agentctx 0.2.0__tar.gz → 0.4.0__tar.gz

{agentctx-0.2.0 → agentctx-0.4.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: agentctx
-Version: 0.2.0
+Version: 0.4.0
 Summary: kubectx-like CLI for switching Codex auth profiles
 License: MIT
 License-File: LICENSE
@@ -30,7 +30,7 @@ Description-Content-Type: text/markdown
 
 `agentctx` is a kubectx-like CLI for saving and switching local Codex auth profiles.
 
-It manages copies of `~/.codex/auth.json` under `~/.agentctx` and atomically swaps the active auth file when you switch profiles. Token contents are never printed.
+It manages copies of `~/.codex/auth.json` under `~/.agentctx` and atomically swaps the active auth file when you switch profiles. When saving the current auth via `=.`, the profile name is derived from the user's email claim in the JWT. Token contents are never printed.
 
 ## Install
 
@@ -52,7 +52,8 @@ agentctx                 # list profiles or open fzf selector when interactive
 agentctx work            # switch to profile
 agentctx -               # switch to previous profile
 agentctx -c              # show current profile
-agentctx work=.          # save current Codex auth as profile, or rename current profile
+agentctx =.              # save/rename current Codex auth as JWT email profile
+agentctx user@example.com=. # same, but validate name matches JWT email
 agentctx prod=work       # rename profile
 agentctx -d old-profile  # delete profile
 agentctx -u              # unset current marker
@@ -74,7 +75,7 @@ CRUD-style subcommands are intentionally not part of the public CLI.
 ```text
 ~/.agentctx/
   profiles/
-    <name>/
+    <email-or-name>/
       auth.json
       metadata.json
   backups/

{agentctx-0.2.0 → agentctx-0.4.0}/README.md

@@ -2,7 +2,7 @@
 
 `agentctx` is a kubectx-like CLI for saving and switching local Codex auth profiles.
 
-It manages copies of `~/.codex/auth.json` under `~/.agentctx` and atomically swaps the active auth file when you switch profiles. Token contents are never printed.
+It manages copies of `~/.codex/auth.json` under `~/.agentctx` and atomically swaps the active auth file when you switch profiles. When saving the current auth via `=.`, the profile name is derived from the user's email claim in the JWT. Token contents are never printed.
 
 ## Install
 
@@ -24,7 +24,8 @@ agentctx                 # list profiles or open fzf selector when interactive
 agentctx work            # switch to profile
 agentctx -               # switch to previous profile
 agentctx -c              # show current profile
-agentctx work=.          # save current Codex auth as profile, or rename current profile
+agentctx =.              # save/rename current Codex auth as JWT email profile
+agentctx user@example.com=. # same, but validate name matches JWT email
 agentctx prod=work       # rename profile
 agentctx -d old-profile  # delete profile
 agentctx -u              # unset current marker
@@ -46,7 +47,7 @@ CRUD-style subcommands are intentionally not part of the public CLI.
 ```text
 ~/.agentctx/
   profiles/
-    <name>/
+    <email-or-name>/
       auth.json
       metadata.json
   backups/

{agentctx-0.2.0 → agentctx-0.4.0}/agentctx/__init__.py

@@ -1,3 +1,3 @@
 """agentctx: kubectx-like Codex auth profile switcher."""
 
-__version__ = "0.2.0"
+__version__ = "0.4.0"

{agentctx-0.2.0 → agentctx-0.4.0}/agentctx/auth.py

@@ -1,5 +1,7 @@
 """Safe operations for Codex auth.json files."""
 
+import base64
+import binascii
 import contextlib
 import datetime as _dt
 import hashlib
@@ -7,7 +9,7 @@ import json
 import os
 import tempfile
 from pathlib import Path
-from typing import Iterator, Optional
+from typing import Any, Iterator, List, Optional
 
 from agentctx import paths
 from agentctx.errors import InvalidAuthJson, LockError, UnsafeAuthFile
@@ -66,10 +68,57 @@ def read_valid_auth_bytes(path: Path) -> bytes:
     return data
 
 
+def read_valid_auth_json(path: Path) -> Any:
+    return json.loads(read_valid_auth_bytes(path).decode("utf-8"))
+
+
 def validate_auth_json(path: Path) -> None:
     read_valid_auth_bytes(path)
 
 
+def _jwt_payload(token: str) -> Optional[dict]:
+    parts = token.split(".")
+    if len(parts) != 3 or not parts[1]:
+        return None
+    payload = parts[1]
+    payload += "=" * (-len(payload) % 4)
+    try:
+        raw = base64.urlsafe_b64decode(payload.encode("ascii"))
+        decoded = json.loads(raw.decode("utf-8"))
+    except (UnicodeEncodeError, binascii.Error, UnicodeDecodeError, json.JSONDecodeError):
+        return None
+    return decoded if isinstance(decoded, dict) else None
+
+
+def _collect_jwt_candidates(value: Any, key: str = "") -> List[str]:
+    preferred_keys = {"id_token", "jwt", "token", "access_token"}
+    if isinstance(value, str):
+        return [value] if key in preferred_keys or value.count(".") == 2 else []
+    if isinstance(value, dict):
+        preferred = []  # type: List[str]
+        rest = []  # type: List[str]
+        for child_key, child_value in value.items():
+            target = preferred if child_key in preferred_keys else rest
+            target.extend(_collect_jwt_candidates(child_value, str(child_key)))
+        return preferred + rest
+    if isinstance(value, list):
+        result = []  # type: List[str]
+        for item in value:
+            result.extend(_collect_jwt_candidates(item, key))
+        return result
+    return []
+
+
+def email_from_auth_jwt(path: Path) -> str:
+    data = read_valid_auth_json(path)
+    for token in _collect_jwt_candidates(data):
+        payload = _jwt_payload(token)
+        email = payload.get("email") if payload else None
+        if isinstance(email, str) and email.strip():
+            return email.strip().lower()
+    raise InvalidAuthJson("JWT email not found in {0}".format(path))
+
+
 def sha256_file(path: Path) -> str:
     reject_unsafe_existing_file(path)
     digest = hashlib.sha256()

{agentctx-0.2.0 → agentctx-0.4.0}/agentctx/cli.py

@@ -17,7 +17,8 @@ USAGE:
   agentctx -                     : switch to the previous profile
   agentctx -c, --current         : show the current profile name
   agentctx <NEW_NAME>=<NAME>     : rename profile <NAME> to <NEW_NAME>
-  agentctx <NEW_NAME>=.          : save or rename current active auth to <NEW_NAME>
+  agentctx =.                    : save or rename current active auth using JWT email
+  agentctx <EMAIL>=.             : same, but validate <EMAIL> matches JWT email
   agentctx -d <NAME> [<NAME...>] : delete profile <NAME> ('.' for current profile)
                                   (this command won't delete the active auth file
                                   that is used by Codex)
@@ -40,7 +41,7 @@ def _print_profile_list() -> int:
 
 
 def _maybe_interactive_select() -> Optional[str]:
-    if not sys.stdout.isatty():
+    if not sys.stdin.isatty() or not sys.stdout.isatty():
         return None
     if shutil.which("fzf") is None:
         return None
@@ -77,14 +78,14 @@ def _list_or_select() -> int:
 
 def _handle_rename_or_save(spec: str) -> int:
     new_name, old_name = spec.split("=", 1)
-    if not new_name or not old_name:
+    if not old_name or (not new_name and old_name != "."):
         raise AgentctxError("invalid rename syntax: {0}".format(spec))
     if old_name == ".":
-        outcome = profiles.save_or_rename_current(new_name)
+        outcome, profile_name = profiles.save_or_rename_current_from_jwt_email(new_name or None)
         if outcome == "saved":
-            print('Saved current Codex auth as profile "{0}".'.format(new_name))
+            print('Saved current Codex auth as profile "{0}".'.format(profile_name))
         else:
-            print('Current profile renamed to "{0}".'.format(new_name))
+            print('Current profile renamed to "{0}".'.format(profile_name))
         return 0
     profiles.rename_profile(old_name, new_name)
     print('Profile "{0}" renamed to "{1}".'.format(old_name, new_name))

{agentctx-0.2.0 → agentctx-0.4.0}/agentctx/profiles.py

@@ -10,7 +10,8 @@ from typing import Dict, Iterable, List, Optional, Tuple
 from agentctx import auth, paths
 from agentctx.errors import InvalidProfileName, NoCurrentProfile, ProfileAlreadyExists, ProfileNotFound, UnsafeAuthFile
 
-PROFILE_RE = re.compile(r"^[A-Za-z0-9._-]+$")
+PROFILE_RE = re.compile(r"^[A-Za-z0-9._%+@-]+$")
+EMAIL_PROFILE_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z0-9.-]+$")
 LEGACY_WORDS = {"save", "use", "sync", "backup", "doctor", "rename", "delete", "list", "current"}
 UNKNOWN_ACTIVE_PROFILE = "Unknown active profile"
 
@@ -26,6 +27,18 @@ def validate_profile_name(name: str) -> None:
         raise InvalidProfileName("invalid profile name: {0}".format(name))
 
 
+def validate_jwt_email_profile_name(name: str) -> None:
+    validate_profile_name(name)
+    if not EMAIL_PROFILE_RE.match(name):
+        raise InvalidProfileName("invalid JWT email for profile name: {0}".format(name))
+
+
+def _active_auth_email_profile_name() -> str:
+    name = auth.email_from_auth_jwt(paths.codex_auth_path())
+    validate_jwt_email_profile_name(name)
+    return name
+
+
 def _reject_unsafe_profile_dir(name: str) -> None:
     pdir = paths.profile_dir(name)
     if pdir.is_symlink():
@@ -272,6 +285,31 @@ def save_or_rename_current(new: str) -> str:
         return "saved"
 
 
+def save_or_rename_current_from_jwt_email(expected_name: Optional[str] = None) -> Tuple[str, str]:
+    with auth.lock():
+        new = _active_auth_email_profile_name()
+        if expected_name:
+            validate_jwt_email_profile_name(expected_name)
+            if expected_name.lower() != new:
+                raise InvalidProfileName(
+                    "profile name must match JWT email: {0}".format(new)
+                )
+
+        current = get_current_profile()
+        if current:
+            if current == new:
+                created_at = _read_created_at(current)
+                auth.copy_auth_atomic(paths.codex_auth_path(), paths.profile_auth_path(current))
+                _write_metadata(current, created_at=created_at)
+                _set_current(current)
+                return "saved", new
+            _rename_profile_locked(current, new)
+            return "renamed", new
+
+        _save_current_as_profile_locked(new)
+        return "saved", new
+
+
 def delete_profiles(requested_names: Iterable[str]) -> List[str]:
     requested = list(requested_names)
     if not requested:

{agentctx-0.2.0 → agentctx-0.4.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "agentctx"
-version = "0.2.0"
+version = "0.4.0"
 description = "kubectx-like CLI for switching Codex auth profiles"
 authors = ["Nikolay Baryshnikov <root@k0d.ru>"]
 packages = [