opencode-openai-codex-multi-auth 4.5.5 → 4.5.9

package/dist/lib/storage.js

@@ -1,15 +1,157 @@
-import { existsSync } from "node:fs";
-import { promises as fs } from "node:fs";
+import { randomBytes } from "node:crypto";
+import { existsSync, promises as fs } from "node:fs";
 import { homedir } from "node:os";
 import { dirname, join } from "node:path";
+import lockfile from "proper-lockfile";
 import { findAccountMatchIndex } from "./account-matching.js";
 const STORAGE_FILE = "openai-codex-accounts.json";
 const AUTH_DEBUG_ENABLED = process.env.OPENCODE_OPENAI_AUTH_DEBUG === "1";
+const MAX_QUARANTINE_FILES = 20;
 function debug(...args) {
     if (!AUTH_DEBUG_ENABLED)
         return;
     console.debug(...args);
 }
+function hasCompleteIdentity(record) {
+    return Boolean(record.accountId && record.email && record.plan);
+}
+function normalizeAccountRecord(candidate, now) {
+    if (!candidate || typeof candidate !== "object")
+        return null;
+    const record = candidate;
+    const refreshTokenRaw = typeof record.refreshToken === "string"
+        ? record.refreshToken
+        : typeof record.refresh_token === "string"
+            ? record.refresh_token
+            : typeof record.refresh === "string"
+                ? record.refresh
+                : undefined;
+    const refreshToken = typeof refreshTokenRaw === "string" ? refreshTokenRaw.trim() : "";
+    if (!refreshToken)
+        return null;
+    const accountIdRaw = typeof record.accountId === "string"
+        ? record.accountId
+        : typeof record.account_id === "string"
+            ? record.account_id
+            : undefined;
+    const accountId = typeof accountIdRaw === "string" && accountIdRaw.trim() ? accountIdRaw : undefined;
+    const emailRaw = typeof record.email === "string" ? record.email : undefined;
+    const email = typeof emailRaw === "string" && emailRaw.trim() ? emailRaw : undefined;
+    const planRaw = typeof record.plan === "string"
+        ? record.plan
+        : typeof record.chatgpt_plan_type === "string"
+            ? record.chatgpt_plan_type
+            : undefined;
+    const plan = typeof planRaw === "string" && planRaw.trim() ? planRaw : undefined;
+    const enabled = typeof record.enabled === "boolean" ? record.enabled : undefined;
+    const addedAt = typeof record.addedAt === "number" && Number.isFinite(record.addedAt)
+        ? record.addedAt
+        : now;
+    const lastUsed = typeof record.lastUsed === "number" && Number.isFinite(record.lastUsed)
+        ? record.lastUsed
+        : now;
+    const lastSwitchReason = typeof record.lastSwitchReason === "string" ? record.lastSwitchReason : undefined;
+    const rateLimitResetTimes = record.rateLimitResetTimes && typeof record.rateLimitResetTimes === "object"
+        ? record.rateLimitResetTimes
+        : undefined;
+    const coolingDownUntil = typeof record.coolingDownUntil === "number" && Number.isFinite(record.coolingDownUntil)
+        ? record.coolingDownUntil
+        : undefined;
+    const cooldownReasonRaw = typeof record.cooldownReason === "string" ? record.cooldownReason : undefined;
+    const cooldownReason = cooldownReasonRaw === "auth-failure" ? "auth-failure" : undefined;
+    return {
+        refreshToken,
+        accountId,
+        email,
+        plan,
+        enabled,
+        addedAt: Math.max(0, Math.floor(addedAt)),
+        lastUsed: Math.max(0, Math.floor(lastUsed)),
+        lastSwitchReason: lastSwitchReason === "rate-limit" ||
+            lastSwitchReason === "initial" ||
+            lastSwitchReason === "rotation"
+            ? lastSwitchReason
+            : undefined,
+        rateLimitResetTimes,
+        coolingDownUntil,
+        cooldownReason,
+    };
+}
+const LOCK_OPTIONS = {
+    stale: 10_000,
+    retries: {
+        retries: 5,
+        minTimeout: 100,
+        maxTimeout: 1000,
+        factor: 2,
+    },
+    realpath: false,
+};
+async function ensureFileExists(path) {
+    if (existsSync(path))
+        return;
+    await fs.mkdir(dirname(path), { recursive: true });
+    await fs.writeFile(path, JSON.stringify({ version: 3, accounts: [], activeIndex: 0, activeIndexByFamily: {} }, null, 2), "utf-8");
+}
+async function withFileLock(path, fn) {
+    let release = null;
+    try {
+        await ensureFileExists(path).catch(() => undefined);
+        release = await lockfile.lock(path, LOCK_OPTIONS);
+        return await fn();
+    }
+    finally {
+        if (release) {
+            try {
+                await release();
+            }
+            catch {
+                // ignore lock release errors
+            }
+        }
+    }
+}
+async function ensurePrivateFileMode(path) {
+    try {
+        // Best-effort: make quarantine files readable only by the current user.
+        await fs.chmod(path, 0o600);
+    }
+    catch {
+        // ignore (unsupported on some platforms/filesystems)
+    }
+}
+async function cleanupQuarantineFiles(storagePath) {
+    try {
+        const dir = dirname(storagePath);
+        const entries = await fs.readdir(dir);
+        const prefix = `${STORAGE_FILE}.quarantine-`;
+        const matches = entries
+            .filter((name) => name.startsWith(prefix) && name.endsWith(".json"))
+            .map((name) => {
+            const stampRaw = name.slice(prefix.length, name.length - ".json".length);
+            const stamp = Number.parseInt(stampRaw, 10);
+            return {
+                name,
+                stamp: Number.isFinite(stamp) ? stamp : 0,
+            };
+        })
+            .sort((a, b) => a.stamp - b.stamp);
+        if (matches.length <= MAX_QUARANTINE_FILES)
+            return;
+        const toDelete = matches.slice(0, matches.length - MAX_QUARANTINE_FILES);
+        await Promise.all(toDelete.map(async (entry) => {
+            try {
+                await fs.unlink(join(dir, entry.name));
+            }
+            catch {
+                // ignore per-file deletion failures
+            }
+        }));
+    }
+    catch {
+        // ignore cleanup failures
+    }
+}
 function getOpencodeConfigDir() {
     const xdgConfigHome = process.env.XDG_CONFIG_HOME;
     if (xdgConfigHome && xdgConfigHome.trim()) {
@@ -23,71 +165,23 @@ function getLegacyOpencodeDir() {
 export function getStoragePath() {
     return join(getOpencodeConfigDir(), STORAGE_FILE);
 }
+export async function backupAccountsFile() {
+    const filePath = getStoragePath();
+    if (!existsSync(filePath))
+        return null;
+    const backupPath = `${filePath}.bak-${Date.now()}`;
+    await withFileLock(filePath, async () => {
+        if (!existsSync(filePath))
+            return;
+        await fs.copyFile(filePath, backupPath);
+    });
+    return backupPath;
+}
 function getLegacyStoragePath() {
     return join(getLegacyOpencodeDir(), STORAGE_FILE);
 }
 function normalizeStorage(parsed) {
     const now = Date.now();
-    const normalizeAccountRecord = (candidate) => {
-        if (!candidate || typeof candidate !== "object")
-            return null;
-        const record = candidate;
-        const refreshTokenRaw = typeof record.refreshToken === "string"
-            ? record.refreshToken
-            : typeof record.refresh_token === "string"
-                ? record.refresh_token
-                : typeof record.refresh === "string"
-                    ? record.refresh
-                    : undefined;
-        const refreshToken = typeof refreshTokenRaw === "string" ? refreshTokenRaw.trim() : "";
-        if (!refreshToken)
-            return null;
-        const accountIdRaw = typeof record.accountId === "string"
-            ? record.accountId
-            : typeof record.account_id === "string"
-                ? record.account_id
-                : undefined;
-        const accountId = typeof accountIdRaw === "string" && accountIdRaw.trim() ? accountIdRaw : undefined;
-        const emailRaw = typeof record.email === "string" ? record.email : undefined;
-        const email = typeof emailRaw === "string" && emailRaw.trim() ? emailRaw : undefined;
-        const planRaw = typeof record.plan === "string"
-            ? record.plan
-            : typeof record.chatgpt_plan_type === "string"
-                ? record.chatgpt_plan_type
-                : undefined;
-        const plan = typeof planRaw === "string" && planRaw.trim() ? planRaw : undefined;
-        const addedAt = typeof record.addedAt === "number" && Number.isFinite(record.addedAt)
-            ? record.addedAt
-            : now;
-        const lastUsed = typeof record.lastUsed === "number" && Number.isFinite(record.lastUsed)
-            ? record.lastUsed
-            : now;
-        const lastSwitchReason = typeof record.lastSwitchReason === "string" ? record.lastSwitchReason : undefined;
-        const rateLimitResetTimes = record.rateLimitResetTimes && typeof record.rateLimitResetTimes === "object"
-            ? record.rateLimitResetTimes
-            : undefined;
-        const coolingDownUntil = typeof record.coolingDownUntil === "number" && Number.isFinite(record.coolingDownUntil)
-            ? record.coolingDownUntil
-            : undefined;
-        const cooldownReasonRaw = typeof record.cooldownReason === "string" ? record.cooldownReason : undefined;
-        const cooldownReason = cooldownReasonRaw === "auth-failure" ? "auth-failure" : undefined;
-        return {
-            refreshToken,
-            accountId,
-            email,
-            plan,
-            addedAt: Math.max(0, Math.floor(addedAt)),
-            lastUsed: Math.max(0, Math.floor(lastUsed)),
-            lastSwitchReason: lastSwitchReason === "rate-limit" ||
-                lastSwitchReason === "initial" ||
-                lastSwitchReason === "rotation"
-                ? lastSwitchReason
-                : undefined,
-            rateLimitResetTimes,
-            coolingDownUntil,
-            cooldownReason,
-        };
-    };
     let accountsSource;
     let activeIndexSource = 0;
     let activeIndexByFamilySource = undefined;
@@ -105,18 +199,51 @@ function normalizeStorage(parsed) {
     }
     if (!Array.isArray(accountsSource))
         return null;
-    const accounts = accountsSource
-        .map(normalizeAccountRecord)
+    const normalizedAccounts = accountsSource
+        .map((entry) => normalizeAccountRecord(entry, now))
         .filter((a) => a !== null);
-    if (accounts.length === 0)
-        return null;
-    const activeIndex = typeof activeIndexSource === "number" && Number.isFinite(activeIndexSource)
+    const activeIndexRaw = typeof activeIndexSource === "number" && Number.isFinite(activeIndexSource)
         ? Math.max(0, Math.floor(activeIndexSource))
         : 0;
-    const clampedActiveIndex = accounts.length > 0 ? Math.min(activeIndex, accounts.length - 1) : 0;
-    const activeIndexByFamily = activeIndexByFamilySource && typeof activeIndexByFamilySource === "object"
+    const activeIndexClamped = normalizedAccounts.length > 0
+        ? Math.min(activeIndexRaw, normalizedAccounts.length - 1)
+        : 0;
+    const activeCandidate = normalizedAccounts[activeIndexClamped] ?? null;
+    const activeIndexByFamilyRaw = (activeIndexByFamilySource && typeof activeIndexByFamilySource === "object"
         ? activeIndexByFamilySource
-        : {};
+        : {}) ?? {};
+    const activeCandidatesByFamily = {};
+    for (const [family, index] of Object.entries(activeIndexByFamilyRaw)) {
+        if (typeof index !== "number" || !Number.isFinite(index))
+            continue;
+        const clamped = normalizedAccounts.length > 0
+            ? Math.min(Math.max(0, Math.floor(index)), normalizedAccounts.length - 1)
+            : 0;
+        const candidate = normalizedAccounts[clamped];
+        if (candidate)
+            activeCandidatesByFamily[family] = candidate;
+    }
+    const { accounts } = dedupeRefreshTokens(normalizedAccounts);
+    if (accounts.length === 0)
+        return null;
+    const mappedActiveIndex = activeCandidate
+        ? findAccountMatchIndex(accounts, {
+            accountId: activeCandidate.accountId,
+            plan: activeCandidate.plan,
+            email: activeCandidate.email,
+        })
+        : -1;
+    const fallbackActiveIndex = accounts.length > 0 ? Math.min(activeIndexRaw, accounts.length - 1) : 0;
+    const clampedActiveIndex = mappedActiveIndex >= 0 ? mappedActiveIndex : fallbackActiveIndex;
+    const activeIndexByFamily = {};
+    for (const [family, candidate] of Object.entries(activeCandidatesByFamily)) {
+        const mappedIndex = findAccountMatchIndex(accounts, {
+            accountId: candidate.accountId,
+            plan: candidate.plan,
+            email: candidate.email,
+        });
+        activeIndexByFamily[family] = mappedIndex >= 0 ? mappedIndex : clampedActiveIndex;
+    }
     return {
         version: 3,
         accounts,
@@ -135,6 +262,33 @@ function areRateLimitStatesEqual(left, right) {
     }
     return true;
 }
+function shouldPreferDuplicate(candidate, existing) {
+    if (candidate.lastUsed !== existing.lastUsed) {
+        return candidate.lastUsed > existing.lastUsed;
+    }
+    return candidate.addedAt > existing.addedAt;
+}
+function dedupeRefreshTokens(accounts) {
+    const deduped = [];
+    const indexByToken = new Map();
+    let changed = false;
+    for (const account of accounts) {
+        const existingIndex = indexByToken.get(account.refreshToken);
+        if (existingIndex === undefined) {
+            indexByToken.set(account.refreshToken, deduped.length);
+            deduped.push(account);
+            continue;
+        }
+        const existing = deduped[existingIndex];
+        if (!existing)
+            continue;
+        if (shouldPreferDuplicate(account, existing)) {
+            deduped[existingIndex] = account;
+        }
+        changed = true;
+    }
+    return { accounts: deduped, changed };
+}
 function mergeAccounts(existing, incoming) {
     const merged = existing.map((account) => ({ ...account }));
     let changed = false;
@@ -152,7 +306,7 @@ function mergeAccounts(existing, incoming) {
         const current = merged[matchIndex];
         const updated = { ...current };
         let didUpdate = false;
-        if (!updated.refreshToken && candidate.refreshToken) {
+        if (candidate.refreshToken && candidate.refreshToken !== updated.refreshToken) {
             updated.refreshToken = candidate.refreshToken;
             didUpdate = true;
         }
@@ -168,6 +322,10 @@ function mergeAccounts(existing, incoming) {
             updated.plan = candidate.plan;
             didUpdate = true;
         }
+        if (typeof candidate.enabled === "boolean" && candidate.enabled !== updated.enabled) {
+            updated.enabled = candidate.enabled;
+            didUpdate = true;
+        }
         const candidateAddedAt = typeof candidate.addedAt === "number" && Number.isFinite(candidate.addedAt)
             ? candidate.addedAt
             : undefined;
@@ -195,10 +353,14 @@ function mergeAccounts(existing, incoming) {
             didUpdate = true;
         }
         if (candidate.rateLimitResetTimes) {
-            const mergedRateLimits = {
-                ...candidate.rateLimitResetTimes,
-                ...updated.rateLimitResetTimes,
-            };
+            const mergedRateLimits = { ...(updated.rateLimitResetTimes ?? {}) };
+            for (const [key, value] of Object.entries(candidate.rateLimitResetTimes)) {
+                if (typeof value !== "number")
+                    continue;
+                const currentValue = mergedRateLimits[key];
+                mergedRateLimits[key] =
+                    typeof currentValue === "number" ? Math.max(currentValue, value) : value;
+            }
             const currentRateLimits = updated.rateLimitResetTimes ?? {};
             if (!areRateLimitStatesEqual(currentRateLimits, mergedRateLimits)) {
                 updated.rateLimitResetTimes = mergedRateLimits;
@@ -225,31 +387,54 @@ function mergeAccounts(existing, incoming) {
             changed = true;
         }
     }
-    return { accounts: merged, changed };
+    const deduped = dedupeRefreshTokens(merged);
+    if (deduped.changed)
+        changed = true;
+    return { accounts: deduped.accounts, changed };
+}
+function mergeAccountStorage(existing, incoming) {
+    const { accounts: mergedAccounts } = mergeAccounts(existing.accounts, incoming.accounts);
+    const incomingActive = incoming.activeIndex >= 0 && incoming.activeIndex < incoming.accounts.length
+        ? incoming.accounts[incoming.activeIndex]
+        : null;
+    const mappedIndex = incomingActive
+        ? findAccountMatchIndex(mergedAccounts, {
+            accountId: incomingActive.accountId,
+            plan: incomingActive.plan,
+            email: incomingActive.email,
+        })
+        : -1;
+    const baseActiveIndex = mappedIndex >= 0
+        ? mappedIndex
+        : incoming.accounts.length > 0
+            ? incoming.activeIndex
+            : existing.activeIndex;
+    const activeIndex = mergedAccounts.length > 0
+        ? Math.min(Math.max(0, baseActiveIndex), mergedAccounts.length - 1)
+        : 0;
+    const activeIndexByFamily = {
+        ...(existing.activeIndexByFamily ?? {}),
+        ...(incoming.activeIndexByFamily ?? {}),
+    };
+    return {
+        version: 3,
+        accounts: mergedAccounts,
+        activeIndex,
+        activeIndexByFamily,
+    };
 }
 async function migrateLegacyAccountsFileIfNeeded() {
     const newPath = getStoragePath();
     const legacyPath = getLegacyStoragePath();
-    const newExists = existsSync(newPath);
-    const legacyExists = existsSync(legacyPath);
-    if (!legacyExists)
+    if (!existsSync(legacyPath))
         return;
-    if (!newExists) {
-        await fs.mkdir(dirname(newPath), { recursive: true });
-        try {
-            await fs.rename(legacyPath, newPath);
-        }
-        catch {
-            try {
-                await fs.copyFile(legacyPath, newPath);
-                await fs.unlink(legacyPath);
-            }
-            catch {
-                // Best-effort; ignore.
-            }
-        }
+    await withFileLock(newPath, async () => {
+        await migrateLegacyAccountsFileIfNeededLocked(newPath, legacyPath);
+    });
+}
+async function migrateLegacyAccountsFileIfNeededLocked(newPath, legacyPath) {
+    if (!existsSync(legacyPath))
         return;
-    }
     try {
         const [newRaw, legacyRaw] = await Promise.all([
             fs.readFile(newPath, "utf-8"),
@@ -262,6 +447,12 @@ async function migrateLegacyAccountsFileIfNeeded() {
         if (!newStorage) {
             debug("[StorageMigration] New storage invalid, adopting legacy accounts");
             await fs.writeFile(newPath, JSON.stringify(legacyStorage, null, 2), "utf-8");
+            try {
+                await fs.unlink(legacyPath);
+            }
+            catch {
+                // Best-effort; ignore.
+            }
             return;
         }
         const { accounts: mergedAccounts, changed } = mergeAccounts(newStorage.accounts, legacyStorage.accounts);
@@ -294,6 +485,178 @@ async function migrateLegacyAccountsFileIfNeeded() {
         // Best-effort; ignore.
     }
 }
+async function loadAccountsUnsafe(filePath) {
+    try {
+        const raw = await fs.readFile(filePath, "utf-8");
+        const parsed = JSON.parse(raw);
+        return normalizeStorage(parsed);
+    }
+    catch {
+        return null;
+    }
+}
+function extractAccountsSource(parsed) {
+    if (Array.isArray(parsed)) {
+        return { accountsSource: parsed, activeIndexSource: 0, activeIndexByFamilySource: undefined };
+    }
+    if (parsed && typeof parsed === "object") {
+        const storage = parsed;
+        if (!Array.isArray(storage.accounts))
+            return null;
+        return {
+            accountsSource: storage.accounts,
+            activeIndexSource: storage.activeIndex,
+            activeIndexByFamilySource: storage.activeIndexByFamily,
+        };
+    }
+    return null;
+}
+export async function inspectAccountsFile() {
+    const filePath = getStoragePath();
+    if (!existsSync(filePath)) {
+        return { status: "missing", corruptEntries: [], legacyEntries: [], validEntries: [] };
+    }
+    try {
+        const raw = await fs.readFile(filePath, "utf-8");
+        const parsed = JSON.parse(raw);
+        const source = extractAccountsSource(parsed);
+        if (!source) {
+            return {
+                status: "corrupt-file",
+                reason: "invalid-shape",
+                corruptEntries: [],
+                legacyEntries: [],
+                validEntries: [],
+            };
+        }
+        const now = Date.now();
+        const corruptEntries = [];
+        const legacyEntries = [];
+        const validEntries = [];
+        for (const entry of source.accountsSource) {
+            const normalized = normalizeAccountRecord(entry, now);
+            if (!normalized) {
+                corruptEntries.push(entry);
+                continue;
+            }
+            if (!hasCompleteIdentity(normalized)) {
+                legacyEntries.push(normalized);
+                continue;
+            }
+            validEntries.push(normalized);
+        }
+        if (corruptEntries.length > 0 || legacyEntries.length > 0) {
+            return {
+                status: "needs-repair",
+                corruptEntries,
+                legacyEntries,
+                validEntries,
+            };
+        }
+        return { status: "ok", corruptEntries: [], legacyEntries: [], validEntries };
+    }
+    catch {
+        return {
+            status: "corrupt-file",
+            reason: "parse-error",
+            corruptEntries: [],
+            legacyEntries: [],
+            validEntries: [],
+        };
+    }
+}
+async function writeAccountsFile(storage) {
+    const filePath = getStoragePath();
+    await withFileLock(filePath, async () => {
+        const jsonContent = JSON.stringify(storage, null, 2);
+        const tmpPath = `${filePath}.${randomBytes(6).toString("hex")}.tmp`;
+        try {
+            await fs.writeFile(tmpPath, jsonContent, "utf-8");
+            await fs.rename(tmpPath, filePath);
+        }
+        catch (error) {
+            try {
+                await fs.unlink(tmpPath);
+            }
+            catch {
+                // ignore cleanup errors
+            }
+            throw error;
+        }
+    });
+}
+export async function writeQuarantineFile(records, reason) {
+    const filePath = getStoragePath();
+    const quarantinePath = `${filePath}.quarantine-${Date.now()}.json`;
+    await fs.mkdir(dirname(filePath), { recursive: true });
+    const payload = {
+        reason,
+        quarantinedAt: new Date().toISOString(),
+        records,
+    };
+    if (existsSync(filePath)) {
+        await withFileLock(filePath, async () => {
+            await fs.writeFile(quarantinePath, JSON.stringify(payload, null, 2), "utf-8");
+            await ensurePrivateFileMode(quarantinePath);
+            await cleanupQuarantineFiles(filePath);
+        });
+        return quarantinePath;
+    }
+    await fs.writeFile(quarantinePath, JSON.stringify(payload, null, 2), "utf-8");
+    await ensurePrivateFileMode(quarantinePath);
+    await cleanupQuarantineFiles(filePath);
+    return quarantinePath;
+}
+export async function replaceAccountsFile(storage) {
+    await writeAccountsFile(storage);
+}
+export async function quarantineCorruptFile() {
+    const filePath = getStoragePath();
+    if (!existsSync(filePath))
+        return null;
+    const quarantinePath = `${filePath}.quarantine-${Date.now()}.json`;
+    await withFileLock(filePath, async () => {
+        if (!existsSync(filePath))
+            return;
+        await fs.copyFile(filePath, quarantinePath);
+        await ensurePrivateFileMode(quarantinePath);
+        await cleanupQuarantineFiles(filePath);
+    });
+    await writeAccountsFile({
+        version: 3,
+        accounts: [],
+        activeIndex: 0,
+        activeIndexByFamily: {},
+    });
+    return quarantinePath;
+}
+export async function autoQuarantineCorruptAccountsFile() {
+    const inspection = await inspectAccountsFile();
+    if (inspection.status !== "corrupt-file")
+        return null;
+    return await quarantineCorruptFile();
+}
+export async function quarantineAccounts(storage, entries, reason) {
+    if (!entries.length) {
+        return { storage, quarantinePath: await writeQuarantineFile([], reason) };
+    }
+    const tokens = new Set(entries.map((entry) => entry.refreshToken));
+    const remaining = storage.accounts.filter((account) => !tokens.has(account.refreshToken));
+    const normalized = normalizeStorage({
+        accounts: remaining,
+        activeIndex: storage.activeIndex,
+        activeIndexByFamily: storage.activeIndexByFamily,
+    });
+    const updated = normalized ?? {
+        version: 3,
+        accounts: [],
+        activeIndex: 0,
+        activeIndexByFamily: {},
+    };
+    const quarantinePath = await writeQuarantineFile(entries, reason);
+    await writeAccountsFile(updated);
+    return { storage: updated, quarantinePath };
+}
 export async function loadAccounts() {
     await migrateLegacyAccountsFileIfNeeded();
     const filePath = getStoragePath();
@@ -311,26 +674,57 @@ export async function loadAccounts() {
         return null;
     }
 }
+export function toggleAccountEnabled(storage, index) {
+    if (!storage?.accounts)
+        return null;
+    if (!Number.isFinite(index))
+        return null;
+    const targetIndex = Math.floor(index);
+    if (targetIndex < 0 || targetIndex >= storage.accounts.length)
+        return null;
+    const accounts = storage.accounts.map((account, idx) => {
+        if (idx !== targetIndex)
+            return account;
+        const enabled = account.enabled === false ? true : false;
+        return { ...account, enabled };
+    });
+    return { ...storage, accounts };
+}
 export async function saveAccounts(storage) {
     const filePath = getStoragePath();
     debug(`[SaveAccounts] Saving to ${filePath} with ${storage.accounts.length} accounts`);
     try {
-        await fs.mkdir(dirname(filePath), { recursive: true });
-        const jsonContent = JSON.stringify(storage, null, 2);
-        debug(`[SaveAccounts] Writing ${jsonContent.length} bytes`);
-        const tmpPath = `${filePath}.tmp`;
-        await fs.writeFile(tmpPath, jsonContent, "utf-8");
-        await fs.rename(tmpPath, filePath);
-        if (AUTH_DEBUG_ENABLED) {
-            const verifyContent = await fs.readFile(filePath, "utf-8");
-            const verifyStorage = normalizeStorage(JSON.parse(verifyContent));
-            if (verifyStorage) {
-                debug(`[SaveAccounts] Verification successful - ${verifyStorage.accounts.length} accounts in file`);
+        await withFileLock(filePath, async () => {
+            await migrateLegacyAccountsFileIfNeededLocked(filePath, getLegacyStoragePath());
+            const existing = await loadAccountsUnsafe(filePath);
+            const mergedStorage = existing ? mergeAccountStorage(existing, storage) : storage;
+            const jsonContent = JSON.stringify(mergedStorage, null, 2);
+            debug(`[SaveAccounts] Writing ${jsonContent.length} bytes`);
+            const tmpPath = `${filePath}.${randomBytes(6).toString("hex")}.tmp`;
+            try {
+                await fs.writeFile(tmpPath, jsonContent, "utf-8");
+                await fs.rename(tmpPath, filePath);
             }
-            else {
-                debug("[SaveAccounts] Verification failed - invalid storage format");
+            catch (error) {
+                try {
+                    await fs.unlink(tmpPath);
+                }
+                catch {
+                    // ignore cleanup errors
+                }
+                throw error;
             }
-        }
+            if (AUTH_DEBUG_ENABLED) {
+                const verifyContent = await fs.readFile(filePath, "utf-8");
+                const verifyStorage = normalizeStorage(JSON.parse(verifyContent));
+                if (verifyStorage) {
+                    debug(`[SaveAccounts] Verification successful - ${verifyStorage.accounts.length} accounts in file`);
+                }
+                else {
+                    debug("[SaveAccounts] Verification failed - invalid storage format");
+                }
+            }
+        });
     }
     catch (error) {
         console.error("[SaveAccounts] Error saving accounts:", error);