npm - opencode-multi-account-core - Versions diffs - 0.1.0 - Mend

opencode-multi-account-core 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js ADDED Viewed

@@ -0,0 +1,1798 @@
+// src/account-manager.ts
+import { randomUUID } from "node:crypto";
+// src/claims.ts
+import { promises as fs2 } from "node:fs";
+import { randomBytes as randomBytes2 } from "node:crypto";
+import { dirname as dirname2, join as join3 } from "node:path";
+// src/utils.ts
+import { join as join2 } from "node:path";
+import { homedir as homedir2 } from "node:os";
+// src/config.ts
+import { promises as fs } from "node:fs";
+import { randomBytes } from "node:crypto";
+import { dirname, join } from "node:path";
+import { homedir } from "node:os";
+import * as v2 from "valibot";
+// src/types.ts
+import * as v from "valibot";
+var OAuthCredentialsSchema = v.object({
+  type: v.literal("oauth"),
+  refresh: v.string(),
+  access: v.string(),
+  expires: v.number()
+});
+var UsageLimitEntrySchema = v.object({
+  utilization: v.number(),
+  resets_at: v.nullable(v.string())
+});
+var UsageLimitsSchema = v.object({
+  five_hour: v.optional(v.nullable(UsageLimitEntrySchema), null),
+  seven_day: v.optional(v.nullable(UsageLimitEntrySchema), null),
+  seven_day_sonnet: v.optional(v.nullable(UsageLimitEntrySchema), null)
+});
+var CredentialRefreshPatchSchema = v.object({
+  accessToken: v.string(),
+  expiresAt: v.number(),
+  refreshToken: v.optional(v.string()),
+  uuid: v.optional(v.string()),
+  accountId: v.optional(v.string()),
+  email: v.optional(v.string())
+});
+var StoredAccountSchema = v.object({
+  uuid: v.optional(v.string()),
+  accountId: v.optional(v.string()),
+  label: v.optional(v.string()),
+  email: v.optional(v.string()),
+  planTier: v.optional(v.string(), ""),
+  refreshToken: v.string(),
+  accessToken: v.optional(v.string()),
+  expiresAt: v.optional(v.number()),
+  addedAt: v.number(),
+  lastUsed: v.number(),
+  enabled: v.optional(v.boolean(), true),
+  rateLimitResetAt: v.optional(v.number()),
+  cachedUsage: v.optional(UsageLimitsSchema),
+  cachedUsageAt: v.optional(v.number()),
+  consecutiveAuthFailures: v.optional(v.number(), 0),
+  isAuthDisabled: v.optional(v.boolean(), false),
+  authDisabledReason: v.optional(v.string())
+});
+var AccountStorageSchema = v.object({
+  version: v.literal(1),
+  accounts: v.optional(v.array(StoredAccountSchema), []),
+  activeAccountUuid: v.optional(v.string())
+});
+var AccountSelectionStrategySchema = v.picklist(["sticky", "round-robin", "hybrid"]);
+var PluginConfigSchema = v.object({
+  account_selection_strategy: v.optional(AccountSelectionStrategySchema, "sticky"),
+  cross_process_claims: v.optional(v.boolean(), true),
+  soft_quota_threshold_percent: v.optional(v.pipe(v.number(), v.minValue(0), v.maxValue(100)), 100),
+  rate_limit_min_backoff_ms: v.optional(v.pipe(v.number(), v.minValue(0)), 3e4),
+  default_retry_after_ms: v.optional(v.pipe(v.number(), v.minValue(0)), 6e4),
+  max_consecutive_auth_failures: v.optional(v.pipe(v.number(), v.integer(), v.minValue(1)), 3),
+  token_failure_backoff_ms: v.optional(v.pipe(v.number(), v.minValue(0)), 3e4),
+  proactive_refresh: v.optional(v.boolean(), true),
+  proactive_refresh_buffer_seconds: v.optional(v.pipe(v.number(), v.minValue(60)), 1800),
+  proactive_refresh_interval_seconds: v.optional(v.pipe(v.number(), v.minValue(30)), 300),
+  quiet_mode: v.optional(v.boolean(), false),
+  debug: v.optional(v.boolean(), false)
+});
+// src/config.ts
+var DEFAULT_CONFIG_FILENAME = "multiauth-config.json";
+var DEFAULT_CONFIG = v2.parse(PluginConfigSchema, {});
+var configFilename = DEFAULT_CONFIG_FILENAME;
+var cachedConfig = null;
+var externalConfigGetter = null;
+function getConfigDir() {
+  return process.env.OPENCODE_CONFIG_DIR || join(process.env.XDG_CONFIG_HOME || join(homedir(), ".config"), "opencode");
+}
+function getConfigPath() {
+  return join(getConfigDir(), configFilename);
+}
+function parseConfig(raw) {
+  const result = v2.safeParse(PluginConfigSchema, raw);
+  return result.success ? result.output : DEFAULT_CONFIG;
+}
+function initCoreConfig(filename) {
+  configFilename = filename || DEFAULT_CONFIG_FILENAME;
+  cachedConfig = null;
+}
+async function loadConfig() {
+  if (cachedConfig) return cachedConfig;
+  const path = getConfigPath();
+  try {
+    const content = await fs.readFile(path, "utf-8");
+    cachedConfig = parseConfig(JSON.parse(content));
+  } catch {
+    cachedConfig = DEFAULT_CONFIG;
+  }
+  return cachedConfig;
+}
+function getConfig() {
+  if (cachedConfig) return cachedConfig;
+  if (externalConfigGetter && externalConfigGetter !== getConfig) {
+    try {
+      return parseConfig(externalConfigGetter());
+    } catch {
+      return DEFAULT_CONFIG;
+    }
+  }
+  return DEFAULT_CONFIG;
+}
+function resetConfigCache() {
+  cachedConfig = null;
+}
+function setConfigGetter(getter) {
+  if (getter === getConfig) {
+    return;
+  }
+  externalConfigGetter = getter;
+}
+async function updateConfigField(key, value) {
+  const path = getConfigPath();
+  let existing = {};
+  try {
+    const content2 = await fs.readFile(path, "utf-8");
+    existing = JSON.parse(content2);
+  } catch {
+  }
+  existing[key] = value;
+  await fs.mkdir(dirname(path), { recursive: true });
+  const content = `${JSON.stringify(existing, null, 2)}
+`;
+  const tempPath = `${path}.${randomBytes(8).toString("hex")}.tmp`;
+  try {
+    await fs.writeFile(tempPath, content, "utf-8");
+    await fs.rename(tempPath, path);
+  } catch (error) {
+    try {
+      await fs.unlink(tempPath);
+    } catch {
+    }
+    throw error;
+  }
+  cachedConfig = null;
+  await loadConfig();
+}
+// src/utils.ts
+function getConfigDir2() {
+  return process.env.OPENCODE_CONFIG_DIR || join2(process.env.XDG_CONFIG_HOME || join2(homedir2(), ".config"), "opencode");
+}
+function getErrorCode(error) {
+  if (typeof error !== "object" || error === null || !("code" in error)) {
+    return void 0;
+  }
+  const code = error.code;
+  return typeof code === "string" ? code : void 0;
+}
+function formatWaitTime(ms) {
+  const totalSeconds = Math.ceil(ms / 1e3);
+  if (totalSeconds < 60) return `${totalSeconds}s`;
+  const days = Math.floor(totalSeconds / 86400);
+  const hours = Math.floor(totalSeconds % 86400 / 3600);
+  const minutes = Math.floor(totalSeconds % 3600 / 60);
+  const seconds = totalSeconds % 60;
+  const parts = [];
+  if (days > 0) parts.push(`${days}d`);
+  if (hours > 0) parts.push(`${hours}h`);
+  if (minutes > 0) parts.push(`${minutes}m`);
+  if (seconds > 0 && days === 0) parts.push(`${seconds}s`);
+  return parts.join(" ") || "0s";
+}
+function getAccountLabel(account) {
+  if (account.label) return account.label;
+  if (account.email) return account.email;
+  if (account.uuid) return `Account (${account.uuid.slice(0, 8)})`;
+  return `Account ${account.index + 1}`;
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+async function showToast(client, message, variant) {
+  if (getConfig().quiet_mode) return;
+  try {
+    await client.tui.showToast({ body: { message, variant } });
+  } catch {
+  }
+}
+function debugLog(client, message, extra) {
+  if (!getConfig().debug) return;
+  client.app.log({
+    body: { service: "claude-multiauth", level: "debug", message, extra }
+  }).catch(() => {
+  });
+}
+function createMinimalClient() {
+  return {
+    auth: {
+      set: async () => {
+      }
+    },
+    tui: {
+      showToast: async () => {
+      }
+    },
+    app: {
+      log: async () => {
+      }
+    }
+  };
+}
+// src/claims.ts
+var CLAIMS_FILENAME = "multiauth-claims.json";
+var CLAIM_EXPIRY_MS = 6e4;
+function getClaimsPath() {
+  return join3(getConfigDir2(), CLAIMS_FILENAME);
+}
+function isClaimShape(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) return false;
+  const claim = value;
+  return typeof claim.pid === "number" && Number.isInteger(claim.pid) && claim.pid > 0 && typeof claim.at === "number" && Number.isFinite(claim.at);
+}
+function parseClaims(raw) {
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    return {};
+  }
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    return {};
+  }
+  const claims = {};
+  for (const [accountId, claim] of Object.entries(parsed)) {
+    if (isClaimShape(claim)) {
+      claims[accountId] = claim;
+    }
+  }
+  return claims;
+}
+function isProcessAlive(pid) {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function cleanClaims(claims, now) {
+  const cleaned = {};
+  let changed = false;
+  for (const [accountId, claim] of Object.entries(claims)) {
+    const expiredByTime = now - claim.at > CLAIM_EXPIRY_MS;
+    const zombieClaim = !isProcessAlive(claim.pid);
+    if (expiredByTime || zombieClaim) {
+      changed = true;
+      continue;
+    }
+    cleaned[accountId] = claim;
+  }
+  return { cleaned, changed };
+}
+async function writeClaimsFile(claims) {
+  const path = getClaimsPath();
+  const tempPath = `${path}.${randomBytes2(6).toString("hex")}.tmp`;
+  await fs2.mkdir(dirname2(path), { recursive: true });
+  try {
+    await fs2.writeFile(tempPath, JSON.stringify(claims, null, 2), { encoding: "utf-8", mode: 384 });
+    await fs2.rename(tempPath, path);
+  } catch (error) {
+    try {
+      await fs2.unlink(tempPath);
+    } catch {
+    }
+    throw error;
+  }
+}
+async function readClaims() {
+  try {
+    const data = await fs2.readFile(getClaimsPath(), "utf-8");
+    const parsed = parseClaims(data);
+    const now = Date.now();
+    const { cleaned, changed } = cleanClaims(parsed, now);
+    if (changed) {
+      try {
+        await writeClaimsFile(cleaned);
+      } catch {
+      }
+    }
+    return cleaned;
+  } catch {
+    return {};
+  }
+}
+async function writeClaim(accountId) {
+  const now = Date.now();
+  const claims = await readClaims();
+  const { cleaned } = cleanClaims(claims, now);
+  cleaned[accountId] = { pid: process.pid, at: now };
+  try {
+    await writeClaimsFile(cleaned);
+  } catch {
+  }
+}
+async function releaseClaim(accountId) {
+  const now = Date.now();
+  const claims = await readClaims();
+  const { cleaned } = cleanClaims(claims, now);
+  const currentClaim = cleaned[accountId];
+  if (!currentClaim || currentClaim.pid !== process.pid) {
+    return;
+  }
+  delete cleaned[accountId];
+  try {
+    await writeClaimsFile(cleaned);
+  } catch {
+  }
+}
+function isClaimedByOther(claims, accountId) {
+  if (!accountId) return false;
+  const claim = claims[accountId];
+  if (!claim) return false;
+  if (Date.now() - claim.at > CLAIM_EXPIRY_MS) return false;
+  if (!isProcessAlive(claim.pid)) return false;
+  return claim.pid !== process.pid;
+}
+// src/account-manager.ts
+var STARTUP_REFRESH_CONCURRENCY = 3;
+var RECENT_429_COOLDOWN_MS = 3e4;
+var HYBRID_SWITCH_MARGIN = 40;
+function createAccountManagerForProvider(dependencies) {
+  const {
+    providerAuthId,
+    isTokenExpired,
+    refreshToken
+  } = dependencies;
+  return class AccountManager {
+    constructor(store) {
+      this.store = store;
+    }
+    cached = [];
+    activeAccountUuid;
+    client = null;
+    runtimeFactory = null;
+    roundRobinCursor = 0;
+    last429Map = /* @__PURE__ */ new Map();
+    static async create(store, currentAuth, client) {
+      const manager = new AccountManager(store);
+      await manager.initialize(currentAuth, client);
+      return manager;
+    }
+    async initialize(currentAuth, client) {
+      if (client) this.client = client;
+      const storage = await this.store.load();
+      if (storage.accounts.length > 0) {
+        this.cached = storage.accounts.map((account, index) => this.toManagedAccount(account, index));
+        this.activeAccountUuid = storage.activeAccountUuid;
+        if (!this.getActiveAccount() && this.cached.length > 0) {
+          this.activeAccountUuid = this.cached[0].uuid;
+        }
+        return;
+      }
+      if (currentAuth.refresh) {
+        const newAccount = this.createNewAccount(currentAuth, Date.now());
+        await this.store.addAccount(newAccount);
+        await this.store.setActiveUuid(newAccount.uuid);
+        this.cached = [this.toManagedAccount(newAccount, 0)];
+        this.activeAccountUuid = newAccount.uuid;
+      }
+    }
+    async refresh() {
+      const storage = await this.store.load();
+      this.cached = storage.accounts.map((account, index) => this.toManagedAccount(account, index));
+      if (storage.activeAccountUuid) {
+        this.activeAccountUuid = storage.activeAccountUuid;
+      }
+    }
+    toManagedAccount(storedAccount, index) {
+      return {
+        index,
+        uuid: storedAccount.uuid,
+        accountId: storedAccount.accountId,
+        label: storedAccount.label,
+        email: storedAccount.email,
+        planTier: storedAccount.planTier,
+        refreshToken: storedAccount.refreshToken,
+        accessToken: storedAccount.accessToken,
+        expiresAt: storedAccount.expiresAt,
+        addedAt: storedAccount.addedAt,
+        lastUsed: storedAccount.lastUsed,
+        enabled: storedAccount.enabled,
+        rateLimitResetAt: storedAccount.rateLimitResetAt,
+        cachedUsage: storedAccount.cachedUsage,
+        cachedUsageAt: storedAccount.cachedUsageAt,
+        consecutiveAuthFailures: storedAccount.consecutiveAuthFailures,
+        isAuthDisabled: storedAccount.isAuthDisabled,
+        authDisabledReason: storedAccount.authDisabledReason,
+        last429At: storedAccount.uuid ? this.last429Map.get(storedAccount.uuid) : void 0
+      };
+    }
+    createNewAccount(auth, now) {
+      return {
+        uuid: randomUUID(),
+        refreshToken: auth.refresh,
+        accessToken: auth.access,
+        expiresAt: auth.expires,
+        addedAt: now,
+        lastUsed: now,
+        enabled: true,
+        planTier: "",
+        consecutiveAuthFailures: 0,
+        isAuthDisabled: false
+      };
+    }
+    getAccountCount() {
+      return this.getEligibleAccounts().length;
+    }
+    getAccounts() {
+      return [...this.cached];
+    }
+    getActiveAccount() {
+      if (this.activeAccountUuid) {
+        return this.cached.find((account) => account.uuid === this.activeAccountUuid) ?? null;
+      }
+      return this.cached[0] ?? null;
+    }
+    setClient(client) {
+      this.client = client;
+    }
+    setRuntimeFactory(factory) {
+      this.runtimeFactory = factory;
+    }
+    getEligibleAccounts() {
+      return this.cached.filter((account) => account.uuid && account.enabled && !account.isAuthDisabled);
+    }
+    exceedsSoftQuota(account) {
+      const threshold = getConfig().soft_quota_threshold_percent;
+      if (threshold >= 100) return false;
+      const usage = account.cachedUsage;
+      if (!usage) return false;
+      const tiers = [usage.five_hour, usage.seven_day];
+      return tiers.some((tier) => tier != null && tier.utilization >= threshold);
+    }
+    hasAnyUsableAccount() {
+      return this.getEligibleAccounts().length > 0;
+    }
+    isRateLimited(account) {
+      if (account.rateLimitResetAt && Date.now() < account.rateLimitResetAt) {
+        return true;
+      }
+      return this.isUsageExhausted(account);
+    }
+    isUsageExhausted(account) {
+      const usage = account.cachedUsage;
+      if (!usage) return false;
+      const now = Date.now();
+      const tiers = [usage.five_hour, usage.seven_day];
+      return tiers.some(
+        (tier) => tier != null && tier.utilization >= 100 && tier.resets_at != null && Date.parse(tier.resets_at) > now
+      );
+    }
+    clearExpiredRateLimits() {
+      const now = Date.now();
+      for (const account of this.cached) {
+        if (account.rateLimitResetAt && now >= account.rateLimitResetAt) {
+          account.rateLimitResetAt = void 0;
+        }
+      }
+    }
+    getMinWaitTime() {
+      const eligible = this.getEligibleAccounts();
+      const available = eligible.filter((account) => !this.isRateLimited(account));
+      if (available.length > 0) return 0;
+      const now = Date.now();
+      const waits = [];
+      for (const account of eligible) {
+        if (account.rateLimitResetAt) {
+          const ms = account.rateLimitResetAt - now;
+          if (ms > 0) waits.push(ms);
+        }
+        const usageResetMs = this.getUsageResetMs(account);
+        if (usageResetMs !== null && usageResetMs > 0) {
+          waits.push(usageResetMs);
+        }
+      }
+      return waits.length > 0 ? Math.min(...waits) : 0;
+    }
+    getUsageResetMs(account) {
+      const usage = account.cachedUsage;
+      if (!usage) return null;
+      const now = Date.now();
+      const candidates = [];
+      const tiers = [usage.five_hour, usage.seven_day];
+      for (const tier of tiers) {
+        if (tier != null && tier.utilization >= 100 && tier.resets_at != null) {
+          const ms = Date.parse(tier.resets_at) - now;
+          if (ms > 0) candidates.push(ms);
+        }
+      }
+      return candidates.length > 0 ? Math.min(...candidates) : null;
+    }
+    async selectAccount() {
+      await this.refresh();
+      this.clearExpiredRateLimits();
+      const eligible = this.getEligibleAccounts();
+      if (eligible.length === 0) return null;
+      const config = getConfig();
+      const claims = config.cross_process_claims ? await readClaims() : {};
+      const strategy = config.account_selection_strategy;
+      let selected;
+      switch (strategy) {
+        case "round-robin":
+          selected = this.selectRoundRobin(eligible, claims);
+          break;
+        case "hybrid":
+          selected = this.selectHybrid(eligible, claims);
+          break;
+        case "sticky":
+        default:
+          selected = this.selectSticky(eligible, claims);
+          break;
+      }
+      if (selected?.uuid) {
+        this.activeAccountUuid = selected.uuid;
+        this.store.setActiveUuid(selected.uuid).catch(() => {
+        });
+      }
+      if (config.cross_process_claims && selected?.uuid) {
+        writeClaim(selected.uuid).catch(() => {
+        });
+      }
+      return selected;
+    }
+    isUsable(account) {
+      return !this.isRateLimited(account) && !this.isInRecentCooldown(account) && !this.exceedsSoftQuota(account);
+    }
+    isInRecentCooldown(account) {
+      if (!account.last429At) return false;
+      return Date.now() - account.last429At < RECENT_429_COOLDOWN_MS;
+    }
+    fallbackNotRateLimited(eligible) {
+      const account = eligible.find((candidate) => !this.isRateLimited(candidate));
+      if (account) {
+        this.activateAccount(account);
+        return account;
+      }
+      return null;
+    }
+    selectSticky(eligible, claims) {
+      const current = this.getActiveAccount();
+      if (current?.enabled && !current.isAuthDisabled && this.isUsable(current)) {
+        this.activateAccount(current);
+        return current;
+      }
+      const unclaimed = eligible.find(
+        (account) => this.isUsable(account) && !isClaimedByOther(claims, account.uuid)
+      );
+      if (unclaimed) {
+        this.activateAccount(unclaimed);
+        return unclaimed;
+      }
+      const available = eligible.find((account) => this.isUsable(account));
+      if (available) {
+        this.activateAccount(available);
+        return available;
+      }
+      return this.fallbackNotRateLimited(eligible);
+    }
+    selectRoundRobin(eligible, claims) {
+      for (let i = 0; i < eligible.length; i++) {
+        const index = (this.roundRobinCursor + i) % eligible.length;
+        const account = eligible[index];
+        if (this.isUsable(account) && !isClaimedByOther(claims, account.uuid)) {
+          this.roundRobinCursor = (index + 1) % eligible.length;
+          this.activateAccount(account);
+          return account;
+        }
+      }
+      for (let i = 0; i < eligible.length; i++) {
+        const index = (this.roundRobinCursor + i) % eligible.length;
+        const account = eligible[index];
+        if (this.isUsable(account)) {
+          this.roundRobinCursor = (index + 1) % eligible.length;
+          this.activateAccount(account);
+          return account;
+        }
+      }
+      return this.fallbackNotRateLimited(eligible);
+    }
+    selectHybrid(eligible, claims) {
+      const usable = eligible.filter((account) => this.isUsable(account));
+      const pool = usable.length > 0 ? usable : eligible.filter((account) => !this.isRateLimited(account));
+      if (pool.length === 0) return null;
+      const activeUuid = this.activeAccountUuid;
+      let best = pool[0];
+      let bestScore = this.calculateHybridScore(best, best.uuid === activeUuid, claims);
+      for (let i = 1; i < pool.length; i++) {
+        const account = pool[i];
+        const score = this.calculateHybridScore(account, account.uuid === activeUuid, claims);
+        if (score > bestScore) {
+          best = account;
+          bestScore = score;
+        }
+      }
+      const current = pool.find((account) => account.uuid === activeUuid);
+      if (current && current !== best) {
+        const currentScore = this.calculateHybridScore(current, true, claims);
+        const bestWithoutStickiness = this.calculateHybridScore(best, false, claims);
+        if (bestWithoutStickiness <= currentScore + HYBRID_SWITCH_MARGIN) {
+          this.activateAccount(current);
+          return current;
+        }
+      }
+      this.activateAccount(best);
+      return best;
+    }
+    calculateHybridScore(account, isActive, claims) {
+      const maxUtilization = Math.min(100, Math.max(0, this.getMaxUtilization(account)));
+      const usageScore = (100 - maxUtilization) / 100 * 450;
+      const maxFailures = Math.max(1, getConfig().max_consecutive_auth_failures);
+      const healthScore = Math.max(0, (maxFailures - account.consecutiveAuthFailures) / maxFailures * 250);
+      const secondsSinceUsed = (Date.now() - account.lastUsed) / 1e3;
+      const freshnessScore = Math.min(secondsSinceUsed, 900) / 900 * 60;
+      const stickinessBonus = isActive ? 120 : 0;
+      const claimPenalty = isClaimedByOther(claims, account.uuid) ? -200 : 0;
+      return usageScore + healthScore + freshnessScore + stickinessBonus + claimPenalty;
+    }
+    getMaxUtilization(account) {
+      const usage = account.cachedUsage;
+      if (!usage) return 65;
+      const tiers = [usage.five_hour, usage.seven_day];
+      const utilizations = tiers.filter((tier) => tier != null).map((tier) => tier.utilization);
+      return utilizations.length > 0 ? Math.max(...utilizations) : 65;
+    }
+    activateAccount(account) {
+      this.activeAccountUuid = account.uuid;
+      account.lastUsed = Date.now();
+    }
+    async markRateLimited(uuid, backoffMs) {
+      const effectiveBackoff = backoffMs ?? getConfig().rate_limit_min_backoff_ms;
+      this.last429Map.set(uuid, Date.now());
+      await this.store.mutateAccount(uuid, (account) => {
+        account.rateLimitResetAt = Date.now() + effectiveBackoff;
+      });
+    }
+    async markRevoked(uuid) {
+      await this.store.mutateAccount(uuid, (account) => {
+        account.isAuthDisabled = true;
+        account.authDisabledReason = "OAuth token revoked (403)";
+        account.accessToken = void 0;
+        account.expiresAt = void 0;
+      });
+      this.runtimeFactory?.invalidate(uuid);
+    }
+    async markSuccess(uuid) {
+      this.last429Map.delete(uuid);
+      await this.store.mutateAccount(uuid, (account) => {
+        account.rateLimitResetAt = void 0;
+        account.consecutiveAuthFailures = 0;
+        account.lastUsed = Date.now();
+      });
+    }
+    syncToOpenCode(account) {
+      if (!this.client || !account.accessToken || !account.expiresAt) return;
+      this.client.auth.set({
+        path: { id: providerAuthId },
+        body: {
+          type: "oauth",
+          refresh: account.refreshToken,
+          access: account.accessToken,
+          expires: account.expiresAt
+        }
+      }).catch(() => {
+      });
+    }
+    async markAuthFailure(uuid, result) {
+      await this.store.mutateStorage((storage) => {
+        const account = storage.accounts.find((entry) => entry.uuid === uuid);
+        if (!account) return;
+        if (!result.ok && result.permanent) {
+          account.isAuthDisabled = true;
+          account.authDisabledReason = "Token permanently rejected (400/401/403)";
+          return;
+        }
+        account.consecutiveAuthFailures = (account.consecutiveAuthFailures ?? 0) + 1;
+        const maxFailures = getConfig().max_consecutive_auth_failures;
+        const usableCount = storage.accounts.filter(
+          (entry) => entry.enabled && !entry.isAuthDisabled && entry.uuid !== uuid
+        ).length;
+        if (account.consecutiveAuthFailures >= maxFailures && usableCount > 0) {
+          account.isAuthDisabled = true;
+          account.authDisabledReason = `${maxFailures} consecutive auth failures`;
+        }
+      });
+    }
+    async applyUsageCache(uuid, usage) {
+      await this.store.mutateAccount(uuid, (account) => {
+        account.cachedUsage = usage;
+        account.cachedUsageAt = Date.now();
+      });
+    }
+    async applyProfileCache(uuid, profile) {
+      await this.store.mutateAccount(uuid, (account) => {
+        account.email = profile.email ?? account.email;
+        account.planTier = profile.planTier;
+      });
+    }
+    async ensureValidToken(uuid, client) {
+      const credentials = await this.store.readCredentials(uuid);
+      if (!credentials) return { ok: false, permanent: true };
+      if (credentials.accessToken && credentials.expiresAt && !isTokenExpired(credentials)) {
+        return {
+          ok: true,
+          patch: { accessToken: credentials.accessToken, expiresAt: credentials.expiresAt }
+        };
+      }
+      const result = await refreshToken(credentials.refreshToken, uuid, client);
+      if (!result.ok) return result;
+      const updated = await this.store.mutateAccount(uuid, (account) => {
+        account.accessToken = result.patch.accessToken;
+        account.expiresAt = result.patch.expiresAt;
+        if (result.patch.refreshToken) account.refreshToken = result.patch.refreshToken;
+        if (result.patch.uuid && result.patch.uuid !== uuid) account.uuid = result.patch.uuid;
+        if (result.patch.accountId) account.accountId = result.patch.accountId;
+        if (result.patch.email) account.email = result.patch.email;
+        account.consecutiveAuthFailures = 0;
+        account.isAuthDisabled = false;
+        account.authDisabledReason = void 0;
+      });
+      if (result.patch.uuid && result.patch.uuid !== uuid && this.activeAccountUuid === uuid) {
+        this.activeAccountUuid = result.patch.uuid;
+        this.store.setActiveUuid(result.patch.uuid).catch(() => {
+        });
+      }
+      if (updated && (uuid === this.activeAccountUuid || updated.uuid === this.activeAccountUuid)) {
+        this.syncToOpenCode(updated);
+      }
+      return result;
+    }
+    async validateNonActiveTokens(client) {
+      await this.refresh();
+      const activeUuid = this.activeAccountUuid;
+      const eligible = this.cached.filter(
+        (account) => account.enabled && !account.isAuthDisabled && account.uuid && account.uuid !== activeUuid
+      );
+      for (let i = 0; i < eligible.length; i += STARTUP_REFRESH_CONCURRENCY) {
+        const batch = eligible.slice(i, i + STARTUP_REFRESH_CONCURRENCY);
+        await Promise.all(
+          batch.map(async (account) => {
+            if (!account.uuid || !isTokenExpired(account)) return;
+            const result = await this.ensureValidToken(account.uuid, client);
+            if (!result.ok) {
+              await this.markAuthFailure(account.uuid, result);
+            }
+          })
+        );
+      }
+    }
+    async removeAccount(index) {
+      const account = this.cached[index];
+      if (!account?.uuid) return false;
+      const removed = await this.store.removeAccount(account.uuid);
+      if (removed) {
+        await this.refresh();
+      }
+      return removed;
+    }
+    async clearAllAccounts() {
+      await this.store.clear();
+      this.cached = [];
+      this.activeAccountUuid = void 0;
+    }
+    async addAccount(auth) {
+      if (!auth.refresh) return;
+      const existing = this.cached.find((account) => account.refreshToken === auth.refresh);
+      if (existing) return;
+      const newAccount = this.createNewAccount(auth, Date.now());
+      await this.store.addAccount(newAccount);
+      this.activeAccountUuid = newAccount.uuid;
+      await this.store.setActiveUuid(newAccount.uuid);
+      await this.refresh();
+    }
+    async toggleEnabled(uuid) {
+      await this.store.mutateAccount(uuid, (account) => {
+        account.enabled = !(account.enabled ?? true);
+        if (account.enabled) {
+          account.isAuthDisabled = false;
+          account.authDisabledReason = void 0;
+          account.consecutiveAuthFailures = 0;
+        }
+      });
+    }
+    async replaceAccountCredentials(uuid, auth) {
+      const updated = await this.store.mutateAccount(uuid, (account) => {
+        account.refreshToken = auth.refresh;
+        account.accessToken = auth.access;
+        account.expiresAt = auth.expires;
+        account.lastUsed = Date.now();
+        account.enabled = true;
+        account.isAuthDisabled = false;
+        account.authDisabledReason = void 0;
+        account.consecutiveAuthFailures = 0;
+        account.rateLimitResetAt = void 0;
+      });
+      this.runtimeFactory?.invalidate(uuid);
+      if (updated && uuid === this.activeAccountUuid) {
+        this.syncToOpenCode(updated);
+      }
+    }
+    async retryAuth(uuid, client) {
+      await this.store.mutateAccount(uuid, (account) => {
+        account.consecutiveAuthFailures = 0;
+        account.isAuthDisabled = false;
+        account.authDisabledReason = void 0;
+      });
+      this.runtimeFactory?.invalidate(uuid);
+      const credentials = await this.store.readCredentials(uuid);
+      if (!credentials) return { ok: false, permanent: true };
+      const result = await refreshToken(credentials.refreshToken, uuid, client);
+      if (result.ok) {
+        const updated = await this.store.mutateAccount(uuid, (account) => {
+          account.accessToken = result.patch.accessToken;
+          account.expiresAt = result.patch.expiresAt;
+          if (result.patch.refreshToken) account.refreshToken = result.patch.refreshToken;
+          if (result.patch.uuid) account.uuid = result.patch.uuid;
+          if (result.patch.accountId) account.accountId = result.patch.accountId;
+          if (result.patch.email) account.email = result.patch.email;
+          account.enabled = true;
+          account.consecutiveAuthFailures = 0;
+        });
+        this.runtimeFactory?.invalidate(uuid);
+        if (result.patch.uuid) {
+          this.runtimeFactory?.invalidate(result.patch.uuid);
+        }
+        const nextUuid = result.patch.uuid ?? uuid;
+        if (this.activeAccountUuid === uuid && result.patch.uuid && result.patch.uuid !== uuid) {
+          this.activeAccountUuid = result.patch.uuid;
+          await this.store.setActiveUuid(result.patch.uuid);
+        }
+        if (updated && (uuid === this.activeAccountUuid || nextUuid === this.activeAccountUuid)) {
+          const freshCredentials = await this.store.readCredentials(nextUuid);
+          if (freshCredentials) {
+            this.syncToOpenCode({
+              refreshToken: freshCredentials.refreshToken,
+              accessToken: freshCredentials.accessToken,
+              expiresAt: freshCredentials.expiresAt
+            });
+          }
+        }
+      } else {
+        await this.markAuthFailure(uuid, result);
+        this.runtimeFactory?.invalidate(uuid);
+      }
+      return result;
+    }
+  };
+}
+// src/account-store.ts
+import { promises as fs4 } from "node:fs";
+import { randomBytes as randomBytes3 } from "node:crypto";
+import { dirname as dirname4, join as join5 } from "node:path";
+import lockfile from "proper-lockfile";
+import * as v4 from "valibot";
+// src/storage.ts
+import { promises as fs3 } from "node:fs";
+import { dirname as dirname3, join as join4 } from "node:path";
+import * as v3 from "valibot";
+// src/constants.ts
+var DEFAULT_ACCOUNTS_FILENAME = "multiauth-accounts.json";
+var ACCOUNTS_FILENAME = DEFAULT_ACCOUNTS_FILENAME;
+function setAccountsFilename(filename) {
+  if (!filename) {
+    ACCOUNTS_FILENAME = DEFAULT_ACCOUNTS_FILENAME;
+    return;
+  }
+  ACCOUNTS_FILENAME = filename;
+}
+// src/storage.ts
+function getStoragePath() {
+  return join4(getConfigDir2(), ACCOUNTS_FILENAME);
+}
+async function backupCorruptFile(targetPath, content) {
+  const backupPath = `${targetPath}.corrupt.${Date.now()}.bak`;
+  await fs3.mkdir(dirname3(backupPath), { recursive: true });
+  await fs3.writeFile(backupPath, content, "utf-8");
+}
+async function readStorageFromDisk(targetPath, backupOnCorrupt) {
+  let content;
+  try {
+    content = await fs3.readFile(targetPath, "utf-8");
+  } catch (error) {
+    if (getErrorCode(error) === "ENOENT") {
+      return null;
+    }
+    throw error;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(content);
+  } catch {
+    if (backupOnCorrupt) {
+      try {
+        await backupCorruptFile(targetPath, content);
+      } catch {
+      }
+    }
+    return null;
+  }
+  const validation = v3.safeParse(AccountStorageSchema, parsed);
+  if (!validation.success) {
+    if (backupOnCorrupt) {
+      try {
+        await backupCorruptFile(targetPath, content);
+      } catch {
+      }
+    }
+    return null;
+  }
+  return validation.output;
+}
+function deduplicateAccounts(accounts) {
+  const deduplicated = [];
+  const indexByUuid = /* @__PURE__ */ new Map();
+  for (const account of accounts) {
+    if (!account.uuid) {
+      deduplicated.push(account);
+      continue;
+    }
+    const existingIndex = indexByUuid.get(account.uuid);
+    if (existingIndex === void 0) {
+      indexByUuid.set(account.uuid, deduplicated.length);
+      deduplicated.push(account);
+      continue;
+    }
+    const existingAccount = deduplicated[existingIndex];
+    if (!existingAccount || account.lastUsed >= existingAccount.lastUsed) {
+      deduplicated[existingIndex] = account;
+    }
+  }
+  return deduplicated;
+}
+async function loadAccounts() {
+  const storagePath = getStoragePath();
+  const storage = await readStorageFromDisk(storagePath, true);
+  if (!storage) {
+    return null;
+  }
+  return {
+    ...storage,
+    accounts: deduplicateAccounts(storage.accounts || [])
+  };
+}
+// src/account-store.ts
+var FILE_MODE = 384;
+var LOCK_OPTIONS = {
+  stale: 1e4,
+  retries: { retries: 10, minTimeout: 50, maxTimeout: 2e3, factor: 2 }
+};
+function getStoragePath2() {
+  return join5(getConfigDir2(), ACCOUNTS_FILENAME);
+}
+function createEmptyStorage() {
+  return { version: 1, accounts: [] };
+}
+function buildTempPath(targetPath) {
+  return `${targetPath}.${randomBytes3(8).toString("hex")}.tmp`;
+}
+async function writeAtomicText(targetPath, content) {
+  await fs4.mkdir(dirname4(targetPath), { recursive: true });
+  const tempPath = buildTempPath(targetPath);
+  try {
+    await fs4.writeFile(tempPath, content, { encoding: "utf-8", mode: FILE_MODE });
+    await fs4.chmod(tempPath, FILE_MODE);
+    await fs4.rename(tempPath, targetPath);
+    await fs4.chmod(targetPath, FILE_MODE);
+  } catch (error) {
+    try {
+      await fs4.unlink(tempPath);
+    } catch {
+    }
+    throw error;
+  }
+}
+async function writeStorageAtomic(targetPath, storage) {
+  const validation = v4.safeParse(AccountStorageSchema, storage);
+  if (!validation.success) {
+    throw new Error("Invalid account storage payload");
+  }
+  await writeAtomicText(targetPath, `${JSON.stringify(validation.output, null, 2)}
+`);
+}
+async function ensureStorageFileExists(targetPath) {
+  await fs4.mkdir(dirname4(targetPath), { recursive: true });
+  const emptyContent = `${JSON.stringify(createEmptyStorage(), null, 2)}
+`;
+  try {
+    await fs4.writeFile(targetPath, emptyContent, { flag: "wx", mode: FILE_MODE });
+  } catch (error) {
+    if (getErrorCode(error) !== "EEXIST") throw error;
+  }
+}
+async function withFileLock(fn) {
+  const storagePath = getStoragePath2();
+  await ensureStorageFileExists(storagePath);
+  let release = null;
+  try {
+    release = await lockfile.lock(storagePath, LOCK_OPTIONS);
+    return await fn(storagePath);
+  } finally {
+    if (release) {
+      try {
+        await release();
+      } catch {
+      }
+    }
+  }
+}
+var AccountStore = class {
+  async load() {
+    const storage = await loadAccounts();
+    return storage ?? createEmptyStorage();
+  }
+  async readCredentials(uuid) {
+    const storagePath = getStoragePath2();
+    const storage = await readStorageFromDisk(storagePath, false);
+    if (!storage) return null;
+    const account = storage.accounts.find((a) => a.uuid === uuid);
+    if (!account) return null;
+    return {
+      refreshToken: account.refreshToken,
+      accessToken: account.accessToken,
+      expiresAt: account.expiresAt,
+      accountId: account.accountId
+    };
+  }
+  async mutateAccount(uuid, fn) {
+    return await withFileLock(async (storagePath) => {
+      const current = await readStorageFromDisk(storagePath, false);
+      if (!current) return null;
+      const account = current.accounts.find((a) => a.uuid === uuid);
+      if (!account) return null;
+      fn(account);
+      await writeStorageAtomic(storagePath, current);
+      return { ...account };
+    });
+  }
+  async mutateStorage(fn) {
+    await withFileLock(async (storagePath) => {
+      const current = await readStorageFromDisk(storagePath, false) ?? createEmptyStorage();
+      fn(current);
+      await writeStorageAtomic(storagePath, current);
+    });
+  }
+  async addAccount(account) {
+    await withFileLock(async (storagePath) => {
+      const current = await readStorageFromDisk(storagePath, false) ?? createEmptyStorage();
+      const exists = current.accounts.some(
+        (a) => a.uuid === account.uuid || a.refreshToken === account.refreshToken
+      );
+      if (exists) return;
+      current.accounts.push(account);
+      await writeStorageAtomic(storagePath, current);
+    });
+  }
+  async removeAccount(uuid) {
+    return await withFileLock(async (storagePath) => {
+      const current = await readStorageFromDisk(storagePath, false);
+      if (!current) return false;
+      const initialLength = current.accounts.length;
+      current.accounts = current.accounts.filter((a) => a.uuid !== uuid);
+      if (current.accounts.length === initialLength) return false;
+      if (current.activeAccountUuid === uuid) {
+        current.activeAccountUuid = current.accounts[0]?.uuid;
+      }
+      await writeStorageAtomic(storagePath, current);
+      return true;
+    });
+  }
+  async setActiveUuid(uuid) {
+    await this.mutateStorage((storage) => {
+      storage.activeAccountUuid = uuid;
+    });
+  }
+  async clear() {
+    await withFileLock(async (storagePath) => {
+      await writeStorageAtomic(storagePath, createEmptyStorage());
+    });
+  }
+};
+// src/executor.ts
+var MIN_MAX_RETRIES = 6;
+var RETRIES_PER_ACCOUNT = 3;
+var MAX_SERVER_RETRIES_PER_ATTEMPT = 2;
+var MAX_RESOLVE_ATTEMPTS = 10;
+var SERVER_RETRY_BASE_MS = 1e3;
+var SERVER_RETRY_MAX_MS = 4e3;
+var PERMANENT_AUTH_FAILURE_STATUSES = /* @__PURE__ */ new Set([400, 401, 403]);
+function createExecutorForProvider(providerName, dependencies) {
+  const {
+    handleRateLimitResponse,
+    formatWaitTime: formatWaitTime2,
+    sleep: sleep2,
+    showToast: showToast2,
+    getAccountLabel: getAccountLabel2
+  } = dependencies;
+  async function executeWithAccountRotation(manager, runtimeFactory, client, input, init) {
+    const maxRetries = Math.max(MIN_MAX_RETRIES, manager.getAccountCount() * RETRIES_PER_ACCOUNT);
+    let retries = 0;
+    let previousAccountUuid;
+    while (true) {
+      if (++retries > maxRetries) {
+        throw new Error(
+          `Exhausted ${maxRetries} retries across all accounts. All attempts failed due to auth errors, rate limits, or token issues.`
+        );
+      }
+      await manager.refresh();
+      const account = await resolveAccount(manager, client);
+      const accountUuid = account.uuid;
+      if (!accountUuid) continue;
+      if (previousAccountUuid && accountUuid !== previousAccountUuid && manager.getAccountCount() > 1) {
+        void showToast2(client, `Switched to ${getAccountLabel2(account)}`, "info");
+      }
+      previousAccountUuid = accountUuid;
+      let runtime;
+      let response;
+      try {
+        runtime = await runtimeFactory.getRuntime(accountUuid);
+        response = await runtime.fetch(input, init);
+      } catch (error) {
+        if (await handleRuntimeFetchFailure(manager, runtimeFactory, client, account, error)) {
+          continue;
+        }
+        void showToast2(client, `${getAccountLabel2(account)} network error \u2014 switching`, "warning");
+        continue;
+      }
+      if (response.status >= 500) {
+        let serverResponse = response;
+        let networkErrorDuringServerRetry = false;
+        let authFailureDuringServerRetry = false;
+        for (let attempt = 0; attempt < MAX_SERVER_RETRIES_PER_ATTEMPT; attempt++) {
+          const backoff = Math.min(SERVER_RETRY_BASE_MS * 2 ** attempt, SERVER_RETRY_MAX_MS);
+          const jitteredBackoff = backoff * (0.5 + Math.random() * 0.5);
+          await sleep2(jitteredBackoff);
+          try {
+            serverResponse = await runtime.fetch(input, init);
+          } catch (error) {
+            if (await handleRuntimeFetchFailure(manager, runtimeFactory, client, account, error)) {
+              authFailureDuringServerRetry = true;
+              break;
+            }
+            networkErrorDuringServerRetry = true;
+            void showToast2(client, `${getAccountLabel2(account)} network error \u2014 switching`, "warning");
+            break;
+          }
+          if (serverResponse.status < 500) break;
+        }
+        if (authFailureDuringServerRetry) {
+          continue;
+        }
+        if (networkErrorDuringServerRetry || serverResponse.status >= 500) {
+          continue;
+        }
+        response = serverResponse;
+      }
+      if (response.status === 401) {
+        runtimeFactory.invalidate(accountUuid);
+        try {
+          const retryRuntime = await runtimeFactory.getRuntime(accountUuid);
+          const retryResponse = await retryRuntime.fetch(input, init);
+          if (retryResponse.status !== 401) {
+            await manager.markSuccess(accountUuid);
+            return retryResponse;
+          }
+        } catch (error) {
+          if (await handleRuntimeFetchFailure(manager, runtimeFactory, client, account, error)) {
+            continue;
+          }
+          continue;
+        }
+        await manager.markAuthFailure(accountUuid, { ok: false, permanent: false });
+        await manager.refresh();
+        if (!manager.hasAnyUsableAccount()) {
+          void showToast2(client, "All accounts have auth failures.", "error");
+          throw new Error(
+            `All ${providerName} accounts have authentication failures. Re-authenticate with \`opencode auth login\`.`
+          );
+        }
+        void showToast2(client, `${getAccountLabel2(account)} auth failed \u2014 switching to next account.`, "warning");
+        continue;
+      }
+      if (response.status === 403) {
+        const revoked = await isRevokedTokenResponse(response);
+        if (revoked) {
+          await manager.markRevoked(accountUuid);
+          await manager.refresh();
+          void showToast2(
+            client,
+            `${getAccountLabel2(account)} disabled: OAuth token revoked.`,
+            "error"
+          );
+          if (!manager.hasAnyUsableAccount()) {
+            throw new Error(
+              `All ${providerName} accounts have been revoked or disabled. Re-authenticate with \`opencode auth login\`.`
+            );
+          }
+          continue;
+        }
+      }
+      if (response.status === 429) {
+        await handleRateLimitResponse(manager, client, account, response);
+        continue;
+      }
+      await manager.markSuccess(accountUuid);
+      return response;
+    }
+  }
+  async function handleRuntimeFetchFailure(manager, runtimeFactory, client, account, error) {
+    const refreshFailureStatus = getRefreshFailureStatus(error);
+    if (refreshFailureStatus === void 0) return false;
+    if (!account.uuid) return false;
+    const accountUuid = account.uuid;
+    runtimeFactory.invalidate(accountUuid);
+    await manager.markAuthFailure(accountUuid, {
+      ok: false,
+      permanent: PERMANENT_AUTH_FAILURE_STATUSES.has(refreshFailureStatus)
+    });
+    await manager.refresh();
+    if (!manager.hasAnyUsableAccount()) {
+      void showToast2(client, "All accounts have auth failures.", "error");
+      throw new Error(
+        `All ${providerName} accounts have authentication failures. Re-authenticate with \`opencode auth login\`.`
+      );
+    }
+    void showToast2(client, `${getAccountLabel2(account)} auth failed \u2014 switching to next account.`, "warning");
+    return true;
+  }
+  async function resolveAccount(manager, client) {
+    let attempts = 0;
+    while (true) {
+      if (++attempts > MAX_RESOLVE_ATTEMPTS) {
+        throw new Error(
+          `Failed to resolve an available account after ${MAX_RESOLVE_ATTEMPTS} attempts. All accounts may be rate-limited or disabled.`
+        );
+      }
+      const account = await manager.selectAccount();
+      if (account) return account;
+      if (!manager.hasAnyUsableAccount()) {
+        throw new Error(
+          `All ${providerName} accounts are disabled. Re-authenticate with \`opencode auth login\`.`
+        );
+      }
+      const waitMs = manager.getMinWaitTime();
+      if (waitMs <= 0) {
+        throw new Error(
+          `All ${providerName} accounts are rate-limited. Add more accounts with \`opencode auth login\` or wait.`
+        );
+      }
+      await showToast2(
+        client,
+        `All ${manager.getAccountCount()} account(s) rate-limited. Waiting ${formatWaitTime2(waitMs)}...`,
+        "warning"
+      );
+      await sleep2(waitMs);
+    }
+  }
+  return {
+    executeWithAccountRotation
+  };
+}
+function getRefreshFailureStatus(error) {
+  if (!(error instanceof Error)) return void 0;
+  const matched = error.message.match(/Token refresh failed:\s*(\d{3})/);
+  if (!matched) return void 0;
+  const status = Number(matched[1]);
+  return Number.isFinite(status) ? status : void 0;
+}
+async function isRevokedTokenResponse(response) {
+  try {
+    const cloned = response.clone();
+    const body = await cloned.text();
+    return body.includes("revoked");
+  } catch {
+    return false;
+  }
+}
+// src/proactive-refresh.ts
+var INITIAL_DELAY_MS = 5e3;
+function createProactiveRefreshQueueForProvider(dependencies) {
+  const {
+    getConfig: getConfig2,
+    refreshToken,
+    isTokenExpired,
+    debugLog: debugLog2
+  } = dependencies;
+  return class ProactiveRefreshQueue {
+    constructor(client, store, onInvalidate) {
+      this.client = client;
+      this.store = store;
+      this.onInvalidate = onInvalidate;
+    }
+    timeoutHandle = null;
+    runToken = 0;
+    inFlight = null;
+    start() {
+      const config = getConfig2();
+      if (!config.proactive_refresh) return;
+      this.runToken++;
+      this.scheduleNext(this.runToken, INITIAL_DELAY_MS);
+      debugLog2(this.client, "Proactive refresh started", {
+        intervalSeconds: config.proactive_refresh_interval_seconds,
+        bufferSeconds: config.proactive_refresh_buffer_seconds
+      });
+    }
+    async stop() {
+      this.runToken++;
+      if (this.timeoutHandle) {
+        clearTimeout(this.timeoutHandle);
+        this.timeoutHandle = null;
+      }
+      if (this.inFlight) {
+        await this.inFlight;
+        this.inFlight = null;
+      }
+      debugLog2(this.client, "Proactive refresh stopped");
+    }
+    scheduleNext(token, delayMs) {
+      this.timeoutHandle = setTimeout(() => {
+        if (token !== this.runToken) return;
+        this.inFlight = this.runCheck(token).finally(() => {
+          this.inFlight = null;
+        });
+      }, delayMs);
+    }
+    needsProactiveRefresh(account) {
+      if (!account.accessToken || !account.expiresAt) return false;
+      if (isTokenExpired(account)) return false;
+      const bufferMs = getConfig2().proactive_refresh_buffer_seconds * 1e3;
+      return account.expiresAt <= Date.now() + bufferMs;
+    }
+    async runCheck(token) {
+      try {
+        const stored = await this.store.load();
+        if (token !== this.runToken) return;
+        const candidates = stored.accounts.filter(
+          (a) => a.enabled !== false && !a.isAuthDisabled && a.uuid && this.needsProactiveRefresh(a)
+        );
+        if (candidates.length === 0) return;
+        debugLog2(this.client, `Proactive refresh: ${candidates.length} account(s) approaching expiry`);
+        for (const account of candidates) {
+          if (token !== this.runToken) return;
+          const credentials = await this.store.readCredentials(account.uuid);
+          if (!credentials || !this.needsProactiveRefresh(credentials)) continue;
+          const result = await refreshToken(credentials.refreshToken, account.uuid, this.client);
+          if (result.ok) {
+            await this.store.mutateAccount(account.uuid, (target) => {
+              target.accessToken = result.patch.accessToken;
+              target.expiresAt = result.patch.expiresAt;
+              if (result.patch.refreshToken) target.refreshToken = result.patch.refreshToken;
+              if (result.patch.uuid) target.uuid = result.patch.uuid;
+              if (result.patch.email) target.email = result.patch.email;
+              if (result.patch.accountId) target.accountId = result.patch.accountId;
+              target.consecutiveAuthFailures = 0;
+              target.isAuthDisabled = false;
+              target.authDisabledReason = void 0;
+            });
+            this.onInvalidate?.(account.uuid);
+          } else {
+            await this.persistFailure(account, result.permanent);
+          }
+        }
+      } catch (error) {
+        debugLog2(this.client, `Proactive refresh check error: ${error}`);
+      } finally {
+        if (token === this.runToken) {
+          const intervalMs = getConfig2().proactive_refresh_interval_seconds * 1e3;
+          this.scheduleNext(token, intervalMs);
+        }
+      }
+    }
+    async persistFailure(account, permanent) {
+      try {
+        await this.store.mutateAccount(account.uuid, (target) => {
+          if (permanent) {
+            target.isAuthDisabled = true;
+            target.authDisabledReason = "Token permanently rejected (proactive refresh)";
+          } else {
+            target.consecutiveAuthFailures = (target.consecutiveAuthFailures ?? 0) + 1;
+            const maxFailures = getConfig2().max_consecutive_auth_failures;
+            if (target.consecutiveAuthFailures >= maxFailures) {
+              target.isAuthDisabled = true;
+              target.authDisabledReason = `${maxFailures} consecutive auth failures (proactive refresh)`;
+            }
+          }
+        });
+      } catch {
+        debugLog2(this.client, `Failed to persist auth failure for ${account.uuid}`);
+      }
+    }
+  };
+}
+// src/rate-limit.ts
+var USAGE_FETCH_COOLDOWN_MS = 3e4;
+function createRateLimitHandlers(dependencies) {
+  const {
+    fetchUsage,
+    getConfig: getConfig2,
+    formatWaitTime: formatWaitTime2,
+    getAccountLabel: getAccountLabel2,
+    showToast: showToast2
+  } = dependencies;
+  function retryAfterMsFromResponse(response) {
+    const retryAfterMs = response.headers.get("retry-after-ms");
+    if (retryAfterMs) {
+      const parsed = parseInt(retryAfterMs, 10);
+      if (!isNaN(parsed) && parsed > 0) return parsed;
+    }
+    const retryAfter = response.headers.get("retry-after");
+    if (retryAfter) {
+      const parsed = parseInt(retryAfter, 10);
+      if (!isNaN(parsed) && parsed > 0) return parsed * 1e3;
+    }
+    return getConfig2().default_retry_after_ms;
+  }
+  function getResetMsFromUsage(account) {
+    const usage = account.cachedUsage;
+    if (!usage) return null;
+    const now = Date.now();
+    const candidates = [];
+    if (usage.five_hour?.resets_at) {
+      const ms = Date.parse(usage.five_hour.resets_at) - now;
+      if (ms > 0) candidates.push(ms);
+    }
+    if (usage.seven_day?.resets_at) {
+      const ms = Date.parse(usage.seven_day.resets_at) - now;
+      if (ms > 0) candidates.push(ms);
+    }
+    return candidates.length > 0 ? Math.min(...candidates) : null;
+  }
+  async function fetchUsageLimits(accessToken, accountId) {
+    if (!accessToken) return null;
+    try {
+      const result = await fetchUsage(accessToken, accountId);
+      return result.ok ? result.data : null;
+    } catch {
+      return null;
+    }
+  }
+  async function handleRateLimitResponse(manager, client, account, response) {
+    if (!account.uuid) return;
+    const resetMs = getResetMsFromUsage(account) ?? retryAfterMsFromResponse(response);
+    await manager.markRateLimited(account.uuid, resetMs);
+    const shouldFetchUsage = account.accessToken && (!account.cachedUsageAt || Date.now() - account.cachedUsageAt > USAGE_FETCH_COOLDOWN_MS);
+    if (shouldFetchUsage) {
+      const usage = await fetchUsageLimits(account.accessToken, account.accountId);
+      if (usage) {
+        await manager.applyUsageCache(account.uuid, usage);
+      }
+    }
+    if (manager.getAccountCount() > 1) {
+      void showToast2(
+        client,
+        `${getAccountLabel2(account)} rate-limited (resets in ${formatWaitTime2(resetMs)}). Switching...`,
+        "warning"
+      );
+    }
+  }
+  return {
+    retryAfterMsFromResponse,
+    getResetMsFromUsage,
+    fetchUsageLimits,
+    handleRateLimitResponse
+  };
+}
+// src/auth-migration.ts
+import { promises as fs5 } from "node:fs";
+import { join as join6 } from "node:path";
+var AUTH_JSON_FILENAME = "auth.json";
+function isValidOAuthCredential(value) {
+  if (typeof value !== "object" || value === null) return false;
+  const candidate = value;
+  return candidate.type === "oauth" && typeof candidate.refresh === "string" && candidate.refresh.length > 0;
+}
+function resolveAuthJsonPath() {
+  return join6(getConfigDir2(), AUTH_JSON_FILENAME);
+}
+async function readAuthJson() {
+  const authPath = resolveAuthJsonPath();
+  let content;
+  try {
+    content = await fs5.readFile(authPath, "utf-8");
+  } catch {
+    return null;
+  }
+  try {
+    const parsed = JSON.parse(content);
+    if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
+      return null;
+    }
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+async function migrateFromAuthJson(providerKey, store) {
+  const storage = await store.load();
+  const hasExistingAccounts = storage.accounts.length > 0;
+  if (hasExistingAccounts) return false;
+  const authData = await readAuthJson();
+  if (!authData) return false;
+  const providerCredential = authData[providerKey];
+  if (!isValidOAuthCredential(providerCredential)) return false;
+  const now = Date.now();
+  const newAccount = {
+    uuid: crypto.randomUUID(),
+    refreshToken: providerCredential.refresh,
+    accessToken: providerCredential.access,
+    expiresAt: providerCredential.expires,
+    addedAt: now,
+    lastUsed: now,
+    enabled: true,
+    planTier: "",
+    consecutiveAuthFailures: 0,
+    isAuthDisabled: false
+  };
+  await store.addAccount(newAccount);
+  await store.setActiveUuid(newAccount.uuid);
+  return true;
+}
+// src/ui/ansi.ts
+var ANSI = {
+  hide: "\x1B[?25l",
+  show: "\x1B[?25h",
+  up: (n = 1) => `\x1B[${n}A`,
+  down: (n = 1) => `\x1B[${n}B`,
+  clearLine: "\x1B[2K",
+  cyan: "\x1B[36m",
+  green: "\x1B[32m",
+  red: "\x1B[31m",
+  yellow: "\x1B[33m",
+  dim: "\x1B[2m",
+  bold: "\x1B[1m",
+  reset: "\x1B[0m"
+};
+function parseKey(data) {
+  const s = data.toString();
+  if (s === "\x1B[A" || s === "\x1BOA") return "up";
+  if (s === "\x1B[B" || s === "\x1BOB") return "down";
+  if (s === "\r" || s === "\n") return "enter";
+  if (s === "") return "escape";
+  if (s === "\x1B") return "escape-start";
+  return null;
+}
+function isTTY() {
+  return Boolean(process.stdin.isTTY);
+}
+// src/ui/select.ts
+var ESCAPE_TIMEOUT_MS = 50;
+var COLOR_MAP = {
+  red: ANSI.red,
+  green: ANSI.green,
+  yellow: ANSI.yellow,
+  cyan: ANSI.cyan
+};
+async function select(items, options) {
+  if (!isTTY()) {
+    throw new Error("Interactive select requires a TTY terminal");
+  }
+  const enabledItems = items.filter((i) => !i.disabled && !i.separator);
+  if (enabledItems.length === 0) {
+    throw new Error("All items disabled");
+  }
+  if (enabledItems.length === 1) {
+    return enabledItems[0].value;
+  }
+  const { message, subtitle } = options;
+  const { stdin, stdout } = process;
+  let cursor = items.findIndex((i) => !i.disabled && !i.separator);
+  if (cursor === -1) cursor = 0;
+  let escapeTimeout = null;
+  let isCleanedUp = false;
+  let isFirstRender = true;
+  const getTotalLines = () => {
+    const subtitleLines = subtitle ? 3 : 0;
+    return 1 + subtitleLines + items.length + 1 + 1;
+  };
+  const renderItemLabel = (item, isSelected) => {
+    const colorCode = item.color ? COLOR_MAP[item.color] ?? "" : "";
+    if (item.disabled) {
+      return `${ANSI.dim}${item.label} (unavailable)${ANSI.reset}`;
+    }
+    const hintSuffix = item.hint ? ` ${ANSI.dim}${item.hint}${ANSI.reset}` : "";
+    if (isSelected) {
+      const label = colorCode ? `${colorCode}${item.label}${ANSI.reset}` : item.label;
+      return `${label}${hintSuffix}`;
+    }
+    const dimLabel = colorCode ? `${ANSI.dim}${colorCode}${item.label}${ANSI.reset}` : `${ANSI.dim}${item.label}${ANSI.reset}`;
+    return `${dimLabel}${hintSuffix}`;
+  };
+  const render = () => {
+    const totalLines = getTotalLines();
+    if (!isFirstRender) {
+      stdout.write(ANSI.up(totalLines) + "\r");
+    }
+    isFirstRender = false;
+    stdout.write(`${ANSI.clearLine}${ANSI.dim}\u250C  ${ANSI.reset}${message}
+`);
+    if (subtitle) {
+      stdout.write(`${ANSI.clearLine}${ANSI.dim}\u2502${ANSI.reset}
+`);
+      stdout.write(`${ANSI.clearLine}${ANSI.cyan}\u25C6${ANSI.reset}  ${subtitle}
+`);
+      stdout.write(`${ANSI.clearLine}
+`);
+    }
+    for (let i = 0; i < items.length; i++) {
+      const item = items[i];
+      if (!item) continue;
+      if (item.separator) {
+        stdout.write(`${ANSI.clearLine}${ANSI.dim}\u2502${ANSI.reset}
+`);
+        continue;
+      }
+      const isSelected = i === cursor;
+      const labelText = renderItemLabel(item, isSelected);
+      const bullet = isSelected ? `${ANSI.green}\u25CF${ANSI.reset}` : `${ANSI.dim}\u25CB${ANSI.reset}`;
+      stdout.write(`${ANSI.clearLine}${ANSI.cyan}\u2502${ANSI.reset}  ${bullet} ${labelText}
+`);
+    }
+    stdout.write(`${ANSI.clearLine}${ANSI.cyan}\u2502${ANSI.reset}  ${ANSI.dim}\u2191/\u2193 to select \u2022 Enter: confirm${ANSI.reset}
+`);
+    stdout.write(`${ANSI.clearLine}${ANSI.cyan}\u2514${ANSI.reset}
+`);
+  };
+  return new Promise((resolve) => {
+    const wasRaw = stdin.isRaw ?? false;
+    const cleanup = () => {
+      if (isCleanedUp) return;
+      isCleanedUp = true;
+      if (escapeTimeout) {
+        clearTimeout(escapeTimeout);
+        escapeTimeout = null;
+      }
+      try {
+        stdin.removeListener("data", onKey);
+        stdin.setRawMode(wasRaw);
+        stdin.pause();
+        stdout.write(ANSI.show);
+      } catch {
+      }
+      process.removeListener("SIGINT", onSignal);
+      process.removeListener("SIGTERM", onSignal);
+    };
+    const onSignal = () => {
+      cleanup();
+      resolve(null);
+    };
+    const finishWithValue = (value) => {
+      cleanup();
+      resolve(value);
+    };
+    const findNextSelectable = (from, direction) => {
+      if (items.length === 0) return from;
+      let next = from;
+      do {
+        next = (next + direction + items.length) % items.length;
+      } while (items[next]?.disabled || items[next]?.separator);
+      return next;
+    };
+    const onKey = (data) => {
+      if (escapeTimeout) {
+        clearTimeout(escapeTimeout);
+        escapeTimeout = null;
+      }
+      const action = parseKey(data);
+      switch (action) {
+        case "up":
+          cursor = findNextSelectable(cursor, -1);
+          render();
+          return;
+        case "down":
+          cursor = findNextSelectable(cursor, 1);
+          render();
+          return;
+        case "enter":
+          finishWithValue(items[cursor]?.value ?? null);
+          return;
+        case "escape":
+          finishWithValue(null);
+          return;
+        case "escape-start":
+          escapeTimeout = setTimeout(() => {
+            finishWithValue(null);
+          }, ESCAPE_TIMEOUT_MS);
+          return;
+        default:
+          return;
+      }
+    };
+    process.once("SIGINT", onSignal);
+    process.once("SIGTERM", onSignal);
+    try {
+      stdin.setRawMode(true);
+    } catch {
+      cleanup();
+      resolve(null);
+      return;
+    }
+    stdin.resume();
+    stdout.write(ANSI.hide);
+    render();
+    stdin.on("data", onKey);
+  });
+}
+// src/ui/confirm.ts
+async function confirm(message, defaultYes = false) {
+  const items = defaultYes ? [
+    { label: "Yes", value: true },
+    { label: "No", value: false }
+  ] : [
+    { label: "No", value: false },
+    { label: "Yes", value: true }
+  ];
+  const result = await select(items, { message });
+  return result ?? false;
+}
+export {
+  ACCOUNTS_FILENAME,
+  ANSI,
+  AccountSelectionStrategySchema,
+  AccountStorageSchema,
+  AccountStore,
+  CredentialRefreshPatchSchema,
+  OAuthCredentialsSchema,
+  PluginConfigSchema,
+  StoredAccountSchema,
+  UsageLimitEntrySchema,
+  UsageLimitsSchema,
+  confirm,
+  createAccountManagerForProvider,
+  createExecutorForProvider,
+  createMinimalClient,
+  createProactiveRefreshQueueForProvider,
+  createRateLimitHandlers,
+  debugLog,
+  deduplicateAccounts,
+  formatWaitTime,
+  getAccountLabel,
+  getConfig,
+  getConfigDir2 as getConfigDir,
+  getErrorCode,
+  initCoreConfig,
+  isClaimedByOther,
+  isTTY,
+  loadAccounts,
+  loadConfig,
+  migrateFromAuthJson,
+  parseKey,
+  readClaims,
+  readStorageFromDisk,
+  releaseClaim,
+  resetConfigCache,
+  select,
+  setAccountsFilename,
+  setConfigGetter,
+  showToast,
+  sleep,
+  updateConfigField,
+  writeClaim
+};