npm - zele - Versions diffs - 0.3.0 → 0.3.6 - Mend

zele 0.3.0 → 0.3.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (157) hide show

package/README.md +1 -1
package/bin/zele +27 -0
package/dist/api-utils.d.ts +51 -2
package/dist/api-utils.js +89 -3
package/dist/api-utils.js.map +1 -1
package/dist/auth.d.ts +27 -6
package/dist/auth.js +185 -129
package/dist/auth.js.map +1 -1
package/dist/calendar-client.d.ts +16 -9
package/dist/calendar-client.js +163 -59
package/dist/calendar-client.js.map +1 -1
package/dist/cli.js +34 -1
package/dist/cli.js.map +1 -1
package/dist/commands/attachment.js +17 -15
package/dist/commands/attachment.js.map +1 -1
package/dist/commands/auth-cmd.js +20 -9
package/dist/commands/auth-cmd.js.map +1 -1
package/dist/commands/calendar.js +67 -78
package/dist/commands/calendar.js.map +1 -1
package/dist/commands/draft.js +25 -18
package/dist/commands/draft.js.map +1 -1
package/dist/commands/label.js +33 -45
package/dist/commands/label.js.map +1 -1
package/dist/commands/mail-actions.js +11 -13
package/dist/commands/mail-actions.js.map +1 -1
package/dist/commands/mail.js +119 -127
package/dist/commands/mail.js.map +1 -1
package/dist/commands/profile.js +18 -21
package/dist/commands/profile.js.map +1 -1
package/dist/commands/watch.js +33 -261
package/dist/commands/watch.js.map +1 -1
package/dist/db.js +12 -13
package/dist/db.js.map +1 -1
package/dist/generated/browser.d.ts +12 -27
package/dist/generated/client.d.ts +13 -28
package/dist/generated/client.js +1 -1
package/dist/generated/commonInputTypes.d.ts +90 -26
package/dist/generated/enums.d.ts +0 -4
package/dist/generated/enums.js +0 -3
package/dist/generated/enums.js.map +1 -1
package/dist/generated/internal/class.d.ts +22 -55
package/dist/generated/internal/class.js +12 -4
package/dist/generated/internal/class.js.map +1 -1
package/dist/generated/internal/prismaNamespace.d.ts +272 -511
package/dist/generated/internal/prismaNamespace.js +54 -66
package/dist/generated/internal/prismaNamespace.js.map +1 -1
package/dist/generated/internal/prismaNamespaceBrowser.d.ts +60 -74
package/dist/generated/internal/prismaNamespaceBrowser.js +50 -62
package/dist/generated/internal/prismaNamespaceBrowser.js.map +1 -1
package/dist/generated/models/Account.d.ts +1637 -0
package/dist/generated/models/Account.js +2 -0
package/dist/generated/models/Account.js.map +1 -0
package/dist/generated/models/CalendarList.d.ts +1161 -0
package/dist/generated/models/CalendarList.js +2 -0
package/dist/generated/models/CalendarList.js.map +1 -0
package/dist/generated/models/Label.d.ts +1161 -0
package/dist/generated/models/Label.js +2 -0
package/dist/generated/models/Label.js.map +1 -0
package/dist/generated/models/Profile.d.ts +1269 -0
package/dist/generated/models/Profile.js +2 -0
package/dist/generated/models/Profile.js.map +1 -0
package/dist/generated/models/SyncState.d.ts +1130 -0
package/dist/generated/models/SyncState.js +2 -0
package/dist/generated/models/SyncState.js.map +1 -0
package/dist/generated/models/Thread.d.ts +1608 -0
package/dist/generated/models/Thread.js +2 -0
package/dist/generated/models/Thread.js.map +1 -0
package/dist/generated/models.d.ts +6 -9
package/dist/gmail-client.d.ts +119 -94
package/dist/gmail-client.js +862 -322
package/dist/gmail-client.js.map +1 -1
package/dist/mail-tui.d.ts +1 -0
package/dist/mail-tui.js +517 -0
package/dist/mail-tui.js.map +1 -0
package/dist/output.d.ts +6 -0
package/dist/output.js +124 -11
package/dist/output.js.map +1 -1
package/package.json +39 -11
package/schema.prisma +81 -113
package/src/api-utils.ts +103 -5
package/src/auth.ts +224 -143
package/src/calendar-client.ts +196 -89
package/src/cli.ts +39 -1
package/src/commands/attachment.ts +18 -19
package/src/commands/auth-cmd.ts +19 -9
package/src/commands/calendar.ts +42 -85
package/src/commands/draft.ts +19 -22
package/src/commands/label.ts +21 -57
package/src/commands/mail-actions.ts +11 -19
package/src/commands/mail.ts +109 -148
package/src/commands/profile.ts +12 -28
package/src/commands/watch.ts +37 -304
package/src/db.ts +13 -16
package/src/generated/browser.ts +49 -0
package/src/generated/client.ts +71 -0
package/src/generated/commonInputTypes.ts +332 -0
package/src/generated/enums.ts +17 -0
package/src/generated/internal/class.ts +250 -0
package/src/generated/internal/prismaNamespace.ts +1198 -0
package/src/generated/internal/prismaNamespaceBrowser.ts +169 -0
package/src/generated/models/Account.ts +1848 -0
package/src/generated/models/CalendarList.ts +1331 -0
package/src/generated/models/Label.ts +1331 -0
package/src/generated/models/Profile.ts +1439 -0
package/src/generated/models/SyncState.ts +1300 -0
package/src/generated/models/Thread.ts +1787 -0
package/src/generated/models.ts +17 -0
package/src/gmail-client.test.ts +59 -0
package/src/gmail-client.ts +1034 -429
package/src/mail-tui.tsx +1061 -0
package/src/output.test.ts +1093 -0
package/src/output.ts +128 -13
package/src/schema.sql +58 -68
package/src/test-fixtures/email-html/safe-claude-event.html +28 -0
package/src/test-fixtures/email-html/safe-product-announcement.html +25 -0
package/src/test-fixtures/email-html/safe-tracked-links.html +27 -0
package/src/test-fixtures/email-html-snapshots/safe-claude-event.html.md +9 -0
package/src/test-fixtures/email-html-snapshots/safe-product-announcement.html.md +13 -0
package/src/test-fixtures/email-html-snapshots/safe-tracked-links.html.md +7 -0
package/AGENTS.md +0 -26
package/CHANGELOG.md +0 -43
package/dist/generated/models/accounts.d.ts +0 -2000
package/dist/generated/models/accounts.js +0 -2
package/dist/generated/models/accounts.js.map +0 -1
package/dist/generated/models/calendar_events.d.ts +0 -1433
package/dist/generated/models/calendar_events.js +0 -2
package/dist/generated/models/calendar_events.js.map +0 -1
package/dist/generated/models/calendar_lists.d.ts +0 -1131
package/dist/generated/models/calendar_lists.js +0 -2
package/dist/generated/models/calendar_lists.js.map +0 -1
package/dist/generated/models/label_counts.d.ts +0 -1131
package/dist/generated/models/label_counts.js +0 -2
package/dist/generated/models/label_counts.js.map +0 -1
package/dist/generated/models/labels.d.ts +0 -1131
package/dist/generated/models/labels.js +0 -2
package/dist/generated/models/labels.js.map +0 -1
package/dist/generated/models/profiles.d.ts +0 -1131
package/dist/generated/models/profiles.js +0 -2
package/dist/generated/models/profiles.js.map +0 -1
package/dist/generated/models/sync_states.d.ts +0 -1107
package/dist/generated/models/sync_states.js +0 -2
package/dist/generated/models/sync_states.js.map +0 -1
package/dist/generated/models/thread_lists.d.ts +0 -1404
package/dist/generated/models/thread_lists.js +0 -2
package/dist/generated/models/thread_lists.js.map +0 -1
package/dist/generated/models/threads.d.ts +0 -1247
package/dist/generated/models/threads.js +0 -2
package/dist/generated/models/threads.js.map +0 -1
package/dist/gmail-cache.d.ts +0 -60
package/dist/gmail-cache.js +0 -264
package/dist/gmail-cache.js.map +0 -1
package/docs/gogcli-gmail-implementation.md +0 -599
package/scripts/test-device-code-clients.ts +0 -186
package/scripts/test-micropython-scopes.ts +0 -72
package/scripts/test-oauth-clients.ts +0 -257
package/src/gmail-cache.ts +0 -339
package/tsconfig.json +0 -16

package/src/auth.ts CHANGED Viewed

@@ -1,29 +1,22 @@
 // OAuth2 authentication module for zele.
 // Multi-account support: tokens are stored in the Prisma-managed SQLite DB
-// (accounts table) keyed by email. Supports login (browser OAuth), per-account
-// token refresh, and helpers to get authenticated GmailClient instances for
-// one or all accounts.
-// Migration: on first use, if legacy ~/.zele/tokens.json exists, it is
-// imported into the DB and renamed to tokens.json.bak.
+// (accounts table) keyed by (email, app_id). Supports login (browser OAuth),
+// per-account token refresh, and helpers to get authenticated GmailClient
+// instances for one or all accounts.
+// app_id is the Google OAuth client ID used during login, enabling future
+// support for multiple OAuth apps per email.
 import http from 'node:http'
 import readline from 'node:readline'
-import fs from 'node:fs'
-import path from 'node:path'
-import os from 'node:os'
+import { spawn } from 'node:child_process'
 import { OAuth2Client, type Credentials } from 'google-auth-library'
 import fkill from 'fkill'
 import pc from 'picocolors'
 import { getPrisma } from './db.js'
 import { GmailClient } from './gmail-client.js'
 import { CalendarClient } from './calendar-client.js'
-// ---------------------------------------------------------------------------
-// Config
-// ---------------------------------------------------------------------------
-const ZELE_DIR = path.join(os.homedir(), '.zele')
-const LEGACY_TOKENS_FILE = path.join(ZELE_DIR, 'tokens.json')
+import * as errore from 'errore'
+import { AuthError } from './api-utils.js'
 // ---------------------------------------------------------------------------
 // Known open-source Google OAuth clients (Desktop app type).
@@ -33,28 +26,31 @@ const LEGACY_TOKENS_FILE = path.join(ZELE_DIR, 'tokens.json')
 // which Google restricts — Gmail scopes are blocked from device code entirely).
 // Source: public open-source repos, tested 2026-02-09.
 // ---------------------------------------------------------------------------
-const OAUTH_CLIENTS = {
+const OAUTH_CLIENTS: Record<string, { clientId: string; clientSecret: string; redirectPort: number }> = {
   // Mozilla Thunderbird — largest user base, highest Google quota.
   // Source: searchfox.org/comm-central/source/mailnews/base/src/OAuth2Providers.sys.mjs
   thunderbird: {
     clientId: '406964657835-aq8lmia8j95dhl1a2bvharmfk3t1hgqj.apps.googleusercontent.com',
     clientSecret: 'kSmqreRr0qwBWJgbf5Y-PjSU',
+    redirectPort: 8089,
   },
   // GNOME Online Accounts — used by Evolution, GNOME Calendar, Nautilus (Drive).
   // Source: github.com/GNOME/gnome-online-accounts/blob/master/meson_options.txt
   gnome: {
     clientId: '44438659992-7kgjeitenc16ssihbtdjbgguch7ju55s.apps.googleusercontent.com',
     clientSecret: '-gMLuQyDiI0XrQS_vx_mhuYF',
+    redirectPort: 8089,
   },
   // KDE KAccounts — used by KMail, KOrganizer, Kontact.
   // Source: github.com/KDE/kaccounts-providers google.provider.in
   kde: {
     clientId: '317066460457-pkpkedrvt2ldq6g2hj1egfka2n7vpuoo.apps.googleusercontent.com',
     clientSecret: 'Y8eFAaWfcanV3amZdDvtbYUq',
+    redirectPort: 8089,
   },
-} as const
+}
-const ACTIVE_CLIENT = OAUTH_CLIENTS.thunderbird
+const ACTIVE_CLIENT = OAUTH_CLIENTS.thunderbird!
 const CLIENT_ID =
   process.env.ZELE_CLIENT_ID ?? ACTIVE_CLIENT.clientId
@@ -62,7 +58,6 @@ const CLIENT_ID =
 const CLIENT_SECRET =
   process.env.ZELE_CLIENT_SECRET ?? ACTIVE_CLIENT.clientSecret
-const REDIRECT_PORT = 8089
 const SCOPES = [
   'https://mail.google.com/',                       // Gmail (full)
   'https://www.googleapis.com/auth/calendar',       // Calendar (full)
@@ -70,64 +65,64 @@ const SCOPES = [
 ]
 // ---------------------------------------------------------------------------
-// OAuth2 client factory
+// OAuth client resolution
 // ---------------------------------------------------------------------------
-export function createOAuth2Client(): OAuth2Client {
-  return new OAuth2Client({
-    clientId: CLIENT_ID,
-    clientSecret: CLIENT_SECRET,
-    redirectUri: `http://localhost:${REDIRECT_PORT}`,
-  })
+/**
+ * Resolve OAuth credentials and redirect port for a given appId.
+ * Looks up the matching entry in OAUTH_CLIENTS by client ID.
+ * Falls back to the active client / env vars.
+ */
+function resolveOAuthClient(appId?: string) {
+  let clientId = CLIENT_ID
+  let clientSecret = CLIENT_SECRET
+  let redirectPort = ACTIVE_CLIENT.redirectPort
+  if (appId) {
+    // Look up by client ID value in OAUTH_CLIENTS
+    const entry = Object.values(OAUTH_CLIENTS).find((c) => c.clientId === appId)
+    if (entry) {
+      clientId = entry.clientId
+      clientSecret = entry.clientSecret
+      redirectPort = entry.redirectPort
+    } else {
+      // Unknown app ID — use it directly (custom client scenario).
+      // The caller must have set ZELE_CLIENT_SECRET or the token must
+      // already have a refresh_token that works without the secret.
+      clientId = appId
+    }
+  }
+  return { clientId, clientSecret, redirectPort }
 }
 // ---------------------------------------------------------------------------
-// Legacy migration: tokens.json → DB
+// OAuth2 client factory
 // ---------------------------------------------------------------------------
-async function migrateLegacyTokens(): Promise<void> {
-  if (!fs.existsSync(LEGACY_TOKENS_FILE)) return
-  const prisma = await getPrisma()
-  const count = await prisma.accounts.count()
-  if (count > 0) {
-    // DB already has accounts — skip migration
-    return
-  }
-  try {
-    const data = fs.readFileSync(LEGACY_TOKENS_FILE, 'utf-8')
-    const tokens: Credentials = JSON.parse(data)
-    // We need to discover the email for this token
-    const oauth2Client = createOAuth2Client()
-    oauth2Client.setCredentials(tokens)
-    // Refresh if expired
-    if (tokens.expiry_date && tokens.expiry_date < Date.now()) {
-      const { credentials } = await oauth2Client.refreshAccessToken()
-      oauth2Client.setCredentials(credentials)
-      Object.assign(tokens, credentials)
-    }
+/**
+ * Create an OAuth2Client. If appId is provided, looks up the matching
+ * client credentials from OAUTH_CLIENTS by client ID. Falls back to
+ * the active client / env vars.
+ */
+export function createOAuth2Client(appId?: string): OAuth2Client {
+  const { clientId, clientSecret, redirectPort } = resolveOAuthClient(appId)
-    const client = new GmailClient({ auth: oauth2Client })
-    const profile = await client.getProfile()
-    const email = profile.emailAddress
+  return new OAuth2Client({
+    clientId,
+    clientSecret,
+    redirectUri: `http://localhost:${redirectPort}`,
+  })
+}
-    await prisma.accounts.create({
-      data: {
-        email,
-        tokens: JSON.stringify(tokens),
-        updated_at: new Date(),
-      },
-    })
+// ---------------------------------------------------------------------------
+// Account identifier — used throughout the codebase to scope data
+// to a specific (email, app_id) pair.
+// ---------------------------------------------------------------------------
-    // Rename old file so we don't migrate again
-    fs.renameSync(LEGACY_TOKENS_FILE, LEGACY_TOKENS_FILE + '.bak')
-    process.stderr.write(pc.green(`Migrated legacy tokens for ${email}`) + '\n')
-  } catch (err) {
-    process.stderr.write(pc.yellow(`Warning: legacy token migration failed: ${err}`) + '\n')
-  }
+export interface AccountId {
+  email: string
+  appId: string
 }
 // ---------------------------------------------------------------------------
@@ -138,12 +133,10 @@ function extractCodeFromInput(input: string): string | null {
   const trimmed = input.trim()
   if (!trimmed) return null
-  try {
-    const url = new URL(trimmed)
+  const url = errore.tryFn(() => new URL(trimmed))
+  if (!(url instanceof Error)) {
     const code = url.searchParams.get('code')
     if (code) return code
-  } catch {
-    // Not a URL
   }
   if (trimmed.length > 10 && !trimmed.includes(' ')) {
@@ -153,30 +146,84 @@ function extractCodeFromInput(input: string): string | null {
   return null
 }
-async function getAuthCodeFromBrowser(oauth2Client: OAuth2Client): Promise<string> {
+interface BrowserAuthOptions {
+  openBrowser?: boolean
+  allowManualCodeEntry?: boolean
+  showInstructions?: boolean
+}
+function openUrlInBrowser(url: string): Error | void {
+  const command = process.platform === 'darwin'
+    ? { bin: 'open', args: [url] }
+    : process.platform === 'win32'
+      ? { bin: 'cmd', args: ['/c', 'start', '', url] }
+      : { bin: 'xdg-open', args: [url] }
+  const child = errore.tryFn(() =>
+    spawn(command.bin, command.args, {
+      detached: true,
+      stdio: 'ignore',
+    }),
+  )
+  if (child instanceof Error) {
+    return new Error(`Failed to open browser with ${command.bin}`, { cause: child })
+  }
+  child.unref()
+}
+async function getAuthCodeFromBrowser(
+  oauth2Client: OAuth2Client,
+  port: number,
+  options?: BrowserAuthOptions,
+): Promise<string | Error> {
+  const openBrowser = options?.openBrowser ?? true
+  const allowManualCodeEntry = options?.allowManualCodeEntry ?? true
+  const showInstructions = options?.showInstructions ?? true
   const authUrl = oauth2Client.generateAuthUrl({
     access_type: 'offline',
     scope: SCOPES,
     prompt: 'consent',
   })
-  await fkill(`:${REDIRECT_PORT}`, { force: true, silent: true }).catch(() => {})
+  await errore.tryAsync({
+    try: () => fkill(`:${port}`, { force: true, silent: true }),
+    catch: (err) => new Error(String(err), { cause: err }),
+  })
-  process.stderr.write('\n' + pc.bold('1.') + ' Open this URL to authorize:\n\n')
-  process.stderr.write('   ' + pc.cyan(pc.underline(authUrl)) + '\n\n')
-  process.stderr.write(pc.bold('2.') + ' If running locally, the browser will redirect automatically.\n')
-  process.stderr.write(pc.dim('   If running remotely, the redirect page won\'t load — that\'s fine.') + '\n')
-  process.stderr.write(pc.dim('   Just copy the URL from your browser\'s address bar and paste it below.') + '\n\n')
+  if (showInstructions) {
+    console.error('\n' + pc.bold('1.') + ' Open this URL to authorize:\n')
+    console.error('   ' + pc.cyan(pc.underline(authUrl)) + '\n')
+    console.error(pc.bold('2.') + ' If running locally, the browser will redirect automatically.')
+    console.error(pc.dim('   If running remotely, the redirect page won\'t load — that\'s fine.'))
+    console.error(pc.dim('   Just copy the URL from your browser\'s address bar and paste it below.') + '\n')
+  }
-  return new Promise((resolve, reject) => {
+  if (openBrowser) {
+    const openResult = openUrlInBrowser(authUrl)
+    if (openResult instanceof Error && showInstructions) {
+      console.error(pc.yellow(`Could not auto-open browser: ${openResult.message}`))
+      console.error(pc.dim('Open the URL above manually.'))
+    }
+  }
+  return new Promise((resolve) => {
     let resolved = false
     let server: http.Server | null = null
     let rl: readline.Interface | null = null
+    function closeServer() {
+      if (server) {
+        server.closeAllConnections()
+        server.close()
+      }
+    }
     function finish(code: string) {
       if (resolved) return
       resolved = true
-      server?.close()
+      closeServer()
       if (rl) {
         rl.close()
         process.stdin.unref()
@@ -187,13 +234,13 @@ async function getAuthCodeFromBrowser(oauth2Client: OAuth2Client): Promise<strin
     function fail(err: Error) {
       if (resolved) return
       resolved = true
-      server?.close()
+      closeServer()
       rl?.close()
-      reject(err)
+      resolve(err)
     }
     server = http.createServer((req, res) => {
-      const url = new URL(req.url!, `http://localhost:${REDIRECT_PORT}`)
+      const url = new URL(req.url!, `http://localhost:${port}`)
       const code = url.searchParams.get('code')
       const error = url.searchParams.get('error')
@@ -215,17 +262,20 @@ async function getAuthCodeFromBrowser(oauth2Client: OAuth2Client): Promise<strin
       res.end('<h1>No authorization code received</h1>')
     })
-    server.listen(REDIRECT_PORT)
+    server.listen(port)
+    server.on('error', (err) => {
+      fail(new Error(`Failed to start local auth callback server on port ${port}`, { cause: err }))
+    })
-    if (process.stdin.isTTY) {
+    if (allowManualCodeEntry && process.stdin.isTTY) {
       rl = readline.createInterface({ input: process.stdin, output: process.stderr })
       rl.question(pc.dim('Paste redirect URL here (or wait for auto-redirect): '), (answer) => {
         const code = extractCodeFromInput(answer)
         if (code) {
           finish(code)
         } else {
-          process.stderr.write(pc.yellow('Could not extract authorization code from input.') + '\n')
-          process.stderr.write(pc.dim('Waiting for browser redirect...') + '\n')
+          console.error(pc.yellow('Could not extract authorization code from input.'))
+          console.error(pc.dim('Waiting for browser redirect...'))
         }
       })
     }
@@ -238,51 +288,82 @@ async function getAuthCodeFromBrowser(oauth2Client: OAuth2Client): Promise<strin
 /**
  * Run the full browser OAuth flow and save the account to the DB.
- * Returns the email and an authenticated GmailClient.
+ * Returns either a successful login payload or an Error value.
  */
-export async function login(): Promise<{ email: string; client: GmailClient }> {
-  const oauth2Client = createOAuth2Client()
+export async function login(
+  appId?: string,
+  options?: BrowserAuthOptions,
+): Promise<{ email: string; appId: string; client: GmailClient } | Error> {
+  const resolved = resolveOAuthClient(appId)
+  const oauth2Client = createOAuth2Client(appId)
+  const code = await getAuthCodeFromBrowser(oauth2Client, resolved.redirectPort, options)
+  if (code instanceof Error) return code
+  if (options?.showInstructions ?? true) {
+    console.error(pc.dim('Got authorization code, exchanging for tokens...'))
+  }
-  const code = await getAuthCodeFromBrowser(oauth2Client)
-  process.stderr.write(pc.dim('Got authorization code, exchanging for tokens...') + '\n')
+  const tokenResponse = await errore.tryAsync({
+    try: () => oauth2Client.getToken(code),
+    catch: (err) => new Error('Failed to exchange authorization code for tokens', { cause: err }),
+  })
+  if (tokenResponse instanceof Error) return tokenResponse
-  const { tokens } = await oauth2Client.getToken(code)
+  const { tokens } = tokenResponse
   oauth2Client.setCredentials(tokens)
   // Discover email
   const client = new GmailClient({ auth: oauth2Client })
   const profile = await client.getProfile()
+  if (profile instanceof Error) return profile
   const email = profile.emailAddress
   // Upsert account in DB
   const prisma = await getPrisma()
-  await prisma.accounts.upsert({
-    where: { email },
-    create: { email, tokens: JSON.stringify(tokens), updated_at: new Date() },
-    update: { tokens: JSON.stringify(tokens), updated_at: new Date() },
+  const upsertResult = await errore.tryAsync({
+    try: () =>
+      prisma.account.upsert({
+        where: { email_appId: { email, appId: resolved.clientId } },
+        create: {
+          email,
+          appId: resolved.clientId,
+          accountStatus: 'active',
+          tokens: JSON.stringify(tokens),
+          createdAt: new Date(),
+          updatedAt: new Date(),
+        },
+        update: { tokens: JSON.stringify(tokens), updatedAt: new Date() },
+      }),
+    catch: (err) => new Error(`Failed to save account ${email}`, { cause: err }),
   })
+  if (upsertResult instanceof Error) return upsertResult
-  return { email, client }
+  return { email, appId: resolved.clientId, client }
 }
 // ---------------------------------------------------------------------------
 // Logout: remove account from DB
 // ---------------------------------------------------------------------------
-export async function logout(email: string): Promise<void> {
+export async function logout(email: string): Promise<void | Error> {
   const prisma = await getPrisma()
-  await prisma.accounts.delete({ where: { email } })
+  // Delete all app_id entries for this email (logout removes all credentials for the email)
+  const result = await errore.tryAsync({
+    try: () => prisma.account.deleteMany({ where: { email } }),
+    catch: (err) => new Error(`Failed to remove credentials for ${email}`, { cause: err }),
+  })
+  if (result instanceof Error) return result
 }
 // ---------------------------------------------------------------------------
 // Account listing
 // ---------------------------------------------------------------------------
-export async function listAccounts(): Promise<string[]> {
-  await migrateLegacyTokens()
+export async function listAccounts(): Promise<AccountId[]> {
   const prisma = await getPrisma()
-  const rows = await prisma.accounts.findMany({ select: { email: true } })
-  return rows.map((r) => r.email)
+  const rows = await prisma.account.findMany({ select: { email: true, appId: true } })
+  return rows.map((r) => ({ email: r.email, appId: r.appId }))
 }
 // ---------------------------------------------------------------------------
@@ -292,28 +373,31 @@ export async function listAccounts(): Promise<string[]> {
 /**
  * Create an authenticated OAuth2Client for a known account.
  * Loads tokens from DB, refreshes if expired, saves refreshed tokens back.
+ * Uses the stored app_id to create the OAuth2 client with the correct credentials.
  */
-async function authenticateAccount(email: string): Promise<OAuth2Client> {
+async function authenticateAccount(account: AccountId): Promise<OAuth2Client> {
   const prisma = await getPrisma()
-  const row = await prisma.accounts.findUnique({ where: { email } })
+  const row = await prisma.account.findUnique({
+    where: { email_appId: { email: account.email, appId: account.appId } },
+  })
   if (!row) {
-    throw new Error(`No account found for ${email}. Run: zele login`)
+    throw new Error(`No account found for ${account.email}. Run: zele login`)
   }
   const tokens: Credentials = JSON.parse(row.tokens)
-  const oauth2Client = createOAuth2Client()
+  const oauth2Client = createOAuth2Client(account.appId)
   oauth2Client.setCredentials(tokens)
   // Refresh if expired — merge to preserve refresh_token which Google
   // often omits from refresh responses
   if (tokens.expiry_date && tokens.expiry_date < Date.now()) {
-    process.stderr.write(pc.dim(`Token expired for ${email}, refreshing...`) + '\n')
+    console.error(pc.dim(`Token expired for ${account.email}, refreshing...`))
     const { credentials } = await oauth2Client.refreshAccessToken()
     const merged = { ...tokens, ...credentials }
     oauth2Client.setCredentials(merged)
-    await prisma.accounts.update({
-      where: { email },
-      data: { tokens: JSON.stringify(merged), updated_at: new Date() },
+    await prisma.account.update({
+      where: { email_appId: { email: account.email, appId: account.appId } },
+      data: { tokens: JSON.stringify(merged), updatedAt: new Date() },
     })
   }
@@ -326,27 +410,25 @@ async function authenticateAccount(email: string): Promise<OAuth2Client> {
  */
 export async function getClients(
   accounts?: string[],
-): Promise<Array<{ email: string; client: GmailClient }>> {
-  await migrateLegacyTokens()
-  const allEmails = await listAccounts()
-  if (allEmails.length === 0) {
+): Promise<Array<{ email: string; appId: string; client: GmailClient }>> {
+  const allAccounts = await listAccounts()
+  if (allAccounts.length === 0) {
     throw new Error('No accounts registered. Run: zele login')
   }
-  const emails = accounts && accounts.length > 0
-    ? allEmails.filter((e) => accounts.includes(e))
-    : allEmails
+  const filtered = accounts && accounts.length > 0
+    ? allAccounts.filter((a) => accounts.includes(a.email))
+    : allAccounts
-  if (emails.length === 0) {
-    const available = allEmails.join(', ')
+  if (filtered.length === 0) {
+    const available = allAccounts.map((a) => a.email).join(', ')
     throw new Error(`No matching accounts. Available: ${available}`)
   }
   const results = await Promise.all(
-    emails.map(async (email) => {
-      const auth = await authenticateAccount(email)
-      return { email, client: new GmailClient({ auth }) }
+    filtered.map(async (account) => {
+      const auth = await authenticateAccount(account)
+      return { email: account.email, appId: account.appId, client: new GmailClient({ auth, account }) }
     }),
   )
@@ -359,7 +441,7 @@ export async function getClients(
  */
 export async function getClient(
   accounts?: string[],
-): Promise<{ email: string; client: GmailClient }> {
+): Promise<{ email: string; appId: string; client: GmailClient }> {
   const clients = await getClients(accounts)
   if (clients.length === 1) {
     return clients[0]!
@@ -380,29 +462,27 @@ export async function getClient(
  */
 export async function getCalendarClients(
   accounts?: string[],
-): Promise<Array<{ email: string; client: CalendarClient }>> {
-  await migrateLegacyTokens()
-  const allEmails = await listAccounts()
-  if (allEmails.length === 0) {
+): Promise<Array<{ email: string; appId: string; client: CalendarClient }>> {
+  const allAccounts = await listAccounts()
+  if (allAccounts.length === 0) {
     throw new Error('No accounts registered. Run: zele login')
   }
-  const emails = accounts && accounts.length > 0
-    ? allEmails.filter((e) => accounts.includes(e))
-    : allEmails
+  const filtered = accounts && accounts.length > 0
+    ? allAccounts.filter((a) => accounts.includes(a.email))
+    : allAccounts
-  if (emails.length === 0) {
-    const available = allEmails.join(', ')
+  if (filtered.length === 0) {
+    const available = allAccounts.map((a) => a.email).join(', ')
     throw new Error(`No matching accounts. Available: ${available}`)
   }
   const results = await Promise.all(
-    emails.map(async (email) => {
-      const auth = await authenticateAccount(email)
+    filtered.map(async (account) => {
+      const auth = await authenticateAccount(account)
       const { token } = await auth.getAccessToken()
-      if (!token) throw new Error(`Failed to get access token for ${email}`)
-      return { email, client: new CalendarClient({ accessToken: token, email }) }
+      if (!token) throw new Error(`Failed to get access token for ${account.email}`)
+      return { email: account.email, appId: account.appId, client: new CalendarClient({ accessToken: token, email: account.email, appId: account.appId }) }
     }),
   )
@@ -415,7 +495,7 @@ export async function getCalendarClients(
  */
 export async function getCalendarClient(
   accounts?: string[],
-): Promise<{ email: string; client: CalendarClient }> {
+): Promise<{ email: string; appId: string; client: CalendarClient }> {
   const clients = await getCalendarClients(accounts)
   if (clients.length === 1) {
     return clients[0]!
@@ -433,18 +513,19 @@ export async function getCalendarClient(
 export interface AuthStatus {
   email: string
+  appId: string
   expiresAt?: Date
 }
 export async function getAuthStatuses(): Promise<AuthStatus[]> {
-  await migrateLegacyTokens()
   const prisma = await getPrisma()
-  const rows = await prisma.accounts.findMany()
+  const rows = await prisma.account.findMany()
   return rows.map((row) => {
     const tokens: Credentials = JSON.parse(row.tokens)
     return {
       email: row.email,
+      appId: row.appId,
       expiresAt: tokens.expiry_date ? new Date(tokens.expiry_date) : undefined,
     }
   })