codexuse-cli 3.1.5 → 3.6.0

package/dist/index.js

@@ -2021,428 +2021,143 @@ var require_toml = __commonJS({
   }
 });
 
-// src/commands/daemon.ts
-var import_node_child_process2 = require("child_process");
-var import_node_crypto = require("crypto");
-var import_node_fs = __toESM(require("fs"));
-var import_node_net = __toESM(require("net"));
-var import_node_os = __toESM(require("os"));
-var import_node_path2 = __toESM(require("path"));
+// src/commands/accountPool.ts
+var import_node_crypto4 = require("crypto");
+var import_node_os3 = __toESM(require("os"));
+var import_node_path7 = __toESM(require("path"));
 
-// ../../packages/shared/src/core/internal-js-runtime.ts
-var import_node_child_process = require("child_process");
-var import_node_path = __toESM(require("path"), 1);
-var cachedBunBinary = null;
-function hasBunRuntime() {
-  return typeof process.versions.bun === "string" && process.versions.bun.length > 0;
-}
-function buildRuntimePath(env) {
-  const homeDir = env.HOME ?? env.USERPROFILE ?? "";
-  const pathHints = (env.CODEX_PATH_HINTS ?? "").split(import_node_path.default.delimiter).map((entry) => entry.trim()).filter(Boolean);
-  const entries = [
-    env.PATH ?? "",
-    import_node_path.default.join(homeDir, ".bun", "bin"),
-    "/opt/homebrew/bin",
-    "/usr/local/bin",
-    import_node_path.default.join(homeDir, ".local", "bin"),
-    import_node_path.default.join(homeDir, ".fnm", "aliases", "default", "bin"),
-    import_node_path.default.join(homeDir, ".fnm", "current", "bin"),
-    ...pathHints
-  ];
-  return Array.from(
-    new Set(
-      entries.flatMap((entry) => entry.split(import_node_path.default.delimiter)).map((entry) => entry.trim()).filter(Boolean)
-    )
-  ).join(import_node_path.default.delimiter);
-}
-function resolveConfiguredBunBinary(env) {
-  const candidates = [
-    env.CODEXUSE_INTERNAL_BUN_BIN,
-    env.BUN_BIN,
-    process.env.CODEXUSE_INTERNAL_BUN_BIN,
-    process.env.BUN_BIN
-  ];
-  for (const candidate of candidates) {
-    const normalized = candidate?.trim() ?? "";
-    if (normalized.length > 0) {
-      return normalized;
-    }
+// ../../packages/contracts/src/settings/types.ts
+var DEFAULT_ACCOUNT_POOL_EXPOSED_MODELS = [
+  "gpt-5.4",
+  "gpt-5.4-mini",
+  "gpt-5.4-nano"
+];
+var DEFAULT_ACCOUNT_POOL_EXPOSED_REASONING_EFFORTS = [
+  "none",
+  "minimal",
+  "low",
+  "medium",
+  "high",
+  "xhigh"
+];
+var DEFAULT_ACCOUNT_POOL_EXPOSED_FAST_MODE_REASONING_EFFORTS = [
+  "xhigh"
+];
+
+// ../../packages/runtime-app-state/src/app/state.ts
+var import_node_fs2 = require("fs");
+var import_node_async_hooks = require("async_hooks");
+var import_node_path2 = __toESM(require("path"), 1);
+var import_node_os = __toESM(require("os"), 1);
+
+// ../../packages/contracts/src/settings/chat-scrollback.ts
+var CHAT_SCROLLBACK_DEFAULT = 200;
+var CHAT_SCROLLBACK_MIN = 50;
+var CHAT_SCROLLBACK_MAX = 5e3;
+function clampChatScrollbackItems(value) {
+  if (!Number.isFinite(value)) {
+    return CHAT_SCROLLBACK_DEFAULT;
   }
-  return null;
+  const rounded = Math.round(value);
+  return Math.max(CHAT_SCROLLBACK_MIN, Math.min(CHAT_SCROLLBACK_MAX, rounded));
 }
-function probeBunBinary(env) {
-  if (hasBunRuntime()) {
-    return process.execPath;
+function normalizeChatHistoryScrollbackItems(value) {
+  if (value === null) {
+    return null;
   }
-  if (cachedBunBinary) {
-    return cachedBunBinary;
+  if (typeof value === "number" && Number.isFinite(value)) {
+    return clampChatScrollbackItems(value);
   }
-  const homeDir = env.HOME ?? env.USERPROFILE ?? "";
-  const candidates = Array.from(
-    new Set(
-      [
-        env.CODEXUSE_INTERNAL_BUN_BIN?.trim(),
-        env.BUN_BIN?.trim(),
-        import_node_path.default.join(homeDir, ".bun", "bin", "bun"),
-        "/opt/homebrew/bin/bun",
-        "/usr/local/bin/bun",
-        "bun"
-      ].filter((candidate) => typeof candidate === "string" && candidate.length > 0)
-    )
-  );
-  for (const candidate of candidates) {
-    const probe = (0, import_node_child_process.spawnSync)(candidate, ["--version"], {
-      env,
-      stdio: "ignore"
-    });
-    if (!probe.error && probe.status === 0) {
-      cachedBunBinary = candidate;
-      return candidate;
+  if (typeof value === "string") {
+    const parsed = Number(value);
+    if (Number.isFinite(parsed)) {
+      return clampChatScrollbackItems(parsed);
     }
   }
-  return null;
+  return CHAT_SCROLLBACK_DEFAULT;
 }
-function resolveInternalBunRuntime(overrides = {}) {
-  const env = {
-    ...process.env,
-    ...overrides
-  };
-  env.PATH = buildRuntimePath(env);
-  const runtimeBin = hasBunRuntime() ? process.execPath : resolveConfiguredBunBinary(env) ?? probeBunBinary(env);
-  if (!runtimeBin) {
-    throw new Error(
-      "CodexUse desktop requires a Bun runtime to launch internal services. Install Bun or set CODEXUSE_INTERNAL_BUN_BIN."
-    );
+
+// ../../packages/contracts/src/settings/commit-message-prompt.ts
+var DEFAULT_COMMIT_MESSAGE_PROMPT = `Generate a concise git commit message for the following changes. Follow conventional commit format (e.g., feat:, fix:, refactor:, docs:, etc.). Keep the summary line under 72 characters. Only output the commit message, nothing else.
+
+Changes:
+{diff}`;
+function normalizeLineEndings(value) {
+  return value.replace(/\r\n/g, "\n");
+}
+function normalizeCommitMessagePrompt(value) {
+  if (typeof value !== "string") {
+    return null;
   }
-  delete env.ELECTRON_RUN_AS_NODE;
-  return {
-    bin: runtimeBin,
-    env
-  };
+  const normalized = normalizeLineEndings(value).trim();
+  return normalized.length > 0 ? normalized : null;
 }
 
-// src/commands/daemon.ts
-function normalizeTelegramBotToken(value) {
-  const trimmed = value?.trim() ?? "";
-  return trimmed.length > 0 ? trimmed : null;
-}
-function hasFlag(args, flag) {
-  return args.includes(flag);
+// ../../packages/runtime-app-state/src/storage/documents.ts
+var import_node_fs = require("fs");
+var import_node_path = __toESM(require("path"), 1);
+var APP_STORAGE_TABLE = "app_storage_documents";
+var APP_STORAGE_DB_DIR = "t3-projects";
+var APP_STORAGE_DB_NAME = "state.sqlite";
+var SQLITE_BUSY_TIMEOUT_MS = 5e3;
+var SQLITE_BUSY_MAX_ATTEMPTS = 3;
+var SQLITE_BUSY_RETRY_DELAY_MS = 100;
+var writeQueueByDbPath = /* @__PURE__ */ new Map();
+var initializedDbPaths = /* @__PURE__ */ new Set();
+function isRecord(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
-function stripFlags(args) {
-  return args.filter((arg) => !arg.startsWith("-"));
+function clone(value) {
+  return JSON.parse(JSON.stringify(value));
 }
-function parseStringFlag(flags, name) {
-  const explicit = flags.find((flag) => flag.startsWith(`${name}=`));
-  if (!explicit) {
+function safeParseJson(raw) {
+  if (typeof raw !== "string" || raw.trim().length === 0) {
+    return null;
+  }
+  try {
+    return JSON.parse(raw);
+  } catch {
     return null;
   }
-  const value = explicit.slice(`${name}=`.length).trim();
-  return value.length > 0 ? value : "";
 }
-function printDaemonHelp(version) {
-  console.log(`CodexUse CLI v${version}
-
-Usage:
-  codexuse daemon start [--telegram-bot-token=<token>] [--project-path=/abs/path]
-
-Notes:
-  - Runs the T3 Projects/chat server in headless mode.
-  - Requires Bun on PATH because the bundled Projects server runs on Bun.
-  - Pass --telegram-bot-token or set CODEXUSE_TELEGRAM_BOT_TOKEN to enable Telegram remote control.
-  - --project-path bootstraps that folder as the default project/thread.
-  - Stop with Ctrl+C or SIGTERM.
-`);
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
 }
-function resolveServerEntry() {
-  const candidates = [
-    import_node_path2.default.resolve(__dirname, "server", "index.mjs"),
-    import_node_path2.default.resolve(__dirname, "../../../server/dist/index.mjs")
-  ];
-  for (const candidate of candidates) {
-    if (import_node_fs.default.existsSync(candidate)) {
-      return candidate;
-    }
+function isSqliteBusyError(error) {
+  if (!error || typeof error !== "object") {
+    return false;
   }
-  return candidates[0];
+  const sqliteError = error;
+  const message = typeof sqliteError.message === "string" ? sqliteError.message.toLowerCase() : "";
+  return sqliteError.code === "SQLITE_BUSY" || sqliteError.errno === 5 || message.includes("sqlite_busy") || message.includes("database is locked");
 }
-function resolveStateDir() {
-  return import_node_path2.default.join(import_node_os.default.homedir(), ".codexuse", "t3-daemon");
+function beginImmediate(db) {
+  db.exec("BEGIN IMMEDIATE");
 }
-function reserveLoopbackPort() {
-  return new Promise((resolve, reject) => {
-    const server = import_node_net.default.createServer();
-    server.unref();
-    server.once("error", reject);
-    server.listen(0, "127.0.0.1", () => {
-      const address = server.address();
-      const port = typeof address === "object" && address ? address.port : null;
-      server.close((error) => {
-        if (error) {
-          reject(error);
-          return;
-        }
-        if (typeof port !== "number") {
-          reject(new Error("Failed to reserve a loopback port for the Projects server."));
-          return;
-        }
-        resolve(port);
-      });
-    });
-  });
+function commit(db) {
+  db.exec("COMMIT");
 }
-async function runDaemonStart(options) {
-  const entry = resolveServerEntry();
-  if (!import_node_fs.default.existsSync(entry)) {
-    throw new Error(
-      `Missing bundled T3 server build output at ${entry}. Rebuild the CLI package with \`bun run build:cli\`.`
-    );
+function rollback(db) {
+  try {
+    db.exec("ROLLBACK");
+  } catch {
   }
-  const port = await reserveLoopbackPort();
-  const authToken = (0, import_node_crypto.randomBytes)(24).toString("hex");
-  const stateDir = resolveStateDir();
-  const projectPath = options.projectPath ? import_node_path2.default.resolve(options.projectPath) : null;
-  const childCwd = projectPath ?? process.cwd();
-  const telegramBotToken = options.telegramBotToken?.trim() || null;
-  const runtime = resolveInternalBunRuntime({
-    T3CODE_MODE: "desktop",
-    T3CODE_HOST: "127.0.0.1",
-    T3CODE_PORT: String(port),
-    T3CODE_NO_BROWSER: "1",
-    T3CODE_AUTH_TOKEN: authToken,
-    T3CODE_STATE_DIR: stateDir,
-    T3CODE_AUTO_BOOTSTRAP_PROJECT_FROM_CWD: projectPath ? "1" : "0",
-    CODEXUSE_TELEGRAM_RUNTIME_OWNER: "daemon",
-    ...telegramBotToken ? {
-      CODEXUSE_TELEGRAM_BOT_TOKEN: telegramBotToken,
-      CODEXUSE_TELEGRAM_BRIDGE_ENABLED: "1"
-    } : {}
-  });
-  const child = (0, import_node_child_process2.spawn)(runtime.bin, [entry], {
-    cwd: childCwd,
-    env: runtime.env,
-    stdio: "inherit"
+}
+async function withWriteQueue(dbPath, task) {
+  const previous = writeQueueByDbPath.get(dbPath) ?? Promise.resolve();
+  let release;
+  const current = new Promise((resolve) => {
+    release = resolve;
   });
-  console.log(`Daemon started. Projects server listening on 127.0.0.1:${port}`);
-  console.log(`State dir: ${stateDir}`);
-  if (projectPath) {
-    console.log(`Bootstrapped project path: ${projectPath}`);
-  }
-  if (telegramBotToken) {
-    console.log("Telegram remote control enabled for this daemon session.");
-  }
-  console.log("Running until SIGINT/SIGTERM...");
-  await waitForChild(child);
-}
-function waitForChild(child) {
-  return new Promise((resolve, reject) => {
-    let stopping = false;
-    const stop = (signal) => {
-      if (stopping) {
-        return;
-      }
-      stopping = true;
-      child.kill(signal);
-    };
-    const onSigInt = () => stop("SIGINT");
-    const onSigTerm = () => stop("SIGTERM");
-    process.once("SIGINT", onSigInt);
-    process.once("SIGTERM", onSigTerm);
-    child.once("exit", (code, signal) => {
-      process.off("SIGINT", onSigInt);
-      process.off("SIGTERM", onSigTerm);
-      if (code === 0 || stopping) {
-        resolve();
-        return;
-      }
-      reject(
-        new Error(
-          `Projects server exited unexpectedly (code=${code ?? "null"}, signal=${signal ?? "null"}).`
-        )
-      );
-    });
-    child.once("error", (error) => {
-      process.off("SIGINT", onSigInt);
-      process.off("SIGTERM", onSigTerm);
-      reject(error);
-    });
-  });
-}
-async function handleDaemonCommand(args, version) {
-  const flags = args.filter((arg) => arg.startsWith("-"));
-  const params = stripFlags(args);
-  const sub = params[0];
-  if (!sub || hasFlag(flags, "--help") || hasFlag(flags, "-h")) {
-    printDaemonHelp(version);
-    return;
-  }
-  switch (sub) {
-    case "start": {
-      const projectPath = parseStringFlag(flags, "--project-path") ?? parseStringFlag(flags, "--project") ?? null;
-      const telegramBotToken = parseStringFlag(flags, "--telegram-bot-token") ?? normalizeTelegramBotToken(process.env.CODEXUSE_TELEGRAM_BOT_TOKEN) ?? null;
-      await runDaemonStart({
-        projectPath,
-        telegramBotToken,
-        version
-      });
-      return;
-    }
-    default:
-      printDaemonHelp(version);
-      return;
-  }
-}
-
-// ../../packages/runtime-profiles/src/license/service.ts
-var import_node_crypto3 = __toESM(require("crypto"), 1);
-
-// ../../packages/contracts/src/settings/auto-roll.ts
-var DEFAULT_AUTO_ROLL_ENABLED = false;
-var DEFAULT_AUTO_ROLL_WARNING_THRESHOLD = 85;
-var DEFAULT_AUTO_ROLL_SWITCH_THRESHOLD = 95;
-var AUTO_ROLL_WARNING_MIN = 50;
-var AUTO_ROLL_WARNING_MAX = 99;
-var AUTO_ROLL_SWITCH_MAX = 100;
-function clampNumber(value, min, max) {
-  return Math.min(max, Math.max(min, value));
-}
-function resolveFiniteNumber(value, fallback) {
-  return Number.isFinite(value) ? value : fallback;
-}
-function sanitizeAutoRollWarningThreshold(value) {
-  const numeric = resolveFiniteNumber(value, DEFAULT_AUTO_ROLL_WARNING_THRESHOLD);
-  return clampNumber(numeric, AUTO_ROLL_WARNING_MIN, AUTO_ROLL_WARNING_MAX);
-}
-function sanitizeAutoRollSwitchThreshold(value, warningThreshold) {
-  const sanitizedWarning = sanitizeAutoRollWarningThreshold(warningThreshold);
-  const numeric = resolveFiniteNumber(value, DEFAULT_AUTO_ROLL_SWITCH_THRESHOLD);
-  return clampNumber(numeric, sanitizedWarning + 1, AUTO_ROLL_SWITCH_MAX);
-}
-function sanitizeAutoRollThresholds(warningThreshold, switchThreshold) {
-  const sanitizedWarning = sanitizeAutoRollWarningThreshold(warningThreshold);
-  const sanitizedSwitch = sanitizeAutoRollSwitchThreshold(switchThreshold, sanitizedWarning);
-  return {
-    warningThreshold: sanitizedWarning,
-    switchThreshold: sanitizedSwitch
-  };
-}
-function normalizeAutoRollSettings(raw) {
-  const enabled = typeof raw?.enabled === "boolean" ? raw.enabled : DEFAULT_AUTO_ROLL_ENABLED;
-  const rawWarning = resolveFiniteNumber(
-    typeof raw?.warningThreshold === "number" ? raw.warningThreshold : Number.NaN,
-    DEFAULT_AUTO_ROLL_WARNING_THRESHOLD
-  );
-  const rawSwitch = resolveFiniteNumber(
-    typeof raw?.switchThreshold === "number" ? raw.switchThreshold : Number.NaN,
-    DEFAULT_AUTO_ROLL_SWITCH_THRESHOLD
-  );
-  const {
-    warningThreshold: normalizedWarning,
-    switchThreshold: normalizedSwitch
-  } = sanitizeAutoRollThresholds(rawWarning, rawSwitch);
-  return {
-    enabled,
-    warningThreshold: normalizedWarning,
-    switchThreshold: normalizedSwitch
-  };
-}
-
-// ../../packages/runtime-app-state/src/app/state.ts
-var import_node_fs3 = require("fs");
-var import_node_async_hooks = require("async_hooks");
-var import_node_path4 = __toESM(require("path"), 1);
-var import_node_os2 = __toESM(require("os"), 1);
-
-// ../../packages/contracts/src/settings/chat-scrollback.ts
-var CHAT_SCROLLBACK_DEFAULT = 200;
-var CHAT_SCROLLBACK_MIN = 50;
-var CHAT_SCROLLBACK_MAX = 5e3;
-function clampChatScrollbackItems(value) {
-  if (!Number.isFinite(value)) {
-    return CHAT_SCROLLBACK_DEFAULT;
-  }
-  const rounded = Math.round(value);
-  return Math.max(CHAT_SCROLLBACK_MIN, Math.min(CHAT_SCROLLBACK_MAX, rounded));
-}
-function normalizeChatHistoryScrollbackItems(value) {
-  if (value === null) {
-    return null;
-  }
-  if (typeof value === "number" && Number.isFinite(value)) {
-    return clampChatScrollbackItems(value);
-  }
-  if (typeof value === "string") {
-    const parsed = Number(value);
-    if (Number.isFinite(parsed)) {
-      return clampChatScrollbackItems(parsed);
-    }
-  }
-  return CHAT_SCROLLBACK_DEFAULT;
-}
-
-// ../../packages/contracts/src/settings/commit-message-prompt.ts
-var DEFAULT_COMMIT_MESSAGE_PROMPT = `Generate a concise git commit message for the following changes. Follow conventional commit format (e.g., feat:, fix:, refactor:, docs:, etc.). Keep the summary line under 72 characters. Only output the commit message, nothing else.
-
-Changes:
-{diff}`;
-function normalizeLineEndings(value) {
-  return value.replace(/\r\n/g, "\n");
-}
-function normalizeCommitMessagePrompt(value) {
-  if (typeof value !== "string") {
-    return null;
-  }
-  const normalized = normalizeLineEndings(value).trim();
-  return normalized.length > 0 ? normalized : null;
-}
-
-// ../../packages/runtime-app-state/src/storage/documents.ts
-var import_node_fs2 = require("fs");
-var import_node_path3 = __toESM(require("path"), 1);
-var APP_STORAGE_TABLE = "app_storage_documents";
-var APP_STORAGE_DB_DIR = "t3-projects";
-var APP_STORAGE_DB_NAME = "state.sqlite";
-var SQLITE_BUSY_TIMEOUT_MS = 5e3;
-var SQLITE_BUSY_MAX_ATTEMPTS = 3;
-var SQLITE_BUSY_RETRY_DELAY_MS = 100;
-var initializedDbPaths = /* @__PURE__ */ new Set();
-function isRecord(value) {
-  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
-}
-function clone(value) {
-  return JSON.parse(JSON.stringify(value));
-}
-function safeParseJson(raw) {
-  if (typeof raw !== "string" || raw.trim().length === 0) {
-    return null;
-  }
-  try {
-    return JSON.parse(raw);
-  } catch {
-    return null;
-  }
-}
-function sleep(ms) {
-  return new Promise((resolve) => setTimeout(resolve, ms));
-}
-function isSqliteBusyError(error) {
-  if (!error || typeof error !== "object") {
-    return false;
-  }
-  const sqliteError = error;
-  const message = typeof sqliteError.message === "string" ? sqliteError.message.toLowerCase() : "";
-  return sqliteError.code === "SQLITE_BUSY" || sqliteError.errno === 5 || message.includes("sqlite_busy") || message.includes("database is locked");
-}
-function beginImmediate(db) {
-  db.exec("BEGIN IMMEDIATE");
-}
-function commit(db) {
-  db.exec("COMMIT");
-}
-function rollback(db) {
-  try {
-    db.exec("ROLLBACK");
-  } catch {
+  writeQueueByDbPath.set(dbPath, current);
+  await previous;
+  try {
+    return await task();
+  } finally {
+    release?.();
+    if (writeQueueByDbPath.get(dbPath) === current) {
+      writeQueueByDbPath.delete(dbPath);
+    }
   }
 }
 function applyConnectionPragmas(db) {
@@ -2464,7 +2179,7 @@ function ensureSchema(db, dbPath) {
   initializedDbPaths.add(dbPath);
 }
 async function openDatabase(dbPath) {
-  await import_node_fs2.promises.mkdir(import_node_path3.default.dirname(dbPath), { recursive: true });
+  await import_node_fs.promises.mkdir(import_node_path.default.dirname(dbPath), { recursive: true });
   if (process.versions.bun !== void 0) {
     const sqlite2 = await Function("return import('bun:sqlite')")();
     const database2 = new sqlite2.Database(dbPath);
@@ -2501,7 +2216,7 @@ async function withDatabase(dbPath, task) {
   throw new Error("App storage database remained busy after retrying.");
 }
 function resolveAppStorageDbPath(userDataDir) {
-  return import_node_path3.default.join(userDataDir, APP_STORAGE_DB_DIR, APP_STORAGE_DB_NAME);
+  return import_node_path.default.join(userDataDir, APP_STORAGE_DB_DIR, APP_STORAGE_DB_NAME);
 }
 async function readDocument(dbPath, namespace, normalize) {
   return withDatabase(dbPath, (db) => {
@@ -2516,56 +2231,62 @@ async function readDocument(dbPath, namespace, normalize) {
   });
 }
 async function writeDocument(dbPath, namespace, value) {
-  return withDatabase(dbPath, (db) => {
-    const normalizedValue = clone(value);
-    beginImmediate(db);
-    try {
-      db.prepare(
-        `
-          INSERT INTO ${APP_STORAGE_TABLE} (namespace, value_json, updated_at)
-          VALUES (?, ?, ?)
-          ON CONFLICT(namespace)
-          DO UPDATE SET
-            value_json = excluded.value_json,
-            updated_at = excluded.updated_at
-        `
-      ).run(namespace, JSON.stringify(normalizedValue), (/* @__PURE__ */ new Date()).toISOString());
-      commit(db);
-      return normalizedValue;
-    } catch (error) {
-      rollback(db);
-      throw error;
-    }
-  });
+  return withWriteQueue(
+    dbPath,
+    async () => withDatabase(dbPath, (db) => {
+      const normalizedValue = clone(value);
+      beginImmediate(db);
+      try {
+        db.prepare(
+          `
+              INSERT INTO ${APP_STORAGE_TABLE} (namespace, value_json, updated_at)
+              VALUES (?, ?, ?)
+              ON CONFLICT(namespace)
+              DO UPDATE SET
+                value_json = excluded.value_json,
+                updated_at = excluded.updated_at
+            `
+        ).run(namespace, JSON.stringify(normalizedValue), (/* @__PURE__ */ new Date()).toISOString());
+        commit(db);
+        return normalizedValue;
+      } catch (error) {
+        rollback(db);
+        throw error;
+      }
+    })
+  );
 }
 async function updateDocument(input) {
-  return withDatabase(input.dbPath, (db) => {
-    beginImmediate(db);
-    try {
-      const row = db.prepare(
-        `SELECT value_json AS valueJson FROM ${APP_STORAGE_TABLE} WHERE namespace = ?`
-      ).get(input.namespace);
-      const current = isRecord(row) ? input.normalize(
-        safeParseJson(row.valueJson) ?? input.fallback()
-      ) : input.fallback();
-      const next = input.normalize(input.transform(clone(current)));
-      db.prepare(
-        `
-          INSERT INTO ${APP_STORAGE_TABLE} (namespace, value_json, updated_at)
-          VALUES (?, ?, ?)
-          ON CONFLICT(namespace)
-          DO UPDATE SET
-            value_json = excluded.value_json,
-            updated_at = excluded.updated_at
-        `
-      ).run(input.namespace, JSON.stringify(next), (/* @__PURE__ */ new Date()).toISOString());
-      commit(db);
-      return clone(next);
-    } catch (error) {
-      rollback(db);
-      throw error;
-    }
-  });
+  return withWriteQueue(
+    input.dbPath,
+    async () => withDatabase(input.dbPath, (db) => {
+      beginImmediate(db);
+      try {
+        const row = db.prepare(
+          `SELECT value_json AS valueJson FROM ${APP_STORAGE_TABLE} WHERE namespace = ?`
+        ).get(input.namespace);
+        const current = isRecord(row) ? input.normalize(
+          safeParseJson(row.valueJson) ?? input.fallback()
+        ) : input.fallback();
+        const next = input.normalize(input.transform(clone(current)));
+        db.prepare(
+          `
+              INSERT INTO ${APP_STORAGE_TABLE} (namespace, value_json, updated_at)
+              VALUES (?, ?, ?)
+              ON CONFLICT(namespace)
+              DO UPDATE SET
+                value_json = excluded.value_json,
+                updated_at = excluded.updated_at
+            `
+        ).run(input.namespace, JSON.stringify(next), (/* @__PURE__ */ new Date()).toISOString());
+        commit(db);
+        return clone(next);
+      } catch (error) {
+        rollback(db);
+        throw error;
+      }
+    })
+  );
 }
 
 // ../../packages/runtime-app-state/src/app/state.ts
@@ -2583,27 +2304,27 @@ function clone2(value) {
   return JSON.parse(JSON.stringify(value));
 }
 function resolveDefaultUserDataDir() {
-  const home = process.env.HOME || process.env.USERPROFILE || import_node_os2.default.homedir();
+  const home = process.env.HOME || process.env.USERPROFILE || import_node_os.default.homedir();
   if (!home) {
     throw new Error("Unable to resolve home directory for app state.");
   }
   if (process.platform === "darwin") {
-    return import_node_path4.default.join(home, "Library", "Application Support", APP_NAME);
+    return import_node_path2.default.join(home, "Library", "Application Support", APP_NAME);
   }
   if (process.platform === "win32") {
     const appData = process.env.APPDATA;
     if (appData) {
-      return import_node_path4.default.join(appData, APP_NAME);
+      return import_node_path2.default.join(appData, APP_NAME);
     }
-    return import_node_path4.default.join(home, "AppData", "Roaming", APP_NAME);
+    return import_node_path2.default.join(home, "AppData", "Roaming", APP_NAME);
   }
-  return import_node_path4.default.join(home, ".config", APP_NAME);
+  return import_node_path2.default.join(home, ".config", APP_NAME);
 }
 function getUserDataDir() {
   return configuredUserDataDir ?? resolveDefaultUserDataDir();
 }
 function resolveLegacyAppStatePath() {
-  return import_node_path4.default.join(getUserDataDir(), LEGACY_APP_STATE_FILE);
+  return import_node_path2.default.join(getUserDataDir(), LEGACY_APP_STATE_FILE);
 }
 function resolveStorageDbPath() {
   return resolveAppStorageDbPath(getUserDataDir());
@@ -2693,8 +2414,8 @@ function createDefaultAppState() {
       lastError: null,
       remoteUpdatedAt: null
     },
-    telemetry: {
-      installId: null,
+    analytics: {
+      anonymousId: null,
       enabled: true,
       lastFlushAt: null,
       lastError: null
@@ -2992,15 +2713,22 @@ function normalizeAppState(raw) {
   merged.sync.lastPullAt = asString(merged.sync.lastPullAt);
   merged.sync.lastError = asString(merged.sync.lastError);
   merged.sync.remoteUpdatedAt = asString(merged.sync.remoteUpdatedAt);
-  if (!isRecord2(merged.telemetry)) {
-    merged.telemetry = clone2(defaults.telemetry);
+  if (!isRecord2(merged.analytics)) {
+    merged.analytics = isRecord2(merged.telemetry) ? clone2(merged.telemetry) : clone2(defaults.analytics);
+  }
+  merged.analytics.anonymousId = asString(merged.analytics.anonymousId);
+  if (!merged.analytics.anonymousId) {
+    const legacyInstallId = asString(merged.telemetry?.installId);
+    merged.analytics.anonymousId = legacyInstallId;
   }
-  merged.telemetry.installId = asString(merged.telemetry.installId);
-  if (typeof merged.telemetry.enabled !== "boolean") {
-    merged.telemetry.enabled = true;
+  if (typeof merged.analytics.enabled !== "boolean") {
+    merged.analytics.enabled = true;
+  }
+  merged.analytics.lastFlushAt = asString(merged.analytics.lastFlushAt);
+  merged.analytics.lastError = asString(merged.analytics.lastError);
+  if ("telemetry" in merged) {
+    delete merged.telemetry;
   }
-  merged.telemetry.lastFlushAt = asString(merged.telemetry.lastFlushAt);
-  merged.telemetry.lastError = asString(merged.telemetry.lastError);
   if (!isRecord2(merged.profilesByName)) {
     merged.profilesByName = {};
   }
@@ -3050,7 +2778,7 @@ function deepMerge(base, patch) {
 async function readLegacyAppStateFromDisk() {
   const filePath = resolveLegacyAppStatePath();
   try {
-    const raw = await import_node_fs3.promises.readFile(filePath, "utf8");
+    const raw = await import_node_fs2.promises.readFile(filePath, "utf8");
     return normalizeAppState(JSON.parse(raw));
   } catch (error) {
     const code = error.code;
@@ -3130,38 +2858,146 @@ async function patchAppState(patch) {
   });
 }
 
-// ../../packages/runtime-codex/src/codex/settings.ts
-function asString2(value) {
-  if (typeof value !== "string") {
-    return null;
+// ../../packages/runtime-app-state/src/app/runtimeSettings.ts
+var LEGACY_APP_SETTINGS_KEYS = /* @__PURE__ */ new Set([
+  "backendMode",
+  "theme",
+  "commitMessageModelId",
+  "usageShowRemaining",
+  "remoteBackendProvider",
+  "remoteBackendHost",
+  "remoteBackendToken",
+  "remoteBackends",
+  "activeRemoteBackendId",
+  "keepDaemonRunningAfterAppClose"
+]);
+function asRecord(value) {
+  return value && typeof value === "object" ? value : {};
+}
+function stripLegacyAppSettingsKeys(settings) {
+  let changed = false;
+  const next = { ...settings };
+  for (const key of LEGACY_APP_SETTINGS_KEYS) {
+    if (!(key in next)) {
+      continue;
+    }
+    changed = true;
+    delete next[key];
   }
-  const trimmed = value.trim();
-  return trimmed.length > 0 ? trimmed : null;
+  return changed ? next : settings;
 }
-function isRecord3(value) {
-  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+async function readAppSettings() {
+  const appState = await getAppState();
+  return stripLegacyAppSettingsKeys(asRecord(appState.runtimeSettings));
 }
-function parseAutoRoll(raw) {
-  if (!raw) {
-    return null;
-  }
-  try {
-    return normalizeAutoRollSettings(raw);
-  } catch {
-    return null;
+async function writeAppSettings(settings, onUpdated) {
+  const nextSettings = stripLegacyAppSettingsKeys(asRecord(settings));
+  await updateAppState(
+    (current) => ({
+      ...current,
+      runtimeSettings: nextSettings
+    }),
+    {
+      mode: "replace",
+      allowBeforeMigrationComplete: false
+    }
+  );
+  if (onUpdated) {
+    try {
+      await onUpdated(nextSettings);
+    } catch (error) {
+      console.warn("Failed to apply runtime settings update hook:", error);
+    }
   }
+  return nextSettings;
 }
-function parseStoredLicense(raw) {
-  if (!isRecord3(raw)) {
-    return null;
-  }
-  const statusCandidate = asString2(raw.status);
-  const status = ["inactive", "active", "grace", "error"].includes(statusCandidate ?? "") ? statusCandidate : void 0;
-  const license = {
-    licenseKey: asString2(raw.licenseKey ?? raw.license_key),
-    purchaseEmail: asString2(raw.purchaseEmail ?? raw.purchase_email),
-    lastVerifiedAt: asString2(raw.lastVerifiedAt ?? raw.last_verified_at),
-    nextCheckAt: asString2(raw.nextCheckAt ?? raw.next_check_at),
+
+// ../../packages/runtime-profiles/src/license/service.ts
+var import_node_crypto2 = __toESM(require("crypto"), 1);
+
+// ../../packages/contracts/src/settings/auto-roll.ts
+var DEFAULT_AUTO_ROLL_ENABLED = false;
+var DEFAULT_AUTO_ROLL_WARNING_THRESHOLD = 85;
+var DEFAULT_AUTO_ROLL_SWITCH_THRESHOLD = 95;
+var AUTO_ROLL_WARNING_MIN = 50;
+var AUTO_ROLL_WARNING_MAX = 99;
+var AUTO_ROLL_SWITCH_MAX = 100;
+function clampNumber(value, min, max) {
+  return Math.min(max, Math.max(min, value));
+}
+function resolveFiniteNumber(value, fallback) {
+  return Number.isFinite(value) ? value : fallback;
+}
+function sanitizeAutoRollWarningThreshold(value) {
+  const numeric = resolveFiniteNumber(value, DEFAULT_AUTO_ROLL_WARNING_THRESHOLD);
+  return clampNumber(numeric, AUTO_ROLL_WARNING_MIN, AUTO_ROLL_WARNING_MAX);
+}
+function sanitizeAutoRollSwitchThreshold(value, warningThreshold) {
+  const sanitizedWarning = sanitizeAutoRollWarningThreshold(warningThreshold);
+  const numeric = resolveFiniteNumber(value, DEFAULT_AUTO_ROLL_SWITCH_THRESHOLD);
+  return clampNumber(numeric, sanitizedWarning + 1, AUTO_ROLL_SWITCH_MAX);
+}
+function sanitizeAutoRollThresholds(warningThreshold, switchThreshold) {
+  const sanitizedWarning = sanitizeAutoRollWarningThreshold(warningThreshold);
+  const sanitizedSwitch = sanitizeAutoRollSwitchThreshold(switchThreshold, sanitizedWarning);
+  return {
+    warningThreshold: sanitizedWarning,
+    switchThreshold: sanitizedSwitch
+  };
+}
+function normalizeAutoRollSettings(raw) {
+  const enabled = typeof raw?.enabled === "boolean" ? raw.enabled : DEFAULT_AUTO_ROLL_ENABLED;
+  const rawWarning = resolveFiniteNumber(
+    typeof raw?.warningThreshold === "number" ? raw.warningThreshold : Number.NaN,
+    DEFAULT_AUTO_ROLL_WARNING_THRESHOLD
+  );
+  const rawSwitch = resolveFiniteNumber(
+    typeof raw?.switchThreshold === "number" ? raw.switchThreshold : Number.NaN,
+    DEFAULT_AUTO_ROLL_SWITCH_THRESHOLD
+  );
+  const {
+    warningThreshold: normalizedWarning,
+    switchThreshold: normalizedSwitch
+  } = sanitizeAutoRollThresholds(rawWarning, rawSwitch);
+  return {
+    enabled,
+    warningThreshold: normalizedWarning,
+    switchThreshold: normalizedSwitch
+  };
+}
+
+// ../../packages/runtime-codex/src/codex/settings.ts
+function asString2(value) {
+  if (typeof value !== "string") {
+    return null;
+  }
+  const trimmed = value.trim();
+  return trimmed.length > 0 ? trimmed : null;
+}
+function isRecord3(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function parseAutoRoll(raw) {
+  if (!raw) {
+    return null;
+  }
+  try {
+    return normalizeAutoRollSettings(raw);
+  } catch {
+    return null;
+  }
+}
+function parseStoredLicense(raw) {
+  if (!isRecord3(raw)) {
+    return null;
+  }
+  const statusCandidate = asString2(raw.status);
+  const status = ["inactive", "active", "grace", "error"].includes(statusCandidate ?? "") ? statusCandidate : void 0;
+  const license = {
+    licenseKey: asString2(raw.licenseKey ?? raw.license_key),
+    purchaseEmail: asString2(raw.purchaseEmail ?? raw.purchase_email),
+    lastVerifiedAt: asString2(raw.lastVerifiedAt ?? raw.last_verified_at),
+    nextCheckAt: asString2(raw.nextCheckAt ?? raw.next_check_at),
     lastVerificationError: asString2(raw.lastVerificationError ?? raw.last_verification_error),
     status,
     signature: asString2(raw.signature)
@@ -3280,25 +3116,45 @@ async function writeCodexSettingsJsonRaw(payload) {
 }
 
 // ../../packages/runtime-profiles/src/license/secret.ts
-var import_node_crypto2 = __toESM(require("crypto"), 1);
+var import_node_fs3 = require("fs");
+var import_node_crypto = __toESM(require("crypto"), 1);
+var import_node_path3 = __toESM(require("path"), 1);
 var LICENSE_SECRET_DOCUMENT = "desktop.license-secret";
+var LEGACY_LICENSE_SECRET_FILE = "license.secret";
 async function generateSecret() {
-  return import_node_crypto2.default.randomBytes(32).toString("hex");
+  return import_node_crypto.default.randomBytes(32).toString("hex");
+}
+function normalizeSecret(value) {
+  return typeof value === "string" ? value.trim() : "";
+}
+async function readLegacyLicenseSecret() {
+  const legacyPath = import_node_path3.default.join(getUserDataDir(), LEGACY_LICENSE_SECRET_FILE);
+  try {
+    return normalizeSecret(await import_node_fs3.promises.readFile(legacyPath, "utf8"));
+  } catch (error) {
+    if (error.code === "ENOENT") {
+      return "";
+    }
+    throw error;
+  }
+}
+async function persistLicenseSecret(dbPath, secret) {
+  await writeDocument(dbPath, LICENSE_SECRET_DOCUMENT, secret);
+  return secret;
 }
 async function getLicenseSecret() {
   const dbPath = resolveAppStorageDbPath(getUserDataDir());
-  const existing = await readDocument(
-    dbPath,
-    LICENSE_SECRET_DOCUMENT,
-    (value) => typeof value === "string" ? value.trim() : ""
-  );
-  const normalizedExisting = typeof existing === "string" ? existing.trim() : "";
+  const existing = await readDocument(dbPath, LICENSE_SECRET_DOCUMENT, normalizeSecret);
+  const normalizedExisting = normalizeSecret(existing);
   if (normalizedExisting.length > 0) {
     return normalizedExisting;
   }
+  const legacySecret = await readLegacyLicenseSecret();
+  if (legacySecret.length > 0) {
+    return persistLicenseSecret(dbPath, legacySecret);
+  }
   const secret = await generateSecret();
-  await writeDocument(dbPath, LICENSE_SECRET_DOCUMENT, secret);
-  return secret;
+  return persistLicenseSecret(dbPath, secret);
 }
 
 // ../../packages/contracts/src/license/offer-config.ts
@@ -3403,7 +3259,7 @@ function licenseSignaturePayload(license) {
   return JSON.stringify(payload);
 }
 function signLicense(license, secret) {
-  return import_node_crypto3.default.createHmac("sha256", secret).update(licenseSignaturePayload(license)).digest("hex");
+  return import_node_crypto2.default.createHmac("sha256", secret).update(licenseSignaturePayload(license)).digest("hex");
 }
 function withSignature(license, secret) {
   return {
@@ -3629,7 +3485,7 @@ var LicenseService = class {
       throw new Error("License key is required.");
     }
     const secret = await getLicenseSecret();
-    const digest = import_node_crypto3.default.createHash("sha256").update(trimmed).digest("hex");
+    const digest = import_node_crypto2.default.createHash("sha256").update(trimmed).digest("hex");
     const result = await requestGumroadVerify(trimmed, "activation");
     ensureWithinUseLimit(result);
     const normalized = normalizeVerificationResult(result);
@@ -3672,149 +3528,80 @@ var LicenseService = class {
 };
 var licenseService = new LicenseService();
 
-// src/app/help.ts
-function printHelp(version) {
-  console.log(`CodexUse CLI v${version}
-
-Usage:
-  codexuse profile list [--no-usage] [--compact]
-  codexuse profile current
-  codexuse profile add <name> [--skip-login] [--device-auth] [--login=browser|device]
-  codexuse profile refresh <name> [--skip-login] [--device-auth] [--login=browser|device]
-  codexuse profile switch <name>
-  codexuse profile autoroll [--threshold=50-100] [--dry-run] [--watch] [--interval=seconds]
-  codexuse profile delete <name>
-  codexuse profile rename <old> <new>
-
-  codexuse license status [--refresh]
-  codexuse license activate <license-key>
-
-  codexuse sync status
-  codexuse sync pull
-  codexuse sync push
-
-  codexuse daemon start [--telegram-bot-token=<token>] [--project-path=/abs/path]
+// ../../packages/runtime-profiles/src/profiles/profile-manager.ts
+var import_node_crypto3 = require("crypto");
+var import_fs = require("fs");
+var import_path = __toESM(require("path"), 1);
+var import_path2 = require("path");
+var import_toml = __toESM(require_toml(), 1);
 
-Flags:
-  -h, --help       Show help
-  -v, --version    Show version
-  --no-usage       Skip rate-limit usage fetch
-  --compact        Names only
-  --device-auth    Use device auth for Codex login
-  --login=MODE     Login mode: browser | device
-  --threshold=NN   Auto-roll switch threshold percent (50-100)
-  --watch          Keep checking and auto-switch when threshold is reached
-  --interval=SEC   Watch interval in seconds (default: 30)
-  --dry-run        Print planned switch without changing active profile
-  --telegram-bot-token=TOKEN   Enable Telegram remote control for daemon mode
-  --project-path=PATH          Optional path to bootstrap as the default Projects root in daemon mode
-`);
+// ../../packages/contracts/src/profiles/identity.ts
+function normalizeValue(value) {
+  if (typeof value !== "string") {
+    return null;
+  }
+  const trimmed = value.trim();
+  return trimmed.length > 0 ? trimmed : null;
 }
-
-// src/platform/args.ts
-var DEFAULT_AUTOROLL_INTERVAL_SECONDS = 30;
-var DEFAULT_AUTOROLL_THRESHOLD = 95;
-function hasFlag2(args, flag) {
-  return args.includes(flag);
+function normalizeEmail(value) {
+  const normalized = normalizeValue(value);
+  return normalized ? normalized.toLowerCase() : null;
 }
-function stripFlags2(args) {
-  return args.filter((arg) => !arg.startsWith("-"));
+function encodeIdentityPart(value) {
+  return encodeURIComponent(value);
 }
-function parseLoginMode(flags) {
-  if (flags.includes("--device-auth")) return "device";
-  const explicit = flags.find((flag) => flag.startsWith("--login="));
-  if (!explicit) return null;
-  const value = explicit.split("=")[1];
-  if (value === "browser" || value === "device") {
-    return value;
+function resolveLegacyProfileAccountKey(profile) {
+  const accountId = normalizeValue(profile.accountId);
+  if (accountId) {
+    return accountId;
   }
-  return null;
-}
-function parseNumericFlag(flags, name) {
-  const explicit = flags.find((flag) => flag.startsWith(`${name}=`));
-  if (!explicit) {
-    return null;
+  const email = normalizeValue(profile.email ?? profile.metadata?.email);
+  if (email) {
+    return email;
   }
-  const raw = explicit.slice(`${name}=`.length);
-  const value = Number.parseFloat(raw);
-  return Number.isFinite(value) ? value : Number.NaN;
+  const profileName = normalizeValue(profile.name);
+  return profileName ? `profile:${profileName}` : null;
 }
-function parseIntegerFlag(flags, name) {
-  const explicit = flags.find((flag) => flag.startsWith(`${name}=`));
-  if (!explicit) {
-    return null;
+function resolveProfileIdentityKey(profile) {
+  const workspaceId = normalizeValue(profile.workspaceId);
+  const accountUserId = normalizeValue(profile.metadata?.chatgptAccountUserId);
+  if (accountUserId) {
+    return `seat:${encodeIdentityPart(accountUserId)}`;
   }
-  const raw = explicit.slice(`${name}=`.length);
-  const value = Number.parseInt(raw, 10);
-  return Number.isFinite(value) ? value : Number.NaN;
-}
-
-// src/commands/license.ts
-async function handleLicense(args, version) {
-  const flags = args.filter((arg) => arg.startsWith("-"));
-  const params = stripFlags2(args);
-  const sub = params[0];
-  if (!sub || hasFlag2(flags, "--help") || hasFlag2(flags, "-h")) {
-    printHelp(version);
-    return;
+  const userId = normalizeValue(profile.metadata?.userId) ?? normalizeValue(profile.metadata?.chatgptUserId);
+  if (workspaceId && userId) {
+    return `workspace-user:${encodeIdentityPart(workspaceId)}|${encodeIdentityPart(userId)}`;
   }
-  switch (sub) {
-    case "status": {
-      const forceRefresh = hasFlag2(flags, "--refresh");
-      const status = await licenseService.getStatus({ forceRefresh });
-      console.log(`Tier: ${status.tier}`);
-      console.log(`State: ${status.state}`);
-      if (status.profileLimit !== null) {
-        console.log(`Profile limit: ${status.profileLimit}`);
-      }
-      if (status.profilesRemaining !== null) {
-        console.log(`Profiles remaining: ${status.profilesRemaining}`);
-      }
-      if (status.purchaseEmail) {
-        console.log(`Email: ${status.purchaseEmail}`);
-      }
-      if (status.maskedLicenseKey) {
-        console.log(`License: ${status.maskedLicenseKey}`);
-      }
-      if (status.message) {
-        console.log(`Message: ${status.message}`);
-      }
-      if (status.error) {
-        console.log(`Error: ${status.error}`);
-      }
-      return;
-    }
-    case "activate": {
-      const key = params[1];
-      if (!key) {
-        throw new Error("License key is required.");
-      }
-      const status = await licenseService.activate(key);
-      console.log(status.message ?? "License activated.");
-      return;
-    }
-    default:
-      printHelp(version);
+  const accountId = normalizeValue(profile.accountId);
+  if (accountId) {
+    return accountId;
+  }
+  const email = normalizeEmail(profile.email ?? profile.metadata?.email);
+  if (workspaceId && email) {
+    return `workspace-email:${encodeIdentityPart(workspaceId)}|${encodeIdentityPart(email)}`;
+  }
+  if (userId) {
+    return `user:${encodeIdentityPart(userId)}`;
+  }
+  if (email) {
+    return `email:${encodeIdentityPart(email)}`;
   }
+  return resolveLegacyProfileAccountKey(profile);
+}
+function resolveProfileIdentityKeyFromProfile(profile) {
+  return resolveProfileIdentityKey(profile) ?? `profile:${profile.name}`;
 }
-
-// ../../packages/runtime-profiles/src/profiles/profile-manager.ts
-var import_node_crypto4 = require("crypto");
-var import_fs = require("fs");
-var import_path = __toESM(require("path"), 1);
-var import_path2 = require("path");
-var import_toml = __toESM(require_toml(), 1);
 
 // ../../packages/runtime-codex/src/codex/rpc.ts
-var import_node_child_process3 = require("child_process");
+var import_node_child_process2 = require("child_process");
 var import_node_readline = __toESM(require("readline"), 1);
 var import_node_fs5 = require("fs");
-var import_node_os3 = __toESM(require("os"), 1);
+var import_node_os2 = __toESM(require("os"), 1);
 var import_node_path6 = __toESM(require("path"), 1);
 
 // ../../packages/runtime-codex/src/codex/cli.ts
 var import_node_fs4 = require("fs");
-var import_node_path5 = __toESM(require("path"), 1);
+var import_node_path4 = __toESM(require("path"), 1);
 var STABLE_CHANNEL = "stable";
 var ENV_HINTS = ["CODEX_BINARY", "CODEX_CLI_PATH", "CODEX_PATH"];
 var cachedStatus = null;
@@ -3822,7 +3609,7 @@ function fileExists(candidate) {
   if (!candidate) {
     return null;
   }
-  const normalized = import_node_path5.default.resolve(candidate);
+  const normalized = import_node_path4.default.resolve(candidate);
   try {
     const stats = (0, import_node_fs4.statSync)(normalized);
     if (stats.isFile()) {
@@ -3850,11 +3637,11 @@ function resolveCodexFromPath() {
   if (!pathValue) {
     return null;
   }
-  const entries = pathValue.split(import_node_path5.default.delimiter).map((entry) => entry.trim()).filter(Boolean);
+  const entries = pathValue.split(import_node_path4.default.delimiter).map((entry) => entry.trim()).filter(Boolean);
   const names = process.platform === "win32" ? ["codex.exe", "codex.cmd", "codex.bat", "codex"] : ["codex"];
   for (const entry of entries) {
     for (const name of names) {
-      const candidate = fileExists(import_node_path5.default.join(entry, name));
+      const candidate = fileExists(import_node_path4.default.join(entry, name));
       if (candidate) {
         return candidate;
       }
@@ -3917,21 +3704,89 @@ async function requireCodexCli() {
   return status.path;
 }
 
-// ../../packages/shared/src/core/logger.ts
-var isTestEnv = process.env.NODE_ENV === "test" || process.env.VITEST === "true" || process.env.VITEST === "1";
-function isMocked(fn) {
-  return Boolean(fn && typeof fn === "function" && "mock" in fn);
-}
-function logWarn(...args) {
-  if (isTestEnv && !isMocked(console.warn)) {
-    return;
-  }
-  console.warn(...args);
-}
-function logError(...args) {
-  if (isTestEnv && !isMocked(console.error)) {
-    return;
-  }
+// ../../packages/runtime-codex/src/codex/command.ts
+var import_node_child_process = require("child_process");
+var import_node_path5 = __toESM(require("path"), 1);
+var cachedNodeRuntime = null;
+function isJavaScriptEntrypoint(binaryPath) {
+  const normalized = binaryPath.trim().toLowerCase();
+  return normalized.endsWith(".js") || normalized.endsWith(".mjs") || normalized.endsWith(".cjs");
+}
+function resolveNodeRuntime(env) {
+  const override = env?.CODEX_NODE_RUNTIME?.trim() || env?.CODEX_NODE_BIN?.trim() || env?.CODEX_NODE?.trim() || process.env.CODEX_NODE_RUNTIME?.trim() || process.env.CODEX_NODE_BIN?.trim() || process.env.CODEX_NODE?.trim() || null;
+  if (override) {
+    return override;
+  }
+  if (cachedNodeRuntime) {
+    return cachedNodeRuntime;
+  }
+  const runtimeEnv = { ...process.env, ...env };
+  const homeDir = runtimeEnv.HOME ?? runtimeEnv.USERPROFILE ?? "";
+  const pathHints = (runtimeEnv.CODEX_PATH_HINTS ?? process.env.CODEX_PATH_HINTS ?? "").split(import_node_path5.default.delimiter).map((entry) => entry.trim()).filter(Boolean);
+  const extraPathEntries = [
+    "/usr/local/bin",
+    "/opt/homebrew/bin",
+    import_node_path5.default.join(homeDir, ".local", "bin"),
+    import_node_path5.default.join(homeDir, ".fnm", "aliases", "default", "bin"),
+    import_node_path5.default.join(homeDir, ".fnm", "current", "bin"),
+    ...pathHints
+  ].filter(Boolean);
+  const currentPath = runtimeEnv.PATH ?? "";
+  runtimeEnv.PATH = Array.from(
+    /* @__PURE__ */ new Set([...extraPathEntries, ...currentPath.split(import_node_path5.default.delimiter).filter(Boolean)])
+  ).join(import_node_path5.default.delimiter);
+  const candidates = Array.from(
+    new Set(
+      [
+        runtimeEnv.CODEX_NODE_RUNTIME?.trim(),
+        runtimeEnv.CODEX_NODE_BIN?.trim(),
+        runtimeEnv.CODEX_NODE?.trim(),
+        "/opt/homebrew/bin/node",
+        "/usr/local/bin/node",
+        "node"
+      ].filter((candidate) => typeof candidate === "string" && candidate.length > 0)
+    )
+  );
+  for (const candidate of candidates) {
+    const probe = (0, import_node_child_process.spawnSync)(candidate, ["-v"], { env: runtimeEnv, stdio: "ignore" });
+    if (!probe.error && probe.status === 0) {
+      cachedNodeRuntime = candidate;
+      return candidate;
+    }
+  }
+  cachedNodeRuntime = process.execPath;
+  return process.execPath;
+}
+function buildCodexCommand(binaryPath, args, env) {
+  if (isJavaScriptEntrypoint(binaryPath)) {
+    return {
+      command: resolveNodeRuntime(env),
+      args: [binaryPath, ...args],
+      shell: false
+    };
+  }
+  return {
+    command: binaryPath,
+    args: [...args],
+    shell: process.platform === "win32"
+  };
+}
+
+// ../../packages/shared/src/core/logger.ts
+var isTestEnv = process.env.NODE_ENV === "test" || process.env.VITEST === "true" || process.env.VITEST === "1";
+function isMocked(fn) {
+  return Boolean(fn && typeof fn === "function" && "mock" in fn);
+}
+function logWarn(...args) {
+  if (isTestEnv && !isMocked(console.warn)) {
+    return;
+  }
+  console.warn(...args);
+}
+function logError(...args) {
+  if (isTestEnv && !isMocked(console.error)) {
+    return;
+  }
   console.error(...args);
 }
 function logInfo(...args) {
@@ -4138,11 +3993,11 @@ function parseRateLimitSnapshotFromRpcMessage(message) {
 }
 async function fetchRateLimitsViaRpc(envOverride, options = {}) {
   const binaryPath = options.codexPath ?? await requireCodexCli();
-  const tempHome = await import_node_fs5.promises.mkdtemp(import_node_path6.default.join(import_node_os3.default.tmpdir(), "codex-rpc-"));
+  const tempHome = await import_node_fs5.promises.mkdtemp(import_node_path6.default.join(import_node_os2.default.tmpdir(), "codex-rpc-"));
   const tempAuthPath = import_node_path6.default.join(tempHome, "auth.json");
   let initialSourceAuth = null;
   const sourceAuthPath = options.authPath ?? (envOverride?.CODEX_HOME ? import_node_path6.default.join(envOverride.CODEX_HOME, "auth.json") : import_node_path6.default.join(
-    envOverride?.HOME ?? process.env.HOME ?? process.env.USERPROFILE ?? import_node_os3.default.homedir(),
+    envOverride?.HOME ?? process.env.HOME ?? process.env.USERPROFILE ?? import_node_os2.default.homedir(),
     ".codex",
     "auth.json"
   ));
@@ -4157,17 +4012,24 @@ async function fetchRateLimitsViaRpc(envOverride, options = {}) {
     });
     return null;
   }
-  const child = (0, import_node_child_process3.spawn)(process.execPath, [binaryPath, "-s", "read-only", "-a", "untrusted", "app-server"], {
+  const childEnv = {
+    ...process.env,
+    ...envOverride ?? {},
+    HOME: tempHome,
+    USERPROFILE: tempHome,
+    CODEX_HOME: tempHome,
+    CODEX_TELEMETRY_LABEL: "codex-rpc",
+    ELECTRON_RUN_AS_NODE: "1"
+  };
+  const command = buildCodexCommand(
+    binaryPath,
+    ["-s", "read-only", "-a", "untrusted", "app-server"],
+    childEnv
+  );
+  const child = (0, import_node_child_process2.spawn)(command.command, command.args, {
     stdio: ["pipe", "pipe", "pipe"],
-    env: {
-      ...process.env,
-      ...envOverride ?? {},
-      HOME: tempHome,
-      USERPROFILE: tempHome,
-      CODEX_HOME: tempHome,
-      CODEX_TELEMETRY_LABEL: "codex-rpc",
-      ELECTRON_RUN_AS_NODE: "1"
-    }
+    env: childEnv,
+    shell: command.shell
   });
   const rl = import_node_readline.default.createInterface({
     input: child.stdout,
@@ -4467,7 +4329,7 @@ var ProfileManager = class {
         workspaceId: null
       };
     }
-    const fingerprint = (0, import_node_crypto4.createHash)("sha256").update(trimmed).digest("hex");
+    const fingerprint = (0, import_node_crypto3.createHash)("sha256").update(trimmed).digest("hex");
     try {
       const parsed = JSON.parse(trimmed);
       const normalized = this.normalizeProfileData(parsed);
@@ -4735,6 +4597,7 @@ var ProfileManager = class {
       groups,
       userId,
       chatgptUserId,
+      chatgptAccountUserId,
       emailVerified,
       tokenExpiresAt: this.toIsoStringFromSeconds(exp),
       tokenIssuedAt: this.toIsoStringFromSeconds(iat),
@@ -4742,7 +4605,7 @@ var ProfileManager = class {
     };
     const hasMeaningfulData = Boolean(metadata.planType) || Boolean(
       metadata.subscription && (metadata.subscription.activeStart || metadata.subscription.activeUntil || metadata.subscription.lastChecked)
-    ) || Boolean(metadata.organizations && metadata.organizations.length > 0) || Boolean(metadata.groups && metadata.groups.length > 0) || Boolean(metadata.userId) || Boolean(metadata.chatgptUserId) || Boolean(metadata.email) || typeof metadata.emailVerified === "boolean" || Boolean(metadata.tokenExpiresAt) || Boolean(metadata.tokenIssuedAt) || Boolean(metadata.tokenAuthTime);
+    ) || Boolean(metadata.organizations && metadata.organizations.length > 0) || Boolean(metadata.groups && metadata.groups.length > 0) || Boolean(metadata.userId) || Boolean(metadata.chatgptUserId) || Boolean(metadata.chatgptAccountUserId) || Boolean(metadata.email) || typeof metadata.emailVerified === "boolean" || Boolean(metadata.tokenExpiresAt) || Boolean(metadata.tokenIssuedAt) || Boolean(metadata.tokenAuthTime);
     return hasMeaningfulData ? metadata : void 0;
   }
   /**
@@ -4858,13 +4721,35 @@ var ProfileManager = class {
         return accountId.trim();
       }
     }
-    const projectId = "project_id" in data && typeof data.project_id === "string" ? data.project_id?.trim() : void 0;
-    if (projectId) {
-      return projectId;
-    }
     const email = "email" in data && typeof data.email === "string" ? data.email?.trim() : void 0;
     return email || void 0;
   }
+  resolveProfileIdentityKey(args) {
+    return resolveProfileIdentityKey(args);
+  }
+  resolveLegacyAccountKey(args) {
+    return resolveLegacyProfileAccountKey(args);
+  }
+  resolveProfileIdentityFromData(name, data, metadata) {
+    const resolvedMetadata = metadata ?? this.extractProfileMetadata(data);
+    const workspace = this.resolveWorkspaceIdentity(data, resolvedMetadata);
+    const email = this.resolveProfileEmail(data, resolvedMetadata) ?? null;
+    return this.resolveProfileIdentityKey({
+      name,
+      accountId: this.getAccountIdFromData(data) ?? null,
+      workspaceId: workspace.id ?? null,
+      email,
+      metadata: resolvedMetadata
+    });
+  }
+  resolveProfileIdentityFromRecord(record) {
+    return this.resolveProfileIdentityFromData(record.name, record.data, record.metadata) ?? this.resolveLegacyAccountKey({
+      name: record.name,
+      accountId: record.accountId,
+      email: record.email,
+      metadata: record.metadata
+    }) ?? resolveFallbackAccountKey(record.name);
+  }
   resolveWorkspaceIdentity(data, metadata) {
     const directId = "workspace_id" in data && typeof data.workspace_id === "string" ? data.workspace_id.trim() : void 0;
     const directName = "workspace_name" in data && typeof data.workspace_name === "string" ? data.workspace_name.trim() : void 0;
@@ -4885,12 +4770,9 @@ var ProfileManager = class {
     const record = await this.readProfileRecord(normalized);
     return record ?? void 0;
   }
-  async getProfileRowByAccountId(accountId, options) {
+  async getProfileRowByIdentityKey(identityKey, options) {
     const records = await this.listProfileRecords();
-    const matches = records.filter((record) => {
-      const storedAccountId = record.accountId ?? this.getAccountIdFromData(record.data);
-      return storedAccountId === accountId;
-    });
+    const matches = records.filter((record) => this.resolveProfileIdentityFromRecord(record) === identityKey);
     if (matches.length === 0) {
       return void 0;
     }
@@ -4904,12 +4786,11 @@ var ProfileManager = class {
     }
     return matches[0];
   }
-  async getProfileRowByAccountAndWorkspace(accountId, workspaceId, options) {
+  async getProfileRowByIdentityAndWorkspace(identityKey, workspaceId, options) {
     const workspaceKey = workspaceId && workspaceId.trim().length > 0 ? workspaceId.trim() : DEFAULT_WORKSPACE_ID;
     const records = await this.listProfileRecords();
     const matches = records.filter((record) => {
-      const storedAccountId = record.accountId ?? this.getAccountIdFromData(record.data);
-      if (storedAccountId !== accountId) {
+      if (this.resolveProfileIdentityFromRecord(record) !== identityKey) {
         return false;
       }
       const storedWorkspace = record.workspaceId ?? record.data.workspace_id ?? DEFAULT_WORKSPACE_ID;
@@ -5187,11 +5068,17 @@ var ProfileManager = class {
     if (latestRow) {
       existing = latestRow.data;
     }
-    const existingAccountId = this.getAccountIdFromData(existing);
-    const newAccountId = this.getAccountIdFromData(normalized);
-    if (existingAccountId && newAccountId && existingAccountId !== newAccountId) {
+    const existingMetadata = this.extractProfileMetadata(existing);
+    const existingWorkspace = this.resolveWorkspaceIdentity(existing, existingMetadata);
+    existing.workspace_id = existing.workspace_id ?? existingWorkspace.id ?? DEFAULT_WORKSPACE_ID;
+    if (existingWorkspace.name) {
+      existing.workspace_name = existing.workspace_name ?? existingWorkspace.name;
+    }
+    const existingIdentity = this.resolveProfileIdentityFromData(profileName, existing, existingMetadata);
+    const nextIdentity = this.resolveProfileIdentityFromData(profileName, normalized, metadata);
+    if (existingIdentity && nextIdentity && existingIdentity !== nextIdentity) {
       logWarn(
-        `Skipped syncing tokens for profile '${profileName}' because Codex auth switched to account '${newAccountId}'.`
+        `Skipped syncing tokens for profile '${profileName}' because Codex auth switched to a different OpenAI identity.`
       );
       return;
     }
@@ -5338,6 +5225,66 @@ var ProfileManager = class {
       }
     }
   }
+  async prepareProfileRuntime(name) {
+    return this.enqueueProfileOperation(
+      name,
+      () => this.enqueueAuthSwap(async () => {
+        await this.initialize();
+        const profileName = this.normalizeProfileName(name);
+        const record = await this.getProfileRowByName(profileName);
+        if (!record) {
+          throw new Error(`Profile '${profileName}' not found!`);
+        }
+        let profileData = record.data;
+        await this.syncProfileTokensFromActiveAuth(profileName, profileData);
+        const updatedRecord = await this.getProfileRowByName(profileName);
+        if (updatedRecord) {
+          profileData = updatedRecord.data;
+        }
+        if (profileData.auth_method && profileData.auth_method !== "codex-cli") {
+          throw new Error("Unsupported auth method. Codex CLI profiles only.");
+        }
+        const codexFormat = this.convertToCodexFormat(profileData);
+        const profileHome = await this.prepareProfileHome(profileName, codexFormat);
+        return {
+          profileHome,
+          env: {
+            ...process.env,
+            HOME: profileHome,
+            USERPROFILE: profileHome,
+            CODEX_HOME: profileHome
+          }
+        };
+      })
+    );
+  }
+  async syncProfileRuntime(name, profileHome) {
+    return this.enqueueProfileOperation(
+      name,
+      () => this.enqueueAuthSwap(async () => {
+        await this.initialize();
+        const profileName = this.normalizeProfileName(name);
+        const record = await this.getProfileRowByName(profileName);
+        if (!record) {
+          throw new Error(`Profile '${profileName}' not found!`);
+        }
+        const authPath = import_path.default.join(profileHome ?? this.getProfileHomePath(profileName), "auth.json");
+        let finalAuthContent = null;
+        try {
+          finalAuthContent = await import_fs.promises.readFile(authPath, "utf8");
+        } catch (error) {
+          if (!this.isNotFoundError(error)) {
+            logWarn(`Failed to read isolated auth for '${profileName}' while syncing runtime:`, error);
+          }
+        }
+        if (finalAuthContent) {
+          await this.syncProfileTokensFromAuthContent(profileName, record.data, finalAuthContent);
+          return;
+        }
+        await this.syncProfileTokensFromActiveAuth(profileName, record.data, authPath);
+      })
+    );
+  }
   /**
    * Create a new profile by running codex login
    */
@@ -5367,15 +5314,6 @@ var ProfileManager = class {
     if (workspace.name) {
       normalizedProfile.workspace_name = normalizedProfile.workspace_name ?? workspace.name;
     }
-    const accountId = this.getAccountIdFromData(normalizedProfile);
-    if (accountId) {
-      const requestedWorkspace = normalizedProfile.workspace_id ?? DEFAULT_WORKSPACE_ID;
-      const duplicate = await this.getProfileRowByAccountAndWorkspace(accountId, requestedWorkspace, { authMethod: "codex-cli" });
-      if (duplicate) {
-        normalizedProfile.workspace_id = `${requestedWorkspace}:${profileName}`;
-        normalizedProfile.workspace_name = normalizedProfile.workspace_name ?? profileName;
-      }
-    }
     const resolvedEmail = this.resolveProfileEmail(normalizedProfile, metadata);
     if (resolvedEmail) {
       normalizedProfile.email = resolvedEmail;
@@ -5430,25 +5368,30 @@ var ProfileManager = class {
       throw new Error("Failed to read Codex auth file. Complete the login and try again.");
     }
     const normalized = this.normalizeProfileData(activeAuth);
-    const existingAccountId = this.getAccountIdFromData(existing);
-    const newAccountId = this.getAccountIdFromData(normalized);
+    const existingMetadata = record.metadata ?? this.extractProfileMetadata(existing);
+    const currentWorkspace = this.resolveWorkspaceIdentity(existing, existingMetadata);
+    existing.workspace_id = existing.workspace_id ?? currentWorkspace.id ?? DEFAULT_WORKSPACE_ID;
+    if (currentWorkspace.name) {
+      existing.workspace_name = existing.workspace_name ?? currentWorkspace.name;
+    }
     const normalizedMetadata = this.extractProfileMetadata(normalized);
     const normalizedWorkspace = this.resolveWorkspaceIdentity(normalized, normalizedMetadata);
     normalized.workspace_id = normalized.workspace_id ?? normalizedWorkspace.id ?? DEFAULT_WORKSPACE_ID;
     if (normalizedWorkspace.name) {
       normalized.workspace_name = normalized.workspace_name ?? normalizedWorkspace.name;
     }
-    if (existingAccountId && newAccountId && existingAccountId !== newAccountId) {
+    const existingIdentity = this.resolveProfileIdentityFromData(profileName, existing, existingMetadata);
+    const newIdentity = this.resolveProfileIdentityFromData(profileName, normalized, normalizedMetadata);
+    if (existingIdentity && newIdentity && existingIdentity !== newIdentity) {
       throw new Error(
-        `Active Codex login is for account '${newAccountId}', but profile '${profileName}' is tied to '${existingAccountId}'. Create a new profile for the new account instead.`
+        `Active Codex login is for a different OpenAI identity than profile '${profileName}'. Create a new profile for that login instead.`
       );
     }
-    if (existingAccountId && normalized.workspace_id) {
-      const currentWorkspace = this.resolveWorkspaceIdentity(existing, this.extractProfileMetadata(existing));
+    if (existingIdentity && normalized.workspace_id) {
       const targetWorkspaceId = normalized.workspace_id;
       const currentWorkspaceId = currentWorkspace.id ?? DEFAULT_WORKSPACE_ID;
       if (targetWorkspaceId !== currentWorkspaceId) {
-        const duplicate = await this.getProfileRowByAccountAndWorkspace(existingAccountId, targetWorkspaceId, {
+        const duplicate = await this.getProfileRowByIdentityAndWorkspace(existingIdentity, targetWorkspaceId, {
           authMethod: this.resolveAuthMethod(existing)
         });
         if (duplicate && duplicate.name !== profileName) {
@@ -5665,9 +5608,9 @@ var ProfileManager = class {
       const normalizedAuth = this.normalizeProfileData(activeAuth);
       const authMetadata = this.extractProfileMetadata(normalizedAuth);
       const workspace = this.resolveWorkspaceIdentity(normalizedAuth, authMetadata);
-      const activeAccountId = this.getAccountIdFromData(normalizedAuth);
-      if (activeAccountId) {
-        const scoped = await this.getProfileRowByAccountAndWorkspace(activeAccountId, workspace.id ?? DEFAULT_WORKSPACE_ID, {
+      const activeIdentityKey = this.resolveProfileIdentityFromData(null, normalizedAuth, authMetadata);
+      if (activeIdentityKey) {
+        const scoped = await this.getProfileRowByIdentityAndWorkspace(activeIdentityKey, workspace.id ?? DEFAULT_WORKSPACE_ID, {
           preferAuthMethod: "codex-cli"
         });
         if (scoped) {
@@ -5675,7 +5618,7 @@ var ProfileManager = class {
           await this.persistPreferredProfileName(normalized);
           return { name: normalized, trusted: true };
         }
-        const matching = await this.getProfileRowByAccountId(activeAccountId, { preferAuthMethod: "codex-cli" });
+        const matching = await this.getProfileRowByIdentityKey(activeIdentityKey, { preferAuthMethod: "codex-cli" });
         if (matching) {
           const normalized = this.normalizeProfileName(matching.name);
           await this.persistPreferredProfileName(normalized);
@@ -5699,120 +5642,1555 @@ var ProfileManager = class {
     }
     return { name: null, trusted: false };
   }
-  /**
-   * Export a profile to a portable format.
-   * Sensitive tokens are included but should be handled securely.
-   */
-  async exportProfile(name) {
-    await this.initialize();
-    const profileName = this.normalizeProfileName(name);
-    const record = await this.getProfileRowByName(profileName);
-    if (!record) {
-      throw new Error(`Profile '${profileName}' not found!`);
+  /**
+   * Export a profile to a portable format.
+   * Sensitive tokens are included but should be handled securely.
+   */
+  async exportProfile(name) {
+    await this.initialize();
+    const profileName = this.normalizeProfileName(name);
+    const record = await this.getProfileRowByName(profileName);
+    if (!record) {
+      throw new Error(`Profile '${profileName}' not found!`);
+    }
+    return {
+      name: record.name,
+      displayName: record.displayName,
+      email: record.email,
+      accountId: record.accountId,
+      workspaceId: record.workspaceId,
+      workspaceName: record.workspaceName,
+      authMethod: record.authMethod,
+      createdAt: record.createdAt,
+      metadata: record.metadata,
+      exportedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Export profiles for cloud sync (includes token-bearing auth data).
+   */
+  async exportProfilesForCloudSync() {
+    await this.initialize();
+    const records = await this.listProfileRecords();
+    return records.map((record) => ({
+      name: record.name,
+      displayName: record.displayName,
+      data: record.data,
+      metadata: record.metadata,
+      accountId: record.accountId,
+      workspaceId: record.workspaceId,
+      workspaceName: record.workspaceName,
+      email: record.email,
+      authMethod: record.authMethod,
+      createdAt: record.createdAt,
+      updatedAt: record.updatedAt
+    }));
+  }
+  /**
+   * Replace local profiles with a full snapshot from cloud sync.
+   */
+  async replaceProfilesFromCloudSync(records) {
+    await this.initialize();
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const normalized = /* @__PURE__ */ new Map();
+    const existingMap = await this.readProfilesStateMap();
+    const existingNames = new Set(Object.keys(existingMap));
+    for (const candidate of records ?? []) {
+      try {
+        const name = this.normalizeProfileName(candidate?.name ?? "");
+        const data = candidate && typeof candidate.data === "object" && candidate.data !== null ? candidate.data : null;
+        if (!data) {
+          continue;
+        }
+        const metadata = candidate.metadata && typeof candidate.metadata === "object" ? candidate.metadata : void 0;
+        const record = {
+          name,
+          displayName: typeof candidate.displayName === "string" ? candidate.displayName : null,
+          data,
+          metadata,
+          accountId: typeof candidate.accountId === "string" ? candidate.accountId : null,
+          workspaceId: typeof candidate.workspaceId === "string" ? candidate.workspaceId : null,
+          workspaceName: typeof candidate.workspaceName === "string" ? candidate.workspaceName : null,
+          email: typeof candidate.email === "string" ? candidate.email : null,
+          authMethod: typeof candidate.authMethod === "string" ? candidate.authMethod : this.resolveAuthMethod(data),
+          createdAt: typeof candidate.createdAt === "string" ? candidate.createdAt : now,
+          updatedAt: typeof candidate.updatedAt === "string" ? candidate.updatedAt : now
+        };
+        normalized.set(name, record);
+      } catch {
+      }
+    }
+    const nextMap = {};
+    for (const record of normalized.values()) {
+      nextMap[record.name] = this.toStateRecord(record);
+    }
+    await this.writeProfilesStateMap(nextMap);
+    let removed = 0;
+    for (const name of existingNames) {
+      if (normalized.has(name)) {
+        continue;
+      }
+      try {
+        await import_fs.promises.rm(this.getProfileHomePath(name), { recursive: true, force: true });
+        removed += 1;
+      } catch (error) {
+        if (!this.isNotFoundError(error)) {
+          logWarn(`Failed to remove profile '${name}' during cloud sync replace:`, error);
+        }
+      }
+    }
+    const preferred = await this.readPreferredProfileName();
+    if (preferred) {
+      try {
+        const normalizedPreferred = this.normalizeProfileName(preferred);
+        if (!normalized.has(normalizedPreferred)) {
+          await this.persistPreferredProfileName(null);
+        }
+      } catch {
+        await this.persistPreferredProfileName(null);
+      }
+    }
+    return {
+      imported: normalized.size,
+      removed
+    };
+  }
+};
+
+// src/app/help.ts
+function printHelp(version) {
+  console.log(`CodexUse CLI v${version}
+
+Usage:
+  codexuse account-pool status [--runtime=desktop|daemon] [--state-dir=/abs/path] [--port=NNNN]
+  codexuse account-pool enable
+  codexuse account-pool disable
+  codexuse account-pool routing <least-used|round-robin>
+  codexuse account-pool profiles list
+  codexuse account-pool profiles set <name> [more...]
+  codexuse account-pool models list
+  codexuse account-pool keys list [--runtime=desktop|daemon]
+  codexuse account-pool keys create [--runtime=desktop|daemon]
+  codexuse account-pool sessions list [--runtime=desktop|daemon]
+
+  codexuse profile list [--no-usage] [--compact]
+  codexuse profile current
+  codexuse profile add <name> [--skip-login] [--device-auth] [--login=browser|device]
+  codexuse profile refresh <name> [--skip-login] [--device-auth] [--login=browser|device]
+  codexuse profile switch <name>
+  codexuse profile autoroll [--threshold=50-100] [--dry-run] [--watch] [--interval=seconds]
+  codexuse profile delete <name>
+  codexuse profile rename <old> <new>
+
+  codexuse license status [--refresh]
+  codexuse license activate <license-key>
+
+  codexuse sync status
+  codexuse sync pull
+  codexuse sync push
+
+  codexuse daemon start [--port=NNNN] [--telegram-bot-token=<token>] [--project-path=/abs/path]
+
+Flags:
+  -h, --help       Show help
+  -v, --version    Show version
+  --no-usage       Skip rate-limit usage fetch
+  --compact        Names only
+  --device-auth    Use device auth for Codex login
+  --login=MODE     Login mode: browser | device
+  --threshold=NN   Auto-roll switch threshold percent (50-100)
+  --watch          Keep checking and auto-switch when threshold is reached
+  --interval=SEC   Watch interval in seconds (default: 30)
+  --dry-run        Print planned switch without changing active profile
+  --runtime=NAME   Accounts Pool runtime store: desktop | daemon
+  --state-dir=PATH Override the runtime state dir for Accounts Pool inspection
+  --port=NNNN      Stable daemon/API port (or use with account-pool status for daemon base URL)
+  --telegram-bot-token=TOKEN   Enable Telegram remote control for daemon mode
+  --project-path=PATH          Optional path to bootstrap as the default Projects root in daemon mode
+`);
+}
+
+// src/platform/args.ts
+var DEFAULT_AUTOROLL_INTERVAL_SECONDS = 30;
+var DEFAULT_AUTOROLL_THRESHOLD = 95;
+function hasFlag(args, flag) {
+  return args.includes(flag);
+}
+function stripFlags(args) {
+  return args.filter((arg) => !arg.startsWith("-"));
+}
+function parseLoginMode(flags) {
+  if (flags.includes("--device-auth")) return "device";
+  const explicit = flags.find((flag) => flag.startsWith("--login="));
+  if (!explicit) return null;
+  const value = explicit.split("=")[1];
+  if (value === "browser" || value === "device") {
+    return value;
+  }
+  return null;
+}
+function parseNumericFlag(flags, name) {
+  const explicit = flags.find((flag) => flag.startsWith(`${name}=`));
+  if (!explicit) {
+    return null;
+  }
+  const raw = explicit.slice(`${name}=`.length);
+  const value = Number.parseFloat(raw);
+  return Number.isFinite(value) ? value : Number.NaN;
+}
+function parseIntegerFlag(flags, name) {
+  const explicit = flags.find((flag) => flag.startsWith(`${name}=`));
+  if (!explicit) {
+    return null;
+  }
+  const raw = explicit.slice(`${name}=`.length);
+  const value = Number.parseInt(raw, 10);
+  return Number.isFinite(value) ? value : Number.NaN;
+}
+function parseStringFlag(flags, name) {
+  const explicit = flags.find((flag) => flag.startsWith(`${name}=`));
+  if (!explicit) {
+    return null;
+  }
+  const value = explicit.slice(`${name}=`.length).trim();
+  return value.length > 0 ? value : "";
+}
+
+// src/commands/accountPool.ts
+var ACCOUNT_POOL_DOCUMENT = "desktop.account-pool.v2";
+var LEGACY_BROKER_DOCUMENT = "desktop.broker.v1";
+var ACCOUNT_POOL_PRO_REQUIRED_MESSAGE = "Accounts Pool requires a Pro license.";
+var DEFAULT_DAEMON_STATE_DIR = import_node_path7.default.join(import_node_os3.default.homedir(), ".codexuse", "t3-daemon");
+var ACCOUNT_POOL_STORE_VERSION = 3;
+var MAX_RESPONSE_IDS_PER_SESSION = 64;
+var MODEL_SLUG_ALIASES = {
+  "5.4": "gpt-5.4",
+  "5.3": "gpt-5.3-codex",
+  "gpt-5.3": "gpt-5.3-codex",
+  "5.3-spark": "gpt-5.3-codex-spark",
+  "gpt-5.3-spark": "gpt-5.3-codex-spark"
+};
+function asRecord2(value) {
+  return value && typeof value === "object" && !Array.isArray(value) ? value : {};
+}
+function asString3(value) {
+  if (typeof value !== "string") {
+    return null;
+  }
+  const trimmed = value.trim();
+  return trimmed.length > 0 ? trimmed : null;
+}
+function asNumber(value) {
+  return typeof value === "number" && Number.isFinite(value) ? value : null;
+}
+function normalizeIsoString(value) {
+  const normalized = asString3(value);
+  if (!normalized) {
+    return null;
+  }
+  const parsed = Date.parse(normalized);
+  return Number.isNaN(parsed) ? null : new Date(parsed).toISOString();
+}
+function normalizeStringArray(value) {
+  const input = Array.isArray(value) ? value : [];
+  const result = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const entry of input) {
+    const normalized = asString3(entry);
+    if (!normalized || seen.has(normalized)) {
+      continue;
+    }
+    seen.add(normalized);
+    result.push(normalized);
+  }
+  return result;
+}
+function normalizeReasoningEffort(value) {
+  const normalized = asString3(value)?.toLowerCase() ?? null;
+  return normalized && normalized.length > 0 ? normalized : null;
+}
+function normalizeRoutingStrategy(value) {
+  return value === "round_robin" ? "round_robin" : "least_used";
+}
+function normalizeCodexModelSlug(value) {
+  const trimmed = value?.trim();
+  if (!trimmed) {
+    return null;
+  }
+  return MODEL_SLUG_ALIASES[trimmed] ?? trimmed;
+}
+function formatRoutingStrategy(value) {
+  return value === "round_robin" ? "round-robin" : "least-used";
+}
+function parseRoutingStrategy(value) {
+  const normalized = value?.trim().toLowerCase();
+  if (!normalized) {
+    return null;
+  }
+  if (normalized === "round-robin" || normalized === "round_robin" || normalized === "roundrobin") {
+    return "round_robin";
+  }
+  if (normalized === "least-used" || normalized === "least_used" || normalized === "leastused") {
+    return "least_used";
+  }
+  return null;
+}
+function normalizeAccountPoolExposedModels(value, fallbackToDefault) {
+  const result = [];
+  const seen = /* @__PURE__ */ new Set();
+  const input = Array.isArray(value) ? value : [];
+  for (const entry of input) {
+    const raw = asString3(entry);
+    const normalized = normalizeCodexModelSlug(raw) ?? raw;
+    if (!normalized || seen.has(normalized)) {
+      continue;
+    }
+    seen.add(normalized);
+    result.push(normalized);
+  }
+  if (result.length > 0) {
+    return result;
+  }
+  return fallbackToDefault ? [...DEFAULT_ACCOUNT_POOL_EXPOSED_MODELS] : [];
+}
+function normalizeAccountPoolReasoningEfforts(value, fallback) {
+  const input = Array.isArray(value) ? value : [];
+  const result = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const entry of input) {
+    const normalized = normalizeReasoningEffort(entry);
+    if (!normalized || seen.has(normalized)) {
+      continue;
+    }
+    seen.add(normalized);
+    result.push(normalized);
+  }
+  if (result.length > 0 || Array.isArray(value)) {
+    return result;
+  }
+  return fallback ? [...fallback] : [];
+}
+function normalizeAccountPoolSettings(settings) {
+  const accountPoolProfilePool = normalizeStringArray(settings.accountPoolProfilePool);
+  return {
+    accountPoolEnabled: settings.accountPoolEnabled === true || settings.brokerEnabled === true,
+    accountPoolRoutingStrategy: normalizeRoutingStrategy(
+      settings.accountPoolRoutingStrategy ?? settings.brokerRoutingStrategy
+    ),
+    accountPoolProfilePool: accountPoolProfilePool.length > 0 ? accountPoolProfilePool : normalizeStringArray(settings.brokerProfilePool),
+    accountPoolExposedModels: normalizeAccountPoolExposedModels(
+      settings.accountPoolExposedModels,
+      true
+    ),
+    accountPoolExposedReasoningEfforts: normalizeAccountPoolReasoningEfforts(
+      settings.accountPoolExposedReasoningEfforts,
+      DEFAULT_ACCOUNT_POOL_EXPOSED_REASONING_EFFORTS
+    ),
+    accountPoolExposedFastModeReasoningEfforts: normalizeAccountPoolReasoningEfforts(
+      settings.accountPoolExposedFastModeReasoningEfforts,
+      DEFAULT_ACCOUNT_POOL_EXPOSED_FAST_MODE_REASONING_EFFORTS
+    )
+  };
+}
+function applyAccountPoolSettings(settings, nextAccountPoolSettings) {
+  const next = {
+    ...settings,
+    accountPoolEnabled: nextAccountPoolSettings.accountPoolEnabled,
+    accountPoolRoutingStrategy: nextAccountPoolSettings.accountPoolRoutingStrategy,
+    accountPoolProfilePool: nextAccountPoolSettings.accountPoolProfilePool.slice(),
+    accountPoolExposedModels: nextAccountPoolSettings.accountPoolExposedModels.slice(),
+    accountPoolExposedReasoningEfforts: nextAccountPoolSettings.accountPoolExposedReasoningEfforts.slice(),
+    accountPoolExposedFastModeReasoningEfforts: nextAccountPoolSettings.accountPoolExposedFastModeReasoningEfforts.slice()
+  };
+  delete next.brokerEnabled;
+  delete next.brokerRoutingStrategy;
+  delete next.brokerProfilePool;
+  return next;
+}
+function printAccountPoolHelp(version) {
+  console.log(`CodexUse CLI v${version}
+
+Usage:
+  codexuse account-pool status [--runtime=desktop|daemon] [--state-dir=/abs/path] [--port=NNNN]
+  codexuse account-pool enable
+  codexuse account-pool disable
+  codexuse account-pool routing <least-used|round-robin>
+
+  codexuse account-pool profiles list
+  codexuse account-pool profiles set <name> [more...]
+  codexuse account-pool profiles add <name> [more...]
+  codexuse account-pool profiles remove <name> [more...]
+  codexuse account-pool profiles reset
+
+  codexuse account-pool models list
+  codexuse account-pool models add <model> [more...]
+  codexuse account-pool models remove <model> [more...]
+  codexuse account-pool models reset
+
+  codexuse account-pool reasoning list
+  codexuse account-pool reasoning add <effort> [more...]
+  codexuse account-pool reasoning remove <effort> [more...]
+  codexuse account-pool reasoning reset
+
+  codexuse account-pool fast-mode list
+  codexuse account-pool fast-mode add <effort> [more...]
+  codexuse account-pool fast-mode remove <effort> [more...]
+  codexuse account-pool fast-mode reset
+
+  codexuse account-pool keys list [--runtime=desktop|daemon] [--state-dir=/abs/path]
+  codexuse account-pool keys create [--runtime=desktop|daemon] [--state-dir=/abs/path]
+  codexuse account-pool keys revoke <id> [--runtime=desktop|daemon] [--state-dir=/abs/path]
+
+  codexuse account-pool sessions list [--runtime=desktop|daemon] [--state-dir=/abs/path]
+
+Notes:
+  - Settings are shared with the desktop app.
+  - Keys and sessions are runtime-specific: desktop and daemon each keep their own pool store.
+  - Session inspection is read-only here on purpose; pooled sessions are live runtime state.
+  - Use --runtime=daemon plus --state-dir or --port when you want to inspect a headless daemon.
+`);
+}
+function normalizeSessionStatus(value) {
+  return value === "running" || value === "error" || value === "rollover_pending" ? value : "idle";
+}
+function normalizeApiKeyRecord(id, value) {
+  const record = asRecord2(value);
+  const tokenHash = asString3(record.tokenHash);
+  const tokenPreview = asString3(record.tokenPreview);
+  const createdAt = normalizeIsoString(record.createdAt);
+  if (!tokenHash || !tokenPreview || !createdAt) {
+    return null;
+  }
+  return {
+    id,
+    tokenHash,
+    tokenPreview,
+    createdAt,
+    lastUsedAt: normalizeIsoString(record.lastUsedAt),
+    revokedAt: normalizeIsoString(record.revokedAt)
+  };
+}
+function normalizeLegacySessionRecord(id, value) {
+  const record = asRecord2(value);
+  const profileName = asString3(record.profileName);
+  const createdAt = normalizeIsoString(record.createdAt);
+  const lastUsedAt = normalizeIsoString(record.lastUsedAt);
+  if (!profileName || !createdAt || !lastUsedAt) {
+    return null;
+  }
+  const affinityKind = record.affinityKind === "broker_session" || record.affinityKind === "prompt_cache" ? record.affinityKind : "ephemeral";
+  return {
+    id,
+    affinityKind,
+    affinityKey: asString3(record.affinityKey),
+    profileName,
+    threadId: asString3(record.threadId) ?? id,
+    model: asString3(record.model),
+    status: normalizeSessionStatus(record.status),
+    lastError: asString3(record.lastError),
+    createdAt,
+    lastUsedAt,
+    expiresAt: normalizeIsoString(record.expiresAt),
+    lastResponseId: asString3(record.lastResponseId),
+    responseIds: normalizeStringArray(record.responseIds).slice(0, MAX_RESPONSE_IDS_PER_SESSION)
+  };
+}
+function normalizeLegacyStore(value) {
+  const record = asRecord2(value);
+  const apiKeysById = {};
+  for (const [id, apiKeyValue] of Object.entries(asRecord2(record.apiKeysById))) {
+    const normalized = normalizeApiKeyRecord(id, apiKeyValue);
+    if (normalized) {
+      apiKeysById[id] = normalized;
+    }
+  }
+  const sessionsById = {};
+  for (const [id, sessionValue] of Object.entries(asRecord2(record.sessionsById))) {
+    const normalized = normalizeLegacySessionRecord(id, sessionValue);
+    if (normalized) {
+      sessionsById[id] = normalized;
+    }
+  }
+  const responseIndex = {};
+  for (const [responseId, sessionId] of Object.entries(asRecord2(record.responseIndex))) {
+    const normalizedSessionId = asString3(sessionId);
+    if (normalizedSessionId) {
+      responseIndex[responseId] = normalizedSessionId;
+    }
+  }
+  return {
+    version: asNumber(record.version) ?? 1,
+    roundRobinCursor: asNumber(record.roundRobinCursor) ?? 0,
+    apiKeysById,
+    sessionsById,
+    responseIndex
+  };
+}
+function normalizeSessionRecord(id, value) {
+  const record = asRecord2(value);
+  const activeSegmentId = asString3(record.activeSegmentId);
+  const createdAt = normalizeIsoString(record.createdAt);
+  const lastUsedAt = normalizeIsoString(record.lastUsedAt);
+  if (!activeSegmentId || !createdAt || !lastUsedAt) {
+    return null;
+  }
+  const affinityKind = record.affinityKind === "pool_session" || record.affinityKind === "prompt_cache" ? record.affinityKind : "ephemeral";
+  return {
+    id,
+    affinityKind,
+    affinityKey: asString3(record.affinityKey),
+    activeSegmentId,
+    segmentIds: normalizeStringArray(record.segmentIds),
+    model: asString3(record.model),
+    status: normalizeSessionStatus(record.status),
+    lastError: asString3(record.lastError),
+    createdAt,
+    lastUsedAt,
+    expiresAt: normalizeIsoString(record.expiresAt),
+    lastResponseId: asString3(record.lastResponseId),
+    responseIds: normalizeStringArray(record.responseIds).slice(0, MAX_RESPONSE_IDS_PER_SESSION),
+    rolloverCount: asNumber(record.rolloverCount) ?? 0,
+    lastRolloverReason: asString3(record.lastRolloverReason)
+  };
+}
+function normalizeSegmentRecord(id, value) {
+  const record = asRecord2(value);
+  const sessionId = asString3(record.sessionId);
+  const profileName = asString3(record.profileName);
+  const createdAt = normalizeIsoString(record.createdAt);
+  const lastUsedAt = normalizeIsoString(record.lastUsedAt);
+  if (!sessionId || !profileName || !createdAt || !lastUsedAt) {
+    return null;
+  }
+  return {
+    id,
+    sessionId,
+    profileName,
+    createdAt,
+    lastUsedAt
+  };
+}
+function normalizeResponseIndexRecord(value) {
+  const record = asRecord2(value);
+  const sessionId = asString3(record.sessionId);
+  const segmentId = asString3(record.segmentId);
+  const createdAt = normalizeIsoString(record.createdAt) ?? (/* @__PURE__ */ new Date(0)).toISOString();
+  if (!sessionId || !segmentId) {
+    return null;
+  }
+  return { sessionId, segmentId, createdAt };
+}
+function normalizeAccountPoolStore(value) {
+  const record = asRecord2(value);
+  const apiKeysById = {};
+  for (const [id, apiKeyValue] of Object.entries(asRecord2(record.apiKeysById))) {
+    const normalized = normalizeApiKeyRecord(id, apiKeyValue);
+    if (normalized) {
+      apiKeysById[id] = normalized;
+    }
+  }
+  const sessionsById = {};
+  for (const [id, sessionValue] of Object.entries(asRecord2(record.sessionsById))) {
+    const normalized = normalizeSessionRecord(id, sessionValue);
+    if (normalized) {
+      sessionsById[id] = normalized;
+    }
+  }
+  const segmentsById = {};
+  for (const [id, segmentValue] of Object.entries(asRecord2(record.segmentsById))) {
+    const normalized = normalizeSegmentRecord(id, segmentValue);
+    if (normalized) {
+      segmentsById[id] = normalized;
+    }
+  }
+  const responseIndex = {};
+  for (const [responseId, responseValue] of Object.entries(asRecord2(record.responseIndex))) {
+    const normalized = normalizeResponseIndexRecord(responseValue);
+    if (normalized) {
+      responseIndex[responseId] = normalized;
+    }
+  }
+  return {
+    version: asNumber(record.version) ?? ACCOUNT_POOL_STORE_VERSION,
+    roundRobinCursor: asNumber(record.roundRobinCursor) ?? 0,
+    apiKeysById,
+    sessionsById,
+    segmentsById,
+    responseIndex
+  };
+}
+function createDefaultStore() {
+  return {
+    version: ACCOUNT_POOL_STORE_VERSION,
+    roundRobinCursor: 0,
+    apiKeysById: {},
+    sessionsById: {},
+    segmentsById: {},
+    responseIndex: {}
+  };
+}
+function migrateLegacyStore(legacyStore) {
+  const store = createDefaultStore();
+  store.roundRobinCursor = legacyStore.roundRobinCursor;
+  store.apiKeysById = { ...legacyStore.apiKeysById };
+  for (const session of Object.values(legacyStore.sessionsById)) {
+    const segmentId = `segment_${session.id}`;
+    store.segmentsById[segmentId] = {
+      id: segmentId,
+      sessionId: session.id,
+      profileName: session.profileName,
+      createdAt: session.createdAt,
+      lastUsedAt: session.lastUsedAt
+    };
+    store.sessionsById[session.id] = {
+      id: session.id,
+      affinityKind: session.affinityKind === "broker_session" ? "pool_session" : session.affinityKind,
+      affinityKey: session.affinityKey,
+      activeSegmentId: segmentId,
+      segmentIds: [segmentId],
+      model: session.model,
+      status: session.status,
+      lastError: session.lastError,
+      createdAt: session.createdAt,
+      lastUsedAt: session.lastUsedAt,
+      expiresAt: session.expiresAt,
+      lastResponseId: session.lastResponseId,
+      responseIds: session.responseIds.slice(0, MAX_RESPONSE_IDS_PER_SESSION),
+      rolloverCount: 0,
+      lastRolloverReason: null
+    };
+  }
+  for (const [responseId, sessionId] of Object.entries(legacyStore.responseIndex)) {
+    const session = store.sessionsById[sessionId];
+    if (!session) {
+      continue;
+    }
+    store.responseIndex[responseId] = {
+      sessionId,
+      segmentId: session.activeSegmentId,
+      createdAt: session.lastUsedAt
+    };
+  }
+  return store;
+}
+function deleteSessionFromStore(store, sessionId) {
+  const session = store.sessionsById[sessionId];
+  if (!session) {
+    return;
+  }
+  for (const segmentId of session.segmentIds) {
+    delete store.segmentsById[segmentId];
+  }
+  for (const [responseId, response] of Object.entries(store.responseIndex)) {
+    if (response.sessionId === sessionId) {
+      delete store.responseIndex[responseId];
+    }
+  }
+  delete store.sessionsById[sessionId];
+}
+function pruneStore(store) {
+  const now = Date.now();
+  for (const [sessionId, session] of Object.entries(store.sessionsById)) {
+    const expiresAtMs = session.expiresAt ? Date.parse(session.expiresAt) : Number.NaN;
+    if (Number.isFinite(expiresAtMs) && expiresAtMs < now) {
+      deleteSessionFromStore(store, sessionId);
+    }
+  }
+  for (const [segmentId, segment] of Object.entries(store.segmentsById)) {
+    if (!store.sessionsById[segment.sessionId]) {
+      delete store.segmentsById[segmentId];
+    }
+  }
+  for (const [responseId, response] of Object.entries(store.responseIndex)) {
+    if (!store.sessionsById[response.sessionId] || !store.segmentsById[response.segmentId]) {
+      delete store.responseIndex[responseId];
+    }
+  }
+  return store;
+}
+function resolveAccountPoolDbPath(stateDir) {
+  return import_node_path7.default.join(stateDir, "state.sqlite");
+}
+async function readLegacyStore(dbPath) {
+  return readDocument(dbPath, LEGACY_BROKER_DOCUMENT, normalizeLegacyStore);
+}
+async function readStore(stateDir) {
+  const dbPath = resolveAccountPoolDbPath(stateDir);
+  const store = await readDocument(
+    dbPath,
+    ACCOUNT_POOL_DOCUMENT,
+    normalizeAccountPoolStore
+  );
+  if (store) {
+    return pruneStore(store);
+  }
+  const legacyStore = await readLegacyStore(dbPath);
+  if (!legacyStore) {
+    return createDefaultStore();
+  }
+  return pruneStore(migrateLegacyStore(legacyStore));
+}
+async function updateStore(stateDir, mutate) {
+  const dbPath = resolveAccountPoolDbPath(stateDir);
+  const legacyStore = await readLegacyStore(dbPath);
+  return updateDocument({
+    dbPath,
+    namespace: ACCOUNT_POOL_DOCUMENT,
+    normalize: normalizeAccountPoolStore,
+    fallback: () => legacyStore ? migrateLegacyStore(legacyStore) : createDefaultStore(),
+    transform: (current) => {
+      const next = pruneStore(current);
+      mutate(next);
+      return pruneStore(next);
+    }
+  });
+}
+function accountPoolApiKeyView(record) {
+  return {
+    id: record.id,
+    tokenPreview: record.tokenPreview,
+    createdAt: record.createdAt,
+    lastUsedAt: record.lastUsedAt,
+    revokedAt: record.revokedAt
+  };
+}
+async function listApiKeys(stateDir) {
+  const store = await readStore(stateDir);
+  return Object.values(store.apiKeysById).filter((key) => key.revokedAt === null).sort((left, right) => right.createdAt.localeCompare(left.createdAt)).map(accountPoolApiKeyView);
+}
+function hashToken(token) {
+  return (0, import_node_crypto4.createHash)("sha256").update(token).digest("hex");
+}
+async function createApiKey(stateDir) {
+  const plaintextToken = `cux_pool_${(0, import_node_crypto4.randomBytes)(24).toString("hex")}`;
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const keyRecord = {
+    id: (0, import_node_crypto4.randomUUID)(),
+    tokenHash: hashToken(plaintextToken),
+    tokenPreview: `${plaintextToken.slice(0, 8)}...${plaintextToken.slice(-6)}`,
+    createdAt: now,
+    lastUsedAt: null,
+    revokedAt: null
+  };
+  await updateStore(stateDir, (store) => {
+    store.apiKeysById[keyRecord.id] = keyRecord;
+  });
+  return {
+    key: accountPoolApiKeyView(keyRecord),
+    plaintextToken
+  };
+}
+async function revokeApiKey(stateDir, id) {
+  let revoked = false;
+  await updateStore(stateDir, (store) => {
+    const existing = store.apiKeysById[id];
+    if (!existing || existing.revokedAt !== null) {
+      return;
+    }
+    existing.revokedAt = (/* @__PURE__ */ new Date()).toISOString();
+    revoked = true;
+  });
+  return revoked;
+}
+async function listSessions(stateDir) {
+  const store = await readStore(stateDir);
+  return Object.values(store.sessionsById).sort((left, right) => right.lastUsedAt.localeCompare(left.lastUsedAt)).flatMap((session) => {
+    const activeSegment = store.segmentsById[session.activeSegmentId];
+    if (!activeSegment) {
+      return [];
+    }
+    return [{
+      id: session.id,
+      affinityKind: session.affinityKind,
+      affinityKey: session.affinityKey,
+      activeProfileName: activeSegment.profileName,
+      model: session.model,
+      status: session.status,
+      lastError: session.lastError,
+      createdAt: session.createdAt,
+      lastUsedAt: session.lastUsedAt,
+      expiresAt: session.expiresAt,
+      lastResponseId: session.lastResponseId,
+      responseCount: session.responseIds.length,
+      segmentCount: session.segmentIds.length,
+      rolloverCount: session.rolloverCount,
+      lastRolloverReason: session.lastRolloverReason
+    }];
+  });
+}
+function resolveRuntimeStateDir(runtime, explicitStateDir) {
+  if (explicitStateDir) {
+    return import_node_path7.default.resolve(explicitStateDir);
+  }
+  if (runtime === "daemon") {
+    return DEFAULT_DAEMON_STATE_DIR;
+  }
+  return import_node_path7.default.join(getUserDataDir(), "t3-projects");
+}
+function resolveStateDir(flags) {
+  const runtimeFlag = parseStringFlag(flags, "--runtime")?.trim().toLowerCase();
+  const runtime = runtimeFlag === "daemon" ? "daemon" : "desktop";
+  const explicitStateDir = parseStringFlag(flags, "--state-dir") ?? parseStringFlag(flags, "--state") ?? null;
+  return {
+    runtime,
+    stateDir: resolveRuntimeStateDir(runtime, explicitStateDir)
+  };
+}
+function resolveBaseUrlFromPort(runtime, port) {
+  if (runtime === "desktop") {
+    return null;
+  }
+  if (port === null) {
+    return null;
+  }
+  if (!Number.isFinite(port) || port < 1 || port > 65535) {
+    throw new Error("Daemon port must be an integer between 1 and 65535.");
+  }
+  return `http://127.0.0.1:${port}`;
+}
+function resolveBaseUrl(runtime, flags) {
+  return resolveBaseUrlFromPort(runtime, parseIntegerFlag(flags, "--port"));
+}
+async function readAccountPoolRuntimeSummary(input = {}) {
+  const runtime = input.runtime ?? "desktop";
+  const stateDir = resolveRuntimeStateDir(runtime, input.stateDir ?? null);
+  const [license, { normalized }, apiKeys, sessions] = await Promise.all([
+    licenseService.getStatus().catch(() => null),
+    readSettingsSnapshot(),
+    listApiKeys(stateDir),
+    listSessions(stateDir)
+  ]);
+  return {
+    runtime,
+    stateDir,
+    baseUrl: resolveBaseUrlFromPort(runtime, input.port ?? null),
+    enabled: normalized.accountPoolEnabled,
+    hasProLicense: license?.isPro === true,
+    routingStrategy: normalized.accountPoolRoutingStrategy,
+    activeApiKeyCount: apiKeys.length,
+    activeSessionCount: sessions.length
+  };
+}
+async function readSettingsSnapshot() {
+  const raw = asRecord2(await readAppSettings());
+  return {
+    raw,
+    normalized: normalizeAccountPoolSettings(raw)
+  };
+}
+async function updateSettings(transform) {
+  const { raw, normalized } = await readSettingsSnapshot();
+  const nextSettings = transform(normalized);
+  const license = await licenseService.getStatus().catch(() => null);
+  const forcedDisabledByLicense = !license?.isPro && nextSettings.accountPoolEnabled === true;
+  const sanitizedSettings = {
+    ...nextSettings,
+    accountPoolEnabled: forcedDisabledByLicense ? false : nextSettings.accountPoolEnabled,
+    accountPoolRoutingStrategy: normalizeRoutingStrategy(nextSettings.accountPoolRoutingStrategy),
+    accountPoolProfilePool: normalizeStringArray(nextSettings.accountPoolProfilePool),
+    accountPoolExposedModels: normalizeAccountPoolExposedModels(
+      nextSettings.accountPoolExposedModels,
+      true
+    ),
+    accountPoolExposedReasoningEfforts: normalizeAccountPoolReasoningEfforts(
+      nextSettings.accountPoolExposedReasoningEfforts,
+      null
+    ),
+    accountPoolExposedFastModeReasoningEfforts: normalizeAccountPoolReasoningEfforts(
+      nextSettings.accountPoolExposedFastModeReasoningEfforts,
+      null
+    )
+  };
+  await writeAppSettings(applyAccountPoolSettings(raw, sanitizedSettings));
+  return {
+    settings: sanitizedSettings,
+    forcedDisabledByLicense
+  };
+}
+async function requireProAccess() {
+  const license = await licenseService.getStatus();
+  if (!license.isPro) {
+    throw new Error(ACCOUNT_POOL_PRO_REQUIRED_MESSAGE);
+  }
+}
+async function listSavedProfiles() {
+  const manager = new ProfileManager();
+  return manager.listProfiles();
+}
+function printStringList(label, values) {
+  console.log(`${label}: ${values.length > 0 ? values.join(", ") : "(none)"}`);
+}
+function printSessionRow(session) {
+  const fields = [
+    `id=${session.id}`,
+    `profile=${session.activeProfileName}`,
+    `status=${session.status}`,
+    `model=${session.model ?? "-"}`,
+    `responses=${session.responseCount}`,
+    `segments=${session.segmentCount}`
+  ];
+  if (session.lastResponseId) {
+    fields.push(`lastResponse=${session.lastResponseId}`);
+  }
+  if (session.lastRolloverReason) {
+    fields.push(`rollover=${session.lastRolloverReason}`);
+  }
+  console.log(fields.join("  "));
+}
+function printApiKeyRow(apiKey) {
+  const fields = [
+    `id=${apiKey.id}`,
+    `preview=${apiKey.tokenPreview}`,
+    `created=${apiKey.createdAt}`
+  ];
+  if (apiKey.lastUsedAt) {
+    fields.push(`lastUsed=${apiKey.lastUsedAt}`);
+  }
+  console.log(fields.join("  "));
+}
+function getArrayValues(params, startIndex) {
+  return params.slice(startIndex).map((value) => value.trim()).filter(Boolean);
+}
+async function handleStatus(flags) {
+  const license = await licenseService.getStatus().catch(() => null);
+  const { raw, normalized } = await readSettingsSnapshot();
+  const { runtime, stateDir } = resolveStateDir(flags);
+  const baseUrl = resolveBaseUrl(runtime, flags);
+  const [profiles, apiKeys, sessions] = await Promise.all([
+    listSavedProfiles(),
+    listApiKeys(stateDir),
+    listSessions(stateDir)
+  ]);
+  const explicitSelection = normalized.accountPoolProfilePool;
+  const selectedProfiles = explicitSelection.length > 0 ? explicitSelection : profiles.map((profile) => profile.name);
+  const missingSelectedProfiles = explicitSelection.filter(
+    (profileName) => !profiles.some((profile) => profile.name === profileName)
+  );
+  console.log(`License: ${license ? `${license.tier} (${license.state})` : "unknown"}`);
+  console.log(`Enabled: ${normalized.accountPoolEnabled ? "yes" : "no"}`);
+  console.log(`Runtime: ${runtime}`);
+  console.log(`State dir: ${stateDir}`);
+  console.log(`Routing: ${formatRoutingStrategy(normalized.accountPoolRoutingStrategy)}`);
+  console.log(`Public API ready: ${normalized.accountPoolEnabled && license?.isPro === true && apiKeys.length > 0 ? "yes" : "no"}`);
+  console.log(`API keys: ${apiKeys.length}`);
+  console.log(`Sessions: ${sessions.length}`);
+  console.log(`Selection mode: ${explicitSelection.length > 0 ? "explicit" : "all saved profiles"}`);
+  if (baseUrl) {
+    console.log(`Base URL: ${baseUrl}`);
+  } else {
+    console.log(
+      runtime === "desktop" ? "Base URL: check the running desktop app for the current Accounts Pool URL." : "Base URL: daemon port not specified here; use the URL printed by `codexuse daemon start` or pass --port=NNNN."
+    );
+  }
+  printStringList("Selected profiles", selectedProfiles);
+  if (missingSelectedProfiles.length > 0) {
+    printStringList("Missing configured profiles", missingSelectedProfiles);
+  }
+  printStringList("Published models", normalized.accountPoolExposedModels);
+  printStringList("Reasoning aliases", normalized.accountPoolExposedReasoningEfforts);
+  printStringList("Fast-mode aliases", normalized.accountPoolExposedFastModeReasoningEfforts);
+  if (raw.accountPoolEnabled !== true && raw.brokerEnabled === true) {
+    console.log("Legacy broker setting detected: runtime is reading it through the new Accounts Pool surface.");
+  }
+  if (normalized.accountPoolEnabled && license?.isPro !== true) {
+    console.log(ACCOUNT_POOL_PRO_REQUIRED_MESSAGE);
+  }
+}
+async function handleEnable() {
+  await requireProAccess();
+  const result = await updateSettings((current) => ({
+    ...current,
+    accountPoolEnabled: true
+  }));
+  console.log(result.settings.accountPoolEnabled ? "Accounts Pool enabled." : "Accounts Pool is disabled.");
+}
+async function handleDisable() {
+  const result = await updateSettings((current) => ({
+    ...current,
+    accountPoolEnabled: false
+  }));
+  console.log(result.settings.accountPoolEnabled ? "Accounts Pool is enabled." : "Accounts Pool disabled.");
+}
+async function handleRouting(params) {
+  const value = parseRoutingStrategy(params[1]);
+  if (!value) {
+    throw new Error("Routing strategy must be `least-used` or `round-robin`.");
+  }
+  const result = await updateSettings((current) => ({
+    ...current,
+    accountPoolRoutingStrategy: value
+  }));
+  console.log(`Accounts Pool routing set to ${formatRoutingStrategy(result.settings.accountPoolRoutingStrategy)}.`);
+}
+async function handleProfiles(params) {
+  const action = params[1];
+  const profiles = await listSavedProfiles();
+  const availableProfileNames = profiles.map((profile) => profile.name);
+  const availableSet = new Set(availableProfileNames);
+  const { normalized } = await readSettingsSnapshot();
+  if (!action || action === "list") {
+    const explicitSelection = normalized.accountPoolProfilePool;
+    if (explicitSelection.length === 0) {
+      console.log("Selection: all saved profiles");
+    } else {
+      printStringList("Explicitly selected profiles", explicitSelection);
+    }
+    for (const profile of profiles) {
+      const selected = explicitSelection.length === 0 || explicitSelection.includes(profile.name);
+      const invalidSuffix = profile.isValid ? "" : " [needs re-auth]";
+      console.log(`${selected ? "*" : "-"} ${profile.name}${invalidSuffix}`);
+    }
+    const missing = explicitSelection.filter((name) => !availableSet.has(name));
+    if (missing.length > 0) {
+      printStringList("Missing configured profiles", missing);
+    }
+    return;
+  }
+  const names = getArrayValues(params, 2);
+  if ((action === "set" || action === "add" || action === "remove") && names.length === 0) {
+    throw new Error(`Profile names are required for \`${action}\`.`);
+  }
+  for (const name of names) {
+    if (!availableSet.has(name)) {
+      throw new Error(`Unknown profile: ${name}`);
+    }
+  }
+  const result = await updateSettings((current) => {
+    const currentSelection = current.accountPoolProfilePool.length > 0 ? current.accountPoolProfilePool.slice() : availableProfileNames.slice();
+    let nextSelection = currentSelection;
+    switch (action) {
+      case "set":
+        nextSelection = names.slice();
+        break;
+      case "add":
+        nextSelection = Array.from(/* @__PURE__ */ new Set([...currentSelection, ...names]));
+        break;
+      case "remove":
+        nextSelection = currentSelection.filter((name) => !names.includes(name));
+        break;
+      case "reset":
+        nextSelection = [];
+        break;
+      default:
+        throw new Error("Unknown profiles action.");
+    }
+    return {
+      ...current,
+      accountPoolProfilePool: action === "reset" || nextSelection.length === availableProfileNames.length ? [] : nextSelection
+    };
+  });
+  if (result.settings.accountPoolProfilePool.length === 0) {
+    console.log("Accounts Pool now uses all saved profiles.");
+    return;
+  }
+  printStringList("Accounts Pool selected profiles", result.settings.accountPoolProfilePool);
+}
+async function handleArraySetting(input) {
+  const action = input.params[1];
+  const { normalized } = await readSettingsSnapshot();
+  const currentValues = normalized[input.key];
+  if (!action || action === "list") {
+    printStringList(input.label, currentValues);
+    return;
+  }
+  const rawValues = getArrayValues(input.params, 2);
+  if ((action === "add" || action === "remove") && rawValues.length === 0) {
+    throw new Error(`Values are required for \`${input.actionName} ${action}\`.`);
+  }
+  const normalizedValues = rawValues.map(input.normalizeValue).filter((value) => Boolean(value));
+  if ((action === "add" || action === "remove") && normalizedValues.length === 0) {
+    throw new Error("No valid values were provided.");
+  }
+  const result = await updateSettings((current) => {
+    const existing = current[input.key];
+    switch (action) {
+      case "add":
+        return {
+          ...current,
+          [input.key]: Array.from(/* @__PURE__ */ new Set([...existing, ...normalizedValues]))
+        };
+      case "remove":
+        return {
+          ...current,
+          [input.key]: existing.filter((value) => !normalizedValues.includes(value))
+        };
+      case "reset":
+        return {
+          ...current,
+          [input.key]: [...input.defaultValues]
+        };
+      default:
+        throw new Error(`Unknown ${input.actionName} action.`);
+    }
+  });
+  printStringList(input.label, result.settings[input.key]);
+}
+async function handleKeys(params, flags) {
+  const action = params[1];
+  const { runtime, stateDir } = resolveStateDir(flags);
+  const baseUrl = resolveBaseUrl(runtime, flags);
+  if (!action || action === "list") {
+    const apiKeys = await listApiKeys(stateDir);
+    if (apiKeys.length === 0) {
+      console.log("No active Accounts Pool API keys.");
+      return;
+    }
+    for (const apiKey of apiKeys) {
+      printApiKeyRow(apiKey);
+    }
+    return;
+  }
+  switch (action) {
+    case "create": {
+      await requireProAccess();
+      const created = await createApiKey(stateDir);
+      console.log(`Created key: ${created.key.id}`);
+      console.log(`Preview: ${created.key.tokenPreview}`);
+      console.log(`Token: ${created.plaintextToken}`);
+      console.log(`Runtime: ${runtime}`);
+      console.log(`State dir: ${stateDir}`);
+      if (baseUrl) {
+        console.log(`Base URL: ${baseUrl}`);
+      } else if (runtime === "desktop") {
+        console.log("Base URL: use the current Accounts Pool URL shown by the running desktop app.");
+      } else if (runtime === "daemon") {
+        console.log("Base URL: pass --port=NNNN here or use the URL printed by `codexuse daemon start`.");
+      }
+      console.log("This key only works for the selected runtime state dir.");
+      console.log("Store this token now. The plaintext value is only shown once.");
+      return;
+    }
+    case "revoke": {
+      const id = params[2]?.trim();
+      if (!id) {
+        throw new Error("API key id is required.");
+      }
+      const removed = await revokeApiKey(stateDir, id);
+      if (!removed) {
+        throw new Error(`No Accounts Pool API key found for id ${id}.`);
+      }
+      console.log(`Revoked key: ${id}`);
+      return;
+    }
+    default:
+      throw new Error("Unknown keys action.");
+  }
+}
+async function handleSessions(params, flags) {
+  const action = params[1];
+  if (action && action !== "list") {
+    throw new Error("Only `sessions list` is supported here. Session mutation stays runtime-owned.");
+  }
+  const { stateDir } = resolveStateDir(flags);
+  const sessions = await listSessions(stateDir);
+  if (sessions.length === 0) {
+    console.log("No pooled sessions in this runtime store.");
+    return;
+  }
+  for (const session of sessions) {
+    printSessionRow(session);
+  }
+  console.log("Session mutation is intentionally not exposed here; pooled sessions belong to the live runtime owner.");
+}
+async function handleAccountPoolCommand(args, version) {
+  const flags = args.filter((arg) => arg.startsWith("-"));
+  const params = stripFlags(args);
+  const sub = params[0];
+  if (!sub || hasFlag(flags, "--help") || hasFlag(flags, "-h")) {
+    printAccountPoolHelp(version);
+    return;
+  }
+  switch (sub) {
+    case "status":
+      await handleStatus(flags);
+      return;
+    case "enable":
+      await handleEnable();
+      return;
+    case "disable":
+      await handleDisable();
+      return;
+    case "routing":
+      await handleRouting(params);
+      return;
+    case "profiles":
+      await handleProfiles(params);
+      return;
+    case "models":
+      await handleArraySetting({
+        label: "Published models",
+        actionName: "models",
+        params,
+        key: "accountPoolExposedModels",
+        defaultValues: DEFAULT_ACCOUNT_POOL_EXPOSED_MODELS,
+        normalizeValue: (value) => normalizeCodexModelSlug(value) ?? asString3(value)
+      });
+      return;
+    case "reasoning":
+      await handleArraySetting({
+        label: "Reasoning aliases",
+        actionName: "reasoning",
+        params,
+        key: "accountPoolExposedReasoningEfforts",
+        defaultValues: DEFAULT_ACCOUNT_POOL_EXPOSED_REASONING_EFFORTS,
+        normalizeValue: (value) => normalizeReasoningEffort(value)
+      });
+      return;
+    case "fast-mode":
+      await handleArraySetting({
+        label: "Fast-mode aliases",
+        actionName: "fast-mode",
+        params,
+        key: "accountPoolExposedFastModeReasoningEfforts",
+        defaultValues: DEFAULT_ACCOUNT_POOL_EXPOSED_FAST_MODE_REASONING_EFFORTS,
+        normalizeValue: (value) => normalizeReasoningEffort(value)
+      });
+      return;
+    case "keys":
+      await handleKeys(params, flags);
+      return;
+    case "sessions":
+      await handleSessions(params, flags);
+      return;
+    default:
+      printHelp(version);
+      return;
+  }
+}
+
+// src/commands/daemon.ts
+var import_node_child_process4 = require("child_process");
+var import_node_crypto5 = require("crypto");
+var import_node_fs6 = __toESM(require("fs"));
+var import_node_net = __toESM(require("net"));
+var import_node_os4 = __toESM(require("os"));
+var import_node_path9 = __toESM(require("path"));
+
+// ../../packages/shared/src/core/internal-js-runtime.ts
+var import_node_child_process3 = require("child_process");
+var import_node_path8 = __toESM(require("path"), 1);
+var cachedBunBinary = null;
+function hasBunRuntime() {
+  return typeof process.versions.bun === "string" && process.versions.bun.length > 0;
+}
+function buildRuntimePath(env) {
+  const homeDir = env.HOME ?? env.USERPROFILE ?? "";
+  const pathHints = (env.CODEX_PATH_HINTS ?? "").split(import_node_path8.default.delimiter).map((entry) => entry.trim()).filter(Boolean);
+  const entries = [
+    env.PATH ?? "",
+    import_node_path8.default.join(homeDir, ".bun", "bin"),
+    "/opt/homebrew/bin",
+    "/usr/local/bin",
+    import_node_path8.default.join(homeDir, ".local", "bin"),
+    import_node_path8.default.join(homeDir, ".fnm", "aliases", "default", "bin"),
+    import_node_path8.default.join(homeDir, ".fnm", "current", "bin"),
+    ...pathHints
+  ];
+  return Array.from(
+    new Set(
+      entries.flatMap((entry) => entry.split(import_node_path8.default.delimiter)).map((entry) => entry.trim()).filter(Boolean)
+    )
+  ).join(import_node_path8.default.delimiter);
+}
+function resolveConfiguredBunBinary(env) {
+  const candidates = [
+    env.CODEXUSE_INTERNAL_BUN_BIN,
+    env.BUN_BIN,
+    process.env.CODEXUSE_INTERNAL_BUN_BIN,
+    process.env.BUN_BIN
+  ];
+  for (const candidate of candidates) {
+    const normalized = candidate?.trim() ?? "";
+    if (normalized.length > 0) {
+      return normalized;
+    }
+  }
+  return null;
+}
+function probeBunBinary(env) {
+  if (hasBunRuntime()) {
+    return process.execPath;
+  }
+  if (cachedBunBinary) {
+    return cachedBunBinary;
+  }
+  const homeDir = env.HOME ?? env.USERPROFILE ?? "";
+  const candidates = Array.from(
+    new Set(
+      [
+        env.CODEXUSE_INTERNAL_BUN_BIN?.trim(),
+        env.BUN_BIN?.trim(),
+        import_node_path8.default.join(homeDir, ".bun", "bin", "bun"),
+        "/opt/homebrew/bin/bun",
+        "/usr/local/bin/bun",
+        "bun"
+      ].filter((candidate) => typeof candidate === "string" && candidate.length > 0)
+    )
+  );
+  for (const candidate of candidates) {
+    const probe = (0, import_node_child_process3.spawnSync)(candidate, ["--version"], {
+      env,
+      stdio: "ignore"
+    });
+    if (!probe.error && probe.status === 0) {
+      cachedBunBinary = candidate;
+      return candidate;
+    }
+  }
+  return null;
+}
+function resolveInternalBunRuntime(overrides = {}) {
+  const env = {
+    ...process.env,
+    ...overrides
+  };
+  env.PATH = buildRuntimePath(env);
+  const runtimeBin = hasBunRuntime() ? process.execPath : resolveConfiguredBunBinary(env) ?? probeBunBinary(env);
+  if (!runtimeBin) {
+    throw new Error(
+      "CodexUse desktop requires a Bun runtime to launch internal services. Install Bun or set CODEXUSE_INTERNAL_BUN_BIN."
+    );
+  }
+  delete env.ELECTRON_RUN_AS_NODE;
+  return {
+    bin: runtimeBin,
+    env
+  };
+}
+
+// src/commands/daemon.ts
+function normalizeTelegramBotToken(value) {
+  const trimmed = value?.trim() ?? "";
+  return trimmed.length > 0 ? trimmed : null;
+}
+function printDaemonHelp(version) {
+  console.log(`CodexUse CLI v${version}
+
+Usage:
+  codexuse daemon start [--port=NNNN] [--telegram-bot-token=<token>] [--project-path=/abs/path]
+
+Notes:
+  - Runs the T3 Projects/chat server in headless mode.
+  - The same daemon can serve Accounts Pool and Telegram remote control.
+  - Requires Bun on PATH because the bundled Projects server runs on Bun.
+  - Pass --port to keep a stable local API URL for Accounts Pool or other local clients.
+  - Pass --telegram-bot-token or set CODEXUSE_TELEGRAM_BOT_TOKEN to enable Telegram remote control.
+  - --project-path bootstraps that folder as the default project/thread.
+  - Stop with Ctrl+C or SIGTERM.
+`);
+}
+function resolveServerEntry() {
+  const candidates = [
+    import_node_path9.default.resolve(__dirname, "server", "index.mjs"),
+    import_node_path9.default.resolve(__dirname, "../../../server/dist/index.mjs")
+  ];
+  for (const candidate of candidates) {
+    if (import_node_fs6.default.existsSync(candidate)) {
+      return candidate;
+    }
+  }
+  return candidates[0];
+}
+function resolveStateDir2() {
+  return import_node_path9.default.join(import_node_os4.default.homedir(), ".codexuse", "t3-daemon");
+}
+function reserveLoopbackPort(port = 0) {
+  return new Promise((resolve, reject) => {
+    const server = import_node_net.default.createServer();
+    server.unref();
+    server.once("error", reject);
+    server.listen(port, "127.0.0.1", () => {
+      const address = server.address();
+      const port2 = typeof address === "object" && address ? address.port : null;
+      server.close((error) => {
+        if (error) {
+          reject(error);
+          return;
+        }
+        if (typeof port2 !== "number") {
+          reject(new Error("Failed to reserve a loopback port for the Projects server."));
+          return;
+        }
+        resolve(port2);
+      });
+    });
+  });
+}
+async function runDaemonStart(options) {
+  const entry = resolveServerEntry();
+  if (!import_node_fs6.default.existsSync(entry)) {
+    throw new Error(
+      `Missing bundled T3 server build output at ${entry}. Rebuild the CLI package with \`bun run build:cli\`.`
+    );
+  }
+  if (options.port !== null && (!Number.isFinite(options.port) || options.port < 1 || options.port > 65535)) {
+    throw new Error("Daemon port must be an integer between 1 and 65535.");
+  }
+  const port = await reserveLoopbackPort(options.port ?? 0);
+  const authToken = (0, import_node_crypto5.randomBytes)(24).toString("hex");
+  const stateDir = resolveStateDir2();
+  const projectPath = options.projectPath ? import_node_path9.default.resolve(options.projectPath) : null;
+  const childCwd = projectPath ?? process.cwd();
+  const telegramBotToken = options.telegramBotToken?.trim() || null;
+  const runtime = resolveInternalBunRuntime({
+    T3CODE_MODE: "desktop",
+    T3CODE_HOST: "127.0.0.1",
+    T3CODE_PORT: String(port),
+    T3CODE_NO_BROWSER: "1",
+    T3CODE_AUTH_TOKEN: authToken,
+    T3CODE_STATE_DIR: stateDir,
+    T3CODE_AUTO_BOOTSTRAP_PROJECT_FROM_CWD: projectPath ? "1" : "0",
+    CODEXUSE_TELEGRAM_RUNTIME_OWNER: "daemon",
+    ...telegramBotToken ? {
+      CODEXUSE_TELEGRAM_BOT_TOKEN: telegramBotToken,
+      CODEXUSE_TELEGRAM_BRIDGE_ENABLED: "1"
+    } : {}
+  });
+  const child = (0, import_node_child_process4.spawn)(runtime.bin, [entry], {
+    cwd: childCwd,
+    env: runtime.env,
+    stdio: "inherit"
+  });
+  console.log(`Daemon started. Projects server listening on http://127.0.0.1:${port}`);
+  console.log(`State dir: ${stateDir}`);
+  if (projectPath) {
+    console.log(`Bootstrapped project path: ${projectPath}`);
+  }
+  if (telegramBotToken) {
+    console.log("Telegram remote control enabled for this daemon session.");
+  }
+  const accountPool = await readAccountPoolRuntimeSummary({
+    runtime: "daemon",
+    stateDir,
+    port
+  });
+  if (accountPool.enabled && accountPool.hasProLicense) {
+    console.log(`Accounts Pool base URL: ${accountPool.baseUrl ?? `http://127.0.0.1:${port}`}`);
+    if (accountPool.activeApiKeyCount > 0) {
+      console.log(`Accounts Pool active keys: ${accountPool.activeApiKeyCount}`);
+    } else {
+      console.log("Accounts Pool is enabled, but this daemon has no runtime key yet. Create one with `codexuse account-pool keys create --runtime=daemon`.");
+    }
+  } else if (accountPool.enabled) {
+    console.log("Accounts Pool is configured, but Pro is required before this daemon can serve it.");
+  } else {
+    console.log("Accounts Pool is disabled for this daemon. Enable it with `codexuse account-pool enable`.");
+  }
+  if (options.port === null) {
+    console.log("Tip: pass --port=3773 (or another fixed port) if another local client should keep one stable base URL.");
+  }
+  console.log("Running until SIGINT/SIGTERM...");
+  await waitForChild(child);
+}
+function waitForChild(child) {
+  return new Promise((resolve, reject) => {
+    let stopping = false;
+    const stop = (signal) => {
+      if (stopping) {
+        return;
+      }
+      stopping = true;
+      child.kill(signal);
+    };
+    const onSigInt = () => stop("SIGINT");
+    const onSigTerm = () => stop("SIGTERM");
+    process.once("SIGINT", onSigInt);
+    process.once("SIGTERM", onSigTerm);
+    child.once("exit", (code, signal) => {
+      process.off("SIGINT", onSigInt);
+      process.off("SIGTERM", onSigTerm);
+      if (code === 0 || stopping) {
+        resolve();
+        return;
+      }
+      reject(
+        new Error(
+          `Projects server exited unexpectedly (code=${code ?? "null"}, signal=${signal ?? "null"}).`
+        )
+      );
+    });
+    child.once("error", (error) => {
+      process.off("SIGINT", onSigInt);
+      process.off("SIGTERM", onSigTerm);
+      reject(error);
+    });
+  });
+}
+async function handleDaemonCommand(args, version) {
+  const flags = args.filter((arg) => arg.startsWith("-"));
+  const params = stripFlags(args);
+  const sub = params[0];
+  if (!sub || hasFlag(flags, "--help") || hasFlag(flags, "-h")) {
+    printDaemonHelp(version);
+    return;
+  }
+  switch (sub) {
+    case "start": {
+      const port = parseIntegerFlag(flags, "--port");
+      const projectPath = parseStringFlag(flags, "--project-path") ?? parseStringFlag(flags, "--project") ?? null;
+      const telegramBotToken = parseStringFlag(flags, "--telegram-bot-token") ?? normalizeTelegramBotToken(process.env.CODEXUSE_TELEGRAM_BOT_TOKEN) ?? null;
+      await runDaemonStart({
+        projectPath,
+        port,
+        telegramBotToken,
+        version
+      });
+      return;
     }
-    return {
-      name: record.name,
-      displayName: record.displayName,
-      email: record.email,
-      accountId: record.accountId,
-      workspaceId: record.workspaceId,
-      workspaceName: record.workspaceName,
-      authMethod: record.authMethod,
-      createdAt: record.createdAt,
-      metadata: record.metadata,
-      exportedAt: (/* @__PURE__ */ new Date()).toISOString()
-    };
+    default:
+      printDaemonHelp(version);
+      return;
   }
-  /**
-   * Export profiles for cloud sync (includes token-bearing auth data).
-   */
-  async exportProfilesForCloudSync() {
-    await this.initialize();
-    const records = await this.listProfileRecords();
-    return records.map((record) => ({
-      name: record.name,
-      displayName: record.displayName,
-      data: record.data,
-      metadata: record.metadata,
-      accountId: record.accountId,
-      workspaceId: record.workspaceId,
-      workspaceName: record.workspaceName,
-      email: record.email,
-      authMethod: record.authMethod,
-      createdAt: record.createdAt,
-      updatedAt: record.updatedAt
-    }));
+}
+
+// src/commands/license.ts
+async function handleLicense(args, version) {
+  const flags = args.filter((arg) => arg.startsWith("-"));
+  const params = stripFlags(args);
+  const sub = params[0];
+  if (!sub || hasFlag(flags, "--help") || hasFlag(flags, "-h")) {
+    printHelp(version);
+    return;
   }
-  /**
-   * Replace local profiles with a full snapshot from cloud sync.
-   */
-  async replaceProfilesFromCloudSync(records) {
-    await this.initialize();
-    const now = (/* @__PURE__ */ new Date()).toISOString();
-    const normalized = /* @__PURE__ */ new Map();
-    const existingMap = await this.readProfilesStateMap();
-    const existingNames = new Set(Object.keys(existingMap));
-    for (const candidate of records ?? []) {
-      try {
-        const name = this.normalizeProfileName(candidate?.name ?? "");
-        const data = candidate && typeof candidate.data === "object" && candidate.data !== null ? candidate.data : null;
-        if (!data) {
-          continue;
-        }
-        const metadata = candidate.metadata && typeof candidate.metadata === "object" ? candidate.metadata : void 0;
-        const record = {
-          name,
-          displayName: typeof candidate.displayName === "string" ? candidate.displayName : null,
-          data,
-          metadata,
-          accountId: typeof candidate.accountId === "string" ? candidate.accountId : null,
-          workspaceId: typeof candidate.workspaceId === "string" ? candidate.workspaceId : null,
-          workspaceName: typeof candidate.workspaceName === "string" ? candidate.workspaceName : null,
-          email: typeof candidate.email === "string" ? candidate.email : null,
-          authMethod: typeof candidate.authMethod === "string" ? candidate.authMethod : this.resolveAuthMethod(data),
-          createdAt: typeof candidate.createdAt === "string" ? candidate.createdAt : now,
-          updatedAt: typeof candidate.updatedAt === "string" ? candidate.updatedAt : now
-        };
-        normalized.set(name, record);
-      } catch {
+  switch (sub) {
+    case "status": {
+      const forceRefresh = hasFlag(flags, "--refresh");
+      const status = await licenseService.getStatus({ forceRefresh });
+      console.log(`Tier: ${status.tier}`);
+      console.log(`State: ${status.state}`);
+      if (status.profileLimit !== null) {
+        console.log(`Profile limit: ${status.profileLimit}`);
       }
-    }
-    const nextMap = {};
-    for (const record of normalized.values()) {
-      nextMap[record.name] = this.toStateRecord(record);
-    }
-    await this.writeProfilesStateMap(nextMap);
-    let removed = 0;
-    for (const name of existingNames) {
-      if (normalized.has(name)) {
-        continue;
+      if (status.profilesRemaining !== null) {
+        console.log(`Profiles remaining: ${status.profilesRemaining}`);
       }
-      try {
-        await import_fs.promises.rm(this.getProfileHomePath(name), { recursive: true, force: true });
-        removed += 1;
-      } catch (error) {
-        if (!this.isNotFoundError(error)) {
-          logWarn(`Failed to remove profile '${name}' during cloud sync replace:`, error);
-        }
+      if (status.purchaseEmail) {
+        console.log(`Email: ${status.purchaseEmail}`);
+      }
+      if (status.maskedLicenseKey) {
+        console.log(`License: ${status.maskedLicenseKey}`);
+      }
+      if (status.message) {
+        console.log(`Message: ${status.message}`);
+      }
+      if (status.error) {
+        console.log(`Error: ${status.error}`);
       }
+      return;
     }
-    const preferred = await this.readPreferredProfileName();
-    if (preferred) {
-      try {
-        const normalizedPreferred = this.normalizeProfileName(preferred);
-        if (!normalized.has(normalizedPreferred)) {
-          await this.persistPreferredProfileName(null);
-        }
-      } catch {
-        await this.persistPreferredProfileName(null);
+    case "activate": {
+      const key = params[1];
+      if (!key) {
+        throw new Error("License key is required.");
       }
+      const status = await licenseService.activate(key);
+      console.log(status.message ?? "License activated.");
+      return;
     }
-    return {
-      imported: normalized.size,
-      removed
-    };
+    default:
+      printHelp(version);
   }
-};
+}
 
 // ../../packages/runtime-profiles/src/license/guard.ts
 async function assertProfileCreationAllowed(profileManager) {
@@ -5842,15 +7220,15 @@ function maxUsedPercent(snapshot) {
 }
 
 // src/platform/codexCli.ts
-var import_node_child_process4 = require("child_process");
-var import_node_fs6 = require("fs");
-var import_node_path7 = __toESM(require("path"));
+var import_node_child_process5 = require("child_process");
+var import_node_fs7 = require("fs");
+var import_node_path10 = __toESM(require("path"));
 var ENV_HINTS2 = ["CODEX_BINARY", "CODEX_CLI_PATH", "CODEX_PATH"];
 function fileExists2(candidate) {
   if (!candidate) return null;
-  const resolved = import_node_path7.default.resolve(candidate);
+  const resolved = import_node_path10.default.resolve(candidate);
   try {
-    const stat2 = (0, import_node_fs6.statSync)(resolved);
+    const stat2 = (0, import_node_fs7.statSync)(resolved);
     if (stat2.isFile()) return resolved;
   } catch {
     return null;
@@ -5868,11 +7246,11 @@ function resolveFromEnv() {
 }
 function resolveFromPath() {
   const pathValue = process.env.PATH ?? "";
-  const entries = pathValue.split(import_node_path7.default.delimiter).filter(Boolean);
+  const entries = pathValue.split(import_node_path10.default.delimiter).filter(Boolean);
   const names = process.platform === "win32" ? ["codex.exe", "codex.cmd", "codex.bat", "codex"] : ["codex"];
   for (const entry of entries) {
     for (const name of names) {
-      const candidate = fileExists2(import_node_path7.default.join(entry, name));
+      const candidate = fileExists2(import_node_path10.default.join(entry, name));
       if (candidate) return candidate;
     }
   }
@@ -5888,7 +7266,7 @@ function requireCodexBinary(context) {
   const message = context ? `${context} ${hint}` : hint;
   throw new Error(message);
 }
-function buildCodexCommand(codexPath, args) {
+function buildCodexCommand2(codexPath, args) {
   const normalized = codexPath.toLowerCase();
   const isJs = normalized.endsWith(".js");
   if (isJs) {
@@ -5920,8 +7298,8 @@ async function runCodexLogin(mode) {
   const codexPath = requireCodexBinary("Codex CLI is required to login.");
   const resolvedMode = resolveLoginMode(mode ?? null);
   const loginArgs = resolvedMode === "device" ? ["login", "--device-auth"] : ["login"];
-  const { command, args, shell } = buildCodexCommand(codexPath, loginArgs);
-  const child = (0, import_node_child_process4.spawn)(command, args, {
+  const { command, args, shell } = buildCodexCommand2(codexPath, loginArgs);
+  const child = (0, import_node_child_process5.spawn)(command, args, {
     stdio: "inherit",
     env: process.env,
     shell
@@ -5942,7 +7320,7 @@ function formatProfileLabel(name, displayName) {
   return name;
 }
 function profileRateLimitKey(profile) {
-  return profile.accountId ?? `profile:${profile.name}`;
+  return resolveProfileIdentityKeyFromProfile(profile);
 }
 function toTitleCase(value) {
   return value.replace(/\w\S*/g, (word) => word.charAt(0).toUpperCase() + word.slice(1).toLowerCase());
@@ -6429,9 +7807,9 @@ function delay(ms) {
 }
 async function handleProfileCommand(args, version) {
   const flags = args.filter((arg) => arg.startsWith("-"));
-  const params = stripFlags2(args);
+  const params = stripFlags(args);
   const sub = params[0];
-  if (!sub || hasFlag2(flags, "--help") || hasFlag2(flags, "-h")) {
+  if (!sub || hasFlag(flags, "--help") || hasFlag(flags, "-h")) {
     printHelp(version);
     return;
   }
@@ -6444,8 +7822,8 @@ async function handleProfileCommand(args, version) {
         console.log("No profiles found.");
         return;
       }
-      const compact = hasFlag2(flags, "--compact");
-      const withUsage = !hasFlag2(flags, "--no-usage");
+      const compact = hasFlag(flags, "--compact");
+      const withUsage = !hasFlag(flags, "--no-usage");
       let usageMap = null;
       if (withUsage) {
         const codexPath = resolveCodexBinary();
@@ -6491,7 +7869,7 @@ async function handleProfileCommand(args, version) {
         throw new Error("Profile name is required.");
       }
       await assertProfileCreationAllowed(manager);
-      if (!hasFlag2(flags, "--skip-login")) {
+      if (!hasFlag(flags, "--skip-login")) {
         const loginMode = resolveLoginMode(parseLoginMode(flags));
         await runCodexLogin(loginMode);
       }
@@ -6505,7 +7883,7 @@ async function handleProfileCommand(args, version) {
       if (!name) {
         throw new Error("Profile name is required.");
       }
-      if (!hasFlag2(flags, "--skip-login")) {
+      if (!hasFlag(flags, "--skip-login")) {
         const loginMode = resolveLoginMode(parseLoginMode(flags));
         await runCodexLogin(loginMode);
       }
@@ -6525,8 +7903,8 @@ async function handleProfileCommand(args, version) {
     }
     case "autoroll":
     case "auto-roll": {
-      const watch = hasFlag2(flags, "--watch");
-      const dryRun = hasFlag2(flags, "--dry-run");
+      const watch = hasFlag(flags, "--watch");
+      const dryRun = hasFlag(flags, "--dry-run");
       const settings = await getStoredAutoRollSettings().catch(() => null);
       const fallbackThreshold = typeof settings?.switchThreshold === "number" && Number.isFinite(settings.switchThreshold) ? Math.round(settings.switchThreshold) : DEFAULT_AUTOROLL_THRESHOLD;
       const threshold = parseAutoRollThreshold(flags, fallbackThreshold);
@@ -6581,8 +7959,8 @@ async function handleProfileCommand(args, version) {
 }
 
 // ../../packages/runtime-profiles/src/cloud-sync/service.ts
-var import_node_fs7 = require("fs");
-var import_node_path11 = __toESM(require("path"), 1);
+var import_node_fs8 = require("fs");
+var import_node_path14 = __toESM(require("path"), 1);
 
 // ../../packages/contracts/src/cloud-sync/types.ts
 var CLOUD_SYNC_SCHEMA_VERSION = 1;
@@ -6742,9 +8120,9 @@ async function pushRemoteSnapshot(licenseKey, snapshot, options) {
 var import_toml2 = __toESM(require_toml(), 1);
 
 // ../../packages/runtime-codex/src/codex/config-metadata.ts
-var import_node_child_process5 = require("child_process");
+var import_node_child_process6 = require("child_process");
 var import_promises = require("fs/promises");
-var import_node_path8 = __toESM(require("path"), 1);
+var import_node_path11 = __toESM(require("path"), 1);
 var CONFIG_SCHEMA_URL = "https://raw.githubusercontent.com/openai/codex/main/codex-rs/core/config.schema.json";
 var METADATA_CACHE_TTL_MS = 6e4;
 var FALLBACK_SCHEMA_TOP_LEVEL_KEYS = [
@@ -6854,7 +8232,7 @@ function uniqueSorted(values) {
 }
 async function runCommand(command, args, timeoutMs = 3e3) {
   return new Promise((resolve, reject) => {
-    const child = (0, import_node_child_process5.spawn)(command, args, {
+    const child = (0, import_node_child_process6.spawn)(command, args, {
       stdio: ["ignore", "pipe", "pipe"],
       env: process.env
     });
@@ -6930,8 +8308,8 @@ function parseSchemaKeys(schemaRaw) {
 async function readSchemaFromLocal() {
   const candidates = [
     process.env.CODEX_CONFIG_SCHEMA_PATH,
-    import_node_path8.default.join(process.cwd(), "codex-rs", "core", "config.schema.json"),
-    import_node_path8.default.join(process.cwd(), "node_modules", "@openai", "codex", "codex-rs", "core", "config.schema.json")
+    import_node_path11.default.join(process.cwd(), "codex-rs", "core", "config.schema.json"),
+    import_node_path11.default.join(process.cwd(), "node_modules", "@openai", "codex", "codex-rs", "core", "config.schema.json")
   ].filter((candidate) => Boolean(candidate));
   for (const candidate of candidates) {
     try {
@@ -7036,20 +8414,20 @@ async function getCodexConfigMetadata(forceRefresh = false) {
 
 // ../../packages/runtime-codex/src/codex/config-io.ts
 var import_promises2 = require("fs/promises");
-var import_node_path10 = __toESM(require("path"), 1);
+var import_node_path13 = __toESM(require("path"), 1);
 
 // ../../packages/runtime-codex/src/codex/home.ts
-var import_node_os4 = __toESM(require("os"), 1);
-var import_node_path9 = __toESM(require("path"), 1);
+var import_node_os5 = __toESM(require("os"), 1);
+var import_node_path12 = __toESM(require("path"), 1);
 function resolveHomeDir() {
-  return process.env.HOME || process.env.USERPROFILE || import_node_os4.default.homedir();
+  return process.env.HOME || process.env.USERPROFILE || import_node_os5.default.homedir();
 }
 function expandHomePrefix(input, homeDir) {
   if (input === "~") {
     return homeDir;
   }
   if (input.startsWith("~/") || input.startsWith("~\\")) {
-    return import_node_path9.default.join(homeDir, input.slice(2));
+    return import_node_path12.default.join(homeDir, input.slice(2));
   }
   return input;
 }
@@ -7065,13 +8443,13 @@ function normalizeCodexHomePath(input) {
   if (!configured) {
     return null;
   }
-  return import_node_path9.default.resolve(expandHomePrefix(configured, resolveHomeDir()));
+  return import_node_path12.default.resolve(expandHomePrefix(configured, resolveHomeDir()));
 }
 function resolveDefaultCodexHomeDir() {
-  return import_node_path9.default.join(resolveHomeDir(), ".codex");
+  return import_node_path12.default.join(resolveHomeDir(), ".codex");
 }
 function resolveProfileCodexHomeDir(profileName) {
-  return import_node_path9.default.join(getUserDataDir(), "profile-homes", profileName);
+  return import_node_path12.default.join(getUserDataDir(), "profile-homes", profileName);
 }
 function resolveCodexHomeDir(options) {
   return normalizeCodexHomePath(options?.codexHomePath) ?? resolveDefaultCodexHomeDir();
@@ -7152,10 +8530,10 @@ var YOLO_PRESET = {
 
 // ../../packages/runtime-codex/src/codex/config-io.ts
 function getConfigPath(options) {
-  return import_node_path10.default.join(resolveCodexHomeDir(options), "config.toml");
+  return import_node_path13.default.join(resolveCodexHomeDir(options), "config.toml");
 }
 async function ensureConfigDirExists(filePath) {
-  const dir = import_node_path10.default.dirname(filePath);
+  const dir = import_node_path13.default.dirname(filePath);
   await (0, import_promises2.mkdir)(dir, { recursive: true });
 }
 function normalizeLineEndings2(content) {
@@ -7214,41 +8592,171 @@ function stripAnsi(value) {
 function normalizeWhitespace(value) {
   return value.replace(/\s+/g, " ").trim();
 }
-function formatUserFacingError(error, options = {}) {
-  const fallback = options.fallback ?? "Something went wrong. Please try again.";
+function compactErrorText(value, maxLength = 220) {
+  if (!value) {
+    return "";
+  }
+  const cleaned = normalizeWhitespace(stripAnsi(String(value)));
+  if (!cleaned) {
+    return "";
+  }
+  if (cleaned.length <= maxLength) {
+    return cleaned;
+  }
+  return `${cleaned.slice(0, maxLength).trimEnd()}\u2026`;
+}
+function createErrorReferenceId() {
+  return `${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 6)}`.toUpperCase();
+}
+function serializeUnknownError(value) {
+  if (typeof value === "string") {
+    return value;
+  }
+  if (value instanceof Error) {
+    return value.stack ?? value.message;
+  }
+  try {
+    return JSON.stringify(value, null, 2);
+  } catch {
+    return String(value);
+  }
+}
+function extractRawMessage(error) {
   if (error === null || typeof error === "undefined") {
-    return fallback;
+    return "";
+  }
+  if (typeof error === "string") {
+    return error;
   }
-  const rawMessage = typeof error === "string" ? error : error instanceof Error ? error.message : String(error);
+  if (error instanceof Error) {
+    return error.message;
+  }
+  return String(error);
+}
+function normalizeRawMessage(rawMessage) {
   let cleaned = normalizeWhitespace(stripAnsi(rawMessage));
   if (!cleaned) {
-    return fallback;
+    return "";
   }
   if (cleaned.startsWith("Error invoking remote method")) {
     cleaned = cleaned.replace(/^Error invoking remote method '[^']+': Error: /, "");
   }
+  if (cleaned.toLowerCase().includes("openai codex") && cleaned.toLowerCase().includes("workdir:")) {
+    const parts = cleaned.split(/error:/i);
+    if (parts.length > 1) {
+      return parts[parts.length - 1]?.trim() ?? cleaned;
+    }
+  }
+  return cleaned;
+}
+function resolveCategory(cleaned, options) {
   const lower = cleaned.toLowerCase();
   if (options.notFoundFallback && (lower.includes("enoent") || lower.includes("not found"))) {
-    return options.notFoundFallback;
+    return {
+      code: "ERR_NOT_FOUND",
+      title: "We couldn't find that item",
+      message: options.notFoundFallback,
+      recovery: "Check the path or selection, then try again.",
+      retryable: true
+    };
   }
   if (lower.includes("rate limit") || lower.includes("quota exceeded") || lower.includes("too many requests") || lower.includes("429")) {
-    cleaned = "Rate limit exceeded. Please wait a moment or upgrade your plan.";
-  } else if (lower.includes("timeout") || lower.includes("timed out")) {
-    cleaned = "Request timed out. Check your connection and try again.";
-  } else if (lower.includes("network") || lower.includes("econn") || lower.includes("networkerror") || lower.includes("connection")) {
-    cleaned = "Network issue. Check your connection and retry.";
-  } else if (lower.includes("permission") || lower.includes("eacces")) {
-    cleaned = "Permission denied. Restart CodexUse and retry.";
-  } else if (lower.includes("openai codex") && lower.includes("workdir:")) {
-    if (lower.includes("error:")) {
-      const parts = cleaned.split(/error:/i);
-      if (parts.length > 1) {
-        cleaned = parts[parts.length - 1].trim();
-      }
-    } else {
-      cleaned = "Codex CLI failed to respond. Please try again.";
-    }
+    return {
+      code: "ERR_RATE_LIMIT",
+      title: "Rate limit reached",
+      message: "The provider is rate limited right now.",
+      recovery: "Wait a moment, switch profiles, or try again.",
+      retryable: true
+    };
+  }
+  if (lower.includes("timeout") || lower.includes("timed out")) {
+    return {
+      code: "ERR_TIMEOUT",
+      title: "Request timed out",
+      message: "The operation took too long to finish.",
+      recovery: "Check the connection and try again.",
+      retryable: true
+    };
+  }
+  if (lower.includes("network") || lower.includes("econn") || lower.includes("networkerror") || lower.includes("connection refused") || lower.includes("socket hang up")) {
+    return {
+      code: "ERR_NETWORK",
+      title: "Can't reach the service",
+      message: "CodexUse couldn't connect to the required service.",
+      recovery: "Check your internet or local server connection, then retry.",
+      retryable: true
+    };
+  }
+  if (lower.includes("token_invalidated") || lower.includes("session invalidated") || lower.includes("session expired") || lower.includes("refresh token") || lower.includes("unauthorized") || lower.includes("401")) {
+    return {
+      code: "ERR_AUTH",
+      title: "Sign-in expired",
+      message: "This account needs to sign in again.",
+      recovery: "Reconnect the profile, then retry the action.",
+      retryable: true
+    };
+  }
+  if (lower.includes("permission") || lower.includes("eacces") || lower.includes("operation not permitted")) {
+    return {
+      code: "ERR_PERMISSION",
+      title: "Permission denied",
+      message: "CodexUse doesn't have permission to do that.",
+      recovery: "Check the file permissions or restart the app and try again.",
+      retryable: true
+    };
+  }
+  if (lower.includes("enospc") || lower.includes("disk full") || lower.includes("no space left")) {
+    return {
+      code: "ERR_DISK_FULL",
+      title: "Disk is full",
+      message: "CodexUse couldn't save data because the disk is full.",
+      recovery: "Free up disk space, then try again.",
+      retryable: true
+    };
   }
+  if (lower.includes("codex cli") || lower.includes("command not found") || lower.includes("spawn codex") || lower.includes("could not find codex")) {
+    return {
+      code: "ERR_CLI_UNAVAILABLE",
+      title: "Codex CLI unavailable",
+      message: "CodexUse couldn't start the Codex CLI.",
+      recovery: "Check Runtime > Codex and confirm the CLI is installed correctly.",
+      retryable: true
+    };
+  }
+  if (lower.includes("provider") || lower.includes("model") || lower.includes("openai") || lower.includes("anthropic")) {
+    return {
+      code: "ERR_PROVIDER",
+      title: "Provider request failed",
+      message: "The AI provider rejected or failed the request.",
+      recovery: "Try again, or switch the active profile or model.",
+      retryable: true
+    };
+  }
+  return {
+    code: "ERR_UNKNOWN",
+    title: "Something went wrong",
+    message: options.fallback,
+    recovery: "Try again. If it keeps happening, report the error with the reference below.",
+    retryable: true
+  };
+}
+function resolveUserFacingError(error, options = {}) {
+  const fallback = options.fallback ?? "Something went wrong. Please try again.";
+  const rawMessage = extractRawMessage(error);
+  const cleaned = normalizeRawMessage(rawMessage);
+  const category = resolveCategory(cleaned, {
+    fallback,
+    ...options.notFoundFallback ? { notFoundFallback: options.notFoundFallback } : {}
+  });
+  return {
+    ...category,
+    referenceId: createErrorReferenceId(),
+    technicalMessage: compactErrorText(cleaned || rawMessage || fallback, 400),
+    technicalDetails: compactErrorText(serializeUnknownError(error), 4e3)
+  };
+}
+function formatUserFacingError(error, options = {}) {
+  let cleaned = resolveUserFacingError(error, options).message;
   const maxLength = typeof options.maxLength === "number" ? options.maxLength : 220;
   if (cleaned.length > maxLength) {
     cleaned = `${cleaned.slice(0, maxLength).trimEnd()}\u2026`;
@@ -7679,13 +9187,13 @@ function formatMegabytes(bytes) {
   return (bytes / MB_DIVISOR).toFixed(2);
 }
 function resolveSyncBackupsDir() {
-  return import_node_path11.default.join(getUserDataDir(), SYNC_BACKUP_DIR);
+  return import_node_path14.default.join(getUserDataDir(), SYNC_BACKUP_DIR);
 }
 function toSafeIsoForFileName(iso) {
   return iso.replace(/:/g, "-");
 }
 async function pruneOldPrePullBackups(backupsDir) {
-  const entries = await import_node_fs7.promises.readdir(backupsDir, { withFileTypes: true });
+  const entries = await import_node_fs8.promises.readdir(backupsDir, { withFileTypes: true });
   const files = entries.filter(
     (entry) => entry.isFile() && entry.name.startsWith(PRE_PULL_BACKUP_PREFIX) && entry.name.endsWith(PRE_PULL_BACKUP_SUFFIX)
   ).map((entry) => entry.name).sort((a, b) => b.localeCompare(a));
@@ -7693,7 +9201,7 @@ async function pruneOldPrePullBackups(backupsDir) {
     return;
   }
   for (const stale of files.slice(PRE_PULL_BACKUP_KEEP_COUNT)) {
-    await import_node_fs7.promises.rm(import_node_path11.default.join(backupsDir, stale), { force: true });
+    await import_node_fs8.promises.rm(import_node_path14.default.join(backupsDir, stale), { force: true });
   }
 }
 async function createPrePullBackup(profileManager) {
@@ -7701,13 +9209,13 @@ async function createPrePullBackup(profileManager) {
     enforcePushGuards: false
   });
   const backupsDir = resolveSyncBackupsDir();
-  await import_node_fs7.promises.mkdir(backupsDir, { recursive: true });
+  await import_node_fs8.promises.mkdir(backupsDir, { recursive: true });
   const timestamp = toSafeIsoForFileName((/* @__PURE__ */ new Date()).toISOString());
-  const backupPath = import_node_path11.default.join(
+  const backupPath = import_node_path14.default.join(
     backupsDir,
     `${PRE_PULL_BACKUP_PREFIX}${timestamp}${PRE_PULL_BACKUP_SUFFIX}`
   );
-  await import_node_fs7.promises.writeFile(backupPath, `${JSON.stringify(snapshot, null, 2)}
+  await import_node_fs8.promises.writeFile(backupPath, `${JSON.stringify(snapshot, null, 2)}
 `, "utf8");
   await pruneOldPrePullBackups(backupsDir);
   logInfo("[cloud-sync] created pre-pull backup", { backupPath });
@@ -7923,9 +9431,9 @@ function printSyncResult(result) {
 }
 async function handleSync(args, version) {
   const flags = args.filter((arg) => arg.startsWith("-"));
-  const params = stripFlags2(args);
+  const params = stripFlags(args);
   const sub = params[0];
-  if (!sub || hasFlag2(flags, "--help") || hasFlag2(flags, "-h")) {
+  if (!sub || hasFlag(flags, "--help") || hasFlag(flags, "-h")) {
     printHelp(version);
     return;
   }
@@ -7976,9 +9484,9 @@ async function handleSync(args, version) {
 }
 
 // ../../packages/runtime-app-state/src/storage/migrations/v1.ts
-var import_node_fs8 = require("fs");
-var import_node_path12 = __toESM(require("path"), 1);
-var import_node_os5 = __toESM(require("os"), 1);
+var import_node_fs9 = require("fs");
+var import_node_path15 = __toESM(require("path"), 1);
+var import_node_os6 = __toESM(require("os"), 1);
 
 // ../../packages/contracts/src/settings/legacy-localstorage-keys.ts
 var LEGACY_LOCALSTORAGE_KEYS = [
@@ -8002,11 +9510,11 @@ var LEGACY_SKILLS_DIR = "skills";
 var LEGACY_SKILL_CACHE_DIR = "skill-cache";
 var LEGACY_SKILLS_REPOS_FILE = "repos.json";
 var LEGACY_SKILL_MANIFEST = ".codexuse-skill.json";
-var LEGACY_LICENSE_SECRET_FILE = "license.secret";
+var LEGACY_LICENSE_SECRET_FILE2 = "license.secret";
 function isRecord6(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
-function asString3(value) {
+function asString4(value) {
   if (typeof value !== "string") {
     return null;
   }
@@ -8017,20 +9525,20 @@ function isMissingPathError(error) {
   return error.code === "ENOENT";
 }
 function resolveHomeDir2() {
-  const home = process.env.HOME || process.env.USERPROFILE || import_node_os5.default.homedir();
+  const home = process.env.HOME || process.env.USERPROFILE || import_node_os6.default.homedir();
   if (!home) {
     throw new Error("HOME is not set.");
   }
   return home;
 }
 function resolveCodexDir() {
-  return import_node_path12.default.join(resolveHomeDir2(), ".codex");
+  return import_node_path15.default.join(resolveHomeDir2(), ".codex");
 }
 function resolveLegacyPath(...segments) {
-  return import_node_path12.default.join(resolveCodexDir(), ...segments);
+  return import_node_path15.default.join(resolveCodexDir(), ...segments);
 }
 async function readJsonFile(filePath) {
-  const raw = await import_node_fs8.promises.readFile(filePath, "utf8");
+  const raw = await import_node_fs9.promises.readFile(filePath, "utf8");
   return JSON.parse(raw);
 }
 async function readJsonFileIfExists(filePath) {
@@ -8045,14 +9553,14 @@ async function readJsonFileIfExists(filePath) {
   }
 }
 async function copyDirectoryManual(source, destination) {
-  await import_node_fs8.promises.mkdir(destination, { recursive: true });
-  const entries = await import_node_fs8.promises.readdir(source, { withFileTypes: true });
+  await import_node_fs9.promises.mkdir(destination, { recursive: true });
+  const entries = await import_node_fs9.promises.readdir(source, { withFileTypes: true });
   for (const entry of entries) {
-    const srcPath = import_node_path12.default.join(source, entry.name);
-    const destPath = import_node_path12.default.join(destination, entry.name);
+    const srcPath = import_node_path15.default.join(source, entry.name);
+    const destPath = import_node_path15.default.join(destination, entry.name);
     if (entry.isSymbolicLink()) {
-      const linkTarget = await import_node_fs8.promises.readlink(srcPath);
-      await import_node_fs8.promises.symlink(linkTarget, destPath).catch((error) => {
+      const linkTarget = await import_node_fs9.promises.readlink(srcPath);
+      await import_node_fs9.promises.symlink(linkTarget, destPath).catch((error) => {
         if (error.code !== "EEXIST") {
           throw error;
         }
@@ -8064,14 +9572,14 @@ async function copyDirectoryManual(source, destination) {
       continue;
     }
     if (entry.isFile()) {
-      await import_node_fs8.promises.copyFile(srcPath, destPath);
+      await import_node_fs9.promises.copyFile(srcPath, destPath);
     }
   }
 }
 async function copyDirIfExists(source, destination) {
   let stats = null;
   try {
-    stats = await import_node_fs8.promises.stat(source);
+    stats = await import_node_fs9.promises.stat(source);
   } catch (error) {
     if (error.code === "ENOENT") {
       return;
@@ -8081,10 +9589,10 @@ async function copyDirIfExists(source, destination) {
   if (!stats.isDirectory()) {
     return;
   }
-  await import_node_fs8.promises.rm(destination, { recursive: true, force: true });
-  await import_node_fs8.promises.mkdir(import_node_path12.default.dirname(destination), { recursive: true });
+  await import_node_fs9.promises.rm(destination, { recursive: true, force: true });
+  await import_node_fs9.promises.mkdir(import_node_path15.default.dirname(destination), { recursive: true });
   try {
-    await import_node_fs8.promises.cp(source, destination, {
+    await import_node_fs9.promises.cp(source, destination, {
       recursive: true,
       errorOnExist: false,
       force: true,
@@ -8101,7 +9609,7 @@ async function copyDirIfExists(source, destination) {
 }
 async function copyFileIfExists(source, destination, options) {
   try {
-    const sourceStat = await import_node_fs8.promises.stat(source);
+    const sourceStat = await import_node_fs9.promises.stat(source);
     if (!sourceStat.isFile()) {
       return;
     }
@@ -8112,7 +9620,7 @@ async function copyFileIfExists(source, destination, options) {
     throw error;
   }
   try {
-    const destinationStat = await import_node_fs8.promises.stat(destination);
+    const destinationStat = await import_node_fs9.promises.stat(destination);
     if (destinationStat.isFile()) {
       return;
     }
@@ -8121,17 +9629,17 @@ async function copyFileIfExists(source, destination, options) {
       throw error;
     }
   }
-  await import_node_fs8.promises.mkdir(import_node_path12.default.dirname(destination), { recursive: true });
-  await import_node_fs8.promises.copyFile(source, destination);
+  await import_node_fs9.promises.mkdir(import_node_path15.default.dirname(destination), { recursive: true });
+  await import_node_fs9.promises.copyFile(source, destination);
   if (typeof options?.mode === "number") {
-    await import_node_fs8.promises.chmod(destination, options.mode).catch(() => void 0);
+    await import_node_fs9.promises.chmod(destination, options.mode).catch(() => void 0);
   }
 }
 async function cleanupCopiedSkillsMetadata(skillsDir) {
-  await removeIfExists(import_node_path12.default.join(skillsDir, LEGACY_SKILLS_REPOS_FILE));
+  await removeIfExists(import_node_path15.default.join(skillsDir, LEGACY_SKILLS_REPOS_FILE));
   let entries = [];
   try {
-    entries = await import_node_fs8.promises.readdir(skillsDir, { withFileTypes: true });
+    entries = await import_node_fs9.promises.readdir(skillsDir, { withFileTypes: true });
   } catch {
     return;
   }
@@ -8139,30 +9647,30 @@ async function cleanupCopiedSkillsMetadata(skillsDir) {
     if (!entry.isDirectory() || entry.name.startsWith(".")) {
       continue;
     }
-    await removeIfExists(import_node_path12.default.join(skillsDir, entry.name, LEGACY_SKILL_MANIFEST));
+    await removeIfExists(import_node_path15.default.join(skillsDir, entry.name, LEGACY_SKILL_MANIFEST));
   }
 }
 async function migrateLegacyDirectoriesToUserData() {
   const userDataDir = getUserDataDir();
   const legacyCodexDir = resolveCodexDir();
   await copyDirIfExists(
-    import_node_path12.default.join(legacyCodexDir, LEGACY_PROFILE_HOMES_DIR),
-    import_node_path12.default.join(userDataDir, LEGACY_PROFILE_HOMES_DIR)
+    import_node_path15.default.join(legacyCodexDir, LEGACY_PROFILE_HOMES_DIR),
+    import_node_path15.default.join(userDataDir, LEGACY_PROFILE_HOMES_DIR)
   );
   await copyDirIfExists(
-    import_node_path12.default.join(legacyCodexDir, LEGACY_SKILLS_DIR),
-    import_node_path12.default.join(userDataDir, LEGACY_SKILLS_DIR)
+    import_node_path15.default.join(legacyCodexDir, LEGACY_SKILLS_DIR),
+    import_node_path15.default.join(userDataDir, LEGACY_SKILLS_DIR)
   );
   await copyDirIfExists(
-    import_node_path12.default.join(legacyCodexDir, LEGACY_SKILL_CACHE_DIR),
-    import_node_path12.default.join(userDataDir, LEGACY_SKILL_CACHE_DIR)
+    import_node_path15.default.join(legacyCodexDir, LEGACY_SKILL_CACHE_DIR),
+    import_node_path15.default.join(userDataDir, LEGACY_SKILL_CACHE_DIR)
   );
   await copyFileIfExists(
-    import_node_path12.default.join(legacyCodexDir, LEGACY_LICENSE_SECRET_FILE),
-    import_node_path12.default.join(userDataDir, LEGACY_LICENSE_SECRET_FILE),
+    import_node_path15.default.join(legacyCodexDir, LEGACY_LICENSE_SECRET_FILE2),
+    import_node_path15.default.join(userDataDir, LEGACY_LICENSE_SECRET_FILE2),
     { mode: 384 }
   );
-  await cleanupCopiedSkillsMetadata(import_node_path12.default.join(userDataDir, LEGACY_SKILLS_DIR));
+  await cleanupCopiedSkillsMetadata(import_node_path15.default.join(userDataDir, LEGACY_SKILLS_DIR));
 }
 function pickAutoRoll(raw) {
   if (!raw) {
@@ -8186,16 +9694,16 @@ function parseLegacyLicense(raw) {
       signature: null
     };
   }
-  const statusCandidate = asString3(raw.status);
+  const statusCandidate = asString4(raw.status);
   const status = ["inactive", "active", "grace", "error"].includes(statusCandidate ?? "") ? statusCandidate : "inactive";
   return {
-    licenseKey: asString3(raw.licenseKey ?? raw.license_key),
-    purchaseEmail: asString3(raw.purchaseEmail ?? raw.purchase_email),
-    lastVerifiedAt: asString3(raw.lastVerifiedAt ?? raw.last_verified_at),
-    nextCheckAt: asString3(raw.nextCheckAt ?? raw.next_check_at),
-    lastVerificationError: asString3(raw.lastVerificationError ?? raw.last_verification_error),
+    licenseKey: asString4(raw.licenseKey ?? raw.license_key),
+    purchaseEmail: asString4(raw.purchaseEmail ?? raw.purchase_email),
+    lastVerifiedAt: asString4(raw.lastVerifiedAt ?? raw.last_verified_at),
+    nextCheckAt: asString4(raw.nextCheckAt ?? raw.next_check_at),
+    lastVerificationError: asString4(raw.lastVerificationError ?? raw.last_verification_error),
     status,
-    signature: asString3(raw.signature)
+    signature: asString4(raw.signature)
   };
 }
 function parseLegacyProfileRecord(name, raw) {
@@ -8218,16 +9726,16 @@ function parseLegacyProfileRecord(name, raw) {
   }
   return {
     name,
-    displayName: asString3(raw.displayName ?? raw.display_name) ?? name,
+    displayName: asString4(raw.displayName ?? raw.display_name) ?? name,
     data,
     metadata: isRecord6(raw.metadata) ? raw.metadata : void 0,
-    accountId: asString3(raw.accountId ?? raw.account_id),
-    workspaceId: asString3(raw.workspaceId ?? raw.workspace_id),
-    workspaceName: asString3(raw.workspaceName ?? raw.workspace_name),
-    email: asString3(raw.email),
-    authMethod: asString3(raw.authMethod ?? raw.auth_method),
-    createdAt: asString3(raw.createdAt ?? raw.created_at),
-    updatedAt: asString3(raw.updatedAt ?? raw.updated_at)
+    accountId: asString4(raw.accountId ?? raw.account_id),
+    workspaceId: asString4(raw.workspaceId ?? raw.workspace_id),
+    workspaceName: asString4(raw.workspaceName ?? raw.workspace_name),
+    email: asString4(raw.email),
+    authMethod: asString4(raw.authMethod ?? raw.auth_method),
+    createdAt: asString4(raw.createdAt ?? raw.created_at),
+    updatedAt: asString4(raw.updatedAt ?? raw.updated_at)
   };
 }
 async function loadLegacySettingsPatch() {
@@ -8240,9 +9748,9 @@ async function loadLegacySettingsPatch() {
   const license = parseLegacyLicense(raw.license ?? raw.license_data ?? raw.license_state);
   return {
     app: {
-      lastAppVersion: asString3(raw.lastAppVersion ?? raw.last_app_version),
-      pendingUpdateVersion: asString3(raw.pendingUpdateVersion ?? raw.pending_update_version),
-      lastProfileName: asString3(raw.lastProfileName ?? raw.last_profile_name)
+      lastAppVersion: asString4(raw.lastAppVersion ?? raw.last_app_version),
+      pendingUpdateVersion: asString4(raw.pendingUpdateVersion ?? raw.pending_update_version),
+      lastProfileName: asString4(raw.lastProfileName ?? raw.last_profile_name)
     },
     license,
     autoRoll: autoRoll ? {
@@ -8260,15 +9768,15 @@ async function loadLegacySyncPatch() {
   }
   return {
     sync: {
-      lastPushAt: asString3(raw.lastPushAt),
-      lastPullAt: asString3(raw.lastPullAt),
-      lastError: asString3(raw.lastError),
-      remoteUpdatedAt: asString3(raw.remoteUpdatedAt)
+      lastPushAt: asString4(raw.lastPushAt),
+      lastPullAt: asString4(raw.lastPullAt),
+      lastError: asString4(raw.lastError),
+      remoteUpdatedAt: asString4(raw.remoteUpdatedAt)
     }
   };
 }
 async function loadLegacyAppSettingsParityPatch() {
-  const filePath = import_node_path12.default.join(getUserDataDir(), LEGACY_APP_SETTINGS_PARITY_FILE);
+  const filePath = import_node_path15.default.join(getUserDataDir(), LEGACY_APP_SETTINGS_PARITY_FILE);
   const raw = await readJsonFileIfExists(filePath);
   if (!isRecord6(raw)) {
     return {};
@@ -8281,7 +9789,7 @@ async function loadLegacyProfilesPatch() {
   const root = resolveLegacyPath(LEGACY_PROFILE_HOMES_DIR);
   let entries = [];
   try {
-    entries = await import_node_fs8.promises.readdir(root, { withFileTypes: true });
+    entries = await import_node_fs9.promises.readdir(root, { withFileTypes: true });
   } catch (error) {
     if (error.code === "ENOENT") {
       return {};
@@ -8293,7 +9801,7 @@ async function loadLegacyProfilesPatch() {
     if (!entry.isDirectory() || entry.name.startsWith(".")) {
       continue;
     }
-    const profileFile = import_node_path12.default.join(root, entry.name, "profile.json");
+    const profileFile = import_node_path15.default.join(root, entry.name, "profile.json");
     const raw = await readJsonFileIfExists(profileFile);
     if (!raw) {
       continue;
@@ -8313,28 +9821,28 @@ function parseSkillInstallMetadata(raw) {
   if (!isRecord6(raw)) {
     return null;
   }
-  const id = asString3(raw.id);
+  const id = asString4(raw.id);
   if (!id) {
     return null;
   }
   return {
     id,
-    repo: asString3(raw.repo),
-    repoPath: asString3(raw.repoPath),
-    sourceLabel: asString3(raw.sourceLabel),
+    repo: asString4(raw.repo),
+    repoPath: asString4(raw.repoPath),
+    sourceLabel: asString4(raw.sourceLabel),
     sourceType: raw.sourceType === "official" || raw.sourceType === "community" || raw.sourceType === "local" ? raw.sourceType : void 0,
-    viewUrl: asString3(raw.viewUrl),
-    createdAt: asString3(raw.createdAt)
+    viewUrl: asString4(raw.viewUrl),
+    createdAt: asString4(raw.createdAt)
   };
 }
 async function loadLegacySkillsPatch() {
   const skillsRoot = resolveLegacyPath(LEGACY_SKILLS_DIR);
-  const reposPath = import_node_path12.default.join(skillsRoot, LEGACY_SKILLS_REPOS_FILE);
+  const reposPath = import_node_path15.default.join(skillsRoot, LEGACY_SKILLS_REPOS_FILE);
   const reposRaw = await readJsonFileIfExists(reposPath);
   const installsBySlug = {};
   let dirEntries = [];
   try {
-    dirEntries = await import_node_fs8.promises.readdir(skillsRoot, { withFileTypes: true });
+    dirEntries = await import_node_fs9.promises.readdir(skillsRoot, { withFileTypes: true });
   } catch (error) {
     if (error.code !== "ENOENT") {
       throw error;
@@ -8347,7 +9855,7 @@ async function loadLegacySkillsPatch() {
     if (entry.name.startsWith(".")) {
       continue;
     }
-    const manifestPath = import_node_path12.default.join(skillsRoot, entry.name, LEGACY_SKILL_MANIFEST);
+    const manifestPath = import_node_path15.default.join(skillsRoot, entry.name, LEGACY_SKILL_MANIFEST);
     const manifestRaw = await readJsonFileIfExists(manifestPath);
     const parsed = parseSkillInstallMetadata(manifestRaw);
     if (!parsed) {
@@ -8457,29 +9965,29 @@ function mergeLegacyLocalStoragePatch(payload) {
   };
 }
 async function removeIfExists(target) {
-  await import_node_fs8.promises.rm(target, { recursive: true, force: true });
+  await import_node_fs9.promises.rm(target, { recursive: true, force: true });
 }
 async function cleanupLegacyCanonicalSources() {
   const homeDir = resolveHomeDir2();
   await removeIfExists(resolveLegacyAppStatePath());
-  await removeIfExists(import_node_path12.default.join(getUserDataDir(), LEGACY_APP_SETTINGS_PARITY_FILE));
-  await removeIfExists(import_node_path12.default.join(homeDir, SQLITE_STORAGE_DIR));
+  await removeIfExists(import_node_path15.default.join(getUserDataDir(), LEGACY_APP_SETTINGS_PARITY_FILE));
+  await removeIfExists(import_node_path15.default.join(homeDir, SQLITE_STORAGE_DIR));
   await removeIfExists(resolveLegacyPath(LEGACY_SETTINGS_FILE));
   await removeIfExists(resolveLegacyPath(LEGACY_SETTINGS_BACKUP_FILE));
   await removeIfExists(resolveLegacyPath(LEGACY_SYNC_STATE_FILE));
-  await removeIfExists(resolveLegacyPath(LEGACY_LICENSE_SECRET_FILE));
+  await removeIfExists(resolveLegacyPath(LEGACY_LICENSE_SECRET_FILE2));
   await removeIfExists(resolveLegacyPath(LEGACY_SKILLS_DIR, LEGACY_SKILLS_REPOS_FILE));
   const profileHomesRoot = resolveLegacyPath(LEGACY_PROFILE_HOMES_DIR);
   try {
-    const profileHomes = await import_node_fs8.promises.readdir(profileHomesRoot, { withFileTypes: true });
+    const profileHomes = await import_node_fs9.promises.readdir(profileHomesRoot, { withFileTypes: true });
     for (const profileHome of profileHomes) {
       if (!profileHome.isDirectory()) {
         continue;
       }
-      const profileDir = import_node_path12.default.join(profileHomesRoot, profileHome.name);
+      const profileDir = import_node_path15.default.join(profileHomesRoot, profileHome.name);
       let files = [];
       try {
-        files = await import_node_fs8.promises.readdir(profileDir);
+        files = await import_node_fs9.promises.readdir(profileDir);
       } catch {
         continue;
       }
@@ -8487,7 +9995,7 @@ async function cleanupLegacyCanonicalSources() {
         if (!file.startsWith("profile.json")) {
           continue;
         }
-        await removeIfExists(import_node_path12.default.join(profileDir, file));
+        await removeIfExists(import_node_path15.default.join(profileDir, file));
       }
     }
   } catch (error) {
@@ -8500,12 +10008,12 @@ async function cleanupLegacyCanonicalSources() {
   }
   const skillsRoot = resolveLegacyPath(LEGACY_SKILLS_DIR);
   try {
-    const skillDirs = await import_node_fs8.promises.readdir(skillsRoot, { withFileTypes: true });
+    const skillDirs = await import_node_fs9.promises.readdir(skillsRoot, { withFileTypes: true });
     for (const entry of skillDirs) {
       if (!entry.isDirectory() || entry.name.startsWith(".")) {
         continue;
       }
-      await removeIfExists(import_node_path12.default.join(skillsRoot, entry.name, LEGACY_SKILL_MANIFEST));
+      await removeIfExists(import_node_path15.default.join(skillsRoot, entry.name, LEGACY_SKILL_MANIFEST));
     }
   } catch (error) {
     if (!isMissingPathError(error)) {
@@ -8718,24 +10226,29 @@ async function ensureCliStorageReady() {
 }
 
 // src/app/main.ts
-var VERSION = true ? "3.1.5" : "0.0.0";
+var VERSION = true ? "3.6.0" : "0.0.0";
 async function runCli() {
   const args = process.argv.slice(2);
   if (args.length === 0) {
     printHelp(VERSION);
     return;
   }
-  if (args[0]?.startsWith("-") && (hasFlag2(args, "--help") || hasFlag2(args, "-h"))) {
+  if (args[0]?.startsWith("-") && (hasFlag(args, "--help") || hasFlag(args, "-h"))) {
     printHelp(VERSION);
     return;
   }
-  if (args[0]?.startsWith("-") && (hasFlag2(args, "--version") || hasFlag2(args, "-v"))) {
+  if (args[0]?.startsWith("-") && (hasFlag(args, "--version") || hasFlag(args, "-v"))) {
     console.log(VERSION);
     return;
   }
   const command = args[0];
   const rest = args.slice(1);
   switch (command) {
+    case "account-pool":
+    case "accounts-pool":
+      await ensureCliStorageReady();
+      await handleAccountPoolCommand(rest, VERSION);
+      return;
     case "profile":
       await ensureCliStorageReady();
       await handleProfileCommand(rest, VERSION);