codexuse-cli 2.3.1 → 2.4.1

package/dist/index.js

@@ -6,13 +6,6 @@ var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __esm = (fn, res) => function __init() {
-  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
-};
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
 var __copyProps = (to, from, except, desc) => {
   if (from && typeof from === "object" || typeof from === "function") {
     for (let key of __getOwnPropNames(from))
@@ -30,7 +23,17 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
   mod
 ));
 
+// ../../lib/profile-manager.ts
+var import_fs = require("fs");
+var import_path = __toESM(require("path"));
+var import_path2 = require("path");
+var import_toml = require("@iarna/toml");
+
 // ../../lib/auto-roll-settings.ts
+var DEFAULT_AUTO_ROLL_ENABLED = false;
+var DEFAULT_AUTO_ROLL_WARNING_THRESHOLD = 85;
+var DEFAULT_AUTO_ROLL_SWITCH_THRESHOLD = 95;
+var AUTO_ROLL_WARNING_MIN = 50;
 function clampNumber(value, min, max) {
   return Math.min(max, Math.max(min, value));
 }
@@ -46,1026 +49,489 @@ function normalizeAutoRollSettings(raw) {
     switchThreshold: normalizedSwitch
   };
 }
-var DEFAULT_AUTO_ROLL_ENABLED, DEFAULT_AUTO_ROLL_WARNING_THRESHOLD, DEFAULT_AUTO_ROLL_SWITCH_THRESHOLD, AUTO_ROLL_WARNING_MIN;
-var init_auto_roll_settings = __esm({
-  "../../lib/auto-roll-settings.ts"() {
-    "use strict";
-    DEFAULT_AUTO_ROLL_ENABLED = false;
-    DEFAULT_AUTO_ROLL_WARNING_THRESHOLD = 85;
-    DEFAULT_AUTO_ROLL_SWITCH_THRESHOLD = 95;
-    AUTO_ROLL_WARNING_MIN = 50;
-  }
-});
 
-// ../../lib/sqlite-db.ts
-var sqlite_db_exports = {};
-__export(sqlite_db_exports, {
-  __debugResolveDbPath: () => __debugResolveDbPath,
-  flushDatabase: () => flushDatabase,
-  getDatabase: () => getDatabase,
-  resetDatabaseConnection: () => resetDatabaseConnection
-});
-async function flushDatabase() {
-  if (globalCache.cachedDbPromise) {
-    const db = await globalCache.cachedDbPromise;
-    if (db instanceof SqliteWasmDatabase) {
-      await db.flushPersistence();
-    }
+// ../../lib/codex-cli-channel.ts
+var KNOWN_CHANNELS = /* @__PURE__ */ new Set(["stable", "alpha"]);
+function parseCodexCliChannel(value) {
+  if (typeof value !== "string") {
+    return null;
+  }
+  const normalized = value.trim().toLowerCase();
+  if (!normalized) {
+    return null;
   }
+  return KNOWN_CHANNELS.has(normalized) ? normalized : null;
+}
+function normalizeCodexCliChannel(value, fallback = "stable") {
+  return parseCodexCliChannel(value) ?? fallback;
 }
-function isPlainObject(value) {
-  return typeof value === "object" && value !== null && !Array.isArray(value);
+
+// ../../lib/app-state.ts
+var import_node_fs = require("fs");
+var import_node_async_hooks = require("async_hooks");
+var import_node_path = __toESM(require("path"));
+var import_node_os = __toESM(require("os"));
+var APP_STATE_FILE = "app-state.json";
+var APP_NAME = "codexuse-desktop";
+var configuredUserDataDir = null;
+var appStateCache = null;
+var writeLock = Promise.resolve();
+var writeLockContext = new import_node_async_hooks.AsyncLocalStorage();
+function isRecord(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
-function normalizeNamedParameters(params) {
-  const normalized = {};
-  for (const [key, rawValue] of Object.entries(params)) {
-    if (key.startsWith("@") || key.startsWith(":") || key.startsWith("$")) {
-      normalized[key] = rawValue;
-    } else {
-      normalized[`@${key}`] = rawValue;
-    }
-  }
-  return normalized;
+function clone(value) {
+  return JSON.parse(JSON.stringify(value));
 }
-function bindParameters(statement, args) {
-  if (args.length === 0) {
-    return;
+function resolveDefaultUserDataDir() {
+  const home = process.env.HOME || process.env.USERPROFILE || import_node_os.default.homedir();
+  if (!home) {
+    throw new Error("Unable to resolve home directory for app state.");
   }
-  if (args.length === 1 && isPlainObject(args[0])) {
-    statement.bind(normalizeNamedParameters(args[0]));
-    return;
+  if (process.platform === "darwin") {
+    return import_node_path.default.join(home, "Library", "Application Support", APP_NAME);
   }
-  statement.bind(args);
-}
-function resolveHomeDir() {
-  const homeDir = process.env.HOME || process.env.USERPROFILE;
-  if (!homeDir) {
-    throw new Error("HOME directory is not set. Unable to initialize CodexUse storage.");
+  if (process.platform === "win32") {
+    const appData = process.env.APPDATA;
+    if (appData) {
+      return import_node_path.default.join(appData, APP_NAME);
+    }
+    return import_node_path.default.join(home, "AppData", "Roaming", APP_NAME);
   }
-  return homeDir;
+  return import_node_path.default.join(home, ".config", APP_NAME);
 }
-function resolveStorageDirectory() {
-  return import_node_path.default.join(resolveHomeDir(), STORAGE_DIRECTORY_NAME);
+function getUserDataDir() {
+  return configuredUserDataDir ?? resolveDefaultUserDataDir();
 }
-function resolveDbPath() {
-  return import_node_path.default.join(resolveStorageDirectory(), STORAGE_FILENAME);
+function resolveAppStatePath() {
+  return import_node_path.default.join(getUserDataDir(), APP_STATE_FILE);
 }
-function ensureStorageDirExists(targetPath) {
-  (0, import_node_fs.mkdirSync)(import_node_path.default.dirname(targetPath), { recursive: true });
-}
-async function instantiateDatabase(dbPath) {
-  try {
-    const bakPath = `${dbPath}.bak`;
-    if ((0, import_node_fs.existsSync)(dbPath)) {
-      const size = (0, import_node_fs.statSync)(dbPath).size;
-      if (size < 1024 && (0, import_node_fs.existsSync)(bakPath)) {
-        const bakSize = (0, import_node_fs.statSync)(bakPath).size;
-        if (bakSize > size) {
-          const backup = (0, import_node_fs.readFileSync)(bakPath);
-          (0, import_node_fs.writeFileSync)(dbPath, backup);
-          console.warn("Detected near-empty SQLite file; restored from backup.");
-        }
-      }
+function createDefaultAppState() {
+  return {
+    schemaVersion: 1,
+    autoRoll: {
+      enabled: false,
+      warningThreshold: 85,
+      switchThreshold: 95
+    },
+    app: {
+      lastAppVersion: null,
+      pendingUpdateVersion: null,
+      cliChannel: "stable",
+      lastProfileName: null
+    },
+    license: {
+      licenseKey: null,
+      purchaseEmail: null,
+      lastVerifiedAt: null,
+      nextCheckAt: null,
+      lastVerificationError: null,
+      status: "inactive",
+      signature: null
+    },
+    providers: {
+      selectedProviderId: "openai",
+      defaultModel: null,
+      defaultReasoningEffort: "medium",
+      list: [],
+      overridesByPath: {}
+    },
+    sandbox: {
+      defaultMode: "chat",
+      defaultApprovalPolicy: "on-failure",
+      overridesByPath: {}
+    },
+    preferences: {
+      excludeFolders: [],
+      enableTaskCompleteBeep: true,
+      preventSleepDuringTasks: true,
+      folderHistory: [],
+      pinnedPaths: []
+    },
+    projectSettingsByPath: {},
+    conversationCategoriesByCwd: {},
+    conversationCategoryAssignmentsByCwd: {},
+    skills: {
+      sources: [],
+      installsBySlug: {}
+    },
+    sync: {
+      lastPushAt: null,
+      lastPullAt: null,
+      lastError: null,
+      remoteUpdatedAt: null
+    },
+    telemetry: {
+      installId: null,
+      enabled: true,
+      lastFlushAt: null,
+      lastError: null
+    },
+    profilesByName: {},
+    migration: {
+      status: "pending",
+      startedAt: null,
+      completedAt: null,
+      localStorageImportedAt: null,
+      lastError: null
     }
-  } catch (error) {
-    console.warn("Failed to check/restore SQLite backup:", error);
-  }
-  const SQL = await sqlModulePromise;
-  let fileBuffer;
-  if ((0, import_node_fs.existsSync)(dbPath)) {
-    fileBuffer = new Uint8Array((0, import_node_fs.readFileSync)(dbPath));
-  }
-  const driver = fileBuffer ? new SQL.Database(fileBuffer) : new SQL.Database();
-  const database = new SqliteWasmDatabase(driver, dbPath);
-  database.exec("PRAGMA journal_mode = WAL;");
-  database.exec("PRAGMA foreign_keys = ON;");
-  runMigrations(database);
-  database.persist();
-  return database;
-}
-function readUserVersion(database) {
-  const result = database.prepare("PRAGMA user_version").get();
-  const version = result?.user_version;
-  return typeof version === "number" ? version : 0;
-}
-function ensureChatTables(database) {
-  database.exec(`
-    PRAGMA foreign_keys = ON;
-
-    CREATE TABLE IF NOT EXISTS chat_threads (
-      thread_key TEXT PRIMARY KEY,
-      title TEXT,
-      account_id TEXT,
-      profile_name TEXT,
-      project_label TEXT,
-      project_path TEXT,
-      source_path TEXT,
-      started_at TEXT,
-      ended_at TEXT,
-      last_message_at TEXT,
-      message_count INTEGER DEFAULT 0
-    );
-
-    CREATE TABLE IF NOT EXISTS chat_messages (
-      id INTEGER PRIMARY KEY AUTOINCREMENT,
-      thread_key TEXT NOT NULL,
-      role TEXT,
-      content TEXT NOT NULL,
-      account_id TEXT,
-      profile_name TEXT,
-      created_at TEXT,
-      FOREIGN KEY(thread_key) REFERENCES chat_threads(thread_key) ON DELETE CASCADE
-    );
-
-    CREATE INDEX IF NOT EXISTS idx_chat_messages_thread ON chat_messages(thread_key);
-    CREATE INDEX IF NOT EXISTS idx_chat_messages_created ON chat_messages(created_at);
-
-    CREATE TABLE IF NOT EXISTS chat_ingest_offsets (
-      file_path TEXT PRIMARY KEY,
-      offset INTEGER NOT NULL,
-      mtime_ms INTEGER NOT NULL,
-      size INTEGER NOT NULL
-    );
-  `);
+  };
 }
-function ensureSessionTables(database) {
-  database.exec(`
-    PRAGMA foreign_keys = ON;
-
-    CREATE TABLE IF NOT EXISTS sessions (
-      id TEXT PRIMARY KEY,
-      title TEXT,
-      status TEXT,
-      model TEXT,
-      project_label TEXT,
-      project_path TEXT,
-      created_at TEXT NOT NULL,
-      updated_at TEXT NOT NULL,
-      last_message_at TEXT
-    );
-
-    CREATE TABLE IF NOT EXISTS tool_panels (
-      id TEXT PRIMARY KEY,
-      session_id TEXT NOT NULL,
-      type TEXT NOT NULL,
-      title TEXT,
-      state TEXT,
-      metadata TEXT,
-      created_at TEXT NOT NULL,
-      updated_at TEXT NOT NULL,
-      FOREIGN KEY(session_id) REFERENCES sessions(id) ON DELETE CASCADE
-    );
-
-    CREATE INDEX IF NOT EXISTS idx_tool_panels_session ON tool_panels(session_id);
-    CREATE INDEX IF NOT EXISTS idx_tool_panels_type ON tool_panels(type);
-
-    CREATE TABLE IF NOT EXISTS panel_outputs (
-      id INTEGER PRIMARY KEY AUTOINCREMENT,
-      panel_id TEXT NOT NULL,
-      session_id TEXT NOT NULL,
-      type TEXT NOT NULL,
-      data TEXT NOT NULL,
-      created_at TEXT NOT NULL,
-      FOREIGN KEY(panel_id) REFERENCES tool_panels(id) ON DELETE CASCADE,
-      FOREIGN KEY(session_id) REFERENCES sessions(id) ON DELETE CASCADE
-    );
-
-    CREATE INDEX IF NOT EXISTS idx_panel_outputs_panel ON panel_outputs(panel_id);
-    CREATE INDEX IF NOT EXISTS idx_panel_outputs_session ON panel_outputs(session_id);
-    CREATE INDEX IF NOT EXISTS idx_panel_outputs_created ON panel_outputs(created_at);
-
-    CREATE TABLE IF NOT EXISTS notes (
-      id TEXT PRIMARY KEY,
-      user_id TEXT,
-      title TEXT NOT NULL,
-      content TEXT NOT NULL,
-      tags TEXT,
-      is_favorited INTEGER NOT NULL DEFAULT 0,
-      created_at TEXT NOT NULL,
-      updated_at TEXT NOT NULL,
-      synced_at TEXT
-    );
-
-    CREATE INDEX IF NOT EXISTS idx_notes_user ON notes(user_id);
-    CREATE INDEX IF NOT EXISTS idx_notes_updated ON notes(updated_at);
-  `);
-}
-function ensureUsageTables(database) {
-  database.exec(`
-    CREATE TABLE IF NOT EXISTS usage (
-      session_id TEXT PRIMARY KEY,
-      rollout_path TEXT NOT NULL,
-      project_path TEXT,
-      model TEXT,
-      input_tokens INTEGER NOT NULL,
-      cached_input_tokens INTEGER NOT NULL,
-      output_tokens INTEGER NOT NULL,
-      reasoning_output_tokens INTEGER NOT NULL,
-      total_tokens INTEGER NOT NULL,
-      timestamp TEXT NOT NULL
-    );
-
-    CREATE INDEX IF NOT EXISTS idx_usage_timestamp ON usage(timestamp);
-  `);
-}
-function runMigrations(database) {
-  let userVersion = readUserVersion(database);
-  if (userVersion < 1) {
-    database.exec(`
-      CREATE TABLE IF NOT EXISTS profiles (
-        id INTEGER PRIMARY KEY AUTOINCREMENT,
-        name TEXT NOT NULL UNIQUE,
-        data TEXT NOT NULL,
-        account_id TEXT,
-        workspace_id TEXT,
-        workspace_name TEXT,
-        email TEXT,
-        auth_method TEXT,
-        created_at TEXT,
-        updated_at TEXT
-      );
-
-      CREATE UNIQUE INDEX IF NOT EXISTS idx_profiles_account_workspace
-        ON profiles(account_id, workspace_id)
-        WHERE account_id IS NOT NULL;
-
-      PRAGMA user_version = 1;
-    `);
-    userVersion = 1;
+function asString(value) {
+  if (typeof value !== "string") {
+    return null;
   }
-  if (userVersion < 2) {
-    database.exec(`PRAGMA user_version = 2;`);
-    userVersion = 2;
+  const trimmed = value.trim();
+  return trimmed.length > 0 ? trimmed : null;
+}
+function normalizeAppState(raw) {
+  const defaults = createDefaultAppState();
+  if (!isRecord(raw)) {
+    return defaults;
   }
-  if (userVersion < 3) {
-    database.exec(`PRAGMA user_version = 3;`);
-    userVersion = 3;
+  const next = deepMerge(defaults, raw);
+  const merged = clone(next);
+  merged.schemaVersion = 1;
+  if (typeof merged.autoRoll.enabled !== "boolean") {
+    merged.autoRoll.enabled = false;
   }
-  if (userVersion < 4) {
-    let legacySettings = null;
-    try {
-      const hasKvStore = Boolean(
-        database.prepare(
-          "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'kv_store'"
-        ).get()
-      );
-      if (hasKvStore) {
-        const row = database.prepare("SELECT value FROM kv_store WHERE key = 'settings'").get();
-        if (row?.value) {
-          const parsed = JSON.parse(row.value);
-          if (parsed && typeof parsed === "object") {
-            legacySettings = parsed;
-          }
-        }
-      }
-    } catch (error) {
-      console.warn("Failed to read legacy Codex settings:", error);
-    }
-    database.exec(`
-      PRAGMA foreign_keys = OFF;
-
-      DROP TABLE IF EXISTS rate_limit_snapshots;
-      DROP TABLE IF EXISTS chat_messages;
-      DROP TABLE IF EXISTS chat_threads;
-      DROP TABLE IF EXISTS kv_store;
-
-      CREATE TABLE IF NOT EXISTS app_settings (
-        id INTEGER PRIMARY KEY CHECK (id = 1),
-        last_profile_name TEXT,
-        license_key TEXT,
-        purchase_email TEXT,
-        last_verified_at TEXT,
-        next_check_at TEXT,
-        last_verification_error TEXT,
-        status TEXT
-      );
-
-      INSERT OR IGNORE INTO app_settings (id) VALUES (1);
-
-      PRAGMA foreign_keys = ON;
-    `);
-    if (legacySettings) {
-      const license = legacySettings.license;
-      database.prepare(
-        `UPDATE app_settings
-         SET last_profile_name = @lastProfileName,
-             license_key = @licenseKey,
-             purchase_email = @purchaseEmail,
-             last_verified_at = @lastVerifiedAt,
-             next_check_at = @nextCheckAt,
-             last_verification_error = @lastVerificationError,
-             status = @status
-         WHERE id = 1`
-      ).run({
-        lastProfileName: typeof legacySettings.lastProfileName === "string" ? legacySettings.lastProfileName : null,
-        licenseKey: license && typeof license.licenseKey === "string" ? license.licenseKey : null,
-        purchaseEmail: license && typeof license.purchaseEmail === "string" ? license.purchaseEmail : null,
-        lastVerifiedAt: license && typeof license.lastVerifiedAt === "string" ? license.lastVerifiedAt : null,
-        nextCheckAt: license && typeof license.nextCheckAt === "string" ? license.nextCheckAt : null,
-        lastVerificationError: license && typeof license.lastVerificationError === "string" ? license.lastVerificationError : null,
-        status: license && typeof license.status === "string" ? license.status : null
-      });
-    }
-    database.exec(`PRAGMA user_version = 4;`);
-    userVersion = 4;
+  if (!Number.isFinite(merged.autoRoll.warningThreshold)) {
+    merged.autoRoll.warningThreshold = 85;
   }
-  if (userVersion < 5) {
-    database.exec(`
-      ALTER TABLE app_settings ADD COLUMN auto_roll_enabled INTEGER;
-      ALTER TABLE app_settings ADD COLUMN auto_roll_warning_threshold INTEGER;
-      ALTER TABLE app_settings ADD COLUMN auto_roll_switch_threshold INTEGER;
-
-      PRAGMA user_version = 5;
-    `);
-    userVersion = 5;
-  }
-  if (userVersion < 6) {
-    database.exec(`
-      CREATE TABLE IF NOT EXISTS app_kv (
-        key TEXT PRIMARY KEY,
-        value TEXT NOT NULL
-      );
-    `);
-    let appSettingsRow = null;
-    try {
-      const hasAppSettings = Boolean(
-        database.prepare(
-          "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'app_settings'"
-        ).get()
-      );
-      if (hasAppSettings) {
-        appSettingsRow = database.prepare(
-          `SELECT last_profile_name, license_key, purchase_email,
-                    last_verified_at, next_check_at, last_verification_error, status,
-                    auto_roll_enabled, auto_roll_warning_threshold, auto_roll_switch_threshold
-             FROM app_settings
-             WHERE id = 1`
-        ).get();
-      }
-    } catch (error) {
-      console.warn("Failed to read legacy app_settings row:", error);
-    }
-    try {
-      const upsertKv = database.prepare("INSERT OR REPLACE INTO app_kv (key, value) VALUES (@key, @value)");
-      if (appSettingsRow) {
-        const lastProfile = typeof appSettingsRow.last_profile_name === "string" ? appSettingsRow.last_profile_name.trim() : "";
-        if (lastProfile) {
-          upsertKv.run({ key: "last_profile_name", value: JSON.stringify(lastProfile) });
-        }
-        const license = {
-          licenseKey: typeof appSettingsRow.license_key === "string" ? appSettingsRow.license_key : null,
-          purchaseEmail: typeof appSettingsRow.purchase_email === "string" ? appSettingsRow.purchase_email : null,
-          lastVerifiedAt: typeof appSettingsRow.last_verified_at === "string" ? appSettingsRow.last_verified_at : null,
-          nextCheckAt: typeof appSettingsRow.next_check_at === "string" ? appSettingsRow.next_check_at : null,
-          lastVerificationError: typeof appSettingsRow.last_verification_error === "string" ? appSettingsRow.last_verification_error : null,
-          status: typeof appSettingsRow.status === "string" ? appSettingsRow.status : null
-        };
-        const hasLicenseData = Boolean(
-          license.licenseKey ?? license.purchaseEmail ?? license.lastVerifiedAt ?? license.nextCheckAt ?? license.lastVerificationError ?? license.status
-        );
-        if (hasLicenseData) {
-          upsertKv.run({ key: "license", value: JSON.stringify(license) });
-        }
-        const hasAutoRollData = typeof appSettingsRow.auto_roll_enabled === "number" || typeof appSettingsRow.auto_roll_warning_threshold === "number" || typeof appSettingsRow.auto_roll_switch_threshold === "number";
-        if (hasAutoRollData) {
-          const warning = typeof appSettingsRow.auto_roll_warning_threshold === "number" ? appSettingsRow.auto_roll_warning_threshold : DEFAULT_AUTO_ROLL_WARNING_THRESHOLD;
-          const switchThreshold = typeof appSettingsRow.auto_roll_switch_threshold === "number" ? appSettingsRow.auto_roll_switch_threshold : DEFAULT_AUTO_ROLL_SWITCH_THRESHOLD;
-          const autoRoll = {
-            enabled: Boolean(appSettingsRow.auto_roll_enabled ?? DEFAULT_AUTO_ROLL_ENABLED),
-            warningThreshold: warning,
-            switchThreshold
-          };
-          upsertKv.run({ key: "auto_roll", value: JSON.stringify(autoRoll) });
-        }
-      }
-      try {
-        database.exec("DROP TABLE IF EXISTS app_settings;");
-      } catch (error) {
-        console.warn("Failed to drop legacy app_settings table:", error);
-      }
-    } catch (error) {
-      console.warn("Failed to migrate app_settings to app_kv:", error);
-    }
-    database.exec(`PRAGMA user_version = 6;`);
-    userVersion = 6;
+  if (!Number.isFinite(merged.autoRoll.switchThreshold)) {
+    merged.autoRoll.switchThreshold = 95;
   }
-  if (userVersion < 7) {
-    try {
-      const columns = database.prepare("PRAGMA table_info(profiles)").all();
-      const hasWorkspaceId = Boolean(columns?.some((column) => column.name === "workspace_id"));
-      const hasWorkspaceName = Boolean(columns?.some((column) => column.name === "workspace_name"));
-      if (!hasWorkspaceId) {
-        database.exec(`ALTER TABLE profiles ADD COLUMN workspace_id TEXT;`);
-      }
-      if (!hasWorkspaceName) {
-        database.exec(`ALTER TABLE profiles ADD COLUMN workspace_name TEXT;`);
-      }
-    } catch (error) {
-      console.warn("Failed to add workspace columns during migration:", error);
-    }
-    database.exec(`
-      DROP INDEX IF EXISTS idx_profiles_account;
-      DROP INDEX IF EXISTS idx_profiles_account_workspace;
-
-      CREATE UNIQUE INDEX IF NOT EXISTS idx_profiles_account_workspace
-        ON profiles(account_id, workspace_id)
-        WHERE account_id IS NOT NULL;
-    `);
-    try {
-      const rows = database.prepare("SELECT name, workspace_id FROM profiles").all();
-      const update = database.prepare(
-        "UPDATE profiles SET workspace_id = @workspaceId WHERE name = @name AND (workspace_id IS NULL OR workspace_id = '')"
-      );
-      for (const row of rows) {
-        const name = typeof row.name === "string" ? row.name : null;
-        if (!name) {
-          continue;
-        }
-        const existingWorkspace = typeof row.workspace_id === "string" ? row.workspace_id.trim() : "";
-        if (existingWorkspace) {
-          continue;
-        }
-        update.run({ name, workspaceId: "__default__" });
-      }
-    } catch (error) {
-      console.warn("Failed to backfill workspace_id during migration:", error);
-    }
-    database.exec(`PRAGMA user_version = 7;`);
-    userVersion = 7;
+  if (merged.autoRoll.warningThreshold < 50 || merged.autoRoll.warningThreshold > 99) {
+    merged.autoRoll.warningThreshold = 85;
   }
-  if (userVersion < 8) {
-    ensureChatTables(database);
-    database.exec(`PRAGMA user_version = 8;`);
-    userVersion = 8;
+  if (merged.autoRoll.switchThreshold <= merged.autoRoll.warningThreshold || merged.autoRoll.switchThreshold > 100) {
+    merged.autoRoll.switchThreshold = Math.min(100, Math.max(merged.autoRoll.warningThreshold + 1, 95));
   }
-  if (userVersion < 9) {
-    ensureSessionTables(database);
-    database.exec(`PRAGMA user_version = 9;`);
-    userVersion = 9;
+  merged.app.cliChannel = merged.app.cliChannel === "alpha" ? "alpha" : "stable";
+  merged.app.lastAppVersion = asString(merged.app.lastAppVersion);
+  merged.app.pendingUpdateVersion = asString(merged.app.pendingUpdateVersion);
+  merged.app.lastProfileName = asString(merged.app.lastProfileName);
+  merged.license.licenseKey = asString(merged.license.licenseKey);
+  merged.license.purchaseEmail = asString(merged.license.purchaseEmail);
+  merged.license.lastVerifiedAt = asString(merged.license.lastVerifiedAt);
+  merged.license.nextCheckAt = asString(merged.license.nextCheckAt);
+  merged.license.lastVerificationError = asString(merged.license.lastVerificationError);
+  merged.license.signature = asString(merged.license.signature);
+  if (!["inactive", "active", "grace", "error"].includes(merged.license.status)) {
+    merged.license.status = "inactive";
   }
-  if (userVersion < 10) {
-    ensureUsageTables(database);
-    database.exec(`PRAGMA user_version = 10;`);
-    userVersion = 10;
+  if (!Array.isArray(merged.providers.list)) {
+    merged.providers.list = [];
   }
-  if (userVersion < 11) {
-    try {
-      database.exec(`ALTER TABLE usage ADD COLUMN model TEXT;`);
-    } catch {
-    }
-    database.exec(`PRAGMA user_version = 11;`);
-    userVersion = 11;
+  merged.providers.selectedProviderId = asString(merged.providers.selectedProviderId) ?? "openai";
+  merged.providers.defaultModel = asString(merged.providers.defaultModel);
+  if (!["minimal", "low", "medium", "high", "xhigh", "none"].includes(merged.providers.defaultReasoningEffort)) {
+    merged.providers.defaultReasoningEffort = "medium";
   }
-  try {
-    database.exec("PRAGMA foreign_keys = ON;");
-  } catch {
+  if (!isRecord(merged.providers.overridesByPath)) {
+    merged.providers.overridesByPath = {};
   }
-  ensureChatTables(database);
-  ensureSessionTables(database);
-  ensureUsageTables(database);
-}
-async function getDatabase() {
-  const dbPath = resolveDbPath();
-  if (!globalCache.cachedDbPromise || globalCache.cachedDbPath !== dbPath) {
-    if (globalCache.cachedDbPromise) {
-      try {
-        const previous = await globalCache.cachedDbPromise;
-        previous.close();
-      } catch {
-      }
-    }
-    globalCache.cachedDbPath = dbPath;
-    globalCache.cachedDbPromise = instantiateDatabase(dbPath);
+  if (!isRecord(merged.sandbox.overridesByPath)) {
+    merged.sandbox.overridesByPath = {};
   }
-  const db = await globalCache.cachedDbPromise;
-  try {
-    runMigrations(db);
-  } catch (error) {
-    console.warn("Failed to ensure migrations:", error);
+  if (!Array.isArray(merged.preferences.excludeFolders)) {
+    merged.preferences.excludeFolders = [];
   }
-  return db;
-}
-async function resetDatabaseConnection() {
-  if (globalCache.cachedDbPromise) {
-    try {
-      const db = await globalCache.cachedDbPromise;
-      db.close();
-    } catch {
-    }
+  if (!Array.isArray(merged.preferences.folderHistory)) {
+    merged.preferences.folderHistory = [];
   }
-  globalCache.cachedDbPromise = null;
-  globalCache.cachedDbPath = null;
-}
-function __debugResolveDbPath() {
-  return resolveDbPath();
-}
-var import_node_fs, import_node_path, import_node_module, import_sql, require2, wasmDir, sqlModulePromise, SqliteWasmDatabase, SqliteWasmStatement, STORAGE_DIRECTORY_NAME, STORAGE_FILENAME, GLOBAL_CACHE_KEY, globalCache;
-var init_sqlite_db = __esm({
-  "../../lib/sqlite-db.ts"() {
-    "use strict";
-    import_node_fs = require("fs");
-    import_node_path = __toESM(require("path"));
-    import_node_module = require("module");
-    import_sql = __toESM(require("sql.js"));
-    init_auto_roll_settings();
-    require2 = (0, import_node_module.createRequire)(__filename);
-    wasmDir = import_node_path.default.dirname(require2.resolve("sql.js/dist/sql-wasm.wasm"));
-    sqlModulePromise = (0, import_sql.default)({
-      locateFile: (file) => import_node_path.default.join(wasmDir, file)
-    });
-    SqliteWasmDatabase = class {
-      constructor(driver, dbPath) {
-        this.driver = driver;
-        this.dbPath = dbPath;
-        this.closed = false;
-        this.persistTimeout = null;
-      }
-      get open() {
-        return !this.closed;
-      }
-      prepare(sql) {
-        this.assertOpen();
-        return new SqliteWasmStatement(this, sql);
-      }
-      createStatement(sql) {
-        this.assertOpen();
-        return this.driver.prepare(sql);
-      }
-      exec(sql) {
-        this.assertOpen();
-        this.driver.exec(sql);
-      }
-      getRowsModified() {
-        this.assertOpen();
-        return this.driver.getRowsModified();
-      }
-      async persist() {
-        this.assertOpen();
-        ensureStorageDirExists(this.dbPath);
-        if (this.persistTimeout) {
-          clearTimeout(this.persistTimeout);
-        }
-        this.persistTimeout = setTimeout(async () => {
-          try {
-            const contents = Buffer.from(this.driver.export());
-            await import_node_fs.promises.writeFile(this.dbPath, contents);
-            this.persistTimeout = null;
-          } catch (error) {
-            console.error("Failed to persist database:", error);
-          }
-        }, 500);
-      }
-      close() {
-        if (!this.closed) {
-          if (this.persistTimeout) {
-            clearTimeout(this.persistTimeout);
-            this.persistTimeout = null;
-            try {
-              const contents = Buffer.from(this.driver.export());
-              (0, import_node_fs.writeFileSync)(this.dbPath, contents);
-            } catch (error) {
-              if (error.code !== "ENOENT") {
-                console.error("Failed to flush database on close:", error);
-              }
-            }
-          }
-          this.driver.close();
-          this.closed = true;
-        }
-      }
-      async flushPersistence() {
-        if (this.persistTimeout) {
-          clearTimeout(this.persistTimeout);
-          this.persistTimeout = null;
-          try {
-            const contents = Buffer.from(this.driver.export());
-            await import_node_fs.promises.writeFile(this.dbPath, contents);
-          } catch (error) {
-            console.error("Failed to flush database persistence:", error);
-          }
-        }
-      }
-      assertOpen() {
-        if (!this.open) {
-          throw new Error("SQLite database connection is closed.");
-        }
-      }
-    };
-    SqliteWasmStatement = class {
-      constructor(database, sql) {
-        this.database = database;
-        this.sql = sql;
-      }
-      get(...params) {
-        const statement = this.database.createStatement(this.sql);
-        try {
-          bindParameters(statement, params);
-          if (!statement.step()) {
-            return void 0;
-          }
-          return statement.getAsObject();
-        } finally {
-          statement.free();
-        }
-      }
-      all(...params) {
-        const rows = [];
-        const statement = this.database.createStatement(this.sql);
-        try {
-          bindParameters(statement, params);
-          while (statement.step()) {
-            rows.push(statement.getAsObject());
-          }
-        } finally {
-          statement.free();
-        }
-        return rows;
-      }
-      run(...params) {
-        const statement = this.database.createStatement(this.sql);
-        try {
-          bindParameters(statement, params);
-          statement.step();
-        } finally {
-          statement.free();
-        }
-        const changes = this.database.getRowsModified();
-        void this.database.persist();
-        return { changes };
-      }
-    };
-    STORAGE_DIRECTORY_NAME = ".f86eb5e712267207";
-    STORAGE_FILENAME = "state-d64ce728d7a20214.sqlite";
-    GLOBAL_CACHE_KEY = /* @__PURE__ */ Symbol.for("codex.sqliteCache");
-    globalCache = globalThis[GLOBAL_CACHE_KEY] ?? (globalThis[GLOBAL_CACHE_KEY] = {
-      cachedDbPath: null,
-      cachedDbPromise: null
-    });
+  if (!Array.isArray(merged.preferences.pinnedPaths)) {
+    merged.preferences.pinnedPaths = [];
   }
-});
-
-// ../../lib/profile-manager.ts
-var import_fs = require("fs");
-var import_path = __toESM(require("path"));
-var import_path2 = require("path");
-var import_toml = require("@iarna/toml");
-
-// ../../lib/codex-settings.ts
-var import_node_fs2 = require("fs");
-var import_node_path2 = __toESM(require("path"));
-
-// ../../lib/logger.ts
-var isTestEnv = process.env.NODE_ENV === "test" || process.env.VITEST === "true" || process.env.VITEST === "1";
-function isMocked(fn) {
-  return Boolean(fn && typeof fn === "function" && "mock" in fn);
-}
-function logWarn(...args) {
-  if (isTestEnv && !isMocked(console.warn)) {
-    return;
+  if (!isRecord(merged.projectSettingsByPath)) {
+    merged.projectSettingsByPath = {};
   }
-  console.warn(...args);
-}
-function logError(...args) {
-  if (isTestEnv && !isMocked(console.error)) {
-    return;
+  if (!isRecord(merged.conversationCategoriesByCwd)) {
+    merged.conversationCategoriesByCwd = {};
   }
-  console.error(...args);
-}
-
-// ../../lib/codex-settings.ts
-init_auto_roll_settings();
-
-// ../../lib/codex-cli-channel.ts
-var KNOWN_CHANNELS = /* @__PURE__ */ new Set(["stable", "alpha"]);
-function parseCodexCliChannel(value) {
-  if (typeof value !== "string") {
-    return null;
+  if (!isRecord(merged.conversationCategoryAssignmentsByCwd)) {
+    merged.conversationCategoryAssignmentsByCwd = {};
   }
-  const normalized = value.trim().toLowerCase();
-  if (!normalized) {
-    return null;
+  if (!isRecord(merged.skills)) {
+    merged.skills = clone(defaults.skills);
   }
-  return KNOWN_CHANNELS.has(normalized) ? normalized : null;
+  if (!Array.isArray(merged.skills.sources)) {
+    merged.skills.sources = [];
+  }
+  if (!isRecord(merged.skills.installsBySlug)) {
+    merged.skills.installsBySlug = {};
+  }
+  if (!isRecord(merged.sync)) {
+    merged.sync = clone(defaults.sync);
+  }
+  merged.sync.lastPushAt = asString(merged.sync.lastPushAt);
+  merged.sync.lastPullAt = asString(merged.sync.lastPullAt);
+  merged.sync.lastError = asString(merged.sync.lastError);
+  merged.sync.remoteUpdatedAt = asString(merged.sync.remoteUpdatedAt);
+  if (!isRecord(merged.telemetry)) {
+    merged.telemetry = clone(defaults.telemetry);
+  }
+  merged.telemetry.installId = asString(merged.telemetry.installId);
+  if (typeof merged.telemetry.enabled !== "boolean") {
+    merged.telemetry.enabled = true;
+  }
+  merged.telemetry.lastFlushAt = asString(merged.telemetry.lastFlushAt);
+  merged.telemetry.lastError = asString(merged.telemetry.lastError);
+  if (!isRecord(merged.profilesByName)) {
+    merged.profilesByName = {};
+  }
+  if (!isRecord(merged.migration)) {
+    merged.migration = clone(defaults.migration);
+  }
+  if (!["pending", "pending_local_storage", "complete"].includes(merged.migration.status)) {
+    merged.migration.status = "pending";
+  }
+  merged.migration.startedAt = asString(merged.migration.startedAt);
+  merged.migration.completedAt = asString(merged.migration.completedAt);
+  merged.migration.localStorageImportedAt = asString(merged.migration.localStorageImportedAt);
+  merged.migration.lastError = asString(merged.migration.lastError);
+  return merged;
 }
-function normalizeCodexCliChannel(value, fallback = "stable") {
-  return parseCodexCliChannel(value) ?? fallback;
+function deepMerge(base, patch) {
+  if (!isRecord(base) || !isRecord(patch)) {
+    return clone(patch ?? base);
+  }
+  const next = { ...base };
+  for (const [key, patchValue] of Object.entries(patch)) {
+    if (patchValue === void 0) {
+      continue;
+    }
+    const currentValue = next[key];
+    if (Array.isArray(patchValue)) {
+      next[key] = clone(patchValue);
+      continue;
+    }
+    if (isRecord(currentValue) && isRecord(patchValue)) {
+      next[key] = deepMerge(currentValue, patchValue);
+      continue;
+    }
+    next[key] = clone(patchValue);
+  }
+  return next;
 }
-
-// ../../lib/codex-settings.ts
-var KEY_LAST_PROFILE_NAME = "last_profile_name";
-var KEY_LICENSE = "license";
-var KEY_AUTO_ROLL = "auto_roll";
-var KEY_LAST_APP_VERSION = "last_app_version";
-var KEY_PENDING_UPDATE_VERSION = "pending_update_version";
-var KEY_CLI_CHANNEL = "cli_channel";
-var SETTINGS_FILE = "settings.json";
-var SETTINGS_BACKUP_FILE = "settings.json.bak";
-function resolveCodexDir() {
-  const homeDir = process.env.HOME || process.env.USERPROFILE || "";
-  return homeDir ? import_node_path2.default.join(homeDir, ".codex") : ".codex";
-}
-function resolveSettingsPath() {
-  return import_node_path2.default.join(resolveCodexDir(), SETTINGS_FILE);
-}
-function resolveBackupSettingsPath() {
-  return import_node_path2.default.join(resolveCodexDir(), SETTINGS_BACKUP_FILE);
-}
-async function ensureCodexDir() {
+async function writeAtomic(filePath, contents) {
+  const dir = import_node_path.default.dirname(filePath);
+  const base = import_node_path.default.basename(filePath);
+  const token = `${process.pid}.${Date.now()}.${Math.random().toString(16).slice(2)}`;
+  const tempPath = import_node_path.default.join(dir, `${base}.${token}.tmp`);
+  await import_node_fs.promises.mkdir(dir, { recursive: true });
+  await import_node_fs.promises.writeFile(tempPath, contents, "utf8");
   try {
-    await import_node_fs2.promises.mkdir(resolveCodexDir(), { recursive: true });
-  } catch (error) {
-    logWarn("Failed to ensure Codex directory exists:", error);
+    await import_node_fs.promises.rename(tempPath, filePath);
+  } finally {
+    await import_node_fs.promises.rm(tempPath, { force: true }).catch(() => void 0);
   }
 }
-async function writeAtomic(filePath, contents) {
-  const tempPath = `${filePath}.tmp`;
-  await import_node_fs2.promises.mkdir(import_node_path2.default.dirname(filePath), { recursive: true });
-  await import_node_fs2.promises.writeFile(tempPath, contents, "utf8");
+async function writeAppStateToDisk(state) {
+  const filePath = resolveAppStatePath();
+  await writeAtomic(filePath, `${JSON.stringify(state, null, 2)}
+`);
+}
+async function readAppStateFromDisk() {
+  const filePath = resolveAppStatePath();
   try {
-    await import_node_fs2.promises.rename(tempPath, filePath);
+    const raw = await import_node_fs.promises.readFile(filePath, "utf8");
+    return normalizeAppState(JSON.parse(raw));
   } catch (error) {
     const code = error.code;
     if (code === "ENOENT") {
-      await import_node_fs2.promises.writeFile(filePath, contents, "utf8");
-    } else {
-      throw error;
+      return null;
     }
+    throw error;
   }
+}
+async function ensureInitialized() {
+  if (appStateCache) {
+    return appStateCache;
+  }
+  const filePath = resolveAppStatePath();
+  await import_node_fs.promises.mkdir(import_node_path.default.dirname(filePath), { recursive: true });
+  const loaded = await readAppStateFromDisk();
+  const normalized = loaded ?? normalizeAppState(null);
+  appStateCache = normalized;
+  if (loaded === null) {
+    await writeAppStateToDisk(normalized);
+  }
+  return appStateCache;
+}
+async function withWriteLock(task) {
+  if (writeLockContext.getStore()) {
+    return task();
+  }
+  const previous = writeLock;
+  let release = null;
+  writeLock = new Promise((resolve) => {
+    release = resolve;
+  });
+  await previous;
   try {
-    await import_node_fs2.promises.rm(tempPath, { force: true });
-  } catch {
+    return await writeLockContext.run(true, task);
+  } finally {
+    release?.();
+  }
+}
+async function getAppState() {
+  const state = await ensureInitialized();
+  return clone(state);
+}
+async function updateAppState(transform, options = {}) {
+  const mode = options.mode ?? "patch";
+  const allowBeforeMigrationComplete = options.allowBeforeMigrationComplete === true;
+  return withWriteLock(async () => {
+    const current = await readAppStateFromDisk() ?? await ensureInitialized();
+    appStateCache = current;
+    if (!allowBeforeMigrationComplete && current.migration.status !== "complete") {
+      throw new Error("Storage migration is not complete yet.");
+    }
+    const transformed = transform(clone(current));
+    const nextState = mode === "replace" ? normalizeAppState(transformed) : normalizeAppState(deepMerge(current, transformed));
+    await writeAppStateToDisk(nextState);
+    appStateCache = nextState;
+    return clone(nextState);
+  });
+}
+async function patchAppState(patch) {
+  return updateAppState(() => patch, {
+    mode: "patch",
+    allowBeforeMigrationComplete: false
+  });
+}
+
+// ../../lib/codex-settings.ts
+function asString2(value) {
+  if (typeof value !== "string") {
+    return null;
   }
+  const trimmed = value.trim();
+  return trimmed.length > 0 ? trimmed : null;
+}
+function isRecord2(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
-function normalizeStoredLicense(raw) {
-  if (!raw || typeof raw !== "object") {
+function parseStoredLicense(raw) {
+  if (!isRecord2(raw)) {
     return null;
   }
-  const source = raw;
-  const licenseKey = typeof source.licenseKey === "string" ? source.licenseKey : typeof source.license_key === "string" ? source.license_key : null;
-  const purchaseEmail = typeof source.purchaseEmail === "string" ? source.purchaseEmail : typeof source.purchase_email === "string" ? source.purchase_email : null;
-  const lastVerifiedAt = typeof source.lastVerifiedAt === "string" ? source.lastVerifiedAt : typeof source.last_verified_at === "string" ? source.last_verified_at : null;
-  const nextCheckAt = typeof source.nextCheckAt === "string" ? source.nextCheckAt : typeof source.next_check_at === "string" ? source.next_check_at : null;
-  const lastVerificationError = typeof source.lastVerificationError === "string" ? source.lastVerificationError : typeof source.last_verification_error === "string" ? source.last_verification_error : null;
-  const signature = typeof source.signature === "string" ? source.signature : null;
-  const statusCandidate = typeof source.status === "string" ? source.status : void 0;
+  const statusCandidate = asString2(raw.status);
+  const status = ["inactive", "active", "grace", "error"].includes(statusCandidate ?? "") ? statusCandidate : void 0;
   const license = {
-    licenseKey,
-    purchaseEmail,
-    lastVerifiedAt,
-    nextCheckAt,
-    lastVerificationError,
-    signature,
-    status: statusCandidate
+    licenseKey: asString2(raw.licenseKey ?? raw.license_key),
+    purchaseEmail: asString2(raw.purchaseEmail ?? raw.purchase_email),
+    lastVerifiedAt: asString2(raw.lastVerifiedAt ?? raw.last_verified_at),
+    nextCheckAt: asString2(raw.nextCheckAt ?? raw.next_check_at),
+    lastVerificationError: asString2(raw.lastVerificationError ?? raw.last_verification_error),
+    status,
+    signature: asString2(raw.signature)
   };
-  const hasLicenseData = Boolean(
-    license.licenseKey ?? license.purchaseEmail ?? license.lastVerifiedAt ?? license.nextCheckAt ?? license.lastVerificationError ?? license.status
+  const hasValue = Boolean(
+    license.licenseKey || license.purchaseEmail || license.lastVerifiedAt || license.nextCheckAt || license.lastVerificationError || license.status
   );
-  return hasLicenseData ? license : null;
+  return hasValue ? license : null;
 }
-function normalizeStoredAutoRoll(raw) {
+function parseAutoRoll(raw) {
   if (!raw) {
     return null;
   }
-  const parsed = typeof raw === "string" ? parseJsonValue(raw) : raw;
-  if (!parsed || typeof parsed !== "object") {
-    return null;
-  }
   try {
-    return normalizeAutoRollSettings(parsed);
+    return normalizeAutoRollSettings(raw);
   } catch {
     return null;
   }
 }
-function parseStoredProfileName(raw) {
-  if (raw === null || raw === void 0) {
-    return null;
-  }
-  if (typeof raw === "string" || typeof raw === "number") {
-    const normalized = String(raw).trim();
-    return normalized.length > 0 ? normalized : null;
-  }
-  const candidate = typeof raw === "string" ? parseJsonValue(raw) : parseJsonValue(raw);
-  if (typeof candidate === "string" || typeof candidate === "number") {
-    const normalized = String(candidate).trim();
-    return normalized.length > 0 ? normalized : null;
-  }
-  return null;
+async function getLastProfileName() {
+  const state = await getAppState();
+  return asString2(state.app.lastProfileName);
 }
-async function markSettingsCorrupt(settingsPath, raw) {
-  try {
-    const suffix = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-    const backupPath = `${settingsPath}.corrupt-${suffix}`;
-    await import_node_fs2.promises.writeFile(backupPath, raw, "utf8");
-  } catch {
-  }
-}
-async function tryRestoreSettings(fromPath, _targetPath) {
-  try {
-    const raw = await import_node_fs2.promises.readFile(fromPath, "utf8");
-    const parsed = JSON.parse(raw);
-    if (!parsed || typeof parsed !== "object") {
-      return null;
+async function persistLastProfileName(profileName) {
+  await patchAppState({
+    app: {
+      lastProfileName: asString2(profileName)
     }
-    const normalized = normalizeParsedSettings(parsed);
-    await writeSettingsFile(normalized);
-    return normalized;
-  } catch {
-    return null;
-  }
+  });
 }
-function normalizeParsedSettings(parsed) {
-  const license = normalizeStoredLicense(parsed.license ?? parsed[KEY_LICENSE]);
-  const autoRoll = normalizeStoredAutoRoll(parsed.autoRoll ?? parsed[KEY_AUTO_ROLL]);
-  const lastProfileName = parseStoredProfileName(
-    parsed.lastProfileName ?? parsed[KEY_LAST_PROFILE_NAME]
-  );
-  const lastAppVersion = typeof parsed.lastAppVersion === "string" ? parsed.lastAppVersion : typeof parsed[KEY_LAST_APP_VERSION] === "string" ? parsed[KEY_LAST_APP_VERSION] : null;
-  const pendingUpdateVersion = typeof parsed.pendingUpdateVersion === "string" ? parsed.pendingUpdateVersion : typeof parsed[KEY_PENDING_UPDATE_VERSION] === "string" ? parsed[KEY_PENDING_UPDATE_VERSION] : null;
-  const cliChannel = parseCodexCliChannel(
-    parsed.cliChannel ?? parsed[KEY_CLI_CHANNEL]
-  );
-  return {
-    ...license ? { license } : {},
-    ...autoRoll ? { autoRoll } : {},
-    ...lastProfileName ? { lastProfileName } : {},
-    ...lastAppVersion ? { lastAppVersion } : {},
-    ...pendingUpdateVersion ? { pendingUpdateVersion } : {},
-    ...cliChannel ? { cliChannel } : {}
-  };
+async function getStoredLicense() {
+  const state = await getAppState();
+  return parseStoredLicense(state.license);
 }
-async function readSettingsFromDisk() {
-  const settingsPath = resolveSettingsPath();
-  try {
-    const raw = await import_node_fs2.promises.readFile(settingsPath, "utf8");
-    const parsed = JSON.parse(raw);
-    if (!parsed || typeof parsed !== "object") {
-      return null;
-    }
-    return normalizeParsedSettings(parsed);
-  } catch (error) {
-    if (error.code === "ENOENT") {
-      return null;
-    }
-    if (error instanceof SyntaxError) {
-      try {
-        const raw = await import_node_fs2.promises.readFile(settingsPath, "utf8");
-        await markSettingsCorrupt(settingsPath, raw);
-        const restoredFromTemp = await tryRestoreSettings(`${settingsPath}.tmp`, settingsPath);
-        if (restoredFromTemp) {
-          return restoredFromTemp;
-        }
-        const restoredFromBackup = await tryRestoreSettings(resolveBackupSettingsPath(), settingsPath);
-        if (restoredFromBackup) {
-          return restoredFromBackup;
-        }
-        await import_node_fs2.promises.writeFile(settingsPath, "{}\n", "utf8");
-      } catch {
-      }
+async function persistLicense(license) {
+  const parsed = parseStoredLicense(license);
+  await patchAppState({
+    license: parsed ? {
+      licenseKey: parsed.licenseKey ?? null,
+      purchaseEmail: parsed.purchaseEmail ?? null,
+      lastVerifiedAt: parsed.lastVerifiedAt ?? null,
+      nextCheckAt: parsed.nextCheckAt ?? null,
+      lastVerificationError: parsed.lastVerificationError ?? null,
+      status: parsed.status ?? "inactive",
+      signature: parsed.signature ?? null
+    } : {
+      licenseKey: null,
+      purchaseEmail: null,
+      lastVerifiedAt: null,
+      nextCheckAt: null,
+      lastVerificationError: null,
+      status: "inactive",
+      signature: null
     }
-    logWarn("Failed to parse Codex settings file, using defaults:", error);
-    return null;
-  }
+  });
 }
-async function migrateSettingsFromDatabase() {
-  try {
-    const { __debugResolveDbPath: __debugResolveDbPath2, getDatabase: getDatabase2 } = await Promise.resolve().then(() => (init_sqlite_db(), sqlite_db_exports));
-    const dbPath = __debugResolveDbPath2();
-    try {
-      await import_node_fs2.promises.access(dbPath);
-    } catch {
-      return null;
-    }
-    const db = await getDatabase2();
-    const rows = db.prepare(
-      `SELECT key, value
-         FROM app_kv
-         WHERE key IN ('${KEY_LAST_PROFILE_NAME}', '${KEY_LICENSE}', '${KEY_AUTO_ROLL}', '${KEY_LAST_APP_VERSION}', '${KEY_PENDING_UPDATE_VERSION}', '${KEY_CLI_CHANNEL}')`
-    ).all();
-    if (!rows || rows.length === 0) {
-      return null;
-    }
-    const kv = /* @__PURE__ */ new Map();
-    for (const row of rows) {
-      if (!row.key) continue;
-      if (typeof row.value === "string") {
-        kv.set(row.key, parseJsonValue(row.value));
-      } else {
-        kv.set(row.key, row.value);
-      }
-    }
-    const license = normalizeStoredLicense(kv.get(KEY_LICENSE));
-    const autoRoll = normalizeStoredAutoRoll(kv.get(KEY_AUTO_ROLL));
-    const lastProfileName = parseStoredProfileName(kv.get(KEY_LAST_PROFILE_NAME));
-    const lastAppVersion = typeof kv.get(KEY_LAST_APP_VERSION) === "string" ? kv.get(KEY_LAST_APP_VERSION) : null;
-    const pendingUpdateVersion = typeof kv.get(KEY_PENDING_UPDATE_VERSION) === "string" ? kv.get(KEY_PENDING_UPDATE_VERSION) : null;
-    const cliChannel = parseCodexCliChannel(kv.get(KEY_CLI_CHANNEL));
-    const settings = {
-      ...license ? { license } : {},
-      ...autoRoll ? { autoRoll } : {},
-      ...lastProfileName ? { lastProfileName } : {},
-      ...lastAppVersion ? { lastAppVersion } : {},
-      ...pendingUpdateVersion ? { pendingUpdateVersion } : {},
-      ...cliChannel ? { cliChannel } : {}
-    };
-    if (Object.keys(settings).length === 0) {
-      return null;
-    }
-    await writeSettingsFile(settings);
-    return settings;
-  } catch (error) {
-    logWarn("Failed to migrate Codex settings from database:", error);
-    return null;
-  }
+async function getCodexCliChannel() {
+  const state = await getAppState();
+  return normalizeCodexCliChannel(state.app.cliChannel);
 }
-async function readSettingsFile() {
-  await ensureCodexDir();
-  const diskSettings = await readSettingsFromDisk();
-  if (diskSettings) {
-    return diskSettings;
-  }
-  const migrated = await migrateSettingsFromDatabase();
-  if (migrated) {
-    return migrated;
-  }
-  return {};
-}
-async function writeSettingsFile(settings) {
-  await ensureCodexDir();
-  const normalizedAutoRoll = settings.autoRoll ? normalizeAutoRollSettings(settings.autoRoll) : null;
-  const normalizedLicense = settings.license ? {
-    licenseKey: settings.license.licenseKey ?? null,
-    purchaseEmail: settings.license.purchaseEmail ?? null,
-    lastVerifiedAt: settings.license.lastVerifiedAt ?? null,
-    nextCheckAt: settings.license.nextCheckAt ?? null,
-    lastVerificationError: settings.license.lastVerificationError ?? null,
-    status: settings.license.status ?? void 0,
-    signature: settings.license.signature ?? null
-  } : null;
-  const payload = {
-    ...settings.lastProfileName ? { lastProfileName: settings.lastProfileName } : {},
-    ...normalizedLicense ? { license: normalizedLicense } : {},
-    ...normalizedAutoRoll ? { autoRoll: normalizedAutoRoll } : {},
-    ...settings.lastAppVersion ? { lastAppVersion: settings.lastAppVersion } : {},
-    ...settings.pendingUpdateVersion ? { pendingUpdateVersion: settings.pendingUpdateVersion } : {},
-    ...settings.cliChannel ? { cliChannel: settings.cliChannel } : {}
+async function readCodexSettingsJsonRaw() {
+  const state = await getAppState();
+  return {
+    lastProfileName: state.app.lastProfileName,
+    lastAppVersion: state.app.lastAppVersion,
+    pendingUpdateVersion: state.app.pendingUpdateVersion,
+    cliChannel: state.app.cliChannel,
+    autoRoll: state.autoRoll,
+    license: state.license,
+    providers: state.providers.list,
+    selectedProviderId: state.providers.selectedProviderId,
+    defaultModel: state.providers.defaultModel,
+    defaultReasoningEffort: state.providers.defaultReasoningEffort,
+    selectionsByCwd: state.providers.overridesByPath,
+    mode: state.sandbox.defaultMode,
+    approvalPolicy: state.sandbox.defaultApprovalPolicy,
+    sandboxSelectionsByCwd: state.sandbox.overridesByPath,
+    excludeFolders: state.preferences.excludeFolders,
+    enableTaskCompleteBeep: state.preferences.enableTaskCompleteBeep,
+    preventSleepDuringTasks: state.preferences.preventSleepDuringTasks,
+    folderHistory: state.preferences.folderHistory,
+    pinnedPaths: state.preferences.pinnedPaths,
+    projectSettingsByPath: state.projectSettingsByPath,
+    categoriesByCwd: state.conversationCategoriesByCwd,
+    conversationCategoryByCwd: state.conversationCategoryAssignmentsByCwd,
+    sync: state.sync
   };
-  const serialized = JSON.stringify(payload, null, 2);
-  const settingsPath = resolveSettingsPath();
-  const backupPath = resolveBackupSettingsPath();
-  const contents = `${serialized}
-`;
-  await writeAtomic(settingsPath, contents);
-  try {
-    await writeAtomic(backupPath, contents);
-  } catch (error) {
-    logWarn("Failed to write Codex settings backup:", error);
-  }
-}
-function parseJsonValue(value) {
-  if (typeof value !== "string") {
-    return null;
-  }
-  try {
-    return JSON.parse(value);
-  } catch {
-    return value;
-  }
-}
-async function getCodexSettings() {
-  return readSettingsFile();
-}
-async function setCodexSettings(settings) {
-  await writeSettingsFile(settings);
-}
-async function getLastProfileName() {
-  const settings = await getCodexSettings();
-  const candidate = settings.lastProfileName;
-  if (typeof candidate !== "string") {
-    return null;
-  }
-  const trimmed = candidate.trim();
-  return trimmed.length === 0 ? null : trimmed;
 }
-async function persistLastProfileName(profileName) {
-  const settings = await getCodexSettings();
-  if (profileName && profileName.trim().length > 0) {
-    settings.lastProfileName = profileName.trim();
-  } else if (settings.lastProfileName) {
-    delete settings.lastProfileName;
-  }
-  await setCodexSettings(settings);
-}
-async function getStoredLicense() {
-  const settings = await getCodexSettings();
-  if (!settings.license) {
-    return null;
+async function writeCodexSettingsJsonRaw(payload) {
+  if (!isRecord2(payload)) {
+    return;
   }
-  return settings.license;
-}
-async function persistLicense(license) {
-  const settings = await getCodexSettings();
-  if (license) {
-    settings.license = {
+  const autoRoll = parseAutoRoll(payload.autoRoll ?? payload.auto_roll);
+  const license = parseStoredLicense(payload.license);
+  const cliChannel = parseCodexCliChannel(payload.cliChannel ?? payload.cli_channel);
+  await patchAppState({
+    app: {
+      lastProfileName: asString2(payload.lastProfileName ?? payload.last_profile_name),
+      lastAppVersion: asString2(payload.lastAppVersion ?? payload.last_app_version),
+      pendingUpdateVersion: asString2(payload.pendingUpdateVersion ?? payload.pending_update_version),
+      cliChannel: cliChannel ?? void 0
+    },
+    autoRoll: autoRoll ? {
+      enabled: autoRoll.enabled,
+      warningThreshold: autoRoll.warningThreshold,
+      switchThreshold: autoRoll.switchThreshold
+    } : void 0,
+    license: license ? {
       licenseKey: license.licenseKey ?? null,
       purchaseEmail: license.purchaseEmail ?? null,
       lastVerifiedAt: license.lastVerifiedAt ?? null,
@@ -1073,15 +539,55 @@ async function persistLicense(license) {
       lastVerificationError: license.lastVerificationError ?? null,
       status: license.status ?? "inactive",
       signature: license.signature ?? null
-    };
-  } else if (settings.license) {
-    delete settings.license;
+    } : void 0,
+    providers: {
+      list: Array.isArray(payload.providers) ? payload.providers : void 0,
+      selectedProviderId: asString2(payload.selectedProviderId) ?? void 0,
+      defaultModel: asString2(payload.defaultModel ?? payload.selectedModel),
+      defaultReasoningEffort: typeof payload.defaultReasoningEffort === "string" ? payload.defaultReasoningEffort : typeof payload.reasoningEffort === "string" ? payload.reasoningEffort : void 0,
+      overridesByPath: isRecord2(payload.selectionsByCwd) ? payload.selectionsByCwd : void 0
+    },
+    sandbox: {
+      defaultMode: asString2(payload.mode ?? payload.defaultMode) ?? void 0,
+      defaultApprovalPolicy: asString2(payload.approvalPolicy ?? payload.defaultApprovalPolicy) ?? void 0,
+      overridesByPath: isRecord2(payload.sandboxSelectionsByCwd) ? payload.sandboxSelectionsByCwd : void 0
+    },
+    preferences: {
+      excludeFolders: Array.isArray(payload.excludeFolders) ? payload.excludeFolders : void 0,
+      enableTaskCompleteBeep: typeof payload.enableTaskCompleteBeep === "boolean" ? payload.enableTaskCompleteBeep : void 0,
+      preventSleepDuringTasks: typeof payload.preventSleepDuringTasks === "boolean" ? payload.preventSleepDuringTasks : void 0,
+      folderHistory: Array.isArray(payload.folderHistory) ? payload.folderHistory : void 0,
+      pinnedPaths: Array.isArray(payload.pinnedPaths) ? payload.pinnedPaths : void 0
+    },
+    projectSettingsByPath: isRecord2(payload.projectSettingsByPath) ? payload.projectSettingsByPath : void 0,
+    conversationCategoriesByCwd: isRecord2(payload.categoriesByCwd) ? payload.categoriesByCwd : void 0,
+    conversationCategoryAssignmentsByCwd: isRecord2(payload.conversationCategoryByCwd) ? payload.conversationCategoryByCwd : void 0,
+    sync: isRecord2(payload.sync) ? payload.sync : void 0
+  });
+}
+
+// ../../lib/logger.ts
+var isTestEnv = process.env.NODE_ENV === "test" || process.env.VITEST === "true" || process.env.VITEST === "1";
+function isMocked(fn) {
+  return Boolean(fn && typeof fn === "function" && "mock" in fn);
+}
+function logWarn(...args) {
+  if (isTestEnv && !isMocked(console.warn)) {
+    return;
   }
-  await setCodexSettings(settings);
+  console.warn(...args);
 }
-async function getCodexCliChannel() {
-  const settings = await getCodexSettings();
-  return normalizeCodexCliChannel(settings.cliChannel);
+function logError(...args) {
+  if (isTestEnv && !isMocked(console.error)) {
+    return;
+  }
+  console.error(...args);
+}
+function logInfo(...args) {
+  if (isTestEnv && !isMocked(console.warn)) {
+    return;
+  }
+  console.warn(...args);
 }
 
 // ../../lib/profile-manager.ts
@@ -1090,15 +596,11 @@ var REFRESH_TOKEN_REDEEMED_SNIPPET = "refresh token was already used";
 var REFRESH_TOKEN_REDEEMED_REASON = "Your access token could not be refreshed because your refresh token was already used. Please log out and sign in again.";
 var AUTH_BACKUP_MISSING_MARKER = "__codexuse_missing_auth__";
 var DEFAULT_WORKSPACE_ID = "__default__";
-var PROFILE_RECORD_FILENAME = "profile.json";
 var ProfileManager = class {
   constructor() {
     const homeDir = process.env.HOME || process.env.USERPROFILE || "";
     this.codexDir = (0, import_path2.join)(homeDir, ".codex");
-    this.profilesDir = (0, import_path2.join)(this.codexDir, "profiles");
-    this.profileHomesRoot = (0, import_path2.join)(this.codexDir, "profile-homes");
-    this.migrationsDir = (0, import_path2.join)(this.codexDir, "migrations");
-    this.profileMigrationMarker = (0, import_path2.join)(this.migrationsDir, "profiles-v1");
+    this.profileHomesRoot = (0, import_path2.join)(getUserDataDir(), "profile-homes");
     this.activeAuth = (0, import_path2.join)(this.codexDir, "auth.json");
     this.activeAuthBackup = `${this.activeAuth}.swap`;
     this.lastActiveAuthErrorSignature = null;
@@ -1162,183 +664,84 @@ var ProfileManager = class {
       logWarn("Failed to persist preferred profile name:", error);
     }
   }
-  getProfileRecordPath(profileName) {
-    return (0, import_path2.join)(this.getProfileHomePath(profileName), PROFILE_RECORD_FILENAME);
+  toStateRecord(record) {
+    return {
+      name: record.name,
+      displayName: record.displayName ?? null,
+      data: record.data,
+      metadata: record.metadata,
+      accountId: record.accountId ?? null,
+      workspaceId: record.workspaceId ?? null,
+      workspaceName: record.workspaceName ?? null,
+      email: record.email ?? null,
+      authMethod: record.authMethod ?? null,
+      createdAt: record.createdAt ?? null,
+      updatedAt: record.updatedAt ?? null
+    };
   }
-  parseProfileRecordPayload(profileName, parsed) {
-    if (!parsed || typeof parsed !== "object") {
+  fromStateRecord(profileName, raw) {
+    if (!raw || typeof raw !== "object") {
       return null;
     }
-    const dataRaw = parsed["data"];
-    let data = null;
-    if (dataRaw && typeof dataRaw === "object") {
-      data = dataRaw;
-    } else if (typeof dataRaw === "string") {
-      try {
-        data = JSON.parse(dataRaw);
-      } catch (error) {
-        logWarn(`Failed to parse data payload for profile '${profileName}':`, error);
-        return null;
-      }
-    } else {
+    const dataRaw = raw.data;
+    if (!dataRaw || typeof dataRaw !== "object") {
       return null;
     }
-    const createdAt = typeof parsed["createdAt"] === "string" ? parsed["createdAt"] : typeof parsed["created_at"] === "string" ? parsed["created_at"] : null;
-    const updatedAt = typeof parsed["updatedAt"] === "string" ? parsed["updatedAt"] : typeof parsed["updated_at"] === "string" ? parsed["updated_at"] : null;
-    const metadata = parsed["metadata"] && typeof parsed["metadata"] === "object" ? parsed["metadata"] : void 0;
-    const displayName = typeof parsed["displayName"] === "string" ? parsed["displayName"] : typeof parsed["display_name"] === "string" ? parsed["display_name"] : null;
     return {
       name: profileName,
-      displayName,
-      data,
-      metadata,
-      accountId: typeof parsed["accountId"] === "string" ? parsed["accountId"] : typeof parsed["account_id"] === "string" ? parsed["account_id"] : null,
-      workspaceId: typeof parsed["workspaceId"] === "string" ? parsed["workspaceId"] : typeof parsed["workspace_id"] === "string" ? parsed["workspace_id"] : null,
-      workspaceName: typeof parsed["workspaceName"] === "string" ? parsed["workspaceName"] : typeof parsed["workspace_name"] === "string" ? parsed["workspace_name"] : null,
-      email: typeof parsed["email"] === "string" ? parsed["email"] : typeof parsed["email"] === "boolean" ? null : null,
-      authMethod: typeof parsed["authMethod"] === "string" ? parsed["authMethod"] : typeof parsed["auth_method"] === "string" ? parsed["auth_method"] : null,
-      createdAt,
-      updatedAt
+      displayName: typeof raw.displayName === "string" ? raw.displayName : null,
+      data: dataRaw,
+      metadata: raw.metadata,
+      accountId: typeof raw.accountId === "string" ? raw.accountId : null,
+      workspaceId: typeof raw.workspaceId === "string" ? raw.workspaceId : null,
+      workspaceName: typeof raw.workspaceName === "string" ? raw.workspaceName : null,
+      email: typeof raw.email === "string" ? raw.email : null,
+      authMethod: typeof raw.authMethod === "string" ? raw.authMethod : null,
+      createdAt: typeof raw.createdAt === "string" ? raw.createdAt : null,
+      updatedAt: typeof raw.updatedAt === "string" ? raw.updatedAt : null
     };
   }
-  decodeProfileRecord(profileName, raw, sourceLabel) {
-    try {
-      const parsed = JSON.parse(raw);
-      return this.parseProfileRecordPayload(profileName, parsed);
-    } catch (error) {
-      logWarn(`Failed to parse profile record '${profileName}' from '${sourceLabel}':`, error);
-      return null;
-    }
+  async readProfilesStateMap() {
+    const state = await getAppState();
+    return { ...state.profilesByName ?? {} };
   }
-  async recoverProfileRecord(recordPath, profileName) {
-    const candidates = [`${recordPath}.bak`, `${recordPath}.tmp`];
-    for (const candidate of candidates) {
-      let raw;
-      try {
-        raw = await import_fs.promises.readFile(candidate, "utf8");
-      } catch (error) {
-        if (!this.isNotFoundError(error)) {
-          logWarn(`Failed to read backup for '${profileName}' from '${candidate}':`, error);
-        }
-        continue;
-      }
-      const decoded = this.decodeProfileRecord(profileName, raw, candidate);
-      if (!decoded) {
-        continue;
-      }
-      try {
-        await this.writeProfileRecord(decoded);
-      } catch (error) {
-        logWarn(`Failed to restore profile '${profileName}' from '${candidate}':`, error);
-      }
-      return decoded;
-    }
-    return null;
+  async writeProfilesStateMap(nextMap) {
+    await updateAppState((state) => ({
+      ...state,
+      profilesByName: nextMap
+    }), { mode: "replace" });
   }
   async readProfileRecord(profileName) {
-    const recordPath = this.getProfileRecordPath(profileName);
-    try {
-      const raw = await import_fs.promises.readFile(recordPath, "utf8");
-      const decoded = this.decodeProfileRecord(profileName, raw, recordPath);
-      if (decoded) {
-        return decoded;
-      }
-    } catch (error) {
-      if (!this.isNotFoundError(error)) {
-        logWarn(`Failed to read profile record '${profileName}':`, error);
-      }
+    const map = await this.readProfilesStateMap();
+    const raw = map[profileName];
+    if (!raw) {
+      return null;
     }
-    return this.recoverProfileRecord(recordPath, profileName);
+    return this.fromStateRecord(profileName, raw);
   }
   async listProfileRecords() {
+    const map = await this.readProfilesStateMap();
     const records = [];
-    let entries = [];
-    try {
-      entries = await import_fs.promises.readdir(this.profileHomesRoot);
-    } catch (error) {
-      if (!this.isNotFoundError(error)) {
-        logWarn("Failed to list profile homes:", error);
-      }
-      return records;
-    }
-    for (const entry of entries) {
-      const homePath = (0, import_path2.join)(this.profileHomesRoot, entry);
-      try {
-        const stat = await import_fs.promises.stat(homePath);
-        if (!stat.isDirectory()) {
-          continue;
-        }
-      } catch (error) {
-        if (!this.isNotFoundError(error)) {
-          logWarn(`Failed to inspect profile home '${entry}':`, error);
-        }
-        continue;
-      }
-      try {
-        const normalizedName = this.normalizeProfileName(entry);
-        const record = await this.readProfileRecord(normalizedName);
-        if (record) {
-          records.push(record);
-          continue;
-        }
-        const authPath = (0, import_path2.join)(homePath, "auth.json");
-        try {
-          const authRaw = await import_fs.promises.readFile(authPath, "utf8");
-          const authData = JSON.parse(authRaw);
-          const normalized = this.normalizeProfileData(authData);
-          const metadata = this.extractProfileMetadata(normalized);
-          await this.persistProfileRecord(normalizedName, normalized, metadata);
-          const restored = await this.readProfileRecord(normalizedName);
-          if (restored) {
-            records.push(restored);
-          }
-        } catch (error) {
-          if (!this.isNotFoundError(error)) {
-            logWarn(`Failed to restore profile record for '${normalizedName}' from auth.json:`, error);
-          }
-        }
-      } catch (error) {
-        logWarn(`Skipping invalid profile home '${entry}':`, error);
+    for (const [profileName, raw] of Object.entries(map)) {
+      const record = this.fromStateRecord(profileName, raw);
+      if (record) {
+        records.push(record);
       }
     }
     return records;
   }
-  async snapshotExistingProfileRecord(recordPath) {
-    try {
-      const existing = await import_fs.promises.readFile(recordPath, "utf8");
-      if (existing && existing.trim()) {
-        await this.writeAtomic(`${recordPath}.bak`, existing);
-      }
-    } catch (error) {
-      if (!this.isNotFoundError(error)) {
-        logWarn(`Failed to snapshot existing profile record '${recordPath}':`, error);
-      }
-    }
-  }
   async writeProfileRecord(record) {
-    const recordPath = this.getProfileRecordPath(record.name);
-    const payload = {
-      name: record.name,
-      display_name: record.displayName,
-      data: record.data,
-      metadata: record.metadata,
-      account_id: record.accountId,
-      workspace_id: record.workspaceId,
-      workspace_name: record.workspaceName,
-      email: record.email,
-      auth_method: record.authMethod,
-      created_at: record.createdAt,
-      updated_at: record.updatedAt
-    };
-    const serialized = `${JSON.stringify(payload, null, 2)}
-`;
-    await this.snapshotExistingProfileRecord(recordPath);
-    await this.writeAtomic(recordPath, serialized);
-    try {
-      await this.writeAtomic(`${recordPath}.bak`, serialized);
-    } catch (error) {
-      logWarn(`Failed to persist profile backup for '${record.name}':`, error);
+    const map = await this.readProfilesStateMap();
+    map[record.name] = this.toStateRecord(record);
+    await this.writeProfilesStateMap(map);
+  }
+  async deleteProfileRecord(name) {
+    const map = await this.readProfilesStateMap();
+    if (!Object.prototype.hasOwnProperty.call(map, name)) {
+      return;
     }
+    delete map[name];
+    await this.writeProfilesStateMap(map);
   }
   resolveAuthMethod(data) {
     const raw = typeof data?.auth_method === "string" ? data.auth_method.trim().toLowerCase() : "";
@@ -1629,6 +1032,7 @@ var ProfileManager = class {
    * Initialize the profile manager and create necessary directories
    */
   async initialize() {
+    this.profileHomesRoot = (0, import_path2.join)(getUserDataDir(), "profile-homes");
     try {
       await import_fs.promises.mkdir(this.codexDir, { recursive: true });
     } catch (error) {
@@ -1642,189 +1046,6 @@ var ProfileManager = class {
       throw new Error("Failed to initialize profile manager");
     }
     await this.recoverActiveAuthBackup();
-    const migrationsComplete = await this.hasCompletedMigrations();
-    if (!migrationsComplete) {
-      await this.migrateLegacyProfiles();
-      await this.migrateProfilesFromDatabase();
-      await this.removeLegacyArtifacts();
-      await this.markMigrationsComplete();
-    }
-  }
-  /**
-   * Remove deprecated files that previously tracked the current profile.
-   * These are now redundant since we infer the active profile from auth.json.
-   */
-  async removeLegacyArtifacts() {
-    const legacyTargets = [
-      (0, import_path2.join)(this.codexDir, "current-profile.json"),
-      (0, import_path2.join)(this.profilesDir, ".current"),
-      `${this.activeAuth}.backup`,
-      (0, import_path2.join)(this.codexDir, "cache", "rate-limits")
-    ];
-    for (const target of legacyTargets) {
-      try {
-        await import_fs.promises.rm(target, { recursive: true, force: true });
-      } catch (error) {
-        if (!this.isNotFoundError(error)) {
-          logWarn(`Failed to remove legacy artifact '${target}':`, error);
-        }
-      }
-    }
-    try {
-      await import_fs.promises.rm(this.profilesDir, { recursive: true, force: true });
-    } catch (error) {
-      if (!this.isNotFoundError(error)) {
-        logWarn(`Failed to remove legacy profiles directory '${this.profilesDir}':`, error);
-      }
-    }
-  }
-  async hasCompletedMigrations() {
-    try {
-      await import_fs.promises.access(this.profileMigrationMarker);
-      return true;
-    } catch (error) {
-      if (!this.isNotFoundError(error)) {
-        logWarn("Failed to read profile migration marker:", error);
-      }
-      return false;
-    }
-  }
-  async markMigrationsComplete() {
-    try {
-      await import_fs.promises.mkdir(this.migrationsDir, { recursive: true });
-      await import_fs.promises.writeFile(this.profileMigrationMarker, "ok");
-    } catch (error) {
-      logWarn("Failed to persist profile migration marker:", error);
-    }
-  }
-  async migrateLegacyProfiles() {
-    let files;
-    try {
-      files = await import_fs.promises.readdir(this.profilesDir);
-    } catch (error) {
-      if (!this.isNotFoundError(error)) {
-        logWarn("Failed to inspect legacy profiles directory:", error);
-      }
-      return;
-    }
-    if (files.length === 0) {
-      return;
-    }
-    const accountCandidates = /* @__PURE__ */ new Map();
-    const orphanCandidates = [];
-    const insertedNames = /* @__PURE__ */ new Set();
-    for (const file of files) {
-      if (!file.endsWith(".json")) {
-        continue;
-      }
-      const name = file.replace(/\.json$/, "");
-      const filePath = (0, import_path2.join)(this.profilesDir, file);
-      try {
-        const raw = await import_fs.promises.readFile(filePath, "utf8");
-        const data = JSON.parse(raw);
-        const normalizedName = this.normalizeProfileName(name);
-        const metadata = this.extractProfileMetadata(data);
-        const resolvedEmail = this.resolveProfileEmail(data, metadata);
-        if (resolvedEmail) {
-          data.email = resolvedEmail;
-        }
-        const accountId = this.getAccountIdFromData(data);
-        const candidate = {
-          name: normalizedName,
-          data,
-          profile: this.buildProfileFromData(normalizedName, data),
-          accountId
-        };
-        if (accountId) {
-          const existing = accountCandidates.get(accountId);
-          if (existing) {
-            const preferred = this.selectPreferredProfile([existing.profile, candidate.profile]);
-            if (preferred === candidate.profile) {
-              logWarn(
-                `Replacing legacy profile '${existing.name}' with '${normalizedName}' for account '${accountId}'.`
-              );
-              accountCandidates.set(accountId, candidate);
-            } else {
-              logWarn(
-                `Skipping legacy profile '${name}' because account '${accountId}' already exists as '${existing.name}'.`
-              );
-            }
-          } else {
-            accountCandidates.set(accountId, candidate);
-          }
-        } else {
-          orphanCandidates.push(candidate);
-        }
-        await import_fs.promises.rm(filePath, { force: true });
-      } catch (error) {
-        logWarn(`Failed to migrate legacy profile '${name}':`, error);
-      }
-    }
-    const persistQueue = [...accountCandidates.values(), ...orphanCandidates];
-    const existingRecords = await this.listProfileRecords();
-    for (const record of existingRecords) {
-      insertedNames.add(record.name);
-    }
-    for (const candidate of persistQueue) {
-      if (insertedNames.has(candidate.name)) {
-        logWarn(`Skipping legacy profile '${candidate.name}' because it was already imported.`);
-        continue;
-      }
-      try {
-        await this.persistProfileRecord(candidate.name, candidate.data, candidate.profile.metadata);
-        insertedNames.add(candidate.name);
-      } catch (error) {
-        logWarn(`Failed to persist migrated profile '${candidate.name}':`, error);
-      }
-    }
-  }
-  async migrateProfilesFromDatabase() {
-    let rows = [];
-    try {
-      const { getDatabase: getDatabase2 } = await Promise.resolve().then(() => (init_sqlite_db(), sqlite_db_exports));
-      const db = await getDatabase2();
-      rows = db.prepare(
-        "SELECT name, data, account_id, workspace_id, workspace_name, email, auth_method, created_at, updated_at FROM profiles"
-      ).all();
-    } catch (error) {
-      logWarn("Failed to read existing database profiles for migration:", error);
-      return;
-    }
-    if (!rows || rows.length === 0) {
-      return;
-    }
-    const existingNames = new Set((await this.listProfileRecords()).map((record) => record.name));
-    for (const row of rows) {
-      const name = typeof row?.name === "string" ? row.name : null;
-      const serialized = typeof row?.data === "string" ? row.data : null;
-      if (!name || !serialized) {
-        continue;
-      }
-      let data;
-      try {
-        data = JSON.parse(serialized);
-      } catch (error) {
-        logWarn(`Failed to parse database profile '${name}' during migration:`, error);
-        continue;
-      }
-      try {
-        const normalizedName = this.normalizeProfileName(name);
-        if (existingNames.has(normalizedName)) {
-          continue;
-        }
-        data.created_at = data.created_at ?? (typeof row?.created_at === "string" ? row.created_at : void 0);
-        data.email = data.email ?? (typeof row?.email === "string" ? row.email : void 0);
-        data.auth_method = data.auth_method ?? (typeof row?.auth_method === "string" ? row.auth_method : void 0);
-        data.workspace_id = data.workspace_id ?? (typeof row?.workspace_id === "string" ? row.workspace_id : void 0);
-        data.workspace_name = data.workspace_name ?? (typeof row?.workspace_name === "string" ? row.workspace_name : void 0);
-        data.updated_at = data.updated_at ?? (typeof row?.updated_at === "string" ? row.updated_at : void 0);
-        const metadata = this.extractProfileMetadata(data);
-        await this.persistProfileRecord(normalizedName, data, metadata);
-        existingNames.add(normalizedName);
-      } catch (error) {
-        logWarn(`Failed to migrate database profile '${name}':`, error);
-      }
-    }
   }
   enqueueAuthSwap(task) {
     const run = this.authSwapLock.then(task, task);
@@ -2552,6 +1773,7 @@ var ProfileManager = class {
         name: targetName
       };
       await this.writeProfileRecord(updatedRecord);
+      await this.deleteProfileRecord(sourceName);
     } catch (error) {
       logWarn(`Failed to rewrite profile record after renaming '${sourceName}' to '${targetName}':`, error);
     }
@@ -2596,6 +1818,7 @@ var ProfileManager = class {
         logWarn(`Failed to remove profile home for '${profileName}':`, error);
       }
     }
+    await this.deleteProfileRecord(profileName);
     return true;
   }
   /**
@@ -2626,6 +1849,7 @@ var ProfileManager = class {
     for (const name of deleteCandidates) {
       try {
         await import_fs.promises.rm(this.getProfileHomePath(name), { recursive: true, force: true });
+        await this.deleteProfileRecord(name);
         removed.push(name);
       } catch (error) {
         if (!this.isNotFoundError(error)) {
@@ -2719,62 +1943,139 @@ var ProfileManager = class {
     };
   }
   /**
-   * Export all profiles to a portable format.
+   * Export profiles for cloud sync (includes token-bearing auth data).
    */
-  async exportAllProfiles() {
+  async exportProfilesForCloudSync() {
     await this.initialize();
     const records = await this.listProfileRecords();
-    const exportedAt = (/* @__PURE__ */ new Date()).toISOString();
     return records.map((record) => ({
       name: record.name,
       displayName: record.displayName,
-      email: record.email,
+      data: record.data,
+      metadata: record.metadata,
       accountId: record.accountId,
       workspaceId: record.workspaceId,
       workspaceName: record.workspaceName,
+      email: record.email,
       authMethod: record.authMethod,
       createdAt: record.createdAt,
-      metadata: record.metadata,
-      exportedAt
+      updatedAt: record.updatedAt
     }));
   }
-};
-
+  /**
+   * Replace local profiles with a full snapshot from cloud sync.
+   */
+  async replaceProfilesFromCloudSync(records) {
+    await this.initialize();
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const normalized = /* @__PURE__ */ new Map();
+    const existingMap = await this.readProfilesStateMap();
+    const existingNames = new Set(Object.keys(existingMap));
+    for (const candidate of records ?? []) {
+      try {
+        const name = this.normalizeProfileName(candidate?.name ?? "");
+        const data = candidate && typeof candidate.data === "object" && candidate.data !== null ? candidate.data : null;
+        if (!data) {
+          continue;
+        }
+        const metadata = candidate.metadata && typeof candidate.metadata === "object" ? candidate.metadata : void 0;
+        const record = {
+          name,
+          displayName: typeof candidate.displayName === "string" ? candidate.displayName : null,
+          data,
+          metadata,
+          accountId: typeof candidate.accountId === "string" ? candidate.accountId : null,
+          workspaceId: typeof candidate.workspaceId === "string" ? candidate.workspaceId : null,
+          workspaceName: typeof candidate.workspaceName === "string" ? candidate.workspaceName : null,
+          email: typeof candidate.email === "string" ? candidate.email : null,
+          authMethod: typeof candidate.authMethod === "string" ? candidate.authMethod : this.resolveAuthMethod(data),
+          createdAt: typeof candidate.createdAt === "string" ? candidate.createdAt : now,
+          updatedAt: typeof candidate.updatedAt === "string" ? candidate.updatedAt : now
+        };
+        normalized.set(name, record);
+      } catch {
+      }
+    }
+    const nextMap = {};
+    for (const record of normalized.values()) {
+      nextMap[record.name] = this.toStateRecord(record);
+    }
+    await this.writeProfilesStateMap(nextMap);
+    let removed = 0;
+    for (const name of existingNames) {
+      if (normalized.has(name)) {
+        continue;
+      }
+      try {
+        await import_fs.promises.rm(this.getProfileHomePath(name), { recursive: true, force: true });
+        removed += 1;
+      } catch (error) {
+        if (!this.isNotFoundError(error)) {
+          logWarn(`Failed to remove profile '${name}' during cloud sync replace:`, error);
+        }
+      }
+    }
+    const preferred = await this.readPreferredProfileName();
+    if (preferred) {
+      try {
+        const normalizedPreferred = this.normalizeProfileName(preferred);
+        if (!normalized.has(normalizedPreferred)) {
+          await this.persistPreferredProfileName(null);
+        }
+      } catch {
+        await this.persistPreferredProfileName(null);
+      }
+    }
+    return {
+      imported: normalized.size,
+      removed
+    };
+  }
+};
+
 // ../../lib/license-service.ts
 var import_node_crypto2 = __toESM(require("crypto"));
 
 // ../../lib/license-secret.ts
-var import_node_fs3 = require("fs");
-var import_node_path3 = __toESM(require("path"));
+var import_node_fs2 = require("fs");
+var import_node_path2 = __toESM(require("path"));
 var import_node_crypto = __toESM(require("crypto"));
 var SECRET_FILE = "license.secret";
-function resolveCodexDir2() {
-  const homeDir = process.env.HOME || process.env.USERPROFILE || "";
-  return homeDir ? import_node_path3.default.join(homeDir, ".codex") : ".codex";
-}
 function resolveSecretPath() {
-  return import_node_path3.default.join(resolveCodexDir2(), SECRET_FILE);
+  return import_node_path2.default.join(getUserDataDir(), SECRET_FILE);
 }
 async function generateSecret() {
   return import_node_crypto.default.randomBytes(32).toString("hex");
 }
-async function getLicenseSecret() {
-  const secretPath = resolveSecretPath();
+async function readSecretIfExists(secretPath) {
   try {
-    const existing = await import_node_fs3.promises.readFile(secretPath, "utf8");
+    const existing = await import_node_fs2.promises.readFile(secretPath, "utf8");
     const trimmed = existing.trim();
     if (trimmed.length > 0) {
       return trimmed;
     }
-  } catch {
-  }
-  const secret = await generateSecret();
-  try {
-    await import_node_fs3.promises.mkdir(import_node_path3.default.dirname(secretPath), { recursive: true });
-  } catch {
+    return null;
+  } catch (error) {
+    if (error.code === "ENOENT") {
+      return null;
+    }
+    throw error;
   }
-  await import_node_fs3.promises.writeFile(secretPath, `${secret}
+}
+async function writeSecret(secretPath, secret) {
+  await import_node_fs2.promises.mkdir(import_node_path2.default.dirname(secretPath), { recursive: true });
+  await import_node_fs2.promises.writeFile(secretPath, `${secret}
 `, { mode: 384 });
+  await import_node_fs2.promises.chmod(secretPath, 384).catch(() => void 0);
+}
+async function getLicenseSecret() {
+  const secretPath = resolveSecretPath();
+  const existing = await readSecretIfExists(secretPath);
+  if (existing) {
+    return existing;
+  }
+  const secret = await generateSecret();
+  await writeSecret(secretPath, secret);
   return secret;
 }
 
@@ -3062,63 +2363,1427 @@ var LicenseService = class {
         return fallback;
       }
     };
-    this.verificationPromise = verify();
+    this.verificationPromise = verify();
+    try {
+      return await this.verificationPromise;
+    } finally {
+      this.verificationPromise = null;
+    }
+  }
+  async activate(licenseKey) {
+    const trimmed = licenseKey.trim();
+    if (!trimmed) {
+      throw new Error("License key is required.");
+    }
+    const secret = await getLicenseSecret();
+    const digest = import_node_crypto2.default.createHash("sha256").update(trimmed).digest("hex");
+    const result = await requestGumroadVerify(trimmed, "activation");
+    ensureWithinUseLimit(result);
+    const normalized = normalizeVerificationResult(result);
+    const stored = {
+      licenseKey: trimmed,
+      purchaseEmail: normalized.email,
+      lastVerifiedAt: nowIso(),
+      nextCheckAt: new Date(Date.now() + LICENSE_REFRESH_INTERVAL_MS).toISOString(),
+      status: "active",
+      lastVerificationError: null
+    };
+    const signed = withSignature(stored, secret);
+    await persistLicense(signed);
+    const status = toLicenseStatus(signed, {
+      message: `License verified (${digest.slice(0, 8)}).`
+    });
+    this.cache = status;
+    return status;
+  }
+  applyProfileCount(status, profileCount) {
+    const profilesRemaining = resolveProfilesRemaining(status.profileLimit, profileCount);
+    return {
+      ...status,
+      profilesRemaining
+    };
+  }
+  refreshStatusInBackground(options = {}) {
+    if (this.refreshPromise) {
+      return;
+    }
+    const forceRefresh = Boolean(options.force);
+    this.refreshPromise = (async () => {
+      try {
+        await this.getStatus({ forceRefresh });
+      } catch (error) {
+        console.warn("Background license refresh failed:", error);
+      } finally {
+        this.refreshPromise = null;
+      }
+    })();
+  }
+};
+var licenseService = new LicenseService();
+
+// ../../lib/cloud-sync-service.ts
+var import_node_fs4 = require("fs");
+var import_node_path6 = __toESM(require("path"));
+
+// ../../lib/cloud-sync-types.ts
+var CLOUD_SYNC_SCHEMA_VERSION = 1;
+
+// ../../lib/type-guards.ts
+function isRecord3(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function toIsoOrNull(value) {
+  if (typeof value !== "string") {
+    return null;
+  }
+  const parsed = Date.parse(value);
+  return Number.isNaN(parsed) ? null : new Date(parsed).toISOString();
+}
+
+// ../../lib/cloud-sync-client.ts
+var DEFAULT_CLOUD_SYNC_API_BASE_URL = "https://api.codexuse.com";
+var CLOUD_SYNC_TIMEOUT_MS = 15e3;
+var CloudSyncClientError = class extends Error {
+  constructor(message, status = null) {
+    super(message);
+    this.name = "CloudSyncClientError";
+    this.status = status;
+  }
+};
+function normalizeBaseUrl(value) {
+  const trimmed = value.trim();
+  return trimmed.endsWith("/") ? trimmed.slice(0, -1) : trimmed;
+}
+function getCloudSyncApiBaseUrl() {
+  const fromEnv = typeof process.env.CODEXUSE_API_BASE_URL === "string" ? process.env.CODEXUSE_API_BASE_URL : "";
+  if (fromEnv.trim().length === 0) {
+    return DEFAULT_CLOUD_SYNC_API_BASE_URL;
+  }
+  return normalizeBaseUrl(fromEnv);
+}
+function buildSyncUrl(pathname) {
+  const baseUrl = getCloudSyncApiBaseUrl();
+  const normalizedPath = pathname.startsWith("/") ? pathname : `/${pathname}`;
+  return `${baseUrl}${normalizedPath}`;
+}
+function normalizeSnapshot(value) {
+  if (!isRecord3(value)) {
+    return null;
+  }
+  if (isRecord3(value.snapshot)) {
+    const nested = normalizeSnapshot(value.snapshot);
+    if (nested) {
+      return nested;
+    }
+  }
+  const updatedAt = toIsoOrNull(value.updatedAt);
+  if (!updatedAt) {
+    return null;
+  }
+  const schemaVersion = Number(value.schemaVersion);
+  if (!Number.isFinite(schemaVersion) || schemaVersion !== CLOUD_SYNC_SCHEMA_VERSION) {
+    return null;
+  }
+  const rawProfiles = Array.isArray(value.profiles) ? value.profiles : [];
+  const profiles = rawProfiles.map((entry) => isRecord3(entry) ? entry : null).filter((entry) => Boolean(entry)).map((entry) => {
+    const data = isRecord3(entry.data) ? entry.data : {};
+    const metadata = isRecord3(entry.metadata) ? entry.metadata : void 0;
+    return {
+      name: typeof entry.name === "string" ? entry.name : "",
+      displayName: typeof entry.displayName === "string" ? entry.displayName : null,
+      data,
+      metadata,
+      accountId: typeof entry.accountId === "string" ? entry.accountId : null,
+      workspaceId: typeof entry.workspaceId === "string" ? entry.workspaceId : null,
+      workspaceName: typeof entry.workspaceName === "string" ? entry.workspaceName : null,
+      email: typeof entry.email === "string" ? entry.email : null,
+      authMethod: typeof entry.authMethod === "string" ? entry.authMethod : null,
+      createdAt: typeof entry.createdAt === "string" ? entry.createdAt : null,
+      updatedAt: typeof entry.updatedAt === "string" ? entry.updatedAt : null
+    };
+  }).filter((entry) => entry.name.trim().length > 0);
+  const rawSettings = value.settingsJson;
+  const settingsJson = isRecord3(rawSettings) ? rawSettings : null;
+  return {
+    schemaVersion: CLOUD_SYNC_SCHEMA_VERSION,
+    updatedAt,
+    profiles,
+    configTomlContent: typeof value.configTomlContent === "string" ? value.configTomlContent : null,
+    settingsJson
+  };
+}
+async function requestJson(method, pathname, licenseKey, body, rawBody) {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), CLOUD_SYNC_TIMEOUT_MS);
+  try {
+    const response = await fetch(buildSyncUrl(pathname), {
+      method,
+      headers: {
+        "Content-Type": "application/json",
+        "x-codexuse-license-key": licenseKey
+      },
+      body: typeof rawBody === "string" ? rawBody : body === void 0 ? void 0 : JSON.stringify(body),
+      signal: controller.signal
+    });
+    if (!response.ok) {
+      const message = await response.text().catch(() => "");
+      throw new CloudSyncClientError(
+        message || `Cloud sync request failed (${response.status}).`,
+        response.status
+      );
+    }
+    return await response.json();
+  } catch (error) {
+    if (error instanceof CloudSyncClientError) {
+      throw error;
+    }
+    if (error instanceof Error && error.name === "AbortError") {
+      throw new CloudSyncClientError("Cloud sync request timed out.");
+    }
+    throw new CloudSyncClientError(
+      error instanceof Error ? error.message : "Cloud sync request failed."
+    );
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+async function fetchRemoteSnapshot(licenseKey) {
+  const response = await requestJson("GET", "/v1/sync/snapshot", licenseKey);
+  return normalizeSnapshot(response.snapshot);
+}
+async function fetchRemoteSnapshotMeta(licenseKey) {
+  const response = await requestJson(
+    "GET",
+    "/v1/sync/snapshot/meta",
+    licenseKey
+  );
+  return toIsoOrNull(response.updatedAt);
+}
+async function pushRemoteSnapshot(licenseKey, snapshot, options) {
+  const serializedSnapshot = typeof options?.serializedSnapshot === "string" ? options.serializedSnapshot : JSON.stringify(snapshot);
+  const response = await requestJson(
+    "PUT",
+    "/v1/sync/snapshot",
+    licenseKey,
+    void 0,
+    `{"snapshot":${serializedSnapshot}}`
+  );
+  const normalized = normalizeSnapshot(response.snapshot);
+  if (!normalized) {
+    throw new CloudSyncClientError("Cloud sync server returned an invalid snapshot payload.");
+  }
+  const status = response.status === "stale" ? "stale" : "applied";
+  return {
+    status,
+    snapshot: normalized
+  };
+}
+
+// ../../lib/codex-config.ts
+var import_promises2 = require("fs/promises");
+var import_node_path5 = __toESM(require("path"));
+var import_toml2 = require("@iarna/toml");
+
+// ../../lib/codex-config-metadata.ts
+var import_node_child_process = require("child_process");
+var import_promises = require("fs/promises");
+var import_node_path4 = __toESM(require("path"));
+
+// ../../lib/codex-cli.ts
+var import_node_fs3 = require("fs");
+var import_node_path3 = __toESM(require("path"));
+var cachedStatus = null;
+var cachedChannel = null;
+function fileExists(candidate) {
+  if (!candidate) {
+    return null;
+  }
+  const normalized = import_node_path3.default.resolve(candidate);
+  try {
+    const stats = (0, import_node_fs3.statSync)(normalized);
+    if (stats.isFile()) {
+      return normalized;
+    }
+  } catch {
+  }
+  return null;
+}
+function resolveBundledCodexBinary(channel) {
+  const candidates = [];
+  const processWithResources = process;
+  const resourcesPath = processWithResources.resourcesPath;
+  const packageSegments = channel === "alpha" ? ["@openai", "codex-alpha"] : ["@openai", "codex"];
+  if (resourcesPath) {
+    candidates.push(
+      import_node_path3.default.join(resourcesPath, "app.asar.unpacked", "node_modules", ...packageSegments, "bin", "codex.js")
+    );
+    candidates.push(
+      import_node_path3.default.join(resourcesPath, "app.asar.unpacked", "node_modules", ...packageSegments, "bin", "codex")
+    );
+  }
+  const projectRoot = process.cwd();
+  candidates.push(import_node_path3.default.join(projectRoot, "node_modules", ...packageSegments, "bin", "codex.js"));
+  candidates.push(import_node_path3.default.join(projectRoot, "node_modules", ...packageSegments, "bin", "codex"));
+  for (const candidate of candidates) {
+    const resolved = fileExists(candidate);
+    if (resolved) {
+      return resolved;
+    }
+  }
+  return null;
+}
+function resolveBundledCodexBinaryWithFallback(requestedChannel) {
+  const direct = resolveBundledCodexBinary(requestedChannel);
+  if (direct) {
+    return { path: direct, resolvedChannel: requestedChannel, fallbackUsed: false };
+  }
+  if (requestedChannel === "alpha") {
+    const stable = resolveBundledCodexBinary("stable");
+    if (stable) {
+      return { path: stable, resolvedChannel: "stable", fallbackUsed: true };
+    }
+  }
+  return { path: null, resolvedChannel: null, fallbackUsed: false };
+}
+function buildUnavailableStatus(channel) {
+  const channelLabel = channel === "alpha" ? "alpha " : "";
+  const channelSuffix = channel === "alpha" ? " Switch to Stable in Settings or reinstall CodexUse to restore the CLI." : " Reinstall CodexUse to restore the CLI.";
+  return {
+    available: false,
+    path: null,
+    reason: `Bundled ${channelLabel}Codex CLI is missing.${channelSuffix}`,
+    source: null,
+    channel,
+    requestedChannel: channel,
+    fallbackUsed: false
+  };
+}
+function evaluateCodexCliStatus(requestedChannel) {
+  const resolved = resolveBundledCodexBinaryWithFallback(requestedChannel);
+  if (resolved.path && resolved.resolvedChannel) {
+    return {
+      available: true,
+      path: resolved.path,
+      reason: null,
+      source: "bundled",
+      channel: resolved.resolvedChannel,
+      requestedChannel,
+      fallbackUsed: resolved.fallbackUsed
+    };
+  }
+  return buildUnavailableStatus(requestedChannel);
+}
+async function refreshCodexStatus() {
+  const channel = await getCodexCliChannel();
+  cachedChannel = channel;
+  cachedStatus = evaluateCodexCliStatus(channel);
+  return { ...cachedStatus };
+}
+var CodexCliMissingError = class extends Error {
+  constructor(status, message) {
+    super(message ?? status.reason ?? "Codex CLI is not available");
+    Object.setPrototypeOf(this, new.target.prototype);
+    this.name = "CodexCliMissingError";
+    this.status = { ...status };
+  }
+};
+async function requireCodexCli() {
+  const status = await refreshCodexStatus();
+  if (!status.available || !status.path) {
+    throw new CodexCliMissingError(status);
+  }
+  return status.path;
+}
+
+// ../../lib/codex-config-metadata.ts
+var CONFIG_SCHEMA_URL = "https://raw.githubusercontent.com/openai/codex/main/codex-rs/core/config.schema.json";
+var METADATA_CACHE_TTL_MS = 6e4;
+var FALLBACK_SCHEMA_TOP_LEVEL_KEYS = [
+  "agents",
+  "analytics",
+  "approval_policy",
+  "apps",
+  "chatgpt_base_url",
+  "check_for_update_on_startup",
+  "cli_auth_credentials_store",
+  "compact_prompt",
+  "developer_instructions",
+  "disable_paste_burst",
+  "experimental_compact_prompt_file",
+  "experimental_use_freeform_apply_patch",
+  "experimental_use_unified_exec_tool",
+  "features",
+  "feedback",
+  "file_opener",
+  "forced_chatgpt_workspace_id",
+  "forced_login_method",
+  "ghost_snapshot",
+  "hide_agent_reasoning",
+  "history",
+  "instructions",
+  "log_dir",
+  "mcp_oauth_callback_port",
+  "mcp_oauth_credentials_store",
+  "mcp_servers",
+  "model",
+  "model_auto_compact_token_limit",
+  "model_context_window",
+  "model_instructions_file",
+  "model_provider",
+  "model_providers",
+  "model_reasoning_effort",
+  "model_reasoning_summary",
+  "model_supports_reasoning_summaries",
+  "model_verbosity",
+  "notice",
+  "notify",
+  "oss_provider",
+  "otel",
+  "personality",
+  "profile",
+  "profiles",
+  "project_doc_fallback_filenames",
+  "project_doc_max_bytes",
+  "project_root_markers",
+  "projects",
+  "review_model",
+  "sandbox_mode",
+  "sandbox_workspace_write",
+  "shell_environment_policy",
+  "show_raw_agent_reasoning",
+  "skills",
+  "suppress_unstable_features_warning",
+  "tool_output_token_limit",
+  "tools",
+  "tui",
+  "web_search",
+  "windows_wsl_setup_acknowledged"
+];
+var FALLBACK_FEATURE_KEYS = [
+  "apply_patch_freeform",
+  "apps",
+  "child_agents_md",
+  "collab",
+  "collaboration_modes",
+  "connectors",
+  "elevated_windows_sandbox",
+  "enable_experimental_windows_sandbox",
+  "enable_request_compression",
+  "experimental_use_freeform_apply_patch",
+  "experimental_use_unified_exec_tool",
+  "experimental_windows_sandbox",
+  "include_apply_patch_tool",
+  "memory_tool",
+  "personality",
+  "powershell_utf8",
+  "remote_models",
+  "request_rule",
+  "responses_websockets",
+  "responses_websockets_v2",
+  "runtime_metrics",
+  "search_tool",
+  "shell_snapshot",
+  "shell_tool",
+  "skill_env_var_dependency_prompt",
+  "skill_mcp_dependency_install",
+  "sqlite",
+  "steer",
+  "undo",
+  "unified_exec",
+  "use_linux_sandbox_bwrap",
+  "web_search",
+  "web_search_cached",
+  "web_search_request"
+];
+var metadataCache = null;
+var metadataCacheAt = 0;
+function isRecord4(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function uniqueSorted(values) {
+  return Array.from(new Set(values)).sort((a, b) => a.localeCompare(b));
+}
+async function runCommand(command, args, timeoutMs = 3e3) {
+  return new Promise((resolve, reject) => {
+    const child = (0, import_node_child_process.spawn)(command, args, {
+      stdio: ["ignore", "pipe", "pipe"],
+      env: process.env
+    });
+    let stdout = "";
+    let stderr = "";
+    child.stdout?.on("data", (chunk) => {
+      stdout += chunk.toString();
+    });
+    child.stderr?.on("data", (chunk) => {
+      stderr += chunk.toString();
+    });
+    const timeout = setTimeout(() => {
+      child.kill();
+      reject(new Error(`Command timed out: ${command} ${args.join(" ")}`));
+    }, timeoutMs);
+    child.on("error", (error) => {
+      clearTimeout(timeout);
+      reject(error);
+    });
+    child.on("close", (code) => {
+      clearTimeout(timeout);
+      if (code !== 0 && !stdout.trim() && stderr.trim()) {
+        resolve({ stdout: stderr, exitCode: code });
+        return;
+      }
+      resolve({ stdout, exitCode: code });
+    });
+  });
+}
+async function runCodexCommand(args) {
+  const codexPath = await requireCodexCli();
+  const isJsLauncher = codexPath.endsWith(".js");
+  const command = isJsLauncher ? process.execPath : codexPath;
+  const commandArgs = isJsLauncher ? [codexPath, ...args] : args;
+  return runCommand(command, commandArgs);
+}
+function parseFeatureCatalog(output) {
+  const entries = [];
+  const lines = output.split(/\r?\n/).map((line) => line.trim()).filter(Boolean);
+  for (const line of lines) {
+    const match = line.match(/^(\S+)\s+(stable|experimental|deprecated|under development)\s+(true|false)$/i);
+    if (!match) {
+      continue;
+    }
+    const [, key, stageRaw, enabledRaw] = match;
+    const stage = stageRaw.toLowerCase();
+    entries.push({
+      key,
+      stage,
+      enabled: enabledRaw === "true"
+    });
+  }
+  return entries.sort((a, b) => a.key.localeCompare(b.key));
+}
+function parseSchemaKeys(schemaRaw) {
+  const parsed = JSON.parse(schemaRaw);
+  if (!isRecord4(parsed)) {
+    return {
+      topLevelKeys: FALLBACK_SCHEMA_TOP_LEVEL_KEYS,
+      featureKeys: FALLBACK_FEATURE_KEYS
+    };
+  }
+  const properties = isRecord4(parsed.properties) ? parsed.properties : {};
+  const topLevelKeys = uniqueSorted(Object.keys(properties));
+  const features = isRecord4(properties.features) ? properties.features : {};
+  const featureProperties = isRecord4(features.properties) ? features.properties : {};
+  const featureKeys = uniqueSorted(Object.keys(featureProperties));
+  return {
+    topLevelKeys: topLevelKeys.length > 0 ? topLevelKeys : FALLBACK_SCHEMA_TOP_LEVEL_KEYS,
+    featureKeys: featureKeys.length > 0 ? featureKeys : FALLBACK_FEATURE_KEYS
+  };
+}
+async function readSchemaFromLocal() {
+  const candidates = [
+    process.env.CODEX_CONFIG_SCHEMA_PATH,
+    import_node_path4.default.join(process.cwd(), "codex-rs", "core", "config.schema.json"),
+    import_node_path4.default.join(process.cwd(), "node_modules", "@openai", "codex", "codex-rs", "core", "config.schema.json"),
+    import_node_path4.default.join(process.cwd(), "node_modules", "@openai", "codex-alpha", "codex-rs", "core", "config.schema.json")
+  ].filter((candidate) => Boolean(candidate));
+  for (const candidate of candidates) {
+    try {
+      return await (0, import_promises.readFile)(candidate, "utf8");
+    } catch {
+    }
+  }
+  return null;
+}
+async function readSchemaFromRemote() {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), 2500);
+  try {
+    const response = await fetch(CONFIG_SCHEMA_URL, {
+      signal: controller.signal,
+      headers: {
+        "User-Agent": "codexuse-desktop"
+      }
+    });
+    if (!response.ok) {
+      return null;
+    }
+    return await response.text();
+  } catch {
+    return null;
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+async function readSchemaKeys() {
+  const local = await readSchemaFromLocal();
+  if (local) {
+    try {
+      return parseSchemaKeys(local);
+    } catch {
+    }
+  }
+  const remote = await readSchemaFromRemote();
+  if (remote) {
+    try {
+      return parseSchemaKeys(remote);
+    } catch {
+    }
+  }
+  return {
+    topLevelKeys: FALLBACK_SCHEMA_TOP_LEVEL_KEYS,
+    featureKeys: FALLBACK_FEATURE_KEYS
+  };
+}
+async function readCodexVersion() {
+  try {
+    const { stdout } = await runCodexCommand(["--version"]);
+    const value = stdout.trim();
+    return value.length > 0 ? value : null;
+  } catch {
+    return null;
+  }
+}
+async function readFeatureCatalog() {
+  try {
+    const { stdout } = await runCodexCommand(["features", "list"]);
+    return parseFeatureCatalog(stdout);
+  } catch {
+    return [];
+  }
+}
+async function getCodexConfigMetadata(forceRefresh = false) {
+  const now = Date.now();
+  if (!forceRefresh && metadataCache && now - metadataCacheAt < METADATA_CACHE_TTL_MS) {
+    return metadataCache;
+  }
+  const [schemaKeys, featureCatalog, codexVersion] = await Promise.all([
+    readSchemaKeys(),
+    readFeatureCatalog(),
+    readCodexVersion()
+  ]);
+  const catalogMap = /* @__PURE__ */ new Map();
+  for (const entry of featureCatalog) {
+    catalogMap.set(entry.key, entry);
+  }
+  for (const featureKey of schemaKeys.featureKeys) {
+    if (!catalogMap.has(featureKey)) {
+      catalogMap.set(featureKey, {
+        key: featureKey,
+        stage: "unknown",
+        enabled: null
+      });
+    }
+  }
+  const mergedFeatureCatalog = Array.from(catalogMap.values()).sort((a, b) => a.key.localeCompare(b.key));
+  const metadata = {
+    schemaTopLevelKeys: uniqueSorted(schemaKeys.topLevelKeys),
+    schemaFeatureKeys: uniqueSorted(schemaKeys.featureKeys),
+    featureCatalog: mergedFeatureCatalog,
+    codexVersion,
+    fetchedAt: now
+  };
+  metadataCache = metadata;
+  metadataCacheAt = now;
+  return metadata;
+}
+
+// ../../lib/errors.ts
+var ANSI_PATTERN = /\u001B\[[0-9;]*m/g;
+function stripAnsi(value) {
+  return value.replace(ANSI_PATTERN, "");
+}
+function normalizeWhitespace(value) {
+  return value.replace(/\s+/g, " ").trim();
+}
+function formatUserFacingError(error, options = {}) {
+  const fallback = options.fallback ?? "Something went wrong. Please try again.";
+  if (error === null || typeof error === "undefined") {
+    return fallback;
+  }
+  const rawMessage = typeof error === "string" ? error : error instanceof Error ? error.message : String(error);
+  let cleaned = normalizeWhitespace(stripAnsi(rawMessage));
+  if (!cleaned) {
+    return fallback;
+  }
+  if (cleaned.startsWith("Error invoking remote method")) {
+    cleaned = cleaned.replace(/^Error invoking remote method '[^']+': Error: /, "");
+  }
+  const lower = cleaned.toLowerCase();
+  if (options.notFoundFallback && (lower.includes("enoent") || lower.includes("not found"))) {
+    return options.notFoundFallback;
+  }
+  if (lower.includes("rate limit") || lower.includes("quota exceeded") || lower.includes("too many requests") || lower.includes("429")) {
+    cleaned = "Rate limit exceeded. Please wait a moment or upgrade your plan.";
+  } else if (lower.includes("timeout") || lower.includes("timed out")) {
+    cleaned = "Request timed out. Check your connection and try again.";
+  } else if (lower.includes("network") || lower.includes("econn") || lower.includes("networkerror") || lower.includes("connection")) {
+    cleaned = "Network issue. Check your connection and retry.";
+  } else if (lower.includes("permission") || lower.includes("eacces")) {
+    cleaned = "Permission denied. Restart CodexUse and retry.";
+  } else if (lower.includes("openai codex") && lower.includes("workdir:")) {
+    if (lower.includes("error:")) {
+      const parts = cleaned.split(/error:/i);
+      if (parts.length > 1) {
+        cleaned = parts[parts.length - 1].trim();
+      }
+    } else {
+      cleaned = "Codex CLI failed to respond. Please try again.";
+    }
+  }
+  const maxLength = typeof options.maxLength === "number" ? options.maxLength : 220;
+  if (cleaned.length > maxLength) {
+    cleaned = `${cleaned.slice(0, maxLength).trimEnd()}\u2026`;
+  }
+  return cleaned;
+}
+
+// ../../lib/codex-config.ts
+var DEFAULT_CONFIG_TEMPLATE = [
+  "# ~/.codex/config.toml (managed by CodexUse)",
+  "# Safe defaults with prompts and sandboxed access.",
+  "# To enable full access, opt into the YOLO preset from settings.",
+  "",
+  'model = "gpt-5.3-codex"',
+  'review_model = "gpt-5.3-codex"',
+  'model_reasoning_effort = "medium"',
+  'model_reasoning_summary = "auto"',
+  'model_verbosity = "medium"',
+  'approval_policy = "on-request"',
+  'sandbox_mode = "read-only"',
+  'web_search = "cached"',
+  ""
+].join("\n");
+var YOLO_PRESET = {
+  model: "gpt-5.3-codex",
+  reviewModel: "gpt-5.3-codex",
+  modelReasoningEffort: "xhigh",
+  modelReasoningSummary: "detailed",
+  modelVerbosity: "high",
+  approvalPolicy: "never",
+  sandboxMode: "danger-full-access",
+  webSearch: "live",
+  personality: "pragmatic",
+  toolOutputTokenLimit: 25e3,
+  modelAutoCompactTokenLimit: 233e3,
+  features: {
+    unifiedExec: true,
+    shellSnapshot: true
+  },
+  notice: {
+    hideFullAccessWarning: true,
+    hideGpt51MigrationPrompt: true,
+    hideRateLimitModelNudge: true
+  }
+};
+function resolveHomeDir() {
+  const homeDir = process.env.HOME || process.env.USERPROFILE;
+  if (!homeDir) {
+    throw new Error("Unable to determine home directory for Codex config.");
+  }
+  return homeDir;
+}
+function getConfigPath() {
+  const homeDir = resolveHomeDir();
+  return import_node_path5.default.join(homeDir, ".codex", "config.toml");
+}
+async function ensureConfigDirExists(filePath) {
+  const dir = import_node_path5.default.dirname(filePath);
+  await (0, import_promises2.mkdir)(dir, { recursive: true });
+}
+function normalizeLineEndings(content) {
+  return content.replace(/\r\n/g, "\n");
+}
+function ensureTrailingNewline(content) {
+  return content.endsWith("\n") ? content : `${content}
+`;
+}
+function tryParseToml(content) {
+  try {
+    const parsed = (0, import_toml2.parse)(content);
+    return { data: parsed ?? {}, error: null };
+  } catch (error) {
+    const maybe = error;
+    const line = typeof maybe?.line === "number" ? maybe.line : null;
+    const column = typeof maybe?.column === "number" ? maybe.column : typeof maybe?.col === "number" ? maybe.col : null;
+    const location = line !== null ? `line ${line}${column !== null ? `, column ${column}` : ""}` : null;
+    const friendly = formatUserFacingError(error, {
+      fallback: "Invalid config.toml syntax. Fix it and try again.",
+      maxLength: 180
+    });
+    const message = location ? `${friendly} (near ${location}).` : friendly;
+    return { data: null, error: message };
+  }
+}
+function toStringOrNull(value) {
+  if (typeof value !== "string") {
+    return null;
+  }
+  const trimmed = value.trim();
+  return trimmed.length > 0 ? trimmed : null;
+}
+function toBooleanOrNull(value) {
+  if (typeof value === "boolean") {
+    return value;
+  }
+  return null;
+}
+function toNumberOrNull(value) {
+  if (typeof value !== "number") {
+    return null;
+  }
+  return Number.isFinite(value) ? value : null;
+}
+function toStringArray(value) {
+  if (!Array.isArray(value)) {
+    return [];
+  }
+  return value.map((entry) => typeof entry === "string" ? entry.trim() : "").filter((entry) => entry.length > 0);
+}
+function toStringRecord(value) {
+  if (typeof value !== "object" || value === null || Array.isArray(value)) {
+    return {};
+  }
+  const result = {};
+  for (const [key, raw] of Object.entries(value)) {
+    if (typeof raw !== "string") {
+      continue;
+    }
+    const normalizedKey = key.trim();
+    const normalizedValue = raw.trim();
+    if (!normalizedKey || !normalizedValue) {
+      continue;
+    }
+    result[normalizedKey] = normalizedValue;
+  }
+  return result;
+}
+function buildSettingsSummary(data) {
+  const noticeCandidate = data && typeof data["notice"] === "object" && data["notice"] !== null ? data["notice"] : null;
+  const featuresCandidate = data && typeof data["features"] === "object" && data["features"] !== null && !Array.isArray(data["features"]) ? data["features"] : null;
+  const toolsCandidate = data && typeof data["tools"] === "object" && data["tools"] !== null && !Array.isArray(data["tools"]) ? data["tools"] : null;
+  const featureValues = {};
+  if (featuresCandidate) {
+    for (const [key, value] of Object.entries(featuresCandidate)) {
+      featureValues[key] = toBooleanOrNull(value);
+    }
+  }
+  const modelMigrationsRaw = noticeCandidate ? toStringRecord(noticeCandidate["model_migrations"]) : {};
+  return {
+    model: data ? toStringOrNull(data["model"]) : null,
+    reviewModel: data ? toStringOrNull(data["review_model"]) : null,
+    modelReasoningEffort: data ? toStringOrNull(data["model_reasoning_effort"]) : null,
+    modelReasoningSummary: data ? toStringOrNull(data["model_reasoning_summary"]) : null,
+    modelVerbosity: data ? toStringOrNull(data["model_verbosity"]) : null,
+    approvalPolicy: data ? toStringOrNull(data["approval_policy"]) : null,
+    sandboxMode: data ? toStringOrNull(data["sandbox_mode"]) : null,
+    webSearch: data ? toStringOrNull(data["web_search"]) : null,
+    personality: data ? toStringOrNull(data["personality"]) : null,
+    toolOutputTokenLimit: data ? toNumberOrNull(data["tool_output_token_limit"]) : null,
+    modelAutoCompactTokenLimit: data ? toNumberOrNull(data["model_auto_compact_token_limit"]) : null,
+    modelContextWindow: data ? toNumberOrNull(data["model_context_window"]) : null,
+    features: {
+      unifiedExec: featuresCandidate ? toBooleanOrNull(featuresCandidate["unified_exec"]) : null,
+      shellSnapshot: featuresCandidate ? toBooleanOrNull(featuresCandidate["shell_snapshot"]) : null,
+      values: featureValues
+    },
+    tools: {
+      webSearch: toolsCandidate ? toBooleanOrNull(toolsCandidate["web_search"]) : null,
+      viewImage: toolsCandidate ? toBooleanOrNull(toolsCandidate["view_image"]) : null
+    },
+    notice: {
+      hideFullAccessWarning: noticeCandidate ? toBooleanOrNull(noticeCandidate["hide_full_access_warning"]) : null,
+      hideGpt51MigrationPrompt: noticeCandidate ? toBooleanOrNull(noticeCandidate["hide_gpt5_1_migration_prompt"]) : null,
+      hideLegacyGpt51CodexMaxMigrationPrompt: noticeCandidate ? toBooleanOrNull(noticeCandidate["hide_gpt-5.1-codex-max_migration_prompt"]) : null,
+      hideRateLimitModelNudge: noticeCandidate ? toBooleanOrNull(noticeCandidate["hide_rate_limit_model_nudge"]) : null,
+      modelMigrations: Object.keys(modelMigrationsRaw).length > 0 ? modelMigrationsRaw : null
+    }
+  };
+}
+function parseRmcpClientEnabled(data) {
+  const rawFeatures = data && typeof data["features"] === "object" && data["features"] !== null && !Array.isArray(data["features"]) ? data["features"] : null;
+  if (rawFeatures && typeof rawFeatures["rmcp_client"] === "boolean") {
+    return rawFeatures["rmcp_client"];
+  }
+  if (data && typeof data["experimental_use_rmcp_client"] === "boolean") {
+    return data["experimental_use_rmcp_client"];
+  }
+  return false;
+}
+function parseMcpServer(name, rawValue) {
+  if (typeof rawValue !== "object" || rawValue === null || Array.isArray(rawValue)) {
+    return null;
+  }
+  const raw = rawValue;
+  const typeValue = toStringOrNull(raw["type"]);
+  const command = toStringOrNull(raw["command"]);
+  const args = toStringArray(raw["args"]);
+  const env = toStringRecord(raw["env"]);
+  const envVars = toStringArray(raw["env_vars"]);
+  const cwd = toStringOrNull(raw["cwd"]);
+  const url = toStringOrNull(raw["url"]);
+  const bearerTokenEnvVar = toStringOrNull(raw["bearer_token_env_var"]);
+  const httpHeaders = toStringRecord(raw["http_headers"]);
+  const envHttpHeaders = toStringRecord(raw["env_http_headers"]);
+  const startupTimeoutSec = toNumberOrNull(raw["startup_timeout_sec"]);
+  const toolTimeoutSec = toNumberOrNull(raw["tool_timeout_sec"]);
+  const enabledTools = toStringArray(raw["enabled_tools"]);
+  const disabledTools = toStringArray(raw["disabled_tools"]);
+  const enabled = typeof raw["enabled"] === "boolean" ? raw["enabled"] : true;
+  const transport = typeValue === "stdio" || typeValue === "http" || typeValue === "sse" ? typeValue : url ? "http" : "stdio";
+  return {
+    name,
+    transport,
+    enabled,
+    command,
+    args: args.length > 0 ? args : null,
+    cwd,
+    env: Object.keys(env).length > 0 ? env : null,
+    envVars: envVars.length > 0 ? envVars : null,
+    url,
+    bearerTokenEnvVar,
+    httpHeaders: Object.keys(httpHeaders).length > 0 ? httpHeaders : null,
+    envHttpHeaders: Object.keys(envHttpHeaders).length > 0 ? envHttpHeaders : null,
+    startupTimeoutSec,
+    toolTimeoutSec,
+    enabledTools: enabledTools.length > 0 ? enabledTools : null,
+    disabledTools: disabledTools.length > 0 ? disabledTools : null
+  };
+}
+function buildMcpServersList(data) {
+  const rawServers = data?.["mcp_servers"];
+  if (typeof rawServers !== "object" || rawServers === null || Array.isArray(rawServers)) {
+    return [];
+  }
+  const servers = [];
+  for (const [name, rawValue] of Object.entries(rawServers)) {
+    const parsed = parseMcpServer(name, rawValue);
+    if (parsed) {
+      servers.push(parsed);
+    }
+  }
+  return servers;
+}
+function getFeatureStage(metadata, featureKey) {
+  const found = metadata.featureCatalog.find((entry) => entry.key === featureKey);
+  return found?.stage ?? "unknown";
+}
+function looksLikeSecretValue(value) {
+  const normalized = value.trim();
+  if (normalized.length < 12) {
+    return false;
+  }
+  if (/\s/.test(normalized)) {
+    return false;
+  }
+  if (!/^[A-Za-z0-9._:-]+$/.test(normalized)) {
+    return false;
+  }
+  const hasLetters = /[A-Za-z]/.test(normalized);
+  const hasNumbers = /\d/.test(normalized);
+  return hasLetters && hasNumbers;
+}
+function buildConfigDiagnostics(data, summary, mcpServers, metadata) {
+  const diagnostics = [];
+  const featureTable = data && typeof data["features"] === "object" && data["features"] !== null && !Array.isArray(data["features"]) ? data["features"] : null;
+  const knownTopLevelKeys = new Set(metadata.schemaTopLevelKeys);
+  if (data) {
+    for (const key of Object.keys(data)) {
+      if (knownTopLevelKeys.has(key)) {
+        continue;
+      }
+      diagnostics.push({
+        id: `unknown-top-level:${key}`,
+        category: "config",
+        severity: "warning",
+        title: `Unknown config key: ${key}`,
+        message: `This top-level key is not in the known Codex schema and may be ignored by Codex CLI.`,
+        fixId: null,
+        fixLabel: null
+      });
+    }
+  }
+  if (featureTable) {
+    const knownFeatureKeys = new Set(metadata.schemaFeatureKeys);
+    for (const [featureKey] of Object.entries(featureTable)) {
+      if (!knownFeatureKeys.has(featureKey)) {
+        diagnostics.push({
+          id: `unknown-feature:${featureKey}`,
+          category: "feature",
+          severity: "warning",
+          title: `Unknown feature flag: features.${featureKey}`,
+          message: "This feature is not recognized in the current schema. Keeping it is non-destructive, but it may do nothing.",
+          fixId: `remove-feature:${featureKey}`,
+          fixLabel: "Remove flag"
+        });
+        continue;
+      }
+      const stage = getFeatureStage(metadata, featureKey);
+      if (stage === "deprecated") {
+        diagnostics.push({
+          id: `deprecated-feature:${featureKey}`,
+          category: "feature",
+          severity: "warning",
+          title: `Deprecated feature flag: features.${featureKey}`,
+          message: "Codex marks this feature as deprecated. Prefer removing it.",
+          fixId: `remove-feature:${featureKey}`,
+          fixLabel: "Remove deprecated flag"
+        });
+      }
+    }
+  }
+  for (const server of mcpServers) {
+    if (server.transport === "stdio" && server.args) {
+      for (let index = 0; index < server.args.length; index += 1) {
+        const value = server.args[index] ?? "";
+        if (/(api[-_]?key|token|secret)\s*=\s*/i.test(value)) {
+          diagnostics.push({
+            id: `mcp-secret-arg:${server.name}:${index}`,
+            category: "security",
+            severity: "warning",
+            title: `Potential secret in MCP args (${server.name})`,
+            message: "Argument text appears to contain a literal token/API key. Move secrets to environment variables.",
+            fixId: null,
+            fixLabel: null
+          });
+        }
+      }
+    }
+    if (server.httpHeaders) {
+      for (const [header, headerValue] of Object.entries(server.httpHeaders)) {
+        if (!looksLikeSecretValue(headerValue)) {
+          continue;
+        }
+        diagnostics.push({
+          id: `mcp-secret-header:${server.name}:${header}`,
+          category: "security",
+          severity: "warning",
+          title: `Potential secret in MCP header (${server.name})`,
+          message: `HTTP header '${header}' appears to contain a literal secret. Prefer env_http_headers or bearer_token_env_var.`,
+          fixId: null,
+          fixLabel: null
+        });
+      }
+    }
+  }
+  if (summary.approvalPolicy === "never" && summary.sandboxMode === "danger-full-access") {
+    diagnostics.push({
+      id: "risk:yolo-combo",
+      category: "risk",
+      severity: "risk",
+      title: "High-risk execution mode enabled",
+      message: "approval_policy=never + sandbox_mode=danger-full-access removes approval and sandbox guardrails.",
+      fixId: null,
+      fixLabel: null
+    });
+  }
+  return diagnostics;
+}
+function isYoloApplied(summary) {
+  return summary.model === YOLO_PRESET.model && summary.reviewModel === YOLO_PRESET.reviewModel && summary.modelReasoningEffort === YOLO_PRESET.modelReasoningEffort && summary.modelReasoningSummary === YOLO_PRESET.modelReasoningSummary && summary.modelVerbosity === YOLO_PRESET.modelVerbosity && summary.approvalPolicy === YOLO_PRESET.approvalPolicy && summary.sandboxMode === YOLO_PRESET.sandboxMode && summary.webSearch === YOLO_PRESET.webSearch && summary.personality === YOLO_PRESET.personality && summary.toolOutputTokenLimit === YOLO_PRESET.toolOutputTokenLimit && summary.modelAutoCompactTokenLimit === YOLO_PRESET.modelAutoCompactTokenLimit && summary.features.unifiedExec === true && summary.features.shellSnapshot === true && summary.notice.hideFullAccessWarning === true && summary.notice.hideGpt51MigrationPrompt === true && summary.notice.hideRateLimitModelNudge === true;
+}
+async function readConfigContent() {
+  const configPath = getConfigPath();
+  try {
+    const content = await (0, import_promises2.readFile)(configPath, "utf8");
+    return {
+      exists: true,
+      content: normalizeLineEndings(content)
+    };
+  } catch (error) {
+    const nodeError = error;
+    if (nodeError.code === "ENOENT") {
+      return {
+        exists: false,
+        content: DEFAULT_CONFIG_TEMPLATE
+      };
+    }
+    throw error;
+  }
+}
+async function writeConfigContent(content) {
+  const configPath = getConfigPath();
+  await ensureConfigDirExists(configPath);
+  const normalized = ensureTrailingNewline(normalizeLineEndings(content));
+  await (0, import_promises2.writeFile)(configPath, normalized, "utf8");
+}
+async function getUpdatedAt(configPath, exists) {
+  if (!exists) {
+    return null;
+  }
+  try {
+    const stats = await (0, import_promises2.stat)(configPath);
+    return stats.mtimeMs;
+  } catch (error) {
+    const nodeError = error;
+    if (nodeError.code === "ENOENT") {
+      return null;
+    }
+    throw error;
+  }
+}
+async function buildSnapshot(content, exists) {
+  const configPath = getConfigPath();
+  const parsed = tryParseToml(content);
+  const summary = buildSettingsSummary(parsed.data);
+  const updatedAt = await getUpdatedAt(configPath, exists);
+  const mcpServers = buildMcpServersList(parsed.data);
+  const rmcpClientEnabled = parseRmcpClientEnabled(parsed.data);
+  const metadata = await getCodexConfigMetadata();
+  const diagnostics = parsed.error ? [] : buildConfigDiagnostics(parsed.data, summary, mcpServers, metadata);
+  return {
+    path: configPath,
+    exists,
+    content,
+    settings: summary,
+    mcpServers,
+    rmcpClientEnabled,
+    parseError: parsed.error,
+    isYoloPreset: parsed.error ? false : isYoloApplied(summary),
+    updatedAt,
+    metadata,
+    diagnostics
+  };
+}
+async function getCodexConfigSnapshot() {
+  const { content, exists } = await readConfigContent();
+  return buildSnapshot(content, exists);
+}
+async function saveCodexConfigContent(content) {
+  const normalized = ensureTrailingNewline(normalizeLineEndings(content));
+  const parsed = tryParseToml(normalized);
+  if (!parsed.data) {
+    throw new Error(parsed.error ?? "config.toml contains invalid TOML syntax.");
+  }
+  await writeConfigContent(normalized);
+  return buildSnapshot(normalized, true);
+}
+
+// ../../lib/cloud-sync-service.ts
+var SYNC_BACKUP_DIR = "sync-backups";
+var PRE_PULL_BACKUP_PREFIX = "pre-pull-";
+var PRE_PULL_BACKUP_SUFFIX = ".json";
+var PRE_PULL_BACKUP_KEEP_COUNT = 3;
+var SYNC_SIZE_WARN_BYTES = 1 * 1024 * 1024;
+var SYNC_SIZE_MAX_BYTES = 5 * 1024 * 1024;
+var MB_DIVISOR = 1024 * 1024;
+function mapProfilesFromAppState(raw) {
+  if (!isRecord3(raw)) {
+    return [];
+  }
+  const profiles = [];
+  for (const [name, value] of Object.entries(raw)) {
+    if (!isRecord3(value)) {
+      continue;
+    }
+    const data = isRecord3(value.data) ? value.data : null;
+    if (!data) {
+      continue;
+    }
+    const normalizedName = typeof name === "string" ? name.trim() : "";
+    if (!normalizedName) {
+      continue;
+    }
+    profiles.push({
+      name: normalizedName,
+      displayName: typeof value.displayName === "string" ? value.displayName : null,
+      data,
+      metadata: isRecord3(value.metadata) ? value.metadata : void 0,
+      accountId: typeof value.accountId === "string" ? value.accountId : null,
+      workspaceId: typeof value.workspaceId === "string" ? value.workspaceId : null,
+      workspaceName: typeof value.workspaceName === "string" ? value.workspaceName : null,
+      email: typeof value.email === "string" ? value.email : null,
+      authMethod: typeof value.authMethod === "string" ? value.authMethod : null,
+      createdAt: typeof value.createdAt === "string" ? value.createdAt : null,
+      updatedAt: typeof value.updatedAt === "string" ? value.updatedAt : null
+    });
+  }
+  return profiles;
+}
+function summarizeSnapshot(snapshot) {
+  const configBytes = typeof snapshot.configTomlContent === "string" ? snapshot.configTomlContent.length : 0;
+  const settingsKeys = isRecord3(snapshot.settingsJson) ? Object.keys(snapshot.settingsJson).length : 0;
+  return {
+    profiles: snapshot.profiles.length,
+    configBytes,
+    settingsKeys
+  };
+}
+async function readState() {
+  const state = await getAppState();
+  return {
+    lastPushAt: state.sync.lastPushAt ?? void 0,
+    lastPullAt: state.sync.lastPullAt ?? void 0,
+    lastError: state.sync.lastError ?? void 0,
+    remoteUpdatedAt: state.sync.remoteUpdatedAt ?? void 0
+  };
+}
+async function writeState(patch) {
+  await patchAppState({
+    sync: {
+      ...typeof patch.lastPushAt === "string" ? { lastPushAt: patch.lastPushAt } : {},
+      ...typeof patch.lastPullAt === "string" ? { lastPullAt: patch.lastPullAt } : {},
+      ...typeof patch.lastError === "string" ? { lastError: patch.lastError } : patch.lastError === void 0 ? { lastError: null } : {},
+      ...typeof patch.remoteUpdatedAt === "string" ? { remoteUpdatedAt: patch.remoteUpdatedAt } : {}
+    }
+  });
+}
+async function resolveEligibility() {
+  const stored = await getStoredLicense();
+  const licenseKey = typeof stored?.licenseKey === "string" ? stored.licenseKey.trim() : "";
+  if (!licenseKey) {
+    return {
+      canSync: false,
+      reason: "License key is required for cloud sync.",
+      licenseKey: null,
+      licenseState: null
+    };
+  }
+  const status = await licenseService.getStatus();
+  const active = status.state === "active" || status.state === "grace";
+  if (!active) {
+    return {
+      canSync: false,
+      reason: "Cloud sync requires an active Pro license.",
+      licenseKey,
+      licenseState: status.state
+    };
+  }
+  return {
+    canSync: true,
+    reason: null,
+    licenseKey,
+    licenseState: status.state
+  };
+}
+function formatMegabytes(bytes) {
+  return (bytes / MB_DIVISOR).toFixed(2);
+}
+function resolveSyncBackupsDir() {
+  return import_node_path6.default.join(getUserDataDir(), SYNC_BACKUP_DIR);
+}
+function toSafeIsoForFileName(iso) {
+  return iso.replace(/:/g, "-");
+}
+async function pruneOldPrePullBackups(backupsDir) {
+  const entries = await import_node_fs4.promises.readdir(backupsDir, { withFileTypes: true });
+  const files = entries.filter(
+    (entry) => entry.isFile() && entry.name.startsWith(PRE_PULL_BACKUP_PREFIX) && entry.name.endsWith(PRE_PULL_BACKUP_SUFFIX)
+  ).map((entry) => entry.name).sort((a, b) => b.localeCompare(a));
+  if (files.length <= PRE_PULL_BACKUP_KEEP_COUNT) {
+    return;
+  }
+  for (const stale of files.slice(PRE_PULL_BACKUP_KEEP_COUNT)) {
+    await import_node_fs4.promises.rm(import_node_path6.default.join(backupsDir, stale), { force: true });
+  }
+}
+async function createPrePullBackup(profileManager) {
+  const snapshot = await buildLocalSnapshot(profileManager, {
+    enforcePushGuards: false
+  });
+  const backupsDir = resolveSyncBackupsDir();
+  await import_node_fs4.promises.mkdir(backupsDir, { recursive: true });
+  const timestamp = toSafeIsoForFileName((/* @__PURE__ */ new Date()).toISOString());
+  const backupPath = import_node_path6.default.join(
+    backupsDir,
+    `${PRE_PULL_BACKUP_PREFIX}${timestamp}${PRE_PULL_BACKUP_SUFFIX}`
+  );
+  await import_node_fs4.promises.writeFile(backupPath, `${JSON.stringify(snapshot, null, 2)}
+`, "utf8");
+  await pruneOldPrePullBackups(backupsDir);
+  logInfo("[cloud-sync] created pre-pull backup", { backupPath });
+  return backupPath;
+}
+async function buildLocalSnapshot(profileManager, options = {}) {
+  const enforcePushGuards = options.enforcePushGuards !== false;
+  const profilesFromManager = await profileManager.exportProfilesForCloudSync();
+  const state = await getAppState();
+  const profilesFromState = mapProfilesFromAppState(state.profilesByName);
+  const profiles = profilesFromManager.length > 0 ? profilesFromManager : profilesFromState;
+  const config = await getCodexConfigSnapshot();
+  const settingsJson = await readCodexSettingsJsonRaw();
+  const hasProfiles = profiles.length > 0;
+  const hasConfig = typeof config.content === "string" && config.content.trim().length > 0;
+  const hasSettings = isRecord3(settingsJson) && Object.keys(settingsJson).length > 0;
+  if (enforcePushGuards && !hasProfiles && !hasConfig && !hasSettings) {
+    throw new Error("Refusing to push an empty cloud sync snapshot.");
+  }
+  const snapshot = {
+    schemaVersion: CLOUD_SYNC_SCHEMA_VERSION,
+    updatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    profiles,
+    configTomlContent: config.exists ? config.content : null,
+    settingsJson
+  };
+  if (!enforcePushGuards) {
+    return snapshot;
+  }
+  return snapshot;
+}
+async function applyRemoteSnapshot(profileManager, snapshot) {
+  await profileManager.replaceProfilesFromCloudSync(snapshot.profiles ?? []);
+  if (typeof snapshot.configTomlContent === "string") {
+    await saveCodexConfigContent(snapshot.configTomlContent);
+  }
+  if (snapshot.settingsJson && isRecord3(snapshot.settingsJson)) {
+    await writeCodexSettingsJsonRaw(snapshot.settingsJson);
+  } else {
+    await writeCodexSettingsJsonRaw({});
+  }
+}
+function toRunError(mode, error) {
+  const message = formatUserFacingError(error, {
+    fallback: `Cloud sync ${mode} failed.`
+  });
+  return {
+    mode,
+    status: "error",
+    message,
+    localUpdatedAt: null,
+    remoteUpdatedAt: null
+  };
+}
+async function getCloudSyncStatus() {
+  const eligibility = await resolveEligibility();
+  const state = await readState();
+  let remoteUpdatedAt = state.remoteUpdatedAt ?? null;
+  if (eligibility.canSync && eligibility.licenseKey) {
     try {
-      return await this.verificationPromise;
-    } finally {
-      this.verificationPromise = null;
+      remoteUpdatedAt = await fetchRemoteSnapshotMeta(eligibility.licenseKey);
+    } catch (error) {
+      if (error instanceof CloudSyncClientError && error.status === 404) {
+        try {
+          const remote = await fetchRemoteSnapshot(eligibility.licenseKey);
+          remoteUpdatedAt = remote?.updatedAt ?? null;
+        } catch {
+        }
+      }
     }
   }
-  async activate(licenseKey) {
-    const trimmed = licenseKey.trim();
-    if (!trimmed) {
-      throw new Error("License key is required.");
-    }
-    const secret = await getLicenseSecret();
-    const digest = import_node_crypto2.default.createHash("sha256").update(trimmed).digest("hex");
-    const result = await requestGumroadVerify(trimmed, "activation");
-    ensureWithinUseLimit(result);
-    const normalized = normalizeVerificationResult(result);
-    const stored = {
-      licenseKey: trimmed,
-      purchaseEmail: normalized.email,
-      lastVerifiedAt: nowIso(),
-      nextCheckAt: new Date(Date.now() + LICENSE_REFRESH_INTERVAL_MS).toISOString(),
-      status: "active",
-      lastVerificationError: null
+  return {
+    endpoint: getCloudSyncApiBaseUrl(),
+    canSync: eligibility.canSync,
+    reason: eligibility.reason,
+    licenseState: eligibility.licenseState,
+    hasLicenseKey: Boolean(eligibility.licenseKey),
+    lastPushAt: state.lastPushAt ?? null,
+    lastPullAt: state.lastPullAt ?? null,
+    lastError: state.lastError ?? null,
+    remoteUpdatedAt
+  };
+}
+async function pushCloudSync() {
+  const eligibility = await resolveEligibility();
+  if (!eligibility.canSync || !eligibility.licenseKey) {
+    return {
+      mode: "push",
+      status: "skipped",
+      message: eligibility.reason ?? "Cloud sync unavailable.",
+      localUpdatedAt: null,
+      remoteUpdatedAt: null
     };
-    const signed = withSignature(stored, secret);
-    await persistLicense(signed);
-    const status = toLicenseStatus(signed, {
-      message: `License verified (${digest.slice(0, 8)}).`
+  }
+  const profileManager = new ProfileManager();
+  try {
+    await profileManager.initialize();
+    const localSnapshot = await buildLocalSnapshot(profileManager, { enforcePushGuards: true });
+    const serializedSnapshot = JSON.stringify(localSnapshot);
+    const snapshotBytes = Buffer.byteLength(serializedSnapshot, "utf8");
+    if (snapshotBytes > SYNC_SIZE_WARN_BYTES) {
+      logWarn("[cloud-sync] push snapshot is large", {
+        bytes: snapshotBytes,
+        megabytes: formatMegabytes(snapshotBytes)
+      });
+    }
+    if (snapshotBytes > SYNC_SIZE_MAX_BYTES) {
+      throw new Error(
+        `Snapshot too large to sync (${formatMegabytes(snapshotBytes)} MB). Reduce profiles or config size.`
+      );
+    }
+    if (process.env.NODE_ENV !== "production") {
+      logInfo("[cloud-sync] push snapshot summary", summarizeSnapshot(localSnapshot));
+    }
+    const remote = await pushRemoteSnapshot(eligibility.licenseKey, localSnapshot, {
+      serializedSnapshot
     });
-    this.cache = status;
-    return status;
+    await writeState({
+      lastPushAt: (/* @__PURE__ */ new Date()).toISOString(),
+      remoteUpdatedAt: remote.snapshot.updatedAt,
+      lastError: void 0
+    });
+    if (remote.status === "stale") {
+      return {
+        mode: "push",
+        status: "stale",
+        message: "Remote cloud snapshot is newer. Pull first.",
+        localUpdatedAt: localSnapshot.updatedAt,
+        remoteUpdatedAt: remote.snapshot.updatedAt
+      };
+    }
+    return {
+      mode: "push",
+      status: "applied",
+      message: "Cloud sync push completed.",
+      localUpdatedAt: localSnapshot.updatedAt,
+      remoteUpdatedAt: remote.snapshot.updatedAt
+    };
+  } catch (error) {
+    const result = toRunError("push", error);
+    const lastError = error instanceof CloudSyncClientError ? error.message : result.message;
+    await writeState({ lastError });
+    return result;
   }
-  applyProfileCount(status, profileCount) {
-    const profilesRemaining = resolveProfilesRemaining(status.profileLimit, profileCount);
+}
+async function pullCloudSync() {
+  const eligibility = await resolveEligibility();
+  if (!eligibility.canSync || !eligibility.licenseKey) {
     return {
-      ...status,
-      profilesRemaining
+      mode: "pull",
+      status: "skipped",
+      message: eligibility.reason ?? "Cloud sync unavailable.",
+      localUpdatedAt: null,
+      remoteUpdatedAt: null
     };
   }
-  refreshStatusInBackground(options = {}) {
-    if (this.refreshPromise) {
-      return;
+  const profileManager = new ProfileManager();
+  try {
+    await profileManager.initialize();
+    const remote = await fetchRemoteSnapshot(eligibility.licenseKey);
+    if (!remote) {
+      return {
+        mode: "pull",
+        status: "skipped",
+        message: "No cloud snapshot found.",
+        localUpdatedAt: null,
+        remoteUpdatedAt: null
+      };
     }
-    const forceRefresh = Boolean(options.force);
-    this.refreshPromise = (async () => {
-      try {
-        await this.getStatus({ forceRefresh });
-      } catch (error) {
-        console.warn("Background license refresh failed:", error);
-      } finally {
-        this.refreshPromise = null;
-      }
-    })();
+    let backupWarningSuffix = "";
+    try {
+      await createPrePullBackup(profileManager);
+    } catch (backupError) {
+      logWarn("[cloud-sync] pre-pull backup failed; continuing pull", backupError);
+      const reason = formatUserFacingError(backupError, { fallback: "unknown error" });
+      backupWarningSuffix = ` Warning: pre-pull backup failed (${reason}).`;
+    }
+    await applyRemoteSnapshot(profileManager, remote);
+    await writeState({
+      lastPullAt: (/* @__PURE__ */ new Date()).toISOString(),
+      remoteUpdatedAt: remote.updatedAt,
+      lastError: void 0
+    });
+    return {
+      mode: "pull",
+      status: "applied",
+      message: `Cloud sync pull completed.${backupWarningSuffix}`,
+      localUpdatedAt: remote.updatedAt,
+      remoteUpdatedAt: remote.updatedAt
+    };
+  } catch (error) {
+    const result = toRunError("pull", error);
+    const lastError = error instanceof CloudSyncClientError ? error.message : result.message;
+    await writeState({ lastError });
+    return result;
   }
-};
-var licenseService = new LicenseService();
+}
 
 // ../../lib/license-guard.ts
 async function assertProfileCreationAllowed(profileManager) {
@@ -3133,20 +3798,20 @@ async function assertProfileCreationAllowed(profileManager) {
 }
 
 // src/codex-cli.ts
-var import_node_child_process = require("child_process");
-var import_node_fs4 = require("fs");
-var import_node_path4 = __toESM(require("path"));
+var import_node_child_process2 = require("child_process");
+var import_node_fs5 = require("fs");
+var import_node_path7 = __toESM(require("path"));
 var ENV_HINTS = ["CODEX_BINARY", "CODEX_CLI_PATH", "CODEX_PATH"];
 var NODE_MODULE_CANDIDATES = [
   ["@openai", "codex"],
   ["@openai", "codex-alpha"]
 ];
-function fileExists(candidate) {
+function fileExists2(candidate) {
   if (!candidate) return null;
-  const resolved = import_node_path4.default.resolve(candidate);
+  const resolved = import_node_path7.default.resolve(candidate);
   try {
-    const stat = (0, import_node_fs4.statSync)(resolved);
-    if (stat.isFile()) return resolved;
+    const stat2 = (0, import_node_fs5.statSync)(resolved);
+    if (stat2.isFile()) return resolved;
   } catch {
     return null;
   }
@@ -3156,49 +3821,49 @@ function resolveFromEnv() {
   for (const key of ENV_HINTS) {
     const value = process.env[key];
     if (!value) continue;
-    const resolved = fileExists(value);
+    const resolved = fileExists2(value);
     if (resolved) return resolved;
   }
   return null;
 }
 function resolveFromAppResources() {
   const roots = [
-    import_node_path4.default.resolve(__dirname, ".."),
-    import_node_path4.default.resolve(__dirname, "..", "..")
+    import_node_path7.default.resolve(__dirname, ".."),
+    import_node_path7.default.resolve(__dirname, "..", "..")
   ];
   for (const root of roots) {
-    const base = import_node_path4.default.join(root, "app.asar.unpacked", "node_modules");
+    const base = import_node_path7.default.join(root, "app.asar.unpacked", "node_modules");
     for (const segments of NODE_MODULE_CANDIDATES) {
-      const candidate = fileExists(import_node_path4.default.join(base, ...segments, "bin", "codex"));
+      const candidate = fileExists2(import_node_path7.default.join(base, ...segments, "bin", "codex"));
       if (candidate) return candidate;
-      const jsCandidate = fileExists(import_node_path4.default.join(base, ...segments, "bin", "codex.js"));
+      const jsCandidate = fileExists2(import_node_path7.default.join(base, ...segments, "bin", "codex.js"));
       if (jsCandidate) return jsCandidate;
     }
   }
   return null;
 }
 function resolveFromNodeModules() {
-  let current = import_node_path4.default.resolve(__dirname, "..");
+  let current = import_node_path7.default.resolve(__dirname, "..");
   let last = "";
   while (current !== last) {
     for (const segments of NODE_MODULE_CANDIDATES) {
-      const candidate = fileExists(import_node_path4.default.join(current, "node_modules", ...segments, "bin", "codex"));
+      const candidate = fileExists2(import_node_path7.default.join(current, "node_modules", ...segments, "bin", "codex"));
       if (candidate) return candidate;
-      const jsCandidate = fileExists(import_node_path4.default.join(current, "node_modules", ...segments, "bin", "codex.js"));
+      const jsCandidate = fileExists2(import_node_path7.default.join(current, "node_modules", ...segments, "bin", "codex.js"));
       if (jsCandidate) return jsCandidate;
     }
     last = current;
-    current = import_node_path4.default.dirname(current);
+    current = import_node_path7.default.dirname(current);
   }
   return null;
 }
 function resolveFromPath() {
   const pathValue = process.env.PATH ?? "";
-  const entries = pathValue.split(import_node_path4.default.delimiter).filter(Boolean);
+  const entries = pathValue.split(import_node_path7.default.delimiter).filter(Boolean);
   const names = process.platform === "win32" ? ["codex.exe", "codex.cmd", "codex.bat", "codex"] : ["codex"];
   for (const entry of entries) {
     for (const name of names) {
-      const candidate = fileExists(import_node_path4.default.join(entry, name));
+      const candidate = fileExists2(import_node_path7.default.join(entry, name));
       if (candidate) return candidate;
     }
   }
@@ -3247,7 +3912,7 @@ async function runCodexLogin(mode) {
   const resolvedMode = resolveLoginMode(mode ?? null);
   const loginArgs = resolvedMode === "device" ? ["login", "--device-auth"] : ["login"];
   const { command, args, shell } = buildCodexCommand(codexPath, loginArgs);
-  const child = (0, import_node_child_process.spawn)(command, args, {
+  const child = (0, import_node_child_process2.spawn)(command, args, {
     stdio: "inherit",
     env: process.env,
     shell
@@ -3261,120 +3926,12 @@ async function runCodexLogin(mode) {
 }
 
 // ../../lib/codex-rpc.ts
-var import_node_child_process2 = require("child_process");
+var import_node_child_process3 = require("child_process");
 var import_node_readline = __toESM(require("readline"));
 var import_node_events = require("events");
 var import_node_fs6 = require("fs");
-var import_node_os = __toESM(require("os"));
-var import_node_path6 = __toESM(require("path"));
-
-// ../../lib/codex-cli.ts
-var import_node_fs5 = require("fs");
-var import_node_path5 = __toESM(require("path"));
-var cachedStatus = null;
-var cachedChannel = null;
-function fileExists2(candidate) {
-  if (!candidate) {
-    return null;
-  }
-  const normalized = import_node_path5.default.resolve(candidate);
-  try {
-    const stats = (0, import_node_fs5.statSync)(normalized);
-    if (stats.isFile()) {
-      return normalized;
-    }
-  } catch {
-  }
-  return null;
-}
-function resolveBundledCodexBinary(channel) {
-  const candidates = [];
-  const processWithResources = process;
-  const resourcesPath = processWithResources.resourcesPath;
-  const packageSegments = channel === "alpha" ? ["@openai", "codex-alpha"] : ["@openai", "codex"];
-  if (resourcesPath) {
-    candidates.push(
-      import_node_path5.default.join(resourcesPath, "app.asar.unpacked", "node_modules", ...packageSegments, "bin", "codex.js")
-    );
-    candidates.push(
-      import_node_path5.default.join(resourcesPath, "app.asar.unpacked", "node_modules", ...packageSegments, "bin", "codex")
-    );
-  }
-  const projectRoot = process.cwd();
-  candidates.push(import_node_path5.default.join(projectRoot, "node_modules", ...packageSegments, "bin", "codex.js"));
-  candidates.push(import_node_path5.default.join(projectRoot, "node_modules", ...packageSegments, "bin", "codex"));
-  for (const candidate of candidates) {
-    const resolved = fileExists2(candidate);
-    if (resolved) {
-      return resolved;
-    }
-  }
-  return null;
-}
-function resolveBundledCodexBinaryWithFallback(requestedChannel) {
-  const direct = resolveBundledCodexBinary(requestedChannel);
-  if (direct) {
-    return { path: direct, resolvedChannel: requestedChannel, fallbackUsed: false };
-  }
-  if (requestedChannel === "alpha") {
-    const stable = resolveBundledCodexBinary("stable");
-    if (stable) {
-      return { path: stable, resolvedChannel: "stable", fallbackUsed: true };
-    }
-  }
-  return { path: null, resolvedChannel: null, fallbackUsed: false };
-}
-function buildUnavailableStatus(channel) {
-  const channelLabel = channel === "alpha" ? "alpha " : "";
-  const channelSuffix = channel === "alpha" ? " Switch to Stable in Settings or reinstall CodexUse to restore the CLI." : " Reinstall CodexUse to restore the CLI.";
-  return {
-    available: false,
-    path: null,
-    reason: `Bundled ${channelLabel}Codex CLI is missing.${channelSuffix}`,
-    source: null,
-    channel,
-    requestedChannel: channel,
-    fallbackUsed: false
-  };
-}
-function evaluateCodexCliStatus(requestedChannel) {
-  const resolved = resolveBundledCodexBinaryWithFallback(requestedChannel);
-  if (resolved.path && resolved.resolvedChannel) {
-    return {
-      available: true,
-      path: resolved.path,
-      reason: null,
-      source: "bundled",
-      channel: resolved.resolvedChannel,
-      requestedChannel,
-      fallbackUsed: resolved.fallbackUsed
-    };
-  }
-  return buildUnavailableStatus(requestedChannel);
-}
-async function refreshCodexStatus() {
-  const channel = await getCodexCliChannel();
-  cachedChannel = channel;
-  cachedStatus = evaluateCodexCliStatus(channel);
-  return { ...cachedStatus };
-}
-var CodexCliMissingError = class extends Error {
-  constructor(status, message) {
-    super(message ?? status.reason ?? "Codex CLI is not available");
-    Object.setPrototypeOf(this, new.target.prototype);
-    this.name = "CodexCliMissingError";
-    this.status = { ...status };
-  }
-};
-async function requireCodexCli() {
-  const status = await refreshCodexStatus();
-  if (!status.available || !status.path) {
-    throw new CodexCliMissingError(status);
-  }
-  return status.path;
-}
-
-// ../../lib/codex-rpc.ts
+var import_node_os2 = __toESM(require("os"));
+var import_node_path8 = __toESM(require("path"));
 var RPC_TIMEOUT_MS = 1e4;
 async function sendPayload(child, payload) {
   child.stdin?.write(JSON.stringify(payload));
@@ -3426,9 +3983,9 @@ function toWindow(rpc) {
 }
 async function fetchRateLimitsViaRpc(envOverride, options = {}) {
   const binaryPath = options.codexPath ?? await requireCodexCli();
-  const tempHome = await import_node_fs6.promises.mkdtemp(import_node_path6.default.join(import_node_os.default.tmpdir(), "codex-rpc-"));
-  const sourceAuthPath = options.authPath ?? (envOverride?.CODEX_HOME ? import_node_path6.default.join(envOverride.CODEX_HOME, "auth.json") : import_node_path6.default.join(
-    envOverride?.HOME ?? process.env.HOME ?? process.env.USERPROFILE ?? import_node_os.default.homedir(),
+  const tempHome = await import_node_fs6.promises.mkdtemp(import_node_path8.default.join(import_node_os2.default.tmpdir(), "codex-rpc-"));
+  const sourceAuthPath = options.authPath ?? (envOverride?.CODEX_HOME ? import_node_path8.default.join(envOverride.CODEX_HOME, "auth.json") : import_node_path8.default.join(
+    envOverride?.HOME ?? process.env.HOME ?? process.env.USERPROFILE ?? import_node_os2.default.homedir(),
     ".codex",
     "auth.json"
   ));
@@ -3437,13 +3994,13 @@ async function fetchRateLimitsViaRpc(envOverride, options = {}) {
     if (!authContent) {
       return null;
     }
-    await import_node_fs6.promises.writeFile(import_node_path6.default.join(tempHome, "auth.json"), authContent, "utf8");
+    await import_node_fs6.promises.writeFile(import_node_path8.default.join(tempHome, "auth.json"), authContent, "utf8");
   } catch {
     await import_node_fs6.promises.rm(tempHome, { recursive: true, force: true }).catch(() => {
     });
     return null;
   }
-  const child = (0, import_node_child_process2.spawn)(process.execPath, [binaryPath, "-s", "read-only", "-a", "untrusted", "app-server"], {
+  const child = (0, import_node_child_process3.spawn)(process.execPath, [binaryPath, "-s", "read-only", "-a", "untrusted", "app-server"], {
     stdio: ["pipe", "pipe", "pipe"],
     env: {
       ...process.env,
@@ -3515,7 +4072,7 @@ function maxUsedPercent(snapshot) {
 }
 
 // src/index.ts
-var VERSION = true ? "2.3.1" : "0.0.0";
+var VERSION = true ? "2.4.1" : "0.0.0";
 function printHelp() {
   console.log(`CodexUse CLI v${VERSION}
 
@@ -3531,6 +4088,10 @@ Usage:
   codexuse license status [--refresh]
   codexuse license activate <license-key>
 
+  codexuse sync status
+  codexuse sync pull
+  codexuse sync push
+
 Flags:
   -h, --help       Show help
   -v, --version    Show version
@@ -3952,6 +4513,70 @@ async function handleLicense(args) {
       return;
   }
 }
+function printSyncResult(result) {
+  console.log(result.message);
+  if (result.localUpdatedAt) {
+    console.log(`Local snapshot: ${result.localUpdatedAt}`);
+  }
+  if (result.remoteUpdatedAt) {
+    console.log(`Remote snapshot: ${result.remoteUpdatedAt}`);
+  }
+}
+async function handleSync(args) {
+  const flags = args.filter((arg) => arg.startsWith("-"));
+  const params = stripFlags(args);
+  const sub = params[0];
+  if (!sub || hasFlag(flags, "--help") || hasFlag(flags, "-h")) {
+    printHelp();
+    return;
+  }
+  switch (sub) {
+    case "status": {
+      const status = await getCloudSyncStatus();
+      console.log(`Endpoint: ${status.endpoint}`);
+      console.log(`Can sync: ${status.canSync ? "yes" : "no"}`);
+      console.log(`Has key: ${status.hasLicenseKey ? "yes" : "no"}`);
+      if (status.licenseState) {
+        console.log(`License state: ${status.licenseState}`);
+      }
+      if (status.reason) {
+        console.log(`Reason: ${status.reason}`);
+      }
+      if (status.remoteUpdatedAt) {
+        console.log(`Remote snapshot: ${status.remoteUpdatedAt}`);
+      }
+      if (status.lastPushAt) {
+        console.log(`Last push: ${status.lastPushAt}`);
+      }
+      if (status.lastPullAt) {
+        console.log(`Last pull: ${status.lastPullAt}`);
+      }
+      if (status.lastError) {
+        console.log(`Last error: ${status.lastError}`);
+      }
+      return;
+    }
+    case "pull": {
+      const result = await pullCloudSync();
+      printSyncResult(result);
+      if (result.status === "error") {
+        process.exitCode = 1;
+      }
+      return;
+    }
+    case "push": {
+      const result = await pushCloudSync();
+      printSyncResult(result);
+      if (result.status === "error") {
+        process.exitCode = 1;
+      }
+      return;
+    }
+    default:
+      printHelp();
+      return;
+  }
+}
 async function main() {
   const args = process.argv.slice(2);
   if (args.length === 0 || hasFlag(args, "--help") || hasFlag(args, "-h")) {
@@ -3971,6 +4596,9 @@ async function main() {
     case "license":
       await handleLicense(rest);
       return;
+    case "sync":
+      await handleSync(rest);
+      return;
     default:
       printHelp();
       return;