copillm 0.2.8 → 0.3.0-beta.1

package/dist/cli/auth/runAuth.js

@@ -1,26 +1,93 @@
-import { clearStoredCredential, saveStoredCredential } from "../../auth/credentials.js";
+import { clearStoredCredential, loadStoredCredential, loadStoredCredentialForAccount, registerExistingCredentialAsDefault, saveStoredCredential } from "../../auth/credentials.js";
+import { readAccountsIndex, assertValidAccountId, InvalidAccountIdError, UnknownAccountError } from "../../auth/accounts.js";
+import { addAccount, listAccountsDetailed, removeAccountAndCredential, removeAllAccounts, switchDefaultAccount } from "../../auth/accountManager.js";
 import { loginViaDeviceFlow } from "../../auth/deviceFlow.js";
+import { inspectGithubIdentity } from "../../auth/githubIdentity.js";
 import { loadConfig } from "../../config/config.js";
 import { inspectLock, releaseLock } from "../../server/lock.js";
 import { stopByPid } from "../daemon/lifecycle.js";
-import { describeBackend } from "../shared/backends.js";
+import { describeBackend, formatHumanAuthStatusLine } from "../shared/backends.js";
 import { writeCommandOutput } from "../shared/output.js";
+/**
+ * Derive a friendly, path-safe account id from the GitHub login behind a token.
+ * Returns null when the lookup fails or the login isn't a valid id.
+ */
+async function deriveAccountId(token) {
+    let identity;
+    try {
+        identity = await inspectGithubIdentity({ token });
+    }
+    catch {
+        return null;
+    }
+    const login = identity?.login;
+    if (!login) {
+        return null;
+    }
+    try {
+        assertValidAccountId(login);
+        return login;
+    }
+    catch {
+        return null;
+    }
+}
 export async function runAuthLogin(opts, options) {
     if (options.forceSession) {
         process.env.COPILLM_FORCE_SESSION_BACKEND = "1";
     }
     const config = loadConfig();
+    const accountType = opts.accountType ?? config.accountType;
+    const namedRequested = typeof opts.as === "string" && opts.as.trim().length > 0;
+    if (namedRequested) {
+        try {
+            assertValidAccountId(opts.as.trim());
+        }
+        catch (error) {
+            const message = error instanceof InvalidAccountIdError ? error.message : "invalid account id";
+            writeCommandOutput(opts, `Login failed: ${message}`, { status: "error", action: "login", error: message });
+            process.exitCode = 1;
+            return;
+        }
+    }
     const token = await loginViaDeviceFlow();
     const saveMode = options.forceSession ? "session" : "auto";
-    const backend = await saveStoredCredential(token, config.accountType, { mode: saveMode });
-    writeCommandOutput(opts, `Login succeeded. Credentials stored via ${describeBackend(backend)}.`, {
+    const index = readAccountsIndex();
+    // Pure single-account login: no index and no explicit name. Preserve the
+    // historical behaviour exactly — legacy storage, no accounts index created.
+    if (!index && !namedRequested) {
+        const backend = await saveStoredCredential(token, accountType, { mode: saveMode });
+        writeCommandOutput(opts, `Login succeeded. Credentials stored via ${describeBackend(backend)}.`, {
+            status: "ok",
+            action: "login",
+            credential_backend: backend
+        });
+        return;
+    }
+    const accountId = namedRequested ? opts.as.trim() : index.defaultAccount;
+    // First time we materialize the index via an explicit name: preserve any
+    // pre-existing single account as the default so its token isn't clobbered.
+    if (!index && namedRequested) {
+        const existing = await loadStoredCredential();
+        if (existing) {
+            const existingId = (await deriveAccountId(existing.token)) ?? "default";
+            if (existingId !== accountId) {
+                registerExistingCredentialAsDefault(existingId, existing.accountType);
+            }
+        }
+    }
+    const result = await addAccount({ id: accountId, accountType, token, mode: saveMode });
+    const defaultSuffix = result.isDefault ? " (default)" : "";
+    writeCommandOutput(opts, `Login succeeded for account "${result.id}"${defaultSuffix}. Credentials stored via ${describeBackend(result.backend)}.`, {
         status: "ok",
         action: "login",
-        credential_backend: backend
+        account: result.id,
+        account_type: result.accountType,
+        is_default: result.isDefault,
+        credential_backend: result.backend
     });
 }
-export async function runAuthLogout(opts) {
-    const result = await clearStoredCredential();
+async function stopRunningDaemon() {
     const lockState = inspectLock();
     if (lockState.state === "running") {
         await stopByPid(lockState.lock.pid);
@@ -28,11 +95,141 @@ export async function runAuthLogout(opts) {
     else if (lockState.state === "stale") {
         releaseLock();
     }
+}
+export async function runAuthLogout(opts) {
+    // Stopping the daemon is always part of logout — its in-memory bearers are
+    // derived from the credentials we're clearing.
+    if (opts.all) {
+        const result = await removeAllAccounts();
+        await stopRunningDaemon();
+        writeCommandOutput(opts, `Logged out of all accounts (${result.clearedCount} credential(s) cleared).`, {
+            status: "ok",
+            action: "logout",
+            scope: "all",
+            cleared_count: result.clearedCount,
+            removed_accounts: result.removedAccountIds
+        });
+        return;
+    }
+    const index = readAccountsIndex();
+    // Single-account install (no index) and no explicit target: preserve the
+    // historical single-account logout behaviour.
+    if (!index && !opts.account) {
+        const result = await clearStoredCredential();
+        await stopRunningDaemon();
+        const credentialStatus = result.removed ? "removed" : "not present";
+        writeCommandOutput(opts, `Logged out. Credentials ${credentialStatus} from ${describeBackend(result.backend)}.`, {
+            status: "ok",
+            action: "logout",
+            credential_backend: result.backend,
+            credential_removed: result.removed
+        });
+        return;
+    }
+    if (opts.account) {
+        try {
+            assertValidAccountId(opts.account);
+        }
+        catch (error) {
+            const message = error instanceof InvalidAccountIdError ? error.message : "invalid account id";
+            writeCommandOutput(opts, `Logout failed: ${message}`, { status: "error", action: "logout", error: message });
+            process.exitCode = 1;
+            return;
+        }
+    }
+    const targetId = opts.account ?? index.defaultAccount;
+    const result = await removeAccountAndCredential(targetId);
+    await stopRunningDaemon();
     const credentialStatus = result.removed ? "removed" : "not present";
-    writeCommandOutput(opts, `Logged out. Credentials ${credentialStatus} from ${describeBackend(result.backend)}.`, {
+    const tail = result.indexDeleted
+        ? " No accounts remain."
+        : result.newDefault
+            ? ` Default is now "${result.newDefault}".`
+            : "";
+    writeCommandOutput(opts, `Logged out of account "${result.id}". Credentials ${credentialStatus} from ${describeBackend(result.backend)}.${tail}`, {
         status: "ok",
         action: "logout",
+        account: result.id,
         credential_backend: result.backend,
-        credential_removed: result.removed
+        credential_removed: result.removed,
+        new_default: result.newDefault,
+        index_deleted: result.indexDeleted
     });
 }
+export async function runAuthSwitch(opts, accountId) {
+    try {
+        assertValidAccountId(accountId);
+        const index = switchDefaultAccount(accountId);
+        writeCommandOutput(opts, `Default account is now "${index.defaultAccount}".`, {
+            status: "ok",
+            action: "switch",
+            default_account: index.defaultAccount
+        });
+    }
+    catch (error) {
+        const message = error instanceof UnknownAccountError
+            ? `Unknown account "${accountId}". Run \`copillm auth status\` to list accounts.`
+            : error instanceof InvalidAccountIdError
+                ? error.message
+                : error instanceof Error
+                    ? error.message
+                    : "switch failed";
+        writeCommandOutput(opts, `Switch failed: ${message}`, { status: "error", action: "switch", error: message });
+        process.exitCode = 1;
+    }
+}
+/**
+ * Multi-account `auth status` listing (used when an accounts index exists).
+ * Returns whether any account has a stored credential so the caller can pick
+ * the process exit code. Never prints a token.
+ */
+export async function runAuthStatusList(opts) {
+    const wantUser = opts.user !== false;
+    const listing = await listAccountsDetailed();
+    const anyStored = listing.accounts.some((account) => account.stored);
+    const enriched = await Promise.all(listing.accounts.map(async (account) => {
+        let login = null;
+        let name = null;
+        if (wantUser && account.stored) {
+            try {
+                const credential = await loadStoredCredentialForAccount(account.id);
+                if (credential) {
+                    const identity = await inspectGithubIdentity({ token: credential.token });
+                    login = identity?.login ?? null;
+                    name = identity?.name ?? null;
+                }
+            }
+            catch {
+                login = null;
+                name = null;
+            }
+        }
+        return { ...account, login, name };
+    }));
+    if (opts.json) {
+        process.stdout.write(JSON.stringify({
+            status: anyStored ? "logged_in" : "logged_out",
+            default: listing.defaultAccount,
+            accounts: enriched.map((account) => ({
+                id: account.id,
+                account_type: account.accountType,
+                storage: account.storage,
+                default: account.isDefault,
+                stored: account.stored,
+                backend: account.backend,
+                user: account.login ? { login: account.login, name: account.name } : null
+            }))
+        }, null, 2) + "\n");
+        return { anyStored };
+    }
+    process.stdout.write(`copillm — ${enriched.length} account(s)\n`);
+    for (const account of enriched) {
+        const marker = account.isDefault ? "*" : " ";
+        const who = account.login ? ` @${account.login}` : "";
+        const state = account.stored
+            ? formatHumanAuthStatusLine(account.backend, account.login ? { login: account.login, name: account.name } : null)
+            : "no credential";
+        process.stdout.write(`${marker} ${account.id}  [${account.accountType}]${who}  — ${state}\n`);
+    }
+    return { anyStored };
+}

package/dist/cli/commands/agents/claude.js

@@ -5,7 +5,7 @@ import { ensureDaemonRunningForLauncher } from "../../daemon/ensureRunning.js";
 import { launchAgent } from "../../launchAgent.js";
 import { buildClaudeExportCommand } from "../../integrations/claudeExport.js";
 import { enableRuntimeDebug, resolveCopillmDebug } from "../../shared/debug.js";
-import { applyYoloForLaunch } from "./shared.js";
+import { applyYoloForLaunch, formatLaunchAccountNotice, resolveLaunchAccount } from "./shared.js";
 export function register(program) {
     program
         .command("claude")
@@ -16,9 +16,29 @@ export function register(program) {
         .action(async (forwardedArgs) => {
         const { opts, forwarded } = processCopillmArgs(forwardedArgs ?? []);
         const debug = resolveCopillmDebug(opts.copillmDebug);
+        let launchAccount;
+        try {
+            launchAccount = await resolveLaunchAccount({
+                flag: opts.copillmAccount,
+                envValue: process.env.COPILLM_ACCOUNT,
+                cwd: process.cwd(),
+                profileOverride: opts.copillmProfile ?? process.env.COPILLM_PROFILE ?? null
+            });
+        }
+        catch (error) {
+            process.stderr.write(`copillm: ${error instanceof Error ? error.message : String(error)}\n`);
+            process.exit(1);
+            return;
+        }
+        if (launchAccount) {
+            process.stderr.write(`${formatLaunchAccountNotice(launchAccount)}\n`);
+        }
         enableRuntimeDebug(debug);
         const lock = await ensureDaemonRunningForLauncher({ debug });
-        const claude = buildClaudeExportCommand(lock.port, null);
+        const claude = buildClaudeExportCommand(lock.port, null, {
+            pathPrefix: launchAccount?.pathPrefix,
+            cacheId: launchAccount?.cacheId
+        });
         const pinnedSpec = opts.copillmUse ?? process.env.COPILLM_CLAUDE_VERSION ?? undefined;
         const conflicts = detectClaudeSettingsConflicts(claude.bundle.env);
         for (const line of formatSettingsConflictWarning(conflicts)) {

package/dist/cli/commands/agents/codex.js

@@ -5,7 +5,7 @@ import { ensureDaemonRunningForLauncher } from "../../daemon/ensureRunning.js";
 import { launchAgent } from "../../launchAgent.js";
 import { refreshCodexHome } from "../../integrations/refreshCodex.js";
 import { enableRuntimeDebug, resolveCopillmDebug } from "../../shared/debug.js";
-import { applyYoloForLaunch } from "./shared.js";
+import { applyYoloForLaunch, formatLaunchAccountNotice, resolveLaunchAccount } from "./shared.js";
 export function register(program) {
     program
         .command("codex")
@@ -16,9 +16,29 @@ export function register(program) {
         .action(async (forwardedArgs) => {
         const { opts, forwarded } = processCopillmArgs(forwardedArgs ?? []);
         const debug = resolveCopillmDebug(opts.copillmDebug);
+        let launchAccount;
+        try {
+            launchAccount = await resolveLaunchAccount({
+                flag: opts.copillmAccount,
+                envValue: process.env.COPILLM_ACCOUNT,
+                cwd: process.cwd(),
+                profileOverride: opts.copillmProfile ?? process.env.COPILLM_PROFILE ?? null
+            });
+        }
+        catch (error) {
+            process.stderr.write(`copillm: ${error instanceof Error ? error.message : String(error)}\n`);
+            process.exit(1);
+            return;
+        }
+        if (launchAccount) {
+            process.stderr.write(`${formatLaunchAccountNotice(launchAccount)}\n`);
+        }
         enableRuntimeDebug(debug);
         const lock = await ensureDaemonRunningForLauncher({ debug });
-        const codex = await refreshCodexHome(lock.port, null);
+        const codex = await refreshCodexHome(lock.port, null, undefined, {
+            pathPrefix: launchAccount?.pathPrefix,
+            account: launchAccount?.account
+        });
         if (!codex) {
             throw new Error("Failed to prepare Codex home (see warning above).");
         }

package/dist/cli/commands/agents/copilot.js

@@ -2,7 +2,7 @@ import { applyAgentConfig, formatApplyNotes } from "../../../agentconfig/apply.j
 import { loadStoredCredential } from "../../../auth/credentials.js";
 import { processCopillmArgs } from "../../copillmFlags.js";
 import { launchAgent } from "../../launchAgent.js";
-import { applyYoloForLaunch } from "./shared.js";
+import { applyYoloForLaunch, formatLaunchAccountNotice, resolveLaunchAccount } from "./shared.js";
 export function register(program) {
     program
         .command("copilot")
@@ -12,8 +12,29 @@ export function register(program) {
         .argument("[args...]", "Args forwarded to copilot")
         .action(async (forwardedArgs) => {
         const { opts, forwarded } = processCopillmArgs(forwardedArgs ?? []);
-        const credential = await loadStoredCredential();
-        if (!credential) {
+        let launchAccount;
+        try {
+            launchAccount = await resolveLaunchAccount({
+                flag: opts.copillmAccount,
+                envValue: process.env.COPILLM_ACCOUNT,
+                cwd: process.cwd(),
+                profileOverride: opts.copillmProfile ?? process.env.COPILLM_PROFILE ?? null
+            });
+        }
+        catch (error) {
+            process.stderr.write(`copillm: ${error instanceof Error ? error.message : String(error)}\n`);
+            process.exit(1);
+            return;
+        }
+        if (launchAccount) {
+            process.stderr.write(`${formatLaunchAccountNotice(launchAccount)}\n`);
+        }
+        // Copilot CLI talks to GitHub directly with the account's OAuth token,
+        // so account selection picks which token to inject (not a URL prefix).
+        const githubToken = launchAccount
+            ? launchAccount.account.githubToken
+            : (await loadStoredCredential())?.token ?? null;
+        if (!githubToken) {
             process.stderr.write("copillm: no stored GitHub credential — run `copillm auth login` first.\n");
             process.exit(1);
             return;
@@ -34,7 +55,7 @@ export function register(program) {
         // short-circuits its device-flow login when copillm already has a token.
         const env = {
             ...applyResult.envOverlay,
-            COPILOT_GITHUB_TOKEN: credential.token
+            COPILOT_GITHUB_TOKEN: githubToken
         };
         const baseArgs = [...forwarded, ...applyResult.cliArgs];
         const args = applyYoloForLaunch({ agent: "copilot", flag: opts.yolo, applyResult, baseArgs });

package/dist/cli/commands/agents/pi.js

@@ -5,7 +5,7 @@ import { ensureDaemonRunningForLauncher } from "../../daemon/ensureRunning.js";
 import { launchAgent } from "../../launchAgent.js";
 import { refreshPiHome } from "../../integrations/refreshPi.js";
 import { enableRuntimeDebug, resolveCopillmDebug } from "../../shared/debug.js";
-import { applyYoloForLaunch } from "./shared.js";
+import { applyYoloForLaunch, formatLaunchAccountNotice, resolveLaunchAccount } from "./shared.js";
 export function register(program) {
     program
         .command("pi")
@@ -16,9 +16,29 @@ export function register(program) {
         .action(async (forwardedArgs) => {
         const { opts, forwarded } = processCopillmArgs(forwardedArgs ?? []);
         const debug = resolveCopillmDebug(opts.copillmDebug);
+        let launchAccount;
+        try {
+            launchAccount = await resolveLaunchAccount({
+                flag: opts.copillmAccount,
+                envValue: process.env.COPILLM_ACCOUNT,
+                cwd: process.cwd(),
+                profileOverride: opts.copillmProfile ?? process.env.COPILLM_PROFILE ?? null
+            });
+        }
+        catch (error) {
+            process.stderr.write(`copillm: ${error instanceof Error ? error.message : String(error)}\n`);
+            process.exit(1);
+            return;
+        }
+        if (launchAccount) {
+            process.stderr.write(`${formatLaunchAccountNotice(launchAccount)}\n`);
+        }
         enableRuntimeDebug(debug);
         const lock = await ensureDaemonRunningForLauncher({ debug });
-        const pi = await refreshPiHome(lock.port);
+        const pi = await refreshPiHome(lock.port, undefined, {
+            pathPrefix: launchAccount?.pathPrefix,
+            account: launchAccount?.account
+        });
         if (!pi) {
             throw new Error("Failed to prepare pi models.json (see warning above).");
         }

package/dist/cli/commands/agents/shared.js

@@ -1,4 +1,61 @@
 import { applyYolo, resolveYoloWithSource } from "../../../agents/registry.js";
+import { loadAgentConfig } from "../../../agentconfig/load.js";
+import { findAccount } from "../../../auth/accounts.js";
+import { assertValidAccountId } from "../../../config/accountId.js";
+import { loadStoredCredentialForAccount } from "../../../auth/credentials.js";
+/**
+ * Resolve which account a launch targets, applying precedence
+ * `--account` > `COPILLM_ACCOUNT` > the active profile's `account` > default.
+ * Returns null for the default account (no prefix — today's behaviour).
+ *
+ * Throws a user-facing Error when a requested account is malformed, not
+ * registered, or has no stored credential, so the launcher can fail fast
+ * before starting the daemon or the agent.
+ */
+export async function resolveLaunchAccount(input) {
+    let requested;
+    let source;
+    if (input.flag && input.flag.trim().length > 0) {
+        requested = input.flag.trim();
+        source = "flag";
+    }
+    else if (input.envValue && input.envValue.trim().length > 0) {
+        requested = input.envValue.trim();
+        source = "env";
+    }
+    else {
+        const config = loadAgentConfig({ cwd: input.cwd, profileOverride: input.profileOverride });
+        const pinned = config?.resolved.account ?? null;
+        if (pinned) {
+            requested = pinned;
+            source = "profile";
+        }
+    }
+    if (!requested) {
+        return null;
+    }
+    assertValidAccountId(requested);
+    const record = findAccount(requested);
+    if (!record) {
+        throw new Error(`Unknown account "${requested}". Run \`copillm auth status\` to list accounts.`);
+    }
+    const credential = await loadStoredCredentialForAccount(requested);
+    if (!credential) {
+        throw new Error(`No stored credential for account "${requested}". Run \`copillm auth login --as ${requested}\`.`);
+    }
+    const cacheId = record.storage === "legacy" ? undefined : requested;
+    return {
+        accountId: requested,
+        pathPrefix: `/${requested}`,
+        cacheId,
+        account: { accountType: credential.accountType, githubToken: credential.token, cacheId },
+        source: source
+    };
+}
+export function formatLaunchAccountNotice(resolved) {
+    const from = resolved.source === "flag" ? "--account" : resolved.source === "env" ? "COPILLM_ACCOUNT" : "profile";
+    return `copillm: using account "${resolved.accountId}" (from ${from})`;
+}
 /**
  * Shared yolo wiring for the four agent subcommands. Resolves precedence
  * (flag > env > profile > defaults > off), runs `applyYolo` with source

package/dist/cli/commands/auth.js

@@ -1,9 +1,17 @@
-import { inspectStoredCredential } from "../../auth/credentials.js";
+import { inspectStoredCredential, loadStoredCredentialForStatus } from "../../auth/credentials.js";
+import { readAccountsIndex } from "../../auth/accounts.js";
 import { inspectGithubIdentity } from "../../auth/githubIdentity.js";
 import { ensureAuthenticatedInteractive } from "../auth/ensure.js";
-import { runAuthLogin, runAuthLogout } from "../auth/runAuth.js";
+import { runAuthLogin, runAuthLogout, runAuthStatusList, runAuthSwitch } from "../auth/runAuth.js";
 import { formatHumanAuthStatusLine } from "../shared/backends.js";
 import { emitDeprecation } from "../shared/deprecation.js";
+const ACCOUNT_TYPES = ["individual", "business", "enterprise"];
+function parseAccountType(value) {
+    if (ACCOUNT_TYPES.includes(value)) {
+        return value;
+    }
+    throw new Error(`Invalid --account-type "${value}". Expected one of: ${ACCOUNT_TYPES.join(", ")}.`);
+}
 // Re-export for callers (e.g. start command) that need the interactive prompt.
 export { ensureAuthenticatedInteractive };
 export function register(program) {
@@ -28,6 +36,8 @@ export function register(program) {
         .command("login")
         .description("Authenticate with GitHub")
         .option("--json", "JSON output")
+        .option("--as <account>", "Name this account (enables multiple accounts)")
+        .option("--account-type <type>", "Account plan type: individual | business | enterprise", parseAccountType)
         // Undocumented test seam: force the session-only backend regardless of
         // whether the OS keychain is available. Equivalent to setting
         // COPILLM_FORCE_SESSION_BACKEND=1 for the duration of this command.
@@ -39,18 +49,61 @@ export function register(program) {
         .command("logout")
         .description("Clear credentials and stop running daemon")
         .option("--json", "JSON output")
+        .option("--account <account>", "Log out a specific account (default: the default account)")
+        .option("--all", "Log out of every account")
         .action(async (opts) => {
         await runAuthLogout(opts);
     });
+    auth
+        .command("switch")
+        .argument("<account>", "Account id to make the default")
+        .description("Set the default account")
+        .option("--json", "JSON output")
+        .action(async (account, opts) => {
+        await runAuthSwitch(opts, account);
+    });
     auth
         .command("status")
         .description("Report whether a credential is stored (token is never printed)")
         .option("--json", "JSON output")
         .option("--no-user", "Skip the GitHub /user lookup that fetches the login name")
         .action(async (opts) => {
+        // commander's --no-user toggles opts.user to false; when the flag is
+        // omitted opts.user is undefined and we treat that as "fetch by default".
+        const wantUserLookup = opts.user !== false;
+        // Multi-account installs (an accounts index exists) get the per-account
+        // listing. Single-account installs keep the exact original output below.
+        if (readAccountsIndex()) {
+            const { anyStored } = await runAuthStatusList(opts);
+            process.exit(anyStored ? 0 : 2);
+        }
+        // Two paths to minimize keychain probes:
+        //   - With user lookup (default): `loadStoredCredentialForStatus()`
+        //     does ONE keychain read that yields backend + token. Pass the
+        //     token into `inspectGithubIdentity({ token })` so it doesn't
+        //     re-read the keychain.
+        //   - Without user lookup (--no-user): `inspectStoredCredential()`
+        //     does ONE keychain probe and never sees the token. Preserves
+        //     the no-token invariant for the surface where it matters most.
+        //
+        // Previously, the user-lookup path made TWO keychain reads — one in
+        // `inspectStoredCredential` then another in `inspectGithubIdentity` →
+        // `loadStoredCredential`. That doubled macOS keychain audit-log
+        // entries and doubled permission-prompt exposure on misconfigured
+        // systems.
         let info;
+        let token;
         try {
-            info = await inspectStoredCredential();
+            if (wantUserLookup) {
+                const loaded = await loadStoredCredentialForStatus();
+                info = { stored: loaded.stored, backend: loaded.backend };
+                if (loaded.stored) {
+                    token = loaded.token;
+                }
+            }
+            else {
+                info = await inspectStoredCredential();
+            }
         }
         catch (error) {
             const message = error instanceof Error ? error.message : "unknown_error";
@@ -62,9 +115,7 @@ export function register(program) {
             }
             process.exit(1);
         }
-        // commander's --no-user toggles opts.user to false; when the flag is
-        // omitted opts.user is undefined and we treat that as "fetch by default".
-        const userLookupEnabled = info.stored && opts.user !== false;
+        const userLookupEnabled = info.stored && wantUserLookup;
         let identity = null;
         if (userLookupEnabled) {
             // inspectGithubIdentity is designed to return null on any failure, but
@@ -74,7 +125,7 @@ export function register(program) {
             // must never break the auth-status command. Status output should always
             // succeed even when the network is broken.
             try {
-                identity = await inspectGithubIdentity();
+                identity = await inspectGithubIdentity({ token });
             }
             catch {
                 identity = null;