copillm 0.2.9 → 0.3.0-beta.1

package/dist/auth/credentials.js

@@ -2,19 +2,72 @@ import fs from "node:fs";
 import { readFileSync } from "node:fs";
 import { z } from "zod";
 import { ensureAppHome } from "../config/config.js";
-import { credentialsPath, credentialsReadPath } from "../config/home.js";
+import { accountCredentialsPath, accountCredentialsReadPath, credentialsPath, credentialsReadPath } from "../config/home.js";
 import { writeFileSecureAtomic } from "../config/fsSecurity.js";
+import { assertValidAccountId, findAccount, readAccountsIndex, upsertAccount } from "./accounts.js";
 const SERVICE = "copillm";
-const ACCOUNT = "github-oauth-token";
+// The legacy keychain account string. Single-account installs (and the default
+// account on multi-account installs) keep using this exact key so upgrading to
+// a multi-account-aware build never invalidates an existing login. Additional
+// accounts are namespaced as `${LEGACY_ACCOUNT}:<id>`.
+const LEGACY_ACCOUNT = "github-oauth-token";
+// Map key for the default account's in-memory session credential. Chosen so it
+// can't collide with a real account id (those can't contain ':').
+const DEFAULT_SESSION_KEY = "::default::";
+function legacyStorage() {
+    return {
+        keychainAccount: LEGACY_ACCOUNT,
+        filePath: credentialsPath(),
+        fileReadPath: credentialsReadPath(),
+        sessionKey: DEFAULT_SESSION_KEY
+    };
+}
+function namespacedStorage(accountId) {
+    assertValidAccountId(accountId);
+    return {
+        keychainAccount: `${LEGACY_ACCOUNT}:${accountId}`,
+        filePath: accountCredentialsPath(accountId),
+        fileReadPath: accountCredentialsReadPath(accountId),
+        sessionKey: accountId
+    };
+}
+function storageForScheme(accountId, scheme) {
+    return scheme === "legacy" ? legacyStorage() : namespacedStorage(accountId);
+}
+/**
+ * Resolve the storage for a specific account id. A registered account uses the
+ * scheme recorded in its index entry (so the default/legacy account keeps the
+ * legacy keys even when addressed by id). An unregistered id is assumed to be a
+ * not-yet-persisted named account and gets namespaced storage.
+ */
+function storageForAccountId(accountId) {
+    const record = findAccount(accountId);
+    return record ? storageForScheme(record.id, record.storage) : namespacedStorage(accountId);
+}
+/**
+ * Storage for the *default* account. With no accounts index this is the legacy
+ * single-account storage — the path every existing install takes — so the
+ * exported `loadStoredCredential` / `saveStoredCredential` / etc. behave
+ * identically to the pre-multi-account build.
+ */
+function defaultAccountStorage() {
+    const index = readAccountsIndex();
+    if (!index) {
+        return legacyStorage();
+    }
+    const record = index.accounts.find((account) => account.id === index.defaultAccount);
+    return record ? storageForScheme(record.id, record.storage) : legacyStorage();
+}
 const FileCredentialSchema = z.object({
     version: z.literal(1),
     github_token: z.string().min(1),
     account_type: z.enum(["individual", "business", "enterprise"]),
     saved_at: z.string().min(1)
 });
-// Module-level in-memory credential. Only populated when SaveMode === "session".
-// Never persisted; cleared on clearStoredCredential() and on process exit.
-let sessionCredential = null;
+// Module-level in-memory credentials, keyed by account session key. Only
+// populated when SaveMode === "session". Never persisted; cleared on
+// clearStoredCredential() and on process exit.
+const sessionCredentials = new Map();
 function forceSessionBackend() {
     return process.env.COPILLM_FORCE_SESSION_BACKEND === "1";
 }
@@ -97,18 +150,17 @@ async function resolveKeyring() {
     }
     return { keyring: null, reason: "keyring module is unavailable on this machine" };
 }
-function parseCredentialFile() {
-    const path = credentialsReadPath();
-    const raw = readFileSync(path, "utf8");
+function parseCredentialFile(readPath) {
+    const raw = readFileSync(readPath, "utf8");
     let parsedJson;
     try {
         parsedJson = JSON.parse(raw);
     }
     catch (error) {
         if (error instanceof Error) {
-            throw new Error(`Credential file exists but contains invalid JSON at ${path}: ${error.message}`);
+            throw new Error(`Credential file exists but contains invalid JSON at ${readPath}: ${error.message}`);
         }
-        throw new Error(`Credential file exists but contains invalid JSON at ${path}.`);
+        throw new Error(`Credential file exists but contains invalid JSON at ${readPath}.`);
     }
     try {
         const parsed = FileCredentialSchema.parse(parsedJson);
@@ -116,12 +168,12 @@ function parseCredentialFile() {
     }
     catch (error) {
         if (error instanceof Error) {
-            throw new Error(`Credential file exists but is invalid at ${path}: ${error.message}`);
+            throw new Error(`Credential file exists but is invalid at ${readPath}: ${error.message}`);
         }
-        throw new Error(`Credential file exists but is invalid at ${path}.`);
+        throw new Error(`Credential file exists but is invalid at ${readPath}.`);
     }
 }
-function writeCredentialFile(token, accountType) {
+function writeCredentialFile(writePath, token, accountType) {
     ensureAppHome();
     const payload = {
         version: 1,
@@ -129,7 +181,7 @@ function writeCredentialFile(token, accountType) {
         account_type: accountType,
         saved_at: new Date().toISOString()
     };
-    writeFileSecureAtomic(credentialsPath(), JSON.stringify(payload, null, 2), 0o600);
+    writeFileSecureAtomic(writePath, JSON.stringify(payload, null, 2), 0o600);
 }
 function canUsePlaintextFallback() {
     if (forceSessionBackend()) {
@@ -152,11 +204,11 @@ function isMissingKeyringError(error) {
  * this helper to avoid accidentally pulling the secret into a code path that
  * might log or print it.
  */
-export async function inspectStoredCredential() {
-    if (sessionCredential) {
+async function inspectStorage(storage) {
+    if (sessionCredentials.has(storage.sessionKey)) {
         return { stored: true, backend: "session" };
     }
-    if (fs.existsSync(credentialsReadPath())) {
+    if (fs.existsSync(storage.fileReadPath)) {
         return { stored: true, backend: "file" };
     }
     const { keyring } = await resolveKeyring();
@@ -164,7 +216,7 @@ export async function inspectStoredCredential() {
         return { stored: false, backend: null };
     }
     try {
-        const token = await keyring.getPassword(SERVICE, ACCOUNT);
+        const token = await keyring.getPassword(SERVICE, storage.keychainAccount);
         if (token) {
             return { stored: true, backend: "keyring" };
         }
@@ -177,12 +229,13 @@ export async function inspectStoredCredential() {
         throw new Error("Failed to read token from OS keychain.");
     }
 }
-export async function loadStoredCredential() {
-    if (sessionCredential) {
-        return { token: sessionCredential.token, accountType: sessionCredential.accountType, source: "session" };
+async function loadStorage(storage) {
+    const session = sessionCredentials.get(storage.sessionKey);
+    if (session) {
+        return { token: session.token, accountType: session.accountType, source: "session" };
     }
-    if (fs.existsSync(credentialsReadPath())) {
-        const parsed = parseCredentialFile();
+    if (fs.existsSync(storage.fileReadPath)) {
+        const parsed = parseCredentialFile(storage.fileReadPath);
         return { token: parsed.token, accountType: parsed.accountType, source: "file" };
     }
     const { keyring } = await resolveKeyring();
@@ -191,7 +244,7 @@ export async function loadStoredCredential() {
     }
     let token;
     try {
-        token = await keyring.getPassword(SERVICE, ACCOUNT);
+        token = await keyring.getPassword(SERVICE, storage.keychainAccount);
     }
     catch (error) {
         if (error instanceof Error) {
@@ -204,33 +257,13 @@ export async function loadStoredCredential() {
     }
     return { token, accountType: "individual", source: "keyring" };
 }
-/**
- * Coalesced inspect + load for status surfaces. Returns the same fields
- * `inspectStoredCredential` exposes (`stored` + `backend`) AND the
- * `token` — but performs only ONE backend probe.
- *
- * Previously, `auth status` with user-lookup enabled did:
- *   1. `inspectStoredCredential` → one `keyring.getPassword` (backend probe)
- *   2. `loadStoredCredential` (inside `inspectGithubIdentity`) → another
- *      `keyring.getPassword` (full token read)
- *
- * On macOS, each call is its own keychain audit-log entry and (on a
- * misconfigured system) its own permission prompt. This helper folds both
- * into a single backend probe + single read.
- *
- * SECURITY: callers MUST treat the `token` field as sensitive — do not log,
- * print, or persist it. The status JSON output and `formatHumanAuthStatusLine`
- * only consume `backend` (and the upstream identity summary returned by
- * `inspectGithubIdentity`), never `token` directly. Enforced at the call
- * site (`tests/integration/authStatusCli.test.ts` runs a substring-leak
- * guard on the printed output).
- */
-export async function loadStoredCredentialForStatus() {
-    if (sessionCredential) {
-        return { stored: true, backend: "session", token: sessionCredential.token };
+async function loadStorageForStatus(storage) {
+    const session = sessionCredentials.get(storage.sessionKey);
+    if (session) {
+        return { stored: true, backend: "session", token: session.token };
     }
-    if (fs.existsSync(credentialsReadPath())) {
-        const parsed = parseCredentialFile();
+    if (fs.existsSync(storage.fileReadPath)) {
+        const parsed = parseCredentialFile(storage.fileReadPath);
         return { stored: true, backend: "file", token: parsed.token };
     }
     const { keyring } = await resolveKeyring();
@@ -238,7 +271,7 @@ export async function loadStoredCredentialForStatus() {
         return { stored: false, backend: null, token: null };
     }
     try {
-        const token = await keyring.getPassword(SERVICE, ACCOUNT);
+        const token = await keyring.getPassword(SERVICE, storage.keychainAccount);
         if (token) {
             return { stored: true, backend: "keyring", token };
         }
@@ -251,21 +284,20 @@ export async function loadStoredCredentialForStatus() {
         throw new Error("Failed to read token from OS keychain.");
     }
 }
-export async function saveStoredCredential(token, accountType, options = {}) {
-    const mode = options.mode ?? "auto";
+async function saveStorage(storage, token, accountType, mode) {
     if (mode === "session") {
-        sessionCredential = { token, accountType };
+        sessionCredentials.set(storage.sessionKey, { token, accountType });
         return "session";
     }
-    if (fs.existsSync(credentialsReadPath())) {
-        parseCredentialFile();
-        writeCredentialFile(token, accountType);
+    if (fs.existsSync(storage.fileReadPath)) {
+        parseCredentialFile(storage.fileReadPath);
+        writeCredentialFile(storage.filePath, token, accountType);
         return "file";
     }
     const { keyring, reason } = await resolveKeyring();
     if (keyring) {
         try {
-            await keyring.setPassword(SERVICE, ACCOUNT, token);
+            await keyring.setPassword(SERVICE, storage.keychainAccount, token);
             return "keyring";
         }
         catch (error) {
@@ -278,15 +310,14 @@ export async function saveStoredCredential(token, accountType, options = {}) {
     if (!canUsePlaintextFallback()) {
         throw new Error(`OS keychain backend unavailable (${reason ?? "unknown reason"}). Plaintext fallback is disabled in non-interactive mode; set COPILLM_ALLOW_PLAINTEXT_CREDENTIALS=1 to allow it.`);
     }
-    writeCredentialFile(token, accountType);
+    writeCredentialFile(storage.filePath, token, accountType);
     return "file";
 }
-export async function clearStoredCredential() {
+async function clearStorage(storage) {
     // Always clear in-memory session token first; it shadows other backends.
-    const hadSession = sessionCredential !== null;
-    sessionCredential = null;
-    const readablePath = credentialsReadPath();
-    const canonicalPath = credentialsPath();
+    const hadSession = sessionCredentials.delete(storage.sessionKey);
+    const readablePath = storage.fileReadPath;
+    const canonicalPath = storage.filePath;
     if (fs.existsSync(readablePath)) {
         fs.unlinkSync(readablePath);
         if (readablePath !== canonicalPath && fs.existsSync(canonicalPath)) {
@@ -297,7 +328,7 @@ export async function clearStoredCredential() {
     const { keyring, reason } = await resolveKeyring();
     if (keyring) {
         try {
-            const removed = await keyring.deletePassword(SERVICE, ACCOUNT);
+            const removed = await keyring.deletePassword(SERVICE, storage.keychainAccount);
             return { backend: "keyring", removed: removed || hadSession };
         }
         catch (error) {
@@ -312,8 +343,106 @@ export async function clearStoredCredential() {
     }
     throw new Error(`No credential backend available to clear credentials (${reason ?? "unknown reason"}).`);
 }
-// Test seam: forcibly clear the in-memory session credential. Not exported via
+// ---------------------------------------------------------------------------
+// Default-account surface. With no accounts index these operate on the legacy
+// single-account storage, so behaviour is identical to the pre-multi-account
+// build. With an index they target whichever account is currently the default.
+// ---------------------------------------------------------------------------
+export async function inspectStoredCredential() {
+    return inspectStorage(defaultAccountStorage());
+}
+export async function loadStoredCredential() {
+    return loadStorage(defaultAccountStorage());
+}
+/**
+ * Coalesced inspect + load for status surfaces. Returns the same fields
+ * `inspectStoredCredential` exposes (`stored` + `backend`) AND the
+ * `token` — but performs only ONE backend probe.
+ *
+ * Previously, `auth status` with user-lookup enabled did:
+ *   1. `inspectStoredCredential` → one `keyring.getPassword` (backend probe)
+ *   2. `loadStoredCredential` (inside `inspectGithubIdentity`) → another
+ *      `keyring.getPassword` (full token read)
+ *
+ * On macOS, each call is its own keychain audit-log entry and (on a
+ * misconfigured system) its own permission prompt. This helper folds both
+ * into a single backend probe + single read.
+ *
+ * SECURITY: callers MUST treat the `token` field as sensitive — do not log,
+ * print, or persist it. The status JSON output and `formatHumanAuthStatusLine`
+ * only consume `backend` (and the upstream identity summary returned by
+ * `inspectGithubIdentity`), never `token` directly. Enforced at the call
+ * site (`tests/integration/authStatusCli.test.ts` runs a substring-leak
+ * guard on the printed output).
+ */
+export async function loadStoredCredentialForStatus() {
+    return loadStorageForStatus(defaultAccountStorage());
+}
+export async function saveStoredCredential(token, accountType, options = {}) {
+    return saveStorage(defaultAccountStorage(), token, accountType, options.mode ?? "auto");
+}
+export async function clearStoredCredential() {
+    return clearStorage(defaultAccountStorage());
+}
+// ---------------------------------------------------------------------------
+// Account-scoped surface. These address a specific account by id regardless of
+// which one is the default. A registered account uses the storage scheme from
+// its index entry (so the legacy/default account keeps the legacy keys); an
+// unregistered id is treated as a not-yet-persisted namespaced account.
+// ---------------------------------------------------------------------------
+export async function inspectStoredCredentialForAccount(accountId) {
+    return inspectStorage(storageForAccountId(accountId));
+}
+export async function loadStoredCredentialForAccount(accountId) {
+    const loaded = await loadStorage(storageForAccountId(accountId));
+    if (!loaded) {
+        return loaded;
+    }
+    // The keychain backend can't store the account type, so `loadStorage`
+    // defaults it to "individual". The index records the real type per account —
+    // prefer it so model-discovery base-URL selection stays correct.
+    if (loaded.source === "keyring") {
+        const record = findAccount(accountId);
+        if (record) {
+            return { ...loaded, accountType: record.accountType };
+        }
+    }
+    return loaded;
+}
+export async function saveStoredCredentialForAccount(accountId, token, accountType, options = {}) {
+    return saveStorage(storageForAccountId(accountId), token, accountType, options.mode ?? "auto");
+}
+export async function clearStoredCredentialForAccount(accountId) {
+    return clearStorage(storageForAccountId(accountId));
+}
+/**
+ * Materialize the accounts index from a pre-existing single-account install.
+ * Registers the current legacy credential as the default account with
+ * `storage: "legacy"` so its token is **not moved** — the keychain entry and
+ * `credentials.json` stay exactly where they are. Idempotent: if the index
+ * already exists it is returned unchanged. Use this before adding a second
+ * account so the original login is represented without any invalidation risk.
+ */
+export function registerExistingCredentialAsDefault(accountId, accountType) {
+    assertValidAccountId(accountId);
+    const existing = readAccountsIndex();
+    if (existing) {
+        const current = existing.accounts.find((account) => account.id === existing.defaultAccount);
+        if (current) {
+            return current;
+        }
+    }
+    const record = {
+        id: accountId,
+        accountType,
+        storage: "legacy",
+        addedAt: new Date().toISOString()
+    };
+    upsertAccount(record);
+    return record;
+}
+// Test seam: forcibly clear all in-memory session credentials. Not exported via
 // the package surface for end users — only used by unit tests.
 export function __resetSessionCredentialForTests() {
-    sessionCredential = null;
+    sessionCredentials.clear();
 }

package/dist/cli/agentEnv.js

@@ -3,8 +3,9 @@ import { claudeConfigDir, piAgentDir } from "../config/home.js";
 export function buildClaudeEnvBundle(input) {
     const defaults = input.defaults ?? computeAnthropicDefaults(readModelIdsFromCache());
     const enableGateway = input.enableGatewayDiscovery !== false;
+    const prefix = input.pathPrefix ?? "";
     const env = {
-        ANTHROPIC_BASE_URL: `http://127.0.0.1:${input.port}/anthropic`,
+        ANTHROPIC_BASE_URL: `http://127.0.0.1:${input.port}${prefix}/anthropic`,
         ANTHROPIC_AUTH_TOKEN: input.callerSecret ?? "copillm-local",
         // Point Claude at a copillm-owned config home so copillm-launched Claude
         // never reads/writes the user's real ~/.claude (and dev mode isolates it).

package/dist/cli/auth/runAuth.js

@@ -1,26 +1,93 @@
-import { clearStoredCredential, saveStoredCredential } from "../../auth/credentials.js";
+import { clearStoredCredential, loadStoredCredential, loadStoredCredentialForAccount, registerExistingCredentialAsDefault, saveStoredCredential } from "../../auth/credentials.js";
+import { readAccountsIndex, assertValidAccountId, InvalidAccountIdError, UnknownAccountError } from "../../auth/accounts.js";
+import { addAccount, listAccountsDetailed, removeAccountAndCredential, removeAllAccounts, switchDefaultAccount } from "../../auth/accountManager.js";
 import { loginViaDeviceFlow } from "../../auth/deviceFlow.js";
+import { inspectGithubIdentity } from "../../auth/githubIdentity.js";
 import { loadConfig } from "../../config/config.js";
 import { inspectLock, releaseLock } from "../../server/lock.js";
 import { stopByPid } from "../daemon/lifecycle.js";
-import { describeBackend } from "../shared/backends.js";
+import { describeBackend, formatHumanAuthStatusLine } from "../shared/backends.js";
 import { writeCommandOutput } from "../shared/output.js";
+/**
+ * Derive a friendly, path-safe account id from the GitHub login behind a token.
+ * Returns null when the lookup fails or the login isn't a valid id.
+ */
+async function deriveAccountId(token) {
+    let identity;
+    try {
+        identity = await inspectGithubIdentity({ token });
+    }
+    catch {
+        return null;
+    }
+    const login = identity?.login;
+    if (!login) {
+        return null;
+    }
+    try {
+        assertValidAccountId(login);
+        return login;
+    }
+    catch {
+        return null;
+    }
+}
 export async function runAuthLogin(opts, options) {
     if (options.forceSession) {
         process.env.COPILLM_FORCE_SESSION_BACKEND = "1";
     }
     const config = loadConfig();
+    const accountType = opts.accountType ?? config.accountType;
+    const namedRequested = typeof opts.as === "string" && opts.as.trim().length > 0;
+    if (namedRequested) {
+        try {
+            assertValidAccountId(opts.as.trim());
+        }
+        catch (error) {
+            const message = error instanceof InvalidAccountIdError ? error.message : "invalid account id";
+            writeCommandOutput(opts, `Login failed: ${message}`, { status: "error", action: "login", error: message });
+            process.exitCode = 1;
+            return;
+        }
+    }
     const token = await loginViaDeviceFlow();
     const saveMode = options.forceSession ? "session" : "auto";
-    const backend = await saveStoredCredential(token, config.accountType, { mode: saveMode });
-    writeCommandOutput(opts, `Login succeeded. Credentials stored via ${describeBackend(backend)}.`, {
+    const index = readAccountsIndex();
+    // Pure single-account login: no index and no explicit name. Preserve the
+    // historical behaviour exactly — legacy storage, no accounts index created.
+    if (!index && !namedRequested) {
+        const backend = await saveStoredCredential(token, accountType, { mode: saveMode });
+        writeCommandOutput(opts, `Login succeeded. Credentials stored via ${describeBackend(backend)}.`, {
+            status: "ok",
+            action: "login",
+            credential_backend: backend
+        });
+        return;
+    }
+    const accountId = namedRequested ? opts.as.trim() : index.defaultAccount;
+    // First time we materialize the index via an explicit name: preserve any
+    // pre-existing single account as the default so its token isn't clobbered.
+    if (!index && namedRequested) {
+        const existing = await loadStoredCredential();
+        if (existing) {
+            const existingId = (await deriveAccountId(existing.token)) ?? "default";
+            if (existingId !== accountId) {
+                registerExistingCredentialAsDefault(existingId, existing.accountType);
+            }
+        }
+    }
+    const result = await addAccount({ id: accountId, accountType, token, mode: saveMode });
+    const defaultSuffix = result.isDefault ? " (default)" : "";
+    writeCommandOutput(opts, `Login succeeded for account "${result.id}"${defaultSuffix}. Credentials stored via ${describeBackend(result.backend)}.`, {
         status: "ok",
         action: "login",
-        credential_backend: backend
+        account: result.id,
+        account_type: result.accountType,
+        is_default: result.isDefault,
+        credential_backend: result.backend
     });
 }
-export async function runAuthLogout(opts) {
-    const result = await clearStoredCredential();
+async function stopRunningDaemon() {
     const lockState = inspectLock();
     if (lockState.state === "running") {
         await stopByPid(lockState.lock.pid);
@@ -28,11 +95,141 @@ export async function runAuthLogout(opts) {
     else if (lockState.state === "stale") {
         releaseLock();
     }
+}
+export async function runAuthLogout(opts) {
+    // Stopping the daemon is always part of logout — its in-memory bearers are
+    // derived from the credentials we're clearing.
+    if (opts.all) {
+        const result = await removeAllAccounts();
+        await stopRunningDaemon();
+        writeCommandOutput(opts, `Logged out of all accounts (${result.clearedCount} credential(s) cleared).`, {
+            status: "ok",
+            action: "logout",
+            scope: "all",
+            cleared_count: result.clearedCount,
+            removed_accounts: result.removedAccountIds
+        });
+        return;
+    }
+    const index = readAccountsIndex();
+    // Single-account install (no index) and no explicit target: preserve the
+    // historical single-account logout behaviour.
+    if (!index && !opts.account) {
+        const result = await clearStoredCredential();
+        await stopRunningDaemon();
+        const credentialStatus = result.removed ? "removed" : "not present";
+        writeCommandOutput(opts, `Logged out. Credentials ${credentialStatus} from ${describeBackend(result.backend)}.`, {
+            status: "ok",
+            action: "logout",
+            credential_backend: result.backend,
+            credential_removed: result.removed
+        });
+        return;
+    }
+    if (opts.account) {
+        try {
+            assertValidAccountId(opts.account);
+        }
+        catch (error) {
+            const message = error instanceof InvalidAccountIdError ? error.message : "invalid account id";
+            writeCommandOutput(opts, `Logout failed: ${message}`, { status: "error", action: "logout", error: message });
+            process.exitCode = 1;
+            return;
+        }
+    }
+    const targetId = opts.account ?? index.defaultAccount;
+    const result = await removeAccountAndCredential(targetId);
+    await stopRunningDaemon();
     const credentialStatus = result.removed ? "removed" : "not present";
-    writeCommandOutput(opts, `Logged out. Credentials ${credentialStatus} from ${describeBackend(result.backend)}.`, {
+    const tail = result.indexDeleted
+        ? " No accounts remain."
+        : result.newDefault
+            ? ` Default is now "${result.newDefault}".`
+            : "";
+    writeCommandOutput(opts, `Logged out of account "${result.id}". Credentials ${credentialStatus} from ${describeBackend(result.backend)}.${tail}`, {
         status: "ok",
         action: "logout",
+        account: result.id,
         credential_backend: result.backend,
-        credential_removed: result.removed
+        credential_removed: result.removed,
+        new_default: result.newDefault,
+        index_deleted: result.indexDeleted
     });
 }
+export async function runAuthSwitch(opts, accountId) {
+    try {
+        assertValidAccountId(accountId);
+        const index = switchDefaultAccount(accountId);
+        writeCommandOutput(opts, `Default account is now "${index.defaultAccount}".`, {
+            status: "ok",
+            action: "switch",
+            default_account: index.defaultAccount
+        });
+    }
+    catch (error) {
+        const message = error instanceof UnknownAccountError
+            ? `Unknown account "${accountId}". Run \`copillm auth status\` to list accounts.`
+            : error instanceof InvalidAccountIdError
+                ? error.message
+                : error instanceof Error
+                    ? error.message
+                    : "switch failed";
+        writeCommandOutput(opts, `Switch failed: ${message}`, { status: "error", action: "switch", error: message });
+        process.exitCode = 1;
+    }
+}
+/**
+ * Multi-account `auth status` listing (used when an accounts index exists).
+ * Returns whether any account has a stored credential so the caller can pick
+ * the process exit code. Never prints a token.
+ */
+export async function runAuthStatusList(opts) {
+    const wantUser = opts.user !== false;
+    const listing = await listAccountsDetailed();
+    const anyStored = listing.accounts.some((account) => account.stored);
+    const enriched = await Promise.all(listing.accounts.map(async (account) => {
+        let login = null;
+        let name = null;
+        if (wantUser && account.stored) {
+            try {
+                const credential = await loadStoredCredentialForAccount(account.id);
+                if (credential) {
+                    const identity = await inspectGithubIdentity({ token: credential.token });
+                    login = identity?.login ?? null;
+                    name = identity?.name ?? null;
+                }
+            }
+            catch {
+                login = null;
+                name = null;
+            }
+        }
+        return { ...account, login, name };
+    }));
+    if (opts.json) {
+        process.stdout.write(JSON.stringify({
+            status: anyStored ? "logged_in" : "logged_out",
+            default: listing.defaultAccount,
+            accounts: enriched.map((account) => ({
+                id: account.id,
+                account_type: account.accountType,
+                storage: account.storage,
+                default: account.isDefault,
+                stored: account.stored,
+                backend: account.backend,
+                user: account.login ? { login: account.login, name: account.name } : null
+            }))
+        }, null, 2) + "\n");
+        return { anyStored };
+    }
+    process.stdout.write(`copillm — ${enriched.length} account(s)\n`);
+    for (const account of enriched) {
+        const marker = account.isDefault ? "*" : " ";
+        const who = account.login ? ` @${account.login}` : "";
+        const state = account.stored
+            ? formatHumanAuthStatusLine(account.backend, account.login ? { login: account.login, name: account.name } : null)
+            : "no credential";
+        process.stdout.write(`${marker} ${account.id}  [${account.accountType}]${who}  — ${state}\n`);
+    }
+    return { anyStored };
+}