copillm 0.2.9 → 0.3.0-beta.2

package/README.md

@@ -28,6 +28,18 @@ Alternatively, you can invoke it directly with `npx` without a global install:
 npx copillm --help
 ```
 
+### Preview (beta) releases
+
+Experimental builds are published to the `beta` channel ahead of a stable
+release. They let you try in-progress features early; expect rough edges. Stable
+installs are never affected unless you explicitly opt in:
+
+```bash
+npm install -g copillm@beta
+```
+
+To return to the stable channel, reinstall without the tag: `npm install -g copillm@latest`.
+
 ## Quick start
 
 ```bash
@@ -48,6 +60,62 @@ copillm claude --model opus
 copillm codex --help
 ```
 
+## Multiple accounts
+
+copillm can hold more than one GitHub account at once and serve them from the
+same daemon. If you only ever use one account, nothing changes — you never see
+any of this.
+
+```bash
+# Your first login is the default account (no naming needed).
+copillm auth login
+
+# Add another account under a name of your choice.
+copillm auth login --as work
+copillm auth login --as work --account-type business   # set its plan type
+
+# See every account; the default is marked with *.
+copillm auth status
+
+# Change which account is the default.
+copillm auth switch work
+
+# Log out of one account, or all of them.
+copillm auth logout --account work
+copillm auth logout --all
+```
+
+The **default account** is what every agent and the model endpoints use unless
+told otherwise. `copillm auth status` lists each account with its plan type and
+whether a credential is stored; tokens are never printed.
+
+Different accounts can be entitled to different models, so each account keeps
+its own model list.
+
+### Launching an agent against a specific account
+
+Point any agent at a non-default account for a single launch with `--account`,
+or set `COPILLM_ACCOUNT` in the environment:
+
+```bash
+copillm codex --account work
+COPILLM_ACCOUNT=work copillm claude
+```
+
+To make it automatic, pin an account to a profile in `~/.copillm/agent.toml`
+(or a project's `.copillm/agent.toml`):
+
+```toml
+[profiles.work]
+account = "work"
+```
+
+Then `copillm codex --profile work` always uses the `work` account. Precedence
+is `--account` > `COPILLM_ACCOUNT` > the profile's pinned account > the default
+account. copillm prints a short notice such as `using account "work" (from
+profile)` so you always know which account a launch is using, and refuses to
+launch with a clear error if the account isn't one you've logged into.
+
 ## Documentation
 
 Full documentation is published at **[jcjc-dev.github.io/copillm](https://jcjc-dev.github.io/copillm/)**.
@@ -63,7 +131,7 @@ Full documentation is published at **[jcjc-dev.github.io/copillm](https://jcjc-d
 
 ## Contributing
 
-Bug reports and pull requests are welcome. Please read the [development guide](https://jcjc-dev.github.io/copillm/development/) before opening a pull request.
+Bug reports and pull requests are welcome. Develop against an isolated dev daemon (`npm run dev:start`) so you don't disturb a running copillm, and run `npm run lint && npm test && npm run test:e2e:pr` before opening a pull request. See the [development guide](https://jcjc-dev.github.io/copillm/development/) for the full workflow.
 
 ## Disclaimer
 

package/dist/agentconfig/load.js

@@ -97,6 +97,14 @@ function mergeAndResolve(input) {
     const instructions = instructionsBody !== null && instructionsBody.trim().length > 0
         ? { body: instructionsBody }
         : null;
+    // Merge the pinned account: later layers (project over global, profile over
+    // defaults) win. Empty string is treated as unset.
+    let account = null;
+    for (const layer of layers) {
+        if (layer.account !== undefined && layer.account.trim().length > 0) {
+            account = layer.account.trim();
+        }
+    }
     // Merge mcp.servers map; later layers replace earlier same-named entries.
     // Defaults are always-on: a profile may override a default by name but
     // cannot remove it.
@@ -114,7 +122,7 @@ function mergeAndResolve(input) {
         permissions: mergeRecord(layers, "permissions")
     };
     const yolo = mergeYolo(layers);
-    return { instructions, mcpServers: servers, yolo, reserved };
+    return { instructions, mcpServers: servers, account, yolo, reserved };
 }
 /**
  * Layer yolo blocks across defaults + active profile. Later layers (project

package/dist/agentconfig/schema.js

@@ -69,6 +69,12 @@ const SectionSchema = z
     instructions: InstructionsSchema.optional(),
     mcp: McpSchema.optional(),
     yolo: YoloSchema.optional(),
+    /**
+     * Pin a copillm account for launches that use this profile. The launcher
+     * routes the agent at this account unless overridden by `--account` /
+     * `COPILLM_ACCOUNT`. Must name an account from `copillm auth status`.
+     */
+    account: z.string().min(1).optional(),
     // v1 reserved sections: validated as objects but not interpreted.
     skills: PassthroughRecord.optional(),
     agents: PassthroughRecord.optional(),

package/dist/auth/accountManager.js

@@ -0,0 +1,118 @@
+import { findAccount, readAccountsIndex, removeAccount, setDefaultAccountId, upsertAccount, assertValidAccountId } from "./accounts.js";
+import { clearStoredCredential, clearStoredCredentialForAccount, inspectStoredCredentialForAccount, saveStoredCredentialForAccount } from "./credentials.js";
+/**
+ * Add or update an explicitly-identified account, materializing/extending the
+ * accounts index, and store its credential.
+ *
+ * Storage scheme follows the credential-store invariant: the **first** account
+ * (no index yet) takes legacy storage so it keeps the original keychain entry /
+ * `credentials.json`; every account added afterwards is namespaced. An existing
+ * account keeps whatever storage it already has.
+ */
+export async function addAccount(input) {
+    assertValidAccountId(input.id);
+    const index = readAccountsIndex();
+    const existing = findAccount(input.id);
+    const storage = existing ? existing.storage : index ? "namespaced" : "legacy";
+    upsertAccount({
+        id: input.id,
+        accountType: input.accountType,
+        storage,
+        addedAt: existing?.addedAt ?? new Date().toISOString()
+    });
+    // saveStoredCredentialForAccount resolves storage from the index record we
+    // just wrote, so it lands in the right (legacy vs namespaced) location.
+    const backend = await saveStoredCredentialForAccount(input.id, input.token, input.accountType, {
+        mode: input.mode ?? "auto"
+    });
+    let isDefault = readAccountsIndex()?.defaultAccount === input.id;
+    if (input.makeDefault && !isDefault) {
+        setDefaultAccountId(input.id);
+        isDefault = true;
+    }
+    return { id: input.id, accountType: input.accountType, storage, backend, isDefault };
+}
+/**
+ * Detailed, token-free view of every registered account for `auth status`.
+ * Returns `hasIndex: false` for single-account installs so the caller can use
+ * the legacy single-account output unchanged.
+ */
+export async function listAccountsDetailed() {
+    const index = readAccountsIndex();
+    if (!index) {
+        return { hasIndex: false, defaultAccount: null, accounts: [] };
+    }
+    const accounts = [];
+    for (const record of index.accounts) {
+        const info = await inspectStoredCredentialForAccount(record.id);
+        accounts.push({
+            id: record.id,
+            accountType: record.accountType,
+            storage: record.storage,
+            isDefault: record.id === index.defaultAccount,
+            stored: info.stored,
+            backend: info.backend
+        });
+    }
+    return { hasIndex: true, defaultAccount: index.defaultAccount, accounts };
+}
+/**
+ * Remove one account: clear its credential first (while its index record still
+ * exists, so the correct storage location is targeted), then drop it from the
+ * index (which reassigns the default, or deletes the index when it was the
+ * last account). Clearing is best-effort — an absent credential is reported as
+ * `removed: false` rather than failing the removal.
+ */
+export async function removeAccountAndCredential(id) {
+    assertValidAccountId(id);
+    let removed = false;
+    let backend = "file";
+    try {
+        const cleared = await clearStoredCredentialForAccount(id);
+        removed = cleared.removed;
+        backend = cleared.backend;
+    }
+    catch {
+        // No backend available to clear (e.g. nothing was stored). The account is
+        // still removed from the index below.
+        removed = false;
+    }
+    const index = removeAccount(id);
+    return {
+        id,
+        removed,
+        backend,
+        newDefault: index?.defaultAccount ?? null,
+        indexDeleted: index === null
+    };
+}
+/**
+ * Remove every account and delete the index. For a single-account install (no
+ * index) this just clears the legacy credential.
+ */
+export async function removeAllAccounts() {
+    const index = readAccountsIndex();
+    if (!index) {
+        const cleared = await clearStoredCredential();
+        return { clearedCount: cleared.removed ? 1 : 0, removedAccountIds: [], indexDeleted: false };
+    }
+    const ids = index.accounts.map((account) => account.id);
+    let clearedCount = 0;
+    for (const id of ids) {
+        try {
+            const cleared = await clearStoredCredentialForAccount(id);
+            if (cleared.removed) {
+                clearedCount += 1;
+            }
+        }
+        catch {
+            // Best-effort: an account with nothing stored still gets removed.
+        }
+        removeAccount(id);
+    }
+    return { clearedCount, removedAccountIds: ids, indexDeleted: true };
+}
+/** Point the default at an existing account. Throws `UnknownAccountError`. */
+export function switchDefaultAccount(id) {
+    return setDefaultAccountId(id);
+}

package/dist/auth/accounts.js

@@ -0,0 +1,161 @@
+import fs from "node:fs";
+import { z } from "zod";
+import { ensureAppHome } from "../config/config.js";
+import { accountsIndexPath, accountsIndexReadPath } from "../config/home.js";
+import { writeFileSecureAtomic } from "../config/fsSecurity.js";
+import { ACCOUNT_ID_PATTERN, MAX_ACCOUNT_ID_LENGTH, assertValidAccountId, InvalidAccountIdError } from "../config/accountId.js";
+// Re-exported for callers that historically imported account-id validation
+// from this module (e.g. `credentials.ts`). The canonical definition now lives
+// in `config/accountId.ts` so the `models` layer can share it.
+export { assertValidAccountId, InvalidAccountIdError };
+// GitHub logins are `[A-Za-z0-9-]` and copillm allows `.` / `_` for synthetic
+// ids. The id is embedded in a filename (`credentials.<id>.json`) and a
+// keychain account string; the canonical validation lives in
+// `config/accountId.ts` (shared with the models layer).
+const AccountRecordSchema = z.object({
+    id: z.string().min(1).max(MAX_ACCOUNT_ID_LENGTH).regex(ACCOUNT_ID_PATTERN),
+    accountType: z.enum(["individual", "business", "enterprise"]),
+    storage: z.enum(["legacy", "namespaced"]),
+    addedAt: z.string().min(1)
+});
+const AccountsIndexSchema = z
+    .object({
+    version: z.literal(1),
+    defaultAccount: z.string().min(1),
+    accounts: z.array(AccountRecordSchema)
+})
+    .superRefine((value, ctx) => {
+    const ids = value.accounts.map((account) => account.id);
+    if (new Set(ids).size !== ids.length) {
+        ctx.addIssue({ code: z.ZodIssueCode.custom, message: "accounts.json contains duplicate account ids." });
+    }
+    if (!ids.includes(value.defaultAccount)) {
+        ctx.addIssue({
+            code: z.ZodIssueCode.custom,
+            message: `accounts.json defaultAccount "${value.defaultAccount}" is not present in accounts.`
+        });
+    }
+    if (value.accounts.filter((account) => account.storage === "legacy").length > 1) {
+        ctx.addIssue({ code: z.ZodIssueCode.custom, message: "accounts.json may declare at most one legacy-storage account." });
+    }
+});
+/**
+ * Read and validate the accounts index. Returns `null` when no index exists
+ * (the single-account / legacy case). Throws if the file exists but is
+ * corrupt, so a damaged index surfaces loudly rather than silently dropping
+ * accounts.
+ */
+export function readAccountsIndex() {
+    const path = accountsIndexReadPath();
+    if (!fs.existsSync(path)) {
+        return null;
+    }
+    let raw;
+    try {
+        raw = JSON.parse(fs.readFileSync(path, "utf8"));
+    }
+    catch (error) {
+        const detail = error instanceof Error ? error.message : "unknown error";
+        throw new Error(`Accounts index exists but contains invalid JSON at ${path}: ${detail}`);
+    }
+    const parsed = AccountsIndexSchema.safeParse(raw);
+    if (!parsed.success) {
+        throw new Error(`Accounts index exists but is invalid at ${path}: ${parsed.error.issues.map((i) => i.message).join("; ")}`);
+    }
+    return parsed.data;
+}
+export function writeAccountsIndex(index) {
+    const validated = AccountsIndexSchema.parse(index);
+    ensureAppHome();
+    writeFileSecureAtomic(accountsIndexPath(), JSON.stringify(validated, null, 2), 0o600);
+}
+export function listAccounts() {
+    return readAccountsIndex()?.accounts ?? [];
+}
+/**
+ * The default account id, or `null` when no index exists. A `null` return is
+ * the signal to callers to use the legacy single-account storage path.
+ */
+export function getDefaultAccountId() {
+    return readAccountsIndex()?.defaultAccount ?? null;
+}
+export function findAccount(accountId) {
+    return readAccountsIndex()?.accounts.find((account) => account.id === accountId) ?? null;
+}
+/**
+ * Insert or update an account record, then persist the index. When the index
+ * does not yet exist it is created with this account as the default. Returns
+ * the resulting index.
+ */
+export function upsertAccount(record) {
+    assertValidAccountId(record.id);
+    AccountRecordSchema.parse(record);
+    const existing = readAccountsIndex();
+    if (!existing) {
+        const index = { version: 1, defaultAccount: record.id, accounts: [record] };
+        writeAccountsIndex(index);
+        return index;
+    }
+    const accounts = existing.accounts.filter((account) => account.id !== record.id);
+    accounts.push(record);
+    const index = { ...existing, accounts };
+    writeAccountsIndex(index);
+    return index;
+}
+export class UnknownAccountError extends Error {
+    accountId;
+    constructor(accountId) {
+        super(`Unknown account "${accountId}".`);
+        this.accountId = accountId;
+        this.name = "UnknownAccountError";
+    }
+}
+/**
+ * Point the default at an existing account. Throws `UnknownAccountError` if the
+ * id isn't registered, so a typo can't silently orphan the default.
+ */
+export function setDefaultAccountId(accountId) {
+    const existing = readAccountsIndex();
+    if (!existing || !existing.accounts.some((account) => account.id === accountId)) {
+        throw new UnknownAccountError(accountId);
+    }
+    const index = { ...existing, defaultAccount: accountId };
+    writeAccountsIndex(index);
+    return index;
+}
+/**
+ * Remove an account from the index. Returns the updated index, or `null` if no
+ * index existed. When the removed account was the default, the default falls
+ * back to the first remaining account (or the index is deleted entirely if no
+ * accounts remain). Token removal is the caller's responsibility.
+ */
+export function removeAccount(accountId) {
+    const existing = readAccountsIndex();
+    if (!existing) {
+        return null;
+    }
+    const accounts = existing.accounts.filter((account) => account.id !== accountId);
+    if (accounts.length === existing.accounts.length) {
+        return existing;
+    }
+    if (accounts.length === 0) {
+        deleteAccountsIndex();
+        return null;
+    }
+    const defaultAccount = accounts.some((account) => account.id === existing.defaultAccount)
+        ? existing.defaultAccount
+        : accounts[0].id;
+    const index = { ...existing, defaultAccount, accounts };
+    writeAccountsIndex(index);
+    return index;
+}
+function deleteAccountsIndex() {
+    const canonical = accountsIndexPath();
+    if (fs.existsSync(canonical)) {
+        fs.unlinkSync(canonical);
+    }
+    const readable = accountsIndexReadPath();
+    if (readable !== canonical && fs.existsSync(readable)) {
+        fs.unlinkSync(readable);
+    }
+}