oc-codex-multi-account 1.0.0

package/README.md

@@ -0,0 +1,321 @@
+# oc-codex-multi-account
+
+[![npm version](https://img.shields.io/npm/v/oc-codex-multi-account)](https://www.npmjs.com/package/oc-codex-multi-account)
+
+Multi-account OAuth rotation for OpenAI Codex with sticky threshold switching.
+
+> **Based on [opencode-openai-codex-auth](https://github.com/numman-ali/opencode-openai-codex-auth) by [@nummanali](https://x.com/nummanali)**. Forked and modified to add multi-account rotation support.
+
+## Patched Build (Codex Backend Compatible)
+
+This fork patches the plugin to talk to **ChatGPT Codex backend** (`chatgpt.com/backend-api`) with the same headers and request shape as the official Codex OAuth plugin.
+
+**Install from npm (recommended):**
+
+```bash
+bun add oc-codex-multi-account --cwd ~/.config/opencode
+```
+
+Then set the plugin entry in `~/.config/opencode/opencode.json`:
+
+```json
+{
+  "plugin": ["oc-codex-multi-account@latest"]
+}
+```
+
+If you already installed an older build, re-run the GitHub install command above to override it.
+
+## Installation
+
+### Via npm (Recommended)
+
+Add to your `~/.config/opencode/opencode.json`:
+
+```json
+{
+  "plugin": ["oc-codex-multi-account@latest"]
+}
+```
+
+OpenCode will auto-install on first run.
+
+### Manual Install
+
+If auto-install fails, install manually:
+
+```bash
+bun add oc-codex-multi-account --cwd ~/.config/opencode
+```
+
+### From Source
+
+```bash
+git clone https://github.com/gaboe/oc-codex-multi-account.git
+cd oc-codex-multi-account
+bun install
+bun run build
+bun link
+```
+
+## Add Your Accounts
+
+```bash
+# Add each account (opens browser for OAuth)
+opencode-multi-auth add personal
+opencode-multi-auth add work  
+opencode-multi-auth add backup
+
+# Each command opens your browser - log in with a different ChatGPT account each time
+```
+
+## Verify Setup
+
+```bash
+opencode-multi-auth status
+```
+
+Output:
+```
+[multi-auth] Account Status
+
+Strategy: round-robin
+Accounts: 3
+Active: personal
+
+  personal (active)
+    Email: you@personal.com
+    Uses: 12
+    Token expires: 12/25/2025, 3:00:00 PM
+
+  work
+    Email: you@work.com
+    Uses: 10
+    Token expires: 12/25/2025, 3:00:00 PM
+
+  backup
+    Email: you@backup.com
+    Uses: 8
+    Token expires: 12/25/2025, 3:00:00 PM
+```
+
+## Web Dashboard (Local Only)
+
+Launch the local dashboard:
+
+```bash
+opencode-multi-auth web --port 3434 --host 127.0.0.1
+```
+
+Or from the repo:
+
+```bash
+npm run web
+```
+
+Open `http://127.0.0.1:3434` to manage Codex CLI tokens from `~/.codex/auth.json`:
+- Sync current auth.json token into your local list
+- See which token is active on the device
+- Switch auth.json to a stored token
+- Refresh OAuth tokens (per-token or all)
+- Refresh 5-hour and weekly limits manually (probe-run per alias)
+- Search/filter by alias/email/tags/notes
+- Sort by remaining limits, expiry, or alias; recommended token badge
+- Tag and annotate tokens (notes)
+- Queue-based refresh with progress + stop
+- Limit history sparklines and trend rate
+- Built-in log view
+
+The dashboard watches `~/.codex/auth.json` and will add new tokens as you log in via Codex CLI.
+
+Limit refresh runs `codex exec` in a per-alias sandbox (`~/.codex-multi/<alias>`) so you can
+update limits for any stored token without switching the active device token.
+
+### Optional Store Encryption
+
+Set `CODEX_SOFT_STORE_PASSPHRASE` to encrypt `~/.config/opencode-multi-auth/accounts.json` at rest:
+
+```bash
+export CODEX_SOFT_STORE_PASSPHRASE="your-passphrase"
+```
+
+If the store is encrypted and the passphrase is missing, the UI will show a locked status and refuse to overwrite.
+
+### Systemd Autostart (user service)
+
+Install and enable the user service:
+
+```bash
+opencode-multi-auth service install --port 3434 --host 127.0.0.1
+```
+
+Check status or disable:
+
+```bash
+opencode-multi-auth service status
+opencode-multi-auth service disable
+```
+
+### Logs
+
+The dashboard writes logs to `~/.config/opencode-multi-auth/logs/codex-soft.log` by default.
+Override with `CODEX_SOFT_LOG_PATH` if you want a custom path.
+
+## Configure OpenCode
+
+Add to your `~/.config/opencode/opencode.json`:
+
+```json
+{
+  "plugin": ["oc-codex-multi-account@latest"]
+}
+```
+
+Or with other plugins:
+
+```json
+{
+  "plugin": [
+    "oh-my-opencode",
+    "oc-codex-multi-account@latest"
+  ]
+}
+```
+
+
+## Background Notifications (macOS)
+
+
+### iPhone notifications via ntfy (click to open session)
+
+If you want push notifications on iOS (with a clickable link to the OpenCode web session), use `ntfy`.
+
+1) Install the **ntfy** app on iPhone and subscribe to a topic.
+
+2) Set these env vars on the Mac where OpenCode runs:
+
+- `OPENCODE_MULTI_AUTH_NOTIFY_NTFY_URL`
+  Example: `https://ntfy.sh/<your-topic>` (or your self-hosted ntfy URL)
+- `OPENCODE_MULTI_AUTH_NOTIFY_UI_BASE_URL`
+  Base URL of your OpenCode web UI reachable from iPhone.
+  Example (Tailscale): `http://100.x.y.z:4096`
+- Optional: `OPENCODE_MULTI_AUTH_NOTIFY_NTFY_TOKEN` (Bearer token)
+
+The plugin sends notifications for:
+
+- `session.idle` (finished): priority `3`
+- `session.status` with `retry`: priority `4`
+- `session.error`: priority `5`
+
+When possible, the notification body includes `Project` + session `Title`, plus the `sessionID`.
+It also attaches a `Click:` URL like `<base>/session/<sessionID>` so tapping the push opens the session.
+
+This plugin can send a **macOS notification + sound** when a session finishes work.
+It listens for OpenCode events (`session.status` and `session.idle`).
+
+Defaults:
+- Enabled by default
+- Sound: `/System/Library/Sounds/Glass.aiff`
+
+Environment variables:
+- `OPENCODE_MULTI_AUTH_NOTIFY=0` disables notifications
+- `OPENCODE_MULTI_AUTH_NOTIFY_SOUND=/path/to/sound.aiff` overrides the sound
+- `OPENCODE_MULTI_AUTH_NOTIFY_MAC_OPEN=0` disables click-to-open on macOS (when available)
+
+Clickable macOS notifications require `terminal-notifier` (optional). If installed, clicking the banner opens the session URL.
+
+If OpenCode seems to only make progress when the window is focused, macOS may be throttling it.
+Try disabling App Nap for OpenCode.app (Finder -> Get Info -> Prevent App Nap),
+or run the server from a terminal under `caffeinate`.
+
+## Codex Latest Model Mapping
+
+OpenCode may not list the newest Codex model yet (it keeps an internal allowlist).
+This plugin can still use the newest model by **mapping** the selected Codex model
+to the latest backend model on ChatGPT.
+
+Default behavior:
+- If you select `openai/gpt-5.2-codex` (or `openai/gpt-5-codex`), the plugin will send requests as `gpt-5.3-codex`.
+
+Environment variables:
+- `OPENCODE_MULTI_AUTH_PREFER_CODEX_LATEST=0` disables the mapping (use exact model).
+- `OPENCODE_MULTI_AUTH_CODEX_LATEST_MODEL=gpt-5.3-codex` overrides the target model.
+- `OPENCODE_MULTI_AUTH_DEBUG=1` prints mapping logs like: `model map: gpt-5.2-codex -> gpt-5.3-codex`.
+
+## Troubleshooting
+
+### BunInstallFailedError (DependencyLoop)
+
+If OpenCode fails to boot with:
+
+```
+BunInstallFailedError
+{ "pkg": "oc-codex-multi-account", "version": "latest" }
+```
+
+It usually means an older `@a3fckx/opencode-multi-auth` dependency is still present.
+
+Fix:
+
+1) Remove the old dependency from `~/.config/opencode/package.json`:
+
+```json
+{
+  "dependencies": {
+    "@a3fckx/opencode-multi-auth": "^1.0.4"
+  }
+}
+```
+
+2) Reinstall:
+
+```bash
+bun add oc-codex-multi-account --cwd ~/.config/opencode
+```
+
+Optional fallback: use a file path plugin entry if installs are blocked:
+
+```json
+{
+  "plugin": [
+    "file:///Users/<you>/.config/opencode/node_modules/oc-codex-multi-account/dist/index.js"
+  ]
+}
+```
+
+## How It Works
+
+| Feature | Behavior |
+|---------|----------|
+| **Rotation** | Round-robin across all accounts per API call |
+| **Rate Limits** | Auto-skips rate-limited account for 5 min, uses next |
+| **Token Refresh** | Auto-refreshes tokens before expiry |
+| **Models** | Auto-discovers GPT-5.x models from OpenAI API |
+| **Storage** | `~/.config/opencode-multi-auth/accounts.json` |
+
+## CLI Commands
+
+| Command | Description |
+|---------|-------------|
+| `add <alias>` | Add new account via OAuth (opens browser) |
+| `remove <alias>` | Remove an account |
+| `list` | List all configured accounts |
+| `status` | Detailed status with usage counts |
+| `path` | Show config file location |
+| `web` | Launch local Codex auth.json dashboard |
+| `service` | Install/disable systemd user service |
+| `help` | Show help message |
+
+## Requirements
+
+- ChatGPT Plus/Pro subscription(s)
+- OpenCode CLI
+
+## Credits
+
+- Original OAuth implementation: [numman-ali/opencode-openai-codex-auth](https://github.com/numman-ali/opencode-openai-codex-auth)
+- Multi-account rotation: [@a3fckx](https://github.com/a3fckx)
+
+## License
+
+MIT

package/dist/auth-sync.d.ts

@@ -0,0 +1,3 @@
+import type { Auth } from '@opencode-ai/sdk';
+export declare function syncAuthFromOpenCode(getAuth: () => Promise<Auth>): Promise<void>;
+//# sourceMappingURL=auth-sync.d.ts.map

package/dist/auth-sync.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-sync.d.ts","sourceRoot":"","sources":["../src/auth-sync.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAA;AAkD5C,wBAAsB,oBAAoB,CAAC,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAyDtF"}

package/dist/auth-sync.js

@@ -0,0 +1,105 @@
+import { addAccount, loadStore, updateAccount } from './store.js';
+import { decodeJwtPayload, getAccountIdFromClaims, getEmailFromClaims } from './codex-auth.js';
+const OPENAI_ISSUER = 'https://auth.openai.com';
+const AUTH_SYNC_COOLDOWN_MS = 10_000;
+let lastSyncedAccess = null;
+let lastSyncAt = 0;
+async function fetchEmail(accessToken) {
+    try {
+        const res = await fetch(`${OPENAI_ISSUER}/userinfo`, {
+            headers: { Authorization: `Bearer ${accessToken}` }
+        });
+        if (!res.ok)
+            return undefined;
+        const user = (await res.json());
+        return user.email;
+    }
+    catch {
+        return undefined;
+    }
+}
+function findAccountAliasByToken(access, refresh) {
+    const store = loadStore();
+    for (const account of Object.values(store.accounts)) {
+        if (account.accessToken === access)
+            return account.alias;
+        if (refresh && account.refreshToken === refresh)
+            return account.alias;
+    }
+    return null;
+}
+function findAccountAliasByEmail(email, store) {
+    for (const account of Object.values(store.accounts)) {
+        if (account.email && account.email === email)
+            return account.alias;
+    }
+    return null;
+}
+function buildAlias(email, existingAliases) {
+    const base = email ? email.split('@')[0] : 'account';
+    let candidate = base || 'account';
+    let suffix = 1;
+    while (existingAliases.has(candidate)) {
+        candidate = `${base}-${suffix}`;
+        suffix += 1;
+    }
+    return candidate;
+}
+export async function syncAuthFromOpenCode(getAuth) {
+    const now = Date.now();
+    if (now - lastSyncAt < AUTH_SYNC_COOLDOWN_MS)
+        return;
+    lastSyncAt = now;
+    let auth = null;
+    try {
+        auth = await getAuth();
+    }
+    catch {
+        return;
+    }
+    if (!auth || auth.type !== 'oauth')
+        return;
+    if (!auth.access)
+        return;
+    if (auth.access === lastSyncedAccess)
+        return;
+    lastSyncedAccess = auth.access;
+    const existingAlias = findAccountAliasByToken(auth.access, auth.refresh);
+    const accessClaims = decodeJwtPayload(auth.access);
+    const derivedEmail = getEmailFromClaims(accessClaims);
+    const derivedAccountId = getAccountIdFromClaims(accessClaims);
+    if (existingAlias) {
+        updateAccount(existingAlias, {
+            accessToken: auth.access,
+            refreshToken: auth.refresh,
+            expiresAt: auth.expires,
+            email: derivedEmail,
+            accountId: derivedAccountId
+        });
+        return;
+    }
+    const store = loadStore();
+    const email = (await fetchEmail(auth.access)) || derivedEmail;
+    if (email) {
+        const existingByEmail = findAccountAliasByEmail(email, store);
+        if (existingByEmail) {
+            updateAccount(existingByEmail, {
+                accessToken: auth.access,
+                refreshToken: auth.refresh,
+                expiresAt: auth.expires,
+                email
+            });
+            return;
+        }
+    }
+    const alias = buildAlias(email, new Set(Object.keys(store.accounts)));
+    addAccount(alias, {
+        accessToken: auth.access,
+        refreshToken: auth.refresh,
+        expiresAt: auth.expires,
+        email,
+        accountId: derivedAccountId,
+        source: 'opencode'
+    });
+}
+//# sourceMappingURL=auth-sync.js.map

package/dist/auth-sync.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-sync.js","sourceRoot":"","sources":["../src/auth-sync.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,YAAY,CAAA;AACjE,OAAO,EAAE,gBAAgB,EAAE,sBAAsB,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAA;AAE9F,MAAM,aAAa,GAAG,yBAAyB,CAAA;AAC/C,MAAM,qBAAqB,GAAG,MAAM,CAAA;AAEpC,IAAI,gBAAgB,GAAkB,IAAI,CAAA;AAC1C,IAAI,UAAU,GAAG,CAAC,CAAA;AAElB,KAAK,UAAU,UAAU,CAAC,WAAmB;IAC3C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,aAAa,WAAW,EAAE;YACnD,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,WAAW,EAAE,EAAE;SACpD,CAAC,CAAA;QACF,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,SAAS,CAAA;QAC7B,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAuB,CAAA;QACrD,OAAO,IAAI,CAAC,KAAK,CAAA;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAA;IAClB,CAAC;AACH,CAAC;AAED,SAAS,uBAAuB,CAAC,MAAc,EAAE,OAAgB;IAC/D,MAAM,KAAK,GAAG,SAAS,EAAE,CAAA;IACzB,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpD,IAAI,OAAO,CAAC,WAAW,KAAK,MAAM;YAAE,OAAO,OAAO,CAAC,KAAK,CAAA;QACxD,IAAI,OAAO,IAAI,OAAO,CAAC,YAAY,KAAK,OAAO;YAAE,OAAO,OAAO,CAAC,KAAK,CAAA;IACvE,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC;AAED,SAAS,uBAAuB,CAAC,KAAa,EAAE,KAAmC;IACjF,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpD,IAAI,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC,KAAK,KAAK,KAAK;YAAE,OAAO,OAAO,CAAC,KAAK,CAAA;IACpE,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC;AAED,SAAS,UAAU,CAAC,KAAyB,EAAE,eAA4B;IACzE,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;IACpD,IAAI,SAAS,GAAG,IAAI,IAAI,SAAS,CAAA;IACjC,IAAI,MAAM,GAAG,CAAC,CAAA;IACd,OAAO,eAAe,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;QACtC,SAAS,GAAG,GAAG,IAAI,IAAI,MAAM,EAAE,CAAA;QAC/B,MAAM,IAAI,CAAC,CAAA;IACb,CAAC;IACD,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,OAA4B;IACrE,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IACtB,IAAI,GAAG,GAAG,UAAU,GAAG,qBAAqB;QAAE,OAAM;IACpD,UAAU,GAAG,GAAG,CAAA;IAEhB,IAAI,IAAI,GAAgB,IAAI,CAAA;IAC5B,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,OAAO,EAAE,CAAA;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,OAAM;IACR,CAAC;IAED,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO;QAAE,OAAM;IAC1C,IAAI,CAAC,IAAI,CAAC,MAAM;QAAE,OAAM;IACxB,IAAI,IAAI,CAAC,MAAM,KAAK,gBAAgB;QAAE,OAAM;IAE5C,gBAAgB,GAAG,IAAI,CAAC,MAAM,CAAA;IAE9B,MAAM,aAAa,GAAG,uBAAuB,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,CAAA;IACxE,MAAM,YAAY,GAAG,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;IAClD,MAAM,YAAY,GAAG,kBAAkB,CAAC,YAAY,CAAC,CAAA;IACrD,MAAM,gBAAgB,GAAG,sBAAsB,CAAC,YAAY,CAAC,CAAA;IAC7D,IAAI,aAAa,EAAE,CAAC;QAClB,aAAa,CAAC,aAAa,EAAE;YAC3B,WAAW,EAAE,IAAI,CAAC,MAAM;YACxB,YAAY,EAAE,IAAI,CAAC,OAAO;YAC1B,SAAS,EAAE,IAAI,CAAC,OAAO;YACvB,KAAK,EAAE,YAAY;YACnB,SAAS,EAAE,gBAAgB;SAC5B,CAAC,CAAA;QACF,OAAM;IACR,CAAC;IAED,MAAM,KAAK,GAAG,SAAS,EAAE,CAAA;IACzB,MAAM,KAAK,GAAG,CAAC,MAAM,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,YAAY,CAAA;IAC7D,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,eAAe,GAAG,uBAAuB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAA;QAC7D,IAAI,eAAe,EAAE,CAAC;YACpB,aAAa,CAAC,eAAe,EAAE;gBAC7B,WAAW,EAAE,IAAI,CAAC,MAAM;gBACxB,YAAY,EAAE,IAAI,CAAC,OAAO;gBAC1B,SAAS,EAAE,IAAI,CAAC,OAAO;gBACvB,KAAK;aACN,CAAC,CAAA;YACF,OAAM;QACR,CAAC;IACH,CAAC;IACD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,EAAE,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAA;IAErE,UAAU,CAAC,KAAK,EAAE;QAChB,WAAW,EAAE,IAAI,CAAC,MAAM;QACxB,YAAY,EAAE,IAAI,CAAC,OAAO;QAC1B,SAAS,EAAE,IAAI,CAAC,OAAO;QACvB,KAAK;QACL,SAAS,EAAE,gBAAgB;QAC3B,MAAM,EAAE,UAAU;KACnB,CAAC,CAAA;AACJ,CAAC"}

package/dist/auth.d.ts

@@ -0,0 +1,15 @@
+import type { AccountCredentials } from './types.js';
+interface AuthorizationFlow {
+    pkce: {
+        verifier: string;
+        challenge: string;
+    };
+    state: string;
+    url: string;
+}
+export declare function createAuthorizationFlow(): Promise<AuthorizationFlow>;
+export declare function loginAccount(alias: string, flow?: AuthorizationFlow): Promise<AccountCredentials>;
+export declare function refreshToken(alias: string): Promise<AccountCredentials | null>;
+export declare function ensureValidToken(alias: string): Promise<string | null>;
+export {};
+//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAeA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAA;AAsBpD,UAAU,iBAAiB;IACzB,IAAI,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAA;IAC7C,KAAK,EAAE,MAAM,CAAA;IACb,GAAG,EAAE,MAAM,CAAA;CACZ;AAED,wBAAsB,uBAAuB,IAAI,OAAO,CAAC,iBAAiB,CAAC,CAiB1E;AAED,wBAAsB,YAAY,CAChC,KAAK,EAAE,MAAM,EACb,IAAI,CAAC,EAAE,iBAAiB,GACvB,OAAO,CAAC,kBAAkB,CAAC,CA8I7B;AAED,wBAAsB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CA+DpF;AAED,wBAAsB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAe5E"}

package/dist/auth.js

@@ -0,0 +1,236 @@
+import { generatePKCE } from '@openauthjs/openauth/pkce';
+import { randomBytes } from 'node:crypto';
+import * as http from 'http';
+import * as url from 'url';
+import * as path from 'node:path';
+import * as os from 'node:os';
+import { addAccount, updateAccount, loadStore } from './store.js';
+import { clearAuthInvalid } from './rotation.js';
+import { decodeJwtPayload, getAccountIdFromClaims, getEmailFromClaims, getExpiryFromClaims } from './codex-auth.js';
+// OpenAI OAuth endpoints (same as official Codex CLI)
+const OPENAI_ISSUER = 'https://auth.openai.com';
+const AUTHORIZE_URL = `${OPENAI_ISSUER}/oauth/authorize`;
+const TOKEN_URL = `${OPENAI_ISSUER}/oauth/token`;
+const CLIENT_ID = 'app_EMoamEEZ73f0CkXaXp7hrann';
+const REDIRECT_PORT = 1455;
+const REDIRECT_URI = `http://localhost:${REDIRECT_PORT}/auth/callback`;
+const SCOPES = ['openid', 'profile', 'email', 'offline_access'];
+const FLOW_FILE_DIR = path.join(os.homedir(), '.config', 'opencode-multi-auth');
+const FLOW_FILE = path.join(FLOW_FILE_DIR, 'pending-flow.json');
+export async function createAuthorizationFlow() {
+    const pkce = await generatePKCE();
+    const state = randomBytes(16).toString('hex');
+    const authUrl = new URL(AUTHORIZE_URL);
+    authUrl.searchParams.set('client_id', CLIENT_ID);
+    authUrl.searchParams.set('redirect_uri', REDIRECT_URI);
+    authUrl.searchParams.set('response_type', 'code');
+    authUrl.searchParams.set('scope', SCOPES.join(' '));
+    authUrl.searchParams.set('code_challenge', pkce.challenge);
+    authUrl.searchParams.set('code_challenge_method', 'S256');
+    authUrl.searchParams.set('state', state);
+    authUrl.searchParams.set('audience', 'https://api.openai.com/v1');
+    authUrl.searchParams.set('id_token_add_organizations', 'true');
+    authUrl.searchParams.set('codex_cli_simplified_flow', 'true');
+    authUrl.searchParams.set('originator', 'codex_cli_rs');
+    return { pkce, state, url: authUrl.toString() };
+}
+export async function loginAccount(alias, flow) {
+    const activeFlow = flow ?? await createAuthorizationFlow();
+    const { pkce, state } = activeFlow;
+    return new Promise((resolve, reject) => {
+        let server = null;
+        const cleanup = () => {
+            if (server) {
+                server.close();
+                server = null;
+            }
+        };
+        server = http.createServer(async (req, res) => {
+            if (!req.url?.startsWith('/auth/callback')) {
+                res.writeHead(404);
+                res.end('Not found');
+                return;
+            }
+            const parsedUrl = url.parse(req.url, true);
+            const code = parsedUrl.query.code;
+            const returnedState = parsedUrl.query.state;
+            if (!code) {
+                res.writeHead(400);
+                res.end('No authorization code received');
+                cleanup();
+                reject(new Error('No authorization code'));
+                return;
+            }
+            if (returnedState && returnedState !== state) {
+                res.writeHead(400);
+                res.end('Invalid state');
+                cleanup();
+                reject(new Error('Invalid state'));
+                return;
+            }
+            try {
+                // Exchange code for tokens
+                const tokenRes = await fetch(TOKEN_URL, {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+                    body: new URLSearchParams({
+                        grant_type: 'authorization_code',
+                        client_id: CLIENT_ID,
+                        code,
+                        code_verifier: pkce.verifier,
+                        redirect_uri: REDIRECT_URI
+                    })
+                });
+                if (!tokenRes.ok) {
+                    throw new Error(`Token exchange failed: ${tokenRes.status}`);
+                }
+                const tokens = (await tokenRes.json());
+                if (!tokens.refresh_token) {
+                    throw new Error('Token exchange did not return a refresh_token');
+                }
+                const now = Date.now();
+                const accessClaims = decodeJwtPayload(tokens.access_token);
+                const idClaims = tokens.id_token ? decodeJwtPayload(tokens.id_token) : null;
+                const expiresAt = getExpiryFromClaims(accessClaims) || getExpiryFromClaims(idClaims) || now + tokens.expires_in * 1000;
+                let email = getEmailFromClaims(idClaims) || getEmailFromClaims(accessClaims);
+                try {
+                    const userRes = await fetch(`${OPENAI_ISSUER}/userinfo`, {
+                        headers: { Authorization: `Bearer ${tokens.access_token}` }
+                    });
+                    if (userRes.ok) {
+                        const user = (await userRes.json());
+                        email = user.email || email;
+                    }
+                }
+                catch {
+                    /* user info fetch is non-critical */
+                }
+                const accountId = getAccountIdFromClaims(idClaims) ||
+                    getAccountIdFromClaims(accessClaims);
+                const store = addAccount(alias, {
+                    accessToken: tokens.access_token,
+                    refreshToken: tokens.refresh_token,
+                    idToken: tokens.id_token,
+                    accountId,
+                    expiresAt,
+                    email,
+                    lastRefresh: new Date(now).toISOString(),
+                    lastSeenAt: now,
+                    source: 'opencode',
+                    authInvalid: false,
+                    authInvalidatedAt: undefined
+                });
+                const account = store.accounts[alias];
+                res.writeHead(200, { 'Content-Type': 'text/html' });
+                res.end(`
+          <html>
+            <body style="font-family: system-ui; padding: 40px; text-align: center;">
+              <h1>Account "${alias}" authenticated!</h1>
+              <p>${email || 'Unknown email'}</p>
+              <p>You can close this window.</p>
+            </body>
+          </html>
+        `);
+                cleanup();
+                resolve(account);
+            }
+            catch (err) {
+                res.writeHead(500);
+                res.end('Authentication failed');
+                cleanup();
+                reject(err);
+            }
+        });
+        server.listen(REDIRECT_PORT, () => {
+            console.log(`\n[multi-auth] Login for account "${alias}"`);
+            console.log(`[multi-auth] Open this URL in your browser:\n`);
+            console.log(`  ${activeFlow.url}\n`);
+            console.log(`[multi-auth] Waiting for callback on port ${REDIRECT_PORT}...`);
+        });
+        server.on('error', (err) => {
+            if (err.code === 'EADDRINUSE') {
+                reject(new Error(`Port ${REDIRECT_PORT} is in use. Stop Codex CLI if running.`));
+            }
+            else {
+                reject(err);
+            }
+        });
+        // Timeout after 5 minutes
+        setTimeout(() => {
+            cleanup();
+            reject(new Error('Login timeout - no callback received'));
+        }, 5 * 60 * 1000);
+    });
+}
+export async function refreshToken(alias) {
+    const store = loadStore();
+    const account = store.accounts[alias];
+    if (!account?.refreshToken) {
+        console.error(`[multi-auth] No refresh token for ${alias}`);
+        return null;
+    }
+    try {
+        const tokenRes = await fetch(TOKEN_URL, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            body: new URLSearchParams({
+                grant_type: 'refresh_token',
+                client_id: CLIENT_ID,
+                refresh_token: account.refreshToken
+            })
+        });
+        if (!tokenRes.ok) {
+            console.error(`[multi-auth] Refresh failed for ${alias}: ${tokenRes.status}`);
+            // If the refresh token is invalid/expired, mark this account invalid so
+            // rotation can keep working without repeatedly selecting a broken account.
+            if (tokenRes.status === 401 || tokenRes.status === 403) {
+                try {
+                    updateAccount(alias, {
+                        authInvalid: true,
+                        authInvalidatedAt: Date.now()
+                    });
+                }
+                catch {
+                    // ignore
+                }
+            }
+            return null;
+        }
+        const tokens = (await tokenRes.json());
+        const accessClaims = decodeJwtPayload(tokens.access_token);
+        const idClaims = tokens.id_token ? decodeJwtPayload(tokens.id_token) : null;
+        const expiresAt = getExpiryFromClaims(accessClaims) || getExpiryFromClaims(idClaims) || Date.now() + tokens.expires_in * 1000;
+        const updates = {
+            accessToken: tokens.access_token,
+            refreshToken: tokens.refresh_token || account.refreshToken,
+            expiresAt,
+            lastRefresh: new Date().toISOString(),
+            idToken: tokens.id_token || account.idToken,
+            accountId: getAccountIdFromClaims(idClaims) ||
+                getAccountIdFromClaims(accessClaims) ||
+                account.accountId
+        };
+        const updatedStore = updateAccount(alias, updates);
+        clearAuthInvalid(alias);
+        return updatedStore.accounts[alias];
+    }
+    catch (err) {
+        console.error(`[multi-auth] Refresh error for ${alias}:`, err);
+        return null;
+    }
+}
+export async function ensureValidToken(alias) {
+    const store = loadStore();
+    const account = store.accounts[alias];
+    if (!account)
+        return null;
+    // Refresh if expiring within 5 minutes
+    const bufferMs = 5 * 60 * 1000;
+    if (account.expiresAt < Date.now() + bufferMs) {
+        console.log(`[multi-auth] Refreshing token for ${alias}`);
+        const refreshed = await refreshToken(alias);
+        return refreshed?.accessToken || null;
+    }
+    return account.accessToken;
+}
+//# sourceMappingURL=auth.js.map