opencode-codex-multi-account 0.1.0

package/dist/index.js

@@ -0,0 +1,3233 @@
+// src/index.ts
+import { tool } from "@opencode-ai/plugin";
+
+// ../multi-account-core/src/account-manager.ts
+import { randomUUID } from "node:crypto";
+
+// ../multi-account-core/src/claims.ts
+import { promises as fs2 } from "node:fs";
+import { randomBytes as randomBytes2 } from "node:crypto";
+import { dirname as dirname2, join as join3 } from "node:path";
+
+// ../multi-account-core/src/utils.ts
+import { join as join2 } from "node:path";
+import { homedir as homedir2 } from "node:os";
+
+// ../multi-account-core/src/config.ts
+import { promises as fs } from "node:fs";
+import { randomBytes } from "node:crypto";
+import { dirname, join } from "node:path";
+import { homedir } from "node:os";
+import * as v2 from "valibot";
+
+// ../multi-account-core/src/types.ts
+import * as v from "valibot";
+var OAuthCredentialsSchema = v.object({
+  type: v.literal("oauth"),
+  refresh: v.string(),
+  access: v.string(),
+  expires: v.number()
+});
+var UsageLimitEntrySchema = v.object({
+  utilization: v.number(),
+  resets_at: v.nullable(v.string())
+});
+var UsageLimitsSchema = v.object({
+  five_hour: v.optional(v.nullable(UsageLimitEntrySchema), null),
+  seven_day: v.optional(v.nullable(UsageLimitEntrySchema), null),
+  seven_day_sonnet: v.optional(v.nullable(UsageLimitEntrySchema), null)
+});
+var CredentialRefreshPatchSchema = v.object({
+  accessToken: v.string(),
+  expiresAt: v.number(),
+  refreshToken: v.optional(v.string()),
+  uuid: v.optional(v.string()),
+  accountId: v.optional(v.string()),
+  email: v.optional(v.string())
+});
+var StoredAccountSchema = v.object({
+  uuid: v.optional(v.string()),
+  accountId: v.optional(v.string()),
+  label: v.optional(v.string()),
+  email: v.optional(v.string()),
+  planTier: v.optional(v.string(), ""),
+  refreshToken: v.string(),
+  accessToken: v.optional(v.string()),
+  expiresAt: v.optional(v.number()),
+  addedAt: v.number(),
+  lastUsed: v.number(),
+  enabled: v.optional(v.boolean(), true),
+  rateLimitResetAt: v.optional(v.number()),
+  cachedUsage: v.optional(UsageLimitsSchema),
+  cachedUsageAt: v.optional(v.number()),
+  consecutiveAuthFailures: v.optional(v.number(), 0),
+  isAuthDisabled: v.optional(v.boolean(), false),
+  authDisabledReason: v.optional(v.string())
+});
+var AccountStorageSchema = v.object({
+  version: v.literal(1),
+  accounts: v.optional(v.array(StoredAccountSchema), []),
+  activeAccountUuid: v.optional(v.string())
+});
+var AccountSelectionStrategySchema = v.picklist(["sticky", "round-robin", "hybrid"]);
+var PluginConfigSchema = v.object({
+  account_selection_strategy: v.optional(AccountSelectionStrategySchema, "sticky"),
+  cross_process_claims: v.optional(v.boolean(), true),
+  soft_quota_threshold_percent: v.optional(v.pipe(v.number(), v.minValue(0), v.maxValue(100)), 100),
+  rate_limit_min_backoff_ms: v.optional(v.pipe(v.number(), v.minValue(0)), 3e4),
+  default_retry_after_ms: v.optional(v.pipe(v.number(), v.minValue(0)), 6e4),
+  max_consecutive_auth_failures: v.optional(v.pipe(v.number(), v.integer(), v.minValue(1)), 3),
+  token_failure_backoff_ms: v.optional(v.pipe(v.number(), v.minValue(0)), 3e4),
+  proactive_refresh: v.optional(v.boolean(), true),
+  proactive_refresh_buffer_seconds: v.optional(v.pipe(v.number(), v.minValue(60)), 1800),
+  proactive_refresh_interval_seconds: v.optional(v.pipe(v.number(), v.minValue(30)), 300),
+  quiet_mode: v.optional(v.boolean(), false),
+  debug: v.optional(v.boolean(), false)
+});
+
+// ../multi-account-core/src/config.ts
+var DEFAULT_CONFIG_FILENAME = "multiauth-config.json";
+var DEFAULT_CONFIG = v2.parse(PluginConfigSchema, {});
+var configFilename = DEFAULT_CONFIG_FILENAME;
+var cachedConfig = null;
+var externalConfigGetter = null;
+function getConfigDir() {
+  return process.env.OPENCODE_CONFIG_DIR || join(process.env.XDG_CONFIG_HOME || join(homedir(), ".config"), "opencode");
+}
+function getConfigPath() {
+  return join(getConfigDir(), configFilename);
+}
+function parseConfig(raw) {
+  const result = v2.safeParse(PluginConfigSchema, raw);
+  return result.success ? result.output : DEFAULT_CONFIG;
+}
+function initCoreConfig(filename) {
+  configFilename = filename || DEFAULT_CONFIG_FILENAME;
+  cachedConfig = null;
+}
+async function loadConfig() {
+  if (cachedConfig) return cachedConfig;
+  const path = getConfigPath();
+  try {
+    const content = await fs.readFile(path, "utf-8");
+    cachedConfig = parseConfig(JSON.parse(content));
+  } catch {
+    cachedConfig = DEFAULT_CONFIG;
+  }
+  return cachedConfig;
+}
+function getConfig() {
+  if (cachedConfig) return cachedConfig;
+  if (externalConfigGetter && externalConfigGetter !== getConfig) {
+    try {
+      return parseConfig(externalConfigGetter());
+    } catch {
+      return DEFAULT_CONFIG;
+    }
+  }
+  return DEFAULT_CONFIG;
+}
+function setConfigGetter(getter) {
+  if (getter === getConfig) {
+    return;
+  }
+  externalConfigGetter = getter;
+}
+async function updateConfigField(key, value) {
+  const path = getConfigPath();
+  let existing = {};
+  try {
+    const content2 = await fs.readFile(path, "utf-8");
+    existing = JSON.parse(content2);
+  } catch {
+  }
+  existing[key] = value;
+  await fs.mkdir(dirname(path), { recursive: true });
+  const content = `${JSON.stringify(existing, null, 2)}
+`;
+  const tempPath = `${path}.${randomBytes(8).toString("hex")}.tmp`;
+  try {
+    await fs.writeFile(tempPath, content, "utf-8");
+    await fs.rename(tempPath, path);
+  } catch (error) {
+    try {
+      await fs.unlink(tempPath);
+    } catch {
+    }
+    throw error;
+  }
+  cachedConfig = null;
+  await loadConfig();
+}
+
+// ../multi-account-core/src/utils.ts
+function getConfigDir2() {
+  return process.env.OPENCODE_CONFIG_DIR || join2(process.env.XDG_CONFIG_HOME || join2(homedir2(), ".config"), "opencode");
+}
+function getErrorCode(error) {
+  if (typeof error !== "object" || error === null || !("code" in error)) {
+    return void 0;
+  }
+  const code = error.code;
+  return typeof code === "string" ? code : void 0;
+}
+function formatWaitTime(ms) {
+  const totalSeconds = Math.ceil(ms / 1e3);
+  if (totalSeconds < 60) return `${totalSeconds}s`;
+  const days = Math.floor(totalSeconds / 86400);
+  const hours = Math.floor(totalSeconds % 86400 / 3600);
+  const minutes = Math.floor(totalSeconds % 3600 / 60);
+  const seconds = totalSeconds % 60;
+  const parts = [];
+  if (days > 0) parts.push(`${days}d`);
+  if (hours > 0) parts.push(`${hours}h`);
+  if (minutes > 0) parts.push(`${minutes}m`);
+  if (seconds > 0 && days === 0) parts.push(`${seconds}s`);
+  return parts.join(" ") || "0s";
+}
+function getAccountLabel(account) {
+  if (account.label) return account.label;
+  if (account.email) return account.email;
+  if (account.uuid) return `Account (${account.uuid.slice(0, 8)})`;
+  return `Account ${account.index + 1}`;
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+async function showToast(client, message, variant) {
+  if (getConfig().quiet_mode) return;
+  try {
+    await client.tui.showToast({ body: { message, variant } });
+  } catch {
+  }
+}
+function debugLog(client, message, extra) {
+  if (!getConfig().debug) return;
+  client.app.log({
+    body: { service: "claude-multiauth", level: "debug", message, extra }
+  }).catch(() => {
+  });
+}
+function createMinimalClient() {
+  return {
+    auth: {
+      set: async () => {
+      }
+    },
+    tui: {
+      showToast: async () => {
+      }
+    },
+    app: {
+      log: async () => {
+      }
+    }
+  };
+}
+
+// ../multi-account-core/src/claims.ts
+var CLAIMS_FILENAME = "multiauth-claims.json";
+var CLAIM_EXPIRY_MS = 6e4;
+function getClaimsPath() {
+  return join3(getConfigDir2(), CLAIMS_FILENAME);
+}
+function isClaimShape(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) return false;
+  const claim = value;
+  return typeof claim.pid === "number" && Number.isInteger(claim.pid) && claim.pid > 0 && typeof claim.at === "number" && Number.isFinite(claim.at);
+}
+function parseClaims(raw) {
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    return {};
+  }
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    return {};
+  }
+  const claims = {};
+  for (const [accountId, claim] of Object.entries(parsed)) {
+    if (isClaimShape(claim)) {
+      claims[accountId] = claim;
+    }
+  }
+  return claims;
+}
+function isProcessAlive(pid) {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function cleanClaims(claims, now) {
+  const cleaned = {};
+  let changed = false;
+  for (const [accountId, claim] of Object.entries(claims)) {
+    const expiredByTime = now - claim.at > CLAIM_EXPIRY_MS;
+    const zombieClaim = !isProcessAlive(claim.pid);
+    if (expiredByTime || zombieClaim) {
+      changed = true;
+      continue;
+    }
+    cleaned[accountId] = claim;
+  }
+  return { cleaned, changed };
+}
+async function writeClaimsFile(claims) {
+  const path = getClaimsPath();
+  const tempPath = `${path}.${randomBytes2(6).toString("hex")}.tmp`;
+  await fs2.mkdir(dirname2(path), { recursive: true });
+  try {
+    await fs2.writeFile(tempPath, JSON.stringify(claims, null, 2), { encoding: "utf-8", mode: 384 });
+    await fs2.rename(tempPath, path);
+  } catch (error) {
+    try {
+      await fs2.unlink(tempPath);
+    } catch {
+    }
+    throw error;
+  }
+}
+async function readClaims() {
+  try {
+    const data = await fs2.readFile(getClaimsPath(), "utf-8");
+    const parsed = parseClaims(data);
+    const now = Date.now();
+    const { cleaned, changed } = cleanClaims(parsed, now);
+    if (changed) {
+      try {
+        await writeClaimsFile(cleaned);
+      } catch {
+      }
+    }
+    return cleaned;
+  } catch {
+    return {};
+  }
+}
+async function writeClaim(accountId) {
+  const now = Date.now();
+  const claims = await readClaims();
+  const { cleaned } = cleanClaims(claims, now);
+  cleaned[accountId] = { pid: process.pid, at: now };
+  try {
+    await writeClaimsFile(cleaned);
+  } catch {
+  }
+}
+function isClaimedByOther(claims, accountId) {
+  if (!accountId) return false;
+  const claim = claims[accountId];
+  if (!claim) return false;
+  if (Date.now() - claim.at > CLAIM_EXPIRY_MS) return false;
+  if (!isProcessAlive(claim.pid)) return false;
+  return claim.pid !== process.pid;
+}
+
+// ../multi-account-core/src/account-manager.ts
+var STARTUP_REFRESH_CONCURRENCY = 3;
+var RECENT_429_COOLDOWN_MS = 3e4;
+var HYBRID_SWITCH_MARGIN = 40;
+function createAccountManagerForProvider(dependencies) {
+  const {
+    providerAuthId,
+    isTokenExpired: isTokenExpired2,
+    refreshToken: refreshToken2
+  } = dependencies;
+  return class AccountManager2 {
+    constructor(store) {
+      this.store = store;
+    }
+    cached = [];
+    activeAccountUuid;
+    client = null;
+    runtimeFactory = null;
+    roundRobinCursor = 0;
+    last429Map = /* @__PURE__ */ new Map();
+    static async create(store, currentAuth, client) {
+      const manager = new AccountManager2(store);
+      await manager.initialize(currentAuth, client);
+      return manager;
+    }
+    async initialize(currentAuth, client) {
+      if (client) this.client = client;
+      const storage = await this.store.load();
+      if (storage.accounts.length > 0) {
+        this.cached = storage.accounts.map((account, index) => this.toManagedAccount(account, index));
+        this.activeAccountUuid = storage.activeAccountUuid;
+        if (!this.getActiveAccount() && this.cached.length > 0) {
+          this.activeAccountUuid = this.cached[0].uuid;
+        }
+        return;
+      }
+      if (currentAuth.refresh) {
+        const newAccount = this.createNewAccount(currentAuth, Date.now());
+        await this.store.addAccount(newAccount);
+        await this.store.setActiveUuid(newAccount.uuid);
+        this.cached = [this.toManagedAccount(newAccount, 0)];
+        this.activeAccountUuid = newAccount.uuid;
+      }
+    }
+    async refresh() {
+      const storage = await this.store.load();
+      this.cached = storage.accounts.map((account, index) => this.toManagedAccount(account, index));
+      if (storage.activeAccountUuid) {
+        this.activeAccountUuid = storage.activeAccountUuid;
+      }
+    }
+    toManagedAccount(storedAccount, index) {
+      return {
+        index,
+        uuid: storedAccount.uuid,
+        accountId: storedAccount.accountId,
+        label: storedAccount.label,
+        email: storedAccount.email,
+        planTier: storedAccount.planTier,
+        refreshToken: storedAccount.refreshToken,
+        accessToken: storedAccount.accessToken,
+        expiresAt: storedAccount.expiresAt,
+        addedAt: storedAccount.addedAt,
+        lastUsed: storedAccount.lastUsed,
+        enabled: storedAccount.enabled,
+        rateLimitResetAt: storedAccount.rateLimitResetAt,
+        cachedUsage: storedAccount.cachedUsage,
+        cachedUsageAt: storedAccount.cachedUsageAt,
+        consecutiveAuthFailures: storedAccount.consecutiveAuthFailures,
+        isAuthDisabled: storedAccount.isAuthDisabled,
+        authDisabledReason: storedAccount.authDisabledReason,
+        last429At: storedAccount.uuid ? this.last429Map.get(storedAccount.uuid) : void 0
+      };
+    }
+    createNewAccount(auth, now) {
+      return {
+        uuid: randomUUID(),
+        refreshToken: auth.refresh,
+        accessToken: auth.access,
+        expiresAt: auth.expires,
+        addedAt: now,
+        lastUsed: now,
+        enabled: true,
+        planTier: "",
+        consecutiveAuthFailures: 0,
+        isAuthDisabled: false
+      };
+    }
+    getAccountCount() {
+      return this.getEligibleAccounts().length;
+    }
+    getAccounts() {
+      return [...this.cached];
+    }
+    getActiveAccount() {
+      if (this.activeAccountUuid) {
+        return this.cached.find((account) => account.uuid === this.activeAccountUuid) ?? null;
+      }
+      return this.cached[0] ?? null;
+    }
+    setClient(client) {
+      this.client = client;
+    }
+    setRuntimeFactory(factory) {
+      this.runtimeFactory = factory;
+    }
+    getEligibleAccounts() {
+      return this.cached.filter((account) => account.uuid && account.enabled && !account.isAuthDisabled);
+    }
+    exceedsSoftQuota(account) {
+      const threshold = getConfig().soft_quota_threshold_percent;
+      if (threshold >= 100) return false;
+      const usage = account.cachedUsage;
+      if (!usage) return false;
+      const tiers = [usage.five_hour, usage.seven_day];
+      return tiers.some((tier) => tier != null && tier.utilization >= threshold);
+    }
+    hasAnyUsableAccount() {
+      return this.getEligibleAccounts().length > 0;
+    }
+    isRateLimited(account) {
+      if (account.rateLimitResetAt && Date.now() < account.rateLimitResetAt) {
+        return true;
+      }
+      return this.isUsageExhausted(account);
+    }
+    isUsageExhausted(account) {
+      const usage = account.cachedUsage;
+      if (!usage) return false;
+      const now = Date.now();
+      const tiers = [usage.five_hour, usage.seven_day];
+      return tiers.some(
+        (tier) => tier != null && tier.utilization >= 100 && tier.resets_at != null && Date.parse(tier.resets_at) > now
+      );
+    }
+    clearExpiredRateLimits() {
+      const now = Date.now();
+      for (const account of this.cached) {
+        if (account.rateLimitResetAt && now >= account.rateLimitResetAt) {
+          account.rateLimitResetAt = void 0;
+        }
+      }
+    }
+    getMinWaitTime() {
+      const eligible = this.getEligibleAccounts();
+      const available = eligible.filter((account) => !this.isRateLimited(account));
+      if (available.length > 0) return 0;
+      const now = Date.now();
+      const waits = [];
+      for (const account of eligible) {
+        if (account.rateLimitResetAt) {
+          const ms = account.rateLimitResetAt - now;
+          if (ms > 0) waits.push(ms);
+        }
+        const usageResetMs = this.getUsageResetMs(account);
+        if (usageResetMs !== null && usageResetMs > 0) {
+          waits.push(usageResetMs);
+        }
+      }
+      return waits.length > 0 ? Math.min(...waits) : 0;
+    }
+    getUsageResetMs(account) {
+      const usage = account.cachedUsage;
+      if (!usage) return null;
+      const now = Date.now();
+      const candidates = [];
+      const tiers = [usage.five_hour, usage.seven_day];
+      for (const tier of tiers) {
+        if (tier != null && tier.utilization >= 100 && tier.resets_at != null) {
+          const ms = Date.parse(tier.resets_at) - now;
+          if (ms > 0) candidates.push(ms);
+        }
+      }
+      return candidates.length > 0 ? Math.min(...candidates) : null;
+    }
+    async selectAccount() {
+      await this.refresh();
+      this.clearExpiredRateLimits();
+      const eligible = this.getEligibleAccounts();
+      if (eligible.length === 0) return null;
+      const config = getConfig();
+      const claims = config.cross_process_claims ? await readClaims() : {};
+      const strategy = config.account_selection_strategy;
+      let selected;
+      switch (strategy) {
+        case "round-robin":
+          selected = this.selectRoundRobin(eligible, claims);
+          break;
+        case "hybrid":
+          selected = this.selectHybrid(eligible, claims);
+          break;
+        case "sticky":
+        default:
+          selected = this.selectSticky(eligible, claims);
+          break;
+      }
+      if (selected?.uuid) {
+        this.activeAccountUuid = selected.uuid;
+        this.store.setActiveUuid(selected.uuid).catch(() => {
+        });
+      }
+      if (config.cross_process_claims && selected?.uuid) {
+        writeClaim(selected.uuid).catch(() => {
+        });
+      }
+      return selected;
+    }
+    isUsable(account) {
+      return !this.isRateLimited(account) && !this.isInRecentCooldown(account) && !this.exceedsSoftQuota(account);
+    }
+    isInRecentCooldown(account) {
+      if (!account.last429At) return false;
+      return Date.now() - account.last429At < RECENT_429_COOLDOWN_MS;
+    }
+    fallbackNotRateLimited(eligible) {
+      const account = eligible.find((candidate) => !this.isRateLimited(candidate));
+      if (account) {
+        this.activateAccount(account);
+        return account;
+      }
+      return null;
+    }
+    selectSticky(eligible, claims) {
+      const current = this.getActiveAccount();
+      if (current?.enabled && !current.isAuthDisabled && this.isUsable(current)) {
+        this.activateAccount(current);
+        return current;
+      }
+      const unclaimed = eligible.find(
+        (account) => this.isUsable(account) && !isClaimedByOther(claims, account.uuid)
+      );
+      if (unclaimed) {
+        this.activateAccount(unclaimed);
+        return unclaimed;
+      }
+      const available = eligible.find((account) => this.isUsable(account));
+      if (available) {
+        this.activateAccount(available);
+        return available;
+      }
+      return this.fallbackNotRateLimited(eligible);
+    }
+    selectRoundRobin(eligible, claims) {
+      for (let i = 0; i < eligible.length; i++) {
+        const index = (this.roundRobinCursor + i) % eligible.length;
+        const account = eligible[index];
+        if (this.isUsable(account) && !isClaimedByOther(claims, account.uuid)) {
+          this.roundRobinCursor = (index + 1) % eligible.length;
+          this.activateAccount(account);
+          return account;
+        }
+      }
+      for (let i = 0; i < eligible.length; i++) {
+        const index = (this.roundRobinCursor + i) % eligible.length;
+        const account = eligible[index];
+        if (this.isUsable(account)) {
+          this.roundRobinCursor = (index + 1) % eligible.length;
+          this.activateAccount(account);
+          return account;
+        }
+      }
+      return this.fallbackNotRateLimited(eligible);
+    }
+    selectHybrid(eligible, claims) {
+      const usable = eligible.filter((account) => this.isUsable(account));
+      const pool = usable.length > 0 ? usable : eligible.filter((account) => !this.isRateLimited(account));
+      if (pool.length === 0) return null;
+      const activeUuid = this.activeAccountUuid;
+      let best = pool[0];
+      let bestScore = this.calculateHybridScore(best, best.uuid === activeUuid, claims);
+      for (let i = 1; i < pool.length; i++) {
+        const account = pool[i];
+        const score = this.calculateHybridScore(account, account.uuid === activeUuid, claims);
+        if (score > bestScore) {
+          best = account;
+          bestScore = score;
+        }
+      }
+      const current = pool.find((account) => account.uuid === activeUuid);
+      if (current && current !== best) {
+        const currentScore = this.calculateHybridScore(current, true, claims);
+        const bestWithoutStickiness = this.calculateHybridScore(best, false, claims);
+        if (bestWithoutStickiness <= currentScore + HYBRID_SWITCH_MARGIN) {
+          this.activateAccount(current);
+          return current;
+        }
+      }
+      this.activateAccount(best);
+      return best;
+    }
+    calculateHybridScore(account, isActive, claims) {
+      const maxUtilization = Math.min(100, Math.max(0, this.getMaxUtilization(account)));
+      const usageScore = (100 - maxUtilization) / 100 * 450;
+      const maxFailures = Math.max(1, getConfig().max_consecutive_auth_failures);
+      const healthScore = Math.max(0, (maxFailures - account.consecutiveAuthFailures) / maxFailures * 250);
+      const secondsSinceUsed = (Date.now() - account.lastUsed) / 1e3;
+      const freshnessScore = Math.min(secondsSinceUsed, 900) / 900 * 60;
+      const stickinessBonus = isActive ? 120 : 0;
+      const claimPenalty = isClaimedByOther(claims, account.uuid) ? -200 : 0;
+      return usageScore + healthScore + freshnessScore + stickinessBonus + claimPenalty;
+    }
+    getMaxUtilization(account) {
+      const usage = account.cachedUsage;
+      if (!usage) return 65;
+      const tiers = [usage.five_hour, usage.seven_day];
+      const utilizations = tiers.filter((tier) => tier != null).map((tier) => tier.utilization);
+      return utilizations.length > 0 ? Math.max(...utilizations) : 65;
+    }
+    activateAccount(account) {
+      this.activeAccountUuid = account.uuid;
+      account.lastUsed = Date.now();
+    }
+    async markRateLimited(uuid, backoffMs) {
+      const effectiveBackoff = backoffMs ?? getConfig().rate_limit_min_backoff_ms;
+      this.last429Map.set(uuid, Date.now());
+      await this.store.mutateAccount(uuid, (account) => {
+        account.rateLimitResetAt = Date.now() + effectiveBackoff;
+      });
+    }
+    async markRevoked(uuid) {
+      await this.store.mutateAccount(uuid, (account) => {
+        account.isAuthDisabled = true;
+        account.authDisabledReason = "OAuth token revoked (403)";
+        account.accessToken = void 0;
+        account.expiresAt = void 0;
+      });
+      this.runtimeFactory?.invalidate(uuid);
+    }
+    async markSuccess(uuid) {
+      this.last429Map.delete(uuid);
+      await this.store.mutateAccount(uuid, (account) => {
+        account.rateLimitResetAt = void 0;
+        account.consecutiveAuthFailures = 0;
+        account.lastUsed = Date.now();
+      });
+    }
+    syncToOpenCode(account) {
+      if (!this.client || !account.accessToken || !account.expiresAt) return;
+      this.client.auth.set({
+        path: { id: providerAuthId },
+        body: {
+          type: "oauth",
+          refresh: account.refreshToken,
+          access: account.accessToken,
+          expires: account.expiresAt
+        }
+      }).catch(() => {
+      });
+    }
+    async markAuthFailure(uuid, result) {
+      await this.store.mutateStorage((storage) => {
+        const account = storage.accounts.find((entry) => entry.uuid === uuid);
+        if (!account) return;
+        if (!result.ok && result.permanent) {
+          account.isAuthDisabled = true;
+          account.authDisabledReason = "Token permanently rejected (400/401/403)";
+          return;
+        }
+        account.consecutiveAuthFailures = (account.consecutiveAuthFailures ?? 0) + 1;
+        const maxFailures = getConfig().max_consecutive_auth_failures;
+        const usableCount = storage.accounts.filter(
+          (entry) => entry.enabled && !entry.isAuthDisabled && entry.uuid !== uuid
+        ).length;
+        if (account.consecutiveAuthFailures >= maxFailures && usableCount > 0) {
+          account.isAuthDisabled = true;
+          account.authDisabledReason = `${maxFailures} consecutive auth failures`;
+        }
+      });
+    }
+    async applyUsageCache(uuid, usage) {
+      await this.store.mutateAccount(uuid, (account) => {
+        account.cachedUsage = usage;
+        account.cachedUsageAt = Date.now();
+      });
+    }
+    async applyProfileCache(uuid, profile) {
+      await this.store.mutateAccount(uuid, (account) => {
+        account.email = profile.email ?? account.email;
+        account.planTier = profile.planTier;
+      });
+    }
+    async ensureValidToken(uuid, client) {
+      const credentials = await this.store.readCredentials(uuid);
+      if (!credentials) return { ok: false, permanent: true };
+      if (credentials.accessToken && credentials.expiresAt && !isTokenExpired2(credentials)) {
+        return {
+          ok: true,
+          patch: { accessToken: credentials.accessToken, expiresAt: credentials.expiresAt }
+        };
+      }
+      const result = await refreshToken2(credentials.refreshToken, uuid, client);
+      if (!result.ok) return result;
+      const updated = await this.store.mutateAccount(uuid, (account) => {
+        account.accessToken = result.patch.accessToken;
+        account.expiresAt = result.patch.expiresAt;
+        if (result.patch.refreshToken) account.refreshToken = result.patch.refreshToken;
+        if (result.patch.uuid && result.patch.uuid !== uuid) account.uuid = result.patch.uuid;
+        if (result.patch.accountId) account.accountId = result.patch.accountId;
+        if (result.patch.email) account.email = result.patch.email;
+        account.consecutiveAuthFailures = 0;
+        account.isAuthDisabled = false;
+        account.authDisabledReason = void 0;
+      });
+      if (result.patch.uuid && result.patch.uuid !== uuid && this.activeAccountUuid === uuid) {
+        this.activeAccountUuid = result.patch.uuid;
+        this.store.setActiveUuid(result.patch.uuid).catch(() => {
+        });
+      }
+      if (updated && (uuid === this.activeAccountUuid || updated.uuid === this.activeAccountUuid)) {
+        this.syncToOpenCode(updated);
+      }
+      return result;
+    }
+    async validateNonActiveTokens(client) {
+      await this.refresh();
+      const activeUuid = this.activeAccountUuid;
+      const eligible = this.cached.filter(
+        (account) => account.enabled && !account.isAuthDisabled && account.uuid && account.uuid !== activeUuid
+      );
+      for (let i = 0; i < eligible.length; i += STARTUP_REFRESH_CONCURRENCY) {
+        const batch = eligible.slice(i, i + STARTUP_REFRESH_CONCURRENCY);
+        await Promise.all(
+          batch.map(async (account) => {
+            if (!account.uuid || !isTokenExpired2(account)) return;
+            const result = await this.ensureValidToken(account.uuid, client);
+            if (!result.ok) {
+              await this.markAuthFailure(account.uuid, result);
+            }
+          })
+        );
+      }
+    }
+    async removeAccount(index) {
+      const account = this.cached[index];
+      if (!account?.uuid) return false;
+      const removed = await this.store.removeAccount(account.uuid);
+      if (removed) {
+        await this.refresh();
+      }
+      return removed;
+    }
+    async clearAllAccounts() {
+      await this.store.clear();
+      this.cached = [];
+      this.activeAccountUuid = void 0;
+    }
+    async addAccount(auth) {
+      if (!auth.refresh) return;
+      const existing = this.cached.find((account) => account.refreshToken === auth.refresh);
+      if (existing) return;
+      const newAccount = this.createNewAccount(auth, Date.now());
+      await this.store.addAccount(newAccount);
+      this.activeAccountUuid = newAccount.uuid;
+      await this.store.setActiveUuid(newAccount.uuid);
+      await this.refresh();
+    }
+    async toggleEnabled(uuid) {
+      await this.store.mutateAccount(uuid, (account) => {
+        account.enabled = !(account.enabled ?? true);
+        if (account.enabled) {
+          account.isAuthDisabled = false;
+          account.authDisabledReason = void 0;
+          account.consecutiveAuthFailures = 0;
+        }
+      });
+    }
+    async replaceAccountCredentials(uuid, auth) {
+      const updated = await this.store.mutateAccount(uuid, (account) => {
+        account.refreshToken = auth.refresh;
+        account.accessToken = auth.access;
+        account.expiresAt = auth.expires;
+        account.lastUsed = Date.now();
+        account.enabled = true;
+        account.isAuthDisabled = false;
+        account.authDisabledReason = void 0;
+        account.consecutiveAuthFailures = 0;
+        account.rateLimitResetAt = void 0;
+      });
+      this.runtimeFactory?.invalidate(uuid);
+      if (updated && uuid === this.activeAccountUuid) {
+        this.syncToOpenCode(updated);
+      }
+    }
+    async retryAuth(uuid, client) {
+      await this.store.mutateAccount(uuid, (account) => {
+        account.consecutiveAuthFailures = 0;
+        account.isAuthDisabled = false;
+        account.authDisabledReason = void 0;
+      });
+      this.runtimeFactory?.invalidate(uuid);
+      const credentials = await this.store.readCredentials(uuid);
+      if (!credentials) return { ok: false, permanent: true };
+      const result = await refreshToken2(credentials.refreshToken, uuid, client);
+      if (result.ok) {
+        const updated = await this.store.mutateAccount(uuid, (account) => {
+          account.accessToken = result.patch.accessToken;
+          account.expiresAt = result.patch.expiresAt;
+          if (result.patch.refreshToken) account.refreshToken = result.patch.refreshToken;
+          if (result.patch.uuid) account.uuid = result.patch.uuid;
+          if (result.patch.accountId) account.accountId = result.patch.accountId;
+          if (result.patch.email) account.email = result.patch.email;
+          account.enabled = true;
+          account.consecutiveAuthFailures = 0;
+        });
+        this.runtimeFactory?.invalidate(uuid);
+        if (result.patch.uuid) {
+          this.runtimeFactory?.invalidate(result.patch.uuid);
+        }
+        const nextUuid = result.patch.uuid ?? uuid;
+        if (this.activeAccountUuid === uuid && result.patch.uuid && result.patch.uuid !== uuid) {
+          this.activeAccountUuid = result.patch.uuid;
+          await this.store.setActiveUuid(result.patch.uuid);
+        }
+        if (updated && (uuid === this.activeAccountUuid || nextUuid === this.activeAccountUuid)) {
+          const freshCredentials = await this.store.readCredentials(nextUuid);
+          if (freshCredentials) {
+            this.syncToOpenCode({
+              refreshToken: freshCredentials.refreshToken,
+              accessToken: freshCredentials.accessToken,
+              expiresAt: freshCredentials.expiresAt
+            });
+          }
+        }
+      } else {
+        await this.markAuthFailure(uuid, result);
+        this.runtimeFactory?.invalidate(uuid);
+      }
+      return result;
+    }
+  };
+}
+
+// ../multi-account-core/src/account-store.ts
+import { promises as fs4 } from "node:fs";
+import { randomBytes as randomBytes3 } from "node:crypto";
+import { dirname as dirname4, join as join5 } from "node:path";
+import lockfile from "proper-lockfile";
+import * as v4 from "valibot";
+
+// ../multi-account-core/src/storage.ts
+import { promises as fs3 } from "node:fs";
+import { dirname as dirname3, join as join4 } from "node:path";
+import * as v3 from "valibot";
+
+// ../multi-account-core/src/constants.ts
+var DEFAULT_ACCOUNTS_FILENAME = "multiauth-accounts.json";
+var ACCOUNTS_FILENAME = DEFAULT_ACCOUNTS_FILENAME;
+function setAccountsFilename(filename) {
+  if (!filename) {
+    ACCOUNTS_FILENAME = DEFAULT_ACCOUNTS_FILENAME;
+    return;
+  }
+  ACCOUNTS_FILENAME = filename;
+}
+
+// ../multi-account-core/src/storage.ts
+function getStoragePath() {
+  return join4(getConfigDir2(), ACCOUNTS_FILENAME);
+}
+async function backupCorruptFile(targetPath, content) {
+  const backupPath = `${targetPath}.corrupt.${Date.now()}.bak`;
+  await fs3.mkdir(dirname3(backupPath), { recursive: true });
+  await fs3.writeFile(backupPath, content, "utf-8");
+}
+async function readStorageFromDisk(targetPath, backupOnCorrupt) {
+  let content;
+  try {
+    content = await fs3.readFile(targetPath, "utf-8");
+  } catch (error) {
+    if (getErrorCode(error) === "ENOENT") {
+      return null;
+    }
+    throw error;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(content);
+  } catch {
+    if (backupOnCorrupt) {
+      try {
+        await backupCorruptFile(targetPath, content);
+      } catch {
+      }
+    }
+    return null;
+  }
+  const validation = v3.safeParse(AccountStorageSchema, parsed);
+  if (!validation.success) {
+    if (backupOnCorrupt) {
+      try {
+        await backupCorruptFile(targetPath, content);
+      } catch {
+      }
+    }
+    return null;
+  }
+  return validation.output;
+}
+function deduplicateAccounts(accounts) {
+  const deduplicated = [];
+  const indexByUuid = /* @__PURE__ */ new Map();
+  for (const account of accounts) {
+    if (!account.uuid) {
+      deduplicated.push(account);
+      continue;
+    }
+    const existingIndex = indexByUuid.get(account.uuid);
+    if (existingIndex === void 0) {
+      indexByUuid.set(account.uuid, deduplicated.length);
+      deduplicated.push(account);
+      continue;
+    }
+    const existingAccount = deduplicated[existingIndex];
+    if (!existingAccount || account.lastUsed >= existingAccount.lastUsed) {
+      deduplicated[existingIndex] = account;
+    }
+  }
+  return deduplicated;
+}
+async function loadAccounts() {
+  const storagePath = getStoragePath();
+  const storage = await readStorageFromDisk(storagePath, true);
+  if (!storage) {
+    return null;
+  }
+  return {
+    ...storage,
+    accounts: deduplicateAccounts(storage.accounts || [])
+  };
+}
+
+// ../multi-account-core/src/account-store.ts
+var FILE_MODE = 384;
+var LOCK_OPTIONS = {
+  stale: 1e4,
+  retries: { retries: 10, minTimeout: 50, maxTimeout: 2e3, factor: 2 }
+};
+function getStoragePath2() {
+  return join5(getConfigDir2(), ACCOUNTS_FILENAME);
+}
+function createEmptyStorage() {
+  return { version: 1, accounts: [] };
+}
+function buildTempPath(targetPath) {
+  return `${targetPath}.${randomBytes3(8).toString("hex")}.tmp`;
+}
+async function writeAtomicText(targetPath, content) {
+  await fs4.mkdir(dirname4(targetPath), { recursive: true });
+  const tempPath = buildTempPath(targetPath);
+  try {
+    await fs4.writeFile(tempPath, content, { encoding: "utf-8", mode: FILE_MODE });
+    await fs4.chmod(tempPath, FILE_MODE);
+    await fs4.rename(tempPath, targetPath);
+    await fs4.chmod(targetPath, FILE_MODE);
+  } catch (error) {
+    try {
+      await fs4.unlink(tempPath);
+    } catch {
+    }
+    throw error;
+  }
+}
+async function writeStorageAtomic(targetPath, storage) {
+  const validation = v4.safeParse(AccountStorageSchema, storage);
+  if (!validation.success) {
+    throw new Error("Invalid account storage payload");
+  }
+  await writeAtomicText(targetPath, `${JSON.stringify(validation.output, null, 2)}
+`);
+}
+async function ensureStorageFileExists(targetPath) {
+  await fs4.mkdir(dirname4(targetPath), { recursive: true });
+  const emptyContent = `${JSON.stringify(createEmptyStorage(), null, 2)}
+`;
+  try {
+    await fs4.writeFile(targetPath, emptyContent, { flag: "wx", mode: FILE_MODE });
+  } catch (error) {
+    if (getErrorCode(error) !== "EEXIST") throw error;
+  }
+}
+async function withFileLock(fn) {
+  const storagePath = getStoragePath2();
+  await ensureStorageFileExists(storagePath);
+  let release = null;
+  try {
+    release = await lockfile.lock(storagePath, LOCK_OPTIONS);
+    return await fn(storagePath);
+  } finally {
+    if (release) {
+      try {
+        await release();
+      } catch {
+      }
+    }
+  }
+}
+var AccountStore = class {
+  async load() {
+    const storage = await loadAccounts();
+    return storage ?? createEmptyStorage();
+  }
+  async readCredentials(uuid) {
+    const storagePath = getStoragePath2();
+    const storage = await readStorageFromDisk(storagePath, false);
+    if (!storage) return null;
+    const account = storage.accounts.find((a) => a.uuid === uuid);
+    if (!account) return null;
+    return {
+      refreshToken: account.refreshToken,
+      accessToken: account.accessToken,
+      expiresAt: account.expiresAt,
+      accountId: account.accountId
+    };
+  }
+  async mutateAccount(uuid, fn) {
+    return await withFileLock(async (storagePath) => {
+      const current = await readStorageFromDisk(storagePath, false);
+      if (!current) return null;
+      const account = current.accounts.find((a) => a.uuid === uuid);
+      if (!account) return null;
+      fn(account);
+      await writeStorageAtomic(storagePath, current);
+      return { ...account };
+    });
+  }
+  async mutateStorage(fn) {
+    await withFileLock(async (storagePath) => {
+      const current = await readStorageFromDisk(storagePath, false) ?? createEmptyStorage();
+      fn(current);
+      await writeStorageAtomic(storagePath, current);
+    });
+  }
+  async addAccount(account) {
+    await withFileLock(async (storagePath) => {
+      const current = await readStorageFromDisk(storagePath, false) ?? createEmptyStorage();
+      const exists = current.accounts.some(
+        (a) => a.uuid === account.uuid || a.refreshToken === account.refreshToken
+      );
+      if (exists) return;
+      current.accounts.push(account);
+      await writeStorageAtomic(storagePath, current);
+    });
+  }
+  async removeAccount(uuid) {
+    return await withFileLock(async (storagePath) => {
+      const current = await readStorageFromDisk(storagePath, false);
+      if (!current) return false;
+      const initialLength = current.accounts.length;
+      current.accounts = current.accounts.filter((a) => a.uuid !== uuid);
+      if (current.accounts.length === initialLength) return false;
+      if (current.activeAccountUuid === uuid) {
+        current.activeAccountUuid = current.accounts[0]?.uuid;
+      }
+      await writeStorageAtomic(storagePath, current);
+      return true;
+    });
+  }
+  async setActiveUuid(uuid) {
+    await this.mutateStorage((storage) => {
+      storage.activeAccountUuid = uuid;
+    });
+  }
+  async clear() {
+    await withFileLock(async (storagePath) => {
+      await writeStorageAtomic(storagePath, createEmptyStorage());
+    });
+  }
+};
+
+// ../multi-account-core/src/executor.ts
+var MIN_MAX_RETRIES = 6;
+var RETRIES_PER_ACCOUNT = 3;
+var MAX_SERVER_RETRIES_PER_ATTEMPT = 2;
+var MAX_RESOLVE_ATTEMPTS = 10;
+var SERVER_RETRY_BASE_MS = 1e3;
+var SERVER_RETRY_MAX_MS = 4e3;
+var PERMANENT_AUTH_FAILURE_STATUSES = /* @__PURE__ */ new Set([400, 401, 403]);
+function createExecutorForProvider(providerName, dependencies) {
+  const {
+    handleRateLimitResponse: handleRateLimitResponse2,
+    formatWaitTime: formatWaitTime2,
+    sleep: sleep2,
+    showToast: showToast2,
+    getAccountLabel: getAccountLabel2
+  } = dependencies;
+  async function executeWithAccountRotation2(manager, runtimeFactory, client, input, init) {
+    const maxRetries = Math.max(MIN_MAX_RETRIES, manager.getAccountCount() * RETRIES_PER_ACCOUNT);
+    let retries = 0;
+    let previousAccountUuid;
+    while (true) {
+      if (++retries > maxRetries) {
+        throw new Error(
+          `Exhausted ${maxRetries} retries across all accounts. All attempts failed due to auth errors, rate limits, or token issues.`
+        );
+      }
+      await manager.refresh();
+      const account = await resolveAccount(manager, client);
+      const accountUuid = account.uuid;
+      if (!accountUuid) continue;
+      if (previousAccountUuid && accountUuid !== previousAccountUuid && manager.getAccountCount() > 1) {
+        void showToast2(client, `Switched to ${getAccountLabel2(account)}`, "info");
+      }
+      previousAccountUuid = accountUuid;
+      let runtime;
+      let response;
+      try {
+        runtime = await runtimeFactory.getRuntime(accountUuid);
+        response = await runtime.fetch(input, init);
+      } catch (error) {
+        if (await handleRuntimeFetchFailure(manager, runtimeFactory, client, account, error)) {
+          continue;
+        }
+        void showToast2(client, `${getAccountLabel2(account)} network error \u2014 switching`, "warning");
+        continue;
+      }
+      if (response.status >= 500) {
+        let serverResponse = response;
+        let networkErrorDuringServerRetry = false;
+        let authFailureDuringServerRetry = false;
+        for (let attempt = 0; attempt < MAX_SERVER_RETRIES_PER_ATTEMPT; attempt++) {
+          const backoff = Math.min(SERVER_RETRY_BASE_MS * 2 ** attempt, SERVER_RETRY_MAX_MS);
+          const jitteredBackoff = backoff * (0.5 + Math.random() * 0.5);
+          await sleep2(jitteredBackoff);
+          try {
+            serverResponse = await runtime.fetch(input, init);
+          } catch (error) {
+            if (await handleRuntimeFetchFailure(manager, runtimeFactory, client, account, error)) {
+              authFailureDuringServerRetry = true;
+              break;
+            }
+            networkErrorDuringServerRetry = true;
+            void showToast2(client, `${getAccountLabel2(account)} network error \u2014 switching`, "warning");
+            break;
+          }
+          if (serverResponse.status < 500) break;
+        }
+        if (authFailureDuringServerRetry) {
+          continue;
+        }
+        if (networkErrorDuringServerRetry || serverResponse.status >= 500) {
+          continue;
+        }
+        response = serverResponse;
+      }
+      if (response.status === 401) {
+        runtimeFactory.invalidate(accountUuid);
+        try {
+          const retryRuntime = await runtimeFactory.getRuntime(accountUuid);
+          const retryResponse = await retryRuntime.fetch(input, init);
+          if (retryResponse.status !== 401) {
+            await manager.markSuccess(accountUuid);
+            return retryResponse;
+          }
+        } catch (error) {
+          if (await handleRuntimeFetchFailure(manager, runtimeFactory, client, account, error)) {
+            continue;
+          }
+          continue;
+        }
+        await manager.markAuthFailure(accountUuid, { ok: false, permanent: false });
+        await manager.refresh();
+        if (!manager.hasAnyUsableAccount()) {
+          void showToast2(client, "All accounts have auth failures.", "error");
+          throw new Error(
+            `All ${providerName} accounts have authentication failures. Re-authenticate with \`opencode auth login\`.`
+          );
+        }
+        void showToast2(client, `${getAccountLabel2(account)} auth failed \u2014 switching to next account.`, "warning");
+        continue;
+      }
+      if (response.status === 403) {
+        const revoked = await isRevokedTokenResponse(response);
+        if (revoked) {
+          await manager.markRevoked(accountUuid);
+          await manager.refresh();
+          void showToast2(
+            client,
+            `${getAccountLabel2(account)} disabled: OAuth token revoked.`,
+            "error"
+          );
+          if (!manager.hasAnyUsableAccount()) {
+            throw new Error(
+              `All ${providerName} accounts have been revoked or disabled. Re-authenticate with \`opencode auth login\`.`
+            );
+          }
+          continue;
+        }
+      }
+      if (response.status === 429) {
+        await handleRateLimitResponse2(manager, client, account, response);
+        continue;
+      }
+      await manager.markSuccess(accountUuid);
+      return response;
+    }
+  }
+  async function handleRuntimeFetchFailure(manager, runtimeFactory, client, account, error) {
+    const refreshFailureStatus = getRefreshFailureStatus(error);
+    if (refreshFailureStatus === void 0) return false;
+    if (!account.uuid) return false;
+    const accountUuid = account.uuid;
+    runtimeFactory.invalidate(accountUuid);
+    await manager.markAuthFailure(accountUuid, {
+      ok: false,
+      permanent: PERMANENT_AUTH_FAILURE_STATUSES.has(refreshFailureStatus)
+    });
+    await manager.refresh();
+    if (!manager.hasAnyUsableAccount()) {
+      void showToast2(client, "All accounts have auth failures.", "error");
+      throw new Error(
+        `All ${providerName} accounts have authentication failures. Re-authenticate with \`opencode auth login\`.`
+      );
+    }
+    void showToast2(client, `${getAccountLabel2(account)} auth failed \u2014 switching to next account.`, "warning");
+    return true;
+  }
+  async function resolveAccount(manager, client) {
+    let attempts = 0;
+    while (true) {
+      if (++attempts > MAX_RESOLVE_ATTEMPTS) {
+        throw new Error(
+          `Failed to resolve an available account after ${MAX_RESOLVE_ATTEMPTS} attempts. All accounts may be rate-limited or disabled.`
+        );
+      }
+      const account = await manager.selectAccount();
+      if (account) return account;
+      if (!manager.hasAnyUsableAccount()) {
+        throw new Error(
+          `All ${providerName} accounts are disabled. Re-authenticate with \`opencode auth login\`.`
+        );
+      }
+      const waitMs = manager.getMinWaitTime();
+      if (waitMs <= 0) {
+        throw new Error(
+          `All ${providerName} accounts are rate-limited. Add more accounts with \`opencode auth login\` or wait.`
+        );
+      }
+      await showToast2(
+        client,
+        `All ${manager.getAccountCount()} account(s) rate-limited. Waiting ${formatWaitTime2(waitMs)}...`,
+        "warning"
+      );
+      await sleep2(waitMs);
+    }
+  }
+  return {
+    executeWithAccountRotation: executeWithAccountRotation2
+  };
+}
+function getRefreshFailureStatus(error) {
+  if (!(error instanceof Error)) return void 0;
+  const matched = error.message.match(/Token refresh failed:\s*(\d{3})/);
+  if (!matched) return void 0;
+  const status = Number(matched[1]);
+  return Number.isFinite(status) ? status : void 0;
+}
+async function isRevokedTokenResponse(response) {
+  try {
+    const cloned = response.clone();
+    const body = await cloned.text();
+    return body.includes("revoked");
+  } catch {
+    return false;
+  }
+}
+
+// ../multi-account-core/src/proactive-refresh.ts
+var INITIAL_DELAY_MS = 5e3;
+function createProactiveRefreshQueueForProvider(dependencies) {
+  const {
+    getConfig: getConfig2,
+    refreshToken: refreshToken2,
+    isTokenExpired: isTokenExpired2,
+    debugLog: debugLog2
+  } = dependencies;
+  return class ProactiveRefreshQueue {
+    constructor(client, store, onInvalidate) {
+      this.client = client;
+      this.store = store;
+      this.onInvalidate = onInvalidate;
+    }
+    timeoutHandle = null;
+    runToken = 0;
+    inFlight = null;
+    start() {
+      const config = getConfig2();
+      if (!config.proactive_refresh) return;
+      this.runToken++;
+      this.scheduleNext(this.runToken, INITIAL_DELAY_MS);
+      debugLog2(this.client, "Proactive refresh started", {
+        intervalSeconds: config.proactive_refresh_interval_seconds,
+        bufferSeconds: config.proactive_refresh_buffer_seconds
+      });
+    }
+    async stop() {
+      this.runToken++;
+      if (this.timeoutHandle) {
+        clearTimeout(this.timeoutHandle);
+        this.timeoutHandle = null;
+      }
+      if (this.inFlight) {
+        await this.inFlight;
+        this.inFlight = null;
+      }
+      debugLog2(this.client, "Proactive refresh stopped");
+    }
+    scheduleNext(token, delayMs) {
+      this.timeoutHandle = setTimeout(() => {
+        if (token !== this.runToken) return;
+        this.inFlight = this.runCheck(token).finally(() => {
+          this.inFlight = null;
+        });
+      }, delayMs);
+    }
+    needsProactiveRefresh(account) {
+      if (!account.accessToken || !account.expiresAt) return false;
+      if (isTokenExpired2(account)) return false;
+      const bufferMs = getConfig2().proactive_refresh_buffer_seconds * 1e3;
+      return account.expiresAt <= Date.now() + bufferMs;
+    }
+    async runCheck(token) {
+      try {
+        const stored = await this.store.load();
+        if (token !== this.runToken) return;
+        const candidates = stored.accounts.filter(
+          (a) => a.enabled !== false && !a.isAuthDisabled && a.uuid && this.needsProactiveRefresh(a)
+        );
+        if (candidates.length === 0) return;
+        debugLog2(this.client, `Proactive refresh: ${candidates.length} account(s) approaching expiry`);
+        for (const account of candidates) {
+          if (token !== this.runToken) return;
+          const credentials = await this.store.readCredentials(account.uuid);
+          if (!credentials || !this.needsProactiveRefresh(credentials)) continue;
+          const result = await refreshToken2(credentials.refreshToken, account.uuid, this.client);
+          if (result.ok) {
+            await this.store.mutateAccount(account.uuid, (target) => {
+              target.accessToken = result.patch.accessToken;
+              target.expiresAt = result.patch.expiresAt;
+              if (result.patch.refreshToken) target.refreshToken = result.patch.refreshToken;
+              if (result.patch.uuid) target.uuid = result.patch.uuid;
+              if (result.patch.email) target.email = result.patch.email;
+              if (result.patch.accountId) target.accountId = result.patch.accountId;
+              target.consecutiveAuthFailures = 0;
+              target.isAuthDisabled = false;
+              target.authDisabledReason = void 0;
+            });
+            this.onInvalidate?.(account.uuid);
+          } else {
+            await this.persistFailure(account, result.permanent);
+          }
+        }
+      } catch (error) {
+        debugLog2(this.client, `Proactive refresh check error: ${error}`);
+      } finally {
+        if (token === this.runToken) {
+          const intervalMs = getConfig2().proactive_refresh_interval_seconds * 1e3;
+          this.scheduleNext(token, intervalMs);
+        }
+      }
+    }
+    async persistFailure(account, permanent) {
+      try {
+        await this.store.mutateAccount(account.uuid, (target) => {
+          if (permanent) {
+            target.isAuthDisabled = true;
+            target.authDisabledReason = "Token permanently rejected (proactive refresh)";
+          } else {
+            target.consecutiveAuthFailures = (target.consecutiveAuthFailures ?? 0) + 1;
+            const maxFailures = getConfig2().max_consecutive_auth_failures;
+            if (target.consecutiveAuthFailures >= maxFailures) {
+              target.isAuthDisabled = true;
+              target.authDisabledReason = `${maxFailures} consecutive auth failures (proactive refresh)`;
+            }
+          }
+        });
+      } catch {
+        debugLog2(this.client, `Failed to persist auth failure for ${account.uuid}`);
+      }
+    }
+  };
+}
+
+// ../multi-account-core/src/rate-limit.ts
+var USAGE_FETCH_COOLDOWN_MS = 3e4;
+function createRateLimitHandlers(dependencies) {
+  const {
+    fetchUsage: fetchUsage2,
+    getConfig: getConfig2,
+    formatWaitTime: formatWaitTime2,
+    getAccountLabel: getAccountLabel2,
+    showToast: showToast2
+  } = dependencies;
+  function retryAfterMsFromResponse2(response) {
+    const retryAfterMs = response.headers.get("retry-after-ms");
+    if (retryAfterMs) {
+      const parsed = parseInt(retryAfterMs, 10);
+      if (!isNaN(parsed) && parsed > 0) return parsed;
+    }
+    const retryAfter = response.headers.get("retry-after");
+    if (retryAfter) {
+      const parsed = parseInt(retryAfter, 10);
+      if (!isNaN(parsed) && parsed > 0) return parsed * 1e3;
+    }
+    return getConfig2().default_retry_after_ms;
+  }
+  function getResetMsFromUsage2(account) {
+    const usage = account.cachedUsage;
+    if (!usage) return null;
+    const now = Date.now();
+    const candidates = [];
+    if (usage.five_hour?.resets_at) {
+      const ms = Date.parse(usage.five_hour.resets_at) - now;
+      if (ms > 0) candidates.push(ms);
+    }
+    if (usage.seven_day?.resets_at) {
+      const ms = Date.parse(usage.seven_day.resets_at) - now;
+      if (ms > 0) candidates.push(ms);
+    }
+    return candidates.length > 0 ? Math.min(...candidates) : null;
+  }
+  async function fetchUsageLimits2(accessToken, accountId) {
+    if (!accessToken) return null;
+    try {
+      const result = await fetchUsage2(accessToken, accountId);
+      return result.ok ? result.data : null;
+    } catch {
+      return null;
+    }
+  }
+  async function handleRateLimitResponse2(manager, client, account, response) {
+    if (!account.uuid) return;
+    const resetMs = getResetMsFromUsage2(account) ?? retryAfterMsFromResponse2(response);
+    await manager.markRateLimited(account.uuid, resetMs);
+    const shouldFetchUsage = account.accessToken && (!account.cachedUsageAt || Date.now() - account.cachedUsageAt > USAGE_FETCH_COOLDOWN_MS);
+    if (shouldFetchUsage) {
+      const usage = await fetchUsageLimits2(account.accessToken, account.accountId);
+      if (usage) {
+        await manager.applyUsageCache(account.uuid, usage);
+      }
+    }
+    if (manager.getAccountCount() > 1) {
+      void showToast2(
+        client,
+        `${getAccountLabel2(account)} rate-limited (resets in ${formatWaitTime2(resetMs)}). Switching...`,
+        "warning"
+      );
+    }
+  }
+  return {
+    retryAfterMsFromResponse: retryAfterMsFromResponse2,
+    getResetMsFromUsage: getResetMsFromUsage2,
+    fetchUsageLimits: fetchUsageLimits2,
+    handleRateLimitResponse: handleRateLimitResponse2
+  };
+}
+
+// ../multi-account-core/src/auth-migration.ts
+import { promises as fs5 } from "node:fs";
+import { join as join6 } from "node:path";
+var AUTH_JSON_FILENAME = "auth.json";
+function isValidOAuthCredential(value) {
+  if (typeof value !== "object" || value === null) return false;
+  const candidate = value;
+  return candidate.type === "oauth" && typeof candidate.refresh === "string" && candidate.refresh.length > 0;
+}
+function resolveAuthJsonPath() {
+  return join6(getConfigDir2(), AUTH_JSON_FILENAME);
+}
+async function readAuthJson() {
+  const authPath = resolveAuthJsonPath();
+  let content;
+  try {
+    content = await fs5.readFile(authPath, "utf-8");
+  } catch {
+    return null;
+  }
+  try {
+    const parsed = JSON.parse(content);
+    if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
+      return null;
+    }
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+async function migrateFromAuthJson(providerKey, store) {
+  const storage = await store.load();
+  const hasExistingAccounts = storage.accounts.length > 0;
+  if (hasExistingAccounts) return false;
+  const authData = await readAuthJson();
+  if (!authData) return false;
+  const providerCredential = authData[providerKey];
+  if (!isValidOAuthCredential(providerCredential)) return false;
+  const now = Date.now();
+  const newAccount = {
+    uuid: crypto.randomUUID(),
+    refreshToken: providerCredential.refresh,
+    accessToken: providerCredential.access,
+    expiresAt: providerCredential.expires,
+    addedAt: now,
+    lastUsed: now,
+    enabled: true,
+    planTier: "",
+    consecutiveAuthFailures: 0,
+    isAuthDisabled: false
+  };
+  await store.addAccount(newAccount);
+  await store.setActiveUuid(newAccount.uuid);
+  return true;
+}
+
+// ../multi-account-core/src/ui/ansi.ts
+var ANSI = {
+  hide: "\x1B[?25l",
+  show: "\x1B[?25h",
+  up: (n = 1) => `\x1B[${n}A`,
+  down: (n = 1) => `\x1B[${n}B`,
+  clearLine: "\x1B[2K",
+  cyan: "\x1B[36m",
+  green: "\x1B[32m",
+  red: "\x1B[31m",
+  yellow: "\x1B[33m",
+  dim: "\x1B[2m",
+  bold: "\x1B[1m",
+  reset: "\x1B[0m"
+};
+function parseKey(data) {
+  const s = data.toString();
+  if (s === "\x1B[A" || s === "\x1BOA") return "up";
+  if (s === "\x1B[B" || s === "\x1BOB") return "down";
+  if (s === "\r" || s === "\n") return "enter";
+  if (s === "") return "escape";
+  if (s === "\x1B") return "escape-start";
+  return null;
+}
+function isTTY() {
+  return Boolean(process.stdin.isTTY);
+}
+
+// ../multi-account-core/src/ui/select.ts
+var ESCAPE_TIMEOUT_MS = 50;
+var COLOR_MAP = {
+  red: ANSI.red,
+  green: ANSI.green,
+  yellow: ANSI.yellow,
+  cyan: ANSI.cyan
+};
+async function select(items, options) {
+  if (!isTTY()) {
+    throw new Error("Interactive select requires a TTY terminal");
+  }
+  const enabledItems = items.filter((i) => !i.disabled && !i.separator);
+  if (enabledItems.length === 0) {
+    throw new Error("All items disabled");
+  }
+  if (enabledItems.length === 1) {
+    return enabledItems[0].value;
+  }
+  const { message, subtitle } = options;
+  const { stdin, stdout } = process;
+  let cursor = items.findIndex((i) => !i.disabled && !i.separator);
+  if (cursor === -1) cursor = 0;
+  let escapeTimeout = null;
+  let isCleanedUp = false;
+  let isFirstRender = true;
+  const getTotalLines = () => {
+    const subtitleLines = subtitle ? 3 : 0;
+    return 1 + subtitleLines + items.length + 1 + 1;
+  };
+  const renderItemLabel = (item, isSelected) => {
+    const colorCode = item.color ? COLOR_MAP[item.color] ?? "" : "";
+    if (item.disabled) {
+      return `${ANSI.dim}${item.label} (unavailable)${ANSI.reset}`;
+    }
+    const hintSuffix = item.hint ? ` ${ANSI.dim}${item.hint}${ANSI.reset}` : "";
+    if (isSelected) {
+      const label = colorCode ? `${colorCode}${item.label}${ANSI.reset}` : item.label;
+      return `${label}${hintSuffix}`;
+    }
+    const dimLabel = colorCode ? `${ANSI.dim}${colorCode}${item.label}${ANSI.reset}` : `${ANSI.dim}${item.label}${ANSI.reset}`;
+    return `${dimLabel}${hintSuffix}`;
+  };
+  const render = () => {
+    const totalLines = getTotalLines();
+    if (!isFirstRender) {
+      stdout.write(ANSI.up(totalLines) + "\r");
+    }
+    isFirstRender = false;
+    stdout.write(`${ANSI.clearLine}${ANSI.dim}\u250C  ${ANSI.reset}${message}
+`);
+    if (subtitle) {
+      stdout.write(`${ANSI.clearLine}${ANSI.dim}\u2502${ANSI.reset}
+`);
+      stdout.write(`${ANSI.clearLine}${ANSI.cyan}\u25C6${ANSI.reset}  ${subtitle}
+`);
+      stdout.write(`${ANSI.clearLine}
+`);
+    }
+    for (let i = 0; i < items.length; i++) {
+      const item = items[i];
+      if (!item) continue;
+      if (item.separator) {
+        stdout.write(`${ANSI.clearLine}${ANSI.dim}\u2502${ANSI.reset}
+`);
+        continue;
+      }
+      const isSelected = i === cursor;
+      const labelText = renderItemLabel(item, isSelected);
+      const bullet = isSelected ? `${ANSI.green}\u25CF${ANSI.reset}` : `${ANSI.dim}\u25CB${ANSI.reset}`;
+      stdout.write(`${ANSI.clearLine}${ANSI.cyan}\u2502${ANSI.reset}  ${bullet} ${labelText}
+`);
+    }
+    stdout.write(`${ANSI.clearLine}${ANSI.cyan}\u2502${ANSI.reset}  ${ANSI.dim}\u2191/\u2193 to select \u2022 Enter: confirm${ANSI.reset}
+`);
+    stdout.write(`${ANSI.clearLine}${ANSI.cyan}\u2514${ANSI.reset}
+`);
+  };
+  return new Promise((resolve) => {
+    const wasRaw = stdin.isRaw ?? false;
+    const cleanup = () => {
+      if (isCleanedUp) return;
+      isCleanedUp = true;
+      if (escapeTimeout) {
+        clearTimeout(escapeTimeout);
+        escapeTimeout = null;
+      }
+      try {
+        stdin.removeListener("data", onKey);
+        stdin.setRawMode(wasRaw);
+        stdin.pause();
+        stdout.write(ANSI.show);
+      } catch {
+      }
+      process.removeListener("SIGINT", onSignal);
+      process.removeListener("SIGTERM", onSignal);
+    };
+    const onSignal = () => {
+      cleanup();
+      resolve(null);
+    };
+    const finishWithValue = (value) => {
+      cleanup();
+      resolve(value);
+    };
+    const findNextSelectable = (from, direction) => {
+      if (items.length === 0) return from;
+      let next = from;
+      do {
+        next = (next + direction + items.length) % items.length;
+      } while (items[next]?.disabled || items[next]?.separator);
+      return next;
+    };
+    const onKey = (data) => {
+      if (escapeTimeout) {
+        clearTimeout(escapeTimeout);
+        escapeTimeout = null;
+      }
+      const action = parseKey(data);
+      switch (action) {
+        case "up":
+          cursor = findNextSelectable(cursor, -1);
+          render();
+          return;
+        case "down":
+          cursor = findNextSelectable(cursor, 1);
+          render();
+          return;
+        case "enter":
+          finishWithValue(items[cursor]?.value ?? null);
+          return;
+        case "escape":
+          finishWithValue(null);
+          return;
+        case "escape-start":
+          escapeTimeout = setTimeout(() => {
+            finishWithValue(null);
+          }, ESCAPE_TIMEOUT_MS);
+          return;
+        default:
+          return;
+      }
+    };
+    process.once("SIGINT", onSignal);
+    process.once("SIGTERM", onSignal);
+    try {
+      stdin.setRawMode(true);
+    } catch {
+      cleanup();
+      resolve(null);
+      return;
+    }
+    stdin.resume();
+    stdout.write(ANSI.hide);
+    render();
+    stdin.on("data", onKey);
+  });
+}
+
+// ../multi-account-core/src/ui/confirm.ts
+async function confirm(message, defaultYes = false) {
+  const items = defaultYes ? [
+    { label: "Yes", value: true },
+    { label: "No", value: false }
+  ] : [
+    { label: "No", value: false },
+    { label: "Yes", value: true }
+  ];
+  const result = await select(items, { message });
+  return result ?? false;
+}
+
+// ../oauth-adapters/src/openai.ts
+var ISSUER = "https://auth.openai.com";
+var openAIOAuthAdapter = {
+  id: "openai",
+  authProviderId: "openai",
+  modelDisplayName: "ChatGPT",
+  statusToolName: "chatgpt_multiauth_status",
+  authMethodLabel: "ChatGPT Plus/Pro (Multi-Auth)",
+  serviceLogName: "chatgpt-multiauth",
+  oauthClientId: "app_EMoamEEZ73f0CkXaXp7hrann",
+  tokenEndpoint: `${ISSUER}/oauth/token`,
+  usageEndpoint: "",
+  profileEndpoint: "",
+  oauthBetaHeader: "",
+  requestBetaHeader: "",
+  cliUserAgent: "opencode/1.1.53",
+  toolPrefix: "mcp_",
+  accountStorageFilename: "openai-multi-account-accounts.json",
+  transform: {
+    rewriteOpenCodeBranding: false,
+    addToolPrefix: false,
+    stripToolPrefixInResponse: false,
+    enableMessagesBetaQuery: false
+  },
+  planLabels: {
+    pro: "ChatGPT Pro",
+    plus: "ChatGPT Plus",
+    go: "ChatGPT Go",
+    free: "Free"
+  },
+  supported: true
+};
+
+// src/constants.ts
+var OPENAI_OAUTH_ADAPTER = openAIOAuthAdapter;
+var OPENAI_CLIENT_ID = OPENAI_OAUTH_ADAPTER.oauthClientId;
+var OPENAI_TOKEN_ENDPOINT = OPENAI_OAUTH_ADAPTER.tokenEndpoint;
+var OPENAI_USAGE_ENDPOINT = OPENAI_OAUTH_ADAPTER.usageEndpoint;
+var OPENAI_PROFILE_ENDPOINT = OPENAI_OAUTH_ADAPTER.profileEndpoint;
+var CODEX_API_ENDPOINT = "https://chatgpt.com/backend-api/codex/responses";
+var CODEX_USAGE_ENDPOINT = "https://chatgpt.com/backend-api/wham/usage";
+var OAUTH_ISSUER = "https://auth.openai.com";
+var OAUTH_PORT = 1455;
+var OPENAI_BETA_HEADER = OPENAI_OAUTH_ADAPTER.requestBetaHeader;
+var OPENAI_CLI_USER_AGENT = OPENAI_OAUTH_ADAPTER.cliUserAgent;
+var TOOL_PREFIX = OPENAI_OAUTH_ADAPTER.toolPrefix;
+var ACCOUNTS_FILENAME2 = OPENAI_OAUTH_ADAPTER.accountStorageFilename;
+var PLAN_LABELS = OPENAI_OAUTH_ADAPTER.planLabels;
+var TOKEN_EXPIRY_BUFFER_MS = 6e4;
+var TOKEN_REFRESH_TIMEOUT_MS = 3e4;
+
+// src/oauth.ts
+import * as v6 from "valibot";
+
+// src/types.ts
+import * as v5 from "valibot";
+var OAuthCredentialsSchema2 = v5.object({
+  type: v5.literal("oauth"),
+  refresh: v5.string(),
+  access: v5.string(),
+  expires: v5.number()
+});
+var UsageLimitEntrySchema2 = v5.object({
+  utilization: v5.number(),
+  resets_at: v5.nullable(v5.string())
+});
+var UsageLimitsSchema2 = v5.object({
+  five_hour: v5.optional(v5.nullable(UsageLimitEntrySchema2), null),
+  seven_day: v5.optional(v5.nullable(UsageLimitEntrySchema2), null),
+  seven_day_sonnet: v5.optional(v5.nullable(UsageLimitEntrySchema2), null)
+});
+var CredentialRefreshPatchSchema2 = v5.object({
+  accessToken: v5.string(),
+  expiresAt: v5.number(),
+  refreshToken: v5.optional(v5.string()),
+  uuid: v5.optional(v5.string()),
+  accountId: v5.optional(v5.string()),
+  email: v5.optional(v5.string())
+});
+var StoredAccountSchema2 = v5.object({
+  uuid: v5.optional(v5.string()),
+  accountId: v5.optional(v5.string()),
+  label: v5.optional(v5.string()),
+  email: v5.optional(v5.string()),
+  planTier: v5.optional(v5.string(), ""),
+  refreshToken: v5.string(),
+  accessToken: v5.optional(v5.string()),
+  expiresAt: v5.optional(v5.number()),
+  addedAt: v5.number(),
+  lastUsed: v5.number(),
+  enabled: v5.optional(v5.boolean(), true),
+  rateLimitResetAt: v5.optional(v5.number()),
+  cachedUsage: v5.optional(UsageLimitsSchema2),
+  cachedUsageAt: v5.optional(v5.number()),
+  consecutiveAuthFailures: v5.optional(v5.number(), 0),
+  isAuthDisabled: v5.optional(v5.boolean(), false),
+  authDisabledReason: v5.optional(v5.string())
+});
+var AccountStorageSchema2 = v5.object({
+  version: v5.literal(1),
+  accounts: v5.optional(v5.array(StoredAccountSchema2), []),
+  activeAccountUuid: v5.optional(v5.string())
+});
+var TokenResponseSchema = v5.object({
+  id_token: v5.optional(v5.string()),
+  access_token: v5.string(),
+  refresh_token: v5.optional(v5.string()),
+  expires_in: v5.number()
+});
+var AccountSelectionStrategySchema2 = v5.picklist(["sticky", "round-robin", "hybrid"]);
+var PluginConfigSchema2 = v5.object({
+  /** sticky: same account until failure, round-robin: rotate every request, hybrid: health+usage scoring */
+  account_selection_strategy: v5.optional(AccountSelectionStrategySchema2, "sticky"),
+  /** Use cross-process claim file to distribute parallel sessions across accounts */
+  cross_process_claims: v5.optional(v5.boolean(), true),
+  /** Skip account when any usage tier utilization >= this % (100 = disabled) */
+  soft_quota_threshold_percent: v5.optional(v5.pipe(v5.number(), v5.minValue(0), v5.maxValue(100)), 100),
+  /** Minimum backoff after rate limit (ms) */
+  rate_limit_min_backoff_ms: v5.optional(v5.pipe(v5.number(), v5.minValue(0)), 3e4),
+  /** Default retry-after when header is missing (ms) */
+  default_retry_after_ms: v5.optional(v5.pipe(v5.number(), v5.minValue(0)), 6e4),
+  /** Consecutive auth failures before disabling account */
+  max_consecutive_auth_failures: v5.optional(v5.pipe(v5.number(), v5.integer(), v5.minValue(1)), 3),
+  /** Backoff after token refresh failure (ms) */
+  token_failure_backoff_ms: v5.optional(v5.pipe(v5.number(), v5.minValue(0)), 3e4),
+  /** Enable proactive background token refresh */
+  proactive_refresh: v5.optional(v5.boolean(), true),
+  /** Seconds before expiry to trigger proactive refresh (default 30 min) */
+  proactive_refresh_buffer_seconds: v5.optional(v5.pipe(v5.number(), v5.minValue(60)), 1800),
+  /** Interval between background refresh checks in seconds (default 5 min) */
+  proactive_refresh_interval_seconds: v5.optional(v5.pipe(v5.number(), v5.minValue(30)), 300),
+  /** Suppress toast notifications */
+  quiet_mode: v5.optional(v5.boolean(), false),
+  /** Enable debug logging */
+  debug: v5.optional(v5.boolean(), false)
+});
+
+// src/oauth.ts
+var OAUTH_CALLBACK_TIMEOUT_MS = 5 * 60 * 1e3;
+var oauthServer = null;
+var resolveOAuthQuery = null;
+var rejectOAuthQuery = null;
+function getBunRuntime() {
+  const maybeBun = globalThis.Bun;
+  if (!maybeBun || typeof maybeBun.serve !== "function") {
+    throw new Error("Browser OAuth requires Bun runtime");
+  }
+  return maybeBun;
+}
+function getRedirectUri(port = OAUTH_PORT) {
+  return `http://localhost:${port}/auth/callback`;
+}
+function renderHtml(title, body) {
+  return `<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>${title}</title>
+    <style>
+      :root { color-scheme: dark; }
+      body {
+        margin: 0;
+        min-height: 100vh;
+        display: grid;
+        place-items: center;
+        background: #0f1115;
+        color: #f5f7ff;
+        font: 16px/1.45 -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+      }
+      main {
+        width: min(520px, calc(100vw - 32px));
+        border: 1px solid #2a3040;
+        border-radius: 12px;
+        padding: 24px;
+        background: #171b25;
+      }
+      h1 { margin: 0 0 8px 0; font-size: 22px; }
+      p { margin: 0; color: #c4cadb; }
+    </style>
+  </head>
+  <body>
+    <main>
+      <h1>${title}</h1>
+      <p>${body}</p>
+    </main>
+  </body>
+</html>`;
+}
+function renderSuccessHtml() {
+  return renderHtml("Authentication Complete", "You can close this tab and return to OpenCode.");
+}
+function renderErrorHtml(message) {
+  return renderHtml("Authentication Failed", message);
+}
+function completeOAuthQuery(query) {
+  if (resolveOAuthQuery) {
+    resolveOAuthQuery(query);
+  }
+  resolveOAuthQuery = null;
+  rejectOAuthQuery = null;
+}
+function failOAuthQuery(reason) {
+  if (rejectOAuthQuery) {
+    rejectOAuthQuery(reason);
+  }
+  resolveOAuthQuery = null;
+  rejectOAuthQuery = null;
+}
+function tokenEndpoint() {
+  return `${OAUTH_ISSUER}/oauth/token`;
+}
+function parseTokenResponse(json) {
+  return v6.parse(TokenResponseSchema, json);
+}
+async function postTokenForm(body) {
+  const response = await fetch(tokenEndpoint(), {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded"
+    },
+    body
+  });
+  const payload = await response.json().catch(() => ({}));
+  if (!response.ok) {
+    throw new Error(`Token request failed: ${response.status}`);
+  }
+  return parseTokenResponse(payload);
+}
+async function generatePKCE() {
+  const verifier = generateRandomString(64);
+  const digest = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(verifier));
+  const challenge = base64UrlEncode(digest);
+  return { verifier, challenge };
+}
+function generateRandomBytes(length) {
+  const bytes = new Uint8Array(length);
+  crypto.getRandomValues(bytes);
+  return bytes;
+}
+function generateRandomString(length) {
+  const charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
+  const bytes = generateRandomBytes(length);
+  let out = "";
+  for (const value of bytes) {
+    out += charset[value % charset.length];
+  }
+  return out;
+}
+function base64UrlEncode(buffer) {
+  const bytes = new Uint8Array(buffer);
+  let binary = "";
+  for (const byte of bytes) {
+    binary += String.fromCharCode(byte);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+function generateState() {
+  const bytes = generateRandomBytes(32);
+  const buffer = new ArrayBuffer(bytes.byteLength);
+  new Uint8Array(buffer).set(bytes);
+  return base64UrlEncode(buffer);
+}
+async function exchangeCodeForTokens(code, redirectUri, pkce) {
+  return postTokenForm(new URLSearchParams({
+    grant_type: "authorization_code",
+    code,
+    redirect_uri: redirectUri,
+    client_id: OPENAI_CLIENT_ID,
+    code_verifier: pkce.verifier
+  }));
+}
+function base64UrlDecode(value) {
+  const normalized = value.replace(/-/g, "+").replace(/_/g, "/");
+  const padded = normalized + "=".repeat((4 - (normalized.length % 4 || 4)) % 4);
+  return atob(padded);
+}
+function parseJwtClaims(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length < 2 || !parts[1]) return void 0;
+    const json = base64UrlDecode(parts[1]);
+    return JSON.parse(json);
+  } catch {
+    return void 0;
+  }
+}
+function findAccountId(claims) {
+  if (!claims) return void 0;
+  if (claims.chatgpt_account_id) return claims.chatgpt_account_id;
+  if (claims["https://api.openai.com/auth"]?.chatgpt_account_id) {
+    return claims["https://api.openai.com/auth"]?.chatgpt_account_id;
+  }
+  if (Array.isArray(claims.organizations) && claims.organizations[0]?.id) {
+    return claims.organizations[0].id;
+  }
+  return void 0;
+}
+function extractAccountId(tokens) {
+  const fromIdToken = findAccountId(parseJwtClaims(tokens.id_token ?? ""));
+  if (fromIdToken) return fromIdToken;
+  return findAccountId(parseJwtClaims(tokens.access_token));
+}
+async function startOAuthServer() {
+  if (oauthServer) {
+    return { port: OAUTH_PORT, redirectUri: getRedirectUri() };
+  }
+  const bun = getBunRuntime();
+  oauthServer = bun.serve({
+    port: OAUTH_PORT,
+    fetch(request) {
+      const url = new URL(request.url);
+      if (url.pathname === "/cancel") {
+        failOAuthQuery(new Error("Authentication cancelled by user"));
+        return new Response(renderErrorHtml("Authentication was cancelled."), {
+          status: 200,
+          headers: { "Content-Type": "text/html; charset=utf-8" }
+        });
+      }
+      if (url.pathname !== "/auth/callback") {
+        return new Response("Not Found", { status: 404 });
+      }
+      const error = url.searchParams.get("error") ?? void 0;
+      const errorDescription = url.searchParams.get("error_description") ?? void 0;
+      const code = url.searchParams.get("code") ?? void 0;
+      const state = url.searchParams.get("state") ?? void 0;
+      if (error) {
+        failOAuthQuery(new Error(errorDescription ?? error));
+        return new Response(renderErrorHtml(errorDescription ?? error), {
+          status: 400,
+          headers: { "Content-Type": "text/html; charset=utf-8" }
+        });
+      }
+      if (!code) {
+        failOAuthQuery(new Error("Missing authorization code"));
+        return new Response(renderErrorHtml("Missing authorization code."), {
+          status: 400,
+          headers: { "Content-Type": "text/html; charset=utf-8" }
+        });
+      }
+      completeOAuthQuery({ code, state });
+      return new Response(renderSuccessHtml(), {
+        status: 200,
+        headers: { "Content-Type": "text/html; charset=utf-8" }
+      });
+    }
+  });
+  return { port: OAUTH_PORT, redirectUri: getRedirectUri() };
+}
+function stopOAuthServer() {
+  if (oauthServer) {
+    oauthServer.stop(true);
+  }
+  oauthServer = null;
+  failOAuthQuery(new Error("OAuth server stopped"));
+}
+function waitForOAuthCallback(pkce, state) {
+  return new Promise(async (resolve, reject) => {
+    try {
+      const { redirectUri } = await startOAuthServer();
+      if (resolveOAuthQuery || rejectOAuthQuery) {
+        reject(new Error("OAuth callback wait already active"));
+        return;
+      }
+      const timeout = setTimeout(() => {
+        failOAuthQuery(new Error("OAuth callback timed out"));
+      }, OAUTH_CALLBACK_TIMEOUT_MS);
+      resolveOAuthQuery = async (query) => {
+        clearTimeout(timeout);
+        try {
+          if (!query.code) {
+            reject(new Error("Missing OAuth authorization code"));
+            return;
+          }
+          if (!query.state || query.state !== state) {
+            reject(new Error("OAuth state mismatch"));
+            return;
+          }
+          const tokens = await exchangeCodeForTokens(query.code, redirectUri, pkce);
+          resolve(tokens);
+        } catch (error) {
+          reject(error);
+        } finally {
+          resolveOAuthQuery = null;
+          rejectOAuthQuery = null;
+        }
+      };
+      rejectOAuthQuery = (reason) => {
+        clearTimeout(timeout);
+        reject(reason);
+      };
+    } catch (error) {
+      reject(error);
+    }
+  });
+}
+function buildAuthorizeUrl(redirectUri, pkce, state) {
+  const url = new URL(`${OAUTH_ISSUER}/oauth/authorize`);
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("client_id", OPENAI_CLIENT_ID);
+  url.searchParams.set("redirect_uri", redirectUri);
+  url.searchParams.set("scope", "openid profile email offline_access");
+  url.searchParams.set("code_challenge", pkce.challenge);
+  url.searchParams.set("code_challenge_method", "S256");
+  url.searchParams.set("id_token_add_organizations", "true");
+  url.searchParams.set("codex_cli_simplified_flow", "true");
+  url.searchParams.set("state", state);
+  url.searchParams.set("originator", "opencode");
+  return url.toString();
+}
+
+// src/token.ts
+import * as v7 from "valibot";
+var PERMANENT_FAILURE_STATUSES = /* @__PURE__ */ new Set([400, 401, 403]);
+var refreshMutexByAccountId = /* @__PURE__ */ new Map();
+function isTokenExpired(account) {
+  if (!account.accessToken || !account.expiresAt) return true;
+  return account.expiresAt <= Date.now() + TOKEN_EXPIRY_BUFFER_MS;
+}
+async function refreshToken(currentRefreshToken, accountId, client) {
+  if (!currentRefreshToken) return { ok: false, permanent: true };
+  const inFlightRefresh = refreshMutexByAccountId.get(accountId);
+  if (inFlightRefresh) return inFlightRefresh;
+  const refreshPromise = (async () => {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), TOKEN_REFRESH_TIMEOUT_MS);
+    try {
+      const startTime = Date.now();
+      const response = await fetch(OPENAI_TOKEN_ENDPOINT, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+          grant_type: "refresh_token",
+          refresh_token: currentRefreshToken,
+          client_id: OPENAI_CLIENT_ID
+        }),
+        signal: controller.signal
+      });
+      if (!response.ok) {
+        const isPermanent = PERMANENT_FAILURE_STATUSES.has(response.status);
+        await client.app.log({
+          body: {
+            service: OPENAI_OAUTH_ADAPTER.serviceLogName,
+            level: isPermanent ? "error" : "warn",
+            message: `Token refresh failed: ${response.status}${isPermanent ? " (permanent)" : ""}`,
+            extra: { accountId }
+          }
+        }).catch(() => {
+        });
+        return { ok: false, permanent: isPermanent, status: response.status };
+      }
+      const json = v7.parse(TokenResponseSchema, await response.json());
+      const patch = {
+        accessToken: json.access_token,
+        expiresAt: startTime + json.expires_in * 1e3,
+        refreshToken: json.refresh_token,
+        accountId: extractAccountId(json)
+      };
+      return { ok: true, patch };
+    } catch (error) {
+      await client.app.log({
+        body: {
+          service: OPENAI_OAUTH_ADAPTER.serviceLogName,
+          level: "warn",
+          message: `Token refresh network error: ${error instanceof Error ? error.message : String(error)}`,
+          extra: { accountId }
+        }
+      }).catch(() => {
+      });
+      return { ok: false, permanent: false };
+    } finally {
+      clearTimeout(timeout);
+      refreshMutexByAccountId.delete(accountId);
+    }
+  })();
+  refreshMutexByAccountId.set(accountId, refreshPromise);
+  return refreshPromise;
+}
+
+// src/account-manager.ts
+var AccountManager = createAccountManagerForProvider({
+  providerAuthId: "openai",
+  isTokenExpired,
+  refreshToken
+});
+
+// src/config.ts
+initCoreConfig("codex-multiauth.json");
+
+// src/utils.ts
+setConfigGetter(getConfig);
+
+// src/usage.ts
+import * as v8 from "valibot";
+var OPENAI_AUTH_CLAIM = "https://api.openai.com/auth";
+var OPENAI_PROFILE_CLAIM = "https://api.openai.com/profile";
+var OpenAIAuthClaimSchema = v8.object({
+  chatgpt_plan_type: v8.optional(v8.string()),
+  chatgpt_account_id: v8.optional(v8.string()),
+  chatgpt_user_id: v8.optional(v8.string())
+});
+var OpenAIProfileClaimSchema = v8.object({
+  email: v8.optional(v8.string())
+});
+var WhamRateLimitWindowSchema = v8.object({
+  used_percent: v8.number(),
+  reset_after_seconds: v8.number()
+});
+var WhamUsageResponseSchema = v8.object({
+  plan_type: v8.optional(v8.nullable(v8.string())),
+  rate_limit: v8.optional(v8.nullable(v8.object({
+    primary_window: v8.optional(v8.nullable(WhamRateLimitWindowSchema)),
+    secondary_window: v8.optional(v8.nullable(WhamRateLimitWindowSchema))
+  }))),
+  credits: v8.optional(v8.nullable(v8.object({
+    balance: v8.optional(v8.nullable(v8.string())),
+    unlimited: v8.optional(v8.nullable(v8.boolean()))
+  })))
+});
+function secondsToISOResetTime(resetAfterSeconds) {
+  return new Date(Date.now() + resetAfterSeconds * 1e3).toISOString();
+}
+async function fetchUsage(accessToken, accountId) {
+  try {
+    const headers = {
+      Authorization: `Bearer ${accessToken}`,
+      "User-Agent": OPENAI_CLI_USER_AGENT
+    };
+    if (accountId) {
+      headers["ChatGPT-Account-Id"] = accountId;
+    }
+    const response = await fetch(CODEX_USAGE_ENDPOINT, {
+      method: "GET",
+      headers
+    });
+    if (!response.ok) {
+      return { ok: false, reason: `HTTP ${response.status} ${response.statusText}` };
+    }
+    const parsed = v8.safeParse(WhamUsageResponseSchema, await response.json());
+    if (!parsed.success) {
+      return { ok: false, reason: `Invalid response: ${parsed.issues[0]?.message ?? "unknown"}` };
+    }
+    const wham = parsed.output;
+    const primaryWindow = wham.rate_limit?.primary_window;
+    const secondaryWindow = wham.rate_limit?.secondary_window;
+    const usage = {
+      five_hour: primaryWindow ? {
+        utilization: primaryWindow.used_percent,
+        resets_at: secondsToISOResetTime(primaryWindow.reset_after_seconds)
+      } : null,
+      seven_day: secondaryWindow ? {
+        utilization: secondaryWindow.used_percent,
+        resets_at: secondsToISOResetTime(secondaryWindow.reset_after_seconds)
+      } : null,
+      seven_day_sonnet: null
+    };
+    const validated = v8.safeParse(UsageLimitsSchema2, usage);
+    if (!validated.success) {
+      return { ok: false, reason: `Mapping error: ${validated.issues[0]?.message ?? "unknown"}` };
+    }
+    return { ok: true, data: validated.output, planType: wham.plan_type ?? void 0 };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown error";
+    return { ok: false, reason: message };
+  }
+}
+function derivePlanTier(planType) {
+  const normalized = planType.toLowerCase().trim();
+  return normalized || "free";
+}
+function fetchProfile(accessToken) {
+  try {
+    const claims = parseJwtClaims(accessToken);
+    if (!claims || typeof claims !== "object") {
+      return { ok: true, data: { planTier: "free" } };
+    }
+    const record = claims;
+    const profileClaim = record[OPENAI_PROFILE_CLAIM];
+    const profileParsed = v8.safeParse(OpenAIProfileClaimSchema, profileClaim ?? {});
+    const email = profileParsed.success ? profileParsed.output.email : void 0;
+    const authClaim = record[OPENAI_AUTH_CLAIM];
+    const authParsed = v8.safeParse(OpenAIAuthClaimSchema, authClaim ?? {});
+    const planType = authParsed.success ? authParsed.output.chatgpt_plan_type ?? "" : "";
+    const planTier = derivePlanTier(planType);
+    return {
+      ok: true,
+      data: { email, planTier }
+    };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown error";
+    return { ok: false, reason: message };
+  }
+}
+function formatTimeRemaining(resetAt) {
+  if (!resetAt) return "unknown";
+  const diffMs = new Date(resetAt).getTime() - Date.now();
+  if (diffMs <= 0) return "0m";
+  return formatWaitTime(diffMs);
+}
+function getUsageSummary(account) {
+  if (!account.cachedUsage) return "no usage data";
+  const parsed = v8.safeParse(UsageLimitsSchema2, account.cachedUsage);
+  if (!parsed.success) return "no usage data";
+  const parts = [];
+  const { five_hour, seven_day } = parsed.output;
+  if (five_hour) {
+    const reset = five_hour.resets_at ? ` (resets ${formatTimeRemaining(five_hour.resets_at)})` : "";
+    parts.push(`5h: ${five_hour.utilization.toFixed(0)}%${reset}`);
+  }
+  if (seven_day) {
+    const reset = seven_day.resets_at ? ` (resets ${formatTimeRemaining(seven_day.resets_at)})` : "";
+    parts.push(`7d: ${seven_day.utilization.toFixed(0)}%${reset}`);
+  }
+  return parts.length > 0 ? parts.join(", ") : "no usage data";
+}
+function getPlanLabel(account) {
+  if (!account.planTier || account.planTier === "free") return "";
+  return PLAN_LABELS[account.planTier] ?? account.planTier.charAt(0).toUpperCase() + account.planTier.slice(1);
+}
+
+// src/rate-limit.ts
+var {
+  fetchUsageLimits,
+  getResetMsFromUsage,
+  handleRateLimitResponse,
+  retryAfterMsFromResponse
+} = createRateLimitHandlers({
+  fetchUsage,
+  getConfig,
+  formatWaitTime,
+  getAccountLabel,
+  showToast
+});
+
+// src/executor.ts
+var { executeWithAccountRotation } = createExecutorForProvider("Codex", {
+  handleRateLimitResponse: async (manager, client, account, response) => handleRateLimitResponse(
+    manager,
+    client,
+    account,
+    response
+  ),
+  formatWaitTime,
+  sleep,
+  showToast,
+  getAccountLabel
+});
+
+// src/auth-handler.ts
+import * as v9 from "valibot";
+
+// src/ui/auth-menu.ts
+function formatRelativeTime(timestamp) {
+  if (!timestamp) return "never";
+  const days = Math.floor((Date.now() - timestamp) / 864e5);
+  if (days === 0) return "today";
+  if (days === 1) return "yesterday";
+  if (days < 7) return `${days}d ago`;
+  if (days < 30) return `${Math.floor(days / 7)}w ago`;
+  return new Date(timestamp).toLocaleDateString();
+}
+function formatDate(timestamp) {
+  if (!timestamp) return "unknown";
+  return new Date(timestamp).toLocaleDateString();
+}
+function getAccountStatus(account) {
+  if (account.isAuthDisabled) return "auth-disabled";
+  if (!account.enabled) return "disabled";
+  if (account.rateLimitResetAt && account.rateLimitResetAt > Date.now()) return "rate-limited";
+  return "active";
+}
+var STATUS_BADGE = {
+  "active": `${ANSI.green}[active]${ANSI.reset}`,
+  "rate-limited": `${ANSI.yellow}[rate-limited]${ANSI.reset}`,
+  "auth-disabled": `${ANSI.red}[auth-disabled]${ANSI.reset}`,
+  "disabled": `${ANSI.red}[disabled]${ANSI.reset}`
+};
+function buildAccountMenuItem(account) {
+  const label = getAccountLabel(account);
+  const status = getAccountStatus(account);
+  const badge = STATUS_BADGE[status];
+  const fullLabel = `${label} ${badge}`;
+  return {
+    label: fullLabel,
+    hint: account.lastUsed ? `used ${formatRelativeTime(account.lastUsed)}` : "",
+    value: account,
+    disabled: false
+  };
+}
+async function showAuthMenu(accounts) {
+  const items = [
+    { label: "Add new account", value: { type: "add" }, color: "green" },
+    { label: "Check quotas", value: { type: "check-quotas" }, color: "cyan" },
+    { label: "Manage accounts", value: { type: "manage" } },
+    { label: "Load balancing", value: { type: "load-balancing" } },
+    { label: "", value: { type: "cancel" }, separator: true },
+    { label: "Delete all accounts", value: { type: "delete-all" }, color: "red" }
+  ];
+  while (true) {
+    const subtitle = `${accounts.length} account(s) registered`;
+    const result = await select(items, {
+      message: "Claude Multi-Auth",
+      subtitle
+    });
+    if (!result) return { type: "cancel" };
+    if (result.type === "delete-all") {
+      const confirmed = await confirm("Delete ALL accounts? This cannot be undone.");
+      if (!confirmed) continue;
+    }
+    return result;
+  }
+}
+async function showManageAccounts(accounts) {
+  const items = [
+    { label: "Back", value: null },
+    { label: "", value: null, separator: true },
+    ...accounts.map(buildAccountMenuItem)
+  ];
+  const selected = await select(items, {
+    message: "Manage Accounts",
+    subtitle: "Select an account to manage"
+  });
+  if (!selected) return { action: "back" };
+  return showAccountDetails(selected);
+}
+async function showAccountDetails(account) {
+  const label = getAccountLabel(account);
+  const status = getAccountStatus(account);
+  const badge = STATUS_BADGE[status];
+  console.log("");
+  console.log(`${ANSI.bold}Account: ${label} ${badge}${ANSI.reset}`);
+  console.log(`${ANSI.dim}Added: ${formatDate(account.addedAt)}${ANSI.reset}`);
+  console.log(`${ANSI.dim}Last used: ${formatRelativeTime(account.lastUsed)}${ANSI.reset}`);
+  if (account.isAuthDisabled) {
+    console.log(`${ANSI.red}Auth disabled: ${account.authDisabledReason ?? "unknown"}${ANSI.reset}`);
+  }
+  console.log("");
+  while (true) {
+    const toggleLabel = account.enabled ? "Disable account" : "Enable account";
+    const toggleColor = account.enabled ? "yellow" : "green";
+    const items = [
+      { label: "Back", value: "back" }
+    ];
+    items.push({ label: toggleLabel, value: "toggle", color: toggleColor });
+    items.push({ label: "Re-authenticate", value: "retry-auth", color: "cyan" });
+    items.push({ label: "Delete this account", value: "delete", color: "red" });
+    const result = await select(items, {
+      message: "Account options",
+      subtitle: label
+    });
+    if (result === "delete") {
+      const confirmed = await confirm(`Delete ${label}?`);
+      if (!confirmed) continue;
+    }
+    return { action: result ?? "cancel", account };
+  }
+}
+function getUsageColor(utilization) {
+  if (utilization >= 90) return ANSI.red;
+  if (utilization >= 60) return ANSI.yellow;
+  return ANSI.green;
+}
+function createProgressBar(utilization, width = 20) {
+  const filled = Math.round(utilization / 100 * width);
+  const empty = width - filled;
+  const color = getUsageColor(utilization);
+  return `${color}${"\u2588".repeat(filled)}${ANSI.reset}${"\u2591".repeat(empty)} ${color}${Math.round(utilization)}% used${ANSI.reset}`;
+}
+function formatResetTime(resetAt) {
+  if (!resetAt) return "";
+  const date = new Date(resetAt);
+  const now = /* @__PURE__ */ new Date();
+  const tz = Intl.DateTimeFormat().resolvedOptions().timeZone;
+  const timeStr = date.toLocaleTimeString(void 0, { hour: "numeric", minute: "2-digit", hour12: true });
+  const isSameDay = date.getFullYear() === now.getFullYear() && date.getMonth() === now.getMonth() && date.getDate() === now.getDate();
+  if (isSameDay) {
+    return ` (resets ${timeStr}, ${tz})`;
+  }
+  const dateStr = date.toLocaleDateString(void 0, { month: "short", day: "numeric" });
+  return ` (resets ${dateStr} ${timeStr}, ${tz})`;
+}
+function printUsageEntry(name, entry, isLast) {
+  const connector = isLast ? "\u2514\u2500" : "\u251C\u2500";
+  if (!entry) {
+    console.log(`     ${connector} ${name.padEnd(16)} no data`);
+    return;
+  }
+  const bar = createProgressBar(entry.utilization);
+  const reset = formatResetTime(entry.resets_at);
+  console.log(`     ${connector} ${name.padEnd(16)} ${bar}${reset}`);
+}
+function printQuotaReport(account, usage) {
+  const label = getAccountLabel(account);
+  const status = getAccountStatus(account);
+  const badge = STATUS_BADGE[status];
+  const planLabel = getPlanLabel(account) || "Free";
+  console.log(`\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501`);
+  console.log(`  ${label} ${badge}`);
+  console.log(`\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501`);
+  if (account.email) {
+    console.log(`  \u{1F4E7} ${account.email}`);
+  }
+  console.log(`  \u{1F4CB} ${planLabel}`);
+  console.log(`
+  \u2514\u2500 Codex Quota`);
+  printUsageEntry("Current session", usage.five_hour, false);
+  printUsageEntry("Current week", usage.seven_day, true);
+  console.log("");
+}
+var STRATEGY_DESCRIPTIONS = {
+  "sticky": "Same account until rate-limited",
+  "round-robin": "Rotate every request",
+  "hybrid": "Score-based (usage + health)"
+};
+async function showStrategySelect(current) {
+  const strategies = ["sticky", "round-robin", "hybrid"];
+  const items = strategies.map((s) => ({
+    label: `${s}${s === current ? " (current)" : ""}`,
+    hint: STRATEGY_DESCRIPTIONS[s],
+    value: s
+  }));
+  return select(items, {
+    message: "Load Balancing Strategy",
+    subtitle: `Current: ${current}`
+  });
+}
+async function showMethodSelect() {
+  const items = [
+    { label: "ChatGPT Pro/Plus (browser)", value: "browser", color: "green" },
+    { label: "ChatGPT Pro/Plus (headless)", value: "headless" }
+  ];
+  return select(items, {
+    message: "Login Method",
+    subtitle: "Select authentication method"
+  });
+}
+function printQuotaError(account, error) {
+  const label = getAccountLabel(account);
+  console.log(`\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501`);
+  console.log(`  ${label}`);
+  if (account.email) {
+    console.log(`  \u{1F4E7} ${account.email}`);
+  }
+  console.log(`\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501`);
+  console.log(`  ${ANSI.red}Error: ${error}${ANSI.reset}
+`);
+}
+
+// src/account-store.ts
+setAccountsFilename(ACCOUNTS_FILENAME2);
+
+// src/auth-handler.ts
+import { randomUUID as randomUUID2 } from "node:crypto";
+var DeviceUserCodeResponseSchema = v9.object({
+  device_code: v9.string(),
+  user_code: v9.string(),
+  expires_in: v9.number(),
+  interval: v9.optional(v9.number())
+});
+function makeFailedFlowResult(message) {
+  return {
+    url: "",
+    instructions: message,
+    method: "auto",
+    callback: async () => ({ type: "failed" })
+  };
+}
+function normalizeMethod(method) {
+  return method === "headless" ? "headless" : "browser";
+}
+function toCallbackResponse(tokens) {
+  if (!tokens.refresh_token) {
+    return { type: "failed" };
+  }
+  return {
+    type: "success",
+    refresh: tokens.refresh_token,
+    access: tokens.access_token,
+    expires: Date.now() + (tokens.expires_in ?? 3600) * 1e3,
+    accountId: extractAccountId(tokens)
+  };
+}
+async function pollDeviceAuthToken(startResult) {
+  const expiresAt = Date.now() + startResult.expires_in * 1e3;
+  let intervalMs = Math.max(1, startResult.interval ?? 5) * 1e3;
+  while (Date.now() < expiresAt) {
+    const response = await fetch(`${OAUTH_ISSUER}/api/accounts/deviceauth/token`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        client_id: OPENAI_CLIENT_ID,
+        device_code: startResult.device_code
+      })
+    });
+    if (response.ok) {
+      return v9.parse(TokenResponseSchema, await response.json());
+    }
+    const payload = await response.json().catch(() => ({}));
+    const error = typeof payload.error === "string" ? payload.error : "";
+    if (error === "authorization_pending") {
+      await new Promise((resolve) => setTimeout(resolve, intervalMs));
+      continue;
+    }
+    if (error === "slow_down") {
+      intervalMs += 5e3;
+      await new Promise((resolve) => setTimeout(resolve, intervalMs));
+      continue;
+    }
+    if (error === "expired_token") {
+      throw new Error("Device code expired. Start authentication again.");
+    }
+    if (error === "access_denied") {
+      throw new Error("Device authorization denied by user.");
+    }
+    throw new Error(`Device token polling failed: ${response.status}`);
+  }
+  throw new Error("Device authorization timed out");
+}
+async function startBrowserAuth() {
+  const { redirectUri } = await startOAuthServer();
+  const pkce = await generatePKCE();
+  const state = generateState();
+  const authUrl = buildAuthorizeUrl(redirectUri, pkce, state);
+  return {
+    url: authUrl,
+    instructions: "Complete authorization in your browser.",
+    method: "auto",
+    callback: async () => {
+      try {
+        const tokens = await waitForOAuthCallback(pkce, state);
+        return toCallbackResponse(tokens);
+      } finally {
+        stopOAuthServer();
+      }
+    }
+  };
+}
+async function startDeviceAuth() {
+  const response = await fetch(`${OAUTH_ISSUER}/api/accounts/deviceauth/usercode`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({ client_id: OPENAI_CLIENT_ID })
+  });
+  if (!response.ok) {
+    throw new Error(`Failed to start device authorization: ${response.status}`);
+  }
+  const startResult = v9.parse(DeviceUserCodeResponseSchema, await response.json());
+  return {
+    url: `${OAUTH_ISSUER}/codex/device`,
+    instructions: `Enter code: ${startResult.user_code}`,
+    method: "auto",
+    callback: async () => {
+      const tokens = await pollDeviceAuthToken(startResult);
+      return toCallbackResponse(tokens);
+    }
+  };
+}
+async function startFlow(method) {
+  if (normalizeMethod(method) === "headless") {
+    return startDeviceAuth();
+  }
+  return startBrowserAuth();
+}
+function wrapCallbackWithAccountReplace(result, manager, targetAccount) {
+  const originalCallback = result.callback;
+  return {
+    ...result,
+    callback: async function() {
+      const code = arguments.length > 0 ? arguments[0] : void 0;
+      const callbackResult = await originalCallback(code);
+      if (callbackResult?.type === "success" && callbackResult.refresh) {
+        const auth = {
+          type: "oauth",
+          refresh: callbackResult.refresh,
+          access: callbackResult.access,
+          expires: callbackResult.expires
+        };
+        if (targetAccount.uuid) {
+          await manager.replaceAccountCredentials(targetAccount.uuid, auth);
+        }
+        const label = getAccountLabel(targetAccount);
+        console.log(`
+\u2705 ${label} re-authenticated successfully.
+`);
+      }
+      return callbackResult;
+    }
+  };
+}
+function wrapCallbackWithManagerSync(result, manager) {
+  const originalCallback = result.callback;
+  return {
+    ...result,
+    callback: async function() {
+      const code = arguments.length > 0 ? arguments[0] : void 0;
+      const callbackResult = await originalCallback(code);
+      if (callbackResult?.type === "success" && callbackResult.refresh) {
+        const auth = {
+          type: "oauth",
+          refresh: callbackResult.refresh,
+          access: callbackResult.access,
+          expires: callbackResult.expires
+        };
+        if (manager) {
+          const countBefore = manager.getAccounts().length;
+          await manager.addAccount(auth);
+          const countAfter = manager.getAccounts().length;
+          if (countAfter > countBefore) {
+            console.log(`
+\u2705 Account added to multi-auth pool (${countAfter} total).
+`);
+          } else {
+            console.log(`
+\u2139\uFE0F  Account already exists in multi-auth pool (${countAfter} total).
+`);
+          }
+        } else {
+          await persistFallback(auth, callbackResult.accountId);
+          console.log("\n\u2705 Account saved.\n");
+        }
+      }
+      return callbackResult;
+    }
+  };
+}
+async function persistFallback(auth, accountId) {
+  try {
+    const store = new AccountStore();
+    const now = Date.now();
+    const account = {
+      uuid: randomUUID2(),
+      accountId,
+      refreshToken: auth.refresh,
+      accessToken: auth.access,
+      expiresAt: auth.expires,
+      addedAt: now,
+      lastUsed: now,
+      enabled: true,
+      planTier: "",
+      consecutiveAuthFailures: 0,
+      isAuthDisabled: false
+    };
+    await store.addAccount(account);
+    await store.setActiveUuid(account.uuid);
+  } catch {
+  }
+}
+async function selectMethodAndStartFlow() {
+  if (!isTTY()) {
+    const flow2 = await startFlow("browser");
+    return { flow: flow2, method: "browser" };
+  }
+  const selected = await showMethodSelect();
+  if (!selected) return null;
+  const flow = await startFlow(selected);
+  return { flow, method: selected };
+}
+async function handleAuthorize(manager, inputs, client) {
+  if (!inputs || !isTTY()) {
+    return wrapCallbackWithManagerSync(await startFlow("browser"), manager);
+  }
+  const effectiveManager = manager ?? await loadManagerFromDisk(client);
+  if (!effectiveManager || effectiveManager.getAccounts().length === 0) {
+    const result = await selectMethodAndStartFlow();
+    if (!result) return makeFailedFlowResult("Authentication cancelled");
+    return wrapCallbackWithManagerSync(result.flow, manager);
+  }
+  return runAccountManagementMenu(effectiveManager, client);
+}
+async function loadManagerFromDisk(client) {
+  const store = new AccountStore();
+  const stored = await store.load();
+  if (stored.accounts.length === 0) return null;
+  const emptyAuth = { type: "oauth", refresh: "", access: "", expires: 0 };
+  const mgr = await AccountManager.create(store, emptyAuth, client);
+  return mgr;
+}
+async function runAccountManagementMenu(manager, client) {
+  while (true) {
+    const allAccounts = manager.getAccounts();
+    const menuAction = await showAuthMenu(allAccounts);
+    switch (menuAction.type) {
+      case "add": {
+        const result = await selectMethodAndStartFlow();
+        if (!result) continue;
+        return wrapCallbackWithManagerSync(result.flow, manager);
+      }
+      case "check-quotas":
+        await handleCheckQuotas(manager, client);
+        continue;
+      case "manage": {
+        const result = await showManageAccounts(allAccounts);
+        if (result.action === "back" || result.action === "cancel") continue;
+        const manageResult = await handleManageAction(manager, result.action, result.account, client);
+        if (manageResult.triggerOAuth) {
+          const methodResult = await selectMethodAndStartFlow();
+          if (!methodResult) continue;
+          return wrapCallbackWithAccountReplace(methodResult.flow, manager, manageResult.account);
+        }
+        continue;
+      }
+      case "load-balancing":
+        await handleLoadBalancing();
+        continue;
+      case "delete-all": {
+        await manager.clearAllAccounts();
+        console.log("\nAll accounts deleted.\n");
+        const result = await selectMethodAndStartFlow();
+        if (!result) return makeFailedFlowResult("Authentication cancelled");
+        return wrapCallbackWithManagerSync(result.flow, manager);
+      }
+      case "cancel":
+        return makeFailedFlowResult("Authentication cancelled");
+    }
+  }
+}
+async function handleCheckQuotas(manager, client) {
+  await manager.refresh();
+  const accounts = manager.getAccounts();
+  const effectiveClient = client ?? createMinimalClient();
+  if (client) manager.setClient(client);
+  console.log(`
+\u{1F4CA} Checking quotas for ${accounts.length} account(s)...
+`);
+  for (const account of accounts) {
+    if (account.isAuthDisabled || !account.accessToken || isTokenExpired(account)) {
+      if (!account.uuid) {
+        printQuotaError(account, "Missing account UUID");
+        continue;
+      }
+      const result = await manager.ensureValidToken(account.uuid, effectiveClient);
+      if (!result.ok) {
+        printQuotaError(account, account.isAuthDisabled ? `${account.authDisabledReason ?? "Auth disabled"} (refresh failed)` : "Failed to refresh token");
+        continue;
+      }
+      await manager.refresh();
+    }
+    const freshAccounts = manager.getAccounts();
+    const freshAccount = freshAccounts.find((candidate) => candidate.uuid === account.uuid);
+    if (!freshAccount?.accessToken) {
+      printQuotaError(account, "No access token available");
+      continue;
+    }
+    const usageResult = await fetchUsage(freshAccount.accessToken, freshAccount.accountId);
+    if (!usageResult.ok) {
+      printQuotaError(freshAccount, `Failed to fetch usage: ${usageResult.reason}`);
+      continue;
+    }
+    if (freshAccount.uuid) {
+      await manager.applyUsageCache(freshAccount.uuid, usageResult.data);
+    }
+    const profileResult = fetchProfile(freshAccount.accessToken);
+    let email = freshAccount.email;
+    let planTier = freshAccount.planTier ?? "";
+    if (profileResult.ok) {
+      email = profileResult.data.email ?? email;
+      planTier = profileResult.data.planTier;
+    }
+    if ((!planTier || planTier === "free") && usageResult.planType) {
+      planTier = derivePlanTier(usageResult.planType);
+    }
+    const profileData = { email, planTier };
+    if (freshAccount.uuid) {
+      await manager.applyProfileCache(freshAccount.uuid, profileData);
+    }
+    const reportAccount = { ...freshAccount, email, planTier };
+    printQuotaReport(reportAccount, usageResult.data);
+  }
+}
+async function handleLoadBalancing() {
+  const current = getConfig().account_selection_strategy;
+  const selected = await showStrategySelect(current);
+  if (!selected || selected === current) return;
+  await updateConfigField("account_selection_strategy", selected);
+  console.log(`
+Load balancing strategy changed: ${current} \u2192 ${selected}
+`);
+}
+async function handleManageAction(manager, action, account, client) {
+  if (!account) return { triggerOAuth: false };
+  const label = getAccountLabel(account);
+  switch (action) {
+    case "toggle":
+      if (!account.uuid) break;
+      await manager.toggleEnabled(account.uuid);
+      await manager.refresh();
+      {
+        const updated = manager.getAccounts().find((candidate) => candidate.uuid === account.uuid);
+        console.log(`
+${label} ${updated?.enabled ? "enabled" : "disabled"}.
+`);
+      }
+      break;
+    case "delete":
+      if (!account.uuid) break;
+      {
+        const removed = await manager.removeAccount(account.index);
+        console.log(removed ? "\nAccount deleted.\n" : "\nFailed to delete account.\n");
+      }
+      break;
+    case "retry-auth": {
+      if (!account.uuid) break;
+      const effectiveClient = client ?? createMinimalClient();
+      console.log(`
+Retrying authentication for ${label}...
+`);
+      const result = await manager.retryAuth(account.uuid, effectiveClient);
+      if (result.ok) {
+        console.log(`\u2705 ${label} re-authenticated successfully.
+`);
+      } else {
+        console.log("Token refresh failed \u2014 starting OAuth flow...\n");
+        return { triggerOAuth: true, account };
+      }
+      break;
+    }
+  }
+  return { triggerOAuth: false };
+}
+
+// src/proactive-refresh.ts
+var ProactiveRefreshQueue = createProactiveRefreshQueueForProvider({
+  getConfig,
+  isTokenExpired,
+  refreshToken,
+  debugLog
+});
+
+// src/request-transform.ts
+function mergeHeaders(base, incoming) {
+  if (!incoming) return;
+  if (incoming instanceof Headers) {
+    incoming.forEach((value, key) => base.set(key, value));
+    return;
+  }
+  if (Array.isArray(incoming)) {
+    for (const [key, value] of incoming) {
+      if (value !== void 0) base.set(key, String(value));
+    }
+    return;
+  }
+  for (const [key, value] of Object.entries(incoming)) {
+    if (value !== void 0) base.set(key, String(value));
+  }
+}
+function buildRequestHeaders(input, init, accessToken, accountId) {
+  const headers = new Headers();
+  if (input instanceof Request) {
+    input.headers.forEach((value, key) => headers.set(key, value));
+  }
+  mergeHeaders(headers, init?.headers);
+  headers.delete("authorization");
+  headers.delete("Authorization");
+  headers.set("authorization", `Bearer ${accessToken}`);
+  headers.set("originator", "opencode");
+  headers.set("User-Agent", OPENAI_CLI_USER_AGENT);
+  if (accountId) {
+    headers.set("ChatGPT-Account-Id", accountId);
+  } else {
+    headers.delete("ChatGPT-Account-Id");
+  }
+  headers.delete("x-api-key");
+  return headers;
+}
+function asUrl(input) {
+  try {
+    if (typeof input === "string" || input instanceof URL) {
+      return new URL(input.toString());
+    }
+    if (input instanceof Request) {
+      return new URL(input.url);
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+function transformRequestUrl(input) {
+  const url = asUrl(input);
+  if (!url) return input;
+  const shouldRewrite = url.pathname.includes("/v1/responses") || url.pathname.includes("/chat/completions");
+  if (!shouldRewrite) return input;
+  const rewritten = new URL(CODEX_API_ENDPOINT);
+  rewritten.search = url.search;
+  if (input instanceof Request) {
+    return new Request(rewritten.toString(), input);
+  }
+  return rewritten;
+}
+
+// src/runtime-factory.ts
+var AccountRuntimeFactory = class {
+  constructor(store, client) {
+    this.store = store;
+    this.client = client;
+  }
+  runtimes = /* @__PURE__ */ new Map();
+  initLocks = /* @__PURE__ */ new Map();
+  async getRuntime(uuid) {
+    const cached = this.runtimes.get(uuid);
+    if (cached) return cached;
+    const existing = this.initLocks.get(uuid);
+    if (existing) return existing;
+    const initPromise = this.createRuntime(uuid);
+    this.initLocks.set(uuid, initPromise);
+    try {
+      const runtime = await initPromise;
+      this.runtimes.set(uuid, runtime);
+      return runtime;
+    } finally {
+      this.initLocks.delete(uuid);
+    }
+  }
+  invalidate(uuid) {
+    this.runtimes.delete(uuid);
+  }
+  invalidateAll() {
+    this.runtimes.clear();
+  }
+  async createRuntime(uuid) {
+    const fetchWithAccount = async (input, init) => {
+      const storage = await this.store.load();
+      const storedAccount = storage.accounts.find((account) => account.uuid === uuid);
+      if (!storedAccount) {
+        throw new Error(`No credentials found for account ${uuid}`);
+      }
+      let accessToken = storedAccount.accessToken;
+      let expiresAt = storedAccount.expiresAt;
+      let accountId = storedAccount.accountId;
+      if (!accessToken || !expiresAt || isTokenExpired({ accessToken, expiresAt })) {
+        const refreshed = await refreshToken(storedAccount.refreshToken, uuid, this.client);
+        if (!refreshed.ok) {
+          if (typeof refreshed.status === "number") {
+            throw new Error(`Token refresh failed: ${refreshed.status}`);
+          }
+          throw new Error("Token refresh failed");
+        }
+        accessToken = refreshed.patch.accessToken;
+        expiresAt = refreshed.patch.expiresAt;
+        accountId = refreshed.patch.accountId ?? accountId;
+        await this.store.mutateAccount(uuid, (account) => {
+          account.accessToken = refreshed.patch.accessToken;
+          account.expiresAt = refreshed.patch.expiresAt;
+          if (refreshed.patch.refreshToken) account.refreshToken = refreshed.patch.refreshToken;
+          if (refreshed.patch.accountId) account.accountId = refreshed.patch.accountId;
+          if (refreshed.patch.email) account.email = refreshed.patch.email;
+          account.consecutiveAuthFailures = 0;
+          account.isAuthDisabled = false;
+          account.authDisabledReason = void 0;
+        });
+      }
+      if (!accessToken) {
+        throw new Error(`No access token available for account ${uuid}`);
+      }
+      const transformedInput = transformRequestUrl(input);
+      const headers = buildRequestHeaders(transformedInput, init, accessToken, accountId);
+      return fetch(transformedInput, {
+        ...init,
+        headers
+      });
+    };
+    debugLog(this.client, `Runtime created for account ${uuid.slice(0, 8)}`);
+    return { fetch: fetchWithAccount };
+  }
+};
+
+// src/index.ts
+var CodexMultiAuthPlugin = async (ctx) => {
+  const { client } = ctx;
+  await loadConfig();
+  const store = new AccountStore();
+  let manager = null;
+  let runtimeFactory = null;
+  let refreshQueue = null;
+  return {
+    tool: {
+      [OPENAI_OAUTH_ADAPTER.statusToolName]: tool({
+        description: "Show status of all multi-auth accounts including rate limits and usage.",
+        args: {},
+        async execute(_args, _context) {
+          if (!manager) {
+            return "Multi-auth not initialized. No OAuth accounts detected.";
+          }
+          const accounts = manager.getAccounts();
+          if (accounts.length === 0) {
+            return "No accounts configured. Run `opencode auth login` to add an account.";
+          }
+          const lines = [
+            `## Codex Multi-Auth Status (${accounts.length} accounts)
+`
+          ];
+          for (const account of accounts) {
+            const isActive = account.uuid === manager.getActiveAccount()?.uuid;
+            const marker = isActive ? " **[ACTIVE]**" : "";
+            const label = getAccountLabel(account);
+            const usage = getUsageSummary(account);
+            const statusParts = [];
+            if (account.isAuthDisabled) statusParts.push(`AUTH DISABLED: ${account.authDisabledReason}`);
+            else if (!account.enabled) statusParts.push("disabled");
+            else statusParts.push("enabled");
+            if (account.rateLimitResetAt && account.rateLimitResetAt > Date.now()) {
+              const remaining = formatWaitTime(account.rateLimitResetAt - Date.now());
+              statusParts.push(`RATE LIMITED (resets in ${remaining})`);
+            }
+            lines.push(
+              `- **${label}**${marker}: ${statusParts.join(" | ")} | ${usage}`
+            );
+          }
+          return lines.join("\n");
+        }
+      })
+    },
+    auth: {
+      provider: OPENAI_OAUTH_ADAPTER.authProviderId,
+      methods: [
+        {
+          label: OPENAI_OAUTH_ADAPTER.authMethodLabel,
+          type: "oauth",
+          async authorize() {
+            const inputs = arguments.length > 0 ? arguments[0] : void 0;
+            return handleAuthorize(manager, inputs, client);
+          }
+        },
+        { type: "api", label: "Manually enter API Key" }
+      ],
+      async loader(getAuth, provider) {
+        const auth = await getAuth();
+        if (auth.type !== "oauth") {
+          return { apiKey: "", fetch };
+        }
+        for (const model of Object.values(provider.models ?? {})) {
+          if (model) {
+            model.cost = { input: 0, output: 0, cache: { read: 0, write: 0 } };
+          }
+        }
+        const credentials = auth;
+        await migrateFromAuthJson("openai", store);
+        manager = await AccountManager.create(store, credentials, client);
+        runtimeFactory = new AccountRuntimeFactory(store, client);
+        manager.setRuntimeFactory(runtimeFactory);
+        if (manager.getAccountCount() > 0) {
+          const activeAccount = manager.getActiveAccount();
+          const activeLabel = activeAccount ? getAccountLabel(activeAccount) : "none";
+          void showToast(
+            client,
+            `Multi-Auth: ${manager.getAccountCount()} account(s) loaded. Active: ${activeLabel}`,
+            "info"
+          );
+          await manager.validateNonActiveTokens(client);
+          const disabledCount = manager.getAccounts().filter((a) => a.isAuthDisabled).length;
+          if (disabledCount > 0) {
+            void showToast(
+              client,
+              `${disabledCount} account(s) have auth failures.`,
+              "warning"
+            );
+          }
+          if (refreshQueue) {
+            await refreshQueue.stop();
+          }
+          refreshQueue = new ProactiveRefreshQueue(
+            client,
+            store,
+            (uuid) => runtimeFactory?.invalidate(uuid)
+          );
+          refreshQueue.start();
+        }
+        return {
+          apiKey: "CODEX_OAUTH",
+          async fetch(input, init) {
+            if (!manager || !runtimeFactory) {
+              return fetch(input, init);
+            }
+            if (manager.getAccountCount() === 0) {
+              throw new Error(
+                "No Codex accounts configured. Run `opencode auth login` to add an account."
+              );
+            }
+            return executeWithAccountRotation(manager, runtimeFactory, client, input, init);
+          }
+        };
+      }
+    }
+  };
+};
+export {
+  CodexMultiAuthPlugin
+};