersion ? { lastAppVersion } : {},
+    ...pendingUpdateVersion ? { pendingUpdateVersion } : {},
+    ...cliChannel ? { cliChannel } : {}
+  };
+}
+async function readSettingsFromDisk() {
+  const settingsPath = resolveSettingsPath();
+  try {
+    const raw = await import_node_fs2.promises.readFile(settingsPath, "utf8");
+    const parsed = JSON.parse(raw);
+    if (!parsed || typeof parsed !== "object") {
+      return null;
+    }
+    return normalizeParsedSettings(parsed);
+  } catch (error) {
+    if (error.code === "ENOENT") {
+      return null;
+    }
+    if (error instanceof SyntaxError) {
+      try {
+        const raw = await import_node_fs2.promises.readFile(settingsPath, "utf8");
+        await markSettingsCorrupt(settingsPath, raw);
+        const restoredFromTemp = await tryRestoreSettings(`${settingsPath}.tmp`, settingsPath);
+        if (restoredFromTemp) {
+          return restoredFromTemp;
+        }
+        const restoredFromBackup = await tryRestoreSettings(resolveBackupSettingsPath(), settingsPath);
+        if (restoredFromBackup) {
+          return restoredFromBackup;
+        }
+        await import_node_fs2.promises.writeFile(settingsPath, "{}\n", "utf8");
+      } catch {
+      }
+    }
+    logWarn("Failed to parse Codex settings file, using defaults:", error);
+    return null;
+  }
+}
+async function migrateSettingsFromDatabase() {
+  try {
+    const { __debugResolveDbPath: __debugResolveDbPath2, getDatabase: getDatabase2 } = await Promise.resolve().then(() => (init_sqlite_db(), sqlite_db_exports));
+    const dbPath = __debugResolveDbPath2();
+    try {
+      await import_node_fs2.promises.access(dbPath);
+    } catch {
+      return null;
+    }
+    const db = await getDatabase2();
+    const rows = db.prepare(
+      `SELECT key, value
+         FROM app_kv
+         WHERE key IN ('${KEY_LAST_PROFILE_NAME}', '${KEY_LICENSE}', '${KEY_AUTO_ROLL}', '${KEY_LAST_APP_VERSION}', '${KEY_PENDING_UPDATE_VERSION}', '${KEY_CLI_CHANNEL}')`
+    ).all();
+    if (!rows || rows.length === 0) {
+      return null;
+    }
+    const kv = /* @__PURE__ */ new Map();
+    for (const row of rows) {
+      if (!row.key) continue;
+      if (typeof row.value === "string") {
+        kv.set(row.key, parseJsonValue(row.value));
+      } else {
+        kv.set(row.key, row.value);
+      }
+    }
+    const license = normalizeStoredLicense(kv.get(KEY_LICENSE));
+    const autoRoll = normalizeStoredAutoRoll(kv.get(KEY_AUTO_ROLL));
+    const lastProfileName = parseStoredProfileName(kv.get(KEY_LAST_PROFILE_NAME));
+    const lastAppVersion = typeof kv.get(KEY_LAST_APP_VERSION) === "string" ? kv.get(KEY_LAST_APP_VERSION) : null;
+    const pendingUpdateVersion = typeof kv.get(KEY_PENDING_UPDATE_VERSION) === "string" ? kv.get(KEY_PENDING_UPDATE_VERSION) : null;
+    const cliChannel = parseCodexCliChannel(kv.get(KEY_CLI_CHANNEL));
+    const settings = {
+      ...license ? { license } : {},
+      ...autoRoll ? { autoRoll } : {},
+      ...lastProfileName ? { lastProfileName } : {},
+      ...lastAppVersion ? { lastAppVersion } : {},
+      ...pendingUpdateVersion ? { pendingUpdateVersion } : {},
+      ...cliChannel ? { cliChannel } : {}
+    };
+    if (Object.keys(settings).length === 0) {
+      return null;
+    }
+    await writeSettingsFile(settings);
+    return settings;
+  } catch (error) {
+    logWarn("Failed to migrate Codex settings from database:", error);
+    return null;
+  }
+}
+async function readSettingsFile() {
+  await ensureCodexDir();
+  const diskSettings = await readSettingsFromDisk();
+  if (diskSettings) {
+    return diskSettings;
+  }
+  const migrated = await migrateSettingsFromDatabase();
+  if (migrated) {
+    return migrated;
+  }
+  return {};
+}
+async function writeSettingsFile(settings) {
+  await ensureCodexDir();
+  const normalizedAutoRoll = settings.autoRoll ? normalizeAutoRollSettings(settings.autoRoll) : null;
+  const normalizedLicense = settings.license ? {
+    licenseKey: settings.license.licenseKey ?? null,
+    purchaseEmail: settings.license.purchaseEmail ?? null,
+    lastVerifiedAt: settings.license.lastVerifiedAt ?? null,
+    nextCheckAt: settings.license.nextCheckAt ?? null,
+    lastVerificationError: settings.license.lastVerificationError ?? null,
+    status: settings.license.status ?? void 0,
+    signature: settings.license.signature ?? null
+  } : null;
+  const payload = {
+    ...settings.lastProfileName ? { lastProfileName: settings.lastProfileName } : {},
+    ...normalizedLicense ? { license: normalizedLicense } : {},
+    ...normalizedAutoRoll ? { autoRoll: normalizedAutoRoll } : {},
+    ...settings.lastAppVersion ? { lastAppVersion: settings.lastAppVersion } : {},
+    ...settings.pendingUpdateVersion ? { pendingUpdateVersion: settings.pendingUpdateVersion } : {},
+    ...settings.cliChannel ? { cliChannel: settings.cliChannel } : {}
+  };
+  const serialized = JSON.stringify(payload, null, 2);
+  const settingsPath = resolveSettingsPath();
+  const backupPath = resolveBackupSettingsPath();
+  const contents = `${serialized}
+`;
+  await writeAtomic(settingsPath, contents);
+  try {
+    await writeAtomic(backupPath, contents);
+  } catch (error) {
+    logWarn("Failed to write Codex settings backup:", error);
+  }
+}
+function parseJsonValue(value) {
+  if (typeof value !== "string") {
+    return null;
+  }
+  try {
+    return JSON.parse(value);
+  } catch {
+    return value;
+  }
+}
+async function getCodexSettings() {
+  return readSettingsFile();
+}
+async function setCodexSettings(settings) {
+  await writeSettingsFile(settings);
+}
+async function getLastProfileName() {
+  const settings = await getCodexSettings();
+  const candidate = settings.lastProfileName;
+  if (typeof candidate !== "string") {
+    return null;
+  }
+  const trimmed = candidate.trim();
+  return trimmed.length === 0 ? null : trimmed;
+}
+async function persistLastProfileName(profileName) {
+  const settings = await getCodexSettings();
+  if (profileName && profileName.trim().length > 0) {
+    settings.lastProfileName = profileName.trim();
+  } else if (settings.lastProfileName) {
+    delete settings.lastProfileName;
+  }
+  await setCodexSettings(settings);
+}
+async function getStoredLicense() {
+  const settings = await getCodexSettings();
+  if (!settings.license) {
+    return null;
+  }
+  return settings.license;
+}
+async function persistLicense(license) {
+  const settings = await getCodexSettings();
+  if (license) {
+    settings.license = {
+      licenseKey: license.licenseKey ?? null,
+      purchaseEmail: license.purchaseEmail ?? null,
+      lastVerifiedAt: license.lastVerifiedAt ?? null,
+      nextCheckAt: license.nextCheckAt ?? null,
+      lastVerificationError: license.lastVerificationError ?? null,
+      status: license.status ?? "inactive",
+      signature: license.signature ?? null
+    };
+  } else if (settings.license) {
+    delete settings.license;
+  }
+  await setCodexSettings(settings);
+}
+
+// ../../lib/profile-manager.ts
+var TOKEN_EXPIRING_SOON_WINDOW_MS = 15 * 60 * 1e3;
+var REFRESH_TOKEN_REDEEMED_SNIPPET = "refresh token was already used";
+var REFRESH_TOKEN_REDEEMED_REASON = "Your access token could not be refreshed because your refresh token was already used. Please log out and sign in again.";
+var AUTH_BACKUP_MISSING_MARKER = "__codexuse_missing_auth__";
+var DEFAULT_WORKSPACE_ID = "__default__";
+var PROFILE_RECORD_FILENAME = "profile.json";
+var ProfileManager = class {
+  constructor() {
+    const homeDir = process.env.HOME || process.env.USERPROFILE || "";
+    this.codexDir = (0, import_path2.join)(homeDir, ".codex");
+    this.profilesDir = (0, import_path2.join)(this.codexDir, "profiles");
+    this.profileHomesRoot = (0, import_path2.join)(this.codexDir, "profile-homes");
+    this.migrationsDir = (0, import_path2.join)(this.codexDir, "migrations");
+    this.profileMigrationMarker = (0, import_path2.join)(this.migrationsDir, "profiles-v1");
+    this.activeAuth = (0, import_path2.join)(this.codexDir, "auth.json");
+    this.activeAuthBackup = `${this.activeAuth}.swap`;
+    this.lastActiveAuthErrorSignature = null;
+    this.authSwapLock = Promise.resolve();
+  }
+  computeExpiryIso(data) {
+    if (!data) {
+      return void 0;
+    }
+    if (typeof data.expired === "string" && data.expired.trim()) {
+      const parsed = Date.parse(data.expired);
+      if (!Number.isNaN(parsed)) {
+        return new Date(parsed).toISOString();
+      }
+    }
+    const expiresIn = typeof data.expires_in === "number" && Number.isFinite(data.expires_in) ? data.expires_in : void 0;
+    const issuedMs = typeof data.timestamp === "number" && Number.isFinite(data.timestamp) ? data.timestamp : void 0;
+    const issuedAt = issuedMs ? issuedMs : void 0;
+    const baseMs = issuedAt ?? Date.now();
+    if (expiresIn && expiresIn > 0) {
+      return new Date(baseMs + expiresIn * 1e3).toISOString();
+    }
+    return void 0;
+  }
+  normalizeProfileName(name) {
+    if (typeof name !== "string") {
+      throw new Error("Profile name is required");
+    }
+    const trimmed = name.trim();
+    if (!trimmed) {
+      throw new Error("Profile name must not be empty.");
+    }
+    if (trimmed === "." || trimmed === "..") {
+      throw new Error(`Profile name '${name}' is not allowed.`);
+    }
+    if (/[\\/]/.test(trimmed)) {
+      throw new Error("Profile name cannot contain path separators.");
+    }
+    if (trimmed.includes("\0")) {
+      throw new Error("Profile name contains invalid characters.");
+    }
+    return trimmed;
+  }
+  isNotFoundError(error) {
+    return Boolean(
+      error && typeof error === "object" && "code" in error && error.code === "ENOENT"
+    );
+  }
+  async readPreferredProfileName() {
+    try {
+      return await getLastProfileName();
+    } catch (error) {
+      logWarn("Failed to read preferred profile name:", error);
+      return null;
+    }
+  }
+  async persistPreferredProfileName(name) {
+    try {
+      await persistLastProfileName(name);
+    } catch (error) {
+      logWarn("Failed to persist preferred profile name:", error);
+    }
+  }
+  getProfileRecordPath(profileName) {
+    return (0, import_path2.join)(this.getProfileHomePath(profileName), PROFILE_RECORD_FILENAME);
+  }
+  parseProfileRecordPayload(profileName, parsed) {
+    if (!parsed || typeof parsed !== "object") {
+      return null;
+    }
+    const dataRaw = parsed["data"];
+    let data = null;
+    if (dataRaw && typeof dataRaw === "object") {
+      data = dataRaw;
+    } else if (typeof dataRaw === "string") {
+      try {
+        data = JSON.parse(dataRaw);
+      } catch (error) {
+        logWarn(`Failed to parse data payload for profile '${profileName}':`, error);
+        return null;
+      }
+    } else {
+      return null;
+    }
+    const createdAt = typeof parsed["createdAt"] === "string" ? parsed["createdAt"] : typeof parsed["created_at"] === "string" ? parsed["created_at"] : null;
+    const updatedAt = typeof parsed["updatedAt"] === "string" ? parsed["updatedAt"] : typeof parsed["updated_at"] === "string" ? parsed["updated_at"] : null;
+    const metadata = parsed["metadata"] && typeof parsed["metadata"] === "object" ? parsed["metadata"] : void 0;
+    const displayName = typeof parsed["displayName"] === "string" ? parsed["displayName"] : typeof parsed["display_name"] === "string" ? parsed["display_name"] : null;
+    return {
+      name: profileName,
+      displayName,
+      data,
+      metadata,
+      accountId: typeof parsed["accountId"] === "string" ? parsed["accountId"] : typeof parsed["account_id"] === "string" ? parsed["account_id"] : null,
+      workspaceId: typeof parsed["workspaceId"] === "string" ? parsed["workspaceId"] : typeof parsed["workspace_id"] === "string" ? parsed["workspace_id"] : null,
+      workspaceName: typeof parsed["workspaceName"] === "string" ? parsed["workspaceName"] : typeof parsed["workspace_name"] === "string" ? parsed["workspace_name"] : null,
+      email: typeof parsed["email"] === "string" ? parsed["email"] : typeof parsed["email"] === "boolean" ? null : null,
+      authMethod: typeof parsed["authMethod"] === "string" ? parsed["authMethod"] : typeof parsed["auth_method"] === "string" ? parsed["auth_method"] : null,
+      createdAt,
+      updatedAt
+    };
+  }
+  decodeProfileRecord(profileName, raw, sourceLabel) {
+    try {
+      const parsed = JSON.parse(raw);
+      return this.parseProfileRecordPayload(profileName, parsed);
+    } catch (error) {
+      logWarn(`Failed to parse profile record '${profileName}' from '${sourceLabel}':`, error);
+      return null;
+    }
+  }
+  async recoverProfileRecord(recordPath, profileName) {
+    const candidates = [`${recordPath}.bak`, `${recordPath}.tmp`];
+    for (const candidate of candidates) {
+      let raw;
+      try {
+        raw = await import_fs.promises.readFile(candidate, "utf8");
+      } catch (error) {
+        if (!this.isNotFoundError(error)) {
+          logWarn(`Failed to read backup for '${profileName}' from '${candidate}':`, error);
+        }
+        continue;
+      }
+      const decoded = this.decodeProfileRecord(profileName, raw, candidate);
+      if (!decoded) {
+        continue;
+      }
+      try {
+        await this.writeProfileRecord(decoded);
+      } catch (error) {
+        logWarn(`Failed to restore profile '${profileName}' from '${candidate}':`, error);
+      }
+      return decoded;
+    }
+    return null;
+  }
+  async readProfileRecord(profileName) {
+    const recordPath = this.getProfileRecordPath(profileName);
+    try {
+      const raw = await import_fs.promises.readFile(recordPath, "utf8");
+      const decoded = this.decodeProfileRecord(profileName, raw, recordPath);
+      if (decoded) {
+        return decoded;
+      }
+    } catch (error) {
+      if (!this.isNotFoundError(error)) {
+        logWarn(`Failed to read profile record '${profileName}':`, error);
+      }
+    }
+    return this.recoverProfileRecord(recordPath, profileName);
+  }
+  async listProfileRecords() {
+    const records = [];
+    let entries = [];
+    try {
+      entries = await import_fs.promises.readdir(this.profileHomesRoot);
+    } catch (error) {
+      if (!this.isNotFoundError(error)) {
+        logWarn("Failed to list profile homes:", error);
+      }
+      return records;
+    }
+    for (const entry of entries) {
+      const homePath = (0, import_path2.join)(this.profileHomesRoot, entry);
+      try {
+        const stat = await import_fs.promises.stat(homePath);
+        if (!stat.isDirectory()) {
+          continue;
+        }
+      } catch (error) {
+        if (!this.isNotFoundError(error)) {
+          logWarn(`Failed to inspect profile home '${entry}':`, error);
+        }
+        continue;
+      }
+      try {
+        const normalizedName = this.normalizeProfileName(entry);
+        const record = await this.readProfileRecord(normalizedName);
+        if (record) {
+          records.push(record);
+          continue;
+        }
+        const authPath = (0, import_path2.join)(homePath, "auth.json");
+        try {
+          const authRaw = await import_fs.promises.readFile(authPath, "utf8");
+          const authData = JSON.parse(authRaw);
+          const normalized = this.normalizeProfileData(authData);
+          const metadata = this.extractProfileMetadata(normalized);
+          await this.persistProfileRecord(normalizedName, normalized, metadata);
+          const restored = await this.readProfileRecord(normalizedName);
+          if (restored) {
+            records.push(restored);
+          }
+        } catch (error) {
+          if (!this.isNotFoundError(error)) {
+            logWarn(`Failed to restore profile record for '${normalizedName}' from auth.json:`, error);
+          }
+        }
+      } catch (error) {
+        logWarn(`Skipping invalid profile home '${entry}':`, error);
+      }
+    }
+    return records;
+  }
+  async snapshotExistingProfileRecord(recordPath) {
+    try {
+      const existing = await import_fs.promises.readFile(recordPath, "utf8");
+      if (existing && existing.trim()) {
+        await this.writeAtomic(`${recordPath}.bak`, existing);
+      }
+    } catch (error) {
+      if (!this.isNotFoundError(error)) {
+        logWarn(`Failed to snapshot existing profile record '${recordPath}':`, error);
+      }
+    }
+  }
+  async writeProfileRecord(record) {
+    const recordPath = this.getProfileRecordPath(record.name);
+    const payload = {
+      name: record.name,
+      display_name: record.displayName,
+      data: record.data,
+      metadata: record.metadata,
+      account_id: record.accountId,
+      workspace_id: record.workspaceId,
+      workspace_name: record.workspaceName,
+      email: record.email,
+      auth_method: record.authMethod,
+      created_at: record.createdAt,
+      updated_at: record.updatedAt
+    };
+    const serialized = `${JSON.stringify(payload, null, 2)}
+`;
+    await this.snapshotExistingProfileRecord(recordPath);
+    await this.writeAtomic(recordPath, serialized);
+    try {
+      await this.writeAtomic(`${recordPath}.bak`, serialized);
+    } catch (error) {
+      logWarn(`Failed to persist profile backup for '${record.name}':`, error);
+    }
+  }
+  resolveAuthMethod(data) {
+    const raw = typeof data?.auth_method === "string" ? data.auth_method.trim().toLowerCase() : "";
+    return raw || "codex-cli";
+  }
+  async readActiveAuthFile() {
+    try {
+      const raw = await import_fs.promises.readFile(this.activeAuth, "utf8");
+      const trimmed = raw.trim();
+      if (!trimmed) {
+        return null;
+      }
+      return JSON.parse(trimmed);
+    } catch (error) {
+      if (this.isNotFoundError(error)) {
+        return null;
+      }
+      const message = error instanceof Error ? error.message : "unknown error";
+      const signature = typeof message === "string" ? `${message}:${this.activeAuth}` : this.activeAuth;
+      if (this.lastActiveAuthErrorSignature !== signature) {
+        logWarn("Failed to read active auth file:", error);
+        this.lastActiveAuthErrorSignature = signature;
+      }
+      return null;
+    }
+  }
+  async getActiveAuthAccountId() {
+    const activeAuth = await this.readActiveAuthFile();
+    if (!activeAuth) {
+      return void 0;
+    }
+    return this.getAccountIdFromData(activeAuth);
+  }
+  /**
+   * Decode a JWT payload into an object without validating the signature.
+   */
+  decodeJwtPayload(token) {
+    if (!token || typeof token !== "string") {
+      return null;
+    }
+    const segments = token.split(".");
+    if (segments.length < 2) {
+      return null;
+    }
+    try {
+      const payload = Buffer.from(segments[1], "base64url").toString("utf8");
+      return JSON.parse(payload);
+    } catch {
+      return null;
+    }
+  }
+  toIsoStringFromSeconds(seconds) {
+    if (typeof seconds !== "number" || Number.isNaN(seconds)) {
+      return void 0;
+    }
+    try {
+      return new Date(seconds * 1e3).toISOString();
+    } catch {
+      return void 0;
+    }
+  }
+  normalizeEmailCandidate(value) {
+    if (typeof value !== "string") {
+      return void 0;
+    }
+    const trimmed = value.trim();
+    if (!trimmed || trimmed.includes(" ")) {
+      return void 0;
+    }
+    const atIndex = trimmed.indexOf("@");
+    if (atIndex <= 0 || atIndex === trimmed.length - 1) {
+      return void 0;
+    }
+    const domain = trimmed.slice(atIndex + 1);
+    if (!domain || !domain.includes(".")) {
+      return void 0;
+    }
+    return trimmed;
+  }
+  pickFirstEmail(candidates) {
+    for (const candidate of candidates) {
+      const normalized = this.normalizeEmailCandidate(candidate);
+      if (normalized) {
+        return normalized;
+      }
+    }
+    return void 0;
+  }
+  findEmailInObject(value, seen = /* @__PURE__ */ new Set()) {
+    if (!value || typeof value !== "object") {
+      return void 0;
+    }
+    if (seen.has(value)) {
+      return void 0;
+    }
+    seen.add(value);
+    if (Array.isArray(value)) {
+      for (const entry of value) {
+        const nested = this.findEmailInObject(entry, seen);
+        if (nested) {
+          return nested;
+        }
+      }
+      return void 0;
+    }
+    for (const [key, entry] of Object.entries(value)) {
+      if (typeof entry === "string") {
+        const normalized = this.normalizeEmailCandidate(entry);
+        const lowerKey = key.toLowerCase();
+        const keyHintsAtEmail = lowerKey.includes("email") || lowerKey.includes("contact") || lowerKey.includes("username") || lowerKey.includes("login");
+        if (normalized && (keyHintsAtEmail || entry.includes("@"))) {
+          return normalized;
+        }
+      }
+      if (entry && typeof entry === "object") {
+        const nested = this.findEmailInObject(entry, seen);
+        if (nested) {
+          return nested;
+        }
+      }
+    }
+    return void 0;
+  }
+  resolveProfileEmail(data, metadata) {
+    const direct = this.normalizeEmailCandidate(data.email);
+    if (direct) {
+      return direct;
+    }
+    if (metadata?.email) {
+      return metadata.email;
+    }
+    return this.findEmailInObject(data);
+  }
+  evaluateTokenStatus(data, metadata) {
+    const expiresAt = metadata?.tokenExpiresAt ?? this.computeExpiryIso(data);
+    const parsedExpiry = expiresAt ? Date.parse(expiresAt) : Number.NaN;
+    const hasExpiry = !Number.isNaN(parsedExpiry);
+    const tokenAlert = data.tokenAlert;
+    if (!data || typeof data !== "object" || Object.keys(data).length === 0) {
+      return {
+        state: "missing",
+        reason: "No authentication data saved for this profile.",
+        expiresAt,
+        issue: "auth-missing",
+        requiresUserAction: true
+      };
+    }
+    if (tokenAlert?.issue) {
+      const reason = typeof tokenAlert.reason === "string" && tokenAlert.reason.trim().length > 0 ? tokenAlert.reason.trim() : tokenAlert.issue === "refresh-redeemed" ? REFRESH_TOKEN_REDEEMED_REASON : "Authentication needs attention. Re-login this profile.";
+      const issue = tokenAlert.issue ?? "auth-missing";
+      return {
+        state: "invalid",
+        reason,
+        expiresAt,
+        issue,
+        requiresUserAction: true
+      };
+    }
+    if (!data.access_token) {
+      return {
+        state: "missing",
+        reason: "Access token is missing. Re-authenticate with Codex CLI.",
+        expiresAt,
+        issue: "access-missing",
+        requiresUserAction: true
+      };
+    }
+    if (!this.decodeJwtPayload(data.access_token)) {
+      return {
+        state: "invalid",
+        reason: "Access token is corrupted or not a valid JWT.",
+        expiresAt,
+        issue: "access-invalid",
+        requiresUserAction: true
+      };
+    }
+    const refreshToken = typeof data.refresh_token === "string" ? data.refresh_token.trim() : "";
+    if (!refreshToken) {
+      return {
+        state: "missing",
+        reason: "Refresh token is missing. Run Codex login again.",
+        expiresAt,
+        issue: "refresh-missing",
+        requiresUserAction: true
+      };
+    }
+    if (hasExpiry) {
+      const diff = parsedExpiry - Date.now();
+      if (diff <= 0) {
+        return {
+          state: "expiring",
+          reason: "Access token expired.",
+          expiresAt,
+          accessTokenExpired: true,
+          issue: "access-expired",
+          requiresUserAction: false
+        };
+      }
+      if (diff <= TOKEN_EXPIRING_SOON_WINDOW_MS) {
+        return {
+          state: "expiring",
+          reason: "Access token expires soon.",
+          expiresAt,
+          issue: "access-expiring",
+          requiresUserAction: false
+        };
+      }
+    }
+    return {
+      state: "ok",
+      expiresAt,
+      requiresUserAction: false
+    };
+  }
+  extractProfileMetadata(data) {
+    const idPayload = this.decodeJwtPayload(data.id_token);
+    const accessPayload = this.decodeJwtPayload(data.access_token);
+    if (!idPayload && !accessPayload) {
+      return void 0;
+    }
+    const authInfo = idPayload?.["https://api.openai.com/auth"] ?? accessPayload?.["https://api.openai.com/auth"];
+    const profileInfo = accessPayload?.["https://api.openai.com/profile"];
+    const getNumber = (obj, key) => typeof obj?.[key] === "number" ? obj[key] : void 0;
+    const getString = (obj, key) => typeof obj?.[key] === "string" ? obj[key] : void 0;
+    const exp = getNumber(idPayload, "exp") ?? getNumber(accessPayload, "exp");
+    const iat = getNumber(idPayload, "iat") ?? getNumber(accessPayload, "iat");
+    const authTime = getNumber(idPayload, "auth_time") ?? getNumber(accessPayload, "auth_time");
+    const organizationsRaw = Array.isArray(authInfo?.["organizations"]) ? authInfo?.["organizations"] : void 0;
+    const organizations = organizationsRaw ? organizationsRaw.map((org) => {
+      const record = org;
+      return {
+        id: getString(record, "id"),
+        title: getString(record, "title"),
+        role: getString(record, "role"),
+        isDefault: typeof record?.["is_default"] === "boolean" ? record?.["is_default"] : void 0
+      };
+    }).filter(
+      (org) => org.id || org.title || org.role || typeof org.isDefault === "boolean"
+    ) : void 0;
+    const groups = Array.isArray(authInfo?.["groups"]) ? (authInfo?.["groups"]).filter((group) => typeof group === "string") : void 0;
+    const emailVerified = typeof profileInfo?.["email_verified"] === "boolean" ? profileInfo?.["email_verified"] : typeof idPayload?.["email_verified"] === "boolean" ? idPayload?.["email_verified"] : typeof accessPayload?.["email_verified"] === "boolean" ? accessPayload?.["email_verified"] : void 0;
+    const email = this.pickFirstEmail([
+      getString(profileInfo, "email"),
+      getString(profileInfo, "email_address"),
+      getString(profileInfo, "primary_email"),
+      getString(profileInfo, "default_email"),
+      getString(profileInfo, "contact_email")
+    ]) ?? this.findEmailInObject(profileInfo) ?? this.pickFirstEmail([
+      getString(authInfo, "user_email"),
+      getString(authInfo, "email"),
+      getString(authInfo, "userEmail"),
+      getString(authInfo, "chatgpt_user_email")
+    ]) ?? this.findEmailInObject(authInfo) ?? this.pickFirstEmail([
+      getString(idPayload, "email"),
+      getString(idPayload, "preferred_username"),
+      getString(idPayload, "username")
+    ]) ?? this.findEmailInObject(idPayload) ?? this.pickFirstEmail([
+      getString(accessPayload, "email")
+    ]) ?? this.findEmailInObject(accessPayload);
+    const subscription = authInfo ? {
+      activeStart: getString(authInfo, "chatgpt_subscription_active_start"),
+      activeUntil: getString(authInfo, "chatgpt_subscription_active_until"),
+      lastChecked: getString(authInfo, "chatgpt_subscription_last_checked")
+    } : void 0;
+    const planType = getString(authInfo, "chatgpt_plan_type");
+    const chatgptUserId = getString(authInfo, "chatgpt_user_id");
+    const chatgptAccountUserId = getString(authInfo, "chatgpt_account_user_id");
+    const userId = getString(authInfo, "user_id") ?? chatgptAccountUserId ?? getString(idPayload ?? void 0, "sub") ?? getString(accessPayload ?? void 0, "sub");
+    const metadata = {
+      email,
+      planType,
+      subscription,
+      organizations,
+      groups,
+      userId,
+      chatgptUserId,
+      emailVerified,
+      tokenExpiresAt: this.toIsoStringFromSeconds(exp),
+      tokenIssuedAt: this.toIsoStringFromSeconds(iat),
+      tokenAuthTime: this.toIsoStringFromSeconds(authTime)
+    };
+    const hasMeaningfulData = Boolean(metadata.planType) || Boolean(
+      metadata.subscription && (metadata.subscription.activeStart || metadata.subscription.activeUntil || metadata.subscription.lastChecked)
+    ) || Boolean(metadata.organizations && metadata.organizations.length > 0) || Boolean(metadata.groups && metadata.groups.length > 0) || Boolean(metadata.userId) || Boolean(metadata.chatgptUserId) || Boolean(metadata.email) || typeof metadata.emailVerified === "boolean" || Boolean(metadata.tokenExpiresAt) || Boolean(metadata.tokenIssuedAt) || Boolean(metadata.tokenAuthTime);
+    return hasMeaningfulData ? metadata : void 0;
+  }
+  /**
+   * Initialize the profile manager and create necessary directories
+   */
+  async initialize() {
+    try {
+      await import_fs.promises.mkdir(this.codexDir, { recursive: true });
+    } catch (error) {
+      logError("Failed to ensure Codex directory exists:", error);
+      throw new Error("Failed to initialize profile manager");
+    }
+    try {
+      await import_fs.promises.mkdir(this.profileHomesRoot, { recursive: true });
+    } catch (error) {
+      logError("Failed to ensure profile homes directory exists:", error);
+      throw new Error("Failed to initialize profile manager");
+    }
+    await this.recoverActiveAuthBackup();
+    const migrationsComplete = await this.hasCompletedMigrations();
+    if (!migrationsComplete) {
+      await this.migrateLegacyProfiles();
+      await this.migrateProfilesFromDatabase();
+      await this.removeLegacyArtifacts();
+      await this.markMigrationsComplete();
+    }
+  }
+  /**
+   * Remove deprecated files that previously tracked the current profile.
+   * These are now redundant since we infer the active profile from auth.json.
+   */
+  async removeLegacyArtifacts() {
+    const legacyTargets = [
+      (0, import_path2.join)(this.codexDir, "current-profile.json"),
+      (0, import_path2.join)(this.profilesDir, ".current"),
+      `${this.activeAuth}.backup`,
+      (0, import_path2.join)(this.codexDir, "cache", "rate-limits")
+    ];
+    for (const target of legacyTargets) {
+      try {
+        await import_fs.promises.rm(target, { recursive: true, force: true });
+      } catch (error) {
+        if (!this.isNotFoundError(error)) {
+          logWarn(`Failed to remove legacy artifact '${target}':`, error);
+        }
+      }
+    }
+    try {
+      await import_fs.promises.rm(this.profilesDir, { recursive: true, force: true });
+    } catch (error) {
+      if (!this.isNotFoundError(error)) {
+        logWarn(`Failed to remove legacy profiles directory '${this.profilesDir}':`, error);
+      }
+    }
+  }
+  async hasCompletedMigrations() {
+    try {
+      await import_fs.promises.access(this.profileMigrationMarker);
+      return true;
+    } catch (error) {
+      if (!this.isNotFoundError(error)) {
+        logWarn("Failed to read profile migration marker:", error);
+      }
+      return false;
+    }
+  }
+  async markMigrationsComplete() {
+    try {
+      await import_fs.promises.mkdir(this.migrationsDir, { recursive: true });
+      await import_fs.promises.writeFile(this.profileMigrationMarker, "ok");
+    } catch (error) {
+      logWarn("Failed to persist profile migration marker:", error);
+    }
+  }
+  async migrateLegacyProfiles() {
+    let files;
+    try {
+      files = await import_fs.promises.readdir(this.profilesDir);
+    } catch (error) {
+      if (!this.isNotFoundError(error)) {
+        logWarn("Failed to inspect legacy profiles directory:", error);
+      }
+      return;
+    }
+    if (files.length === 0) {
+      return;
+    }
+    const accountCandidates = /* @__PURE__ */ new Map();
+    const orphanCandidates = [];
+    const insertedNames = /* @__PURE__ */ new Set();
+    for (const file of files) {
+      if (!file.endsWith(".json")) {
+        continue;
+      }
+      const name = file.replace(/\.json$/, "");
+      const filePath = (0, import_path2.join)(this.profilesDir, file);
+      try {
+        const raw = await import_fs.promises.readFile(filePath, "utf8");
+        const data = JSON.parse(raw);
+        const normalizedName = this.normalizeProfileName(name);
+        const metadata = this.extractProfileMetadata(data);
+        const resolvedEmail = this.resolveProfileEmail(data, metadata);
+        if (resolvedEmail) {
+          data.email = resolvedEmail;
+        }
+        const accountId = this.getAccountIdFromData(data);
+        const candidate = {
+          name: normalizedName,
+          data,
+          profile: this.buildProfileFromData(normalizedName, data),
+          accountId
+        };
+        if (accountId) {
+          const existing = accountCandidates.get(accountId);
+          if (existing) {
+            const preferred = this.selectPreferredProfile([existing.profile, candidate.profile]);
+            if (preferred === candidate.profile) {
+              logWarn(
+                `Replacing legacy profile '${existing.name}' with '${normalizedName}' for account '${accountId}'.`
+              );
+              accountCandidates.set(accountId, candidate);
+            } else {
+              logWarn(
+                `Skipping legacy profile '${name}' because account '${accountId}' already exists as '${existing.name}'.`
+              );
+            }
+          } else {
+            accountCandidates.set(accountId, candidate);
+          }
+        } else {
+          orphanCandidates.push(candidate);
+        }
+        await import_fs.promises.rm(filePath, { force: true });
+      } catch (error) {
+        logWarn(`Failed to migrate legacy profile '${name}':`, error);
+      }
+    }
+    const persistQueue = [...accountCandidates.values(), ...orphanCandidates];
+    const existingRecords = await this.listProfileRecords();
+    for (const record of existingRecords) {
+      insertedNames.add(record.name);
+    }
+    for (const candidate of persistQueue) {
+      if (insertedNames.has(candidate.name)) {
+        logWarn(`Skipping legacy profile '${candidate.name}' because it was already imported.`);
+        continue;
+      }
+      try {
+        await this.persistProfileRecord(candidate.name, candidate.data, candidate.profile.metadata);
+        insertedNames.add(candidate.name);
+      } catch (error) {
+        logWarn(`Failed to persist migrated profile '${candidate.name}':`, error);
+      }
+    }
+  }
+  async migrateProfilesFromDatabase() {
+    let rows = [];
+    try {
+      const { getDatabase: getDatabase2 } = await Promise.resolve().then(() => (init_sqlite_db(), sqlite_db_exports));
+      const db = await getDatabase2();
+      rows = db.prepare(
+        "SELECT name, data, account_id, workspace_id, workspace_name, email, auth_method, created_at, updated_at FROM profiles"
+      ).all();
+    } catch (error) {
+      logWarn("Failed to read existing database profiles for migration:", error);
+      return;
+    }
+    if (!rows || rows.length === 0) {
+      return;
+    }
+    const existingNames = new Set((await this.listProfileRecords()).map((record) => record.name));
+    for (const row of rows) {
+      const name = typeof row?.name === "string" ? row.name : null;
+      const serialized = typeof row?.data === "string" ? row.data : null;
+      if (!name || !serialized) {
+        continue;
+      }
+      let data;
+      try {
+        data = JSON.parse(serialized);
+      } catch (error) {
+        logWarn(`Failed to parse database profile '${name}' during migration:`, error);
+        continue;
+      }
+      try {
+        const normalizedName = this.normalizeProfileName(name);
+        if (existingNames.has(normalizedName)) {
+          continue;
+        }
+        data.created_at = data.created_at ?? (typeof row?.created_at === "string" ? row.created_at : void 0);
+        data.email = data.email ?? (typeof row?.email === "string" ? row.email : void 0);
+        data.auth_method = data.auth_method ?? (typeof row?.auth_method === "string" ? row.auth_method : void 0);
+        data.workspace_id = data.workspace_id ?? (typeof row?.workspace_id === "string" ? row.workspace_id : void 0);
+        data.workspace_name = data.workspace_name ?? (typeof row?.workspace_name === "string" ? row.workspace_name : void 0);
+        data.updated_at = data.updated_at ?? (typeof row?.updated_at === "string" ? row.updated_at : void 0);
+        const metadata = this.extractProfileMetadata(data);
+        await this.persistProfileRecord(normalizedName, data, metadata);
+        existingNames.add(normalizedName);
+      } catch (error) {
+        logWarn(`Failed to migrate database profile '${name}':`, error);
+      }
+    }
+  }
+  enqueueAuthSwap(task) {
+    const run = this.authSwapLock.then(task, task);
+    this.authSwapLock = run.then(
+      () => void 0,
+      () => void 0
+    );
+    return run;
+  }
+  async recoverActiveAuthBackup() {
+    let backup;
+    try {
+      backup = await import_fs.promises.readFile(this.activeAuthBackup, "utf8");
+    } catch (error) {
+      if (!this.isNotFoundError(error)) {
+        logWarn("Failed to inspect active auth backup:", error);
+      }
+      return;
+    }
+    try {
+      if (backup === AUTH_BACKUP_MISSING_MARKER) {
+        await import_fs.promises.rm(this.activeAuth, { force: true });
+      } else {
+        try {
+          await this.writeAtomic(this.activeAuth, backup);
+        } catch (error) {
+          logWarn("Failed to restore active auth from backup, falling back to direct write:", error);
+          try {
+            await import_fs.promises.writeFile(this.activeAuth, backup, "utf8");
+          } catch (fallbackError) {
+            logWarn("Direct write failed while restoring active auth backup:", fallbackError);
+          }
+        }
+      }
+    } catch (error) {
+      logWarn("Failed to restore active auth from backup:", error);
+    }
+    try {
+      await import_fs.promises.rm(this.activeAuthBackup, { force: true });
+    } catch (error) {
+      if (!this.isNotFoundError(error)) {
+        logWarn("Failed to remove active auth backup:", error);
+      }
+    }
+  }
+  async writeAtomic(filePath, contents) {
+    const tempPath = `${filePath}.tmp`;
+    const dir = import_path.default.dirname(filePath);
+    await import_fs.promises.mkdir(dir, { recursive: true });
+    await import_fs.promises.writeFile(tempPath, contents, "utf8");
+    try {
+      await import_fs.promises.rename(tempPath, filePath);
+    } catch (error) {
+      try {
+        await import_fs.promises.writeFile(filePath, contents, "utf8");
+      } catch (writeError) {
+        const original = error instanceof Error ? error.message : String(error);
+        const fallback = writeError instanceof Error ? writeError.message : String(writeError);
+        throw new Error(`Atomic write failed (rename: ${original}; direct write: ${fallback})`);
+      }
+    }
+    try {
+      await import_fs.promises.rm(tempPath, { force: true });
+    } catch {
+    }
+  }
+  /**
+   * Extract account_id from auth data (supports both formats)
+   */
+  getAccountIdFromData(data) {
+    if ("account_id" in data && typeof data.account_id === "string" && data.account_id.trim()) {
+      return data.account_id.trim();
+    }
+    if ("tokens" in data && data.tokens && typeof data.tokens === "object") {
+      const accountId = data.tokens.account_id;
+      if (typeof accountId === "string" && accountId.trim()) {
+        return accountId.trim();
+      }
+    }
+    const projectId = "project_id" in data && typeof data.project_id === "string" ? data.project_id?.trim() : void 0;
+    if (projectId) {
+      return projectId;
+    }
+    const email = "email" in data && typeof data.email === "string" ? data.email?.trim() : void 0;
+    return email || void 0;
+  }
+  resolveWorkspaceIdentity(data, metadata) {
+    const directId = "workspace_id" in data && typeof data.workspace_id === "string" ? data.workspace_id.trim() : void 0;
+    const directName = "workspace_name" in data && typeof data.workspace_name === "string" ? data.workspace_name.trim() : void 0;
+    if (directId) {
+      return { id: directId, name: directName };
+    }
+    const organizations = metadata?.organizations;
+    if (organizations && organizations.length > 0) {
+      const preferred = organizations.find((org) => org.isDefault) ?? organizations[0];
+      if (preferred?.id) {
+        return { id: preferred.id, name: preferred.title ?? directName };
+      }
+    }
+    return { id: DEFAULT_WORKSPACE_ID, name: directName };
+  }
+  async getProfileRowByName(name) {
+    const normalized = this.normalizeProfileName(name);
+    const record = await this.readProfileRecord(normalized);
+    return record ?? void 0;
+  }
+  async getProfileRowByAccountId(accountId, options) {
+    const records = await this.listProfileRecords();
+    const matches = records.filter((record) => {
+      const storedAccountId = record.accountId ?? this.getAccountIdFromData(record.data);
+      return storedAccountId === accountId;
+    });
+    if (matches.length === 0) {
+      return void 0;
+    }
+    const mustMatch = typeof options?.authMethod === "string" ? options.authMethod.trim().toLowerCase() : null;
+    if (mustMatch) {
+      return matches.find((record) => this.resolveAuthMethod(record.data) === mustMatch);
+    }
+    const prefer = typeof options?.preferAuthMethod === "string" ? options.preferAuthMethod.trim().toLowerCase() : null;
+    if (prefer) {
+      return matches.find((record) => this.resolveAuthMethod(record.data) === prefer) ?? matches[0];
+    }
+    return matches[0];
+  }
+  async getProfileRowByAccountAndWorkspace(accountId, workspaceId, options) {
+    const workspaceKey = workspaceId && workspaceId.trim().length > 0 ? workspaceId.trim() : DEFAULT_WORKSPACE_ID;
+    const records = await this.listProfileRecords();
+    const matches = records.filter((record) => {
+      const storedAccountId = record.accountId ?? this.getAccountIdFromData(record.data);
+      if (storedAccountId !== accountId) {
+        return false;
+      }
+      const storedWorkspace = record.workspaceId ?? record.data.workspace_id ?? DEFAULT_WORKSPACE_ID;
+      return (storedWorkspace && storedWorkspace.trim() ? storedWorkspace.trim() : DEFAULT_WORKSPACE_ID) === workspaceKey;
+    });
+    if (matches.length === 0) {
+      return void 0;
+    }
+    const mustMatch = typeof options?.authMethod === "string" ? options.authMethod.trim().toLowerCase() : null;
+    if (mustMatch) {
+      return matches.find((record) => this.resolveAuthMethod(record.data) === mustMatch);
+    }
+    const prefer = typeof options?.preferAuthMethod === "string" ? options.preferAuthMethod.trim().toLowerCase() : null;
+    if (prefer) {
+      return matches.find((record) => this.resolveAuthMethod(record.data) === prefer) ?? matches[0];
+    }
+    return matches[0];
+  }
+  async persistProfileRecord(name, data, metadata, options) {
+    const resolvedName = this.normalizeProfileName(name);
+    const existingRecord = await this.readProfileRecord(resolvedName);
+    if (typeof data.auth_method === "string") {
+      data.auth_method = data.auth_method.trim().toLowerCase();
+    }
+    if (!data.auth_method) {
+      data.auth_method = "codex-cli";
+    }
+    const resolvedMetadata = metadata ?? this.extractProfileMetadata(data) ?? existingRecord?.metadata;
+    const workspace = this.resolveWorkspaceIdentity(data, resolvedMetadata);
+    const workspaceId = workspace.id || DEFAULT_WORKSPACE_ID;
+    const workspaceName = workspace.name ?? null;
+    if (!data.workspace_id) {
+      data.workspace_id = workspaceId;
+    }
+    if (!data.workspace_name && workspaceName) {
+      data.workspace_name = workspaceName;
+    }
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const accountId = this.getAccountIdFromData(data) ?? null;
+    const resolvedEmail = this.resolveProfileEmail(data, resolvedMetadata) ?? data.email ?? null;
+    if (resolvedEmail) {
+      data.email = resolvedEmail;
+    }
+    const createdAt = data.created_at ?? existingRecord?.createdAt ?? now;
+    data.created_at = createdAt;
+    const updatedAt = data.updated_at ?? now;
+    data.updated_at = updatedAt;
+    const displayName = typeof options?.displayName === "string" && options.displayName.trim().length > 0 ? options.displayName.trim() : existingRecord?.displayName ?? resolvedName;
+    const record = {
+      name: resolvedName,
+      displayName,
+      data,
+      metadata: resolvedMetadata,
+      accountId,
+      workspaceId: data.workspace_id ?? workspaceId,
+      workspaceName: data.workspace_name ?? workspaceName,
+      email: resolvedEmail ?? null,
+      authMethod: typeof data.auth_method === "string" ? data.auth_method : null,
+      createdAt,
+      updatedAt
+    };
+    await import_fs.promises.mkdir(this.getProfileHomePath(resolvedName), { recursive: true });
+    await this.writeProfileRecord(record);
+  }
+  buildProfileFromRow(row) {
+    const profile = this.buildProfileFromData(row.name, row.data, {
+      displayName: row.displayName ?? void 0,
+      email: row.email ?? void 0,
+      createdAt: row.createdAt ?? void 0,
+      authMethod: row.authMethod ?? void 0,
+      accountId: row.accountId ?? void 0,
+      workspaceId: row.workspaceId ?? void 0,
+      workspaceName: row.workspaceName ?? void 0,
+      metadata: row.metadata
+    });
+    return profile;
+  }
+  buildProfileFromData(name, data, fallback) {
+    const metadata = fallback?.metadata ?? this.extractProfileMetadata(data);
+    const workspace = this.resolveWorkspaceIdentity(data, metadata);
+    const workspaceId = workspace.id || fallback?.workspaceId || DEFAULT_WORKSPACE_ID;
+    const workspaceName = workspace.name ?? fallback?.workspaceName ?? void 0;
+    const email = this.resolveProfileEmail(data, metadata) ?? fallback?.email ?? void 0;
+    const tokenStatus = this.evaluateTokenStatus(data, metadata);
+    const accountId = this.getAccountIdFromData(data) ?? fallback?.accountId;
+    const projectId = typeof data.project_id === "string" && data.project_id.trim().length > 0 ? data.project_id.trim() : fallback?.projectId;
+    return {
+      name,
+      displayName: fallback?.displayName ?? name,
+      isValid: Boolean(data && Object.keys(data).length > 0),
+      accountId,
+      projectId,
+      workspaceId,
+      workspaceName,
+      email,
+      createdAt: data.created_at ?? fallback?.createdAt ?? void 0,
+      authMethod: typeof data.auth_method === "string" ? data.auth_method.trim().toLowerCase() : fallback?.authMethod ?? void 0,
+      metadata,
+      tokenStatus
+    };
+  }
+  parseTimestamp(value) {
+    if (typeof value !== "string" || value.trim() === "") {
+      return null;
+    }
+    const parsed = Date.parse(value);
+    return Number.isNaN(parsed) ? null : parsed;
+  }
+  compareProfilesForPreference(a, b) {
+    if (Boolean(a.isValid) !== Boolean(b.isValid)) {
+      return a.isValid ? -1 : 1;
+    }
+    const aTimestamp = this.parseTimestamp(a.createdAt ?? null);
+    const bTimestamp = this.parseTimestamp(b.createdAt ?? null);
+    if (aTimestamp !== null || bTimestamp !== null) {
+      if (aTimestamp !== null && bTimestamp !== null) {
+        if (aTimestamp > bTimestamp) {
+          return -1;
+        }
+        if (aTimestamp < bTimestamp) {
+          return 1;
+        }
+      } else if (aTimestamp !== null) {
+        return -1;
+      } else {
+        return 1;
+      }
+    }
+    return a.name.localeCompare(b.name);
+  }
+  selectPreferredProfile(profiles) {
+    if (profiles.length <= 1) {
+      return profiles[0];
+    }
+    return profiles.slice().sort((a, b) => this.compareProfilesForPreference(a, b))[0];
+  }
+  /**
+   * Convert profile data to Codex's expected format
+   */
+  convertToCodexFormat(data) {
+    if ("tokens" in data) {
+      return data;
+    }
+    return {
+      OPENAI_API_KEY: null,
+      tokens: {
+        id_token: data.id_token,
+        access_token: data.access_token,
+        refresh_token: data.refresh_token,
+        account_id: data.account_id
+      },
+      last_refresh: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Normalize Codex auth data to flat profile format
+   */
+  normalizeProfileData(data) {
+    if ("id_token" in data) {
+      return data;
+    }
+    const tokens = data.tokens || {};
+    const profile = {
+      id_token: tokens.id_token,
+      access_token: tokens.access_token,
+      refresh_token: tokens.refresh_token,
+      account_id: tokens.account_id
+    };
+    if (data.email) {
+      profile.email = data.email;
+    }
+    return profile;
+  }
+  mergeProfileRecords(existing, incoming) {
+    const merged = {
+      ...existing,
+      ...incoming,
+      created_at: existing.created_at ?? incoming.created_at ?? (/* @__PURE__ */ new Date()).toISOString()
+    };
+    if (typeof merged.auth_method === "string") {
+      merged.auth_method = merged.auth_method.trim().toLowerCase();
+    }
+    if (!merged.auth_method) {
+      merged.auth_method = "codex-cli";
+    }
+    const metadata = this.extractProfileMetadata(merged);
+    const resolvedEmail = this.resolveProfileEmail(merged, metadata);
+    if (resolvedEmail) {
+      merged.email = resolvedEmail;
+    }
+    const workspace = this.resolveWorkspaceIdentity(merged, metadata);
+    if (!merged.workspace_id) {
+      merged.workspace_id = workspace.id || existing.workspace_id || DEFAULT_WORKSPACE_ID;
+    }
+    if (!merged.workspace_name) {
+      merged.workspace_name = workspace.name ?? existing.workspace_name;
+    }
+    if (this.hasTokenChanges(existing, incoming)) {
+      delete merged.tokenAlert;
+    }
+    return { profile: merged, metadata };
+  }
+  hasTokenChanges(existing, incoming) {
+    const tokenKeys = ["id_token", "access_token", "refresh_token", "account_id", "workspace_id"];
+    return tokenKeys.some((key) => {
+      const nextValue = incoming[key];
+      if (typeof nextValue !== "string" || nextValue.length === 0) {
+        return false;
+      }
+      return nextValue !== existing[key];
+    });
+  }
+  async flagRefreshTokenRedeemed(name, reason, options) {
+    await this.initialize();
+    const profileName = this.normalizeProfileName(name);
+    const record = await this.getProfileRowByName(profileName);
+    if (!record) {
+      logWarn(`Cannot flag refresh token issue for missing profile '${profileName}'.`);
+      return;
+    }
+    const observedAt = options?.observedAt ? Date.parse(options.observedAt) : null;
+    const updatedAt = record.updatedAt ? Date.parse(record.updatedAt) : null;
+    if (observedAt !== null && updatedAt !== null && observedAt <= updatedAt) {
+      return;
+    }
+    const data = record.data;
+    const trimmedReason = typeof reason === "string" && reason.trim().length > 0 ? reason.trim() : void 0;
+    const normalized = trimmedReason?.toLowerCase() ?? "";
+    const storedReason = normalized.includes(REFRESH_TOKEN_REDEEMED_SNIPPET) ? REFRESH_TOKEN_REDEEMED_REASON : trimmedReason ?? REFRESH_TOKEN_REDEEMED_REASON;
+    const alert = {
+      issue: "refresh-redeemed",
+      reason: storedReason,
+      recordedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    data.tokenAlert = alert;
+    try {
+      const metadata = this.extractProfileMetadata(data);
+      await this.persistProfileRecord(profileName, data, metadata);
+    } catch (error) {
+      logError(`Failed to persist token alert for profile '${profileName}':`, error);
+    }
+  }
+  async syncProfileTokensFromActiveAuth(profileName, baselineProfile, authPath) {
+    const targetPath = authPath ?? this.activeAuth;
+    try {
+      const authRaw = await import_fs.promises.readFile(targetPath, "utf8");
+      await this.syncProfileTokensFromAuthContent(profileName, baselineProfile, authRaw);
+    } catch (error) {
+      if (!this.isNotFoundError(error)) {
+        logWarn(`Failed to read Codex auth for '${profileName}' while syncing tokens:`, error);
+      }
+    }
+  }
+  async syncProfileTokensFromAuthContent(profileName, baselineProfile, authContent) {
+    let activeAuth;
+    try {
+      activeAuth = JSON.parse(authContent);
+    } catch (error) {
+      logWarn(`Failed to parse Codex auth while syncing tokens for '${profileName}':`, error);
+      return;
+    }
+    const normalized = this.normalizeProfileData(activeAuth);
+    const metadata = this.extractProfileMetadata(normalized);
+    const workspace = this.resolveWorkspaceIdentity(normalized, metadata);
+    normalized.workspace_id = normalized.workspace_id ?? workspace.id ?? DEFAULT_WORKSPACE_ID;
+    if (workspace.name) {
+      normalized.workspace_name = normalized.workspace_name ?? workspace.name;
+    }
+    const hasTokens = typeof normalized.id_token === "string" || typeof normalized.access_token === "string" || typeof normalized.refresh_token === "string";
+    if (!hasTokens) {
+      return;
+    }
+    let existing = baselineProfile;
+    const latestRow = await this.getProfileRowByName(profileName);
+    if (latestRow) {
+      existing = latestRow.data;
+    }
+    const existingAccountId = this.getAccountIdFromData(existing);
+    const newAccountId = this.getAccountIdFromData(normalized);
+    if (existingAccountId && newAccountId && existingAccountId !== newAccountId) {
+      logWarn(
+        `Skipped syncing tokens for profile '${profileName}' because Codex auth switched to account '${newAccountId}'.`
+      );
+      return;
+    }
+    if (!this.hasTokenChanges(existing, normalized)) {
+      return;
+    }
+    const { profile: merged, metadata: mergedMetadata } = this.mergeProfileRecords(existing, normalized);
+    try {
+      await this.persistProfileRecord(profileName, merged, mergedMetadata);
+    } catch (error) {
+      logError(`Failed to persist refreshed tokens for profile '${profileName}':`, error);
+    }
+  }
+  async copyCodexConfig(targetCodexHome) {
+    const candidates = ["config.toml", "config.json", "config.yaml", "config.yml"];
+    for (const file of candidates) {
+      const source = (0, import_path2.join)(this.codexDir, file);
+      const destination = (0, import_path2.join)(targetCodexHome, file);
+      try {
+        await import_fs.promises.copyFile(source, destination);
+      } catch (error) {
+        if (!this.isNotFoundError(error)) {
+          logWarn(`Failed to copy Codex config '${file}' to profile home:`, error);
+        }
+      }
+    }
+  }
+  getProfileHomePath(profileName) {
+    return (0, import_path2.join)(this.profileHomesRoot, profileName);
+  }
+  ensureTrailingNewline(content) {
+    return content.endsWith("\n") ? content : `${content}
+`;
+  }
+  async sanitizeProfileConfig(profileHome) {
+    const configPath = (0, import_path2.join)(profileHome, "config.toml");
+    let raw;
+    try {
+      raw = await import_fs.promises.readFile(configPath, "utf8");
+    } catch (error) {
+      if (!this.isNotFoundError(error)) {
+        logWarn(`Failed to read config for profile home '${profileHome}':`, error);
+      }
+      return;
+    }
+    let parsed;
+    try {
+      parsed = (0, import_toml.parse)(raw);
+    } catch (error) {
+      logWarn(`Failed to parse config.toml for profile home '${profileHome}':`, error);
+      return;
+    }
+    if (!Object.prototype.hasOwnProperty.call(parsed, "model_reasoning_effort")) {
+      return;
+    }
+    delete parsed["model_reasoning_effort"];
+    const sanitized = this.ensureTrailingNewline((0, import_toml.stringify)(parsed));
+    try {
+      await import_fs.promises.writeFile(configPath, sanitized, "utf8");
+    } catch (error) {
+      logWarn(`Failed to write sanitized config.toml for profile home '${profileHome}':`, error);
+    }
+  }
+  async prepareProfileHome(profileName, authData) {
+    const profileHome = this.getProfileHomePath(profileName);
+    await import_fs.promises.mkdir(profileHome, { recursive: true });
+    const authPath = (0, import_path2.join)(profileHome, "auth.json");
+    await this.writeAtomic(authPath, JSON.stringify(authData, null, 2));
+    await this.copyCodexConfig(profileHome);
+    await this.sanitizeProfileConfig(profileHome);
+    return profileHome;
+  }
+  /**
+   * List all available profiles
+   */
+  async profileExists(name) {
+    await this.initialize();
+    const profileName = this.normalizeProfileName(name);
+    return Boolean(await this.getProfileRowByName(profileName));
+  }
+  async listProfiles() {
+    await this.initialize();
+    try {
+      const records = await this.listProfileRecords();
+      return records.map((record) => this.buildProfileFromRow(record)).filter((profile) => !profile.authMethod || profile.authMethod === "codex-cli").sort((a, b) => {
+        const aLabel = a.displayName ?? a.name;
+        const bLabel = b.displayName ?? b.name;
+        const base = aLabel.localeCompare(bLabel);
+        return base !== 0 ? base : a.name.localeCompare(b.name);
+      });
+    } catch (error) {
+      logError("Error reading profiles from disk:", error);
+      return [];
+    }
+  }
+  /**
+   * Create a new profile by running codex login
+   */
+  async createProfile(name) {
+    await this.initialize();
+    const profileName = this.normalizeProfileName(name);
+    if (await this.getProfileRowByName(profileName)) {
+      throw new Error(`Profile '${profileName}' already exists!`);
+    }
+    let authData;
+    try {
+      const authRaw = await import_fs.promises.readFile(this.activeAuth, "utf8");
+      authData = JSON.parse(authRaw);
+    } catch (error) {
+      logError("Error creating profile:", error);
+      throw new Error("Failed to create profile. Make sure Codex CLI is installed and you are logged in.");
+    }
+    const normalizedProfile = this.normalizeProfileData(authData);
+    normalizedProfile.created_at = normalizedProfile.created_at ?? (/* @__PURE__ */ new Date()).toISOString();
+    if (typeof normalizedProfile.auth_method === "string") {
+      normalizedProfile.auth_method = normalizedProfile.auth_method.trim().toLowerCase();
+    }
+    normalizedProfile.auth_method = normalizedProfile.auth_method ?? "codex-cli";
+    const metadata = this.extractProfileMetadata(normalizedProfile);
+    const workspace = this.resolveWorkspaceIdentity(normalizedProfile, metadata);
+    normalizedProfile.workspace_id = normalizedProfile.workspace_id ?? workspace.id ?? DEFAULT_WORKSPACE_ID;
+    if (workspace.name) {
+      normalizedProfile.workspace_name = normalizedProfile.workspace_name ?? workspace.name;
+    }
+    const accountId = this.getAccountIdFromData(normalizedProfile);
+    if (accountId) {
+      const requestedWorkspace = normalizedProfile.workspace_id ?? DEFAULT_WORKSPACE_ID;
+      const duplicate = await this.getProfileRowByAccountAndWorkspace(accountId, requestedWorkspace, { authMethod: "codex-cli" });
+      if (duplicate) {
+        normalizedProfile.workspace_id = `${requestedWorkspace}:${profileName}`;
+        normalizedProfile.workspace_name = normalizedProfile.workspace_name ?? profileName;
+      }
+    }
+    const resolvedEmail = this.resolveProfileEmail(normalizedProfile, metadata);
+    if (resolvedEmail) {
+      normalizedProfile.email = resolvedEmail;
+    }
+    try {
+      await this.persistProfileRecord(profileName, normalizedProfile, metadata);
+      const stored = await this.getProfileRowByName(profileName);
+      return stored ? this.buildProfileFromRow(stored) : null;
+    } catch (error) {
+      logError("Error creating profile:", error);
+      throw new Error("Failed to create profile. Make sure Codex CLI is installed and you are logged in.");
+    }
+  }
+  /**
+   * Switch to a different profile
+   */
+  async switchToProfile(name) {
+    await this.initialize();
+    const profileName = this.normalizeProfileName(name);
+    const record = await this.getProfileRowByName(profileName);
+    if (!record) {
+      throw new Error(`Profile '${profileName}' not found!`);
+    }
+    try {
+      const profileData = record.data;
+      const codexFormat = this.convertToCodexFormat(profileData);
+      await this.writeAtomic(this.activeAuth, JSON.stringify(codexFormat, null, 2));
+      await this.persistPreferredProfileName(profileName);
+      return true;
+    } catch (error) {
+      logError("Error switching profile:", error);
+      throw new Error("Failed to switch profile");
+    }
+  }
+  async refreshProfileAuth(name) {
+    await this.initialize();
+    const profileName = this.normalizeProfileName(name);
+    const record = await this.getProfileRowByName(profileName);
+    if (!record) {
+      throw new Error(`Profile '${profileName}' not found!`);
+    }
+    const existing = record.data;
+    let activeAuth;
+    try {
+      const authContent = await import_fs.promises.readFile(this.activeAuth, "utf8");
+      activeAuth = JSON.parse(authContent);
+    } catch (error) {
+      if (this.isNotFoundError(error)) {
+        throw new Error("Codex CLI did not produce an auth file. Complete the login before refreshing this profile.");
+      }
+      logError("Failed to read Codex auth file during refresh:", error);
+      throw new Error("Failed to read Codex auth file. Complete the login and try again.");
+    }
+    const normalized = this.normalizeProfileData(activeAuth);
+    const existingAccountId = this.getAccountIdFromData(existing);
+    const newAccountId = this.getAccountIdFromData(normalized);
+    const normalizedMetadata = this.extractProfileMetadata(normalized);
+    const normalizedWorkspace = this.resolveWorkspaceIdentity(normalized, normalizedMetadata);
+    normalized.workspace_id = normalized.workspace_id ?? normalizedWorkspace.id ?? DEFAULT_WORKSPACE_ID;
+    if (normalizedWorkspace.name) {
+      normalized.workspace_name = normalized.workspace_name ?? normalizedWorkspace.name;
+    }
+    if (existingAccountId && newAccountId && existingAccountId !== newAccountId) {
+      throw new Error(
+        `Active Codex login is for account '${newAccountId}', but profile '${profileName}' is tied to '${existingAccountId}'. Create a new profile for the new account instead.`
+      );
+    }
+    if (existingAccountId && normalized.workspace_id) {
+      const currentWorkspace = this.resolveWorkspaceIdentity(existing, this.extractProfileMetadata(existing));
+      const targetWorkspaceId = normalized.workspace_id;
+      const currentWorkspaceId = currentWorkspace.id ?? DEFAULT_WORKSPACE_ID;
+      if (targetWorkspaceId !== currentWorkspaceId) {
+        const duplicate = await this.getProfileRowByAccountAndWorkspace(existingAccountId, targetWorkspaceId, {
+          authMethod: this.resolveAuthMethod(existing)
+        });
+        if (duplicate && duplicate.name !== profileName) {
+          throw new Error(
+            `Account is already saved as profile '${duplicate.name}'. Switch to or delete that profile before creating another.`
+          );
+        }
+      }
+    }
+    const { profile: merged, metadata } = this.mergeProfileRecords(existing, normalized);
+    delete merged.tokenAlert;
+    await this.persistProfileRecord(profileName, merged, metadata);
+    const updated = await this.getProfileRowByName(profileName);
+    if (!updated) {
+      throw new Error("Failed to persist refreshed profile data.");
+    }
+    const profile = this.buildProfileFromRow(updated);
+    if (metadata) {
+      profile.metadata = metadata;
+      profile.tokenStatus = this.evaluateTokenStatus(merged, metadata);
+    }
+    return profile;
+  }
+  /**
+   * Execute an action with a profile's auth injected.
+   * Creates an isolated CODEX_HOME with the profile's auth/config, invokes the action
+   * with env overrides, then syncs any refreshed tokens back to the profile.
+   */
+  async runWithProfileAuth(name, action) {
+    return this.enqueueAuthSwap(async () => {
+      await this.initialize();
+      const profileName = this.normalizeProfileName(name);
+      const record = await this.getProfileRowByName(profileName);
+      if (!record) {
+        throw new Error(`Profile '${profileName}' not found!`);
+      }
+      const profileData = record.data;
+      const profileHome = this.getProfileHomePath(profileName);
+      await import_fs.promises.mkdir(profileHome, { recursive: true });
+      if (profileData.auth_method && profileData.auth_method !== "codex-cli") {
+        throw new Error("Unsupported auth method. Codex CLI profiles only.");
+      }
+      const codexFormat = this.convertToCodexFormat(profileData);
+      await this.prepareProfileHome(profileName, codexFormat);
+      const authPath = import_path.default.join(profileHome, "auth.json");
+      const envOverrides = {
+        ...process.env,
+        HOME: profileHome,
+        USERPROFILE: profileHome,
+        CODEX_HOME: profileHome
+      };
+      try {
+        return await action(envOverrides);
+      } finally {
+        let finalAuthContent = null;
+        try {
+          finalAuthContent = await import_fs.promises.readFile(authPath, "utf8");
+        } catch (error) {
+          if (!this.isNotFoundError(error)) {
+            logWarn(`Failed to read isolated auth for '${profileName}' after action:`, error);
+          }
+        }
+        try {
+          if (finalAuthContent) {
+            await this.syncProfileTokensFromAuthContent(profileName, profileData, finalAuthContent);
+          } else {
+            await this.syncProfileTokensFromActiveAuth(profileName, profileData, authPath);
+          }
+        } catch (error) {
+          logWarn(`Failed to sync refreshed tokens for profile '${profileName}':`, error);
+        }
+      }
+    });
+  }
+  /**
+   * Rename a profile
+   */
+  async renameProfile(oldName, newName) {
+    await this.initialize();
+    const sourceName = this.normalizeProfileName(oldName);
+    const targetName = this.normalizeProfileName(newName);
+    const existing = await this.getProfileRowByName(sourceName);
+    if (!existing) {
+      throw new Error(`Profile '${sourceName}' not found!`);
+    }
+    if (await this.getProfileRowByName(targetName)) {
+      throw new Error(`Profile '${targetName}' already exists!`);
+    }
+    const preferred = await this.readPreferredProfileName();
+    if (preferred && preferred === sourceName) {
+      await this.persistPreferredProfileName(targetName);
+    }
+    const oldHome = this.getProfileHomePath(sourceName);
+    const newHome = this.getProfileHomePath(targetName);
+    try {
+      await import_fs.promises.mkdir(this.profileHomesRoot, { recursive: true });
+      await import_fs.promises.rename(oldHome, newHome);
+    } catch (error) {
+      if (!this.isNotFoundError(error)) {
+        logWarn(`Failed to move profile home from '${sourceName}' to '${targetName}':`, error);
+      }
+    }
+    try {
+      const updatedRecord = {
+        ...existing,
+        name: targetName
+      };
+      await this.writeProfileRecord(updatedRecord);
+    } catch (error) {
+      logWarn(`Failed to rewrite profile record after renaming '${sourceName}' to '${targetName}':`, error);
+    }
+    return true;
+  }
+  async updateProfileDisplayName(name, displayName) {
+    await this.initialize();
+    const profileName = this.normalizeProfileName(name);
+    const record = await this.getProfileRowByName(profileName);
+    if (!record) {
+      throw new Error(`Profile '${profileName}' not found!`);
+    }
+    const trimmed = typeof displayName === "string" ? displayName.trim() : "";
+    if (!trimmed) {
+      throw new Error("Profile name must not be empty.");
+    }
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    record.displayName = trimmed;
+    record.updatedAt = now;
+    record.data.updated_at = now;
+    await this.writeProfileRecord(record);
+    return true;
+  }
+  /**
+   * Delete a profile
+   */
+  async deleteProfile(name) {
+    await this.initialize();
+    const profileName = this.normalizeProfileName(name);
+    const record = await this.getProfileRowByName(profileName);
+    if (!record) {
+      throw new Error(`Profile '${profileName}' not found!`);
+    }
+    const preferred = await this.readPreferredProfileName();
+    if (preferred && preferred === profileName) {
+      await this.persistPreferredProfileName(null);
+    }
+    try {
+      await import_fs.promises.rm(this.getProfileHomePath(profileName), { recursive: true, force: true });
+    } catch (error) {
+      if (!this.isNotFoundError(error)) {
+        logWarn(`Failed to remove profile home for '${profileName}':`, error);
+      }
+    }
+    return true;
+  }
+  /**
+   * Delete every profile that does not appear in the allow-list.
+   * Used to enforce plan limits when local storage was tampered with.
+   */
+  async deleteProfilesNotIn(allowedNames) {
+    await this.initialize();
+    const normalized = /* @__PURE__ */ new Set();
+    for (const name of allowedNames) {
+      try {
+        normalized.add(this.normalizeProfileName(name));
+      } catch {
+      }
+    }
+    const records = await this.listProfileRecords();
+    const deleteCandidates = records.map((record) => {
+      try {
+        return this.normalizeProfileName(record.name);
+      } catch {
+        return null;
+      }
+    }).filter((name) => Boolean(name) && !normalized.has(name));
+    if (deleteCandidates.length === 0) {
+      return [];
+    }
+    const removed = [];
+    for (const name of deleteCandidates) {
+      try {
+        await import_fs.promises.rm(this.getProfileHomePath(name), { recursive: true, force: true });
+        removed.push(name);
+      } catch (error) {
+        if (!this.isNotFoundError(error)) {
+          logWarn(`Failed to remove profile '${name}' during plan enforcement:`, error);
+        }
+      }
+    }
+    const preferred = await this.readPreferredProfileName();
+    if (preferred && removed.includes(preferred)) {
+      await this.persistPreferredProfileName(null);
+    }
+    return removed;
+  }
+  /**
+   * Check if the current auth matches a profile (for smart detection)
+   */
+  async getCurrentProfile() {
+    await this.initialize();
+    const preferredName = await this.readPreferredProfileName();
+    if (preferredName) {
+      try {
+        const normalizedPreferred = this.normalizeProfileName(preferredName);
+        const preferredRecord = await this.getProfileRowByName(normalizedPreferred);
+        if (preferredRecord) {
+          return { name: normalizedPreferred, trusted: true };
+        }
+      } catch {
+      }
+    }
+    const activeAuth = await this.readActiveAuthFile();
+    if (activeAuth) {
+      const normalizedAuth = this.normalizeProfileData(activeAuth);
+      const authMetadata = this.extractProfileMetadata(normalizedAuth);
+      const workspace = this.resolveWorkspaceIdentity(normalizedAuth, authMetadata);
+      const activeAccountId = this.getAccountIdFromData(normalizedAuth);
+      if (activeAccountId) {
+        const scoped = await this.getProfileRowByAccountAndWorkspace(activeAccountId, workspace.id ?? DEFAULT_WORKSPACE_ID, {
+          preferAuthMethod: "codex-cli"
+        });
+        if (scoped) {
+          const normalized = this.normalizeProfileName(scoped.name);
+          await this.persistPreferredProfileName(normalized);
+          return { name: normalized, trusted: true };
+        }
+        const matching = await this.getProfileRowByAccountId(activeAccountId, { preferAuthMethod: "codex-cli" });
+        if (matching) {
+          const normalized = this.normalizeProfileName(matching.name);
+          await this.persistPreferredProfileName(normalized);
+          return { name: normalized, trusted: true };
+        }
+      }
+    }
+    const preferred = await this.readPreferredProfileName();
+    if (preferred) {
+      try {
+        const normalized = this.normalizeProfileName(preferred);
+        const exists = await this.getProfileRowByName(normalized);
+        if (exists) {
+          return { name: normalized, trusted: true };
+        }
+      } catch {
+        await this.persistPreferredProfileName(null);
+        return { name: null, trusted: false };
+      }
+      await this.persistPreferredProfileName(null);
+    }
+    return { name: null, trusted: false };
+  }
+  /**
+   * Export a profile to a portable format.
+   * Sensitive tokens are included but should be handled securely.
+   */
+  async exportProfile(name) {
+    await this.initialize();
+    const profileName = this.normalizeProfileName(name);
+    const record = await this.getProfileRowByName(profileName);
+    if (!record) {
+      throw new Error(`Profile '${profileName}' not found!`);
+    }
+    return {
+      name: record.name,
+      displayName: record.displayName,
+      email: record.email,
+      accountId: record.accountId,
+      workspaceId: record.workspaceId,
+      workspaceName: record.workspaceName,
+      authMethod: record.authMethod,
+      createdAt: record.createdAt,
+      metadata: record.metadata,
+      exportedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Export all profiles to a portable format.
+   */
+  async exportAllProfiles() {
+    await this.initialize();
+    const records = await this.listProfileRecords();
+    const exportedAt = (/* @__PURE__ */ new Date()).toISOString();
+    return records.map((record) => ({
+      name: record.name,
+      displayName: record.displayName,
+      email: record.email,
+      accountId: record.accountId,
+      workspaceId: record.workspaceId,
+      workspaceName: record.workspaceName,
+      authMethod: record.authMethod,
+      createdAt: record.createdAt,
+      metadata: record.metadata,
+      exportedAt
+    }));
+  }
+};
+
+// ../../lib/license-service.ts
+var import_node_crypto2 = __toESM(require("crypto"));
+
+// ../../lib/license-secret.ts
+var import_node_fs3 = require("fs");
+var import_node_path3 = __toESM(require("path"));
+var import_node_crypto = __toESM(require("crypto"));
+var SECRET_FILE = "license.secret";
+function resolveCodexDir2() {
+  const homeDir = process.env.HOME || process.env.USERPROFILE || "";
+  return homeDir ? import_node_path3.default.join(homeDir, ".codex") : ".codex";
+}
+function resolveSecretPath() {
+  return import_node_path3.default.join(resolveCodexDir2(), SECRET_FILE);
+}
+async function generateSecret() {
+  return import_node_crypto.default.randomBytes(32).toString("hex");
+}
+async function getLicenseSecret() {
+  const secretPath = resolveSecretPath();
+  try {
+    const existing = await import_node_fs3.promises.readFile(secretPath, "utf8");
+    const trimmed = existing.trim();
+    if (trimmed.length > 0) {
+      return trimmed;
+    }
+  } catch {
+  }
+  const secret = await generateSecret();
+  try {
+    await import_node_fs3.promises.mkdir(import_node_path3.default.dirname(secretPath), { recursive: true });
+  } catch {
+  }
+  await import_node_fs3.promises.writeFile(secretPath, `${secret}
+`, { mode: 384 });
+  return secret;
+}
+
+// ../../lib/license-service.ts
+var PRODUCT_PERMALINK = "codex-use";
+var PRODUCT_ID = "3_CcyVEXt2FOMiEpPx8xzw==";
+var BASE_PRICE = 19;
+var BASE_PRICE_DISPLAY = "$19";
+var PROMO_CODE = "NOELNEWYEAR50";
+var PROMO_PERCENT = 50;
+var PROMO_ACTIVE = true;
+var PROMO_PRICE_DISPLAY = `$${(BASE_PRICE * (100 - PROMO_PERCENT) / 100).toFixed(2)}`;
+var PRODUCT_URL = PROMO_ACTIVE ? `https://hweihwang.gumroad.com/l/${PRODUCT_PERMALINK}/${PROMO_CODE}` : "https://hweihwang.gumroad.com/l/codex-use";
+var LICENSE_PRICE_DISPLAY = PROMO_ACTIVE ? PROMO_PRICE_DISPLAY : BASE_PRICE_DISPLAY;
+var LICENSE_MAX_USES = 5;
+var FREE_PROFILE_LIMIT = 2;
+var LICENSE_REFRESH_INTERVAL_MS = 5 * 60 * 1e3;
+var MAX_NEXT_CHECK_MS = 60 * 60 * 1e3;
+var GRACE_MAX_AGE_MS = 3 * 60 * 60 * 1e3;
+var LicenseError = class extends Error {
+  constructor(message, code) {
+    super(message);
+    this.name = "LicenseError";
+    this.code = code;
+  }
+};
+function nowIso() {
+  return (/* @__PURE__ */ new Date()).toISOString();
+}
+function maskLicenseKey(key) {
+  if (!key || typeof key !== "string") {
+    return null;
+  }
+  const trimmed = key.trim();
+  if (trimmed.length <= 4) {
+    return "\u2022\u2022\u2022\u2022";
+  }
+  const visible = trimmed.slice(-4);
+  return `\u2022\u2022\u2022\u2022${visible}`;
+}
+function resolveProfilesRemaining(limit, currentProfiles) {
+  if (typeof limit !== "number") {
+    return null;
+  }
+  return Math.max(0, limit - currentProfiles);
+}
+function determineTierFromStored(stored) {
+  if (!stored || !stored.licenseKey) {
+    return "free";
+  }
+  if (stored.status === "inactive") {
+    return "free";
+  }
+  return "pro";
+}
+function licenseSignaturePayload(license) {
+  const payload = {
+    licenseKey: license.licenseKey ?? null,
+    purchaseEmail: license.purchaseEmail ?? null,
+    lastVerifiedAt: license.lastVerifiedAt ?? null,
+    nextCheckAt: license.nextCheckAt ?? null,
+    lastVerificationError: license.lastVerificationError ?? null,
+    status: license.status ?? null
+  };
+  return JSON.stringify(payload);
+}
+function signLicense(license, secret) {
+  return import_node_crypto2.default.createHmac("sha256", secret).update(licenseSignaturePayload(license)).digest("hex");
+}
+function withSignature(license, secret) {
+  return {
+    ...license,
+    signature: signLicense(license, secret)
+  };
+}
+function isSignatureValid(license, secret) {
+  if (!license.signature) {
+    return false;
+  }
+  const expected = signLicense(license, secret);
+  return expected === license.signature;
+}
+async function requestGumroadVerify(licenseKey, mode) {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), 1e4);
+  try {
+    const body = new URLSearchParams({
+      product_permalink: PRODUCT_PERMALINK,
+      product_id: PRODUCT_ID,
+      license_key: licenseKey,
+      increment_uses_count: mode === "activation" ? "true" : "false"
+    });
+    const response = await fetch("https://api.gumroad.com/v2/licenses/verify", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body,
+      signal: controller.signal
+    });
+    if (!response.ok) {
+      const errorText = await response.text().catch(() => null);
+      const message = errorText ? `License verification failed (${response.status}): ${errorText}` : `License verification failed (${response.status}).`;
+      throw new LicenseError(message, "network");
+    }
+    const json = await response.json();
+    return json;
+  } catch (error) {
+    if (error instanceof LicenseError) {
+      throw error;
+    }
+    if (error instanceof Error && error.name === "AbortError") {
+      throw new LicenseError("License verification timed out.", "network");
+    }
+    throw new LicenseError(
+      error instanceof Error ? error.message : "Unable to reach Gumroad for license verification.",
+      "network"
+    );
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+function normalizeVerificationResult(response) {
+  if (!response.success) {
+    const message = response.message ?? "License key is invalid.";
+    throw new LicenseError(message, "invalid");
+  }
+  if (!response.purchase) {
+    throw new LicenseError("License verification response was incomplete.", "network");
+  }
+  if (response.purchase.chargebacked || response.purchase.refunded || response.license_disabled) {
+    throw new LicenseError("This license has been revoked or refunded.", "revoked");
+  }
+  if (response.purchase.subscription_cancelled || response.purchase.subscription_failed) {
+    throw new LicenseError("This license subscription is no longer active.", "revoked");
+  }
+  const email = response.purchase.email ?? null;
+  return { email };
+}
+function ensureWithinUseLimit(response) {
+  if (!response.success) {
+    return;
+  }
+  if (typeof response.uses !== "number") {
+    return;
+  }
+  if (response.uses > LICENSE_MAX_USES) {
+    throw new LicenseError(
+      `This license has reached the activation limit (${LICENSE_MAX_USES}). Contact support to move it to another device.`,
+      "invalid"
+    );
+  }
+}
+function toLicenseStatus(stored, overrides = {}) {
+  const tier = determineTierFromStored(stored);
+  const isPro = tier === "pro";
+  const state = stored && stored.status ? stored.status : isPro ? "active" : "inactive";
+  const base = {
+    tier,
+    state,
+    isPro,
+    profileLimit: isPro ? null : FREE_PROFILE_LIMIT,
+    profilesRemaining: null,
+    purchaseEmail: stored?.purchaseEmail ?? null,
+    maskedLicenseKey: maskLicenseKey(stored?.licenseKey),
+    lastVerifiedAt: stored?.lastVerifiedAt ?? null,
+    nextCheckAt: stored?.nextCheckAt ?? null,
+    message: null,
+    error: stored?.lastVerificationError ?? null,
+    productUrl: PRODUCT_URL,
+    productId: PRODUCT_ID,
+    productPermalink: PRODUCT_PERMALINK,
+    priceDisplay: LICENSE_PRICE_DISPLAY,
+    basePriceDisplay: BASE_PRICE_DISPLAY,
+    promoCode: PROMO_ACTIVE ? PROMO_CODE : null,
+    promoPercent: PROMO_ACTIVE ? PROMO_PERCENT : null
+  };
+  return { ...base, ...overrides };
+}
+function parseTimestamp(value) {
+  if (typeof value !== "string" || value.trim() === "") {
+    return null;
+  }
+  const parsed = Date.parse(value);
+  return Number.isNaN(parsed) ? null : parsed;
+}
+var LicenseService = class {
+  constructor() {
+    this.cache = null;
+    this.refreshPromise = null;
+    this.verificationPromise = null;
+  }
+  async getCachedStatus() {
+    return this.getStatus();
+  }
+  async getStatus(options = {}) {
+    const forceRefresh = Boolean(options.forceRefresh);
+    const secret = await getLicenseSecret();
+    const stored = await getStoredLicense();
+    if (!stored?.licenseKey) {
+      const status = toLicenseStatus(null);
+      this.cache = status;
+      return status;
+    }
+    const now = Date.now();
+    const nextCheckTs = parseTimestamp(stored.nextCheckAt);
+    const lastVerifiedTs = parseTimestamp(stored.lastVerifiedAt);
+    const graceStale = (stored.status === "grace" || stored.status === "error") && (lastVerifiedTs === null || lastVerifiedTs + GRACE_MAX_AGE_MS < now);
+    let workingStored = { ...stored };
+    const signatureValid = isSignatureValid(workingStored, secret);
+    let cappedNextCheckTs = nextCheckTs;
+    if (nextCheckTs !== null && nextCheckTs > now + MAX_NEXT_CHECK_MS) {
+      cappedNextCheckTs = now;
+      const updated = {
+        ...workingStored,
+        nextCheckAt: new Date(cappedNextCheckTs).toISOString()
+      };
+      const signed = withSignature(updated, secret);
+      workingStored = signed;
+      await persistLicense(signed);
+    }
+    const tampered = Boolean(workingStored.licenseKey) && !signatureValid;
+    const cached = tampered ? toLicenseStatus(null, {
+      state: "verifying",
+      message: "License data changed, rechecking.",
+      error: "Untrusted license data."
+    }) : toLicenseStatus(workingStored);
+    this.cache = cached;
+    const shouldRefresh = forceRefresh || graceStale || tampered || cappedNextCheckTs === null || cappedNextCheckTs <= now;
+    if (!shouldRefresh) {
+      return cached;
+    }
+    if (this.verificationPromise && !forceRefresh) {
+      return this.verificationPromise;
+    }
+    const verify = async () => {
+      try {
+        const result = await requestGumroadVerify(workingStored.licenseKey, "refresh");
+        ensureWithinUseLimit(result);
+        const normalized = normalizeVerificationResult(result);
+        const updated = {
+          licenseKey: workingStored.licenseKey,
+          purchaseEmail: normalized.email,
+          lastVerifiedAt: nowIso(),
+          nextCheckAt: new Date(Date.now() + LICENSE_REFRESH_INTERVAL_MS).toISOString(),
+          status: "active",
+          lastVerificationError: null
+        };
+        const signed = withSignature(updated, secret);
+        await persistLicense(signed);
+        const status = toLicenseStatus(signed);
+        this.cache = status;
+        return status;
+      } catch (error) {
+        const message = error instanceof Error ? error.message : "License verification failed.";
+        if (error instanceof LicenseError && error.code === "network") {
+          const fallbackStored2 = withSignature(
+            {
+              ...workingStored,
+              status: tampered ? "inactive" : workingStored.status === "inactive" ? "inactive" : "grace",
+              lastVerificationError: message,
+              nextCheckAt: new Date(Date.now() + LICENSE_REFRESH_INTERVAL_MS).toISOString()
+            },
+            secret
+          );
+          await persistLicense(fallbackStored2);
+          const fallback2 = toLicenseStatus(fallbackStored2, {
+            state: fallbackStored2.status ?? "grace",
+            error: message
+          });
+          this.cache = fallback2;
+          return fallback2;
+        }
+        const fallbackStored = withSignature({
+          licenseKey: workingStored.licenseKey,
+          purchaseEmail: workingStored.purchaseEmail ?? null,
+          lastVerifiedAt: workingStored.lastVerifiedAt ?? null,
+          nextCheckAt: null,
+          status: "inactive",
+          lastVerificationError: message
+        }, secret);
+        await persistLicense(fallbackStored);
+        const fallback = toLicenseStatus(fallbackStored, { error: message });
+        this.cache = fallback;
+        return fallback;
+      }
+    };
+    this.verificationPromise = verify();
+    try {
+      return await this.verificationPromise;
+    } finally {
+      this.verificationPromise = null;
+    }
+  }
+  async activate(licenseKey) {
+    const trimmed = licenseKey.trim();
+    if (!trimmed) {
+      throw new Error("License key is required.");
+    }
+    const secret = await getLicenseSecret();
+    const digest = import_node_crypto2.default.createHash("sha256").update(trimmed).digest("hex");
+    const result = await requestGumroadVerify(trimmed, "activation");
+    ensureWithinUseLimit(result);
+    const normalized = normalizeVerificationResult(result);
+    const stored = {
+      licenseKey: trimmed,
+      purchaseEmail: normalized.email,
+      lastVerifiedAt: nowIso(),
+      nextCheckAt: new Date(Date.now() + LICENSE_REFRESH_INTERVAL_MS).toISOString(),
+      status: "active",
+      lastVerificationError: null
+    };
+    const signed = withSignature(stored, secret);
+    await persistLicense(signed);
+    const status = toLicenseStatus(signed, {
+      message: `License verified (${digest.slice(0, 8)}).`
+    });
+    this.cache = status;
+    return status;
+  }
+  applyProfileCount(status, profileCount) {
+    const profilesRemaining = resolveProfilesRemaining(status.profileLimit, profileCount);
+    return {
+      ...status,
+      profilesRemaining
+    };
+  }
+  refreshStatusInBackground(options = {}) {
+    if (this.refreshPromise) {
+      return;
+    }
+    const forceRefresh = Boolean(options.force);
+    this.refreshPromise = (async () => {
+      try {
+        await this.getStatus({ forceRefresh });
+      } catch (error) {
+        console.warn("Background license refresh failed:", error);
+      } finally {
+        this.refreshPromise = null;
+      }
+    })();
+  }
+};
+var licenseService = new LicenseService();
+
+// ../../lib/license-guard.ts
+async function assertProfileCreationAllowed(profileManager) {
+  const manager = profileManager ?? new ProfileManager();
+  await manager.initialize();
+  const license = await licenseService.getStatus();
+  const profiles = await manager.listProfiles();
+  const licenseWithCounts = licenseService.applyProfileCount(license, profiles.length);
+  if (typeof licenseWithCounts.profileLimit === "number" && licenseWithCounts.profilesRemaining !== null && licenseWithCounts.profilesRemaining <= 0) {
+    throw new Error("CodexUse Free supports up to 2 profiles. Upgrade to CodexUse Pro for unlimited profiles.");
+  }
+}
+
+// src/codex-cli.ts
+var import_node_child_process = require("child_process");
+var import_node_fs4 = require("fs");
+var import_node_path4 = __toESM(require("path"));
+var ENV_HINTS = ["CODEX_BINARY", "CODEX_CLI_PATH", "CODEX_PATH"];
+var NODE_MODULE_CANDIDATES = [
+  ["@openai", "codex"],
+  ["@openai", "codex-alpha"]
+];
+function fileExists(candidate) {
+  if (!candidate) return null;
+  const resolved = import_node_path4.default.resolve(candidate);
+  try {
+    const stat = (0, import_node_fs4.statSync)(resolved);
+    if (stat.isFile()) return resolved;
+  } catch {
+    return null;
+  }
+  return null;
+}
+function resolveFromEnv() {
+  for (const key of ENV_HINTS) {
+    const value = process.env[key];
+    if (!value) continue;
+    const resolved = fileExists(value);
+    if (resolved) return resolved;
+  }
+  return null;
+}
+function resolveFromAppResources() {
+  const roots = [
+    import_node_path4.default.resolve(__dirname, ".."),
+    import_node_path4.default.resolve(__dirname, "..", "..")
+  ];
+  for (const root of roots) {
+    const base = import_node_path4.default.join(root, "app.asar.unpacked", "node_modules");
+    for (const segments of NODE_MODULE_CANDIDATES) {
+      const candidate = fileExists(import_node_path4.default.join(base, ...segments, "bin", "codex"));
+      if (candidate) return candidate;
+      const jsCandidate = fileExists(import_node_path4.default.join(base, ...segments, "bin", "codex.js"));
+      if (jsCandidate) return jsCandidate;
+    }
+  }
+  return null;
+}
+function resolveFromNodeModules() {
+  let current = import_node_path4.default.resolve(__dirname, "..");
+  let last = "";
+  while (current !== last) {
+    for (const segments of NODE_MODULE_CANDIDATES) {
+      const candidate = fileExists(import_node_path4.default.join(current, "node_modules", ...segments, "bin", "codex"));
+      if (candidate) return candidate;
+      const jsCandidate = fileExists(import_node_path4.default.join(current, "node_modules", ...segments, "bin", "codex.js"));
+      if (jsCandidate) return jsCandidate;
+    }
+    last = current;
+    current = import_node_path4.default.dirname(current);
+  }
+  return null;
+}
+function resolveFromPath() {
+  const pathValue = process.env.PATH ?? "";
+  const entries = pathValue.split(import_node_path4.default.delimiter).filter(Boolean);
+  const names = process.platform === "win32" ? ["codex.exe", "codex.cmd", "codex.bat", "codex"] : ["codex"];
+  for (const entry of entries) {
+    for (const name of names) {
+      const candidate = fileExists(import_node_path4.default.join(entry, name));
+      if (candidate) return candidate;
+    }
+  }
+  return null;
+}
+function resolveCodexBinary() {
+  return resolveFromEnv() || resolveFromAppResources() || resolveFromNodeModules() || resolveFromPath();
+}
+function requireCodexBinary(context) {
+  const resolved = resolveCodexBinary();
+  if (resolved) return resolved;
+  const hint = "Install Codex CLI (npm i -g @openai/codex) or set CODEX_BINARY.";
+  const message = context ? `${context} ${hint}` : hint;
+  throw new Error(message);
+}
+function buildCodexCommand(codexPath, args) {
+  const normalized = codexPath.toLowerCase();
+  const isJs = normalized.endsWith(".js");
+  if (isJs) {
+    return { command: process.execPath, args: [codexPath, ...args], shell: false };
+  }
+  const useShell = process.platform === "win32";
+  return { command: codexPath, args, shell: useShell };
+}
+async function runCodexLogin() {
+  const codexPath = requireCodexBinary("Codex CLI is required to login.");
+  const { command, args, shell } = buildCodexCommand(codexPath, ["login"]);
+  const child = (0, import_node_child_process.spawn)(command, args, {
+    stdio: "inherit",
+    env: process.env,
+    shell
+  });
+  const exitCode = await new Promise((resolve) => {
+    child.on("close", (code) => resolve(code ?? 0));
+  });
+  if (exitCode !== 0) {
+    throw new Error(`Codex CLI login failed (exit code ${exitCode}).`);
+  }
+}
+
+// src/index.ts
+var VERSION = true ? "2.1.0" : "0.0.0";
+function printHelp() {
+  console.log(`CodexUse CLI v${VERSION}
+
+Usage:
+  codexuse profile list
+  codexuse profile current
+  codexuse profile add <name> [--skip-login]
+  codexuse profile refresh <name> [--skip-login]
+  codexuse profile switch <name>
+  codexuse profile delete <name>
+  codexuse profile rename <old> <new>
+
+  codexuse license status [--refresh]
+  codexuse license activate <license-key>
+
+Flags:
+  -h, --help       Show help
+  -v, --version    Show version
+`);
+}
+function hasFlag(args, flag) {
+  return args.includes(flag);
+}
+function stripFlags(args) {
+  return args.filter((arg) => !arg.startsWith("-"));
+}
+function formatProfileLabel(name, displayName) {
+  if (displayName && displayName.trim() && displayName !== name) {
+    return `${displayName} (${name})`;
+  }
+  return name;
+}
+async function handleProfile(args) {
+  const flags = args.filter((arg) => arg.startsWith("-"));
+  const params = stripFlags(args);
+  const sub = params[0];
+  if (!sub || hasFlag(flags, "--help") || hasFlag(flags, "-h")) {
+    printHelp();
+    return;
+  }
+  const manager = new ProfileManager();
+  switch (sub) {
+    case "list": {
+      const profiles = await manager.listProfiles();
+      const current = await manager.getCurrentProfile();
+      if (!profiles.length) {
+        console.log("No profiles found.");
+        return;
+      }
+      for (const profile of profiles) {
+        const marker = current.name === profile.name ? "*" : " ";
+        const label = formatProfileLabel(profile.name, profile.displayName);
+        console.log(`${marker} ${label}`);
+      }
+      return;
+    }
+    case "current": {
+      const current = await manager.getCurrentProfile();
+      if (!current.name) {
+        console.log("No active profile.");
+        return;
+      }
+      console.log(current.name);
+      return;
+    }
+    case "add": {
+      const name = params[1];
+      if (!name) {
+        throw new Error("Profile name is required.");
+      }
+      await assertProfileCreationAllowed(manager);
+      if (!hasFlag(flags, "--skip-login")) {
+        await runCodexLogin();
+      }
+      const profile = await manager.createProfile(name);
+      const label = profile ? formatProfileLabel(profile.name, profile.displayName) : name;
+      console.log(`Profile created: ${label}`);
+      return;
+    }
+    case "refresh": {
+      const name = params[1];
+      if (!name) {
+        throw new Error("Profile name is required.");
+      }
+      if (!hasFlag(flags, "--skip-login")) {
+        await runCodexLogin();
+      }
+      const profile = await manager.refreshProfileAuth(name);
+      const label = formatProfileLabel(profile.name, profile.displayName);
+      console.log(`Profile refreshed: ${label}`);
+      return;
+    }
+    case "switch": {
+      const name = params[1];
+      if (!name) {
+        throw new Error("Profile name is required.");
+      }
+      await manager.switchToProfile(name);
+      console.log(`Switched to profile: ${name}`);
+      return;
+    }
+    case "delete": {
+      const name = params[1];
+      if (!name) {
+        throw new Error("Profile name is required.");
+      }
+      await manager.deleteProfile(name);
+      console.log(`Profile deleted: ${name}`);
+      return;
+    }
+    case "rename": {
+      const from = params[1];
+      const to = params[2];
+      if (!from || !to) {
+        throw new Error("Old and new profile names are required.");
+      }
+      await manager.renameProfile(from, to);
+      console.log(`Profile renamed: ${from} -> ${to}`);
+      return;
+    }
+    default:
+      printHelp();
+      return;
+  }
+}
+async function handleLicense(args) {
+  const flags = args.filter((arg) => arg.startsWith("-"));
+  const params = stripFlags(args);
+  const sub = params[0];
+  if (!sub || hasFlag(flags, "--help") || hasFlag(flags, "-h")) {
+    printHelp();
+    return;
+  }
+  switch (sub) {
+    case "status": {
+      const forceRefresh = hasFlag(flags, "--refresh");
+      const status = await licenseService.getStatus({ forceRefresh });
+      console.log(`Tier: ${status.tier}`);
+      console.log(`State: ${status.state}`);
+      if (status.profileLimit !== null) {
+        console.log(`Profile limit: ${status.profileLimit}`);
+      }
+      if (status.profilesRemaining !== null) {
+        console.log(`Profiles remaining: ${status.profilesRemaining}`);
+      }
+      if (status.purchaseEmail) {
+        console.log(`Email: ${status.purchaseEmail}`);
+      }
+      if (status.maskedLicenseKey) {
+        console.log(`License: ${status.maskedLicenseKey}`);
+      }
+      if (status.message) {
+        console.log(`Message: ${status.message}`);
+      }
+      if (status.error) {
+        console.log(`Error: ${status.error}`);
+      }
+      return;
+    }
+    case "activate": {
+      const key = params[1];
+      if (!key) {
+        throw new Error("License key is required.");
+      }
+      const status = await licenseService.activate(key);
+      console.log(status.message ?? "License activated.");
+      return;
+    }
+    default:
+      printHelp();
+      return;
+  }
+}
+async function main() {
+  const args = process.argv.slice(2);
+  if (args.length === 0 || hasFlag(args, "--help") || hasFlag(args, "-h")) {
+    printHelp();
+    return;
+  }
+  if (hasFlag(args, "--version") || hasFlag(args, "-v")) {
+    console.log(VERSION);
+    return;
+  }
+  const command = args[0];
+  const rest = args.slice(1);
+  switch (command) {
+    case "profile":
+      await handleProfile(rest);
+      return;
+    case "license":
+      await handleLicense(rest);
+      return;
+    default:
+      printHelp();
+      return;
+  }
+}
+main().catch((error) => {
+  const message = error instanceof Error ? error.message : String(error);
+  console.error(message);
+  process.exitCode = 1;
+});
+//# sourceMappingURL=index.js.map